Architecture

UltraSushiTron uses a multi-zone security model with defense-in-depth principles. Each component is isolated by trust boundary.

Security Zones

Zone 0: Secure Enclave

Mobile App (React Native/Expo)

  • Secret approval UI with full context display
  • Admin dashboard: plugins, memory, scheduler, config
  • Push notifications (WebSocket + FCM fallback)
  • Biometric authentication
  • Ed25519 challenge-response auth
  • User's personal device β€” highest trust

Zone 1: Air-Gapped

Secrets Agent (Rust microservice)

  • No inbound network listener: the vault API is reachable only over a Unix domain socket (the approval channel to the Mobile App listed under Component Communication is its only network traffic)
  • SQLite vault with AES-256-GCM encryption
  • Ed25519-signed, hash-chained audit logs
  • gRPC service over Unix domain socket
  • Encryption key derived via Argon2id

Zone 2: Full Access

AI Core (Rust)

  • LLM orchestration (Claude, GPT, etc.)
  • 11 built-in tools (Read, Write, Bash, etc.)
  • WASM sandbox for typed plugins (Tool, Channel, Provider, Memory)
  • Encrypted semantic memory store with vector search
  • Cron-based task scheduler
  • Never holds vault keys; a decrypted value exists in its memory only for the duration of a tool call (see Data Flow)
  • Network access for tool execution

Data Flow

When an agent needs a secret:

  1. AI Core calls RequestSecretAccess via gRPC (Unix socket)
  2. Secrets Agent creates a pending request and streams a Pending status
  3. Secrets Agent sends the approval request (secret name and request context) to the Mobile App via WebSocket
  4. User reviews the request context and approves or denies on their device
  5. If approved: Secrets Agent derives a one-time token and streams a Token response
  6. If denied: Secrets Agent streams a Denied response
  7. AI Core injects the decrypted value into the tool call, executes the tool, then wipes the secret from memory

Component Communication

From            To               Protocol               Transport
AI Core         Secrets Agent    gRPC (protobuf)        Unix domain socket
Secrets Agent   Mobile App       WebSocket + JSON       Local network (TLS required in prod)
Secrets Agent   Relay Server     WebSocket              Internet (TLS, fallback path)
Relay Server    Mobile App       FCM push               Firebase Cloud Messaging
Mobile App      AI Core          JSON-RPC (Admin API)   WebSocket (via Secrets Agent relay)
AI Core         Browser Service  HTTP REST              localhost:9515

Design Principles

Defense in Depth

No single component compromise grants access to secrets: the Secrets Agent exposes its vault API only over a local Unix socket, the AI Core never holds the vault keys and sees a decrypted value only for the duration of one tool call, and every access requires user approval. A compromised AI Core can still ask for a secret, which is why the approval UI shows the full request context.

Zero-Knowledge Core

The AI core requests secrets by name but never holds the vault encryption keys. Decrypted values are injected at execution time and wiped as soon as the tool returns. (Zero-knowledge here means the core holds no key material, not a zero-knowledge proof.)
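"Injected at execution time and wiped immediately" is where this kind of claim usually fails in practice: the plaintext gets copied into a String, logged through `{:?}`, or left behind in a reallocated Vec. The following is an added example (not the AI Core's code) of a guard that limits the plaintext to one closure and zeroes the caller-owned buffer on drop, including when the tool panics; `execute_with_secret` and the bearer-header tool inside it are stand-ins for the real tool executor.

```rust
// Added example (not UltraSushiTron code): plaintext held only for one tool call.
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a buffer with zeros in a way the optimizer must not elide.
pub fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Guard around a caller-owned, fixed-size buffer holding a decrypted secret.
/// Fixed size matters: a Vec that grows leaves its old allocation un-wiped.
/// The buffer is wiped when the guard drops, on normal return and on panic.
pub struct SecretGuard<'a> { bytes: &'a mut [u8] }

impl<'a> SecretGuard<'a> {
    pub fn new(bytes: &'a mut [u8]) -> Self { SecretGuard { bytes } }

    /// Expose the plaintext to exactly one tool invocation, then wipe it.
    pub fn use_once<R>(self, tool: impl FnOnce(&[u8]) -> R) -> R {
        tool(&*self.bytes)
        // `self` drops here, which runs Drop::drop and wipes the buffer
    }
}

impl Drop for SecretGuard<'_> {
    fn drop(&mut self) { wipe(&mut *self.bytes); }
}

/// Never let the plaintext reach logs through `{:?}`.
impl fmt::Debug for SecretGuard<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("SecretGuard([REDACTED])") }
}

/// Step 7 of the data flow: inject the decrypted value into one tool run, then wipe.
/// The "tool" here is a stand-in that builds a bearer header and reports its
/// length; note that the tool's own copy of the secret must be wiped as well.
pub fn execute_with_secret(decrypted: &mut [u8]) -> usize {
    SecretGuard::new(decrypted).use_once(|plaintext| {
        let header = format!("Authorization: Bearer {}", String::from_utf8_lossy(plaintext));
        let mut header_bytes = header.into_bytes();
        let sent = header_bytes.len();
        wipe(&mut header_bytes);
        sent
    })
}

fn main() {
    let mut decrypted = *b"ghp_example";          // constructed stand-in for a redeemed secret
    let sent = execute_with_secret(&mut decrypted);
    println!("tool sent {} bytes; buffer now {:?}", sent, &decrypted[..]);
}
```

What a guard like this cannot cover is the copy a tool makes for itself (wiped by hand above), swap and core dumps (mlock and resource limits), or the value crossing a process boundary into Bash, where it lands in the child's environment or argv and is out of the AI Core's reach.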

Fail Secure

If approval times out (5 minutes), the request is denied. If the WebSocket connection drops, pending requests are denied. The system defaults to denying access.
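The sequence under Data Flow and the fail-secure rules above, as one added example modelled in-process (not the Secrets Agent's code): the two mpsc channels stand in for the WebSocket to the Mobile App, the HashMap for the AES-256-GCM vault, and the token format is a placeholder where a real agent would use a CSPRNG or a KDF. Every outcome other than an explicit Approve ends the stream with Denied: unknown secret, user denial, the approval timeout, and the mobile link dropping in either direction.

```rust
// Added example (not UltraSushiTron code): RequestSecretAccess on the agent side.
use std::collections::HashMap;
use std::sync::mpsc::{self, Receiver, RecvTimeoutError, Sender};
use std::time::Duration;

/// What the AI Core receives on the gRPC stream, in order.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Status { Pending { request_id: u64 }, Token(String), Denied(String) }

/// What the phone shows the user (step 4) and what it answers.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ApprovalRequest { pub request_id: u64, pub secret: String, pub context: String }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision { Approve, Deny }

/// Stand-in for the WebSocket session to the Mobile App.
pub struct MobileLink { pub to_phone: Sender<ApprovalRequest>, pub from_phone: Receiver<Decision> }

pub struct SecretsAgent {
    vault: HashMap<String, Vec<u8>>,     // stand-in for the encrypted SQLite vault
    next_request_id: u64,
    tokens: HashMap<String, String>,     // outstanding one-time token -> secret name
}

impl SecretsAgent {
    pub fn new(secrets: &[(&str, &[u8])]) -> Self {
        let vault = secrets.iter().map(|(k, v)| (k.to_string(), v.to_vec())).collect();
        SecretsAgent { vault, next_request_id: 0, tokens: HashMap::new() }
    }

    /// Steps 1 to 6. Every path other than an explicit Approve ends in Denied.
    pub fn request_secret_access(&mut self, secret: &str, context: &str,
                                 link: &MobileLink, timeout: Duration) -> Vec<Status> {
        let request_id = self.next_request_id;
        self.next_request_id += 1;
        let mut stream = vec![Status::Pending { request_id }];                    // step 2
        let outcome = if !self.vault.contains_key(secret) {
            Status::Denied(format!("unknown secret {}", secret))
        } else if link.to_phone.send(ApprovalRequest {                             // step 3
            request_id, secret: secret.to_string(), context: context.to_string(),
        }).is_err() {
            Status::Denied("mobile link down".to_string())
        } else {
            match link.from_phone.recv_timeout(timeout) {                          // step 4
                Ok(Decision::Approve) => Status::Token(self.issue_token(request_id, secret)), // 5
                Ok(Decision::Deny) => Status::Denied("denied by user".to_string()),           // 6
                Err(RecvTimeoutError::Timeout) => Status::Denied("approval timed out".to_string()),
                Err(RecvTimeoutError::Disconnected) => Status::Denied("approval channel dropped".to_string()),
            }
        };
        stream.push(outcome);
        stream
    }

    fn issue_token(&mut self, request_id: u64, secret: &str) -> String {
        let token = format!("tok-{:08x}", request_id);   // placeholder, see lead-in
        self.tokens.insert(token.clone(), secret.to_string());
        token
    }

    /// A token yields the plaintext exactly once; a replayed token gets nothing.
    pub fn redeem(&mut self, token: &str) -> Option<Vec<u8>> {
        let name = self.tokens.remove(token)?;
        self.vault.get(&name).cloned()
    }
}

fn main() {
    let (req_tx, req_rx) = mpsc::channel();
    let (dec_tx, dec_rx) = mpsc::channel();
    let link = MobileLink { to_phone: req_tx, from_phone: dec_rx };
    let mut agent = SecretsAgent::new(&[("GITHUB_TOKEN", &b"ghp_example"[..])]);   // constructed
    dec_tx.send(Decision::Approve).unwrap();                                        // user taps Approve
    let stream = agent.request_secret_access("GITHUB_TOKEN", "Bash: gh pr create --fill",
                                             &link, Duration::from_secs(300));
    println!("phone showed: {:?}", req_rx.recv().unwrap());
    println!("core received: {:?}", stream);
}
```

`recv_timeout` carries the whole fail-secure rule: a missing answer, a closed channel and an explicit denial all reach the AI Core as Denied, and the 5-minute window is just the `timeout` argument. The token is removed from the table the first time it is redeemed, so replaying a captured Token message yields nothing.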

Minimal Trust

Each component has the minimum privileges needed. WASM plugins cannot access the network or secrets store. Tools are sandboxed with output size limits and timeouts.

WASM Plugin Sandbox

Third-party plugins run in a WASM sandbox with capability-based security:

  • Blocked: network access, secret store access, filesystem access outside the workspace
  • Allowed: computation, string processing, structured output
  • Plugins declare required capabilities; users approve at install time
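An added example (not the plugin host's code) of the install-time and per-call sides of that capability model; the capability names, the `HostCall` shape and the `/workspace` root are assumptions. Network and secret-store access have no capability a user could approve, and plugin-supplied paths are confined by rejecting absolute paths and `..` components before the join rather than by normalising afterwards.

```rust
// Added example (not UltraSushiTron code): capability grants for WASM plugins,
// checked once at install and again on every host call.
use std::collections::HashSet;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Capability { Compute, WorkspaceRead, WorkspaceWrite, Network, SecretStore }

/// Capabilities no manifest can obtain, regardless of what the user approves.
const NEVER_GRANTED: &[Capability] = &[Capability::Network, Capability::SecretStore];

pub struct PluginManifest { pub name: String, pub requested: Vec<Capability> }

pub struct Grant { pub plugin: String, caps: HashSet<Capability> }

/// Install-time check: every requested capability must be grantable and approved.
/// Nothing the manifest did not request is granted, even if the user approved it.
pub fn install(manifest: &PluginManifest, user_approved: &[Capability]) -> Result<Grant, String> {
    for cap in &manifest.requested {
        if NEVER_GRANTED.contains(cap) {
            return Err(format!("{}: {:?} is never granted to plugins", manifest.name, cap));
        }
        if !user_approved.contains(cap) {
            return Err(format!("{}: {:?} was not approved at install", manifest.name, cap));
        }
    }
    Ok(Grant { plugin: manifest.name.clone(), caps: manifest.requested.iter().copied().collect() })
}

/// Host functions a guest can import (assumed shape).
pub enum HostCall { ReadFile(String), WriteFile(String), Fetch(String), GetSecret(String) }

impl Grant {
    fn require(&self, cap: Capability) -> Result<(), String> {
        if self.caps.contains(&cap) { Ok(()) } else {
            Err(format!("{}: missing capability {:?}", self.plugin, cap))
        }
    }

    /// Per-call check on the host side of the WASM boundary. Returns a description
    /// of the action the host would now perform (this demo performs no I/O).
    pub fn host_call(&self, call: HostCall) -> Result<String, String> {
        match call {
            HostCall::ReadFile(p) => {
                self.require(Capability::WorkspaceRead)?;
                Ok(format!("read {}", confine(&p)?.display()))
            }
            HostCall::WriteFile(p) => {
                self.require(Capability::WorkspaceWrite)?;
                Ok(format!("write {}", confine(&p)?.display()))
            }
            // Blocked outright: no capability exists that would unlock these.
            HostCall::Fetch(url) => Err(format!("{}: network access is blocked (tried {})", self.plugin, url)),
            HostCall::GetSecret(name) => Err(format!("{}: secret store access is blocked (tried {})", self.plugin, name)),
        }
    }
}

/// Keep a plugin-supplied path inside the workspace: reject absolute paths and
/// any `..` component before joining, instead of normalising after the fact.
fn confine(requested: &str) -> Result<PathBuf, String> {
    let mut out = PathBuf::from("/workspace");   // assumed workspace root
    for comp in Path::new(requested).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            _ => return Err(format!("path escapes workspace: {}", requested)),
        }
    }
    Ok(out)
}

fn main() {
    let manifest = PluginManifest {
        name: "csv-summarizer".to_string(),
        requested: vec![Capability::Compute, Capability::WorkspaceRead],
    };
    let grant = install(&manifest, &[Capability::Compute, Capability::WorkspaceRead]).expect("approved");
    println!("{:?}", grant.host_call(HostCall::ReadFile("data/report.csv".to_string())));
    println!("{:?}", grant.host_call(HostCall::Fetch("https://example.com".to_string())));
}
```

Rejecting `..` before the join is deliberate: normalising `/workspace/../etc/passwd` after the fact is easy to get wrong. Symlinks inside the workspace are not covered here; opening with `openat2` and `RESOLVE_BENEATH` on Linux, or checking the canonicalised path after open, closes that hole.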