01 — Why · a live tenant

How a team runs an AI workforce on Arkon.

This is one tenant, ACME, running Arkon in production today — names changed, the operating picture intact. The same four primitives you provision with are the ones holding this fleet together right now.

The 90-second read

ACME installed Arkon to run an AI workforce across three lanes on a seven-host fleet — Delivery (client work), Team (people in training), and Platform (Arkon itself).

Warden, the governing agent on Claude Opus 4.7, is the sole executive of the fleet. It takes the business load so the operator is freed for higher-value work. Five agents under Warden's hand. A direct lane runs alongside. Several new team members each operate a personal agent. Every turn writes a row.

Lane 01

Delivery

Client work — websites, custom retainers, and sprint work, shipped by the governed fleet.

Lane 02

Team

A young AI team in training. New members onboard by provisioning a personal agent they own.

Lane 03

Platform

Arkon itself — ArkonOS, ArkonHelm, the command center, and the runtime that governs the fleet.

Warden takes the business load. The fleet keeps writing rows.

— operating principle

02 — A day on the fleet

Six moments from one Tuesday.

The fleet is easier to read once you've watched it do a day. Every moment names an agent and a real outcome.

04:30cron

Warden writes the morning brief.

A timer fires. Warden pulls last night's results, the activity summary, pending tasks, and fleet health into one brief — landing on the board before the operator's first coffee.

09:15approval

Forge ships a client feature.

A pull request opens against a client repo. Helm catches the agent-run, attaches the PR, and opens an approval gate. The operator taps Approve on a phone. Forge picks the merge back up.

11:20delegation

Lumina drafts research, spliced in line.

Warden delegates “summarise the new model pricing tier.” Lumina reads three sources, drafts a brief, posts it to the team chat, and writes the result back to the queue — spliced into Warden's next reply by 11:24.

13:00scouting

Sentinel flags a vendor change.

An upstream API behaviour shifts. Sentinel notices in its hourly sweep, posts a one-paragraph briefing to the ops channel, and pins the source on the wiki.

16:00gate

Helm catches a budget ceiling.

A worker hits its monthly budget cap. Helm queues the run for review instead of silently killing it. The kill switch is still one tap away — the operator just sees the gate first.

22:00quiet

The fleet is quiet.

Warden's session log keeps writing. The control database backs up to object storage. Tomorrow's morning brief is queued for 04:30. Every turn from today wrote a row.

03 — The four primitives

Every surface here serves one of four.

Provision, govern, observe, kill. The case below maps to these — the full framing lives on the platform page.

Provision

Sixty seconds

Pick a role, type one sentence, the agent is live and drafting its own spec.

Govern

Boundaries by default

Autonomy limits, a monthly budget, and approval gates ship with every agent.

Observe

Every turn a row

Cost, tools, decisions, delegations — queryable from the dashboard or the CLI.

Kill

Five seconds

Stop an agent, a tool, or a whole tenant. Per-scope, reversible, audited.

04 — The AI workforce

Fourteen agents. Four lanes.

EU-OPEN

Routes the operator to agents, prioritises, and synthesises across replies. Owns no execution; never delegates to itself.

Exists so the fleet has a single intake mouth as agents multiply.

Direct lane

not Warden-governed · by design · operator-direct

Mentor

Internal team agent

live

Harness

Claude SDK

Model

Anthropic

Host

Build (G5)

Onboarding support, internal training, and team-side content drafting. Reads the company knowledge base.

Exists so the team lane stays separate from the business fleet.

Archivist

Steward of brand voice

future build

OpenClaw harness · bounded delegate MCP only

Apollo

Personal agent · co-resident

live

Harness

OpenClaw

Model

OpenClaw

Host

TEAM-1

A team member's personal assistant agent. Co-located on TEAM-1 but isolated from Warden. The template for onboarding.

Exists so the team has a DFY pattern to clone for new members.

site-edit-worker

Bounded MCP delegate

bounded

Via

delegate

Caller

Warden only

Scope

patch API

Patches static client-site HTML element-by-element during maintenance jobs. Tokens minted through the bridge.

Exists so client sites get surgical edits without an agent holding a shell.

Models without tools are conversations. Harnesses turn them into work.

— platform vocabulary

05 — The backbone

Seven components carry the platform.

What the operator touches, what the agents touch, and where the shared memory sits. Press play to trace a real message through the fleet, hop by hop.

How the components talk to each other

operator surfaces → executive → harnesses → memory

Two patterns to choose from. Ask Warden shows a question with UKR recall and a reply. Delegate research shows the handoff through Helm and Hermes.

ArkonOS

Observe

os.arkonhq.com · chat PWA

The chat app where the operator talks to the fleet.

A website and phone app with one channel per agent — Warden in one, Lumina in the next, Dunamis in the next. A team chat where every channel is an agent. It also carries task lists, knowledge search, and victory briefings.

