Metnos is a digital butler for the home: an AI assistant that lives on a family computer, talks through the channels you already use (terminal, Telegram, later voice), performs real actions (reading files, running commands, consulting the web) but asks permission before anything serious.
The butler analogy is useful. A good butler:
/etc or ~/.ssh);metnos.com);
Metnos is the name of the process running on the PC
(${METNOS_HOME}/, myclaw-gateway.service). Same
system from two angles: outside as a name, inside as code.
Technically it is a Python ≥ 3.11 process that lives at
${METNOS_HOME}/, made of four layers (gateway, policy, sandbox,
workspace/tool). Every AI service (LLM, STT, TTS, embedding, speaker ID)
is consumed through an abstract interface
— Metnos is provider-agnostic by construction. In the
author's environment that interface is implemented by
suprastructure, a pre-existing sibling package; in another
environment it could be implemented by any equivalent adapter.
| Goal | What it means concretely |
|---|---|
| Self-hosted | Lives on a machine under the user's physical and legal control (in our case the metnos-server). The laptop and the phone are clients that talk to it, not the place where Metnos lives. The cloud remains an optional possibility (remote LLMs, the Telegram channel), never a place of residence. See ch. 4 for the full topology. |
| Secure by default | Bind on 127.0.0.1, autonomy Supervised, mandatory sandbox, forbidden paths, approval for risky actions. |
| Multi-channel | Same "mind", different interfaces: CLI, Telegram, then Signal, voice, web dashboard. |
| Open-ended | New tools and channels without rewriting the core: conform to a Protocol and you are in. |
| No lock-in | The AI layer sits behind an abstract interface: swapping Claude with Ollama = one configuration line, no code to touch. |
| No learning | Metnos does not train models. No fine-tuning. No RLHF. It changes itself through memory external to the LLM (the mnestome, ch. 9) and through proposing new executors filtered by the human (ch. 11). |
Both are excellent projects and were the primary inspiration. Both have quirks, though, that keep them unfit for household use on my PC:
| Project | Strengths | Limits for my case |
|---|---|---|
| openclaw TypeScript, Node 24+ |
Gateway-first design, 20+ channels, pluggable sandboxes (Docker/SSH/OpenShell), skills registry, multi-agent routing | Node stack unfamiliar to my other projects, more permissive defaults, cloud-oriented sandboxes |
| zeroclaw Rust 2024 |
Minimal footprint, autonomy levels, layered sandbox (Landlock+Bubblewrap), DM pairing, encrypted auth, 129+ security tests | Rust reintroduces a separate stack; rewrites from scratch the LLM/STT/TTS layer I have already solved with an abstract interface and its implementation (in my case suprastructure) |
The decision: take the best patterns of both (gateway-first from openclaw, autonomy+pairing+layered-sandbox from zeroclaw) and reimplement them in Python, where:
Before stepping into the technicalities, let's fix what Metnos has to be. Four adjectives, not in order of importance but in order of increasing difficulty. The fourth is the new one in v1.1 of the perspectives: previously there were three, now there are four.
| Adjective | What it asks of the system | Antithesis — the opposite temptation |
|---|---|---|
| Useful | Does real things for the user, does not perform intelligence. Reads the log, archives the invoice, remembers the deadline. | Impressive demo, no substance; an agent that talks beautifully and does little. |
| Intelligent | When it touches the LLM, it does so well: good prompts, good tools, low-noise context. | An agent hard-wired with if/else that draws nothing from the flexibility of language models. |
| Autonomous | Decides alone when to act without disturbing, and when instead to stop and ask. | Two equally toxic extremes: the agent that confirms everything, and the agent that acts on its own without ever pausing. |
| Proactive | Anticipates, proposes, reminds. Not only reacts but initiates. | The passive agent that always waits for a prompt. — But also, at the other extreme, the nagging agent that proposes non-stop. |
The fourth adjective is the one that raises the bar. A purely reactive agent is a chatbot with tools. A proactive agent needs a reason to act and a brake not to overdo it. Reason and brake are the subject of chapters 9, 10 and 11.
