Skip to content

Humotica/tibet-airlock

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
python
python
 
 
src
src
 
 
Cargo.toml
Cargo.toml
 
 
README.md
README.md
 
 
airlock.log
airlock.log
 
 
airlock_v2.log
airlock_v2.log
 
 
test_airlock.py
test_airlock.py
 
 

Repository files navigation

tibet-airlock

Zero-trust microVM sandbox with TIBET provenance. Kernel isolation in <1ms, cryptographic proof of every execution.

What it does

Tibet-airlock receives an intent (what the AI agent wants to do), boots a pre-warmed microVM snapshot, executes the payload under SNAFT syscall monitoring, and returns a TIBET provenance token — cryptographic proof of exactly what happened.

Intent → Snapshot Wake (<0.01ms) → SNAFT Monitor → Triage → TIBET Token

Why

AI agents execute code. That code needs isolation. Not "container isolation" — kernel isolation. Every syscall monitored. Every execution proven. Every violation killed instantly.

  • Sub-milliseconde — 0.6ms average roundtrip including TCP
  • Intent-based routing — each intent maps to a specific OCI image and snapshot
  • SNAFT syscall monitoring — allowlist per intent + always-dangerous blocklist
  • TIBET provenance — every execution generates a cryptographic proof token
  • Kill or Safe — violations terminate the VM immediately, no second chances

Quick start

cargo install tibet-airlock
tibet-airlock  # starts MUX listener on 127.0.0.1:4430

Send a MUX frame (JSON over TCP):

{
    "channel_id": 1,
    "intent": "code:execute",
    "from_aint": "your_agent.aint",
    "payload": "print('hello world')"
}

Safe execution returns status 200 + TIBET success token. Dangerous payload returns status 403 + TIBET incident token with violations. Unknown intent returns status 400 + TIBET rejection token.

Supported intents

Intent OCI Image Snapshot
analyze_malware_sample airlock-python python-safe-boot
code:execute airlock-python python-safe-boot
file:scan airlock-scanner scanner-ready
call:voice:* airlock-sip sip-ready
call:video:* airlock-webrtc webrtc-ready

SNAFT blocked syscalls

Always dangerous (any intent): sys_ptrace, sys_socket, sys_connect, sys_dlopen, sys_fork, sys_clone, sys_mount, sys_reboot, sys_kexec_load

Features

  • simulation (default) — simulated VM for testing without /dev/kvm
  • kvm — real Ignition KVM isolation via lttle.cloud

Part of TIBET

Tibet-airlock is part of the TIBET ecosystem — Traceable Intent-Based Event Tokens. Install the full stack: pip install tibet[full]

Built by Humotica for the AInternet.

License

MIT

About

Zero-trust microVM sandbox with TIBET provenance — kernel isolation in <1ms, cryptographic proof of every execution. Rust + Python.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages