The fact that their phone server isn't free makes me somewhat more concerned as time goes on. I used to think it was just because they were busy, then I thought maybe they just wanted more time to refine things, but now it's been nearly two years since they released the current re-vamped Signal 2.0 for iOS and over a year since releasing Signal for Android. At this point I'm running out of justifications for them for why their phone server is still proprietary & closed source.

I keep thinking about this concept of a "glass server".

They can run it, but allow developers to somehow see running processes, and write (rate-limited) queries to test things.

I haven't solidified this concept in my head but it seems like a step towards federation without the problems of federation.

Hmm that's an interesting idea. I'm assuming their phone server is Java, same as their text server, so the builds should theoretically be identically reproducible for both. It seems like it should be possible to include a field in each response with some sort of signature so users can verify which build is serving requests. It'd have to be in every response so that they can't just reverse-proxy /status to the valid build and serve other requests from a modified build, and it'd have to be somehow dependent on some changing external factor or input so they can't just hard-code the valid build's signature.