playbooks

home / skills / plurigrid / asi / signal-isolated-auth

signal-isolated-auth skill

/skills/signal-isolated-auth

This skill implements maximally isolated Signal authentication using colored operad boundaries to securely gate data through network, container, VM, and

npx playbooks add skill plurigrid/asi --skill signal-isolated-auth

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
11.4 KB
---
name: signal-isolated-auth
description: Maximally isolated Signal authentication via colored operad security boundaries. VM→Container→Process enclosure with GF(3) conservation for Agent-O-Rama pathways.
version: 1.0.0
---


# Signal Isolated Authentication

## Overview

Maximally isolated Signal client authentication using **colored operad security boundaries**. Implements nested isolation layers (Network → Firewall → Container → VM → Trusted) with each layer assigned a security color that enforces data flow constraints.

```
┌─────────────────────────────────────────────────────────────────────────────┐
│  COLORED OPERAD ISOLATION STACK                                             │
└─────────────────────────────────────────────────────────────────────────────┘

   External World (Untrusted)
          │
          ▼
   ┌──────────────────────────────────────────────────────────────────────┐
   │  🔴 RED: Network Boundary (trit=-1)                                  │
   │      • Network namespace isolation                                   │
   │      • DNS filtering (*.signal.org only)                            │
   │      • Firewall: outbound-only, ports 443/80                        │
   │  ┌────────────────────────────────────────────────────────────────┐  │
   │  │  🟡 YELLOW: Container Boundary (trit=-1)                       │  │
   │  │      • Podman/Docker rootless                                  │  │
   │  │      • --privileged=false, --read-only                        │  │
   │  │      • Seccomp profile, AppArmor/SELinux                      │  │
   │  │      • CAP_DROP=ALL, CAP_ADD=NET_RAW                          │  │
   │  │  ┌──────────────────────────────────────────────────────────┐  │  │
   │  │  │  🟢 GREEN: VM Boundary (trit=0)                          │  │  │
   │  │  │      • Firecracker microVM                               │  │  │
   │  │  │      • 1 vCPU, 512MB RAM                                 │  │  │
   │  │  │      • Minimal kernel, read-only rootfs                  │  │  │
   │  │  │  ┌────────────────────────────────────────────────────┐  │  │  │
   │  │  │  │  🔵 BLUE: Trusted Core (trit=+1)                   │  │  │  │
   │  │  │  │      • Signal CLI process                          │  │  │  │
   │  │  │  │      • Key material in memory-encrypted enclave    │  │  │  │
   │  │  │  │      • Attestation verification                    │  │  │  │
   │  │  │  └────────────────────────────────────────────────────┘  │  │  │
   │  │  └──────────────────────────────────────────────────────────┘  │  │
   │  └────────────────────────────────────────────────────────────────┘  │
   └──────────────────────────────────────────────────────────────────────┘
```

## GF(3) Conservation

```
RED(-1) ⊗ YELLOW(-1) ⊗ GREEN(0) ⊗ BLUE(+1) = -1

To balance: Add dynamic-sufficiency(-1) + skill-dispatch(0) + signal-messaging(+1)
Full triad: (-1) + (-1) + (0) + (+1) + (-1) + (0) + (+1) = -1 + 1 = 0 ✓
```

| Role | Skill/Layer | Trit | Function |
|------|-------------|------|----------|
| **MINUS** (-1) | signal-isolated-auth | -1 | **THIS SKILL** - validates enclosure |
| **MINUS** (-1) | Network + Container | -2 | External constraints |
| **ERGODIC** (0) | VM boundary | 0 | Coordination layer |
| **PLUS** (+1) | Trusted core | +1 | Key generation |

## Supported Signal Clients

| Client | Technology | Status | Notes |
|--------|------------|--------|-------|
| **signal-cli** | Java | ✅ Primary | Full protocol support |
| **presage** | Rust | ✅ Supported | Modern, performant |
| **whisperfish** | Rust/QML | ⚠️ Experimental | Sailfish OS focused |
| **libsignal** | Rust | ⚠️ Library | Requires wrapper |

## Security Color Rules

### Color Flow Constraint

Data can only flow **INWARD** (less trusted → more trusted):

```
RED → YELLOW → GREEN → BLUE  ✓
BLUE → RED                    ✗ (security violation)
```

### Color-to-Trit Mapping

| Color | Trust Level | Trit | Meaning |
|-------|-------------|------|---------|
| 🔴 RED | 1 (lowest) | -1 | External constraint |
| 🟡 YELLOW | 2 | -1 | Container constraint |
| 🟢 GREEN | 3 | 0 | Boundary coordination |
| 🔵 BLUE | 4 (highest) | +1 | Trusted generation |