Metnos does not live on your laptop. It lives on a Linux server that stays on twenty-four hours a day, and the laptop — like the phone, like the browser of a device on the road — is a client talking to it. This chapter, new in v1.1, explains why this is so and what follows from it; toward the end it opens the door to an important future direction: remote executors.
The term local-first, in the literature (Kleppmann 2019), has a precise meaning that bundles two properties together: (a) the data lives on the user's machine; (b) the system also works offline. The v1.0 had adopted both as goals. Tested against the real life of a household, the picture changes.
The property that really matters is (a): the data and the logic do not live in third-party clouds. The reason is sovereignty, privacy, freedom from lock-in. Property (b) — "works offline" — is for us a half-truth: an agent that orchestrates LLMs, web fetches, notifications is not really useful without a network. If the network is down, the laptop "hosting Metnos" cannot call a language model, fetch a web page, or send a message anyway.
The v1.1 reformulates the principle: Metnos is self-hosted,
not "local-first" in the strict sense. The data and the logic live on a
machine under the user's physical and legal control — in our case
metnos-server, the home server. No vendor lock-in, no mandatory
channel through third-party servers. The cloud remains an optional
possibility (remote LLMs, the Telegram channel) but never as a place of
residence.
Thinking the problem through means enumerating the alternatives before deciding. Five topologies were (and are) plausible for a household agent of this shape:
| # | Topology | Pros | Costs / why not (for now) |
|---|---|---|---|
| A | Metnos on metnos-server, laptop = client.Current choice. |
Total coherence (one instance, one mnestome, one audit log). Serious sandboxing (bubblewrap, landlock). Resources adequate for local language models. Always-on proactivity: cron runs even when the laptop sleeps. |
Outside the LAN, an overlay is needed to reach it (→ Headscale). |
| B | Metnos on the laptop, calling metnos-server as a dedicated language-model machine. |
Metnos is "with you". Direct access to laptop files. | Windows has no real equivalent of bubblewrap / systemd-run / landlock: process isolation gets weaker. The laptop sleeps → proactivity dies with the lid. Memory is fragile (lose the laptop, lose everything except the synced copy). |
| C | Two instances (one per machine), mnestome kept in sync. | Always available, anywhere. | Distributed synchronization of a memory graph: CRDTs, conflicts, leader election. Complexity well beyond a household agent's budget. Twice the attack surface. |
| D | Metnos on metnos-server, laptop reduced to a pure thin client. |
Maximum simplicity. | Some useful actions need laptop resources (taking a screenshot, reading a non-synced file, driving a Windows application). D leaves them out. |
| E | Gateway on metnos-server, some executors run on the laptop (remote executors).Future direction. |
Single source of truth (mind, memory, rules on metnos-server), but access to per-device resources where needed. |
Opens an abyss of security and reliability considerations (see below). Tackling them on day one is not the right move. |
The pragmatic choice: A as the baseline, with E as the explicit future direction Metnos can grow toward.
metnos-server, always on and adequately resourced; clients (laptop, phone) reach it on the LAN, via the self-hosted Headscale overlay if outside, or via Telegram if more convenient. The user's sovereignty is never crossed.| Channel | Where it works | How |
|---|---|---|
| CLI / dashboard on LAN | Laptop at home, same network as metnos-server |
Direct connection to metnos-server's IP. Minimal latency. The everyday channel. |
| Headscale overlay | Laptop away from home, anywhere with Internet | WireGuard peer-to-peer toward metnos-server, as if you were on the LAN. The control plane (Headscale) also runs on metnos-server: no third-party coordination server. |
| Telegram | Phone, a friend's laptop, any device with Telegram | The bot polls outbound from metnos-server → api.telegram.org: no open ports needed, no public IP needed. The content flows through Telegram (a known compromise: a channel we already chose to use). |
There is a fourth scenario — you are on a plane, your home has no
network because of a power cut: no channel reaches metnos-server,
Metnos is unavailable for you. It is an acceptable degraded case,
symmetric to that of any service: without a network there is not much to
do.
