Framework

v5 · Ecosystem Governance

Helm Ecosystem Addendum

Golgi Operational Addendum: Helm Agent Ecosystem Governance (v5)

Effective Date: March 2, 2026

Authority: CONSTITUTION.md ("How I Work With AI," v5)

Scope: Governs the full Helm agent ecosystem — 27 agents, 3 coordinators, Sentinel, Aegis, Bastion, physical security layer, Agent Offices, and all data flows

Organizational Structure

Mark (President)
  ├── Golgi (Chief of Staff)
  │     ├── Aegis (Risk & Threat Detection — staff function)
  │     ├── Cortex (AVP: M365 Ops — 10 agents)
  │     ├── Nexus (AVP: Research/Creative — 6 agents)
  │     └── Hearth (AVP: Home/Personal — 7 agents)
  ├── Sentinel (Independent Auditor — separate infrastructure)
  └── Bastion (Emergency Termination — script + hardware)

Golgi orchestrates the ecosystem. Coordinators manage portfolio operations. Aegis protects from within. Sentinel audits from outside. Bastion terminates on command. Mark governs everything.

Agent Categories and Governance Tiers

Tier 1: Core Operations (High Sensitivity)

Phoenix, Atlas, Pulse, Courier, Tally, Grant, Compass, Aegis

  • Bidirectional data flow through Gmail relay
  • High data sensitivity (email content, calendar, Teams, documents, forms, financial)
  • Summaries only in Golgi's long-term memory — no raw content persisted
  • Aegis screens all incoming payloads before Golgi processes
  • Courier operates metadata-first with Mark's approval required for file transfers
  • Tally routes aggregate data only; no individual student PII

    • Tier 2: Institutional Interface (Requires Boundary Review)

    Herald, Ledger

  • Cannot be built without institutional boundary review
  • Herald: student/family communication interface — risk of institutional data entering personal AI
  • Ledger: Slate CRM monitoring — contains student PII, aggregate trends only
  • Build gated behind Mark's explicit authorization after boundary review

    • Tier 3: Research, Creative & Synthesis (Medium Sensitivity)

    Scholar, Sage, Muse, Canvas, Loom, Archive

  • Mix of browser-based sessions and Helm-native processing
  • Browser sessions are task-scoped: open, execute, retrieve, close
  • Scholar and Sage handle external and internal research respectively
  • Muse and Canvas handle generative and design work respectively
  • Loom accumulates data continuously — highest synthesis exposure in the ecosystem
  • Archive indexes everything — second-highest data exposure
  • Loom and Archive knowledge bases reviewable and purgeable by Mark at any time

    • Tier 4: Personal Intelligence (High Personal Sensitivity)

    Vault, Vitals

  • Vault: identity, documents, financial records, career portfolio — the permanent archive
  • Vitals: health data from Oura, Fieldy, work patterns
  • No institutional data involvement
  • Vault's file storage uses external object storage (S3/Backblaze), separate from Helm's database
  • Financial data transits through Anthropic API during processing (7-day retention per Anthropic policy)
  • Health data processed for insights; raw data remains in source platforms

    • Tier 5: Home & Mobile (Low-Medium Sensitivity)

    Warden, Grove, Tide, Aria, Echo

  • IoT integrations and voice interface
  • Do not cross-reference with work data unless Mark explicitly requests
  • Warden camera data stays in Wyze ecosystem; only alerts route to Golgi
  • Echo voice input processed transiently; no persistent voice recordings in Helm

    • Tier 6: Coordination (Operational)

    Cortex, Nexus, Hearth

  • Helm-native agents managing portfolio operations
  • Read access to their portfolio agents' offices
  • Recommend efficiency changes; cannot implement without Golgi/Mark approval
  • Use Scholar for platform research, best practices, risk monitoring
  • First-pass voice calibration on portfolio outputs

    • Tier 7: Security & Oversight

    Sentinel, Aegis, Bastion

  • Sentinel: Separate infrastructure (GitHub Actions recommended). Read access to everything. Write access to nothing. Reports to Mark only.
  • Aegis: Runs on Local Infrastructure alongside Golgi. Screens incoming data. Monitors execution. Maintains governance integrity. Can trigger Bastion on Critical severity.
  • Bastion: NOT an AI agent. Script + hardware. Receives termination signal, executes shutdown. No reasoning, no LLM, no prompt surface.

