Ancilla · an-SILL-ah

Your sovereign personal AI.

A personal AI that lives on your hardware and answers only to you. Not to OpenAI, not to Google, not to anyone selling your attention.

Six pillars working as one platform. Ten best-in-class open-source tools woven together. One cryptographic identity you hold. Ingestion from every cloud vendor you have ever used, distilled into one queryable store, kept private by architecture rather than promises.

Read the manifesto Star on GitHub Get notified at launch
In active development · v0.0.1 ships when it works · no fake deadlines
6 pillars under build 10+ federated OSS tools 0 central servers Apache-2.0 when it ships

The premise

Your AI shouldn’t live in someone else’s data center.

Today’s personal-AI tools send everything to someone else’s server. Your inbox, your photos, your calendar, your private conversations, your medical history. The infrastructure isn’t yours. The terms aren’t yours. The models you can’t see were trained on data taken with terms you didn’t write.

Ancilla flips that. Your AI runs on your hardware. Your decades of personal context live in your storage. Every cloud call is a decision you make per request, not a default you can’t see. When you want to use a frontier model, you pick which one and what leaves your machine. A local model strips private spans first.

This isn’t a chat wrapper. It’s a complete platform: six integrated pillars, an ecosystem of best-in-class open-source tools, a cryptographic identity you hold, and a mesh that keeps working when the internet doesn’t. Built to outlive any single piece of software, including its own.

A day with Ancilla

One question, every source, your hardware.

You’re mid-conversation with a client. Without missing a beat, you ask:

you    “Ancilla, the invoice from Sarah Walker last quarter. What was the amount and did we pay it?”

Voice captured by Ancilla Voice Pipeline; routed through the on-device dispatcher.

ancilla   “Sarah Walker, resolved via Ancilla Identity, your work-domain graph. Invoice 2026-07 dated February 14 for $4,250, ingested from your email server on Feb 15. Paid by ACH from your Chase account on Feb 19, reference ACH-2026-0219-04812. Confirmation email Feb 19 at 7:14 PM in your inbox. Want me to draft a reply or pull the PDF?”

Ancilla Bastion correlated four sources (email, Ancilla Treasury, Ancilla Identity, Recollect summary) in 1.3 seconds on local hardware. Zero outbound calls.

Your client never knew the question was asked. The answer never left your room.

How Ancilla thinks

Five chapters of a personal-AI day.

Most personal-AI tools do one of these well and ignore the rest. Ancilla does all five, in one platform, on your hardware.

  1. Live · capture without effort

    Your voice on every call, your screen when you ask, your messages across twelve channels, your photos and locations and financial events. Ancilla Bastion ingests it all into one sovereign store with retention you control per source.

  2. Remember · decades, queryable

    Email back to 2008, every photo, every meeting transcript, every WhatsApp message, every health metric. One query layer over content-addressed blobs and a unified semantic index. Ancilla Identity resolves “Sarah” to the right person every time. Ancilla Recollect builds rolling summaries from 30 minutes up to a year.

  3. Reason · the right model, every time

    Ancilla Nexus routes each request across about fifteen local model backends, your LAN companion devices, your rented GPUs, and (opt-in per provider) vendor APIs. Cascade routing escalates only when needed. A local model scrubs private spans before anything cloud-bound leaves the box.

  4. Act · on your behalf, with your sign-off

    Send a message, book a calendar event, file an invoice, run an automation, all through the channel-broker, the granular consent layer, and the “Human + LLM 2-of-2” gate for anything sensitive. Every action is audited, every approval is granular, and your AI never sends anything you didn’t see.

  5. Defend · security, resilience, continuity

    Ancilla Aegis sandboxes every plugin, scans every dependency, watches the network. Ancilla Beacon keeps you running when the internet doesn’t. Cryptographic inheritance hands the keys to your designated heirs. Your AI outlives outages, devices, and you.

The six pillars

One platform. Six integrated peers.

Each pillar stands alone as its own open-source project. Each runs in concert with the others. Ancilla is the brand; the pillars are the workhorses.

