Jas — Privacy-first personal AI assistant

The challenge

The AI assistant landscape is dominated by cloud-dependent services that route every conversation, memory, and credential through external servers. Users who want intelligent automation — email drafting, file management, web research, creative generation — are forced to trade privacy for capability.

Jas set out to break that tradeoff: build a personal AI that's genuinely powerful and genuinely private. Everything runs on the user's own hardware. Nothing leaves the device without explicit consent. The result needed to feel like a full-featured AI platform, not a hobbled offline experiment.

What we built

A local-first AI system architected around three pillars: security by default, multi-model intelligence, and real-world tool execution — all wrapped in a cross-platform experience that works on mobile, desktop, and terminal.

Security architecture

Privacy isn't a feature toggle in Jas — it's the foundation. Every layer of the system enforces data sovereignty:

AES-256-GCM encryption applied individually to every database, credential store, and audit entry using purpose-derived keys. Compromising one store reveals nothing about the others.
Local-first daemon running entirely on the user's hardware. No cloud dependency, no telemetry, no external server access to personal data.
Zero-knowledge memory powered by local embeddings that never leave the device. Semantic search across conversation history and context is fully on-device.
Tamper-evident audit trail using cryptographically chained logs. Every decision Jas makes is recorded in a verifiable, append-only ledger visible to the user at all times.

Multi-model orchestration

Rather than depending on a single AI model, Jas orchestrates multiple models — each scoped to its strengths and operating within strict trust boundaries. The pipeline follows three stages:

Understand — The user's request is parsed, sanitized, and wrapped in a secure envelope. Relevant context from memory and active projects is assembled with minimal data exposure.
Plan — A primary orchestrator decomposes the task into a dependency graph of subtasks, tagging each with required approval levels and the optimal model for execution.
Execute — Specialized workers carry out each subtask within strict capability ceilings. Results are validated before surfacing to the user. Nothing runs unchecked.

This architecture delivers smarter plans, safer execution, and results the user can actually verify.

Approval-gated tool system

Jas doesn't just converse — it acts. A growing set of real-world tools lets it interact with the user's filesystem, browser, inbox, and system shell. Every action is gated behind explicit user consent:

Web intelligence — Full browser sessions for navigation, search, extraction, and interaction with live websites.
Communications — Draft, review, and send messages on the user's behalf across multiple providers. Nothing leaves the outbox unreviewed.
File operations — Read, write, organize, and manage files with path-level security boundaries enforced by default.
System access — Command execution in isolated, resource-limited environments with full namespace and process isolation.
Creative generation — Visual asset production through connected generation models, with every output logged and every prompt traceable.
Learnable skills — A procedural skill system that lets Jas adapt to the user's workflows and grow over time.

Cross-platform delivery

Jas delivers the same intelligence, memory, and security posture across three interfaces:

Mobile — Voice input, real-time task updates, and full approval control on the go.
Desktop — A native application for deep work sessions with side-by-side conversations, workstream dashboards, and rich task visualization.
Terminal — Full CLI access with rich formatting, inline approvals, and scriptable task submission for power users.

The interface changes; the underlying mind doesn't. Conversations, memory, and context sync across all surfaces.

Design and identity

The visual language is dark, minimal, and confident — a near-black palette with sharp typographic hierarchy and generous whitespace. Numbered section markers and italic emphasis create a rhythm that feels editorial rather than corporate. The overall aesthetic communicates security and precision without feeling cold, reinforcing the product's core promise: intelligence that amplifies you, not surveils you.

The challenge

Security architecture

Privacy isn't a feature toggle in Jas — it's the foundation. Every layer of the system enforces data sovereignty:

AES-256-GCM encryption applied individually to every database, credential store, and audit entry using purpose-derived keys. Compromising one store reveals nothing about the others.

Local-first daemon running entirely on the user's hardware. No cloud dependency, no telemetry, no external server access to personal data.

Zero-knowledge memory powered by local embeddings that never leave the device. Semantic search across conversation history and context is fully on-device.

Tamper-evident audit trail using cryptographically chained logs. Every decision Jas makes is recorded in a verifiable, append-only ledger visible to the user at all times.

Multi-model orchestration

Rather than depending on a single AI model, Jas orchestrates multiple models — each scoped to its strengths and operating within strict trust boundaries. The pipeline follows three stages:

Understand — The user's request is parsed, sanitized, and wrapped in a secure envelope. Relevant context from memory and active projects is assembled with minimal data exposure.

Plan — A primary orchestrator decomposes the task into a dependency graph of subtasks, tagging each with required approval levels and the optimal model for execution.

Execute — Specialized workers carry out each subtask within strict capability ceilings. Results are validated before surfacing to the user. Nothing runs unchecked.

This architecture delivers smarter plans, safer execution, and results the user can actually verify.

Approval-gated tool system

Web intelligence — Full browser sessions for navigation, search, extraction, and interaction with live websites.

Communications — Draft, review, and send messages on the user's behalf across multiple providers. Nothing leaves the outbox unreviewed.

File operations — Read, write, organize, and manage files with path-level security boundaries enforced by default.

System access — Command execution in isolated, resource-limited environments with full namespace and process isolation.

Creative generation — Visual asset production through connected generation models, with every output logged and every prompt traceable.

Learnable skills — A procedural skill system that lets Jas adapt to the user's workflows and grow over time.

Cross-platform delivery

Jas delivers the same intelligence, memory, and security posture across three interfaces:

Mobile — Voice input, real-time task updates, and full approval control on the go.

Desktop — A native application for deep work sessions with side-by-side conversations, workstream dashboards, and rich task visualization.

Terminal — Full CLI access with rich formatting, inline approvals, and scriptable task submission for power users.

The interface changes; the underlying mind doesn't. Conversations, memory, and context sync across all surfaces.

Design and identity