# Network Communications Security Audit Report

**Project:** scorpiox/clang  
**Audit Date:** 2026-04-28  
**Auditor:** Security Audit Agent  
**Scope:** All network communications, endpoints, protocols, and telemetry in the codebase (493 .c/.h files, 224 non-vendor)

---

## 1. Network Activity Summary

The scorpiox codebase is a **network-intensive application** consisting of an AI coding agent platform with multiple LLM provider integrations, infrastructure tooling, and supporting services. Network activity falls into these categories:

| Category | Description | Risk Level |
|----------|-------------|------------|
| **AI Provider APIs** | HTTP/HTTPS to Anthropic, OpenAI, Google Gemini, Z.AI | Medium |
| **OAuth Token Acquisition** | Token refresh via HTTP, SSH, raw TCP | High |
| **Telemetry / Usage Tracking** | Usage stats and session events sent to code.scorpiox.net | Medium |
| **Software Distribution** | Downloads from dist.scorpiox.net | Medium |
| **Reverse Proxy (FRP)** | TCP+TLS connections to frps servers with yamux multiplexing | High |
| **SMTP Email** | Outbound email delivery via SMTP/STARTTLS | Medium |
| **DNS Server** | UDP/TCP DNS on port 53 with upstream forwarding | Medium |
| **Web Search** | HTML scraping of search engines (Mojeek, Brave) | Low |
| **HTTP Relay** | TCP binary protocol proxy for HTTP requests | Medium |
| **WebSocket Bridge** | WS-to-TCP bridge for VNC (ws2tcp) | Medium |
| **Unix Domain Sockets** | Local IPC for sxmux session management | Low |
| **HTTP Server** | Embedded web server with JWT auth (scorpiox-server) | Medium |
| **Voice/Whisper** | Audio transcription API calls | Low |

