AriCore started as two ideas in one app: run a local model on your phone, or ride along with the one already running on your Mac. Solo and Linked. With v0.2 — currently in review with Apple — we're adding a third: Desk.
Desk is a different kind of agent. Linked is about remote control: you see what the desktop's coding agent is doing and nudge it. Desk is about delegation: named personal agents that live on your desktop, each with their own persona, toolset, memory, and schedule, that you message the way you'd message a person.
Heads up. Desk is a preview. The runtime — Aridesk — is under active development. The phone-side UI ships in AriCore v0.2, and the Desk tab only appears when the paired desktop advertises the capability. If you update the app but your desktop hasn't run aricode desk init, nothing changes.
What Desk is
Open the new tab and you get a list of agents. Tap one and you get a messaging surface — user bubbles going out, agent responses streaming in, tool calls folded inline as cards, approval prompts blocking at the bottom when the agent wants to do something sensitive.
Each agent has:
- A soul. A markdown persona file that defines who the agent is and how it talks. Swap it like you'd swap a system prompt.
- Instructions. Task scope — what it's supposed to be working on. Kept separate from persona so one can change without the other.
- A toolset. Browser, terminal, files, web search, AppleScript bridge, or a custom subset. Per-agent allow/deny lists so the inbox agent can't touch your code and the research agent can't send iMessages.
- Memory. Per-agent FTS5-indexed memory the agent can write, search, and forget. Not embeddings — just full-text search over facts it has decided are worth keeping.
- Skills. Reusable markdown procedures with YAML frontmatter. The agent invokes them by name the way you'd invoke a function.
- Schedules. Five-field cron entries. The research agent wakes up at 8 AM, does its pass, pings you on your phone when it's done.
The approval flow
Personal agents are only useful if you can trust them to do work without you watching. Useful, but scary — which is why every sensitive tool call on Desk passes through a three-tier gate before it fires.
First, the workspace pin: shell, file, and browser calls are rooted at the agent's workspace/ directory; resolve a path above it and the call is refused before it reaches the FS. Second, the exec policy: each shell command is classified as auto (safe reads — ls, git status, ripgrep), gate (asks once, can be remembered), or deny (foot-guns — sudo, rm -rf, curl | bash — never run). Third, the approval broker: anything outside the pin, plus every AppleScript call, stalls on the desktop or your phone with the verbatim script and a description.
You see what the agent wants to do, in plain text, and you tap Approve or Deny. There's an "always allow for this kind of call, this target" checkbox that writes a scoped rule — so the second iMessage to the same number just goes through. Rules are stored locally on the desktop, and every approval (granted, denied, auto-whitelisted, timed-out) is logged with a timestamp and decision source. You can audit what was run, revoke individual rules, and clear them all to re-prompt every call.
What actually shipped in v0.2
The Desk tab is the headline, but v0.2 is also a maturity release for the features feeding into it. Highlights:
- Compaction, manual and automatic. A long-running agent's history grows fast. Tap the pencil-box icon in the top bar to start a fresh context with the same agent — your visible transcript stays, the backend history gets archived and the next turn starts clean. Auto-compaction kicks in once a session gets long enough so you don't have to remember.
- Local notifications. When an agent finishes a reply, asks for approval, or asks you a question, AriCore posts a local notification so you don't have to babysit the chat. Each agent gets its own notification thread so iOS groups them sensibly.
- Reconnect resync. iOS suspends WebSockets when an app backgrounds. Returning to AriCore now fires a resync on the closed→open edge: the agent list refreshes, the open chat re-subscribes, and anything that happened while you were away lands. No more killing the app to see fresh state.
- Tool-call pairing fix. Rehydrating a conversation with mixed assistant-plus-tool history against OpenAI's Chat Completions API now correctly rebuilds the
tool_callson the assistant side. Previous builds occasionally hit a 400 "No tool call found for function" when reopening an old chat against GPT-4.x. - Skills and scheduled tasks on the phone. Both were already in the runtime; v0.2 adds the surfaces to view, create, and manage them from the phone without dropping into the terminal.
- Simplified agent cards. The agents list card now shows
SKILLS — Nas a single pill instead of listing every skill. Cleaner at a glance, still one tap away from detail.
Why no container
Aridesk runs each agent as a host process pinned to its own workspace, not in a container. That's a deliberate choice for a preview: the goal is to make every privileged call visible and declinable from your phone, not to rely on rootfs walls. Containerisation is a real engineering investment — image build, daemon dependency, broker socket lifting, AppleScript reach-around — and we'd rather earn the trust of the gate first, on a runtime that's easy to audit, easy to crash-recover, and trivial to inspect with ls.
The agent gets a real browser (Playwright + Chromium with a per-agent persistent profile), a terminal pinned to its workspace with the exec policy in front of it, a filesystem scoped to that workspace, and a persistent cookie jar — all on the host, all gated. macOS integrations (Mail, Calendar, Messages, Shortcuts, Notes) flow through the same broker as everything else; AppleScript is host-only by nature, and the broker is co-hosted inside Aricode, so there's no socket to lock down and no shared-memory hop to pay. Container-grade sandboxing stays on the long-horizon roadmap; if and when the threat model warrants iron walls, the gate's shape is already right.
The privacy story hasn't changed
Desk frames ride the same encrypted channel the rest of AriCore has always used: X25519 ephemeral key exchange on pairing, ChaCha20-Poly1305 on every frame. The relay sees ciphertext only. No accounts, no analytics, no APNs token collection — local notifications are strictly local, fired on the phone in response to frames you were already receiving.
Provider API keys (for remote LLMs, when you choose to use one) still live in the iOS Keychain with ThisDeviceOnly access. Nothing new has been granted to any third party.
What's next
The preview ships alongside a growing list of deferred items that belong on a proper v1:
- Push notifications (APNs). Local notifications fire when AriCore is foregrounded; backgrounded delivery needs an APNs server we haven't built yet.
- Voice. Both directions — ask a question out loud, hear the reply. Natural fit for Desk's delegation model.
- Agent-to-agent delegation. One agent handing work to another. Requires orchestration beyond a single message loop.
- A bundled LaunchAgent installer so
aricode desk startdoesn't need to sit in a Terminal tab. - Windows and Linux host support. macOS only for v0.2.
How to try it
AriCore v0.2 is in Apple review now. The Desk tab will light up automatically if your paired Mac has run aricode desk init and aricode desk start. On the desktop side, Aridesk ships in the next aricode release — the website's Aridesk page has the detailed positioning for the runtime itself.
If you're already running AriCore v0.1, you don't need to do anything — your Linked and Solo tabs keep working exactly as before. Desk is strictly additive.