Secure remote shell via Matrix E2EE - no ports, no TCP surface, TIBET L4 Airlock verification.
Project description
tibet-nc
Secure remote shell over Matrix E2EE with a TIBET L4 Airlock.
tibet-nc is a no-listener remote command channel: there is no SSH port, no TCP
service to scan, and no inbound network path to the host. Commands arrive through
a Matrix room, pass a local airlock, execute in a restricted PTY, and return with
TIBET provenance.
Status: maintained alpha. Powerful enough for controlled operator use, not a general-purpose production SSH replacement yet.
Why It Exists
Sometimes the right operator path is not an agent workflow. If an agent, cortex, SNAFT, or policy layer decides an action is above its authority, a human still needs a narrow, auditable override lane.
tibet-nc is that human cockpit:
- no exposed SSH daemon
- Matrix E2EE transport
- allowlisted Matrix senders
- restricted shell
- blocked dangerous command patterns
- per-command L4 hash chain
- TIBET token/audit emission for command execution
The normal agent route remains capsule/cmail approval. tibet-nc is for direct
human-in-the-loop diagnostics and bounded intervention.
Architecture
Matrix client
-> E2EE room message
-> tibet-nc daemon
-> L4 Airlock
1. sender allowlist
2. freshness/timebox
3. command safety filter
4. hash-chain advance
-> restricted PTY
-> Matrix response + TIBET token
Example Use
In the configured Matrix control room:
$ status
$ df -h
$ uptime
$ journalctl --user -n 50
Outside the dedicated room, messages must use the $ prefix. Inside the
dedicated room, the deployed daemon accepts both prefixed and direct commands.
Safety Boundary
tibet-nc is intentionally not a raw root shell.
Blocked command families include:
- shutdown/reboot/poweroff/halt
- destructive disk commands such as
mkfs,fdisk,dd if=/dev - known shell bombs
- recursive root deletion patterns
- pipe-to-shell download patterns
High-impact actions should go through a signed capsule/cmail approval flow, not an ordinary Matrix command. That keeps the split clear:
tibet-nc: human diagnostics and bounded shellcmail/capsule: explicit signed approval for privileged execution
Configuration
Create an environment file for the daemon:
MATRIX_HOMESERVER=https://matrix.example.org
TIBET_NC_USER_ID=@tibetnc:matrix.example.org
TIBET_NC_ACCESS_TOKEN=...
TIBET_NC_ROOM=!roomid:matrix.example.org
TIBET_NC_ALLOWED_USERS=@operator:matrix.example.org
TIBET_NC_HOSTNAME=host-a
BRAIN_API_BASE=http://localhost:8000
The live Humotica deployment currently uses Matrix on
chat.jaspervandemeent.nl; migration to an AInternet Matrix domain is a hosting
decision, not a protocol requirement.
Install
From a checkout:
python -m venv .venv
. .venv/bin/activate
pip install -e ".[e2ee]"
Run:
python -m tibet_nc.daemon
The package metadata exposes a tibet-nc console command, but the CLI wrapper
must be verified before the next PyPI upload. See
GITHUB_UPLOAD_CHECKLIST.md.
Systemd
Use a locked-down service account and an environment file outside the repository.
[Unit]
Description=tibet-nc Matrix remote shell
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
WorkingDirectory=/opt/tibet-nc
EnvironmentFile=/etc/tibet-nc.env
ExecStart=/opt/tibet-nc/.venv/bin/python -m tibet_nc.daemon
Restart=always
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Current Package Notes
The deployed daemon has had maintenance beyond the older package snapshot:
/usr/local/tibet-nc-binis included in the restricted PATH- longer output windows exist for slow package/build commands
- progress output is collapsed before returning to Matrix
Before publishing a fresh PyPI build, sync those deployed changes back into
src/tibet_nc/daemon.py through the normal Root AI code-review path.
Project Status
- Matrix transport: implemented
- L4 Airlock: implemented
- restricted PTY: implemented
- Matrix response with TIBET provenance: implemented
- systemd deployment: proven locally
- file transfer: planned
- interactive full-screen programs: planned
- signed privileged override lane: use cmail/capsule, not raw
$commands
License
MIT. See LICENSE.
Credits
Designed by Jasper van de Meent and Root AI as part of the HumoticaOS / TIBET ecosystem.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tibet_nc-0.1.1.tar.gz.
File metadata
- Download URL: tibet_nc-0.1.1.tar.gz
- Upload date:
- Size: 15.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
99f8994b5525dd96e43dd6a6566cd478799cae1a0585913a21878546e1b83bfa
|
|
| MD5 |
0ce5c9c2d5e7ce520af8bca82d968d18
|
|
| BLAKE2b-256 |
75dd6292e1fdfec66efeb9200e32c468c3a1b659b8ef9c949a74ddd7ff267d49
|
File details
Details for the file tibet_nc-0.1.1-py3-none-any.whl.
File metadata
- Download URL: tibet_nc-0.1.1-py3-none-any.whl
- Upload date:
- Size: 12.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a2ae6e9436fdbb11493d8a3d9c284869eeef5bfb36ae3bbb9b644807336e2004
|
|
| MD5 |
cb68df1c7f1ec2ec1e9c25bb6f292a3f
|
|
| BLAKE2b-256 |
2fb4ba3d06d160ccb5d1bf5bb76c5e4f42ba8ea1de59b2e5422e8cb2be024497
|
