FreeOSBot is not a separate AI. It is the DevOps persona of Phoenix Daemon, pre-shipped with the right Postgres role, the right MCP allowlist, the right escalation policy, and the right safety envelope for regulated on-prem operations. ShadowOps is its edge extension: per-node Watchmen agents that pre-classify the log firehose so a single DevOps persona can supervise hundreds of hosts without saturating.
Persistent multi-persona AI operations platform. One engine, five-layer brain, eleven-stage cognitive pipeline, four-tier action gate, hard persona severance.
Phoenix's DevOps persona shipped as a turnkey package: pre-built persona YAML, Postgres role, MCP allowlist (k8s · Vault · ArgoCD · Wazuh · Helm · Trivy · Loki · Prometheus · Grafana · Dagster · Git · Shell), escalation contract, and safety envelope for healthcare-grade infrastructure.
Per-node agent (DaemonSet on k8s, systemd unit on bare-metal) that tails journalctl + docker events + kubelet locally. Pre-classifies log lines through a deterministic regex tier and an optional local Ollama tier. Sends only structured envelopes to FreeOSBot — never raw log text.
FreeOSBot does not reinvent observability or replace your AI assistant. It plugs into Phoenix's existing severance model and uses ShadowOps to scale fan-in past the point where a centralised log tail breaks.
Phoenix is the long-running daemon: brain, pipeline, gate, severance. It runs every persona — not just DevOps. Memory, audit, drift watchdog and constitutional core are all upstream.
Same engine, same brain, same safety. Difference is that FreeOSBot is exactly the DevOps persona YAML — pre-shipped with the operator contract, escalation policy and toolset that regulated on-prem clusters actually need.
An edge fleet that turns the log firehose into a manageable structured stream. Watchmen pre-filter, optionally pre-classify with a small local model, and emit envelopes — never raw text — to FreeOSBot.
correlation_id
FreeOSBot ships personas/devops.yaml with a healthcare-friendly default contract: escalation.assigned_person.name required before any Tier-1+ autonomous execution; auto_discover_sources seeded for k3s + Helm + ArgoCD + dpkg + npm + pip; security_feeds.yaml seeded with NVD, GitHub Advisory, kernel security list, OSS licence press; and a default-deny outbound allowlist that opens only the channels you configure. The tool catalogue is the same 279 tools the engine ships, gated to this one persona by the YAML overlay. Add a persona — by editing YAML, not by building a separate product.
A two-tier architecture. Watchmen at the edge handle the >95% of log lines that are deterministic. Only structured envelopes — never raw logs — fan in to FreeOSBot. The DevOps persona then applies Phoenix's full safety model to anything that needs a decision.
Regex match against seeds/log_patterns.yaml. CrashLoopBackOff → restart (node-scoped). OOMKilled → queue a GitOps PR template. Disk pressure → prune + escalate. Noise → drop.
Sub-millisecond. No LLM. No network. Audited locally; aggregate digest emitted hourly to FreeOSBot for visibility.
Per-node 4B-class model — single-token {remediate|escalate|ignore} verdict + confidence. Only fires when Tier 0 confidence is below threshold. Routed locally via bifrost_llm; bypasses Bifrost circuit breaker; no token accounting.
Feature-flagged · default off in Phase 1. Killed and disabled if node memory pressure spikes — fail-safe to Tier 0 only.
Stable schema. correlation_id, cluster_id, severity, category, auto_remediation, evidence (≤ 4 KB log excerpt). Never raw log text.
Phoenix admission ingress accepts the envelope. Pipeline runs RECON, memory probe, action gate, plan mode. Operator escalation routed per escalation.policy: page · escalate-1h · daily digest · hourly digest.
Without ShadowOps, the log firehose breaks any centralised AI assistant — economically and architecturally. With ShadowOps, the same DevOps persona stays under load and inside the Phoenix safety model.
Watchmen drop the noise locally and self-remediate the auto-fixable patterns — pod restarts, journal pruning, log rotation — within a contract that mechanically refuses any action outside the node. Only the ~1% that needs a real decision becomes an envelope. FreeOSBot then applies the full Phoenix pipeline: RECON pulls last-deploy diff, memory probe cites prior incidents, the action gate scales approval to blast radius, plan mode auto-triggers at three or more mutating steps. Operator escalation stays inside the existing telegram / email / PagerDuty contract.
Two columns, no overlap. The left is what every Phoenix persona ships with — and FreeOSBot inherits unchanged. The right is what FreeOSBot and ShadowOps add on top.
PHOENIX_BUDGET_HARD=on.FOR UPDATE SKIP LOCKED single-claim event dispatch.shell:* calls intercepted before MCP routing — no JSON-RPC overhead, no 30 s MCP hangs.PHOENIX_DRIFT_K8S_TARGETS; opens draft PRs with a reconcile checklist.pull_request open / sync · deterministic diff + memory probe + scout + comment.escalation.assigned_person is blank — fail-closed.A pod runs out of memory in a regulated cluster. The on-call SRE is asleep. Here is what ShadowOps + FreeOSBot do, step by step.
Per-node Watchman tails kubelet events. OOMKilled matches the pattern library. Severity HIGH. Blast radius: node-scope. Watchman attempts the queued GitOps PR template for memory limits — but rejects the operation because the namespace is in protected_namespaces. Builds an envelope instead.
v1 envelope POSTed to FreeOSBot ingress over HTTPS. Sticky router pins by correlation_id. Phoenix admission accepts; p95_event_age_s autoscaler is well under threshold.
RECON pulls Prometheus memory series for the pod, last 7 day OOM history, cgroup limits, the deployment manifest. Memory probe surfaces [INC-2026-04-30-C9D2]: same pod was OOMing a month ago when traffic spiked; resolution was to bump resources.limits.memory from 512Mi to 1Gi.
Diagnosis: same memory ceiling, similar traffic shape. Recommended action: open a draft PR raising the memory limit (Tier 1 reversible — files a PR, doesn't merge it). Memory probe also surfaces standing common-sense entry: "do not auto-merge changes to billing-* manifests." Plan mode does not trigger (single-step, low tier).
FreeOSBot calls gh_pr_create through the persona outbound allowlist; rate-limited; payload-hash audited. PagerDuty page sent per escalation.policy = page_immediate for HIGH severity in protected namespaces.
Structured incident report on the operator's desk. Timeline, prior-occurrence citation, the PR FreeOSBot opened, what's still missing for a permanent fix, who needs to know. Audit log carries the watchman → envelope → admission → action chain end-to-end.
Start with a free 30-day pilot — we deploy a single Watchman into your cluster, read-only, no remediation. Convert when you're convinced. The platform is Apache 2.0 — you keep it whether we keep working together or not.
Whether you're scoping a pilot, evaluating a multi-cluster federation, or just want to understand how a DevOps persona under Phoenix actually works — we're happy to have that conversation.