Many of the files you will want Metnos to handle are born on the
Windows laptop (invoices, photos, work code), but Metnos runs on
metnos-server. We close the gap modularly, starting
from the simplest solution:
| Level | Tool | When it makes sense |
|---|---|---|
| 0 (day one) | Syncthing: a folder ~/metnos-share/ on the laptop, replicated in real time on metnos-server. |
Zero intermediate servers, encrypted peer-to-peer sync, works under Headscale too. Metnos sees a local folder; it knows nothing of the sync that keeps it fresh. |
| 1 | Self-hosted Nextcloud on metnos-server, desktop client on the laptop. |
If and when web UI, versioning, sharing, mobile app are needed. More powerful, more setup work. |
| 2 | Remote executors (see next section). | When you need to act on the laptop, not just see files. Examples: take a screenshot, drive a Windows application, read a file that is not in the shared folder. |
Start at level 0. Climb only when the gap actually bites in a concrete case. Simplicity (principle 6) wins.
Option E in the table above is the most interesting one structurally.
Instead of demanding that all files end up in the shared folder, a simple
idea: not all executors live on metnos-server. Some
run on the laptop, exposed to metnos-server through the Headscale
overlay, and when Metnos invokes them it gets the result as if they were
local. One gateway, one rule set, one mnestome; arms distributed.
This is not just an optimization. For some use cases it becomes
the only sensible way. The example that fixes the idea: tidying
up a photo archive of ten thousand files on the laptop. The "sync
everything to metnos-server, tidy, sync back" approach implies
gigabytes of traffic, double disk usage, time windows in which the same
file exists in two states on two machines, and a real risk of conflicts
during the operation. An in-place rename on the laptop solves in a
second what the copy would take minutes for, with no wasted space and no
divergence risk. Similar examples: bringing an application to the
foreground, reading a file that, by size or by nature, does not belong
in the shared folder, cleaning out an old downloads folder, modifying
the permissions of a hierarchy.
The fifth principle (ch. 14) says every evolutionary act is reversible.
The same holds for remote actions: before performing a remote operation
that changes laptop state, Metnos keeps on metnos-server a
snapshot of the "before" — only what is needed to roll back, not
the whole data when not necessary. For a batch of photo renames, the
"before" can be a simple list (original_path, new_path, size, hash),
signed and timestamped. If Roberto says "undo", Metnos reads the
manifest and sends the laptop the same pattern in reverse. Duplication
is minimal (kilobytes, not gigabytes), reversibility is fully preserved,
and the audit log on metnos-server carries the trail of both sides.
In riskier cases (e.g. permanent deletion), the manifest can be promoted
to a snapshot of just the touched files, kept until Roberto says
"confirm".
metnos-server. The remote executor must
be a small confined process, with no access to the user's full
filesystem, with an allow-list of operations enforced
laptop-side as well, not just on metnos-server's
side.For these reasons, even if the direction is inevitable, we do not do everything at once. The rule is: introduce one remote executor at a time, motivated by a concrete use case the shared folder cannot cover. That single executor is born with all the guarantees in the list above and its contract lives in a dedicated micro-design document. The roadmap (ch. 17) places the first remote executor as ideal phase 5+, but that number is not sacred: if a priority use case needs it sooner — tidying photos is the most natural candidate — the phase is brought forward; the security requirements are not.
An agent that does whatever it wants is dangerous. An agent that asks permission for everything is useless. Between the two extremes there is not one tension but three. The word "safety" hides them all under a single label; this chapter pulls them apart, because only once they are separate can they be handled honestly.
Drawing the distinction up front pays interest throughout the document. The three words we need are identity safety, perimeter safety and robustness. The first is one whole thing; the second has a core and a shell; the third is its own axis. All three stand in some relation with Metnos's freedom, but the relation changes in nature. The point of this chapter is to teach the reader to recognize which of the three relations is in play in a given moment, because applying the wrong criterion is a frequent design error.
