THE ARKIVIST COMPUTER

A private computer that thinks, talks, and acts — and never leaves your control.

A full agent runtime, voice, live dashboards, and on-VM vision — all inside one hardware-isolated VM, under your own encryption keys and your own model API key. Capability you can hand real work, on infrastructure no one else can touch.

arkivist@your-org · cold boot

  • [ok]ArkiAgent runtimeskills · memory · tools · self-modification
  • [ok]Voice bridgeinbound & outbound calls
  • [ok]Live dashboardsbuilt on demand
  • [ok]Drone visionon-VM detection, no cloud
  • [ok]Hardware isolationyour keys, your machine

One machine. Everything above runs inside it.

THE REFRAME

It's not an assistant. It's a computer.

An assistant answers questions. A computer has a runtime, senses, output surfaces, and memory — and runs your work. The Arkivist Computer reasons with ArkiAgent, hears and speaks over the phone, sees through on-VM vision, renders live dashboards, and remembers across restarts. The difference that matters: it's a whole machine you own, sealed inside a hardware-isolated VM under your keys — not capability rented on shared infrastructure you can't inspect.

What the computer does - A runtime, senses, and output surfaces — in one machine.

Most AI gets bolted onto someone else's infrastructure. The Arkivist Computer is a whole machine you own: it reasons, it speaks, it renders, and it ships artifacts — all inside the isolation boundary.

RUNTIME

It runs

ArkiAgent dispatches work, not prompts. Skills hot-reload from your Nextcloud, memory survives restarts, and the agent can extend its own toolset within guardrails.

See the ArkiAgent runtime →

VOICE

It talks

Inbound and outbound phone calls through a Twilio bridge with Cartesia voice. An operator console lets a human take the line at any time.

DASHBOARDS

It shows

Ask for a view and the agent builds a working, whitelabel dashboard live from your data — real typed widgets, not a screenshot.

See live dashboards →

OUTPUT

It produces

Office documents drafted straight into your Nextcloud, plus durable autonomous task loops that run for hours under hard bounding caps.

Inside the machine - The computer's memory and senses — wired on day one.

Every Arkivist Computer ships with the same tools, fully configured and connected. No installs, no wiring, no credentials to distribute. Your team logs in once with WebAuthn and the full machine is there.

your-org.arkivist.io

  • ArkiAgent
    /admin/chat
  • Data Explorer
    /admin/data
  • Code Editor
    /code
  • Files
    /files
  • Secrets
    /secrets

All paths served under your tenant subdomain. WebAuthn session shared across all tools — one login, full stack access.

  • ArkiAgent. Your agent inside the VM. Dispatches work against your data — dashboards, briefs, queries — under your OpenRouter key, on your terms. Arkivist never sees your prompts or outputs.
  • Data Explorer. Native SQL and Cypher workbench with a natural-language AskBar. Ontology-aware, schema-aware, ready on day one — no DBGate, no shared credentials.
  • Code Editor. VS Code with Cline running in your browser. AI-assisted development against your codebase, with MCP tools wired through ArkiAgent.
  • Files. A Nextcloud document library inside your VM. WebDAV sync, full-text search, version history — and where your agent drops every artifact it produces.
  • Secrets. A Vault for API keys, credentials, and OAuth tokens. Encrypted under your LUKS-derived key, never outside your VM.

VERTICAL · DRONE SECURITY

It can watch, too.

Camera feeds, object detection, and recording — all running inside the same isolated VM. Detection happens on-VM on CPU; no frame is sent to a cloud model. A surveillance swarm watches the watchers and emails the owner when something matters.

See the drone vertical →

Security - The more it can do, the more isolation matters.

You are handing a machine real power — to act, to call, to watch. That is only safe because there is no shared infrastructure underneath it. Arkivist removes the shared layer from the equation: there is nothing to breach that reaches another tenant.
  • Cryptographic isolation. Full-disk LUKS encryption per VM. Shamir 2-of-3 key split — one share held by you, anchored on Hedera's public ledger. The platform operator cannot decrypt your data unilaterally. Recovery requires your share.
  • Network segmentation. Each VM runs on a dedicated bridge with a VXLAN overlay and nftables egress allowlist. There is no route between tenants at the network layer — not a firewall rule that could be misconfigured, a physical absence of a path.
  • Identity without passwords. WebAuthn + FIDO2 for humans. mTLS with SPIFFE SVIDs for every service. No passwords, no static API keys, no shared secrets anywhere in the stack. Every identity is cryptographic and short-lived.
  • Compliance trail built in. Every write, query, and configuration change is dual-written to your local audit log and the Mothership compliance ledger. You arrive at a security review with a complete, tamper-evident record — not a promise to produce one.

Build vs. Buy - You could build this. Here's what that actually looks like.

We did. It took longer than we expected, and the list below is why.
  • Isolated tenant VM provisioning and lifecycle management
  • Per-tenant LUKS key generation and Shamir 2-of-3 escrow
  • VXLAN overlay networking and per-tenant nftables rules
  • SPIFFE/SPIRE deployment and SVID rotation
  • step-ca PKI with offline root
  • Bastion fleet management across providers
  • WebAuthn single sign-on across every tool
  • Compliance dual-write with tamper-evident audit trail
  • An agent runtime — skills, persistent memory, self-modification loop
  • A voice bridge — telephony plus streaming text-to-speech
  • On-VM computer vision — an object-detection pipeline on CPU
  • A live dashboard canvas that composes typed widgets on demand
  • A durable task-loop engine with hard bounding caps
  • Ongoing security patching across the entire stack

Realistic timeline

12–24 months

of senior engineering time to reach production parity across all of it — before ongoing maintenance, security patching, and compliance updates ever begin.

Every month your team spends on this is another month your customers are still waiting for a real answer. We provisioned all of it so you don't have to.

Configure - Pick your machine. We handle everything else.

Select the resources your team needs. We'll provision a dedicated VM, wire the full machine, and have it running within one business day. No migration project. No integration sprint.

vCPU

RAM

Storage

Pilot

Perfect for evaluating the Arkivist Computer with a small team.

SPECIALIZED TIER

Drone-Security — 6 vCPU · 24 GB · 200 GB

Feeds, on-VM detection, and recording in a near-solo VM.

See the drone vertical →

THE RUNTIME

ArkiAgent is the mind of the machine. It does work, not chat.

Dispatch agents to build dashboards, draft briefs, query your knowledge graph, take a phone call, or run a task loop for hours. Every output is anchored to your Five Pillars ontology and provable through Arkivist. ArkiAgent reasons under your own OpenRouter key — your account, your model, your bill — and nothing leaves your VM except the calls you authorize.

See the computer run your work.

We'll provision a live Arkivist Computer for your org — full machine, your data, your encryption keys. Book a slot and we'll have it ready before the call.

  • A live Arkivist Computer provisioned for your org — ready before your demo call
  • See ArkiAgent run real work: a dashboard, a drafted doc, a query against your data
  • AI under your own OpenRouter key — your account, your model, your bill; Arkivist never sees your prompts
  • One WebAuthn login for your whole team — across every tool on the machine