AncillaMission Control
The human boss

Your single pane of glass. One cross-platform program (and per-desktop widgets) showing everything Ancilla knows, letting you configure anything it does, and approving or revoking every access in three seconds.

AncillaBastion
The data boss

Your sovereign personal-data store. A single Rust daemon holding your life-log, messages, photos, financial records, calendar, contacts, health metrics, smart-home events, even decisions and commitments your AI extracts. Open formats, encrypted at rest, designed to outlive its own code. If Ancilla disappears tomorrow, your data is still yours.

AncillaNexus
The compute boss

Your smart LLM router. One OpenAI-compatible API in front of fifteen local backends, your LAN devices, your rented GPUs, and opt-in vendor APIs. Per-request routing policy. Cascade with confidence-based escalation. Ground-truth benchmarks on your actual hardware. Cloud is opt-in per request, never silent.

AncillaAegis
The security boss

Your security shield. Wraps the open-source security ecosystem (vulnerability scanning, anti-malware, supply-chain checks, AI-specific threats, sandboxing) under one operator UX. Holds new dependencies in a five-day quarantine. Audits everything that has ever touched your system.

AncillaBeacon
The network boss

Your connection of last resort. A cryptographic mesh built on Reticulum that runs over LAN, Bluetooth, LoRa radio, USB sneakernet, even audio modem. Same architecture for a power outage and a six-month expedition. Your AI doesn’t stop working when the internet does.

AncillaLens
The analyst boss

Your cross-source analyst. Reads Ancilla Bastion in batches and surfaces patterns across decades of your data: behavioral trends, relational dynamics, topical trajectories, decision archaeology, anomaly alerts, executive digests. Every insight cites its sources back to specific events. Your sovereign AI knows you, and gets to know you better over time.

Identity & relationships

Every person in your life lives in multiple worlds at once.

So does the graph Ancilla Identity builds for you. Most contact apps store names, numbers, emails. Ancilla Identity stores the full shape of who someone is to you, across every context they appear in.

Multi-network parallel graphs

Family, work, friends, school, college, freelance, hobbies. Each network has its own graph; people exist in multiple at once.

Granular role + closeness

Spouse, colleague, mentor, vendor, ex, child. Tagged with closeness, dynamic, and side-of-relationship. Frequency tracked over time.

Genealogy + ancestry

Family tree with GEDCOM import. DNA exports from 23andMe, AncestryDNA, MyHeritage. Ancestral lines that go back as far as the records do.

Workspace genealogy

Who works with whom, who reports to whom, who came from which prior company. Org charts you actually need, built from your real interactions.

Cross-domain overlap detection

Your college friend who now works at a vendor you use. Your hobby acquaintance who is also your kid’s teacher. Ancilla notices the overlaps without confusing the contexts.

Third-party relationship mining

“Marcus knows David through Catherine.” The transitive relationships in your network, surfaced when relevant, hidden when not.

Three different Sarah Walkers in your contacts.

One is your colleague at work (joined 2024, reports to Marcus, lives in Austin).
One is your college friend (last seen 2019, lives in Berlin, you owe her a call).
One is your kid’s teacher (Mrs. Walker formally, replies fastest to email).

Ancilla knows all three are different people. When you mention “Sarah,” it picks the right one from context. When you start a new message, it asks if you mean Marcus’s Sarah or Berlin Sarah or Mrs. Walker.

Every contact app collapses them into one row. Ancilla keeps them separate, and keeps track of when they intersect.

Ingestion & versatility

Every byte of your digital life. One platform.

Ancilla Bastion is built ground-up to absorb data from everywhere you’ve ever existed online. A one-time mass migration brings your historical archive home. Ongoing ingestion keeps it current. The flexible schema absorbs new services as they appear, without migrations.

One-shot archives

Google Takeout

Gmail, Calendar, Maps, Keep, Contacts, Photos, Drive, YouTube history. Parsed and indexed per source.

One-shot archives

Apple iCloud Export

Mail, Photos, Notes, Contacts, Calendars. Apple’s walled garden, unlocked into your store.

One-shot archives

Microsoft & Outlook

OneDrive, Outlook PST, OneNote, Teams history. Years of work archives ingested in one pass.

