Six commercial products and two open-source layers, built on a single identity substrate that gives users — not platforms — the final say over their data, credentials, context, and communication.
OpenFoundries is a portfolio of digital-sovereignty tooling: six commercial products for developers, teams, and privacy-aware individuals, plus two open-source layers that bind them together. Every product is local-first by default, structurally compliant with GDPR and the EU AI Act, and designed around the principle that users — not platforms — own their data, credentials, communications, and computational context.
The portfolio's coherence comes from a single architectural decision: a free, GPL-3.0 control layer called Agnesi mediates all access to data and credentials across every other product. The commercial tools are agents of Agnesi; they cannot read or write user data without an Agnesi-resolved permission. This is the structural privacy story — not bolt-on encryption, not a privacy policy, but a load-bearing architectural axiom.
| Product | Layer | Status | Pricing model |
|---|---|---|---|
| 🆔 Agnesi | Identity & trust protocol (control layer) | Phase 4 ZKP executing; SwiftUI app shipped | Free / GPL-3.0 |
| 🏔️ Bealach | SSH / SFTP / VPN | v1 + UI redesign shipped; Apple NE entitlement landed | $99/yr individual · $20/seat/mo team |
| 🔐 Telkes | Credential vault | Well past MVP; P2P sync in flight | $49/yr · $10/seat/mo · $5/mo bundle |
| 🧠 Sequentem | Context memory wallet for AI agents | Sprints 0–3 done; CLI shipped | $29/mo · API metered |
| 🪙 Crumbox | Browser cookie sandbox | MVP epic closed | Free · $39/yr Pro · $8/seat/mo team |
| 🔗 Tàth | MCP harness for the portfolio | 4 sprints scoped | Free / OSS |
| ✉️ Burnell | Email classification with local LLM | Pivoted 2026-05-18 to Thunderbird Tier 2 | $79/yr · $149/yr Pro · API |
| 🏡 Clachan | Trust-gated federated broadcasting | Concept · Q1 2027+ | TBD |
The shopping-mall internet had a viable commercial window because three conditions held simultaneously: users did not understand the cost of extraction, no regulation existed, and no alternatives were available. All three conditions have now changed.
Digital natives understand extraction. They use finstas, close-friends lists, throwaway accounts, ephemeral messaging, and signed-out browsing. They've intuited the small-town model and rebuilt fragments of it on platforms structurally hostile to it. The desire is durable; the supply side is not.
Regulation has caught up. GDPR. DMA. The EU AI Act. The Online Safety Act. CCPA and its successors. These laws don't merely penalize bad behavior — they assume an architecture where users can see, port, correct, delete, and withhold their data. Tools built on extraction are illegal-by-architecture; tools built on user sovereignty are compliant-by-architecture. The cost of retrofitting a surveillance product into a compliant one is, in many cases, higher than the cost of building a sovereign product from scratch.
Credible alternatives have emerged. Signal eats SMS. Bitwarden eats LastPass. Standard Notes eats Evernote. Bluesky and Mastodon eat Twitter (slowly). Linear eats Jira. The pattern is consistent: when an alternative respects user agency and matches feature parity, it durably takes market share from the extractive incumbent. Not always quickly, but reliably.
The small-town model worked — imperfectly, but it worked — for thousands of years because four properties held:
The internet broke this with algorithmic amplification and context collapse. Cadastral Commons' thesis is that the small-town model can be rebuilt at internet scale, not as nostalgia, but as cryptographic infrastructure. Agnesi is the operationalization of that thesis.
"The question isn't whether the small-town model can work at internet scale. It can. The question is whether we'll build the infrastructure to let it."
Sovereignty is not a marketing word in this stack. It has five concrete operational definitions:
The portfolio's coherence is not a marketing layer. It is structural. Agnesi is the control layer: it determines the user's current context tier and gates information access. Every other product is an agent that queries Agnesi before performing any privileged operation.
