Runs on your own infrastructure — private cloud, on-prem, or air-gapped. The agent OS for organizations that can't put their work in someone else's cloud. Nothing leaves their boundary.
Most companies will run AI agents in a vendor's cloud. Defense, banks, hospitals, and government legally can't put operational data there.
The centralized cloud "company brain" is disqualified before the first demo. Whichever agent OS those organizations adopt has to run on infrastructure they already own.
Generating software got cheap. Keeping it trustworthy didn't.
Once agents start producing real operational work, the only useful questions are about trust:
StacyOS is the secure agent OS built for those questions — running on the customer's own infrastructure, never on someone else's cloud.
StacyOS makes agent operations legible — without leaving the customer's boundary.
Meetings, tickets, workflows, dashboards, generated apps, operational decisions, and agent outputs become signed, permissioned artifacts the customer owns. Audit-ready by design. Compliance-ready by default.
Inside regulated organizations, agents already read, call, and write across:
There is no canonical record of:
Compliance teams reconstruct from scattered logs. Auditors are asked to trust screenshots.
Every run carries:
Compliance-ready, not automatically compliant. Evidence is generated as work happens; framework mapping is your auditor's call.
For organizations whose operational data cannot leave their boundary — defense, financial services, healthcare, government, energy, pharma, high-frequency trading — AI-native means more than running models inside a VPC. It means an operating system that turns every agent action into permissioned, signed, auditable evidence.
Today, software coordinates humans. Tomorrow, agents coordinate humans, systems, and each other — inside the customer's network, under their policies.
The AI-native company is not just searchable. It runs a governed self-improvement loop.
Observe → Compare → Correct → Verify → Remember. Every interaction, ticket, workflow, dashboard, generated app, and operational decision feeds the next agent run with verified, signed, permissioned context. Humans supervise high-stakes and novel decisions — the system does not silently rewrite the company.
Humans route information between teams and tools.
Operational intelligence coordinates itself — across agents, humans, and machines.
StacyOS is the secure agent OS for organizations whose work cannot leave their boundary — every action permissioned, logged, and signed into an audit trail they own.
StacyVM is the live execution layer of Stacy — self-hosted sandbox infrastructure for AI agents, with verifiable worker identity and signed Execution Receipts. Every AI action needs a safe place to run and a trustworthy way to prove it happened. StacyVM gives both.
As generated software becomes disposable and regeneratable, StacyVM gives every generated action a safe runtime and every execution a verifiable receipt.
Run generated code, agents, workflows, and previews in isolated disposable environments with verifiable worker identity. Choose your isolation: Firecracker microVMs (~28ms boot), Docker (runc, gVisor, or Kata), PRoot for restricted hosts, E2B, or a custom provider — same API across all. Runs in your own private cloud, on-prem, or air-gapped.
Open source. Self-hostable. Python and TypeScript SDKs. Live preview URLs. React web dashboard and a stacyvm tui terminal cockpit. Installable today.
stacyvm tui — full-screen terminal UI for operators who'd rather stay in the shell. Same primitives as the dashboard../stacyvm serve.
StacyOS makes every agent action permissioned, signed, and audit-ready — so each output an agent produces can be trusted, reused, and proven across the customer's own infrastructure. No central runtime. No shared tenant. The audit record lives where the work lived.
// invariant Evidence and Knowledge Objects live on the customer's infrastructure — never on Stacy Cloud. The customer owns the audit record.
Public coordination substrates are optional and workload-specific. StacyOS is sovereign and local-first by default.
The federation model · powered by Stacy Sync (research stage)
Ten installs become ten mini-brains. Each person owns theirs. They federate through Stacy Sync — opt-in, granular, revocable end-to-end — into a coordination fabric on the customer's own infrastructure. The same protocol holds as the team grows. Same substrate. No central tenant. No vendor lock-in.
Most enterprise AI systems are building company memory.
StacyOS is the secure agent OS that lets that work be shared without leaving the customer's boundary.
One signed Knowledge Object. One consent grant. One revocation. One verifiable audit chain. No shared server. No centralized record.
