📄 01-architecture.md
⬇ Download Raw

Architecture & Supply Chain Security Audit Report

Project: ScorpioX CLI (clang codebase) Audit Date: 2026-04-28 Commit: b85fca9891f8ff39fce93868947ce31fe9fed50e Auditor: Security Audit Agent Total Lines of Code: 369,205 (C + H files)

Executive Summary

The ScorpioX CLI codebase is a C11 project comprising 259 .c files and 234 .h files across 369,205 lines of code. The project follows a vendored-dependency model — all third-party libraries are committed directly into the source tree under scorpiox/vendor/, and the build system uses only system-provided compilers (gcc/clang) via CMake. There are no runtime package manager dependencies for the core C build. The project produces multiple static executables (not a single binary), with approximately 40+ distinct tool binaries.

Overall Risk Assessment: LOW — The architecture demonstrates strong supply chain security practices with vendored dependencies, deterministic builds, and minimal external surface area. A few medium-risk findings are noted below.

1. Dependency Analysis

1.1 Package Manager Files Scan

FileFoundLocationRisk
package.jsonYESbridge/package.jsonMedium
requirements.txtNo
Cargo.tomlNo
go.mod / go.sumNo
vcpkg.jsonNo
conanfile.txt / .pyNo
setup.py / pyproject.tomlNo
GemfileNo
pom.xml / build.gradleNo
CMakeLists.txt with FetchContentNo
Finding: The core C codebase has zero external package manager dependencies. The only package.json exists in bridge/, a secondary Node.js/Bun-based WhatsApp bridge component that depends on @whiskeysockets/baileys (^7.0.0-rc.9) and qrcode-terminal (^0.12.0). This is a peripheral, non-core component with a bun.lock pinning exact versions.

1.2 Vendored Libraries

Two third-party libraries are vendored directly into the source tree:

LibraryLocationLicenseLinesPurpose
yyjsonscorpiox/vendor/yyjson/MIT~15KFast JSON parser (pure C99, zero deps)
mbedTLSscorpiox/vendor/mbedtls/Apache-2.0 / GPL-2.0+~210KTLS/crypto (AES-128-CFB, PBKDF2, TLS 1.2)
Vendored code: 225,896 lines (61% of total) Project code: 143,309 lines (39% of total)

Both libraries are well-known, audited open-source projects. They are compiled from source as static libraries during the build — no pre-built binaries of these libraries exist in the repository.

1.3 System Library Dependencies

The build links against the following system-provided libraries (not vendored, obtained from OS package manager or SDK):

LibraryConditionPurpose
libcurlAlways (static .a preferred)HTTP client
openssl / libssl + libcryptoLinux static buildsTLS for curl
zlibLinux static buildsCompression
zstdLinux static buildsCompression
nghttp2 / nghttp3Linux static buildsHTTP/2, HTTP/3
brotliLinux static buildsCompression
c-aresLinux static (musl)Async DNS
libidn2 / libunistringLinux static (musl)Internationalized DNS
libpslLinux static (musl)Public suffix list
ncursesTUI buildsTerminal UI
libutilLinux (non-macOS)forkpty()
libX11Linux (optional)Screenshot feature
pthreadsLinuxThreading

For static Linux builds, all of these are linked statically from Alpine system packages (see Dockerfile.build-musl). On macOS, dynamic linking is used where full static linking is unsupported.

Risk: LOW — All system dependencies are standard OS libraries. The static linking approach on Linux produces standalone executables with no runtime library resolution.

2. Build Process Security

2.1 Build System Overview

2.2 Build Flags

Release: -O2 -DNDEBUG -Wall -Wextra

Debug: -g -O0 -DDEBUG -Wall -Wextra

GCC-only: -Wno-format-truncation -Wno-stringop-truncation

All warning flags are appropriate. The -Wformat=2 flag is applied to vendored mbedTLS as well.

2.3 Network Activity During Build

The CMake build system does not download anything at build time. Specifically:

Code Generation Note: The build invokes tests/code_generator_models.py to generate sx_models_generated.h containing AI model constants. The CMake comment explicitly states this is "FROZEN at opus-4-6" and does not fetch from network at build time — it reads from a local frozen configuration.

2.4 Build Containerization

The project provides Dockerfile.build-musl (Alpine-based) for reproducible Linux builds. All dependencies are installed via apk add from Alpine's official repository — this is the standard and expected approach for containerized builds.

2.5 Release Scripts

ScriptPlatformSecurity Notes
release_macos_native.shmacOS ARM64Uses system Xcode clang; only requires brew install cmake
release.ps1Cross-platformClones repo on remote macOS for build (git over SSH)
release_windows.ps1WindowsRequires MinGW + curl; pre-installed via winget
release_wasm.ps1WASMDownloads emscripten SDK from GitHub — see Finding 2.5.1
release_whatsapp.ps1WhatsApp bridgeDownloads Bun runtime — see Finding 2.5.2
Finding 2.5.1 (Medium): release_wasm.ps1 clones https://github.com/emscripten-core/emsdk.git at build time. This introduces a network dependency for WASM builds only. The WASM target is not the primary deployment artifact. Finding 2.5.2 (Medium): release_whatsapp.ps1 runs curl -fsSL https://bun.sh/install | bash to install the Bun runtime. This is a curl-pipe-bash pattern that introduces supply chain risk for the WhatsApp bridge component only. Risk: LOW for core builds, MEDIUM for WASM and WhatsApp bridge builds.