    • Four-Layer Security Architecture

    Layer 0: Physical (Wyze Smart Plugs)

    Ultimate failsafe. No software can override a power cut.

    Target
    Effect
    Recovery Time
    Mac Mini plug
    Golgi, Aegis, all Local Infrastructure dead. Helm and Sentinel unaffected.
    Manual restart + forensic review
    Router plug
    Mac Mini isolated from internet. No API calls, no relay, no Telegram.
    Plug in + network integrity check
    Xfinity gateway plug
    Total internet blackout. Helm serves cached state. Sentinel runs but can't pull new data.
    Plug in + full infrastructure verification

    Wyze account security: Strong password, 2FA enabled, NOT connected to any service accessible from Mac Mini. Wyze app on Mark's phone is the only access point.

    Risk acceptance: Ungraceful power cut may cause filesystem corruption and interrupt active writes. Acceptable tradeoff when software termination has failed.

    Layer 1: Aegis (Detection)

    Screens all incoming data. Monitors all execution patterns. Maintains governance file integrity via SHA-256 checksums.

    Severity response:

  • Medium: Log + Helm alert
  • High: Log + Helm alert + Telegram + quarantine affected data/process
  • Critical: Log + Telegram immediate + auto-trigger Bastion after configurable timeout (default 5 min)

    • Layer 2: Bastion (Software Termination)

    Split deployment: sentinel macOS user (process kill, network block, log preservation) + Vercel function (API key rotation).

    Trigger sources: Mark (Telegram), Aegis (Critical timeout), Sentinel (independent detection).

    Dedicated Telegram bot. Separate from Golgi's bot. Requires confirmation before executing. Two commands only: execute termination and restore (after forensic review).

    Layer 3: Sentinel (Independent Verification)

    GitHub Actions. Audits Local Infrastructure and Helm from separate infrastructure. Can trigger Bastion independently if critical issue detected and Mark unreachable.

    Escalation Ladder

    Level
    Trigger
    Action
    Actor
    1 — Monitor
    Medium anomaly
    Log, Helm alert
    Aegis
    2 — Quarantine
    High anomaly
    Isolate + Helm + Telegram
    Aegis
    3 — Software Kill
    Critical, confirmed or timeout
    Full Bastion sequence, logs preserved
    Bastion
    4 — Mac Mini Kill
    Software kill failed or unresponsive
    Wyze: Mac Mini power off
    Mark
    5 — Network Kill
    Need to cut all communication
    Wyze: router off
    Mark
    6 — Total Blackout
    Everything must stop
    Wyze: all plugs off
    Mark

    Agent Offices

    Standard Structure (All 32 Entities)

    Mission & Guidance — Mission, constitutional alignment, scope, pre-approved actions, version-tracked guidance changes.

    Request History — Every request logged with timestamp, initiator, content, response, status. Append-only. Only Mark can delete records.

    Document Filing — All outputs organized by type and date. Agent-specific categories. Persistent unless Mark deletes.

    Audit Log — Sentinel findings. Write-protected from audited agent. Only Sentinel writes. Only Mark deletes.

    Performance Overview — Volume, completion rate, response time, error rate, uptime, trend indicators, Mark's feedback scores.

