Classified · A broadside, printed this twenty‑first day of April, MMXXVI · Preview · v0.1

A playbill for attendant personal agents.

A staff of agents, each held at the gate, each driven from your phone — the Researcher, the Secretary, the Steward, the Shopper — and no agent shall touch the world without a key in hand and a signature on the petition. The gate is built of three plain things stacked: the workspace pin, the exec policy, and the ledger of refusals. Named, not hidden.

Player № I

the Researcher / Cognitor

Chamber of Index & Archive

Reads. Summarises. Cites. Returns what is asked, and only that.

Browser · Web · Files

Player № II

the Secretary / Scriba

Chamber of Correspondence

Drafts replies. Files inbox. Sends nothing without your leave.

Broker · Files · Phone

Player № III

the Steward / Custos

Chamber of Days & Hours

Holds the calendar. Writes invitations. Watches for clashes.

Broker · Web · Phone

Player № IV

the Shopper / Mercator

Chamber of Wares & Tallies

Finds. Compares. Parks items in a cart. Never strikes the button.

Browser · Web · Phone

The Gate — what keeps an agent indoors, drawn in plan

[Diagram: v0.1 · workspace pin · hard-deny regex · approval gate. The agent process, spawned per turn, stands at the centre with its tools (Browser, Web, Files, Term, Broker, Phone) around a workspace/ that holds memory.md. One agent, one cwd, one petition at a time.]

What today ships is three plain things stacked, named, not hidden. One: every terminal.run call is pinned to the agent's workspace directory — resolve a path above it and the call is refused before it reaches a shell. Two: an exec policy classifies each command before it runs — safe reads (ls, git status, ripgrep) auto‑allow, mutating commands gate to the phone, and a short list of obvious foot‑guns (sudo, rm ‑rf, curl piped into bash, fork bombs, dd against raw devices) hard‑deny regardless of approval. Three: every tool outside that pin — host shell, AppleScript through the broker, anything the user has not whitelisted — pauses on the phone as a petition until the user accedes, and the verdict, the script and the timestamp are appended to approvals.jsonl. The shape is right; the walls are thin; iron walls — should the threat model ever warrant them — are a long horizon, not the next folio.
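
An added sketch of the three stacked checks described above, not Aricode's own code. The regex list, the safe-read set, the verdict strings and the record field names are assumptions, since the page shows none of them.

```python
import json, os, re, shlex, time

# Assumed patterns for the foot-guns the page names; the real list is not shown.
HARD_DENY = [re.compile(p) for p in (
    r"(^|[;&|])\s*sudo\b",                        # sudo at the start of any command
    r"\brm\s+(-\w*\s+)*-\w*(r\w*f|f\w*r)",        # rm -rf / rm -fr
    r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b",      # download piped into a shell
    r":\(\)\s*\{.*\};\s*:",                       # classic fork bomb
    r"\bdd\b.*\bof=/dev/",                        # dd against a raw device
)]
SAFE_READS = {("ls",), ("git", "status"), ("rg",)}  # assumed auto-allow set
SHELL_META = re.compile(r"[;&|<>`$\n]")             # chaining, redirection, substitution

def inside(workspace, cwd):
    """True only if cwd, with symlinks and '..' resolved, is the workspace or below it."""
    root = os.path.realpath(workspace)
    real = os.path.realpath(os.path.join(root, cwd))
    return os.path.commonpath([root, real]) == root

def classify(cmd, cwd, workspace):
    """Return 'deny', 'allow' or 'ask' (ask = pause as a petition on the phone)."""
    if not inside(workspace, cwd):
        return "deny"                      # workspace pin: refused before any shell
    if any(p.search(cmd) for p in HARD_DENY):
        return "deny"                      # hard-deny holds regardless of approval
    if SHELL_META.search(cmd):
        return "ask"                       # "ls && touch x" must not ride on "ls"
    try:
        argv = shlex.split(cmd)
    except ValueError:                     # unbalanced quotes: let a human look
        return "ask"
    if tuple(argv[:1]) in SAFE_READS or tuple(argv[:2]) in SAFE_READS:
        return "allow"
    return "ask"

def record(log_path, agent, script, verdict):
    """Append one verdict to the audit log; mode 'a' never rewrites earlier lines."""
    entry = {"time": time.time(), "agent": agent, "script": script, "verdict": verdict}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
```

Split flags such as `rm -r -f` miss the pattern list here and fall through to `ask`, so the approval gate, not the regex, is the control that has to hold.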

The Keyring — five tools, named & worn on the belt

Key № I
Files
Read, write, edit, search. Scoped to /workspace. Never above it.
.read · .write · .edit · .search
Key № II
Terminal
A shell pinned to /workspace. Timeouts enforced. Obvious foot‑guns refused outright.
.run(cmd, cwd, timeout_ms)
Key № III
Browser
Chromium via CDP. Click, fill, extract, snapshot. Accessibility‑first reads.
.navigate · .click · .fill · .snapshot
Key № IV
Web
Host‑side search. Brave API. Key per agent, or one for the house.
.search(query, freshness)
Key № V
Broker
AppleScript, at the host's discretion. Requires a signature (see Act III).
.send(script, description)

Allow lists and deny lists by name. Deny overrides allow. Each agent wears the ring it was issued — no more, no less.

When the agent would step outside, it must ask.

Broker’s Caution · host‑privileged · approval required

AppleScript is the road to Mail, Messages, Calendar, Reminders, Notes, Shortcuts — host‑only, since AppleScript cannot live anywhere but on the Mac. The broker is the discipline laid over it: a co‑hosted gate inside the Aricode runtime — and, when scripted use is wanted, a Unix socket at ~/.aricode/desk/broker.sock — the only door through which an agent can ask the host to act. Every call is inspected. Every call is logged. Most are paused.

What the user sees, then, is a petition — a single card on the phone, stamped in wax, showing the verbatim script the agent wishes to run and, in plain prose, what the agent says it will accomplish. Two choices: accede or decline. A third: always allow for this target, which writes a narrow rule into rules.json — scoped to the operation kind and the target string, and nothing wider.

What is written down

Every petition — granted, refused, auto‑allowed — is recorded in approvals.jsonl with the script, the agent, the host's verdict, and the time. The audit is append‑only. If a rule was ever too loose, it is visible, and can be struck out.

Broker Petition № 0047 · Secretary
the Secretary wishes to address the host, and requests your signature —
“Send a message to Alex saying I’ll be five minutes late.”
tell application "Messages"
  send "I'll be five minutes late." to buddy "+44…0001"
end tell
Always allow imessage.send to target · +44…0001

The Dossier — four leaves, on disk, in plain Markdown

Each agent is a directory. Four files is the whole agent. Edit them in your editor, or let the agent amend its own memory.md. Version the dossier in git; leave the browser profile and the conversation log behind.

No registry, no database. If a template looks useful, copy its directory. If an agent ought to live on another Mac, rsync its dossier.

~/.aricode/desk/agents/<slug>/
Leaf I
soul.md
— the persona

Voice, disposition, rules of engagement. The system prompt, wearing a human face.

Leaf II
instructions.md
— the charter

Scope of work. What the agent is for. What is out of bounds. Read each turn, before all else.

Leaf III
agent.md
— the writ

YAML frontmatter: model, toolsets, allow/deny, idle timeout, cron entries. Body: a plain README, for humans.

Leaf IV
memory.md
— the commonplace book

Rolling notes, curated by the agent itself via the memory.update tool. Loaded whole. Inspect at your leisure.

On the Mac · aricode

the runtime

aricode desk start boots the relay, the broker, the cron scheduler and the agent registry. One process, one foreground. Agents wake on the first word and rest when the conversation falls quiet.

aricode desk doctor reports which pieces are missing or misconfigured: the broker, a reachable relay, a configured model key, the Playwright Chromium install, and the writeability of ~/.aricode/desk/.

On the Phone · aricore · desk tab

the messaging surface

One chat per agent. Tool calls render inline as cards. Petitions block that chat only — the others go on about their business. You are the messaging layer.

Desk only appears when the paired Mac advertises capabilities.desk. A fresh aricode without desk init gives no broken tab.