Dual-Deployment Model
Same codebase. Same gateway. Same agent registry format. Same DaemonKit client framework. Two instances -- one private, one company. The native app connects to both via connection profiles. You see both in a single app, switch between them like accounts.
Your private JARVIS. Full access to everything -- all workspaces, local filesystem, iCloud Drive, network shares. Knows about the mortgage, the VA, the investments. Never leaves your hardware.
| Property | Personal instance |
|---|---|
| Host | Mac Studio (or Proxmox) |
| Network | Tailscale mesh only |
| Auth | Device certificate |
| Workspaces | All (Company A, Company B, Side Project, Personal, Accounting) |
| File Access | iCloud Drive, NAS, mounted shares |
| Identity | Full SOUL.md + personal calibration |
| Memory | Local PostgreSQL + Redis + Neo4j |
| Cost | Anthropic API usage only |
Company Daemon. Company workspace only. HIPAA-compliant infrastructure. Team access via Azure AD. Professional tone, no personal context. Scales with the company.
| Property | Company instance |
|---|---|
| Host | Azure Container Apps |
| Network | Azure Front Door + WAF |
| Auth | Azure Entra ID (OAuth 2.0) |
| Workspaces | Company workspace only |
| File Access | Azure Blob Storage |
| Identity | Company SOUL.md (scoped identity, no personal context) |
| Memory | Azure Postgres + Redis + Cosmos DB |
| Cost | ~$150-300/mo base + API usage |
Native App (iOS + macOS) -- Connection Profiles
One app, multiple gateway connections. DaemonKit manages connection profiles -- each profile specifies the gateway URL, auth method, and available workspaces. The app UI is identical regardless of which instance you're connected to. Switch profiles like switching accounts.
```swift
// DaemonKit/Sources/ConnectionProfile.swift
import Foundation   // URL

/// One gateway connection the app can switch to, stored like an account.
struct ConnectionProfile: Codable, Identifiable {
    let id: String
    let name: String
    let gateway: URL
    let authMethod: AuthMethod
    let workspaces: [String]   // Available workspace IDs on this gateway
    let icon: String           // SF Symbol name
}

/// How the app proves who it is to a given gateway.
enum AuthMethod: Codable {
    case deviceCertificate          // Personal (Tailscale)
    case oauth(provider: String)    // Company (Azure Entra ID)
}

// Configured profiles:
let profiles = [
    ConnectionProfile(
        id: "personal",
        name: "Personal",
        gateway: URL(string: "https://daemon.tailnet.ts.net")!,
        authMethod: .deviceCertificate,
        workspaces: ["company-a", "company-b", "side-project", "personal", "accounting"],
        icon: "house.fill"
    ),
    ConnectionProfile(
        id: "company",
        name: "Acme Corp",
        gateway: URL(string: "https://daemon.company.com")!,
        authMethod: .oauth(provider: "azure-entra"),
        workspaces: ["company"],
        icon: "building.2.fill"
    )
]
```
Network Topology
```text
┌──────────────────────────────────────────────────────────┐
│                       YOUR DEVICES                       │
│                                                          │
│   iPhone ──┐                                             │
│   iPad ────┤── DaemonKit App ── Connection Profile Switch│
│   Mac ─────┘                                             │
│                                                          │
└──────────────────────────────────│──────────────│────────┘
                                   │              │
                    Tailscale Mesh │              │ Public Internet
                    (WireGuard)    │              │ (HTTPS / WSS)
                                   │              │
┌──────────────────────┐   ┌───────┴──────────────┴───────┐
│  PERSONAL INSTANCE   │   │  COMPANY INSTANCE (Azure)    │
│                      │   │                              │
│  Mac Studio          │   │  Azure Front Door + WAF      │
│  ├─ Gateway (FastAPI)│   │  ├─ Azure Container Apps     │
│  ├─ PostgreSQL       │   │  │  └─ Gateway (FastAPI)     │
│  ├─ Redis            │   │  ├─ Azure Database Postgres  │
│  ├─ Neo4j            │   │  ├─ Azure Cache Redis        │
│  ├─ iCloud Drive     │   │  ├─ Cosmos DB (Gremlin)      │
│  ├─ NAS / SMB shares │   │  ├─ Blob Storage             │
│  └─ Local filesystem │   │  ├─ Key Vault                │
│                      │   │  ├─ Entra ID (auth)          │
│  Binds: Tailscale IP │   │  └─ Monitor + Log Analytics  │
│  No public exposure  │   │                              │
└──────────────────────┘   │  Custom domain:              │
                           │  daemon.company.com          │
                           └──────────────────────────────┘

Both instances share:
├─ Same gateway codebase (Python/FastAPI)
├─ Same agent registry format (YAML manifests)
├─ Same DaemonKit client protocol
├─ Same LangGraph agent architecture
└─ Different configs, identity stacks, and trust boundaries
```
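The "different configs and trust boundaries" point is easy to state and easy to break with one bad config line. The following is an added example, not the project's own code, of a startup check that refuses to bring up either gateway when its configuration crosses the boundary the tables above draw: the personal gateway must bind only to its Tailscale address and use device certificates, and the company gateway must use OAuth, serve only the company workspace and never mount personal file sources. The config field names (`instance`, `bind_address`, `auth_method`, `workspaces`, `file_sources`) and the sample values are assumptions made for the example; the Tailscale address range (100.64.0.0/10) is real.

```python
"""Trust-boundary checks for the two gateway configurations.

Added example, not the project's own code. The config field names are
assumed; the invariants are taken from the deployment tables: the personal
gateway binds only to its Tailscale address and authenticates by device
certificate, while the company gateway authenticates via OAuth, serves only
the company workspace and never mounts personal file sources.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")

# File sources that exist only on the personal instance and must never be
# configured on the company instance (assumed config value names).
PERSONAL_ONLY_SOURCES = frozenset({"icloud_drive", "local_fs", "smb_share"})


@dataclass(frozen=True)
class GatewayConfig:
    instance: str                 # "personal" or "company"
    bind_address: str             # address the FastAPI gateway listens on
    auth_method: str              # "device_certificate" or "oauth"
    workspaces: tuple[str, ...]
    file_sources: tuple[str, ...]

    @classmethod
    def from_dict(cls, raw: dict) -> "GatewayConfig":
        """Build from a parsed YAML/JSON mapping (assumed layout)."""
        return cls(
            instance=raw["instance"],
            bind_address=raw["bind_address"],
            auth_method=raw["auth_method"],
            workspaces=tuple(raw.get("workspaces", [])),
            file_sources=tuple(raw.get("file_sources", [])),
        )


def check_trust_boundaries(cfg: GatewayConfig) -> list[str]:
    """Return the list of violations; an empty list means the config may start."""
    problems: list[str] = []
    if cfg.instance == "personal":
        try:
            addr = ipaddress.ip_address(cfg.bind_address)
        except ValueError:
            problems.append(f"personal: bind_address {cfg.bind_address!r} is not an IP address")
        else:
            # Binding 0.0.0.0 or a LAN address would expose the private daemon
            # beyond the Tailscale mesh.
            if addr not in TAILSCALE_RANGE:
                problems.append(f"personal: bind_address {cfg.bind_address} is not a Tailscale address")
        if cfg.auth_method != "device_certificate":
            problems.append(f"personal: auth_method must be device_certificate, got {cfg.auth_method!r}")
    elif cfg.instance == "company":
        if cfg.auth_method != "oauth":
            problems.append(f"company: auth_method must be oauth, got {cfg.auth_method!r}")
        extra = sorted(set(cfg.workspaces) - {"company"})
        if extra:
            problems.append(f"company: non-company workspaces configured: {extra}")
        leaked = sorted(set(cfg.file_sources) & PERSONAL_ONLY_SOURCES)
        if leaked:
            problems.append(f"company: personal file sources configured: {leaked}")
    else:
        problems.append(f"unknown instance kind {cfg.instance!r}")
    return problems


# Constructed sample configs (not real deployment values).
PERSONAL_OK = {"instance": "personal", "bind_address": "100.101.102.103",
               "auth_method": "device_certificate",
               "workspaces": ["company-a", "company-b", "side-project", "personal", "accounting"],
               "file_sources": ["icloud_drive", "smb_share", "local_fs"]}
COMPANY_OK = {"instance": "company", "bind_address": "0.0.0.0", "auth_method": "oauth",
              "workspaces": ["company"], "file_sources": ["azure_blob"]}
# A misconfigured company instance that would pull personal context into the team deployment.
COMPANY_BAD = {**COMPANY_OK, "workspaces": ["company", "personal"],
               "file_sources": ["azure_blob", "icloud_drive"]}

if __name__ == "__main__":
    for raw in (PERSONAL_OK, COMPANY_OK, COMPANY_BAD):
        cfg = GatewayConfig.from_dict(raw)
        print(cfg.instance, check_trust_boundaries(cfg) or "ok")
```

Run this from the gateway's startup path and exit non-zero on any returned problem; a company gateway that lists `personal` among its workspaces should never reach the point of serving a request.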
Full Deployment Map
| Component | Hosted on | Notes |
|---|---|---|
| company.com (marketing site) | Vercel | Next.js frontend, edge CDN, preview deployments, zero config |
| Personal Daemon Gateway | Mac Studio (local) | Full filesystem access, Tailscale only, private |
| Company Daemon Gateway | Azure Container Apps | HIPAA-eligible, team auth via Entra ID, managed infra |
| Mission Control Dashboard | Both (local + Azure Static Web Apps) | Next.js dashboard, connects to whichever gateway via profile |
| iOS + macOS App | TestFlight → App Store | Native SwiftUI, DaemonKit shared framework, not hosted |
| CI/CD Pipeline | GitHub Actions | Test → build container → push to ACR → deploy to Container Apps |
Access Control (Company Instance)
Azure Entra ID provides role-based access. Roles are defined at the gateway level and enforced on every request.
| Role | Users | Permissions |
|---|---|---|
| Admin | John | Full access -- all agents, all tools, agent registry CRUD, memory management, system config, override authority |
| Operator | Marcus, future hires | Use agents, spawn sub-agents, read/write workspace files, execute approved tools. Cannot modify agent registry or system config |
| Viewer | Investors, advisors | Read-only dashboard access -- metrics, reports, status. Cannot interact with agents or access files |
| Service | CI/CD, webhooks | Scoped API access for automated integrations -- specific endpoints only, no interactive sessions |
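What "enforced on every request" looks like in the gateway's own language, as an added example that is not the project's code: the four roles from the table become an explicit permission allow-list, the `roles` claim of an already signature-verified Entra ID access token is mapped onto them, and a single decision function is consulted by every route. It assumes the gateway's JWT middleware has already validated the token (signature, issuer, audience, expiry) before these claims are trusted; the action names, the service-token endpoint paths and the sample claims are assumptions made for the example.

```python
"""Role enforcement for the company gateway.

Added example, not the project's own code. It assumes the Entra ID access
token has already been signature-verified by the gateway's JWT middleware and
that app roles arrive in the token's `roles` claim; the role names match the
access-control table, the action and endpoint names are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Role(str, Enum):
    ADMIN = "Admin"
    OPERATOR = "Operator"
    VIEWER = "Viewer"
    SERVICE = "Service"


# Every action the gateway knows about. Admin gets all of them; every other
# role gets an explicit allow-list, so an action nobody listed is denied.
ALL_ACTIONS = frozenset({
    "agent:use", "agent:spawn", "workspace:read", "workspace:write",
    "tool:execute", "registry:write", "memory:manage", "system:config",
    "override", "dashboard:read", "webhook:post",
})

PERMISSIONS: dict[Role, frozenset[str]] = {
    Role.ADMIN: ALL_ACTIONS,
    Role.OPERATOR: frozenset({"agent:use", "agent:spawn", "workspace:read",
                              "workspace:write", "tool:execute", "dashboard:read"}),
    Role.VIEWER: frozenset({"dashboard:read"}),
    Role.SERVICE: frozenset({"webhook:post"}),
}

# Service tokens are scoped to specific endpoints (assumed paths).
SERVICE_ENDPOINTS = frozenset({"/api/webhooks/github", "/api/webhooks/ci"})


@dataclass(frozen=True)
class Principal:
    subject: str
    roles: frozenset[Role]


class AuthorizationError(Exception):
    pass


def principal_from_claims(claims: dict) -> Principal:
    """Map verified token claims to a Principal.

    Role names the gateway does not know are dropped rather than guessed at,
    so a mis-issued claim can only narrow access, never widen it.
    """
    known = {r.value for r in Role}
    roles = frozenset(Role(name) for name in claims.get("roles", []) if name in known)
    return Principal(subject=claims.get("sub", ""), roles=roles)


def effective_permissions(principal: Principal) -> frozenset[str]:
    perms: set[str] = set()
    for role in principal.roles:
        perms |= PERMISSIONS[role]
    return frozenset(perms)


def is_allowed(principal: Principal, action: str, path: str, session: bool = False) -> bool:
    """Decide one request; `session` is True for interactive chat/WebSocket traffic."""
    if not principal.roles:
        return False                      # authenticated but holds no app role: deny
    if action not in effective_permissions(principal):
        return False
    if principal.roles == {Role.SERVICE}:
        # Automation: specific endpoints only, never an interactive session.
        if session or path not in SERVICE_ENDPOINTS:
            return False
    return True


def require(principal: Principal, action: str, path: str, session: bool = False) -> None:
    """Raise instead of returning False; inside a FastAPI dependency this maps to 403."""
    if not is_allowed(principal, action, path, session):
        raise AuthorizationError(f"{principal.subject}: {action} on {path} denied")


if __name__ == "__main__":
    # Constructed claims for principals from the access-control table.
    for claims, action, path, session in [
        ({"sub": "john", "roles": ["Admin"]}, "system:config", "/api/system", False),
        ({"sub": "marcus", "roles": ["Operator"]}, "registry:write", "/api/agents", False),
        ({"sub": "investor", "roles": ["Viewer"]}, "dashboard:read", "/api/metrics", False),
        ({"sub": "ci", "roles": ["Service"]}, "webhook:post", "/api/agents/run", False),
    ]:
        p = principal_from_claims(claims)
        print(p.subject, action, path, "allow" if is_allowed(p, action, path, session) else "deny")
```

Two choices carry the security weight here: unknown role names are silently dropped instead of being mapped to a default, and the Service role is checked against both the endpoint allow-list and the session flag, so a leaked CI token cannot be turned into a chat session even though it is a valid, signed token.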