---

## 2. Endpoint Inventory

### 2.1 Hardcoded Production Endpoints

| URL / Host | Port | Protocol | Source File | Purpose | User-Initiated |
|------------|------|----------|-------------|---------|----------------|
| `https://api.anthropic.com/v1/messages` | 443 | HTTPS | sx_provider_anthropic.c, sx_provider_claude_code.c | Anthropic Claude API | Yes |
| `https://api.anthropic.com/v1/messages?beta=true` | 443 | HTTPS | sx_provider_claude_code_wasm.c | Claude Code API (WASM) | Yes |
| `https://api.anthropic.com/v1/models` | 443 | HTTPS | scorpiox-claudecode-models.c | Model listing | Yes |
| `https://api.openai.com/v1/chat/completions` | 443 | HTTPS | sx_provider_openai_wasm.c | OpenAI API | Yes |
| `https://chatgpt.com/backend-api/codex/responses` | 443 | HTTPS | sx_provider_codex.c | OpenAI Codex API | Yes |
| `https://auth.openai.com/oauth/token` | 443 | HTTPS | scorpiox-codex-refreshtoken.c | OpenAI OAuth refresh | Automatic |
| `https://console.anthropic.com/v1/oauth/token` | 443 | HTTPS | scorpiox-claudecode-refreshtoken.c | Anthropic OAuth refresh | Automatic |
| `https://generativelanguage.googleapis.com/v1beta` | 443 | HTTPS | sx_provider_gemini_wasm.c | Google Gemini API | Yes |
| `https://api.z.ai/api/anthropic/v1/messages` | 443 | HTTPS | sx_config_embedded.c | Z.AI proxy endpoint | Yes |
| `https://code.scorpiox.net/usage-send` | 443 | HTTPS | scorpiox-usage.c | **Usage telemetry** | Automatic |
| `https://code.scorpiox.net/sessions-send` | 443 | HTTPS | scorpiox-emit-session.c | **Session event telemetry** | Automatic |
| `https://dist.scorpiox.net/container-images/` | 443 | HTTPS | scorpiox-wsl.c, scorpiox-vm.c, scorpiox-unshare.c | Container image downloads | User-Initiated |
| `https://dist.scorpiox.net/executables/` | 443 | HTTPS | scorpiox-wsl.c, scorpiox-whatsapp.c | Binary updates/downloads | Automatic |
| `https://dist.scorpiox.net/firmware/` | 443 | HTTPS | scorpiox-vm.c | BIOS firmware download | User-Initiated |
| `https://dist.scorpiox.net/scorpiox/` | 443 | HTTPS | sx_config_embedded.c | Software distribution | User-Initiated |
| `https://dist.scorpiox.net/scorpiox/index.txt` | 443 | HTTPS | sx_config_embedded.c | Package index | Automatic |
| `https://whisper.scorpiox.net/` | 443 | HTTPS | scorpiox-voice.c | Voice transcription API | Yes |
| `https://opus.scorpiox.net` | 443 | HTTPS | sx_config_embedded.c | OpenAI-compat endpoint | Yes |
| `https://qwen3-coder-next.scorpiox.net` | 443 | HTTPS | sx_config_embedded.c | Qwen model endpoint | Yes |
| `https://login.scorpiox.net/` | 443 | HTTPS | scorpiox-server.c | JWT issuer (validation) | N/A |
| `https://scorpiox.net/api` | 443 | HTTPS | scorpiox-server.c | JWT audience (validation) | N/A |
| `https://git.scorpiox.net` | 443 | HTTPS | scorpiox-mirror-git.c | Git server | User-Initiated |
| `https://www.mojeek.com/search` | 443 | HTTPS | scorpiox-websearch.c | Web search | Yes |
| `https://search.brave.com/search` | 443 | HTTPS | scorpiox-websearch.c | Web search | Yes |
| `http://scorpiox.net:5176` | 5176 | HTTP | sx_config_embedded.c | **Router URL (plaintext!)** | Yes |
| `http://token.scorpiox.net/claude` | 80 | HTTP | sx_config_embedded.c | **Token endpoint (plaintext!)** | Automatic |
| `http://token.scorpiox.net/codex` | 80 | HTTP | sx_config_embedded.c | **Token endpoint (plaintext!)** | Automatic |
| `http://token.scorpiox.net/gemini` | 80 | HTTP | sx_config_embedded.c | **Token endpoint (plaintext!)** | Automatic |
| `registry.scorpiox.net` | 443 | HTTPS | sx_config_embedded.c | Container registry | User-Initiated |
| `relay.scorpiox.net` | 9801 | TCP | sx_config_embedded.c | HTTP relay server | Automatic |
| `anthropic.scorpiox.net` | 443 | HTTPS | sx_config_embedded.c | Anthropic proxy | Yes |

### 2.2 Hardcoded Internal/Private IPs

| IP Address | Port | Source File | Purpose | Risk |
|------------|------|-------------|---------|------|
| `20.53.240.54` | 9800 | sx_config_embedded.c | **TCP token server (public Azure IP)** | **HIGH** – Hardcoded in WASM binary |
| `192.168.1.12` | 8045 | sx_config_embedded.c | Antigravity API proxy (LAN) | Medium – Internal exposure |
| `192.168.1.3` | N/A | sx_config_embedded.c | TMux remote host (SSH/SMB) | Medium – Internal exposure |
| `192.168.1.6` | 22223 | sx_config_embedded.c | Claude Code SSH host | **HIGH** – SSH credentials hardcoded |
| `192.168.1.60` | 5900 | bridge/ws2tcp.c | VNC target (example/default) | Low |
| `192.168.1.204` | 8045 | sx_config_embedded.c | Antigravity API alt. endpoint | Medium |
| `127.0.0.1` | Various | Multiple files | Loopback (relay, proxy) | Low |
| `8.8.8.8` | 53 | scorpiox-dns.c, scorpiox-unshare.c | Google DNS upstream | Low |
| `1.1.1.1` | 53 | scorpiox-dns.c, scorpiox-unshare.c | Cloudflare DNS upstream | Low |

### 2.3 Hardcoded Credentials in Embedded Config

| Credential | Value (Partial) | File | Risk |
|------------|----------------|------|------|
| `ANTHROPIC_ANTIGRAVITY_KEY` | `sk-6088a10d...` | sx_config_embedded.c | **CRITICAL** – API key in source |
| `ANTHROPIC_ZAI_KEY` | `9c6fba5d...ue19jY48d9GmddqX` | sx_config_embedded.c | **CRITICAL** – API key in source |
| `GEMINI_API_KEY` | `AIzaSyDsvlLn...8IQHVA8` | sx_config_embedded.c | **CRITICAL** – API key in source |
| `CLAUDE_CODE_SSH_PASS` | `xboxone` | sx_config_embedded.c | **CRITICAL** – SSH password in source |
| `CLAUDE_CODE_SSH_USER` | `root` | sx_config_embedded.c | **HIGH** – Root SSH access |

---

## 3. Protocol Analysis

### 3.1 HTTP/HTTPS (libcurl + WASM fetch)

**Implementation:** `sx_http.c` (native via libcurl), `sx_http_wasm.c` (browser fetch API)

- **Native path:** Uses libcurl with standard TLS. Default timeout: 600s.
- **WASM path:** Uses synchronous XHR or async fetch via Emscripten. Proxy through `/api/platform/websites/wasm_scorpiox_proxy`.
- **Streaming:** SSE (Server-Sent Events) for streaming LLM responses.
- **Headers:** Standard `Content-Type: application/json`, provider-specific auth headers.
- **Cancel support:** Progress callback can abort transfers.

### 3.2 Raw TCP Socket

**Implementation:** `scorpiox-claudecode-fetchtoken.c`

- **Purpose:** Fetch OAuth tokens from a raw TCP server.
- **Protocol:** Fire-and-forget: connect → server sends JSON → server closes connection.
- **Default endpoint:** `20.53.240.54:9800` (hardcoded in WASM config).
- **Security:** **NO TLS** — tokens transmitted in plaintext over TCP.
- **Timeout:** 10 seconds (SO_RCVTIMEO/SO_SNDTIMEO).

### 3.3 FRP Reverse Proxy

**Implementation:** `sx_frp.c` (2118 lines)

- **Protocol:** FRP wire format: `[1 byte type][8 byte int64 BE length][JSON payload]`
- **Auth:** MD5(token + timestamp) → hex string. **Weak** — MD5 is cryptographically broken.
- **Encryption:** AES-128-CFB on control stream. Key derived via PBKDF2-SHA1 with only 64 iterations and salt "frp". **Weak** — low iteration count.
- **TLS:** Optional TLS layer for frps-secure using mbedTLS. **Certificate verification DISABLED** (`MBEDTLS_SSL_VERIFY_NONE`).
- **Yamux multiplexing:** Multiple streams over single TCP connection.
- **Heartbeat:** 30-second ping/pong intervals.

### 3.4 SMTP (Email)

**Implementation:** `scorpiox-email.c` (libcurl), `sxmail_queue.c` (native SMTP client)

- **Protocols:** SMTP with STARTTLS (port 587), implicit TLS (port 465), plaintext (port 25).
- **Auth:** AUTH PLAIN and AUTH LOGIN supported.
- **TLS in relay:** mbedTLS with **VERIFY_NONE** — no certificate validation.
- **MX lookup:** Direct DNS MX resolution via `getaddrinfo()`.

### 3.5 DNS Server

**Implementation:** `scorpiox-dns.c`

- **Listens:** UDP + TCP on port 53.
- **Upstream:** Configurable, default 8.8.8.8 and 1.1.1.1.
- **Features:** Split-horizon, caching, zone management.
- **Scope:** Infrastructure service, not agent core functionality.

### 3.6 HTTP Server

**Implementation:** `scorpiox-server.c` (3174 lines)

- **Listens:** Default port 8080 (configurable).
- **Auth:** JWT HMAC-SHA256 validation (cookie-based).
- **URL handling:** Git clone with PAT injection into URLs.

### 3.7 WebSocket Bridge

**Implementation:** `bridge/ws2tcp.c`

- **Listens:** Default port 6080.
- **Protocol:** WebSocket (RFC 6455) to raw TCP bridge.
- **Purpose:** noVNC frontend connectivity.
- **Uses:** epoll for I/O multiplexing.

