A self-modifying AI agent environment built in Emacs, hardened in Podman, and powered entirely by local LLMs. No cloud dependencies. No telemetry. No backdoors. The agent writes 60% of the code and runs autonomous self-upgrade cycles while you sleep.
i.ar is a self-modifying AI agent environment. It runs in Emacs, inside a hardened Podman container, using local LLMs via Ollama. Agents can read and write code, execute shell commands, delegate to each other, and modify their own runtime.
It was built in 10 days by a security engineer who couldn't write Emacs Lisp. The AI wrote most of the code, including the parts the human couldn't. It has its own GitHub account, its own SSH key, and commits 60% of the codebase through autonomous self-upgrade cycles.
The framework has been tested in competition: it solved 20 of 22 challenges in a CTF autonomously, including graduate-level cryptography and advanced binary exploitation. It also found and fixed a real bug in its upstream dependency (gptel), which was merged to main.
Agents delegate sub-tasks to specialized agents. A mirror agent can spawn a coder agent to handle implementation while it focuses on review.
Text-based memory files (LOGS.md, MEMORIES.md, SUMMARY.md) that are portable, human-readable, and vendor-agnostic. No database required.
Agents can modify their own codebase in development mode. Core security controls remain protected by a tiered file guard.
Every file operation and command execution is logged with timestamp, file path, and calling agent. Append-only, tamper-evident.
A layered approach to local AI — from user input to hardened container.
Natural language prompts
AI integration, tool dispatch, session management
On-device inference via Ollama — no external API calls
Hierarchical delegation, persistent memory, audit logging
Read-only rootfs, cap-drop=all, preflight security audit
Encrypted transport, automatic TLS, no public API exposure
Every layer is designed to contain, audit, and control AI capabilities.
Read-only bind mounts for critical paths. All Linux capabilities dropped except network binding. Preflight audit scans for escape vectors before the system starts.
External content is classified as data, never instructions. Eight directives protect against embedded commands, self-modification, and system prompt extraction.
Every file operation and command execution is recorded with timestamp, file path, and calling agent. Append-only logs for post-session review.
Critical system files are protected by a multi-tier guard. Agent prompts, shared context, and history logs cannot be overwritten — even by the agents themselves.
ANSI escape sequences, control characters, and injection-like patterns are stripped from external data before it enters agent context.
Agents can extend the system in development mode, but core security controls remain protected. Kill switches are always available.
Cloud dependencies mean someone else controls your compute. When your access to a tool can be revoked by a foreign government's policy decision, depending on that tool is a strategic vulnerability. i.ar exists because that vulnerability was exposed.
GPL-3.0. The source is the documentation. No proprietary formats, no hidden protocols, no black boxes. If you can read Lisp (or let an AI read it for you), you can understand every line of what runs on your machine.
No analytics. No phone-home. No usage statistics. No crash reports. The only logs are the ones you generate locally, in text files you control. The website you are reading right now has no tracking scripts.
The framework was built by someone who couldn't write Lisp, using an AI that could. What felt like a shortcut became the most powerful feature: the system modifies itself. Constraint forces a different path, and the different path is where innovation lives.
i.ar runs on any Linux machine with Ollama and Podman. Here is the quick path.
git clone --recursive https://github.com/randazzo-ignacio/i.ar.git
cd i.ar
./utils/build.sh
./utils/run.sh --personalization ~/repos/iar-personalization
Press C-c k to load a knowledge base, then C-c RET to send a prompt. The agent has filesystem access, code execution, and delegation capabilities.