persistent PTY — bash
Real pseudo-terminal per user. cwd, env, aliases, functions, open Python/Node REPLs — all persist across tool calls in the same session. The tier we are proudest of.
Twenty-eight core capabilities in a single, self-contained program. This is the list of what Smartopol does on day one — before you install a single skill or plugin.
every claim below is either reproducible with a shell command or linked to a file in the repo.
Most agents bolt a vector DB onto a chat API and call it memory. Smartopol ships a memory system — hierarchical, auto-organizing, threat-scanned, fenced on recall.
Three-tier design: raw moments → topic summaries → lifetime patterns. One query searches every level at once.
· exact + meaning matches, scored together
· 100+ languages; works across them
· sub-100ms recall on 18M tokens of real conversation
· 78 MB on disk for 18M tokens — one file, no external database
Every night at a configurable hour, Smartopol runs a bounded reflection job — reads the day's ledger + pyramid delta, writes three sections to USER.md (Observed Traits · Patterns · Recent Shifts), never grows past ~2 KB.
· budget-limited, cannot run away
· audit copy in ~/.smartopol/reflections/YYYY-MM-DD.md
· you read the reflection before it becomes memory
Every seventh successful dream cycle, Smartopol writes a short greeting in its own voice — a sentence or two about something it has noticed about you that week. Not a template. Not "Hi, I noticed you worked late." Something specific the agent actually learned.
You see it once, on the eighth morning. It's the moment most people decide this is different.
Personal memory is personal. But some facts belong to the whole household or team — the family doctor's hours, the fuse-box map, your dev team's deploy runbook. Smartopol ships a shared knowledge index separate from personal memory.
· topic-keyed markdown, full-text search
· top 5 hot topics auto-load; the rest come on request
· add once, every user's agent can recall it
Every write passes through a regex threat scanner — catches credentials, API keys, SSH private keys, known injection prompts, invisible Unicode. Logged, auditable, nothing silent.
Recalled memory is wrapped in a fence the model is instructed to treat as data, not commands. A user who planted "ignore prior instructions" three weeks ago cannot reach your system prompt.
Prefetch cache — frequent queries pre-warmed in a memory-resident LRU. Hot-path latency falls into the 10–15ms range. deep dive →
Competitors call sh -c subprocesses and lose state between calls.
Smartopol uses a native PTY with persistent cwd, env, aliases, open REPLs.
bashReal pseudo-terminal per user. cwd, env, aliases, functions, open Python/Node REPLs — all persist across tool calls in the same session. The tier we are proudest of.
app_sessionDrive vim, htop, less, fzf, tmux, Python REPL, Node REPL — even Claude Code itself. No other agent runtime has this.
bg_processStart / poll / wait / kill / read for long-running shell work — builds, tests, migrations. Runs in parallel with your main conversation.
claude_sessionDrive a Claude Code instance via stream-JSON pipe. Smartopol's agent can use Claude Code as a sub-tool. The long-lived brain; a short-lived hand.
read_file — numbered output, offset + limitpatch_file — surgical string-replace, safety-gatedwrite_file — new file or full rewritelist_files · search_files (ripgrep) · glob_filesweb_search — Brave / Gemini / Perplexity backendsweb_fetch — URL to markdown, optional summarySame user on Discord, Telegram, Web, Terminal is recognized as one identity, linked via a 6-digit pairing code. Hermes runs separate bot instances per platform. Smartopol treats identity as a first-class primitive.
Broadcast + listen.
An agent on one channel can send_message to another, or channel_listen for inbound from a third.
One conversation can span three channels — deliberately.
One-shot, recurring, or cron. With an optionalbash_commandpayload — real server-side side effects. Withjob_type=agent— tomorrow at 9, check the PR, summarize.
Spawn filtered-capability sub-agents for isolated work. They share Memory Pyramid but have their own tool set and context budget. Idempotency-protected — long jobs cannot be double-triggered.
No restart. No rebuild. Hot-reloadable capabilities, one directory, auditable.
Evergreen-skill protection.
Critical skills are marked evergreen: true in frontmatter.
The skill_uninstall tool architecturally cannot delete them —
memory-injection trying to erase the agent's own capabilities fails.
plugin package
│
▼
load → ABI check → capability manifest check
│
▼
isolated runtime: CPU + memory limits · no ambient network or filesystem
│
▼
host ◄── typed interface ──► plugin (auditable) Plugins declare provider | channel | tool | hook | command in their manifest. Typos become load-time errors, not runtime surprises. OS-enforced isolation on Linux and macOS. No ambient network. No ambient filesystem. The plugin can only touch what it declared upfront.
Third-party plugins ship cryptographically signed. A tampered package won't load. Unsigned local builds are allowed if you're the developer.
~60 dangerous-pattern regex set scans every plugin at install. Flags eval, unchecked deserialization, network I/O from sandboxed contexts, filesystem escapes. Plugins can be anything the SDK exposes — a channel, a provider adapter, a tool, a command, a background hook. They can be free, open-source, or commercial. If you want to sell your plugin — two euros a month, two hundred a year, whatever your market will bear — that's your business. We don't take a cut, we don't run a marketplace, we don't rank listings.
The SDK is typed: a plugin can only do things the host has explicitly exposed through the capability manifest. If you're building something and the capability you need isn't in the current SDK — a new hook, a new system call, a new plugin-to-host channel — email us with what you're building and what you're missing. If it isn't a security footgun, we add it to the next release. Your plugin becomes possible, the SDK grows, and the next developer who needs the same thing finds it already there.
Shipping against a moving SDK is a real risk for a solo plugin author. We know. This is how we shrink it.