## Usage

### Python API

```python
from signal_isolation_manager import (
    SignalIsolationManager,
    SignalClientType,
    build_agentorama_signal_pathway,
)

# Build maximally isolated pathway
pathway = build_agentorama_signal_pathway(
    name="agent-signal-secure",
    client_type=SignalClientType.SIGNAL_CLI,
    max_isolation=True,  # VM + Container
)

# Start isolated environment
manager = pathway.isolation_manager
await manager.start_isolated()

# Authenticate via device linking
link_uri = await manager.authenticate_link("agent-o-rama")
print(f"Scan QR code: {link_uri}")

# Or register new account
await manager.authenticate_register("+1234567890")
await manager.verify_code("123456")

# Get s-expression for categorical processing
print(manager.get_enclosure_sexp())
```

### Julia API (WorldColoredOperads)

```julia
using Gay.WorldColoredOperads

# Build Signal-specific enclosure
enclosure = world_signal_enclosure(:signal_cli; seed=0xE12A4E)

# Verify security properties
result = verify_enclosure(enclosure)
println("Security score: ", result.security_score)
println("GF(3) balanced: ", result.gf3_balanced)
println("Color chain: ", result.color_chain)

# Output as s-expression
println(to_sexp(enclosure))
```

### CLI Usage

```bash
# Start Signal in maximum isolation
python signal_isolation_manager.py

# With specific client
python -c "
import asyncio
from signal_isolation_manager import *

async def main():
    manager = SignalIsolationManager(
        client_type=SignalClientType.PRESAGE,
        use_vm=True,
        use_container=True,
    )
    manager.build_enclosure('+1234567890')
    await manager.start_isolated()
    link = await manager.authenticate_link('my-agent')
    print(link)

asyncio.run(main())
"
```

## S-Expression Output

All authentication events emit s-expressions for categorical processing:

```lisp
(signal-auth-event
  :type :device-link
  :device-name "agent-o-rama"
  :enclosure-fingerprint "a3b7c9d1e5f2"
  :link-uri "sgnl://linkdevice?uuid=agent-a3b7c9d1&pub_key=..."
  :timestamp 1735689600
  :color-chain (:red :yellow :green :blue))

(isolation-enclosure
  :target "signal_signal-cli"
  :client "signal-cli"
  :fingerprint "a3b7c9d1e5f2"
  :gf3-sum -1
  :gf3-balanced nil
  :valid t
  :security-score 100
  :color-chain (:red :yellow :green :blue)
  :layers (
    (layer :name "network_isolation" :color :red :tech :network :trit -1)
    (layer :name "firewall_rules" :color :red :tech :firewall :trit -1)
    (layer :name "container_boundary" :color :yellow :tech :container :trit -1)
    (layer :name "vm_boundary" :color :green :tech :firecracker :trit 0)
    (layer :name "trusted_signal_process" :color :blue :tech :enclave :trit 1)
  ))
```

## Isolation Technologies

### Firecracker microVM (Recommended)

```yaml
vm:
  type: firecracker
  vcpus: 1
  memory_mb: 512
  kernel: vmlinux-5.10-signal
  rootfs: signal-rootfs.ext4
  boot_args: "console=ttyS0 reboot=k panic=1 pci=off"
  jailer:
    uid: 1000
    gid: 1000
    chroot: /srv/jailer/signal
```

### Container (Podman Rootless)

```bash
podman run \
  --rm \
  --read-only \
  --security-opt no-new-privileges \
  --cap-drop=ALL \
  --cap-add=NET_RAW \
  --network=slirp4netns \
  -v /path/to/data:/data:rw \
  signal-cli-isolated:latest \
  daemon --json
```

### Firejail (Alternative)

```bash
firejail \
  --private=/tmp/signal-sandbox \
  --net=none \
  --seccomp \
  --noroot \
  signal-cli daemon
```

## Agent-O-Rama Integration

This skill provides a **pathway** for Agent-O-Rama's Signal communication:

```python
from signal_isolation_manager import AgentOramaPathway

# Pathway carries color attributes for all components
pathway = AgentOramaPathway(
    name="signal-isolated",
    isolation_manager=manager,
    color_attributes={
        "ingress": SecurityColor.RED,      # Network input
        "processing": SecurityColor.YELLOW, # Container work
        "verification": SecurityColor.GREEN, # VM attestation
        "execution": SecurityColor.BLUE,    # Trusted action
    }
)

# GF(3) conservation across pathway
print(f"Pathway trit sum: {pathway.trit_sum}")
```

