Work — Local agent console
AI Cockpit: a local agent with its hands tied properly.
A dashboard for my own machine where a local model can see what’s running, chat about it, and do a small set of real things — under rules it cannot talk its way around. It binds to localhost only; no data leaves the machine.
The trust architecture
Plenty of local-AI tools have a piece of this — some ask you before a tool runs, some keep an audit log. What I couldn’t find in one place, on by default, was the whole combination: an agent whose hands are fail-closed to an allowlist, attribution that refuses to guess, a receipt for everything it does, and an independent evaluator attacking the build. That combination is what the cockpit is.
- ✓Fail-closed model attribution. Every reply is labeled with the model that actually produced it, verified against the server's response. If the identity is missing or doesn't match what was requested, the message is blocked — not guessed. Corrupt selection state blocks the chat instead of silently falling back to a default.
- ✓Drafts before writes. The agent proposes file changes as drafts. A classifier sorts every write: protected paths and anything secret-, policy-, or credential-shaped is gated for the operator; only low-risk lanes ever auto-apply, and each applied write is read back and verified.
- ✓A receipt for every action. Reads, writes, blocked attempts, service controls — each one lands as a JSON record on disk with what happened, the risk class, and how it was verified. The audit trail is files you can open, not a promise.
- ✓Bounded autonomy. The background loop is off by default, its writes are separately disabled by default, and it's restricted to a short whitelist of actions. Everything it does flows through the same classifier and receipts as manual use.
The receipt I’m proudest of: it caught my own bug
Every build is attacked by an independent AI evaluator before I call it done — a separate adversarial pass whose only job is to break the guarantees above. During the portability build it found a real one: with corrupted model-selection state, an explicitly requested model could still reach the chat pipeline through a path my own tests missed. I fixed it, the evaluator re-attacked, and only then did the build stand.
A later adversarial round claimed a second bypass — and this time the claim was wrong, which I proved with a runnable reproduction rather than an argument. Both outcomes are the system working: findings get verified, not trusted. The full story is in Writing.
Tested like it matters
- ✓52 automated tests covering the fail-closed edges: corrupt selection state, model mismatch, missing attribution, gated writes.
- ✓A fresh-install smoke test, plus a factory-clean Windows Sandbox test: on a machine with nothing installed, the bootstrap fails with plain-English diagnostics instead of a stack trace.
- ✓A portability scan that blocks hardcoded personal paths and secret-shaped strings from ever being committed.
Status, honestly
The cockpit runs daily on my own machine and is in final hardening. The code isn’t public yet — it goes through external review before it ships, the same rule it enforces on itself. An open-source release of the build, including its history, is planned. When it’s out, it will be linked here.