A typical credential-gated operation flows through the stack in a single direction:
The tools never see credentials or context that Agnesi has not authorized. The user can revoke access mid-session. Every decision is hash-chained into a per-user audit log that the user controls — not the company, not the cloud, not the tools themselves.
| Principle | What it forbids |
|---|---|
| Agnesi-first | Any product that does not gate access through Agnesi. No exceptions, including emergency code paths. |
| Rust cores are cross-platform | Zero OS-specific dependencies in any core crate. Platform layers (macOS / Windows / Linux) are separate overlays. |
| Separation of concerns | Agnesi = permission. Telkes = credentials. Sequentem = context memory. No product accumulates these responsibilities. |
| Local-first by default | No central servers as architectural starting point. Cloud sync, where it exists, is opt-in and E2E-encrypted. |
| GPL-3.0 over patents | Strategic protection via open licensing, not via IP barriers. Patents declined in favor of OSS adoption. |
Tools relate to Agnesi in two ways: those that feed signals into the trust graph, and those that consume trust decisions from it. A few products do both.
| Product | Feeds into Agnesi | Consumes from Agnesi |
|---|---|---|
| Bealach | SSH session identity attestation; session events become auditable against verified identity | Verified identity for credential release and audit-log integrity |
| Burnell | Sender trust classifications contribute to the graph; OTP relay flows through identity vault | Trust signals to seed classifier weights; outgoing mail can be context-signed |
| Telkes | Secret access events are signed by Agnesi context (cryptographic accountability) | Identity tier scopes which credentials are unlocked at any moment |
| Sequentem | Context-disclosure events appended to audit graph | ZKP-gated retrieval — every read is permission-resolved before the agent gets bytes |
| Crumbox | Per-domain interaction telemetry (opt-in) | Per-domain cookie policy resolved by Agnesi tier (banking pass-through, ad-tech faked) |
| Tàth | — | Every MCP tool call gated by AgnesiGate |
| Clachan | Trust signals propagate to the federation layer | Trust graph is the content-visibility layer — Clachan cannot exist without Agnesi |
Cadastral Commons is the open-source foundation that stewards the Agnesi protocol. The word "cadastre" describes a public registry of land — who holds what, where, and under what terms. Cadastral Commons is the analogous registry for digital identity: open, formally structured, and trusted because its boundaries are legible to everyone.
If Agnesi were closed, it would be one more extraction point. Users couldn't verify that preferences are actually hashed; developers couldn't verify they can build on it without lock-in; regulators couldn't verify it satisfies their requirements structurally rather than by attestation. Code audit is the only credible proof. OpenFoundries makes products on top of Agnesi; Cadastral Commons makes sure Agnesi itself cannot become a moat against anyone but extractors.
The brand architecture encodes the relationship visually. OpenFoundries is brass — warm, commercial, the foundry that forges things. Cadastral Commons is verdigris — the patina that develops on brass over time, what the foundry's output becomes once it has weathered. The semantic chain is literal: the foundry makes things, those things develop patina, the patina is the commons.
Agnesi the product (rose) is the polished commercial interface above Cadastral Commons. Agnesi the protocol is what Cadastral Commons stewards. The product is commercial; the protocol is forever free.
Tàth is the likely second project to graduate into Cadastral Commons
governance once its OSS release stabilizes. Foundation formalization is
pending; the candidate domains alluvialfoundation.org and
cadastralcommons.org are identified but not yet registered.
The portfolio is best understood as two commercial bundles, two solo lines, and two open-source layers — not eight independent engines.
| Bundle / Line | Products | Shared spine | Buyer |
|---|---|---|---|
| DevOps bundle | Bealach + Telkes | ~40% shared plumbing; same buyer; same SOC2 story | Sysadmins, DevOps teams, indie devs |
| Privacy bundle | Crumbox + Burnell | Same buyer (privacy-conscious knowledge worker); same wedge | Journalists, GDPR-strict orgs, healthcare/legal |
| Solo line — Sequentem | Sequentem | Distribution depends on Tàth | AI agent builders, devs with cross-tool workflows |
| Solo line — Clachan | Clachan | Long-term moat play; portfolio-defining | Trust-network communities, indie creators |
| Free / OSS | Agnesi · Tàth | Substrate + distribution multiplier | — |
The architectural moat is structural, not marketing. Once a user adopts Agnesi, their contextual identity graph — the relationships, tiers, contacts, disclosures, audit log — lives there. Migrating away from Agnesi means migrating away from the entire OF stack and rebuilding identity context from scratch. The LTV math for any single OF product is bounded by churn; the LTV math for the bundle compounds because the substrate creates a one-way ratchet on switching cost.
