jenius Systems
A self-hosted fleet of AI agents — handling email, messaging, health, a shadow crypto trader, a marketplace appraiser, a read-only calendar and a places concierge, all behind a single hardened gateway.
current deployment · private, self-hosted · always-on
Four layers, one boundary
Everything runs loopback-only inside a private machine. Only an encrypted tunnel and key-only SSH cross the edge — there is no public inbound port.
The Gateway
A single token-authenticated process, loopback-only. It routes every channel event to the right agent, dispatches the model call for that agent, and enforces per-agent tool gates and exec-approvals on the way out.
How it's reached
A messaging app for conversation, email anywhere, SMS/voice to reach the same agent, and a private dashboard in the browser over an encrypted tunnel.
Always-on services
System services survive reboot & logout — gateway, dashboard, mail poller, morning digest, two Steward audits, health, cost aggregator, auth watchdog, and the trading trio.
Least-privilege
Each agent gets only the tools it needs. Untrusted-input agents run an exec allowlist. Self-modification and money moves are gated behind a Sentinel + a one-time code.
Cost-aware by design
Models are tiered per agent — lightweight reasoning for routine workers, premium only where the task demands it. Spend-sensitive paths carry hard daily caps.
The fleet, three tiers
One conversational hub surrounded by task workers and delegated specialists — each with its own workspace, model and tool gate.
Atlas
The conversational front. Talks to the operator, holds personal-context memory, and delegates to the specialists. Atlas's primary push channel is a messaging app, with a fallback channel behind it. An SMS / voice bridge lets you call or text the same agent — Atlas is the brain behind the call, not a separate one.
Sentinel
The approval gate. Tier-based: routine auto-approves, sensitive escalates, system-tier identity edits require a one-time code.
Relay
Cheap stateless router. Resolves agent names, validates payloads, rejects illegal cross-agent moves.
Scout
Inbound email processor. Read-only, prompt-injection-contained, catalog-disciplined output.
Envoy
Outbound action chain with per-recipient memory. Every send passes through Sentinel first.
Aurora
Daily digest from email, calendar, memory and your health data, delivered to your phone.
Steward
Self-modification audit + plan author. Diagnoses incidents and drafts fix plans for the Sentinel queue.
Overseer
Heavier-reasoning Steward lane reserved for sensitive system-tier diagnostics.
Pulse
Personal health-log curator. Append-only journaling from your wearable; sensitive-tier by default.
Ledger
shadowJournals intraday-momentum decisions, never trades. Withdraw/transfer denied at the tool gate; live trading is architecturally locked.
Verdict
appraiserPaste a marketplace listing for a fair-price read and a scam-risk flag. Heuristics only — never messages a seller or moves money.
Horizon
read-onlyRead-only calendar access. Lists, searches and reads events; the write tools are stripped from its loadout.
Concierge
"Find a mexican place near home", "plan this errand route". Backed by a maps & places provider, it geocodes against a discard-after-use home base and is held to a hard daily cap. Locked to an exec allowlist of a few scripts — no web, mail or shell beyond them.
Sous
specialistForward a short video and it learns what you cook — files the recipe and feeds a topic signal into the morning ranking. Untrusted-caption contained.
Voyage
sentinel-gatedDestination-agnostic trip planner. Builds itineraries and surfaces booking deep-links — it never books for you.
Perks
sentinel-gatedTracks credit-card perks and reminds you which benefit fits. You tell it what you used — no account linking, no money movement.
From your thumb to the model
A message flows down through the channels, across the network edge, into the gateway, out to an agent's model and any external service — then back the same way.
Private semantic recall at zero marginal cost — sensitive context is embedded and judged on-device, never sent to a third-party API. The gateway reaches it locally, and the dashboard renders the live memory-sphere over a same-origin proxy.
The console
A glimpse of how the fleet is watched day to day — status at a glance, the on-device brain working, and a running feed of what the agents are doing, all behind the same human-gated boundary.
Simulated preview — illustrative data.
Nothing irreversible without a gate
Three concentric controls — what tools an agent has, what commands it may exec, and a human-plus-one-time-code gate on anything that rewrites the system or moves money — built on standard, auditable protocols.
Tool allowlists
Each agent is granted only the tools it needs. Untrusted-input agents (like Concierge) use a fail-closed allowlist rather than a deny-list — a missed deny silently lets everything through, an allowlist over-restricts loudly. Gates are verified empirically, not assumed.
Exec approvals
The exec tool is itself gated. Untrusted agents may run only a short, named allowlist of scripts under a fail-closed policy, so a headless miss denies rather than runs.
Kill switches + one-time code
Self-mod and trading each have a one-flag kill switch. System-tier writes demand a one-time code from a separate device.
The self-modification chain
An agent can propose changes to its own config — but never apply them alone.
Built on auditable protocols
- NETEvery service binds to loopback — no public inbound port. The only edges are an encrypted tunnel and key-only SSH; the gateway requires an auth token on every request.
- AUTHStep-up auth via TOTP (RFC 6238) on system-tier writes; OAuth 2.0 for mail; TLS to every upstream provider; secrets stored with least-privilege file permissions.
- INTEGSHA-256 checksum verification before any self-mod write (halt-on-mismatch), timestamped backups, and a config-schema validation gate that runs before the gateway is ever restarted.
Tests run & passing
- ✓Core smoke suite — 34/34 green (channel, routing, gateway, daemon health).
- ✓Self-mod chain — 17/17 across all five rejection paths (kill-switch, expiry, forbidden-target, checksum, source allowlist).
- ✓Exec-approval allowlist verified empirically — an allowed command runs, a non-listed one is denied.
- ✓Continuous guardrails — heartbeat-staleness and cache-health monitors surface silent failures.
What's next
The platform is built to extend itself through the same gated chain it uses today. Everything below is planned work, in rough priority order.
Specialist expansion
Voice and phone-call access, travel planning, card-benefits tracking, and a personal style curator — each installable through the gated self-mod chain, never bypassing Sentinel.
Coaching layer
Goal-aware coaching across health and habits — streaks, accountability and gentle course-correction, built on the signals the fleet already sees.