Chad reads mail every hour, drafts replies inside a kernel-isolated sandbox, delegates to typed sub-agents under per-binary network policies, and never auto-sends anything you haven't allowlisted. The autonomy roadmap is a config file. The kill switch is a single touch.
Three properties that define the design — every architectural choice traces back to one of them.
Twelve standing cron jobs check mail, sweep the brain nightly, audit the budget weekly, propose memory consolidations on Saturdays, apply narrow self-tunings daily, and — newest — run an autonomous experiment loop nightly that scans memory for tasks worth automating and either keeps or retires them per a regression threshold. Each cron is a one-line wrapper invocation; heavy work happens inside the wrapper, not in the prompt. Three host-side launchd watchdogs supervise the pod from outside (gateway, chat-shim, spawn-poll) so token-expensive supervision moves off the agent.
Seven sub-agent kinds, each pinned to a binary path under an L7 network policy. A reviewer kind is GET-only on GitHub — it can read PR diffs but cannot post. Spawns can route to a kernel-isolated GitHub Actions runner per job for substrates where in-container execution is too coarse.
An auto-actions.json policy file is the visible map of what Chad can do today. auto ships immediately, draft parks for review, block means no. A kill-switch file at .auto-disabled halts everything in one touch.
A naked CLI agent has no blast radius story. Chad runs inside three boundaries — host, container, sandbox — each with a different threat model and a different answer to "what happens if a prompt-injection rewrites the next instruction."
Operator's machine. Holds creds, runs the launcher, hosts the Cloudflare tunnel.
Capability drops at entrypoint. L7 proxy validates every egress. Policy hash-checked at boot.
Each binary is pinned to a network policy. Compromised writer can't reach GitHub. Compromised reviewer can't post.
Kinds tagged substrate: gha spawn into a fresh runner for the job. True per-spawn isolation; loses L7 enforcement.
Each store has a different shape and a different job. They don't compete; they layer. The decision tree for "where does this fact go" is three lines.
SOUL · USER · IDENTITY · AGENTS · TOOLS · MEMORY · HEARTBEAT — char-bounded markdown loaded into every main session. Operator-owned. Never overwritten by automation.
NVIDIA NV-Embed-v1 at 4096 dims. autoCapture fires on multilingual triggers (remember/preferences/decisions/contact). autoRecall injects relevant memories before each turn.
Obsidian-style vault in bridge mode. Page per system / correspondent / recurring topic. Backlinks form a graph. Populates organically as the agent captures structured artifacts.
PGLite-backed; subprocess CLI only (file-locked, single-process). Two books fully ingested for the fitness sub-agent kind. Daily dream cycle consolidates and re-extracts.
A non-exhaustive tour. The full surface lives in the docs.
A weekly Hermes-style curator proposes memory consolidations (draft-only). A weekly budget-audit rolls up last-50-runs telemetry into feedback-proposals.md. A daily chad-proposal-apply applies a narrow safe-list of cron tunings — gated by chad-action-gate, snapshots first.
Sub-agent spawns can target a GitHub Actions runner. Each spawn is a branch in a private state repo carrying prompt + manifest; the runner commits result back. Async mode returns task_id immediately and a poller cron reconciles when the work finishes.
OpenAI-compatible binaries (codex, opencode) auto-pick OpenAI when the key is set, fall back to NVIDIA Nemotron via integrate.api.nvidia.com when it isn't. Claude requires Anthropic; everything else is portable.
Before the curator (or any bulk memory op) mutates anything, lancedb + wiki + workspace get tar.gz snapshots. Last 5 retained. Rollback is itself reversible — it snapshots current state first.
Every external action passes through chad-action-gate. Per-target overrides — operator@example.com: auto, _default: block. Daily counters. Audit log. Touch .auto-disabled to halt everything.
Honor-based budget (the kernel doesn't enforce — that's the inference rate-limiter's job). Every cron has a budget guard; sub-agent spawns reserve before launching. Weekly audit rolls up p95 latency by kind and proposes timeout adjustments.
For tasks where Nemotron's depth runs out, Chad escalates to Claude through chad-premium. The L7 proxy pins both the wrapper *and* the curl invocation, so a compromised Python script can't reach api.anthropic.com. AuthContext is required; cron ticks with no inbound trigger fail closed.
Phase 2 isn't a wishlist — it's a list of intentional defers. k3s-pod substrate, cron DSL, MCP hub, multi-Chad scheduling — each has a "when it'll matter" attached. A few items are out of scope on purpose; github_pr_merge: auto and self_modify_identity: auto are likely permanent.
Chad runs in a sandbox on your hardware. The reference deployment is a Mac M4 Pro with Docker Desktop; any host that runs Linux containers with k3s or Docker works. The chat surface ships with the project — Open WebUI, behind a Cloudflare Tunnel, with Chad exposed as an OpenAI-compat model.
A docker-compose stack under scripts/openwebui/ brings up Open WebUI behind a Cloudflare Tunnel and exposes Chad as a model named chad. Two modes: --mode=quick (ephemeral trycloudflare.com, MVP) and tunnel mode (managed CF Tunnel + Cloudflare Access SSO).
chad-shim.py is ~200 lines of stdlib Python listening on 127.0.0.1:8901. Each chat turn becomes one openclaw agent invocation against Chad's main session — same memory, same action gate, same network policies as a cron or a sub-agent spawn.
npm run webui:chad:install deploys a persistent launchd LaunchAgent with KeepAlive=true. chad-setup, chad-restore-from-github, and chad-backup-to-github each self-heal a crashed shim, so any cron pulse resurrects it.
Chad is glue. The pieces below do the actual work.
A live(-ish) feed of what landed on chad-dev. The full sequence is in the changelog.
Three concentric rings, four memory layers, seven sub-agent kinds, two substrates. It's all documented.