Maximally isolated Signal authentication via colored operad security boundaries. VM→Container→Process enclosure with GF(3) conservation for Agent-O-Rama pathways.
/plugin marketplace add plurigrid/asi/plugin install asi-skills@asi-skillsThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Maximally isolated Signal client authentication using colored operad security boundaries. Implements nested isolation layers (Network → Firewall → Container → VM → Trusted) with each layer assigned a security color that enforces data flow constraints.
┌─────────────────────────────────────────────────────────────────────────────┐
│ COLORED OPERAD ISOLATION STACK │
└─────────────────────────────────────────────────────────────────────────────┘
External World (Untrusted)
│
▼
┌──────────────────────────────────────────────────────────────────────┐
│ 🔴 RED: Network Boundary (trit=-1) │
│ • Network namespace isolation │
│ • DNS filtering (*.signal.org only) │
│ • Firewall: outbound-only, ports 443/80 │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ 🟡 YELLOW: Container Boundary (trit=-1) │ │
│ │ • Podman/Docker rootless │ │
│ │ • --privileged=false, --read-only │ │
│ │ • Seccomp profile, AppArmor/SELinux │ │
│ │ • CAP_DROP=ALL, CAP_ADD=NET_RAW │ │
│ │ ┌──────────────────────────────────────────────────────────┐ │ │
│ │ │ 🟢 GREEN: VM Boundary (trit=0) │ │ │
│ │ │ • Firecracker microVM │ │ │
│ │ │ • 1 vCPU, 512MB RAM │ │ │
│ │ │ • Minimal kernel, read-only rootfs │ │ │
│ │ │ ┌────────────────────────────────────────────────────┐ │ │ │
│ │ │ │ 🔵 BLUE: Trusted Core (trit=+1) │ │ │ │
│ │ │ │ • Signal CLI process │ │ │ │
│ │ │ │ • Key material in memory-encrypted enclave │ │ │ │
│ │ │ │ • Attestation verification │ │ │ │
│ │ │ └────────────────────────────────────────────────────┘ │ │ │
│ │ └──────────────────────────────────────────────────────────┘ │ │
│ └────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
RED(-1) ⊗ YELLOW(-1) ⊗ GREEN(0) ⊗ BLUE(+1) = -1
To balance: Add dynamic-sufficiency(-1) + skill-dispatch(0) + signal-messaging(+1)
Full triad: (-1) + (-1) + (0) + (+1) + (-1) + (0) + (+1) = -1 + 1 = 0 ✓
| Role | Skill/Layer | Trit | Function |
|---|---|---|---|
| MINUS (-1) | signal-isolated-auth | -1 | THIS SKILL - validates enclosure |
| MINUS (-1) | Network + Container | -2 | External constraints |
| ERGODIC (0) | VM boundary | 0 | Coordination layer |
| PLUS (+1) | Trusted core | +1 | Key generation |
| Client | Technology | Status | Notes |
|---|---|---|---|
| signal-cli | Java | ✅ Primary | Full protocol support |
| presage | Rust | ✅ Supported | Modern, performant |
| whisperfish | Rust/QML | ⚠️ Experimental | Sailfish OS focused |
| libsignal | Rust | ⚠️ Library | Requires wrapper |
Data can only flow INWARD (less trusted → more trusted):
RED → YELLOW → GREEN → BLUE ✓
BLUE → RED ✗ (security violation)
| Color | Trust Level | Trit | Meaning |
|---|---|---|---|
| 🔴 RED | 1 (lowest) | -1 | External constraint |
| 🟡 YELLOW | 2 | -1 | Container constraint |
| 🟢 GREEN | 3 | 0 | Boundary coordination |
| 🔵 BLUE | 4 (highest) | +1 | Trusted generation |
from signal_isolation_manager import (
SignalIsolationManager,
SignalClientType,
build_agentorama_signal_pathway,
)
# Build maximally isolated pathway
pathway = build_agentorama_signal_pathway(
name="agent-signal-secure",
client_type=SignalClientType.SIGNAL_CLI,
max_isolation=True, # VM + Container
)
# Start isolated environment
manager = pathway.isolation_manager
await manager.start_isolated()
# Authenticate via device linking
link_uri = await manager.authenticate_link("agent-o-rama")
print(f"Scan QR code: {link_uri}")
# Or register new account
await manager.authenticate_register("+1234567890")
await manager.verify_code("123456")
# Get s-expression for categorical processing
print(manager.get_enclosure_sexp())
using Gay.WorldColoredOperads
# Build Signal-specific enclosure
enclosure = world_signal_enclosure(:signal_cli; seed=0xE12A4E)
# Verify security properties
result = verify_enclosure(enclosure)
println("Security score: ", result.security_score)
println("GF(3) balanced: ", result.gf3_balanced)
println("Color chain: ", result.color_chain)
# Output as s-expression
println(to_sexp(enclosure))
# Start Signal in maximum isolation
python signal_isolation_manager.py
# With specific client
python -c "
import asyncio
from signal_isolation_manager import *
async def main():
manager = SignalIsolationManager(
client_type=SignalClientType.PRESAGE,
use_vm=True,
use_container=True,
)
manager.build_enclosure('+1234567890')
await manager.start_isolated()
link = await manager.authenticate_link('my-agent')
print(link)
asyncio.run(main())
"
All authentication events emit s-expressions for categorical processing:
(signal-auth-event
:type :device-link
:device-name "agent-o-rama"
:enclosure-fingerprint "a3b7c9d1e5f2"
:link-uri "sgnl://linkdevice?uuid=agent-a3b7c9d1&pub_key=..."
:timestamp 1735689600
:color-chain (:red :yellow :green :blue))
(isolation-enclosure
:target "signal_signal-cli"
:client "signal-cli"
:fingerprint "a3b7c9d1e5f2"
:gf3-sum -1
:gf3-balanced nil
:valid t
:security-score 100
:color-chain (:red :yellow :green :blue)
:layers (
(layer :name "network_isolation" :color :red :tech :network :trit -1)
(layer :name "firewall_rules" :color :red :tech :firewall :trit -1)
(layer :name "container_boundary" :color :yellow :tech :container :trit -1)
(layer :name "vm_boundary" :color :green :tech :firecracker :trit 0)
(layer :name "trusted_signal_process" :color :blue :tech :enclave :trit 1)
))
vm:
type: firecracker
vcpus: 1
memory_mb: 512
kernel: vmlinux-5.10-signal
rootfs: signal-rootfs.ext4
boot_args: "console=ttyS0 reboot=k panic=1 pci=off"
jailer:
uid: 1000
gid: 1000
chroot: /srv/jailer/signal
podman run \
--rm \
--read-only \
--security-opt no-new-privileges \
--cap-drop=ALL \
--cap-add=NET_RAW \
--network=slirp4netns \
-v /path/to/data:/data:rw \
signal-cli-isolated:latest \
daemon --json
firejail \
--private=/tmp/signal-sandbox \
--net=none \
--seccomp \
--noroot \
signal-cli daemon
This skill provides a pathway for Agent-O-Rama's Signal communication:
from signal_isolation_manager import AgentOramaPathway
# Pathway carries color attributes for all components
pathway = AgentOramaPathway(
name="signal-isolated",
isolation_manager=manager,
color_attributes={
"ingress": SecurityColor.RED, # Network input
"processing": SecurityColor.YELLOW, # Container work
"verification": SecurityColor.GREEN, # VM attestation
"execution": SecurityColor.BLUE, # Trusted action
}
)
# GF(3) conservation across pathway
print(f"Pathway trit sum: {pathway.trit_sum}")
| Skill | Trit | Status | Purpose |
|---|---|---|---|
| signal-isolated-auth | -1 | ✅ THIS | Isolation boundary |
| dynamic-sufficiency | -1 | ✅ Have | ε-machine gating |
| signal-messaging | 0 | ✅ Have | Message transport |
| gay-mcp | +1 | ✅ Have | Color generation |
| File | Purpose |
|---|---|
signal_isolation_manager.py | Main isolation orchestrator |
Gay.jl/src/world_colored_operads.jl | Julia security model |
configs/signal_seccomp.json | Seccomp profile |
configs/firecracker_signal.json | Firecracker config |
dynamic-sufficiency - ε-machine gating for skill coveragesignal-messaging - Message send/receive (requires auth)gay-mcp - Deterministic color generationlivekit-omnimodal - Real-time coaching integrationblackhat-go - Adversarial security analysis