From asi
Models macOS MDM authentication as cobordisms for credential derivation, using Keychain operations and GF(3) state transitions in Python.
```bash
npx claudepluginhub plurigrid/asi --plugin asi
```

This skill uses the workspace's default tool permissions.
**Status**: ✅ Production Ready
Status: ✅ Production Ready
Trit: 0 (ERGODIC - transport/derivation)
Color: #26D826 (Green)
Principle: Auth is cobordism W: ∂₀ → ∂₁, not event sequence
Frame: No demos, only derivation
MDM Cobordism models authentication and device management as cobordisms — manifolds with boundaries representing auth state transitions. Following the unworld philosophy:
Forms valid triads with MINUS (-1) and PLUS (+1) skills:
sheaf-cohomology (-1) ⊗ mdm-cobordism (0) ⊗ gay-mcp (+1) = 0 ✓ [Credential Derivation]
temporal-coalgebra (-1) ⊗ mdm-cobordism (0) ⊗ oapply-colimit (+1) = 0 ✓ [State Observation]
three-match (-1) ⊗ mdm-cobordism (0) ⊗ koopman-generator (+1) = 0 ✓ [Pattern Learning]
| Cobordism | Source → Target | Trit | Role |
|---|---|---|---|
| W₁ generate_key | Unauth → HasKey | +1 | Generator |
| W₂ request_scep | HasKey → HasCert | 0 | Coordinator |
| W₃ validate_cert | HasCert → HasToken | -1 | Validator |
| W₄ check_in_mdm | HasToken → Enrolled | +1 | Generator |
| W₅ verify_enroll | Enrolled → Enrolled | -1 | Validator |
GF(3) Conservation: +1 + 0 + (-1) + (+1) + (-1) = 0 ✓
```
# Auth manifold boundaries
Unauthenticated   # ∂₀: No identity
HasKey            # Device has private key
HasCertificate    # Device has CA-signed cert
HasToken          # Device has session token
Enrolled          # Device enrolled in MDM
Supervised        # Device under full management
```
macOS Keychain operations with GF(3) tracking:
```
# Store (+1) → Retrieve (0) → Validate (-1) = 0 ✓
Keychain.store_then_verify(service, account, secret)
```
| Operation | Trit | Description |
|---|---|---|
| store | +1 | Create credential |
| retrieve | 0 | Transport credential |
| delete | -1 | Remove credential |
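```bash
# Run MDM cobordism demo
python src/mdm_mcp_server.py

# Keychain operations (macOS)
# Trailing -w with no value: security prompts for the secret,
# which keeps it out of argv and shell history
security add-generic-password -s "mdm-token" -a "$USER" -w
# On find, -w prints only the password to stdout
security find-generic-password -s "mdm-token" -a "$USER" -w
security delete-generic-password -s "mdm-token" -a "$USER"

# Verify GF(3) for auth flow
just mdm-gf3-check
```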
```python
from mdm_mcp_server import (
    W1_GENERATE_KEY, W2_REQUEST_CERT, W3_VALIDATE_CERT,
    W4_CHECK_IN, W5_VERIFY, Unauthenticated, verify_gf3
)

# Execute enrollment chain
state = Unauthenticated(device_serial="C02XG1PDJHD4")
state = W1_GENERATE_KEY(state)
state = W2_REQUEST_CERT(state)
state = W3_VALIDATE_CERT(state)
state = W4_CHECK_IN(state)
state = W5_VERIFY(state)

# Verify GF(3): collect the trit of each cobordism that was applied
trits = [
    W1_GENERATE_KEY.trit, W2_REQUEST_CERT.trit, W3_VALIDATE_CERT.trit,
    W4_CHECK_IN.trit, W5_VERIFY.trit,
]
assert verify_gf3(trits)  # True
```
```xml
<dict>
    <key>PayloadType</key>
    <string>com.apple.security.scep</string>
    <key>URL</key>
    <string>https://scep.example.com/scep</string>
    <key>KeySize</key>
    <integer>2048</integer>
</dict>
```
Device activates → DEP lookup → MDM URL → Enroll → Supervised
Supervision is an irreversible cobordism in normal flow.
There are no demonstrations. MDM enrollment is not a "process that runs" but a derivation chain that is.
Demo: "Watch me enroll this device" → temporal, performative
Derivation: "Enrollment derives from serial" → atemporal, structural
Credentials don't "exist" with properties. They derive from chain positions:
```ruby
# Ontological (what IS this key?)
key.is_valid?        # property of thing

# Untological (what DERIVES this key?)
key = derive(device_serial, enrollment_time)
key.chain_position   # position in derivation
```
Auth flows compose like cobordisms:
W = W₅ ∘ W₄ ∘ W₃ ∘ W₂ ∘ W₁ : Unauthenticated → Enrolled
The composite W is itself a cobordism with GF(3) = 0.
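The enrollment chain from the table above as a small state machine, added here as an illustration (it is not the code in src/mdm_mcp_server.py). The names `AuthState`, `Cobordism`, `CHAIN`, `gf3_conserved` and `enroll` are assumptions made for this example; each step refuses to run from any boundary other than its declared source, and the trit sum is checked modulo 3.

```python
from dataclasses import dataclass
from enum import Enum


class AuthState(Enum):
    UNAUTHENTICATED = "Unauthenticated"
    HAS_KEY = "HasKey"
    HAS_CERT = "HasCertificate"
    HAS_TOKEN = "HasToken"
    ENROLLED = "Enrolled"


@dataclass(frozen=True)
class Cobordism:
    name: str
    source: AuthState
    target: AuthState
    trit: int  # -1, 0 or +1

    def __call__(self, state: AuthState) -> AuthState:
        # Only the declared source boundary is accepted, so a step such as
        # certificate validation cannot be skipped on the way to Enrolled.
        if state is not self.source:
            raise ValueError(
                f"{self.name}: expected {self.source.value}, got {state.value}")
        return self.target


# Rows of the page's table: name, source, target, trit
CHAIN = [
    Cobordism("generate_key", AuthState.UNAUTHENTICATED, AuthState.HAS_KEY, +1),
    Cobordism("request_scep", AuthState.HAS_KEY, AuthState.HAS_CERT, 0),
    Cobordism("validate_cert", AuthState.HAS_CERT, AuthState.HAS_TOKEN, -1),
    Cobordism("check_in_mdm", AuthState.HAS_TOKEN, AuthState.ENROLLED, +1),
    Cobordism("verify_enroll", AuthState.ENROLLED, AuthState.ENROLLED, -1),
]


def gf3_conserved(steps):
    """True when the trits of the given steps sum to 0 modulo 3."""
    return sum(step.trit for step in steps) % 3 == 0


def enroll(steps, start=AuthState.UNAUTHENTICATED):
    """Compose the steps in order and return (final_state, conserved)."""
    state = start
    for step in steps:
        state = step(state)
    return state, gf3_conserved(steps)
```

Dropping `verify_enroll` still ends in `Enrolled` but leaves a trit sum of 1, so the conservation check flags the incomplete chain; omitting `validate_cert` fails earlier with a `ValueError` at `check_in_mdm`.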
```
mdm_enroll_device      // Initiate enrollment (trit: +1)
keychain_store         // Store credential (trit: +1)
keychain_retrieve      // Retrieve credential (trit: 0)
keychain_delete        // Delete credential (trit: -1)
auth_cobordism_check   // Verify GF(3) (trit: -1)
```
- src/mdm_mcp_server.py — Cobordism state machine
- architecture/MDM_AUTH_COBORDISM.md — Architecture docs

Skill Name: mdm-cobordism
Type: Device Management / Auth State Machine
Trit: 0 (ERGODIC)
Color: #26D826 (Green)
GF(3): Conserved by construction
Demos: None (νο δῆμος)
Ontology: Replaced with untology
This skill connects to the K-Dense-AI/claude-scientific-skills ecosystem:
- general: 734 citations in bib.duckdb

This skill maps to Cat# = Comod(P) as a bicomodule in the equipment structure:
Trit: 0 (ERGODIC)
Home: Prof
Poly Op: ⊗
Kan Role: Adj
Color: #26D826
The skill participates in triads satisfying:
(-1) + (0) + (+1) ≡ 0 (mod 3)
This ensures compositional coherence in the Cat# equipment structure.