Claude Code Plugins

Community-maintained marketplace

Feedback

mdm-cobordism

@plurigrid/asi
0
0

macOS MDM with auth manifolds as cobordisms for credential derivation

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name mdm-cobordism
description macOS MDM with auth manifolds as cobordisms for credential derivation
version 1.0.0

MDM Cobordism Skill: Auth Manifolds as State Transitions

Status: ✅ Production Ready Trit: 0 (ERGODIC - transport/derivation) Color: #26D826 (Green) Principle: Auth is cobordism W: ∂₀ → ∂₁, not event sequence Frame: No demos, only derivation

Overview

MDM Cobordism models authentication and device management as cobordisms — manifolds with boundaries representing auth state transitions. Following the unworld philosophy:

  • Credentials don't "exist" — they derive
  • There is no "authentication event" — only state derivation
  • Keys don't "expire" — their chain position becomes unreachable

GF(3) Triads

Forms valid triads with MINUS (-1) and PLUS (+1) skills:

sheaf-cohomology (-1) ⊗ mdm-cobordism (0) ⊗ gay-mcp (+1) = 0 ✓  [Credential Derivation]
temporal-coalgebra (-1) ⊗ mdm-cobordism (0) ⊗ oapply-colimit (+1) = 0 ✓  [State Observation]
three-match (-1) ⊗ mdm-cobordism (0) ⊗ koopman-generator (+1) = 0 ✓  [Pattern Learning]

Auth Cobordisms

Cobordism Source → Target Trit Role
W₁ generate_key Unauth → HasKey +1 Generator
W₂ request_scep HasKey → HasCert 0 Coordinator
W₃ validate_cert HasCert → HasToken -1 Validator
W₄ check_in_mdm HasToken → Enrolled +1 Generator
W₅ verify_enroll Enrolled → Enrolled -1 Validator

GF(3) Conservation: +1 + 0 + (-1) + (+1) + (-1) = 0 ✓

Boundary Types

# Auth manifold boundaries
Unauthenticated  # ∂₀: No identity
HasKey           # Device has private key
HasCertificate   # Device has CA-signed cert
HasToken         # Device has session token
Enrolled         # Device enrolled in MDM
Supervised       # Device under full management

Keychain Integration

macOS Keychain operations with GF(3) tracking:

# Store (+1) → Retrieve (0) → Validate (-1) = 0 ✓
Keychain.store_then_verify(service, account, secret)
Operation Trit Description
store +1 Create credential
retrieve 0 Transport credential
delete -1 Remove credential

Commands

# Run MDM cobordism demo
python src/mdm_mcp_server.py

# Keychain operations (macOS)
security add-generic-password -s "mdm-token" -a "$USER" -w
security find-generic-password -s "mdm-token" -a "$USER" -w
security delete-generic-password -s "mdm-token" -a "$USER"

# Verify GF(3) for auth flow
just mdm-gf3-check

API

from mdm_mcp_server import (
    W1_GENERATE_KEY, W2_REQUEST_CERT, W3_VALIDATE_CERT,
    W4_CHECK_IN, W5_VERIFY, Unauthenticated, verify_gf3
)

# Execute enrollment chain
state = Unauthenticated(device_serial="C02XG1PDJHD4")
state = W1_GENERATE_KEY(state)
state = W2_REQUEST_CERT(state)
state = W3_VALIDATE_CERT(state)
state = W4_CHECK_IN(state)
state = W5_VERIFY(state)

# Verify GF(3)
trits = [W1.trit, W2.trit, W3.trit, W4.trit, W5.trit]
assert verify_gf3(trits)  # True

Apple MDM Protocol

SCEP Enrollment

<dict>
    <key>PayloadType</key>
    <string>com.apple.security.scep</string>
    <key>URL</key>
    <string>https://scep.example.com/scep</string>
    <key>KeySize</key>
    <integer>2048</integer>
</dict>

DEP/ABM Supervision

Device activates → DEP lookup → MDM URL → Enroll → Supervised

Supervision is an irreversible cobordism in normal flow.

Philosophy

No Demos

There are no demonstrations. MDM enrollment is not a "process that runs" but a derivation chain that is.

Demo:       "Watch me enroll this device"  → temporal, performative
Derivation: "Enrollment derives from serial" → atemporal, structural

Untological Credentials

Credentials don't "exist" with properties. They derive from chain positions:

# Ontological (what IS this key?)
key.is_valid?  # property of thing

# Untological (what DERIVES this key?)
key = derive(device_serial, enrollment_time)
key.chain_position  # position in derivation

Cobordism Composition

Auth flows compose like cobordisms:

W = W₅ ∘ W₄ ∘ W₃ ∘ W₂ ∘ W₁ : Unauthenticated → Enrolled

The composite W is itself a cobordism with GF(3) = 0.

Security Best Practices

  1. Never store secrets in env vars — use Keychain
  2. Use SCEP for certificate enrollment — not PKCS#12 import
  3. Verify GF(3) for all auth flows — ensures completeness
  4. Supervision = irreversible — plan accordingly

MCP Tools

mdm_enroll_device    // Initiate enrollment (trit: +1)
keychain_store       // Store credential (trit: +1)
keychain_retrieve    // Retrieve credential (trit: 0)
keychain_delete      // Delete credential (trit: -1)
auth_cobordism_check // Verify GF(3) (trit: -1)

Files

  • src/mdm_mcp_server.py — Cobordism state machine
  • architecture/MDM_AUTH_COBORDISM.md — Architecture docs

Skill Name: mdm-cobordism Type: Device Management / Auth State Machine Trit: 0 (ERGODIC) Color: #26D826 (Green) GF(3): Conserved by construction Demos: None (νο δῆμος) Ontology: Replaced with untology

Scientific Skill Interleaving

This skill connects to the K-Dense-AI/claude-scientific-skills ecosystem:

Graph Theory

  • networkx [○] via bicomodule
    • Universal graph hub

Bibliography References

  • general: 734 citations in bib.duckdb

Cat# Integration

This skill maps to Cat# = Comod(P) as a bicomodule in the equipment structure:

Trit: 0 (ERGODIC)
Home: Prof
Poly Op: ⊗
Kan Role: Adj
Color: #26D826

GF(3) Naturality

The skill participates in triads satisfying:

(-1) + (0) + (+1) ≡ 0 (mod 3)

This ensures compositional coherence in the Cat# equipment structure.