Asi signal-isolated-auth

Maximally isolated Signal authentication via colored operad security boundaries. VM→Container→Process enclosure with GF(3) conservation for Agent-O-Rama pathways.

install

source · Clone the upstream repo

git clone https://github.com/plurigrid/asi

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/signal-isolated-auth" ~/.claude/skills/plurigrid-asi-signal-isolated-auth && rm -rf "$T"

manifest: plugins/asi/skills/signal-isolated-auth/SKILL.md

source content

Signal Isolated Authentication

Overview

Maximally isolated Signal client authentication using colored operad security boundaries. Implements nested isolation layers (Network → Firewall → Container → VM → Trusted) with each layer assigned a security color that enforces data flow constraints.

┌─────────────────────────────────────────────────────────────────────────────┐
│  COLORED OPERAD ISOLATION STACK                                             │
└─────────────────────────────────────────────────────────────────────────────┘

   External World (Untrusted)
          │
          ▼
   ┌──────────────────────────────────────────────────────────────────────┐
   │  🔴 RED: Network Boundary (trit=-1)                                  │
   │      • Network namespace isolation                                   │
   │      • DNS filtering (*.signal.org only)                            │
   │      • Firewall: outbound-only, ports 443/80                        │
   │  ┌────────────────────────────────────────────────────────────────┐  │
   │  │  🟡 YELLOW: Container Boundary (trit=-1)                       │  │
   │  │      • Podman/Docker rootless                                  │  │
   │  │      • --privileged=false, --read-only                        │  │
   │  │      • Seccomp profile, AppArmor/SELinux                      │  │
   │  │      • CAP_DROP=ALL, CAP_ADD=NET_RAW                          │  │
   │  │  ┌──────────────────────────────────────────────────────────┐  │  │
   │  │  │  🟢 GREEN: VM Boundary (trit=0)                          │  │  │
   │  │  │      • Firecracker microVM                               │  │  │
   │  │  │      • 1 vCPU, 512MB RAM                                 │  │  │
   │  │  │      • Minimal kernel, read-only rootfs                  │  │  │
   │  │  │  ┌────────────────────────────────────────────────────┐  │  │  │
   │  │  │  │  🔵 BLUE: Trusted Core (trit=+1)                   │  │  │  │
   │  │  │  │      • Signal CLI process                          │  │  │  │
   │  │  │  │      • Key material in memory-encrypted enclave    │  │  │  │
   │  │  │  │      • Attestation verification                    │  │  │  │
   │  │  │  └────────────────────────────────────────────────────┘  │  │  │
   │  │  └──────────────────────────────────────────────────────────┘  │  │
   │  └────────────────────────────────────────────────────────────────┘  │
   └──────────────────────────────────────────────────────────────────────┘

GF(3) Conservation

RED(-1) ⊗ YELLOW(-1) ⊗ GREEN(0) ⊗ BLUE(+1) = -1

To balance: Add dynamic-sufficiency(-1) + skill-dispatch(0) + signal-messaging(+1)
Full triad: (-1) + (-1) + (0) + (+1) + (-1) + (0) + (+1) = -1 + 1 = 0 ✓

Role	Skill/Layer	Trit	Function
MINUS (-1)	signal-isolated-auth	-1	THIS SKILL - validates enclosure
MINUS (-1)	Network + Container	-2	External constraints
ERGODIC (0)	VM boundary	0	Coordination layer
PLUS (+1)	Trusted core	+1	Key generation

Supported Signal Clients

Client	Technology	Status	Notes
signal-cli	Java	✅ Primary	Full protocol support
presage	Rust	✅ Supported	Modern, performant
whisperfish	Rust/QML	⚠️ Experimental	Sailfish OS focused
libsignal	Rust	⚠️ Library	Requires wrapper

Security Color Rules

Color Flow Constraint

Data can only flow INWARD (less trusted → more trusted):

RED → YELLOW → GREEN → BLUE  ✓
BLUE → RED                    ✗ (security violation)

Color-to-Trit Mapping

Color	Trust Level	Trit	Meaning
🔴 RED	1 (lowest)	-1	External constraint
🟡 YELLOW	2	-1	Container constraint
🟢 GREEN	3	0	Boundary coordination
🔵 BLUE	4 (highest)	+1	Trusted generation

Usage

Python API

from signal_isolation_manager import (
    SignalIsolationManager,
    SignalClientType,
    build_agentorama_signal_pathway,
)

# Build maximally isolated pathway
pathway = build_agentorama_signal_pathway(
    name="agent-signal-secure",
    client_type=SignalClientType.SIGNAL_CLI,
    max_isolation=True,  # VM + Container
)

# Start isolated environment
manager = pathway.isolation_manager
await manager.start_isolated()

# Authenticate via device linking
link_uri = await manager.authenticate_link("agent-o-rama")
print(f"Scan QR code: {link_uri}")