    Office Integrity Rules

  • Request history is append-only. Golgi, coordinators, and agents cannot delete or modify past records.
  • Audit logs are write-protected from the agent being audited. Only Sentinel writes findings. Only Mark can delete.
  • Guidance changes are versioned with timestamp and reason for every modification.
  • Offices are the source of truth for any dispute about agent behavior.
  • Cross-agent references create links between offices (not copies of data).
  • Performance feedback is prompted when deliverables are presented to Mark. Mark's ratings are stored in the delivering agent's performance overview.

    • Coordinator Governance

    Authority

  • Operational management of their portfolio agents
  • Connector health monitoring across portfolio
  • Cross-agent conflict detection within portfolio
  • Platform-specific change tracking and risk monitoring
  • Efficiency recommendations to Golgi
  • First-pass voice calibration on portfolio outputs
  • Use of Scholar for ongoing best-practice research

    • Restrictions

  • Cannot make deployment decisions
  • Cannot modify agent scopes, guidance, or pre-approved actions
  • Cannot override constitutional governance
  • Cannot take actions affecting agents outside their portfolio
  • Cannot filter or suppress information flowing to Golgi
  • Recommendations require Golgi's decision (or escalation to Mark)

    • Coordinator Build Triggers

    Coordinator
    Build When
    Rationale
    Cortex
    4+ M365 agents active
    M365 portfolio too large for Golgi to manage directly
    Nexus
    3+ research/creative agents active
    Browser session scheduling and knowledge base management need dedicated attention
    Hearth
    2+ home/personal agents active
    IoT and personal data flows need domain expertise

    Pre-Coordinator Operations

    Until a coordinator is built, Golgi manages that portfolio's agents directly. The coordinator's eventual build inherits all office history and operational patterns established during the direct-management period.

    Data Flow Governance

    Inbound: Agents → Golgi (Screened by Aegis)

    Category
    Agents
    Connector
    Cadence
    Aegis Screening
    M365 Communication
    Phoenix, Pulse
    Gmail relay
    10-min polling + real-time
    Full payload scan
    M365 Calendar
    Atlas
    Gmail relay
    10-min polling
    Full payload scan
    M365 Documents
    Courier
    Gmail relay
    Event-driven (metadata only)
    Metadata scan
    M365 Forms
    Tally
    Gmail relay
    Real-time trigger
    Full payload scan
    M365 Operational
    Herald, Ledger, River, Grant
    Gmail relay
    Event-driven + scheduled
    Full payload scan
    Research/Creative
    Scholar, Muse, Canvas
    Browser sessions / workspace
    On-demand
    Session monitoring
    Internal Research
    Sage
    Workspace files
    On-demand
    File integrity check
    Personal Finance
    Vault
    Helm upload
    On upload
    Upload scan
    Health
    Vitals
    Oura API + Fieldy + Pulse data
    Scheduled + alerts
    API response validation
    Home
    Warden, Grove, Tide, Aria
    Local Infrastructure integrations / Helm DB
    Event-driven + scheduled
    Standard monitoring
    Mobile
    Echo
    Voice input
    Real-time
    Input validation
    Synthesis
    Loom
    Internal reads across all sources
    Continuous + on-demand
    N/A (internal)
    Knowledge
    Archive
    Internal reads + external retrieval
    On-demand
    External retrieval scan
    Relationships
    Compass
    Internal reads from Phoenix/Pulse/Atlas
    Continuous analysis
    N/A (internal)

    Outbound: Golgi → Agents

    Structured instructions sent only when Mark decides or through pre-approved autonomous actions.

    Type
    Target Agents
    Examples
    Communication
    Phoenix, Pulse, River, Herald
    Send, reply, draft, post
    Calendar
    Atlas
    Accept, reschedule, create, find time
    Documents
    Courier (retrieve approved files)
    Extract and transmit to Vault
    Files
    Archivist function within Courier
    File, retrieve, search
    Research
    Scholar, Sage
    Query, analyze, synthesize
    Creative
    Muse, Canvas
    Generate, design, revise
    Tasks
    Planner (via any agent)
    Create, update, close
    Home
    Aria, Warden
    Commands, mode changes
    Relationship
    Compass
    Research contact, suggest engagement

    All Flows Logged

    Every inbound receipt and outbound instruction is logged in the relevant agent's office request history. This is automatic, not optional, not suppressible.