| Word | What it protects | Examples of violation |
|---|---|---|
| Identity safety | That whoever speaks, decides or executes inside Metnos is actually Metnos: the trusted user, its own LLM, its own signed executors, its own rules. About authentication, signatures, pairing. | A prompt injection hidden in a web page convinces the LLM to leak a secret. A compromised dependency turns into an executor. An unpaired stranger on Telegram issues a command. An unauthenticated remote executor invokes rm -rf. |
| Perimeter safety | The reach of what Metnos can see and touch: folders, shell commands, outbound network, external devices. About the fence the agent moves within. | An executor with full filesystem access deletes a system folder by mistake. An unbounded shell command touches another user's files. An uncontrolled network egress reaches an unintended service. |
| Robustness | That the actions Metnos actually performs do not corrupt, lose, or close one-way doors. About downstream effects, not about who is acting. | A batch of renames fails halfway and leaves files in an inconsistent state. A forgotten cron overwrites a file in use. A bug deletes the wrong row of a csv. A remote executor loses connection and never rolls back. |
| Freedom | The latitude with which Metnos acts without disturbing and without asking permission. How much Roberto tolerates not being asked. | — (freedom is not a thing to violate; it is a thing that gets granted badly or granted well.) |
Three things, three different relations with freedom. The middle of this chapter examines them one at a time.
Identity safety is not a limit on Metnos's freedom: it is its precondition. If identity gives way — LLM hijacked by prompt injection, a malicious dependency dressing itself up as an executor, a command received from a stranger and mistaken for the user — there is no longer "Metnos acting freely": there is someone else, dressed as Metnos, acting on its behalf. Metnos's freedom cannot be the freedom of an impostor.
For this reason, identity-safety tools are non-negotiable. There is no autonomy level that loosens them, no sandbox profile that switches them off, no use case that justifies bypassing them:
These tools do not reduce freedom: they make it possible. The analogy is with the locks on a house. A door that closes does not limit the freedom of those who live inside; it limits the freedom of those who would walk in uninvited.
On the perimeter axis the trade-off is real, and serious. Widening Metnos's fence — more readable folders, more executable commands, more drivable devices — broadens what it can do for you, but at the same time it broadens the surface on which an error (its own or someone else's) can manifest: a prompt injection has more potential things to ask for; an executor bug has more files to touch; a "seeing" tool can end up seeing too much. More reach of action, more reach of any harm: the two grow together.
Metnos does not solve the trade-off by pretending it does not exist; it mediates it in two layers. There is a hard core that is not up for discussion, and a modulable shell around it.
The core is what stays forbidden even at the most permissive autonomy level. It is not configurable from YAML: it is in the code, it is in the Laws, and changing it requires a rite (code change, review, release). Examples:
~/.ssh,
~/.gnupg, system areas, the secrets vault,
workspace/.audit/. Even Full does not cross
them.bubblewrap or
systemd-run with a signed profile. The process
itself cannot leave its bounds, regardless of what it is asked or
tricked into doing.The core is a small circle. Inside it, you never enter. Its smallness matters: everything in the core pays the price of rigidity, and rigidity has a cost — you cannot relax it when a legitimate case would call for it. Stuffing too much into the core turns Metnos into a closed system that can no longer help.
Everything outside the core is the shell: the latitude of action that is chosen for Metnos, modulable by band. Modulation happens on three levers, applied together:
ReadOnly,
Supervised, Full. Defines which categories of
actions Metnos may take without asking. Latitude grows by demonstrated
trust.Full, certain actions (e.g. sending a message to third
parties, or permanent deletion of a file) remain subject to explicit
confirmation. The threshold is not binary, it is a function of the
action's risk and the active autonomy level.The shell can be widened and narrowed during the system's life. Start from tight configurations and relax only when use demands it and history justifies it. The opposite direction — start wide and narrow "if something happens" — is not practiced: trouble on the shell is largely irreversible.