### 3.8 HTTP Relay

**Implementation:** `sx_http_relay.c`

- **Protocol:** Custom binary protocol over TCP: `SXH1` magic header, big-endian framing.
- **Default:** `127.0.0.1:9801` (or `relay.scorpiox.net:9801`).
- **Purpose:** Offload HTTP/HTTPS to a relay server (for environments without libcurl/TLS).
- **Activation:** Opt-in via `HTTP_RELAY=1` config.

### 3.9 Unix Domain Sockets

**Implementation:** `sxmux_session.c`

- **Purpose:** Local IPC for terminal multiplexer sessions.
- **Scope:** AF_UNIX, SOCK_STREAM — no network exposure.
- **Risk:** Low — local only.

---

## 4. Telemetry Assessment

**Classification: MODERATE — Opt-in with sensible defaults**

### 4.1 Usage Tracking (`scorpiox-usage.c`)

| Aspect | Detail |
|--------|--------|
| **Endpoint** | `https://code.scorpiox.net/usage-send` |
| **Default** | **DISABLED** (`USAGE_TRACKING=0`) |
| **Trigger** | Fire-and-forget from agent loop |
| **Data Sent** | Session ID, provider, model, input/output tokens, cache tokens, tier, project name, git branch |
| **Machine Metadata** | hostname, username, OS, arch, OS version, scorpiox version |
| **Opt-out** | Set `USAGE_TRACKING=0` in scorpiox-env.txt |

### 4.2 Session Event Telemetry (`scorpiox-emit-session.c`)

| Aspect | Detail |
|--------|--------|
| **Endpoint** | `https://code.scorpiox.net/sessions-send` |
| **Default** | **DISABLED** (`EMIT_SESSION_TRACKING=0`) |
| **Trigger** | Fire-and-forget per message |
| **Data Sent** | Session ID, message sequence, type (user/assistant/tool), message text, provider, model, project, branch |
| **Machine Metadata** | hostname, username, OS, arch, OS version |
| **Risk** | **HIGH when enabled** — full conversation content transmitted |
| **Opt-out** | Set `EMIT_SESSION_TRACKING=0` in scorpiox-env.txt |

### 4.3 Cache Keepalive (`sx_cache_keepalive.c`)

- Sends periodic heartbeat pings (every 60s) to keep LLM API cache warm.
- User-configurable interval and max attempts.
- This generates billable API traffic to provider endpoints.

### 4.4 Software Update Checks

- `scorpiox-wsl.c`: Auto-downloads updates from `dist.scorpiox.net/executables/`.
- `scorpiox-whatsapp.c`: Auto-downloads WhatsApp bridge binary.
- `scorpiox-tmux.c`: Resolves binaries via distribution index.

---

## 5. TLS/SSL Security Analysis

### 5.1 Certificate Verification

| Component | TLS Library | Cert Verification | Risk |
|-----------|-------------|-------------------|------|
| HTTP Client (native) | libcurl + system TLS | **System CA bundle** (default) | Low |
| HTTP Client (WASM) | Browser TLS | **Browser CA store** | Low |
| FRP Reverse Proxy | mbedTLS | **VERIFY_NONE** ⚠️ | **HIGH** |
| SMTP Relay | mbedTLS | **VERIFY_NONE** ⚠️ | **HIGH** |
| SMTP Server (sxmail_tls.c) | mbedTLS | **VERIFY_NONE** ⚠️ | **HIGH** |
| Raw TCP Token Fetch | None | **No TLS at all** ⚠️ | **CRITICAL** |

### 5.2 Specific TLS Findings

1. **`sx_frp.c:1105`** — `mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE)`
   - FRP client skips all certificate verification.
   - Vulnerable to MITM attacks on the control channel.

2. **`sxmail_queue.c:532`** — `mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE)`
   - SMTP relay TLS skips cert verification. Comment says "relay is trusted".
   - Vulnerable to MITM on outbound email relay connections.

