Under the hood.

Four layers, bottom-up.

Nothing exotic. Plain text on disk, an LLM agent that reasons over it, a config file that governs the agent, and a deploy path to real surfaces. The discipline is in the seams between them.

The vault is a corpus, not a notes app.

Every note opens with typed frontmatter so the agent can route and filter without parsing prose. Internal links are a graph. The whole thing is a private git repo, auto-committed — that's the audit trail, not a backup of last resort.

---
type:    project | resource | idea | content
project: bodysatva | sovereign-creator | spaceiscode
status:  inbox | active | parked | done | archived
created: 2026-06-20
tags:    [brand, system]
source:  <url or "self">
---
Body uses [[Wikilinks]] — the graph is first-class.

Three functional layers, one folder tree

• Raw — captures, research, transcripts. Immutable after ingest. Source of truth for facts.
• Synthesis — projects, strategy, identity. AI-co-authored, uses the raw layer. Where it compounds.
• Schema — CLAUDE.md. The rules that govern the other two. Human + LLM co-evolved.

Prompt-as-config, with precedence.

The agent boots by reading one versioned manual plus an always-loaded Operating Brief — current state, hard-capped at 500 words, replace-never-append. The manual is treated like a config schema: instructions that override defaults, and explicit precedence everywhere so two sources can never silently disagree.

# single source of truth — every duplicated fact names a winner
if the section disagrees with CORE  → CORE wins, section resyncs
if a render disagrees with the kit  → the kit (brand.css) wins
if prose disagrees with the live value → the carrier of the value wins

The contract is config-as-prose for judgment, code for determinism. A principle authors a guard; it doesn't become one.

Right model for the job.

Tokens are real cost, and input runs roughly Opus : Sonnet : Haiku ≈ 5 : 3 : 1. So the expensive thread stays lean: Opus holds judgment, bulk work is delegated to cheaper models in subagents and only the summary comes back.

A vault-wide grep on Opus would be ~5× the cost for zero added judgment. So it isn't run there.

Engineering around the window.

Quality degrades as context fills — a measured ~250K-token "smart-zone" for this model, tracked live on a status gauge. So sessions stay tight and state is handed forward deliberately instead of bloating one thread.

Handoffs — compact state, not a transcript

At a clean break the agent writes a small brief and drops it in a queue in the vault (the one interface every surface shares). The next session sweeps the queue on boot and offers to resume.

Goal     · what we're trying to land
Context  · decisions + reasoning a fresh boot wouldn't have
State    · done / in-progress / blocked
Next     · the immediate next steps
Open     · unresolved questions

Memory — file-based, typed, indexed

Durable lessons persist as one-fact markdown files with frontmatter (user · feedback · project · reference), summarised in an index loaded every boot. The partnership remembers across sessions, not just within one.

Hooks, not prompts.

Prose is the weakest enforcement an agent has. So the rules that must hold are transcribed to code. The test for the heavy treatment is a triple — guard a seam only when all three hold:

• (a) it's operationally important, and
• (b) it's copied somewhere that can change independently of its source, and
• (c) a divergence would be silent — no error fires.

That triple is the fragility signature. When it's met: canonical source + a drift-detector + a rule. A few that run here:

# denies what the "Never" rules forbid — enforced, not requested
deny  writes into .obsidian/            # never touch plugin state
deny  rm aimed at the vault
deny  git push --force | --mirror | --delete
# matches on command TEXT — a string that just references
# a blocked pattern is denied too. override is conscious.

• Truth guard — any displayed live value must be derived from source and carry a data-live marker; a check fails on a hand-typed number. "Derive the live value or guard it — never type it."
• Render kit — one brand.css is the single source of visual truth; a drift guard fails any page that re-inlines tokens.
• Shape guard — a round token is cut with clip-path: circle(), never a faked border-radius; the guard fails near-50% radii.

It ships itself.

The whole web presence is one monorepo deployed to Cloudflare Pages via wrangler, through a shared helper so there's one place to maintain the deploy mechanic. Lee never runs a command — the agent deploys, verifies the live URL, reports.

# one helper, every surface
site = cfpages.stage(src, whitelist)   # clean temp dir, no scratch/secrets
cfpages.stamp(site)                    # ?v= = md5 of the real asset — never hand-typed
cfpages.deploy(site, "leematulis-<surface>")

• Concurrency — the unit is the .git, not the project. One session per tree; advisory locks + git worktree for genuine parallelism.
• Interactive backends — Cloudflare Workers + KV. The daily feed runs double opt-in email, per-key point-read aggregates (to dodge list() lag), a reply loop.
• Verify against ground truth — a mutation isn't "done" until it's read back from the authoritative store (remote KV, git from root, the live page) — never a local proxy.

The machine signs its own work.

Provenance is a first-class concern. Across every artifact, human and machine voice are marked — not blurred — and the mark is enforced in the build step and the CSS, not left to discipline.