On the third axis the trade-off has a different shape. Metnos's freedom to act without asking competes with the risk of actions that cannot be undone. Here too there is a precise principle, and it is economic, not ideological:
| Type of error | Example | Recoverable? |
|---|---|---|
| Loss of robustness | Important file permanently deleted; message sent to the boss; rename batch interrupted halfway in inconsistent state; a cron racing itself and doubling an effect. | No (or only at the cost of external backups: if there were none, nothing). |
| Restriction of freedom | Metnos asks confirmation for an action that was harmless; stays silent on a proposal that would have been useful; waits to do something it could have done by itself. | Yes. Roberto approves, the threshold updates for next time, the bother budget records the pattern and avoids asking about similar cases later. |
Reversibility is the real lever that shifts the balance on this axis, because it makes near-recoverable what would otherwise not be. A rename is more "free" if Metnos keeps the list of old names and can apply it backwards; a file move is more "free" if a backup exists; an execution is more "free" if it is idempotent. The fifth principle (ch. 14) does its work here: reversibility lowers the cost of yes.
Precautionary asymmetry must not turn into paranoia, however. A Metnos that always blocks because "it never knows what could go wrong" is a useless agent: the cost is not just the "non-harm", it is also the "non-value". Roberto does not want the cousin who calls every two minutes; he also does not want the butler who asks permission to move a chair.
The architecture distributes its countermeasures unevenly across the three axes, and rightly so. It is worth seeing them in a column.
| Brake | Axis it acts on | How |
|---|---|---|
| Constitution (4 Laws) | identity + perimeter (core) + robustness | A hard, binary boundary. Embedded in the prompts of every LLM call and replicated as a runtime check. Modifiable only by rite. |
| Sandbox + forbidden paths | perimeter (core) | Technically prevents the process from touching critical areas, even when the LLM is hijacked or an executor has a bug. The physical shell of the core. |
| Pairing + signatures + mutual auth | identity | Whoever enters must be recognized. Sender, device, executor version, internal channel. |
| Vaglio | identity (guard) + robustness (judge) | The guard is binary on Law violations; the judge is graded on telos alignment before an action produces effects. |
| Autonomy levels | freedom ↔ perimeter (shell) | ReadOnly / Supervised / Full. Latitude grows with trust. The main explicit lever on the shell. |
| Reversibility | robustness | Every move has a signed opposite. Yes costs less because the error is undoable. Applied to remote executors too via the "before/after" pattern (ch. 4). |
| Bother budget + cost limits | freedom (above) + robustness (below) | Friction grows with frequency and cumulative cost. Avoids both pestering and the inflationary race of actions. |
Metnos is an onion: the outside talks to the world, the inside executes. Each layer only trusts the one further in, and grants fewer privileges as you move toward the centre.
A single FastAPI process exposing HTTP/WebSocket/SSE on
127.0.0.1:42618. It receives messages from channels, manages
sessions, routes webhooks, runs cron jobs. It is the only point of contact
with the world. It never directly runs sensitive commands.
The filter of legality and of meaning. Given an event — "user X asks to do Y" or "Metnos wants to propose Z" — it answers: allowed, denied or allowed only after approval. It applies the autonomy level (ch. 12), rate-limits, cost caps, forbidden paths, and invokes the Vaglio (ch. 11) when needed: a constitutional guard that blocks any violation of the Laws, followed, if the guard is silent, by a teleological judge that measures how well the action is aligned with the user's telos.
When the policy says "yes", the action is still not run bare-handed. For
any tool that touches the filesystem or the shell we enter
bubblewrap (or systemd-run with hardening)
with a profile chosen by the autonomy level. No direct
subprocess.run, ever. Docker is a future option for the
strictest mode.
Inside the sandbox, an executor (ch. 9) does its job: read a
file from the workspace (${METNOS_HOME}/workspace/),
call an LLM through the abstract interface, write a line to the audit log.
Every time two executors collaborate, a mnest silently records it.
The set of all mnest forms the mnestome, the relational memory of
the system.
Let's follow a concrete example. You're in the garden, you write from Telegram: "tell me what's in tonight's log".
There is a second kind of request that classic agent diagrams never show: the request that is born inside. A cron, or the proto-mnest graph (ch. 9), or a regularity noticed by Metnos itself, generates a proposal: "would you like me to archive tonight's photos as usual?". This proposal enters layer 2 from below, not from the Gateway: first it passes through the Vaglio (ch. 11), which checks for a Law violation and for minimum telos alignment; only if it clears both is it forwarded to the Gateway and delivered as a soft notification on the user's preferred channel. If the user ignores it, the same proposal does not repeat identically: it is logged and its weight decreases.