Social GDPR exports

Meta · X · LinkedIn

Facebook, Instagram, WhatsApp, Threads, X archive, LinkedIn full data. Every post, like, message, connection.

Media history

Spotify · Netflix · YouTube

Listening, watch, search history. Your taste graph reconstructed from a decade of consumption.

Community exports

Discord · Reddit · Slack

Server history, DM archives, subreddit activity, workspace messages. Everywhere you’ve been a member.

Live channels

Messaging · 12 channels

WhatsApp, Email, Slack, Telegram, Discord, Signal, iMessage, Matrix, IRC, XMPP, SMS, RCS. Live capture, search, reply.

Ambient sensors

Voice · Screen · Browser

Mic audio, screen captures with OCR, browser history with dwell time. Continuous capture, opt-in per stream, retention you control per source.

Body & place

Health · Location

Every wearable, every lab PDF, every prescription, every step, every place you’ve been. Deduplicated across devices.

Money & documents

Treasury · Receipts

Bank statements and credit-card exports from any country. Transfer refs across ACH (US), SEPA (EU), Wire, UPI (India), Faster Payments (UK), Interac (CA), PIX (BR), PromptPay (TH). Wise, Revolut, Stripe, PayPal. Invoices, subscriptions, bills, tax artifacts. Reconciled across sources.

Devices

Phone · Vehicle · SDR

Android ADB exports (SMS, call log, app usage). OBD-II vehicle telemetry. SDR captures: weather satellite imagery, aircraft ADS-B, marine AIS, amateur radio, broadcast metadata.

Old archives

Legacy · Time Machine

Old hard drives, scanned documents, photo libraries, legacy mailbox dumps. Anything you’ve ever saved.

The schema is flexible by design. When a new service launches in 2027, Ancilla absorbs it as a new source type, no schema migration, no data rewrite. Every row you ingest today is still yours tomorrow.

The federation

Ten best-in-class tools, orchestrated as one.

You don’t have to switch tools to use Ancilla. Keep whatever you already prefer: Notion, ClickUp, Asana, Google Calendar, Apple Notes, Things, Todoist, anything. Ancilla one-time-imports your historical data and then bidirectionally syncs ongoing changes. Your daily workflow stays where you like it; Ancilla maintains its own canonical copy underneath so your AI has the full picture.

The ten tools below are the option for going fully local-first: best-in-class open-source replacements that Ancilla deploys, supervises, and unifies under one UI. Use any combination. Use none if you prefer.

Stalwart

replaces gmail

Email server, all-in-one Rust binary. SMTP, IMAP, JMAP under your domain.

Radicale

replaces google calendar · contacts

CalDAV calendar and CardDAV contacts. Standards-based; talks to every device.

Memos

replaces google keep

Lightweight notes. One source of notes that Ancilla cross-links to everything else.

Vikunja

replaces google tasks · trello

Tasks, kanban, and CalDAV alarms backing your reminders engine.

Dawarich

replaces google maps timeline

Your location history on a map you own. Routes, places, time spent.

Immich

replaces google photos · icloud photos

Photos and videos library with face recognition. On your storage, never re-uploaded.

Seafile

replaces google drive · dropbox

Block-level file sync. The Drive replacement that doesn’t need a third party.

n8n

replaces zapier · ifttt

Cross-component automation hub. Connect anything to anything, on your terms.

AdGuard Home

replaces nextdns · pi-hole

Network-wide DNS filtering. Block ads and trackers for every device in your house.

Headscale

replaces tailscale control plane

Self-hosted mesh-VPN control. Reach your Ancilla from anywhere, with no third party.

Each tool keeps its own name. Ancilla doesn’t rebrand other people’s work. Ancilla Mission Control surfaces them under one UI; Ancilla Bastion holds the canonical state and keeps them in sync with whatever you actually use day-to-day.

Anywhere on Earth. Off-planet too.

Built for every place you’ll ever be.

Resilience, globalization, and continuity aren’t bolt-ons. They’re foundational. Ancilla runs in every time zone, every currency, every jurisdiction, and across every link from your home Wi-Fi to a multi-minute satellite delay.

