jenius Systems
A self-hosted fleet of eleven AI agents living on an isolated virtual machine — handling email, messaging, health, a shadow crypto-trader and a places concierge, all behind a single hardened gateway.
current deployment · gateway v2026.4.9 · isolated macOS VM · Mac mini M4 Pro
Four layers, one boundary
Everything binds to 127.0.0.1 inside the VM. Only Tailscale and SSH cross the edge — there is no public inbound port.
The Gateway
A single Node process on :18789 (token-auth, loopback). It routes every channel event to the right agent, dispatches the LLM call to that agent's model, and enforces per-agent tool gates and exec-approvals on the way out.
How it's reached
Telegram & WhatsApp for conversation, email anywhere, and a Mission Control dashboard in the browser over an SSH tunnel or Tailscale.
13 launchd daemons
System-wide services survive reboot & logout — gateway, dashboard, mail poller, morning digest, two SysOps audits, health, cost aggregator, OAuth watchdog, and the trading trio.
Least-privilege
Each agent gets only the tools it needs. Untrusted-input agents run an exec allowlist. Self-modification and money moves are gated behind a Reviewer + TOTP.
Cost-aware by design
Models are tiered per agent — lightweight reasoning for routine workers, premium only where the task demands it. Spend-sensitive paths carry hard daily caps.
Eleven agents, three tiers
One conversational hub, nine task workers, and a paid specialist — each with its own workspace, model and tool gate.
Root
The conversational front. Talks to the operator, holds personal-context memory, and delegates to the specialists. Root's primary push channel is Telegram, with WhatsApp as a fallback.
Reviewer
The approval gate. Tier-based: routine auto-approves, sensitive escalates, system-tier identity edits require TOTP.
Orchestrator
Cheap stateless router. Resolves agent names, validates payloads, rejects illegal cross-agent moves.
Luna-Read
Inbound Gmail processor. Read-only, prompt-injection-contained, catalog-disciplined output.
Luna-Send
Outbound action chain with per-recipient memory. Every send passes through Reviewer first.
Morning-Update
Daily digest from Gmail, calendar, memory and Oura, delivered over Telegram.
SysOps
Self-modification audit + plan author. Diagnoses incidents and drafts fix plans for the Reviewer queue.
SysOps-Opus
Heavier-reasoning SysOps lane reserved for sensitive system-tier diagnostics.
Health
Personal health-log curator. Append-only Oura journaling; sensitive-tier by default.
Crypto-Trader
shadow · Journals intraday-momentum decisions, never trades. Withdraw/transfer denied at the tool gate; live trading is architecturally locked.
Concierge
"Find a Mexican place near home", "plan this errand route". Backed by Google Places (New) + Routes v2, it geocodes against a discard-after-use home base and is hard-capped at $5/day. Locked to an exec allowlist of three scripts — no web, mail or shell beyond them.
From your thumb to the model
A message flows down through the channels, across the network edge, into the gateway, out to an agent's model and any external service — then back the same way.
Private semantic recall at zero marginal cost — sensitive context is embedded and judged on-device, never sent to a third-party API. The gateway reaches it from inside the VM over a host-only bridge at 192.168.64.1:8088; Mission Control proxies it same-origin (/api/local-brain) so the live memory-sphere renders over HTTPS without mixed content.
Nothing irreversible without a gate
Three concentric controls — what tools an agent has, what commands it may exec, and a human-plus-TOTP gate on anything that rewrites the system or moves money — built on standard, auditable protocols.
Tool allowlists
Each agent is granted only the tools it needs. Untrusted-input agents (like Concierge) use a fail-closed allowlist rather than a deny-list — a missed deny silently lets everything through, an allowlist over-restricts loudly. Gates are verified empirically, not assumed.
Exec approvals
The exec tool is itself gated. Concierge may run exactly three scripts — places · route · geocode — under security: allowlist with askFallback: deny, so a headless miss fails closed.
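The fail-closed behaviour described above, as an added example rather than the gateway's own code. The policy shape, the /opt/concierge/bin directory and the reason strings are assumptions made for illustration; only the three script names and the allowlist/deny wording come from the page.

```javascript
const path = require("node:path").posix;

// Hypothetical policy shape, modelled on the page's "security: allowlist" and
// "askFallback: deny" wording; it is not the gateway's real schema.
const SCRIPTS_DIR = "/opt/concierge/bin"; // assumed install location
const POLICY = {
  security: "allowlist",
  askFallback: "deny",
  allow: ["places", "route", "geocode"].map((name) => path.join(SCRIPTS_DIR, name)),
};

// argv is an array handed to the process spawner, never a shell string,
// so the decision is made on the exact executable path.
function decideExec(policy, argv, { approverPresent = false } = {}) {
  if (!Array.isArray(argv) || typeof argv[0] !== "string" || argv[0] === "") {
    return { allow: false, reason: "malformed-request" };
  }
  if (!path.isAbsolute(argv[0])) return { allow: false, reason: "relative-path" };
  // Normalise first so "../" segments cannot make another binary look listed.
  const target = path.normalize(argv[0]);
  if (policy.security !== "allowlist") return { allow: false, reason: "unsupported-mode" };
  if (policy.allow.includes(target)) return { allow: true, reason: "allowlisted" };
  // A miss may go to a human approver only if one is attached to the session.
  if (approverPresent) return { allow: false, reason: "pending-approval" };
  // Headless miss: "deny" and any unrecognised fallback value both refuse.
  return { allow: false, reason: policy.askFallback === "deny" ? "fallback-deny" : "unknown-fallback" };
}

// For contrast: a deny-list gate approves whatever its author did not anticipate.
function decideExecDenyList(denied, argv) {
  return { allow: !denied.includes(path.normalize(argv[0])) };
}
```

Path normalisation here is lexical only; a real gate would also need to account for symlinks inside the scripts directory.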
Kill switches + TOTP
Self-mod and trading each have a one-flag kill switch (selfMod.json, cryptoTrader.json). System-tier writes demand a one-time code from a separate device.
The self-modification chain
An agent can propose changes to its own config — but never apply them alone.
Built on auditable protocols
- NET: Every service binds to 127.0.0.1 — no public inbound port. The only edges are Tailscale (WireGuard) and key-only SSH; the gateway requires a bearer token on every RPC.
- AUTH: Step-up auth via TOTP (RFC 6238) on system-tier writes; OAuth 2.0 for Gmail; TLS to every upstream provider; secrets stored at filesystem mode 600.
- INTEG: SHA-256 checksum verification before any self-mod write (halt-on-mismatch), timestamped .before-* backups, and a config-schema validation gate that runs before the gateway is ever restarted.
Tests run & passing
- ✓ Core smoke suite — 34/34 green (channel, routing, gateway, daemon health).
- ✓ Self-mod chain — 17/17 across all five rejection paths (kill-switch, expiry, forbidden-target, checksum, source allowlist).
- ✓ Exec-approval allowlist verified empirically — an allowed command runs, a non-listed one is denied.
- ✓ Continuous guardrails — heartbeat-staleness and cache-health monitors surface silent failures.
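A sketch of a pre-write gate covering the five self-mod rejection paths and the halt-on-mismatch SHA-256 check listed above; it is an added example, not the project's code. The plan fields, the `enabled` flag name, the allowed source names, the forbidden-target patterns and the backup timestamp format are all assumptions.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Constructed policy values (assumptions): which agents may author plans, and
// which files no plan may touch (here, the kill-switch files themselves).
const GATE = {
  allowedSources: new Set(["sysops", "sysops-opus"]),
  forbiddenTargets: [/(^|\/)selfMod\.json$/, /(^|\/)cryptoTrader\.json$/],
};

// Returns { ok, reason }. Any failed check halts before a byte is written.
// A missing or unreadable kill-switch object counts as "off" (fail closed).
function checkSelfModPlan(plan, { killSwitch, currentContent, now }) {
  if (!killSwitch || killSwitch.enabled !== true) return { ok: false, reason: "kill-switch" };
  const expires = Date.parse(plan.expiresAt);
  if (Number.isNaN(expires) || now >= expires) return { ok: false, reason: "expiry" };
  if (typeof plan.target !== "string" || GATE.forbiddenTargets.some((re) => re.test(plan.target))) {
    return { ok: false, reason: "forbidden-target" };
  }
  // The plan records the hash of the file it was written against; if the file
  // has changed since, the plan is stale and must not be applied over it.
  if (sha256(currentContent) !== plan.expectedSha256) return { ok: false, reason: "checksum" };
  if (!GATE.allowedSources.has(plan.source)) return { ok: false, reason: "source-allowlist" };
  const stamp = new Date(now).toISOString();
  return { ok: true, reason: "passed", backupName: `${plan.target}.before-${stamp}` };
}

// Constructed sample input.
const CURRENT_CONFIG = '{"model":"small"}\n';
const SAMPLE_PLAN = {
  source: "sysops",
  target: "agents/concierge/config.json",
  expiresAt: "2030-01-01T00:00:00Z",
  expectedSha256: sha256(CURRENT_CONFIG),
};
```

Passing this gate only clears the plan for the later steps the page names (Reviewer approval, TOTP for system-tier writes, schema validation before restart); it does not replace them.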
What's next
The platform is built to extend itself through the same gated chain it uses today. The on-device brain just landed; the rest is planned work, in rough priority order.
On-device memory layer
Shipped. A local Ollama judge (llama3.2:3b) with nomic-embed-text embeddings over a sqlite-vec store — private, zero-marginal-cost recall, live in Mission Control as the rotating memory sphere. Next: ingestion to fill the store at scale.
Proactive watcher
A watcher/responder tier that surfaces what matters before it's asked — novelty-gated so it speaks up only when something genuinely warrants attention.
Model consolidation
Consolidate the daily-driver fleet onto a single subscription tier to flatten and predict spend without changing agent behaviour.
Specialist expansion
Calendar-aware scheduling, long-horizon deep research, and marketplace agents — each installable through the gated self-mod chain, never bypassing Reviewer.