3. **`sxmail_tls.c:185`** — `mbedtls_ssl_conf_authmode(&c->conf, MBEDTLS_SSL_VERIFY_NONE)`
   - SMTP server TLS connection skips verification.

4. **Token fetch over raw TCP** — `scorpiox-claudecode-fetchtoken.c`
   - OAuth tokens transmitted over unencrypted TCP to `20.53.240.54:9800`.
   - No integrity or confidentiality protection.

### 5.3 TLS Version

- mbedTLS defaults used (`MBEDTLS_SSL_PRESET_DEFAULT`) — supports TLS 1.2+.
- No explicit minimum version enforcement found.
- FRP uses custom 0x17 marker byte before TLS handshake (FRP-specific protocol).

---

## 6. Data Flow Diagrams

### 6.1 AI Provider Request Flow

```
User Input
    │
    ▼
┌──────────┐   JSON/HTTPS   ┌────────────────────────────┐
│  sx.c    │ ──────────────► │ api.anthropic.com          │
│ (agent)  │ ◄────────────── │ api.openai.com             │
└──────────┘   SSE stream    │ generativelanguage.google  │
    │                        │ chatgpt.com                │
    │                        │ api.z.ai                   │
    ▼                        └────────────────────────────┘
Display Response
```

### 6.2 Token Acquisition Flow

```
                        ┌──────────────────────────────────────┐
                        │  Token Source (configurable)          │
                        │                                      │
  ┌─────────┐   TCP    │  ① Raw TCP  → 20.53.240.54:9800     │
  │fetchtoken│ ◄───────│  ② HTTP     → token.scorpiox.net    │
  │   exe    │   SSH    │  ③ SSH      → 192.168.1.6:22223    │
  │          │ ◄───────│  ④ Local    → ~/.claude/.credentials│
  └─────────┘   File   │  ⑤ Config   → scorpiox-env.txt     │
       │                └──────────────────────────────────────┘
       ▼
  OAuth Token → Provider API
```

### 6.3 Telemetry Flow

```
  ┌──────────┐                    ┌─────────────────────┐
  │  sx.c    │  fire-and-forget   │ code.scorpiox.net   │
  │ (agent)  │ ──────────────────►│   /usage-send       │
  │          │  POST JSON/HTTPS   │   /sessions-send    │
  └──────────┘                    └─────────────────────┘
       │                                    │
       │ Collects:                          │ Receives:
       │  • session_id                      │  • token usage stats
       │  • hostname, username              │  • conversation content
       │  • os, arch                        │  • machine fingerprint
       │  • provider, model                 │
       │  • token counts                    │
       │  • message content (sessions)      │
```

### 6.4 FRP Reverse Proxy Flow

```
  ┌───────────────┐   TCP+TLS(no verify)   ┌──────────┐
  │ sx_frp.c      │ ◄─────────────────────► │ frps     │
  │ (frpc client) │   yamux multiplexing    │ server   │
  └───────┬───────┘   AES-128-CFB crypto    └────┬─────┘
          │                                       │
          │ local:127.0.0.1:port                  │ remote:port
          ▼                                       ▼
    Local Service                          Remote Access
```

---

## 7. DNS Resolution Analysis

| Caller | Domain Resolved | Method | Purpose |
|--------|----------------|--------|---------|
| `sx_frp.c` | `server_addr` (config) | `getaddrinfo()` | FRP server connection |
| `sx_http_relay.c` | `relay_host` (config) | `getaddrinfo()` | HTTP relay connection |
| `sxmail_queue.c` | MX records for domains | `getaddrinfo()` on port 25 | Email delivery |
| `sxmail_queue.c` | SMTP relay host | `getaddrinfo()` | Relay email delivery |
| `scorpiox-claudecode-fetchtoken.c` | `TCP_HOST` (config) | `getaddrinfo()` | Token server |
| `sxmail_maildir.c` | local hostname | `gethostname()` | Maildir unique names |
| `sx_frp.c` | local hostname | `gethostname()` | FRP login metadata |
| `scorpiox-dns.c` | upstream DNS | `inet_pton()` | DNS forwarding |
| libcurl (various) | API hostnames | Internal resolver | All HTTPS requests |