In real life

The operator opens ArkonOS at the airport, taps the Warden channel — “what shipped last night?” — and gets three bullets and a Helm link. No terminal, no laptop.

What breaks without it

The fleet has no front door for the human. Chat falls back to SSH and CLI.

PWA · desktop + iPhonechannel-per-agentvoice planned

Arkon

Provision

app.arkonhq.com · command center

The console where you install, govern, and stop the workforce.

ArkonOS is for talking to agents. Arkon is for managing them — spinning up new agents from a catalog, setting budgets and boundaries, watching costs, and hitting the kill switch. This is where the Provision pillar lives.

In real life

The operator taps “Provision new agent,” picks “Researcher,” types one sentence. Sixty seconds later the agent is live, with conservative budget defaults. No terminal was opened.

What breaks without it

No provisioning surface. Operators provision through CLI or scripts only.

role-pack catalogcost ceilingskill-switch surface

Warden Bridge

Govern

ACME-TEAM-1 · long-running runtime

Where Warden's brain lives, full-time.

Warden can't be a fresh thought every time you open a chat. The Bridge is a process that runs around the clock, keeping Warden's memory, identity, and authority to delegate active 24/7. Message Warden in ArkonOS and you reach the Bridge — the same Warden every time.

In real life

11:00 — the operator asks Warden to delegate research to Lumina. 14:00 — they reopen ArkonOS and the result is already waiting, spliced into Warden's next reply. No re-prompting.

What breaks without it

No Warden in chat. The delegation queue keeps draining, but the executive surface goes dark.

Agent SDK · Opus 4.7holds write authoritymints app tokens

ArkonHelm

Govern

helm.arkonhq.com · the board

The board for everything the fleet is doing.

Every ticket, work item, and approval gate across all lanes lives here. It's where the operator approves, rejects, or releases work the fleet has produced — and where the fleet looks before it starts something new.

In real life

Forge ships a PR. Helm catches the agent-run, attaches it, opens a gate, and pings the operator. They tap Approve over coffee. The fleet picks the merge back up.

What breaks without it

No source of truth for what the fleet has done, is doing, or is blocked on.

Issue · WorkItem · AgentRunthree lanesrepo is the cross-check

Hermes Harness

Provision

Nous Hermes Agent · worker shell

The shell that wraps a model and gives it hands.

A raw model can talk, but it can't open a file, send a message, or query a database. A harness is the wrapper that gives the model those abilities. Hermes is the harness six agents run on: Forge, Lumina, Sentinel, Dunamis, Archivist, and every team member's personal agent.

In real life

Warden delegates research to Lumina — a model inside a Hermes harness. The harness adds web-search, file-write, and report-back tools, and the model becomes an actual worker.

What breaks without it

Six agents go silent at once. The fleet collapses to Warden alone.

model-agnosticruns on EU-OPEN + G5systemd-managed

OpenClaw Harness

Provision

v2026.4.2 · DFY personal-agent shell

A second harness, purpose-built for personal agents.

OpenClaw is a second harness — same job, different shape — built for done-for-you personal agents that members own end-to-end. Apollo runs on OpenClaw today; every new team member uses it to stand up their own personal agent.

In real life

A new member opens Arkon and picks the “personal assistant” role-pack. Sixty seconds later an OpenClaw harness wraps their chosen model, and they have their own Apollo — shipping by lunchtime.

What breaks without it

Apollo stops. The onboarding pattern has no template.

2-tier heartbeatfree idle · paid on activityco-resident on TEAM-1

UKR

Observe

Unified Knowledge Repository · memory

The one place agents don't forget.

Agents forget. UKR is the one place that doesn't. Every decision, every entity, every fact Warden needs next Monday lives here. The fleet reads through Warden; Warden alone writes — so canonical memory has a single accountable author.

In real life

Three weeks ago the operator decided “site-edit-worker is the only delegate allowed to touch client HTML.” Today Warden queries UKR, finds the pinned rule, and routes the work correctly the first time.

What breaks without it

Warden re-learns the same decision every Monday morning. Drift goes undetected.

six layers · five verbsmission_control Postgressee tier 06

06 — UKR · the memory

The one place the fleet doesn't forget.

UKR earns its own tier. Every other component is replaceable. This one is the spine — the canonical record the fleet trusts when memory and reality disagree.

Six layers. Five verbs. One writer.

A self-hosted knowledge substrate that consolidates everything the fleet has ever decided. Warden alone writes; the rest of the fleet reads through Warden. Anchored in mission_control Postgres on data-spine-1.

Authoritative source

Raw blobs + metadata catalog

Authority rule

If derived disagrees, canonical wins.