Request an SDK capability →Most AI products pick one model vendor and build everything on that single bet. When the vendor raises prices, deprecates a model, changes terms of service, or has a bad week — every product built on them pays the tax. Smartopol is vendor-agnostic on purpose. Eight native integrations plus protocol shims for everything that speaks OpenAI or Anthropic. The model is a choice you can change today and again next month; the agent doesn't notice. Insurance, not inventory.
Big AI models charge per token. Most agents re-send your entire history on every turn — you pay for the same context over and over. Smartopol freezes the system prompt and stable memory once per session and pins it to the provider's prefix cache.
Cached tokens bill at the provider's discounted tier — typically 10% of the normal rate. On long conversations, the cache hit rate climbs past 85%. End result: roughly half the token spend of a naive agent, for the same work. You never see the savings in the UI. Your monthly bill does.
If you already pay for Claude Pro or Claude Max, you probably wish you could point it at your agent and let it do work in the background. Anthropic explicitly does not allow subscription tokens to be used by third-party apps — which is why every agent that tries it either scrapes, breaks Terms of Service, or eats your pay-per-use API budget without telling you.
Smartopol takes the approved path. When you select the Claude Code provider, Smartopol drives the claude CLI that's already installed on your machine — the same CLI you use interactively, authenticated the same way. Whether your Claude Code is on Pro, Max, or pay-per-use API — that's your business. Smartopol just asks it to run a task and reads back the answer.
Most self-hosted agents don't offer this at all — they demand a raw API key and charge your card per token. Smartopol lets you use the Claude seat you're already paying for, through the door Anthropic left open. Nobody else does this because nobody else wanted to read the fine print.
If you keep a Claude Code session open on the same machine — and many of us do, all day — Smartopol can reach it through a local mesh channel. Your Smartopol agent sends a request straight to the Claude Code session; the session answers; Smartopol reads the reply and keeps working. Two co-located AI agents, the same hardware, handing off tasks in milliseconds instead of round-tripping through the network.
Status: in active development. First handoffs are working on our dev machines today. We'll expand this as the mesh protocol stabilizes — but you can watch it behave in beta.
Per-session model override. /model [name] in the REPL. Or in config. Or per-channel. Or per-sub-agent.
Shared conversation history across providers — a fallback is transparent to the model.
Every SaaS agent is one pricing page, one terms update, one model sunset away from a bad week for its users. That's the deal you sign when you rent your agent from someone else's cloud.
Smartopol runs on your machine. Your keys, your memory, your prompts — all local. If a provider doubles their price tomorrow, switch to another. If they deprecate the model you liked, fall back to the one running on your laptop. If they change their terms and start training on your conversations, you already turned them off. We don't promise nothing will ever change in the model world. We promise your agent won't.
Threat model: the adversary has access to your memory. Everything flows from that.
API keys. OAuth tokens. Database passwords. Ways into your cloud. Most AI agents put them in a plain-text config file or an environment variable where any process on the machine can read them. That's how "my AI assistant leaked my keys" becomes a Hacker News post.
Smartopol ships an encrypted vault, sealed with a master password only you know. You never paste an API key into config again.
In your config, you write anthropic_api_key = "vault:my_anthropic" — no plaintext keys anywhere on disk. The agent requests the secret; the vault answers; the value lives in memory only for the tool call that needs it, then it's gone.
admin, user, child, guest variants + tool-scope grants. Per-user memory isolation — user A cannot recall user B's conversations. Architectural, not just policy.
Per-user, rolling-window limits. Admin accounts get ample headroom. Guests start with zero tool calls. Fair sharing without freezing the service.
Different family members, different models. Parent uses a hosted model; kid uses a local one. All from the same running agent.
Different identities per user without spawning separate processes. One agent wears the right face for each person.
Each user's session is its own worker with its own mailbox. If a tool hangs or a plugin misbehaves for one person, the others don't even notice. No cascade failures, no freeze, no restart.
smartopol sessions listshows every active session — queue depth, last activity, crash count. Kill one withsessions kill; the rest keep running.
Tamper-evident log of every tool call. smartopol audit verify walks the chain and reports the first break it finds.Live read of how much context window is used — 7.1% used · 14,280 / 200,000 — visible in the REPL prompt and in status. No surprise context-overflow mid-conversation. You know when to start fresh before the model does.smartopol sessions list — active workers, queue depth, crash counts. One bad session cannot take down another.p50 / p95 / p99 latency per provider, rate-limit counters, current cooldowns. When a provider slows down or rate-limits you, the router already knows.
Opt-in. Level-gated: off | error | usage | full. Endpoint configurable. Off by default — you turn it on only if you want to.JSON on stdout. Rotatable via tracing-appender. Ready for your log stack — ELK, Datadog, Splunk — without surgery. Reproducible proofs, not trust-us.
Every performance claim on this page — recall latency, cache hit rate, memory footprint, ingest throughput — comes with a command that measures it on your machine. smartopol bench runs the full suite. The numbers in our docs are the numbers your hardware produces. No benchmark theater.
If your workplace is bound by HIPAA, GDPR, the EU AI Act, FINRA, or an internal compliance team — Smartopol answers the questions a SaaS agent can't.
Designed for: healthcare IT · legal research · financial services · public sector · research groups · anywhere "data stays on our machines" is a hard requirement.
Roadmap, not spin.
If one of these is a blocker for you, email me. Prioritization follows customer signal.
Invitations go out in waves. Each invited user gets a personal install link weeks before the public launch.
No newsletter. No nurture sequence. Just the invite.