Defense in depth — zero-dependency supply chain, container namespace isolation, seccomp syscall filters, secret redaction, tool permissions, and TLS encryption. All verified through automated codebase audits.
Scorpiox Code uses a defense-in-depth approach. Every layer assumes the layer above has been compromised. Zero external dependencies eliminates the supply chain attack surface entirely.
All crypto (mbedTLS), JSON (yyjson), and protocol code vendored in-tree. No npm, no pip, no cargo — no supply chain attack surface.
SX_STATIC_LINK=ON produces fully static musl-linked executables. No shared library hijacking. Single binary deployment.
Linux user namespaces (CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWUSER | CLONE_NEWNET) for rootless container isolation.
AI-powered codebase security audits run against every commit. Results published as versioned reports with severity classifications.
20 security features across 6 categories, all implemented in pure C with zero external runtime dependencies.
Rootless containers via clone() with CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWUSER | CLONE_NEWNET. pivot_root into overlayfs rootfs.
scorpiox-unshare.cBPF seccomp filter blocks personality() and keyctl() syscalls. PR_SET_NO_NEW_PRIVS enforced before filter installation.
scorpiox-unshare.cDrops CAP_IPC_LOCK from bounding set inside containers to prevent mlock()-based memory pinning attacks.
scorpiox-unshare.cIsolated network namespace via CLONE_NEWNET. Network access through slirp4netns tap0 interface. DNS at 10.0.2.3.
scorpiox-unshare.cmbedTLS with certificate verification. SX_TLS_VERIFY=true enforces full chain validation. Vendored in-tree — no OpenSSL dependency.
sx_tls.hSMTP STARTTLS and IMAPS TLS tunneling via mbedTLS. Certificate pinning support for mail servers.
sxmail_tls.cPure-C RFC 4226 (HOTP) + RFC 6238 (TOTP). Built-in SHA-1, HMAC-SHA1, Base32 decoding. Zero external dependencies.
scorpiox-otp.cMulti-source OAuth: local file, SSH remote, HTTP endpoint, TCP fetch. Supports Claude, Codex, and Gemini providers.
scorpiox-claudecode-fetchtoken.csx_config_is_sensitive() auto-detects KEY, PASS, SECRET, TOKEN, CREDENTIAL in key names. Values masked as '****' in all output.
sx_config.cOffline git repo backup (bundle/tar/zip). fork()+execvp() execution — no shell injection possible.
scorpiox-vault-git.cPersonal Access Tokens in git URLs masked in all log output. Only first 3 characters shown for identification.
scorpiox-unshare.cTOOL_BASH, TOOL_READIMAGE, TOOL_WEBSEARCH etc. individually enable/disable each agent tool. WASM auto-disables fork-dependent tools.
sx_tools.cMCP_ALLOW / MCP_DENY glob patterns control external tool access per MCP server. Deny-first evaluation.
scorpiox-mcp.cMCP commands validated against forbidden metacharacter set. execvp() used without shell to prevent injection.
scorpiox-mcp.cAll JSON string inputs validated and sanitized for proper UTF-8 encoding. Prevents malformed input attacks.
sx_json_yy.cfork()+execvp() preferred over system(). No shell interpretation. BASH_DEFAULT_TIMEOUT enforces execution time limits.
sx_exec.cDNS_AUDIT_LOG=true logs all DNS queries. DNS_AUDIT_LOG_DIR configures output directory. Full query/response tracing.
scorpiox-dns.cEvery session gets a trace file recording all tool invocations, API calls, and events with timestamps.
sx_trace.cActive configuration snapshot saved to session directory on startup. Sensitive values auto-redacted.
sx_session.cTracks child processes and detects resource leaks. Ensures clean shutdown with no orphaned processes.
sx_procmon.cAPI keys, tokens, and credentials are never written to logs or debug output in cleartext. Multiple layers protect sensitive data throughout the system.
sx_config_is_sensitive() detects any key containing KEY, PASS, SECRET, TOKEN, or CREDENTIAL (case-insensitive). All matching values are automatically masked as **** in log output, config snapshots, and debug traces.
# These values are always redacted in output:
• API keys → masked as ***
• x-api-key headers → ***MASKED***
• OAuth tokens → never logged
• SSH passwords → never logged
• PAT tokens → first 3 chars only
• Refresh tokens → never logged
API keys are set via scorpiox-env.txt with a four-tier cascade. Higher tiers override lower:
# Tier 1: Built-in defaults (compiled into binary)
# Tier 2: exe_dir/scorpiox-env.txt (global)
# Tier 3: ~/.claude/scorpiox-env.txt (user)
# Tier 4: CWD/.scorpiox/scorpiox-env.txt (project)
# Example: project-level API key override
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
GEMINI_API_KEY=AI...
Fine-grained control over which tools the AI agent can invoke and which MCP servers can execute commands.
Each tool is individually controlled via environment variables in scorpiox-env.txt:
| Key | Description |
|---|---|
| TOOL_BASH | Enable/disable shell command execution |
| TOOL_READIMAGE | Enable/disable image file reading |
| TOOL_WEBSEARCH | Enable/disable web search |
| TOOL_CREATEFILE | Enable/disable file creation |
| TOOL_BACKGROUNDBASH | Enable/disable background processes |
| TOOL_TASKMANAGER | Enable/disable task management |
| TOOL_INVOKESKILL | Enable/disable skill invocation |
| TOOL_READDOCS | Enable/disable documentation fetching |
| TOOL_ASKUSERQUESTION | Enable/disable interactive prompts |
| TOOL_EMITEVENT | Enable/disable event emission |
# Allow specific tools from an MCP server
MCP_ALLOW=read_file,write_file,list_dir
# Deny dangerous operations (deny-first evaluation)
MCP_DENY=exec_*,shell_*,sudo_*
# MCP server configuration
MCP_SERVER=stdio:///usr/local/bin/my-mcp-server
MCP_CONFIG=/path/to/mcp-config.json
Security-related configuration keys in scorpiox-env.txt:
| Key | Description |
|---|---|
| SX_TLS_VERIFY | Enable TLS certificate chain validation (default: true) |
| DNS_AUDIT_LOG | Enable DNS query audit logging |
| DNS_AUDIT_LOG_DIR | Directory for DNS audit log files |
| BASH_DEFAULT_TIMEOUT | Maximum execution time for bash commands (seconds) |
| IMAGE_BASE_URL | Base URL for container rootfs images |
| CLAUDE_CODE_TOKEN_SOURCE | OAuth token source: file, ssh, http, tcp |
| FETCHTOKEN_API_KEY_REQUIRED | Require API key for token server requests |
| FETCHTOKEN_LISTEN_PORT | Token server listen port |
# Container isolation settings
IMAGE_BASE_URL=https://images.scorpiox.net
# Seccomp: blocks personality() and keyctl() syscalls
# Capabilities: drops CAP_IPC_LOCK from bounding set
# Network: CLONE_NEWNET with slirp4netns tap0
# DNS: resolved through slirp at 10.0.2.3
# TLS verification for all HTTPS connections
SX_TLS_VERIFY=true
# DNS audit logging
DNS_AUDIT_LOG=true
DNS_AUDIT_LOG_DIR=/var/log/scorpiox/dns
Automated security audits run against the scorpiox-code C codebase. Each audit produces severity-classified findings across architecture, networking, data handling, vulnerabilities, and permissions.