Local-first · Open source · v0.1

The autonomous agent
that can't go rogue.

ULTRON runs on your machine, not someone else's cloud. It reads, plans, and proposes — but every trade, deploy, file write, and API call waits for a single human keystroke: Y or N.

Start free trial → See live demo
100%
Side-effects gated
30/30
Attack tests passing
21
Tools registered
0
OpenAI keys required

How it works

Two tiers. One gate. An immutable hash-chained audit log behind every decision.

01 · PLAN

Decompose the objective

The planner turns your natural-language goal into a DAG of tool calls. Nothing runs yet.

02 · READ

Read-only tools auto-run

Filesystem reads, web search, code-index queries, market quotes, Drive search — all run in-process with no approval.

03 · PROPOSE

Side-effects queue a Proposal

Every write, trade, deploy, or mutating API call pauses and emits a typed Proposal — intent, exact command, rollback plan, risk 1–5.

04 · APPROVE

You decide with Y or N

Approve from CLI, HUD, or API. The gate re-checks the kill switch, runs the tool, and hashes the result into the audit chain.

Live Command Deck

This is the real HUD, running in demo mode with three queued proposals across risk levels. Click APPROVE or DENY to see the gate in action.

ultron://command-deck · demo

Demo mode seeds fake proposals — no real tools fire. For the live daemon, install the repo and run python3 -m core.api.

The five invariants

ULTRON will never do any of these without an explicit APPROVE. Breaking one requires breaking the gate and the hash-chained audit log at the same time, and the kill switch still refuses to clear without its signed token.

Execute a tradeExchange orders are always risk 5. Always gated. Always logged.
Modify a fileEvery file_write and git push passes through the gate with a rollback plan.
Deploy codeShell and CI-adjacent tools are denylisted by default. You approve each ship.
Call a side-effect APIcurl/wget POST/PUT/DELETE mutations auto-classify as risk 3+ and queue a proposal.
Access beyond scopeEvery integration declares a ConsentScope. Out-of-scope reads are refused at the memory layer.

Pricing

Local-first means the engine itself is free forever. Paid plans add hosted integrations, team collaboration, and managed cloud fallbacks.

Local

Self-host

$0 /forever
Run it on your own Mac. No account needed.
  • All 21 tools + all 5 integrations
  • Ollama / Anthropic / Perplexity adapters
  • Full audit chain + kill switch
  • 30 adversarial tests
  • MIT license, fork freely
Clone on GitHub →
Most popular

Pro

$19 /mo
Hosted daemon + web HUD + cloud LLM fallback.
  • Everything in Self-host
  • Hosted API daemon (Railway-backed)
  • Managed Anthropic + Perplexity keys
  • Cloud-synced audit log backup
  • Priority support + invariant bounty
Start 14-day free trial
For teams

Team

$99 /mo
Multiple approvers, shared personas, SAML-ready.
  • Everything in Pro
  • Up to 10 operators
  • Shared personas + role-based approvers
  • Centralized audit across operators
  • SSO + SAML (on request)
Contact sales →

Start your 14-day trial

Drop your email. We'll send a signed trial token for the hosted Pro daemon. No card until day 14.

✓ You're on the list. Check your inbox.

Stored locally until a hosted form is wired. No data leaves your browser in this preview.