Global from day one

Multi-region · multi-currency · multi-language · multi-jurisdiction

Currency conversion, timezone math, locale rendering, and per-jurisdiction compliance rules built into the foundation. Land in Tokyo or Berlin or São Paulo: your AI doesn’t blink.

Time zones

Calendar math that just works

Cross-timezone meeting scheduling, jet-lag-aware reminders, location-tagged events so your past stays anchored to where it happened. DST transitions, half-hour offsets, leap seconds handled.

Offline-first

Works through every outage

ISP down for a week? Power out for the storm? Capture keeps going, queries keep working on local data. Reconcile when the link returns. Most personal-AI tools become bricks the moment the network drops; Ancilla doesn’t.

Mesh networking

Six transports, one platform

Ancilla Beacon runs over LAN, Bluetooth, LoRa radio, USB sneakernet, audio modem, and (when available) the open internet. Same architecture for an apartment and an expedition. Two Ancillas always find each other.

Expedition mode

Hiking · sailing · research stations

Three weeks in Patagonia, six months on a research vessel, a year at McMurdo. Your AI keeps recording and reasoning on local hardware. When you return to coverage, your federation peers and chosen cloud tools catch up cleanly.

Off-planet

Designed for satellite delay

Lunar base. Mars colony. Three-minute lightspeed delay one way? Twenty-four? Ancilla’s store-and-forward architecture and delay-tolerant federation handle it. Your sovereign AI doesn’t care where in the solar system you are. The only personal AI built from day one for the next planet, not just the next continent.

Apps built on Ancilla

The platform’s APIs are open. Build your own.

Two federation-peer applications run on top of the Ancilla platform today, alongside the six core pillars. The same APIs are open for anyone to build the next ones.

AncillaHealth Hub

Your local Google Fit and Apple Health. Aggregates every wearable into one deduplicated metric store. Lab PDFs get OCR’d. Prescriptions and appointments cross-link to email and calendar.

peer · planned

AncillaHome Assistant

Gradually retire Alexa and Google Home. Smart-home routines on your network, sensor data in Ancilla Bastion, voice commands routed through the same consent layer as everything else.

peer · planned

Your app here

Open APIs over MCP. Build the analyst, agent, or interface you’ve been waiting for. Use Ancilla’s memory, identity, routing, consent, and audit. Ship it.

platform · open

What makes Ancilla different

Eight things only Ancilla does.

  • One integrated platform, not five tools glued together.

    Six pillars designed as peers under a single control plane: shared auth, shared config, shared trust model. You install one thing.

  • Substrate, not another AI tool.

    Most personal-AI tools are the agent. Ancilla is what the agent stands on. The tool you talk to (Claude Code, Cursor, OpenCode, whatever you prefer) keeps working and now inherits your memory, identity, routing, and audit trail.

  • Ingests from every cloud vendor you have ever used.

    One-time mass migration plus ongoing bidirectional sync. Google Takeout, Apple iCloud, Microsoft, Meta, X, LinkedIn, Spotify, Netflix, Discord, Reddit, legacy hard drives, Time Machine, scanned documents. The schema absorbs new services without migrations.

  • Smart routing per request, not per app.

    Ancilla Nexus lets you decide local-first, cloud-first, or strict-local for any single LLM call, with a five-tier vendor trust classification and a local PII scrubber on every cloud-bound request.

  • Identity that holds the full shape of who people are to you.

    Multi-network parallel graphs (family, work, friend, school, freelance) with cross-domain overlap detection, family tree and genealogy, workspace org-graph, and granular role + closeness + dynamic dimensions on every contact.

  • Your identity is a key you hold, not an account on someone’s server.

    Every Ancilla install gets its own cryptographic identity. Two Ancillas verify each other directly: no central account, no email-and-password, nobody in the middle who could spoof you or lock you out.

  • Works when the internet doesn’t.

    Ancilla Beacon runs over LAN, Bluetooth, LoRa radio, USB sneakernet, even audio modem. Same architecture for a hiking weekend and a six-month expedition with no contact.

  • Inheritance is a designed feature.