# Or register new account
await manager.authenticate_register("+1234567890")
await manager.verify_code("123456")

# Get s-expression for categorical processing
print(manager.get_enclosure_sexp())

Julia API (WorldColoredOperads)

using Gay.WorldColoredOperads

# Build Signal-specific enclosure
enclosure = world_signal_enclosure(:signal_cli; seed=0xE12A4E)

# Verify security properties
result = verify_enclosure(enclosure)
println("Security score: ", result.security_score)
println("GF(3) balanced: ", result.gf3_balanced)
println("Color chain: ", result.color_chain)

# Output as s-expression
println(to_sexp(enclosure))

CLI Usage

# Start Signal in maximum isolation
python signal_isolation_manager.py

# With specific client
python -c "
import asyncio
from signal_isolation_manager import *

async def main():
    manager = SignalIsolationManager(
        client_type=SignalClientType.PRESAGE,
        use_vm=True,
        use_container=True,
    )
    manager.build_enclosure('+1234567890')
    await manager.start_isolated()
    link = await manager.authenticate_link('my-agent')
    print(link)

asyncio.run(main())
"

S-Expression Output

All authentication events emit s-expressions for categorical processing:

(signal-auth-event
  :type :device-link
  :device-name "agent-o-rama"
  :enclosure-fingerprint "a3b7c9d1e5f2"
  :link-uri "sgnl://linkdevice?uuid=agent-a3b7c9d1&pub_key=..."
  :timestamp 1735689600
  :color-chain (:red :yellow :green :blue))

(isolation-enclosure
  :target "signal_signal-cli"
  :client "signal-cli"
  :fingerprint "a3b7c9d1e5f2"
  :gf3-sum -1
  :gf3-balanced nil
  :valid t
  :security-score 100
  :color-chain (:red :yellow :green :blue)
  :layers (
    (layer :name "network_isolation" :color :red :tech :network :trit -1)
    (layer :name "firewall_rules" :color :red :tech :firewall :trit -1)
    (layer :name "container_boundary" :color :yellow :tech :container :trit -1)
    (layer :name "vm_boundary" :color :green :tech :firecracker :trit 0)
    (layer :name "trusted_signal_process" :color :blue :tech :enclave :trit 1)
  ))

Isolation Technologies

Firecracker microVM (Recommended)

vm:
  type: firecracker
  vcpus: 1
  memory_mb: 512
  kernel: vmlinux-5.10-signal
  rootfs: signal-rootfs.ext4
  boot_args: "console=ttyS0 reboot=k panic=1 pci=off"
  jailer:
    uid: 1000
    gid: 1000
    chroot: /srv/jailer/signal

Container (Podman Rootless)

podman run \
  --rm \
  --read-only \
  --security-opt no-new-privileges \
  --cap-drop=ALL \
  --cap-add=NET_RAW \
  --network=slirp4netns \
  -v /path/to/data:/data:rw \
  signal-cli-isolated:latest \
  daemon --json

Firejail (Alternative)

firejail \
  --private=/tmp/signal-sandbox \
  --net=none \
  --seccomp \
  --noroot \
  signal-cli daemon

Agent-O-Rama Integration

This skill provides a pathway for Agent-O-Rama's Signal communication:

from signal_isolation_manager import AgentOramaPathway

# Pathway carries color attributes for all components
pathway = AgentOramaPathway(
    name="signal-isolated",
    isolation_manager=manager,
    color_attributes={
        "ingress": SecurityColor.RED,      # Network input
        "processing": SecurityColor.YELLOW, # Container work
        "verification": SecurityColor.GREEN, # VM attestation
        "execution": SecurityColor.BLUE,    # Trusted action
    }
)

# GF(3) conservation across pathway
print(f"Pathway trit sum: {pathway.trit_sum}")

Required Skills (Dependency Triad)

Skill	Trit	Status	Purpose
signal-isolated-auth	-1	✅ THIS	Isolation boundary
dynamic-sufficiency	-1	✅ Have	ε-machine gating
signal-messaging	0	✅ Have	Message transport
gay-mcp	+1	✅ Have	Color generation

Files

File	Purpose
`signal_isolation_manager.py`	Main isolation orchestrator
`Gay.jl/src/world_colored_operads.jl`	Julia security model
`configs/signal_seccomp.json`	Seccomp profile
`configs/firecracker_signal.json`	Firecracker config

Security Considerations

Key Material: Never leaves BLUE boundary
Network: Egress-only to *.signal.org
Persistence: Data encrypted at rest in dedicated volume
Attestation: VM and enclave verified before key operations
Least Privilege: CAP_DROP=ALL, minimal syscalls

Related Skills

```
dynamic-sufficiency
```
- ε-machine gating for skill coverage
```
signal-messaging
```
- Message send/receive (requires auth)
```
gay-mcp
```
- Deterministic color generation
```
livekit-omnimodal
```
- Real-time coaching integration
```
blackhat-go
```
- Adversarial security analysis