Crucially, this is not proprietary lock-in. The Agnesi protocol is GPL-3.0; any party can build an alternative implementation. The moat is the user's investment in their own data graph, not vendor power.
The current generation of consumer AI — ChatGPT, Claude, Gemini — has solved the capability problem but not the trust problem. Every interaction ships user data to a third-party cloud whose training, retention, and access policies are out of the user's hands. The "personal AI" story today has no credible privacy answer.
OpenFoundries' stack is a structural answer. The six paid products collectively give an AI agent everything it needs to be useful — memory, credentials, infrastructure access, email, web interaction — while ensuring that none of those layers leak to a third-party cloud unless the user explicitly authorizes it for that single operation.
AI integration is not a single product. It's a cross-cutting capability the stack enables and gates:
| Layer | AI's role | The product that gates it |
|---|---|---|
| Memory | Portable context that any agent can read with permission | Sequentem |
| Credentials | Tier-gated secret release, every access audited | Telkes |
| Infrastructure | SSH, SFTP, VPN sessions identity-bound and context-gated | Bealach |
| Local LLM classification — content never leaves the device | Burnell | |
| Web interaction | Per-domain telemetry policy resolved by context tier | Crumbox |
| Protocol bridge | MCP harness that makes the whole stack agent-callable | Tàth |
| Permission | The control layer that says yes or no, with proof | Agnesi |
Burnell's headline feature is local-LLM classification via Ollama / llama.cpp. Journalists, legal, healthcare, and GDPR-strict orgs cannot send email contents to OpenAI; Burnell runs the classifier on-device. This is the kind of privacy-mandate buyer no SaaS email tool serves credibly today.
Telkes can release a credential to a cloud LLM-driven agent, but only after Agnesi resolves the context tier. The agent sees only what tier permits, only for the duration of the operation, and the access is hash-chained into the audit log. The user can revoke mid-session. The cloud LLM never sees credentials it isn't currently authorized for.
Sequentem inverts the mem0.ai / Letta model: instead of a cloud service that holds the user's context and rents it back, Sequentem keeps the wallet on the user's machine. Any AI agent — including one the user hasn't adopted yet — can request access through Tàth, get a ZKP-gated response, and the user retains full disclosure control. The user, not the agent vendor, owns their AI memory.
A context-gated identity wallet. The substrate every other OpenFoundries product depends on, and the open protocol Cadastral Commons stewards.
Named for Maria Gaetana Agnesi (the eighteenth-century mathematician erased from the curve named after her). Agnesi takes the small-town insight — that a person should be different things to different people in different contexts, and that those contexts shouldn't collapse — and makes it cryptographic. Every identity Agnesi holds is a context, every disclosure is bounded, every access is provable.
Pure-Rust core (crates/agnesi-core) with platform overlays.
Bulletproofs-backed zero-knowledge proofs for preference commitments.
CRDT for multi-device sync. SwiftUI app on macOS / iOS with shared
universal target. HTTP API surface for cross-process and cross-machine
integration. The cross-process daemon (agnesi-daemon)
provides a single source of truth so every Agnesi-dependent agent on the
machine reads the same context.
Agnesi is the permission gate for every AI workflow in the portfolio. When an AI agent (Claude, GPT, or a local model) requests credentials via Telkes, memory via Sequentem, an SSH session via Bealach, or any MCP tool via Tàth — Agnesi resolves the request first. Without Agnesi's "yes," the agent gets nothing. The ZKP layer means agents can prove they have permission without revealing the underlying contextual data.
Phase 4 ZKP executing. ZkpPreferenceStore shipped
(OPE-207). Full SwiftUI surface landed: multi-identity, contacts
two-pane, 3-ring trust graph, disclosure handshake, 4-step onboarding,
6-section settings, audit-log scrub. The cross-process daemon (OPE-78)
is complete — context is now readable across every Agnesi-dependent
process on the machine.
There is no product that does this. Closest comparables — ID.me, Auth0, OAuth providers — are all centralized identity issuers. Agnesi is user-issued, self-sovereign, context-tiered, ZKP-backed, and free. The combination is novel and (as flagged in IP review) potentially patentable; OF declined patents in favor of GPL-3.0 strategic protection.