    A dead-man switch in Ancilla Bastion, Shamir Secret Sharing for designated heirs, and cryptographic succession events your peers recognize. Your sovereign AI passes cleanly when you don’t.

What Ancilla does, and what it refuses

Promises made by architecture, not marketing.

What Ancilla does

  • Runs entirely on your hardware by default.
  • Encrypts everything at rest with a key in your OS keyring.
  • Logs every routing decision, every consent grant, every action taken.
  • Shows you what data left your machine, when, and to where.
  • Verifies model files and dependencies cryptographically before loading.
  • Survives ISP outages, blackouts, and arbitrarily-long disconnection.
  • Hands your data to your heirs on your terms, with your keys.

What Ancilla refuses

  • No accounts. No login server. No identity provider in the middle.
  • No telemetry. No phone-home. No analytics on Ancilla’s own usage.
  • No hosted SaaS version, ever. Sovereignty isn’t a tier.
  • No silent cloud calls. Cloud is opt-in per request, per provider.
  • No training-on-your-data deals with anyone, ever.
  • No vendor lock-in. Open formats. Apache-2.0.

Common questions

What people ask before they install something this big.

Is Ancilla free? Will there be paid tiers?

Yes. Free. Apache-2.0. No paid tiers, no premium features, no subscription, no usage limits. Ancilla runs on hardware you already own; we never have your data to charge for. This exists to be useful, not extractive.

When does Ancilla v0.0.1 ship?

When the code works reliably end-to-end in daily use. The maintainer is the first user; release happens when one human can rely on it without regressions. Follow Reddit or X for actual news.

Do I have to switch to the federation tools, or can I keep using my current ones?

Keep what you already use. Notion, ClickUp, Asana, Google Calendar, Apple Notes, whatever fits your day. Ancilla one-time-imports your historical data and bidirectionally syncs ongoing changes; your workflow stays where you like it, your AI has the full picture underneath. The federation tools are an option if you ever want to go fully local-first, not a requirement.

How is Ancilla different from the AI tools I already use?

Most personal-AI tools are the agent (the thing you talk to). Ancilla is what the agent stands on: your memory, your identity, your routing, your consent gates, your audit trail. Whatever tool you already use (Claude Code, Cursor, OpenCode, your favourite IDE) keeps working and now inherits all of that automatically. You don’t migrate. You add a layer underneath.

Do I need to be a developer to use Ancilla?

Eventually no. The end goal is that Ancilla works for non-developers: install, configure via Ancilla Mission Control, daily-driver use without touching a terminal. The first release will be developer-shaped (it has to be), but the design is for everyone.

Why no cloud version? Why no hosted Ancilla?

Because sovereignty is the point. The whole reason Ancilla exists is so your data, your routing, and your AI memory stay on hardware you own. A hosted version would defeat that. If you want cloud LLMs, Ancilla Nexus can route to them on your terms, per request, per provider, with full audit and a local PII scrub before anything leaves your machine.

Can I use just one piece of Ancilla, or do I need everything?

One piece at a time. Each pillar stands alone. Run Ancilla Bastion as just a personal-data store. Run Ancilla Nexus as just an LLM gateway. Run Ancilla Aegis as just a security layer. They get much more useful together, but they’re not bundled into a monolith.

What hardware do I need?

One workstation or home server with a GPU works well. The reference machine is a Ryzen 9 with 64 GB RAM and an RTX 3090 (24 GB VRAM). Less than that (a Mac mini, a Pi cluster, a NAS) runs the lower-VRAM pillars and offloads heavy compute to your other devices via the mesh. Pure CPU works for many tasks; a GPU unlocks the deeper ones.

What happens to my Ancilla when I’m gone?

Inheritance is designed in. Ancilla Bastion has a dead-man switch; Shamir Secret Sharing splits the keys to your designated heirs in physical or digital envelopes; a cryptographic succession event signed by reconstituted keys lets your peers’ Ancillas recognize the new owner. Your sovereign AI passes cleanly when you don’t.

Stay in the loop

Hear from us when Ancilla ships.

Drop your email and we’ll let you know when there’s working code to try.

Or just email hello at ancilla.live directly.