Secure remote shell via Matrix E2EE — no ports, no TCP surface, TIBET L4 Airlock verification.
Project description
tibet-nc
PRE-ALPHA (v0.1.0a1) — NOT PRODUCTION READY
API, protocol, and security model are subject to change. Do not deploy in production environments.
Secure remote shell via Matrix E2EE — SSH without the attack surface.
What is tibet-nc?
tibet-nc replaces SSH/telnet with a remote shell that has no open ports, no TCP listener, and no discoverable attack surface. Commands are sent via Matrix (end-to-end encrypted) and every execution is a verified TIBET token.
Think of it as a speakeasy: there's no visible door. You need to know the Matrix room and have a verified TIBET identity to get in.
How it works
[Matrix Client] → E2EE message → [Matrix Server] → [tibet-nc daemon]
↓
L4 Airlock
├── Identity check
├── Timebox check
├── Command safety
└── Hash chain
↓
Restricted PTY
↓
Output + TIBET token
↓
[Matrix Client] ← E2EE
L4 Airlock Verification
Every command passes 4 layers before execution:
- Identity — Matrix user must be in the allowed list
- Timebox — Command must arrive within latency window for its DID type
- Command safety — Blocked patterns (
rm -rf /,dd if=, etc.) are rejected - Hash chain — SHA256 chain links every command to the previous one
What makes it different from SSH?
| SSH | tibet-nc | |
|---|---|---|
| Open port | 22 (scannable) | None |
| Protocol | TCP | Matrix E2EE |
| Auth | Keys/password | TIBET identity |
| Audit trail | auth.log | Full TIBET provenance per command |
| Command safety | None | L4 Airlock (blocked patterns) |
| Hash chain | None | SHA256 per session |
Current status
- Matrix E2EE transport
- L4 Airlock verification
- Restricted PTY execution
- TIBET token per command
- Hash chain integrity
- Blocked dangerous commands
- Systemd service (DL360)
- Multi-device session management
- File transfer via Matrix
- Interactive mode (vim, top)
- PyPI release
Running (development)
The daemon currently runs from /srv/jtel-stack/tibet-nc/ as a systemd service.
See the deployed instance for reference — package structure is being formalized.
License
MIT — Humotica AI Lab
Credits
Designed by Jasper van de Meent. Built by Jasper and Root AI as part of HumoticaOS.
Stack-positie: Groep experimental · Bootstrap = OSAPI-handshake naar tibet + jis (fail → snaft-rule + tibet-pol-rapport) · ← tibet-airlock · See STACK.md · See demo/golden-path/ for the spine end-to-end.
Enterprise
For private hub hosting, SLA support, custom integrations, or compliance guidance:
| Enterprise | enterprise@humotica.com |
| Support | support@humotica.com |
| Security | security@humotica.com |
See ENTERPRISE.md for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tibet_nc-0.1.0.tar.gz.
File metadata
- Download URL: tibet_nc-0.1.0.tar.gz
- Upload date:
- Size: 12.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1bdaedd4944685535ca0cfe00afdc834cf600a15e6049959e48d209d4cd90e00
|
|
| MD5 |
32e6b2f01696695364d7473c8a053d1f
|
|
| BLAKE2b-256 |
e9af58a0e9c2c368341acf39ef9b6396b677b25ad8f9638468a2be3d4cf90730
|
File details
Details for the file tibet_nc-0.1.0-py3-none-any.whl.
File metadata
- Download URL: tibet_nc-0.1.0-py3-none-any.whl
- Upload date:
- Size: 10.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e793f991ee2d6941ebaf9e3162ebfc8670ee02fc5cc2a5eb858e779df2c3701e
|
|
| MD5 |
5c64bd801e5a94f0e3f8ce3aa602c6f3
|
|
| BLAKE2b-256 |
a949d29d92516a52bf612d12d6ef57b4f8e0b7a3bf7b751cabae72face3f39c0
|