3. Binary Output Analysis

3.1 Build Output

The project produces approximately 45+ distinct executables, not a single binary. Key executables include:

BinaryPurposeDependencies
scorpiox-bashShell executionsxutil
scorpiox-agentAI agent modesxnet, sxui, sxutil, curl
scorpiox-configConfigurationsxutil
scorpiox-serverHTTP serversxutil, yyjson
scorpiox-emailEmail (SMTP/IMAP)sxnet, sxutil, curl, mbedtls
scorpiox-frpReverse proxy clientsxnet, sxutil, curl
scorpiox-dnsLAN DNS serversxutil
scorpiox-hookEvent hooksZero deps (standalone)
scorpiox-vault-gitGit backupZero deps (standalone)
scorpiox-sdkHeadless CLI wrappersxutil
sx_shared (optional)DLL for C# P/Invokesxutil (when SX_BUILD_DLL=ON)

3.2 Internal Libraries (Static)

All internal libraries are built as static libraries and linked into executables:

LibraryPurpose
sxutilBase utilities, config, logging, JSON, tools
sxnetNetwork layer, TLS, HTTP, API clients
sxuiTerminal UI layer
sxhttpHTTP helpers
sxbridgeWhatsApp bridge IPC
sxtermTerminal/PTY management
mbedtls_libVendored mbedTLS (static)
yyjsonVendored JSON parser (static)

3.3 Static Linking Verification

On Linux (the primary deployment target):

On macOS:

3.4 Shared Library Target

An optional SX_BUILD_DLL target exists (sx_shared / sx.dll) for C# P/Invoke interop. This is OFF by default and produces a shared library only when explicitly requested.

Risk: LOW — The build architecture properly segregates static executables from the optional shared library target.

4. Code Provenance

4.1 Git Author Analysis

Author EmailCommitsPercentage
dev@scorpiox.net62363.4%
scorpiox@scorpiox.net35235.8%
partner@scorpioplayer.com30.3%
picobot@scorpioplayer.com20.2%
pico@scorpiox.net10.1%
sx@sx10.1%

4.2 Domain Analysis

DomainCommitsPercentage
scorpiox.net97699.4%
scorpioplayer.com50.5%
sx10.1%
99.4% of all commits (976/982) originate from @scorpiox.net addresses. The scorpioplayer.com domain appears to be a related/partner entity with only 5 commits. The single sx@sx commit appears to be a misconfigured local git config.

4.3 Repository Timeline

Risk: LOW — Strong single-organization provenance with consistent authorship.

5. Third-Party Code Check

5.1 LICENSE/COPYING Files Found

FileLibraryLicense
scorpiox/vendor/yyjson/LICENSEyyjsonMIT
scorpiox/vendor/mbedtls/LICENSEmbedTLSApache-2.0 / GPL-2.0+

5.2 Copyright Analysis

Third-party copyrights are confined exclusively to the scorpiox/vendor/ directory. No third-party copyright notices were found in non-vendor project code.

5.3 gnuwin64 Vendor Directory

The scorpiox/vendor/gnuwin64/ directory contains only:

No pre-built binaries are stored. The download script fetches MSYS2 packages at deployment time (not build time) for Windows environments that need GNU tools. This is not a build dependency.

Risk: LOW — Vendored code is properly attributed and license-compatible.

6. Pre-Built Binaries Check

6.1 Binary Scan Results

FileTypeRisk
bridge/scorpiox-ws2tcpELF 64-bit x86-64, dynamically linked, not strippedMedium
bridge/scorpiox-ws2tcp-arm64ELF 64-bit ARM aarch64, dynamically linked, not strippedMedium
No .so, .dll, .dylib, .a, .lib, .o, .obj, or .exe files were found anywhere in the repository.

6.2 Pre-Built Binary Analysis

Two pre-built ELF binaries exist in bridge/:

Finding 6.2.1 (Medium): Pre-built binaries in a source repository present a supply chain risk — there is no guarantee that the committed binaries match the committed source. These should ideally be built from source during the release process rather than committed as blobs.

7. Risk Assessment Summary

#FindingSeverityComponentRecommendation
1Core C build has zero package manager dependenciesPositiveCoreNone — excellent practice
2All third-party code vendored in-treePositiveCorePeriodically update vendored libs for security patches
3Build uses only system compiler, no downloaded toolchainsPositiveCoreNone
4Static linking by default on LinuxPositiveCoreNone — reduces runtime attack surface
599.4% single-org commit provenancePositiveCoreNone
6No FetchContent/ExternalProject in CMakePositiveCoreNone
7bridge/package.json introduces npm/Bun dependencies⚠️ MediumBridgeIsolate bridge build; pin exact versions; audit transitive deps
8Pre-built ELF binaries in bridge/⚠️ MediumBridgeRemove committed binaries; build from source in CI
9release_wasm.ps1 clones emscripten from GitHub⚠️ MediumWASM releasePin specific commit hash; verify checksum
10release_whatsapp.ps1 uses curl-pipe-bash for Bun⚠️ MediumWhatsApp releasePin Bun version; verify checksum
11gnuwin64/download.ps1 fetches MSYS2 packages at deploy time⚠️ LowWindows deployPin package versions; verify checksums
12Multiple executables (not single binary)ℹ️ InfoCoreArchitecture decision; not a risk

Overall Risk Rating: LOW

The core ScorpioX C codebase demonstrates exemplary supply chain security practices. All medium-risk findings are confined to peripheral components (WhatsApp bridge, WASM builds, Windows deployment tooling) that do not affect the primary build pipeline. The primary C build is fully deterministic, uses only vendored and system libraries, and produces static executables with strong provenance.


Report generated: 2026-04-28T11:32 NZST Audit commit: b85fca9891f8ff39fce93868947ce31fe9fed50e Agent: Security Audit Agent