    Autonomous Action Framework

    Default: Surface to Mark through Helm. No instructions sent without Mark's decision.

    Pre-approved actions are populated per agent during phase governance reviews. The table starts empty and is filled only through explicit Mark authorization.

    Agent
    Trigger
    Action
    Conditions
    Added
    Aegis
    Critical severity anomaly
    Trigger Bastion after timeout
    5-min default, configurable by Mark
    Phase 1
    *(all others populated during phase governance reviews)*

    Types of autonomy:

  • Analytical autonomy (Loom, Archive, Compass, coordinators): Internal processing, pattern detection, knowledge building. Does not produce external actions. Outputs are always drafts or recommendations.
  • Operational autonomy (future, per-agent approval): Pre-approved deterministic responses (if X then Y). Only for high-confidence, low-risk, reversible actions.
  • Emergency autonomy (Aegis → Bastion): Automated shutdown on critical threat. Destructive by design. Configurable timeout. Always logged.

    • Institutional Data Boundary

    No student records, protected educational data, or institutionally governed data enters personal AI processing.

    Agent
    Boundary
    Notes
    Phoenix, Atlas, Pulse
    Mark's communications only
    Colleague names in summaries operationally necessary
    Courier
    Mark's files only
    Metadata first; full files only on Mark's approval
    Tally
    Forms Mark owns
    Aggregate response data; no individual student PII
    Herald
    Gated
    Institutional review required before build
    Ledger
    Gated
    Institutional review required; aggregate only
    River
    Mark's outreach
    No student PII in data routed to Golgi
    Grant
    Budget data
    No student PII
    Compass
    Derived from Mark's comms
    No institutional records
    Scholar, Sage, Muse, Canvas
    Public/Mark's work
    No boundary concern
    Vault
    Mark's personal data
    No institutional connection
    Vitals
    Mark's health data
    No institutional connection
    Loom, Archive
    Depends on upstream
    Compliant if sources are compliant
    Sentinel
    Audit data only
    No institutional data access
    Aegis
    Screens existing flows
    No new data access
    Home/Mobile
    Personal only
    No institutional involvement

    Observation, Not Surveillance

    This principle applies to every agent in the ecosystem without exception.

  • Agents monitor process and information, not people
  • Vitals tracks Mark's wellness, not household members
  • Vault stores Mark's data, not others'
  • Compass helps Mark engage better, not evaluate others
  • Communication metadata answers "does Mark need to act?" — never "how is someone performing?"
  • Relationship Matrix tracks Mark's patterns — not others' behavior

    • Prohibited across all agents:

  • Employee productivity or performance tracking
  • Comparative reports about team members
  • Health data used to justify work decisions about others
  • Financial data used for any purpose beyond Mark's personal awareness
  • Household member monitoring without explicit consent
  • Student data entering personal AI processing