N=2 is where federation becomes real: two installs can't cheat with a shared database, so every operation goes through the protocol. The cost is O(1) and pairwise — adding install number k needs no global consensus. Two installs are the unit test. Ten are a team. A hundred are a department. The same substrate scales beyond, on the customer's own infrastructure.
When StacyOS lives in your network, every agent in your organization runs under one substrate.
For a bank, a hospital, a defense prime, or a government agency: once StacyOS is installed inside your VPC, on-prem, GovCloud, or air-gapped enclave, your developers, analysts, support team, clinicians, traders, and case officers stop running disconnected AI tools. Their agents start running under one identity model, one authorization policy, one approval workflow, one audit trail.
Over time the system accumulates company intelligence inside your boundary — not a "memory" in someone else's cloud, but a permissioned, signed, revocable graph of your own decisions, your own evidence, your own Knowledge Objects. The substrate your auditors, your security team, and your next-generation agents all draw from.
The durable asset is not the generated app or the agent of the week.
The durable asset is what stays on your infrastructure:
Generated agents and generated apps can be regenerated. The permissioned company intelligence they ran on cannot.
Every output attested, every action audited, every object owned — inside the customer's boundary, under the customer's policies. StacyOS is the secure substrate your AI lives on.
Stacy unfolds one layer at a time. StacyVM is live and self-hostable. Stacy CLI is in active development. Stacy Sync is research with three published papers. Federation demo working today — ~25s end-to-end, reproducible 3/3.
The execution layer of Stacy. Self-hosted sandbox infrastructure for AI agents — multi-provider runtime (Firecracker, Docker, gVisor, Kata, PRoot, E2B, or custom), live preview URLs, verifiable worker identity, Python and TypeScript SDKs, React web dashboard, and a stacyvm tui terminal cockpit. Live and installable today.
Trust-first control plane for assigning, supervising, and auditing AI agents. Every agent has an owner, a budget, a workspace, a run history, logs, approvals, and a visible stop button. Connect your own Codex or Claude, assign tasks, watch live runs, track cost and risk, gate risky actions behind approvals. Built with Git worktree isolation per task, secrets redaction, local sandbox defaults, and full backup/restore tooling. Public command surface in active development.
The Coordination Intelligence Layer. The layer that coordinates everything Stacy generates. Generated software and Knowledge Objects become signed, content-addressed objects — each carrying provenance, ownership, content hash, and signature. Objects move under per-object consent, are revocable at read time, and leave hash-chained receipts. Permission lives in the object lifecycle, not a platform access table.
Contains: Knowledge Objects · consent · federation · receipts · synchrony.
A Knowledge Object is a signed operational artifact — meeting summary, dashboard, workflow, ticket, generated app, report, or agent output — carrying provenance, permissions, ownership, consent rules, and audit history.
The federation primitive — two installs sharing a signed Knowledge Object by consent, revoked end-to-end in ~25s, reproducible 3/3 — is a working demo today; public release in 90 days.
Stacy sits on top of published research. The operating system framing, the synchrony layer protocol, and the public synchrony infrastructure each have their own paper.
The research behind StacyOS is the trust, provenance, and evidence substrate for AI agents in regulated, sovereign environments: signed objects, per-object consent, revocation, hash-chained receipts, and federation that doesn't require a central tenant.
One client. Same calls both sides. Self-hosted compute sandboxes for AI agents — spawn, exec, destroy.
from stacyvm import Client
client = Client("http://localhost:7423")
sandbox = client.spawn(image="python:3.12")
result = sandbox.exec("python3 -c 'print(40 + 2)'")
print(result.stdout) # "42\n"
sandbox.destroy()import { Client } from "stacyvm";
const client = new Client("http://localhost:7423");
const sandbox = await client.spawn({ image: "node:20" });
const result = await sandbox.exec("node -e 'console.log(1+1)'");
console.log(result.stdout); // "2\n"
await sandbox.destroy();Built by a small team. Open to design partners. Reach us at accesstoarpan@gmail.com