**Note:** A `DNS_AUDIT_LOG` config option exists (default: disabled) for logging DNS queries to `/var/log/scorpiox-dns`.

---

## 8. Data Exfiltration Pattern Analysis

### 8.1 Potential Patterns Found

| Pattern | Location | Risk Assessment |
|---------|----------|-----------------|
| **Machine fingerprinting + HTTP POST** | scorpiox-usage.c | Sends hostname, username, OS, arch. **Low risk** if user opts in. |
| **Full conversation content + HTTP POST** | scorpiox-emit-session.c | Sends complete message text when enabled. **High risk** when enabled. |
| **Base64 encoding + network** | sxmail_queue.c, sxmail_dkim.c | Used for SMTP AUTH PLAIN and DKIM signing — legitimate email use. |
| **Base64 encoding + terminal** | sx_term.c | Used for terminal clipboard (OSC 52) — local only. |
| **File read + HTTP POST** | scorpiox-emit-session.c | `--file` flag reads file content and POSTs it. **Medium risk** — user-initiated. |
| **Token file read + TCP send** | scorpiox-claudecode-fetchtoken.c | Reads OAuth credentials and uses them — normal auth flow. |
| **Git credentials in URLs** | scorpiox-server.c, scorpiox-mirror-git.c | PAT tokens embedded in HTTPS URLs for git operations. |

### 8.2 No Covert Exfiltration Found

No patterns of covert data exfiltration were identified. All network transmissions serve documented purposes and are either user-initiated or controlled by explicit configuration flags.

---

## 9. Risk Assessment

### 9.1 Critical Findings

| # | Finding | Severity | Location |
|---|---------|----------|----------|
| C1 | **API keys hardcoded in WASM binary** — Anthropic, Z.AI, and Gemini API keys embedded in sx_config_embedded.c | **CRITICAL** | sx_config_embedded.c |
| C2 | **SSH credentials in source** — root password "xboxone" for 192.168.1.6:22223 | **CRITICAL** | sx_config_embedded.c |
| C3 | **OAuth tokens over plaintext TCP** — tokens fetched via raw TCP (no TLS) from 20.53.240.54:9800 | **CRITICAL** | scorpiox-claudecode-fetchtoken.c |

### 9.2 High Findings

| # | Finding | Severity | Location |
|---|---------|----------|----------|
| H1 | **TLS certificate verification disabled** on all mbedTLS connections (FRP, SMTP relay, SMTP server) | **HIGH** | sx_frp.c:1105, sxmail_queue.c:532, sxmail_tls.c:185 |
| H2 | **Token endpoints over plaintext HTTP** — token.scorpiox.net/claude, /codex, /gemini use HTTP not HTTPS | **HIGH** | sx_config_embedded.c |
| H3 | **Router URL over plaintext HTTP** — `http://scorpiox.net:5176` for AI routing | **HIGH** | sx_config_embedded.c |
| H4 | **FRP auth uses MD5** — cryptographically broken hash for authentication | **HIGH** | sx_frp.c |
| H5 | **FRP encryption uses PBKDF2 with 64 iterations** — far below recommended minimum (600,000 for PBKDF2-SHA1) | **HIGH** | sx_frp.c |
| H6 | **Session telemetry sends full conversation content** when EMIT_SESSION_TRACKING=1 | **HIGH** | scorpiox-emit-session.c |
| H7 | **Private network IPs hardcoded** in WASM binary (192.168.1.x network topology exposed) | **HIGH** | sx_config_embedded.c |