A simple, recurring use case of the proactive variant is to monitor
a mailbox on the domain (for example [email protected]): check
it at an agreed cadence, classify new messages (real requests, automated
confirmations, spam the filter missed, and so on), and deliver a summary to
Roberto only when it makes sense. The four minimal moves:
imap_status executor counts unread messages per folder without downloading them.imap_fetch_headers executor pulls headers; a classifier (a local-fast LLM, see ch. 8) labels into three or four categories.summarise executor produces two lines per item.notify executor sends the summary on Roberto's preferred channel (Telegram, personal mail, voice). The bother budget and the discretion telos regulate the frequency.
The four moves are not a new design category: they are a chain of
executors invoked by the
scheduler (a builtin executor, see microdesign ch. 9
on executors) at a cadence accepted once when the proposal was made.
Seen from the mnestome, this is a trace of four mnests that strengthens
every morning; on longer horizons synt (ch. 9) may propose a
fused version, a single email_morning_digest executor that
incorporates the chain. Scheduler-driven invocations consume a quota
separate from the bother budget of ad-hoc proposals, because the
consent to the cadence has already been given.
Metnos never talks directly to Claude, OpenAI, Ollama or any other
language-model provider. It talks to an abstract interface
(typically a typing.Protocol) that the registry resolves at
runtime to a concrete implementation. The same is true for STT, TTS,
embedding, speaker ID. This is the pattern that makes Metnos
provider-agnostic: whoever writes Metnos does not need to know
which model will actually run, and whoever administers the environment can
change it with a single line of configuration.
In the diagram below, Metnos is one consumer among possible others: a voice-driven home assistant, other bots specialised on narrow domains. All share the same abstraction. None rewrites the AI layer: they use it.
suprastructure, in the author's case) remains swappable.The concrete payoff: a new model (e.g. Claude 4.7 when available) is configured once in the interface implementation and every consumer inherits it simultaneously — Metnos included. No code to rewrite, no deploy to coordinate.
Here we enter the heart of the second dialogue. Two questions that look different but are the same one: how does Metnos act? and how does it remember?. The answer is a small vocabulary of five words. Learning them well now pays off for the rest of the document.
fs_read,
web_fetch, ocr_image, telegram_send,
archive_pdf, and so on. In code, an executor implements the
Tool Protocol. Conceptually, an executor is a node of the
graph we are about to describe.
Roberto receives a PDF invoice. Metnos reads it (fs_read),
extracts the text (pdf_ext), archives
(archive), notifies (notify). Every handoff
between two executors increments the weight of the corresponding mnest.
After a month the "invoices" trace is made of four densely connected
nodes.
One day an invoice arrives that is a scanned image only.
pdf_ext returns an empty string. Metnos looks for an
executor that does OCR. There is none. It records a proto-mnest: "from
pdf_ext I would like to jump to a hypothetical
ocr, which does not exist". After five scanned invoices
(same proto-mnest each time) the synt (ch. 10) proposes to the
user: "I'm repeatedly running into image-only PDFs. Shall I try to
synthesise an ocr_image executor?". If Roberto approves, a
new executor is born.
When a proto-mnest recurs, the synt does not jump straight to writing new code. It proceeds in steps, in a cascade that puts reuse first. The principle is practical, not aesthetic: a frontier-LLM call to generate a new executor scaffold costs about a euro; searching the existing signed pool for a chain that solves the same thing costs nothing. Cost discipline and library discipline coincide.
On top of the two reactive steps (which respond to a request within the turn) there are three introspective steps run at night by the ager on the mnestome and the signed pool:
All introspective steps are proposals: they reach Roberto in batch, on the same approval pipeline as a synthesis-by-generation. Nothing moves into the pool without a signature. The library does not degrade because every step, before entering, passes through the human guard.
A graph that grows by accumulation and never unravels is a dump. Metnos has three mechanisms to stay tractable: the emergence of traces (the structure self-organises), the ager (ageing by use, not by calendar), and reversibility (every evolutionary move has its opposite).