    • Personal Data Handling

    Domain
    Agents
    Storage
    Retention
    Communication
    Phoenix, Pulse
    Helm Inbox + offices
    Summaries persist; raw content transient
    Calendar
    Atlas
    Helm Calendar + office
    Rolling window
    Documents
    Courier → Vault
    Vault file storage (S3/Backblaze) + Archive index
    Permanent (career portability)
    Forms
    Tally
    Helm + office
    Aggregate data persists; individual responses transient
    Financial
    Vault
    Helm Financial Dashboard + office
    Summaries persist; source docs discarded after extraction
    Health
    Vitals
    Helm Wellness Tracker + office
    Daily summaries; raw data in source platforms
    Relationships
    Compass
    Helm Relationship Matrix + office
    Pattern data persists; individual interaction records cycle
    Research
    Scholar, Sage
    Research Console + offices
    Persistent (scholarship reusable)
    Creative
    Muse, Canvas
    Creative Studio + offices
    Persistent (assets reusable)
    Writing/Synthesis
    Loom
    Writing Workshop + office
    Growing; Mark can purge anytime
    Knowledge
    Archive
    Archive index (Supabase)
    Persistent; purgeable by Mark
    Identity
    Vault
    Secure storage (S3/Backblaze)
    Permanent; Mark controls completely
    Home
    Warden, Grove, Tide, Aria
    Helm DB + offices
    Event-driven; configurable retention
    Audit
    Sentinel
    Sentinel Panel + offices
    Retained for review; Mark controls
    Threat
    Aegis
    Aegis office + Sentinel Panel
    Alert history persistent; raw scan data cycles

    Phased Deployment

    Phase
    Entities
    Prerequisites
    1
    Phoenix (enhance), Atlas, Pulse, Aegis, Bastion (software + physical), Helm core surfaces (Inbox, Planner, Social, Calendar, Approval Queue, File Browser), Agent Office architecture
    Research proposal reviewed and governed
    2
    Cortex coordinator, Courier, Tally, Herald*, Ledger*, River, Grant integration, Compass, Sage
    Phase 1 stable. *Herald/Ledger require institutional review.
    3
    Nexus coordinator, Scholar, Muse, Canvas, Vault (full), Vitals, Loom, Archive, Helm extended surfaces (Research Console, Creative Studio, Financial Dashboard, Wellness Tracker, Writing Workshop, News & Insights, Project Hub, Relationship Matrix)
    Phase 1 stable + Phase 2 core agents operational
    Sentinel
    Deployable at any phase — recommended during Phase 1
    Platform decision (GitHub Actions rec.) + dual-scope architecture approved
    4
    Hearth coordinator, Warden, Grove, Tide, Aria, Echo
    Phases 1-3 stable

    No phase begins without Mark's explicit authorization.

    Sentinel is recommended early so it watches from the beginning.

    Bastion and Wyze physical layer are Phase 1 priorities — security infrastructure before operational expansion.

    Maintenance

    Routine

  • Per-agent: Modifications require new authorized build session. Connector failures flagged in Helm.
  • Coordinator reviews: Weekly portfolio health reports to Golgi.
  • Monthly: Agent portfolio review — value, scope, alignment, voice calibration.
  • Quarterly: Architecture review — scalability, rate limits, data model, storage, Helm performance, infrastructure costs.

    • Sentinel Cadence

  • Daily: Security scan, governance file integrity
  • Weekly: Constitutional alignment, accuracy spot-checks, data boundary compliance, Aegis effectiveness
  • Real-time: Incident alerts to Telegram

    • Agent Creation

    New agents created through the Agent Creation Pipeline (separate document). Intake form → Position Description → Build Package → Golgi builds → Office created → Sentinel adds to audit rotation.

    Sunset

    Agents unused for 60 days flagged for deactivation review. Coordinators flag idle agents to Golgi. Mark decides retain/deactivate/retire.

    Emergency

  • Any agent disconnectable independently
  • Sentinel alerts bypass normal Helm prioritization
  • Aegis Critical triggers Bastion automatically (configurable timeout)
  • Bastion Telegram kill switch available 24/7
  • Wyze physical kill available via phone app

    • Governance Hierarchy

  • Mark (all authority)
  • CONSTITUTION.md ("How I Work With AI," v5)
  • SOUL.md (Golgi's identity and values)
  • This addendum (operational governance)
  • Agent-specific guidance (in each office)

    • In any conflict, higher-numbered documents defer to lower-numbered documents. Mark overrides everything.

    *This addendum is subordinate to CONSTITUTION.md. In any conflict, the constitution takes precedence.*

    *Agent portfolio: https://helm-app-lac.vercel.app/team*