Heartbeat

Daily 22:00 · lint 22:30

Six layers — what UKR remembers

docs

Briefs, plans, deliverables — the things you wrote down.

decisions

Pinned calls Warden made and why. Supersedable.

entities

People, clients, hosts, agents — the proper nouns of the fleet.

facts

Atomic truths attached to entities. Datable. Citable.

events

What happened, when, by whom. The fleet's timeline.

synthesis

Warden's own conclusions across the lower layers. Rebuildable.

Five verbs — how Warden touches UKR

ukr_pin

Mark this as canonical going forward.

ukr_query

Read what UKR already knows.

ukr_supersede

Retire an entry; point it at the newer truth.

ukr_unpin

Demote without deleting. Tombstone stays.

ukr_upsert

Write the row or update it in place.

Authority model — what wins when memory disagrees

Canonical

The source of truth

Immutable, versioned, backed up. What you audit and trust when the rest disagrees.

raw / originals
raw / normalized
catalog metadata

Derived

Rebuildable views

Helpful, not authoritative. If a derived view drifts, blow it away and rebuild from canonical.

vector index (Qdrant)
wiki summaries
retrieval caches

Ephemeral

Agent working state

Live thinking, useful in the moment. Synced back to canonical only when it earns it.

victory brain
auto-memory
session state

If any derived layer disagrees with raw + catalog, canonical wins.

The ingest forge — how something becomes canonical

Six stages. Failed extractions drop to a quarantine lane; secrets are redacted before embedding. Press play to trace a file through.

The ingest forge — how something becomes canonical

source → six stages → canonical

Two paths to choose from. Happy path drives a file end-to-end into UKR. Quarantine shows what happens when extraction fails.

07 — The map

Seven hosts, three continents, one Tailnet.

Each host lists the agents and services that live there. Public IPs serve HTTPS only via Cloudflare; everything else moves over Tailscale.

EU · primary cluster4 hosts

ACME-TEAM-1healthy

EU · 24% disk · 45d up

Warden runtime + Bridge, observability, automation. Runs Warden and Apollo.

ACME-EU-OPENhealthy

EU · 33% disk · 43d up

Worker pool, ArkonOS, ChromaDB, OpenClaw gateway. Runs Lumina, Sentinel, Dunamis.

data-spine-1watch

EU · 78% disk · tight

The data spine — control Postgres, secrets, docs portal. UKR lives here.

ACME-APP-1healthy

EU · app host

Deployment platform and the fleet app surface. Root key revoked after rotation.

NA · edge1 host

edge-ash-1down

NA · SSH timeout

Edge node, currently unreachable. Static site offline — flagged on Helm, not blocking the fleet.

ZA · operator surface2 hosts

Build host · G5watch

ZA · 88% disk · critical

Content factory and crawl/TTS services. Runs Mentor and Forge.

operator laptopwatch

ZA · intermittent

The operator's own surface — local agent tooling and design work. Comes and goes.

Healthy · 3 hostsWatch · disk or auth pendingDown · 1 NA edge node

08 — Net effect

What the fleet actually adds up to.

The tiers above explain the parts. These four outcomes are what they mean for the team running it.

Outcome 01

The operator freed for higher-value work.

Warden carries the business load through one accountable surface, so the operator spends time where it counts.

Outcome 02

Ops resilience without an IT team.

Seven hosts on Tailscale, daily backups to object storage, and Helm tracking every approval gate — run by one operator.

Outcome 03

New members building real systems.

Five team members provisioning their own personal agents through Arkon. They learn by running an agent they own.

Outcome 04

Five-second kill switch on any agent.

Per-scope, reversible, audited, tested. Governance isn't a document — it's a button, fired before every launch.

Build velocity — the last four weeks

2026-04-30Sentinel absorbs the Scout role

2026-05-06Mentor goes live on the build host

2026-05-21Dunamis ships on EU-OPEN

2026-05-23Forge replaces the earlier coder

nextArchivist build

next5 team personal agents

Glossary

Platform vocabulary.

Agent: A role on a harness on a model on a host. Each agent is one accountable hand.
Bridge: The long-running runtime an agent's brain lives inside, e.g. the Warden Bridge.
Delegate: Hand a task to a specific named agent. Warden is the only delegator inside the governed fleet.
Lane: One of a tenant's separated streams of work — here, Delivery, Team, and Platform.
Harness: The wrapper that gives a raw model tools — Hermes or OpenClaw. Models without one are conversations.
Operator: The human running the AI workforce. Not “admin,” not “user.”
Pillar: One of Arkon's four primitives — Provision, Govern, Observe, Kill.
Role-pack: A pre-configured agent template in the Arkon catalog.
Tenant: An isolated workspace inside Arkon. ACME is one tenant; its lanes live inside it.
UKR: Unified Knowledge Repository. The fleet's shared long-term memory. Warden alone writes.
WAEL: Worker Activity Event Log. Every turn writes a row here.
Warden: The governing agent. Capital W — a role name, not a brand.

Run a fleet like this one.

Join the waitlistDesign partners get the first seats.