On a weekly scale, a lightweight process measures the modularity of the mnestome graph — an idea borrowed from network medicine: clusters of nodes with high internal density and low external density are natural traces. Metnos does not design them, it detects them. "Invoices", "photos", "mail" in figure 4 are three traces that emerged.
Traces have two concrete consequences:
If you go on holiday for a month and shut down the computer, you don't want to come back to a Metnos aged by a month. The time of the ager is the time of use: cycles advance with invocations, not with days. A system that sleeps does not age. It sounds like a nuance; it is not. Your mnestome is bound to how much you have used it, not to how much time has passed.
Every N invocations (50, 100 — the parameter lives in the config file) the ager:
Proposes, not executes. The ager has no autonomous decision power. It brings the list, the user decides. Like everything in Metnos.
The fifth principle (ch. 14) says: every evolutionary act is reversible, with a written reason. The operations have specific names:
| Move | What it does | How to undo it |
|---|---|---|
| Synthesis (synt) | Creates a new executor from a recurring proto-mnest, with human approval. | Archive the executor; mnests involving it go into "superseded" state. |
| Fusion | Merges E1 + E2 into a more general E12, within the same trace. | Defuse: E12 is retired, E1 and E2 become active again, their mnest resumes updating. Reason required. |
| Archiving | Marks as inactive an executor that has been in quarantine too long. | Restore: the executor becomes active again; its initial weight is low, it has to earn it back. |
| Freeze | You declare freeze; Metnos saves a mnestshot, halts ager and decay. | Defrost: it resumes exactly from the previous state. Time, during a freeze, has not passed. |
A proactive system that never stops is a nagging system. A proactive system that always stops is not proactive. The telos + vaglio pair is the mechanism that regulates this balance. Telos give the reason to propose; the Vaglio decides whether the proposal really deserves your attention.
TELOS.md is one of the six workspace files (ch. 13). It
contains three to seven short sentences describing what, in everyday
life, the user wants Metnos to favour. They are not KPIs. They
are soft tendencies.
### TELOS.md (example) 1. Free my time: prefer what reduces my repetitive manual load. 2. Order, not perfection: a 70% automatically tidy house is better than a constant struggle to make it perfect. 3. No surprise on spending: clear thresholds, timely notifications. 4. Protected solitude: do not disturb me after 9pm, unless it is a real emergency. 5. Cultivate the tools: if I ask for something your pool cannot yet do, exhaust the synthesis strategies (compose, generate, ask) before answering "I cannot". Failure is allowed; silent retreat is not.
Every spontaneous proposal of Metnos passes through an alignment function: how much the proposal favours each telos, weighted by their relative importance. The result is a number between 0 and 1. If it is above the threshold, the proposal arrives. If it is below, it stays silent and is logged in a "unasked proposals" register, useful to understand retrospectively whether the telos really weighed as much as you thought.
Before any proposal — spontaneous or requested — reaches the user, it goes through the Vaglio. The Vaglio has two phases in fixed order.
If you mixed "is it allowed?" and "how valuable is it?" into a single score, you would get what the literature calls self-enhancement bias: the model tends to justify its own proposals. Separating deontology (binary) from teleology (graded) is a deliberate design choice. And there is more: the teleological judge is a different LLM from the proposer — separate context, separate prompt, possibly separate provider. Structural independence, not declared.
The microdesign component for the guard+judge is vaglio.html; the one for ends is telos.html. There you'll find data types, Protocols, conformance tests. (The microdesign pages are in Italian: see the Italian microdesign index and the bridge page in English.)
Even with high alignment, one more thing the Vaglio evaluates: how many proposals have I already made recently?. The bother budget is a multiplicative brake that degrades alignment when Metnos has already spoken too much in a time window. It is the mechanical translation of "don't be the cousin who calls every time he thinks of something".