## Required Skills (Dependency Triad)

| Skill | Trit | Status | Purpose |
|-------|------|--------|---------|
| signal-isolated-auth | -1 | ✅ THIS | Isolation boundary |
| dynamic-sufficiency | -1 | ✅ Have | ε-machine gating |
| signal-messaging | 0 | ✅ Have | Message transport |
| gay-mcp | +1 | ✅ Have | Color generation |

## Files

| File | Purpose |
|------|---------|
| `signal_isolation_manager.py` | Main isolation orchestrator |
| `Gay.jl/src/world_colored_operads.jl` | Julia security model |
| `configs/signal_seccomp.json` | Seccomp profile |
| `configs/firecracker_signal.json` | Firecracker config |

## Security Considerations

1. **Key Material**: Never leaves BLUE boundary
2. **Network**: Egress-only to *.signal.org
3. **Persistence**: Data encrypted at rest in dedicated volume
4. **Attestation**: VM and enclave verified before key operations
5. **Least Privilege**: CAP_DROP=ALL, minimal syscalls

## Related Skills

- `dynamic-sufficiency` - ε-machine gating for skill coverage
- `signal-messaging` - Message send/receive (requires auth)
- `gay-mcp` - Deterministic color generation
- `livekit-omnimodal` - Real-time coaching integration
- `blackhat-go` - Adversarial security analysis

## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 10. Adventure Game Example

**Concepts**: autonomous agent, game, synthesis

### GF(3) Balanced Triad

```
signal-isolated-auth (+) + SDF.Ch10 (+) + [balancer] (+) = 0
```

**Skill Trit**: 1 (PLUS - generation)

### Secondary Chapters

- Ch9: Generic Procedures
- Ch5: Evaluation
- Ch6: Layering
- Ch7: Propagators

### Connection Pattern

Adventure games synthesize techniques. This skill integrates multiple patterns.

Overview

This skill provides maximally isolated Signal client authentication using colored operad security boundaries. It composes nested enclosures (network → container → VM → trusted core) to enforce inward-only data flows and protect key material. The design emphasizes minimal trusted surface, attestation, and GF(3) conservation for pathway validation.

How this skill works

The skill builds an isolation enclosure that assigns a security color and trit to each layer and enforces data flow constraints (RED→YELLOW→GREEN→BLUE). It orchestrates rootless containers, Firecracker microVMs, firewall rules, and an in-memory encrypted enclave for the Signal process. Authentication events and enclosure state are emitted as s-expressions for deterministic, categorical processing and verification.

When to use it

  • You need to authenticate a Signal client with minimal trust surface.
  • When key material must never leave a verified enclave or high-trust boundary.
  • To run Signal in automated agent pathways (Agent-O-Rama) with provable color-flow constraints.
  • When you require attestation and constrained egress to *.signal.org only.
  • For security reviews that require formalized layer descriptions and GF(3) balancing.

Best practices

  • Enforce egress-only firewall rules and restrict DNS to Signal domains.
  • Use Firecracker microVMs with minimal kernel and read-only rootfs for the VM boundary.
  • Run containers rootless with --read-only, no-new-privileges, and a strict seccomp/AppArmor profile.
  • Keep key operations inside the BLUE trusted core and verify attestation before use.
  • Emit and retain s-expressions for audit, reproducibility, and automated verification.

Example use cases

  • Agent pipeline needs an isolated Signal pathway for automated notifications with attested key use.
  • CI job that links a device via QR/link URI inside a constrained microVM and sealed enclave.
  • Deploying a headless Signal client for an agent where persistence must be encrypted and egress locked to Signal servers.
  • Security research validating data-flow policies and GF(3) trit conservation across an isolation stack.
  • Embedded or edge deployment where resources are constrained (1 vCPU, 512MB) and minimal kernel images are required.

FAQ

What does GF(3) conservation mean here?

GF(3) conservation is a bookkeeping model that assigns trits to layers and verifies the pathway sums to zero, indicating the color triad balance and adherence to designed flow constraints.

Can I use other Signal clients?

Yes. The skill supports signal-cli and presage as primary clients; experimental support exists for whisperfish and library use requires a wrapper. The orchestration focuses on isolation rather than client internals.

Where must key material reside?

Key material must remain inside the BLUE trusted core (memory-encrypted enclave). No key material should be exported beyond that boundary.