Atlas trust architecture
Deployed configuration · July 2026
System map · production

Three agents. One shared vault. Clear boundaries.

Atlas, AutomationBuilder, and protected context ingestion each own a separate Linux trust domain. Atlas can keep context naturally, while scheduled ingestion stays out of reach of normal users.

3isolated Linux trust domains
12scheduled jobs with explicit owners
5protected direct-context jobs
2authorized vault writers
Trust map

Who can touch what

Profiles organize the work. Linux accounts enforce the boundary. The vault is collaborative, but each scheduler stays private.

Exacticlam operator planeroot SSH · authorized maintenance · rollback
ROOT ONLY
ALINUX · atlas

Atlas Chat

Conversation, context work, and Atlas-owned reporting automations.

profile
atlas
service
hermes-gateway-atlas
model
Codex · gpt-5.6-sol
jobs
3 reporting / follow-up
inbound
Slack enabled
Read and update the context vault
Keep notes during normal conversations
×No protected-ingestion access
ABLINUX · automationbuilder

AutomationBuilder

An independent automation owner for its own approved workflows.

profile
exactius-automations
service
hermes-gateway-exactius-automations
model
Codex · gpt-5.5
jobs
4 squad sweeps
inbound
Slack enabled
Manage AutomationBuilder jobs
×No Atlas profile or jobs
×No context-vault access
CILINUX · atlas-ingest

Protected Ingestion

A non-conversational scheduler for canonical context updates.

profile
atlas-ingestion
service
hermes-gateway-atlas-ingestion
model
API · gpt-5.5
jobs
5 direct-context jobs
inbound
none
Read and update the context vault
Own private jobs, state, scripts, credentials
×No normal-user chat surface
Shared Atlas Context Vault/srv/atlas-context-vault-omaze-de
Atlas · RWAutomationBuilder · noneIngestion · RW
🔒
Vault access is not scheduler access.Atlas can keep context naturally. The five protected jobs remain secure because their cron store, prompts, scripts, state, and credentials live behind a separate Linux UID and private home.
Access matrix

Permissions at a glance

Every workload home is private. None of the three service accounts has sudo or Docker-group access.

Swipe horizontally to compare accounts →
ResourceExacticlam / rootAtlasAutomationBuilderProtected ingestion
Atlas profile & jobsOperatorFullDeniedDenied
AutomationBuilder profile & jobsOperatorDeniedFullDenied
Protected ingestion profile & jobsOperatorDeniedDeniedFull
Shared context vaultOperatorRead / writeDeniedRead / write
Inbound Slack conversationsN/AEnabledEnabledDisabled
System administration / sudoFullNoneNoneNone
Scheduler ownership

Every job has one home

Atlas and AutomationBuilder stay independent. Protected ingestion contains only jobs that directly update canonical context.

Atlas

3
creative-status-update
Reporting09:00 Berlin · weekdays
creative-postmeeting-core
Follow-up30 min · 07–19 UTC
creative-postmeeting-broader
Follow-up30 min · 07–19 UTC

AutomationBuilder

4
lineage-weekly-open-items-board-sweep
AutomationMon · 14:00 UTC
whitestork-weekly-open-items-board-sweep
AutomationMon · 09:00 UTC
circa-weekly-open-items-board-sweep
AutomationMon · 09:00 UTC
forefront-dermatology-weekly-open-items-board-sweep
AutomationMon · 09:00 UTC

Protected ingestion

5
omaze-de-internal-learnings
ContextWed · 17:45 UTC
omaze-de-external-learnings
ContextThu · 16:30 UTC
creative-ops-snapshot
Context4× daily · weekdays
creative-meeting-scan
Context19:00 UTC · weekdays
creative-reference-refresh
ContextMon · 07:00 UTC
Two write paths

Same vault, different authority

Normal collaboration and scheduled ingestion both update context. Only one path owns protected automation machinery.

Normal Atlas interaction

A user asks Atlas to remember, correct, or add approved context.

01
Authorized requestAtlas receives a normal Slack conversation.
02
Inspect shared stateCheck evidence, provenance, and the Git working tree.
03
Write only the requested contextStage explicit files, then commit and push.

Protected scheduled ingestion

Direct-context jobs run without exposing their controls to normal users.

01
Private scheduler firesThe definition lives inside the atlas-ingest home.
02
Scoped source collectionCredentials, cursors, scripts, and prompts stay private.
03
Canonical context updateApproved context artifacts are written to the shared vault.
Guardrails

What keeps the boundary real

🛡️Private Linux homes

Each profile sits behind a separate 0700 home.

🔐No workload sudo

None of the three service accounts can elevate privileges.

⌨️Root-only control plane

Exacticlam operates through SSH and account-specific wrappers.

Clean ownership

Atlas owns 3, AutomationBuilder 4, protected ingestion 5.