Concepts taken and adapted from zeroclaw. Every session runs at a declared autonomy level; the level sets how much Metnos can do before asking. Orthogonal to autonomy, pairing distinguishes a family member from a stranger on multi-user channels like Telegram.
| Level | Default for | What it can do without asking | What requires approval |
|---|---|---|---|
| ReadOnly | First connections, guests | Read workspace files, call LLM, do web search | Any write, any shell command, any external message |
| Supervised default |
Daily use | As above + write in workspace, allowlisted shell commands, Vaglio-approved proposals above threshold | Writes outside workspace, non-allowlist commands, cost > threshold, outbound messages |
| Full | Explicit admin sessions | Almost everything inside the home domain | Touching forbidden paths (/etc, ~/.ssh, ...): always denied, not approvable |
Full does not pass. Minimum list:
/etc, /root, ~/.ssh,
~/.aws, ~/.config/claude,
/var/backups, other /opt/ project folders
other than Metnos.
A channel like Telegram is inherently multi-user: anyone who knows the bot's handle can write to it. Pairing is the mechanism that tells a family member from a stranger.
The "personality" of Metnos is not in a Python file.
It is in workspace/, in six markdown files that Roberto can
edit any time without a restart. The idea comes from openclaw/zeroclaw
and it is right: behavioural configuration is readable text, not a data
structure buried somewhere.
| File | Contents |
|---|---|
IDENTITY.md | Who the agent is: name, tone, preferred language, response style. |
USER.md | Who the main user is: habits, time zone, preferences, constraints. |
MEMORY.md | Long-term facts: "the router password is in Bitwarden", "the dog is named X". Distinct from the mnestome, which is relational memory of how the system works; MEMORY.md is declarative memory of facts about the world. |
AGENTS.md | Orchestration rules: when to delegate to a sibling agent, how channels map to autonomy levels. |
SOUL.md | High-level operating principles: "never lie about actions taken", "if in doubt, ask", "self-hosted before cloud". |
TELOS.md | New in v1.1. Three to seven short sentences: the ultimate ends against which the Vaglio measures alignment for spontaneous proposals. Not KPIs, not lists: soft tendencies (see ch. 11). |
These files are injected into the system prompt on every LLM call (with proper caching so they don't consume tokens). Editing them is the primary way to "reprogram" Metnos.
The audit log lives in workspace/.audit/ as append-only
JSONL: one line per tool call, with timestamp, sender, action, outcome,
estimated cost. Every evolutionary move (synt, fusion, defuse, archive,
restore) leaves a line there. This is the one log that does not
unravel; reversibility is in the state, not in the history.
At the end of the second dialogue, Roberto set himself the task of counting the principles on his fingers. The result is a minimum vocabulary that holds the rest of the document. If you had to lose everything and rebuild from six sentences only, these would be the ones.
mnestome/ and vaglio/. The workspace/ directory now includes TELOS.md and the graph file mnestome.sqlite.metnos-server: one instance, one mnestome,
one audit log. See ch. 4 for the full explanation of this choice and
for the four discarded alternatives.The roadmap is deliberately small. One step at a time, with the microdesign document preceding the code.
| Phase | Goal | Gate |
|---|---|---|
| 0 | Complete Level 1 (this doc + dialogues + glossary) and microdesign | 22 docs in docs/architecture/, all approved (done) |
| 1 | Repo skeleton + gateway "hello world" + CLI channel + one sandboxed executor | gateway.html, channel.html, tool.html, sandbox.html — already approved |
| 2 | Policy engine + markdown workspace + audit log + Telos loader + minimal Vaglio | policy.html, workspace.html, observability.html, telos.html, vaglio.html |
| 3 | Telegram channel + DM pairing | pairing.html + damage-containment plan |
| 4 | Mnestome v1 + ager + synt with approval | neuron.html (to be renamed executor.html), synapse.html (to be renamed mnest.html), synthesizer.html, memory.html |
| 5+ | Voice channel, optional tunnel, minimal web dashboard | case by case |
v1.1. The v1.0
is archived in the repository. A v2 will come when the first
implementation has revealed what survived the passage from text to code.
Metnos — Architecture: Introduction v1.1 — 2026-04-24
Inspired by openclaw and
zeroclaw, built on top of
suprastructure.
v1.1: incorporates the Dialogue on ends and limits (telos, vaglio, 4 Laws)
and the Dialogue on executors and distributed memory (executor, mnest, mnestome, traces, ager).