# Rook — Jetson Orin Nano Super Personal AI agent running on NVIDIA Jetson hardware. Rook manages conversations, email, tools, and skills across Telegram, web dashboard, and other platforms. ## Quick Start (New Device) ### Prerequisites - NVIDIA Jetson Orin Nano Super (8GB) - JetPack 6.2.2+ installed - Internet connection - SSH access to the Jetson ### Step 1: Install ```bash ssh youruser@jetson-ip bash install.sh ``` This sets up: headless boot, 32GB swap, UFW/fail2ban, Tailscale, Docker, Python 3.11, Node.js 22, systemd services, watchdog, log rotation. ### Step 2: Sync Agent Code From your dev machine: ```bash rsync -avz /path/to/rook-agent/ youruser@jetson-ip:~/rook-agent/ rsync -avz /path/to/rook-nerve/ youruser@jetson-ip:~/rook-nerve/ ``` ### Step 3: First Boot ```bash ssh youruser@jetson-ip bash first-boot.sh ``` The wizard walks you through: API key setup, Google Drive backup, Telegram bot, email, and optionally full security (BIP39 mnemonic + encrypted vault). ### Step 4: Verify ```bash bash verify-install.sh ``` Should show all green checks. ## Daily Management ```bash rook status # System overview rook restart # Restart all services rook logs agent # Follow agent logs rook backup # Run backup now rook training # Training data stats rook doctor # Health check rook config # Edit agent config ``` ## Architecture ``` ┌─────────────────────────────────────────────────────────┐ │ Layer 3: Rook │ │ - Telegram, Email, Web Dashboard interfaces │ │ - OpenRouter / NIM / Gemini / custom models │ │ - Tools: web search, code exec, file ops, email │ │ - Skills learned from experience │ │ - Sessions segregated for LoRA training │ ├─────────────────────────────────────────────────────────┤ │ Layer 2: Citadel Sandbox (optional) │ │ - Docker container with Landlock/seccomp │ │ - Auth proxy injects API credentials │ │ - Agent never sees raw API keys │ ├─────────────────────────────────────────────────────────┤ │ Layer 1: Host OS │ │ - Ubuntu JetPack 6.2.2+, headless │ │ - Tailscale VPN, fail2ban, UFW │ │ - rook-doctor watchdog (2min health checks) │ │ - Encrypted Google Drive backups (daily) │ │ - Session processor → training databases (15min) │ │ - fTPM + LUKS encrypted vault (opt-in) │ └─────────────────────────────────────────────────────────┘ ``` ## Security - **Quick Setup:** API keys in `~/.hermes/secrets/`, encrypted daily backups - **Full Security:** BIP39 mnemonic → LUKS vault → Vaultwarden, fTPM-sealed boot, Shamir's 2-of-3 recovery, optional key file second factor - SSH password auth ON by default (intentional — prevents lockouts) - Dashboard runs on host only, never inside sandbox - See `docs/architecture/secret-management.md` for full cryptographic design ## Training Data Conversations and tool calls are automatically segregated into separate SQLite databases for LoRA fine-tuning: ```bash rook training # Stats rook export jsonl ./out # Export to JSONL ``` ## Files ``` scripts/ install.sh # Full Jetson setup first-boot.sh # Onboarding wizard verify-install.sh # Post-install checker rook # CLI management tool src/ crypto/ # BIP39, LUKS, Shamir, fTPM, Vaultwarden auth-proxy/ # Outbound credential injection proxy sandbox-manager/ # Citadel Docker container config/ logrotate/ # Log rotation config fail2ban/ # SSH brute force protection container/ Dockerfile.citadel-rook # Sandbox container image docs/ architecture/ # Design docs and session logs superpowers/ # Specs and implementation plans ``` ## License Private — not yet published.