### 9.3 Medium Findings

| # | Finding | Severity | Location |
|---|---------|----------|----------|
| M1 | Usage telemetry sends machine fingerprint (hostname, username, OS) | **MEDIUM** | scorpiox-usage.c |
| M2 | Auto-update mechanism downloads executables without integrity verification (no signature checking) | **MEDIUM** | scorpiox-wsl.c, scorpiox-whatsapp.c |
| M3 | Git PAT tokens embedded in clone URLs (visible in process list, logs) | **MEDIUM** | scorpiox-server.c |
| M4 | Cache keepalive generates ongoing billable API traffic | **MEDIUM** | sx_cache_keepalive.c |
| M5 | HTTP relay uses custom binary protocol without authentication | **MEDIUM** | sx_http_relay.c |
| M6 | SMTP AUTH PLAIN sends credentials in base64 (trivially decodable) | **MEDIUM** | sxmail_queue.c |

### 9.4 Low Findings

| # | Finding | Severity | Location |
|---|---------|----------|----------|
| L1 | DNS server defaults to Google/Cloudflare upstream (privacy implication) | **LOW** | scorpiox-dns.c |
| L2 | WebSocket bridge has no authentication mechanism | **LOW** | bridge/ws2tcp.c |
| L3 | Traffic logging writes raw HTTP request/response bodies to disk | **LOW** | Multiple provider files |

---

## 10. Recommendations

1. **Rotate all embedded credentials immediately** — API keys, SSH passwords in sx_config_embedded.c are compromised by being in source code.
2. **Enable TLS certificate verification** on all mbedTLS connections — replace `MBEDTLS_SSL_VERIFY_NONE` with `MBEDTLS_SSL_VERIFY_REQUIRED` and load CA certificates.
3. **Upgrade token fetch to HTTPS** — replace raw TCP token acquisition with TLS-secured transport.
4. **Upgrade token.scorpiox.net and router URL to HTTPS** — all authentication-related traffic must be encrypted.
5. **Replace MD5 in FRP auth** with SHA-256 or better.
6. **Increase PBKDF2 iterations** in FRP from 64 to at least 600,000.
7. **Add binary signature verification** for auto-update downloads.
8. **Remove private network IPs** from the WASM embedded config.
9. **Add integrity checking** (checksums/signatures) for downloaded container images and firmware.
10. **Document all network endpoints** in user-facing documentation so users can configure firewalls appropriately.

---

## 11. Appendix: Complete File-to-Network-Function Mapping

### Files with Direct Socket Operations

| File | Functions Used |
|------|---------------|
| `sx_frp.c` | `socket()`, `connect()`, `send()`, `recv()`, `getaddrinfo()`, `setsockopt()`, `close()` |
| `sxmux_session.c` | `socket(AF_UNIX)`, `bind()`, `listen()`, `accept()`, `connect()` |
| `sxmail_queue.c` | `socket()`, `connect()`, `send()`, `recv()`, `getaddrinfo()` |
| `sxmail_smtp.c` | `accept()`, `send()`, `recv()` |
| `bridge/ws2tcp.c` | `socket()`, `bind()`, `listen()`, `accept()`, `connect()`, `epoll_*()` |
| `scorpiox-server.c` | `socket()`, `bind()`, `listen()`, `accept()`, `setsockopt()` |
| `scorpiox-dns.c` | `socket()`, `bind()`, `sendto()`, `recvfrom()` |
| `scorpiox-claudecode-fetchtoken.c` | `socket()`, `connect()`, `recv()`, `getaddrinfo()` |
| `sx_http_relay.c` | `socket()`, `connect()`, `send()`, `recv()`, `getaddrinfo()` |

### Files Using libcurl (via sx_http.c)

| File | Purpose |
|------|---------|
| `sx_provider_anthropic.c` | Anthropic API calls |
| `sx_provider_claude_code.c` | Claude Code API calls |
| `sx_provider_codex.c` | Codex API calls |
| `sx_claude.c` | Scorpiox router API calls |
| `scorpiox-usage.c` | Telemetry |
| `scorpiox-emit-session.c` | Session telemetry |
| `scorpiox-voice.c` | Whisper API |
| `scorpiox-email.c` | SMTP via libcurl |
| `scorpiox-claudecode-refreshtoken.c` | OAuth token refresh |
| `scorpiox-codex-refreshtoken.c` | OAuth token refresh |

---

*Report generated by Security Audit Agent — 2026-04-28*