Free forever. GPL-3.0. The "buyer" is every privacy-conscious individual online — universal addressable market, no acquisition cost beyond making the rest of the stack worth installing.
Risk: Apple or a major OS vendor ships native context-tiered identity as a platform feature. Inflection: the moment a paid OF product has 10k+ users, Agnesi becomes the de facto privacy identity wallet for a meaningful population.
SSH, SFTP, and WireGuard VPN for engineers who care about credential isolation, session attestation, and what their tools can see when they aren't looking.
Scottish Gaelic for "mountain pass" — a threshold you cross deliberately. Production access shouldn't feel like opening a desk drawer. Every session, every key, every tunnel is a crossing: explicit, witnessed, and reversible.
Pure Rust core (bealach-broker, bealach-ssh,
bealach-vpn, bealach-keystore) with SwiftUI
app on macOS. WireGuard via boringtun +
NEPacketTunnelProvider system extension. XPC process isolation between
app, daemon, and packet tunnel — credentials never reach the UI process.
UniFFI bindings between Rust and Swift. OFDesignKit shared design
system. CI pipeline produces notarized archives on every merge.
AI coding agents — Claude Code, Cursor's remote sessions, Aider's SSH targets — need to access remote machines. Today they store SSH keys in plain files or rely on the host's ssh-agent. Bealach makes the agent a first-class consumer: it requests an SSH session through the Bealach SDK, Agnesi resolves the context tier (Production keys locked outside the Work context), and Bealach hands back a short-lived attested session. Every command an agent executes is auditable against a verified identity. Future: AI-driven session replay and anomaly detection on top of the audit stream.
v1 + full UI redesign shipped. Apple Network Extension entitlement
landed 2026-05-12 (the long-lead ship blocker — cleared). System
extension migration complete. CI live. Open structural work: Xcode
multi-target rebuild (OPE-64), BealachHelper SMAppService
privileged helper (OPE-209), macOS 26 test machine upgrade for
system-extension E2E (OPE-212), credential-backend plugin contract for
Telkes / Bitwarden / future tools (OPE-77).
Bealach is the only consumer SSH client with XPC process isolation between app and credential store, native Agnesi context-gating, and a SOC2-credible audit trail. Comparables (Termius, Tabby, Royal TSX) don't have any of those. Combined with WireGuard built in, the wedge against Termius is real for security-aware teams.
| Tool | Pricing | Est. ARR | What it lacks |
|---|---|---|---|
| Termius | $10–25/seat/mo | $5–15M | XPC isolation, context gating, audit-credible SOC2 |
| Tabby | Free | — | Commercial support, team features |
| Royal TSX | ~$80 one-time | Small | Active development, modern stack |
Individual Pro $99/yr · Team $20/seat/mo (5-seat minimum) · Enterprise $35–50/seat/mo with audit + SAML. Primary buyer: sysadmins and DevOps engineers; strongest sale is the team tier where a single SOC2 compliance officer signs off on Bealach + Telkes together.
Risk: Termius adds XPC isolation, or Apple's eventual built-in SSH gets enterprise features. Inflection: Windows / Linux port triples TAM by mid-Y3 — the single largest dollar lever in the Bealach line.
A credential vault that knows what you're doing and only opens what's appropriate. Named for Mária Telkes — solar engineer, professionally erased.
Most password managers treat every credential the same. Telkes treats credentials as contextual: your work AWS keys should not be revealable when your machine is in Personal tier, and your bank password should require Touch ID even when the vault is unlocked. The vault is not a static box. It is a state machine driven by Agnesi context.
SwiftUI macOS app, telkes-xpcd daemon,
crates/telkes-vault in pure Rust. macOS Keychain as one
backend, EncryptedFileStore (AES-256-GCM, Argon2id) as the
cross-platform backend. SecAccessControl bound to context
tier for biometry-gated reveals. Native messaging host
(crates/telkes-nm-host) bridges browser extensions to the
daemon over restricted UDS. telkesctl CLI for headless
DevOps workflows (telkes exec,
.env import/export).
Agentic coding workflows constantly need secrets: API keys for OpenAI /
Anthropic, GitHub tokens, AWS credentials, deployment keys. Today,
agents either store these in plain files or pull them from environment
variables that any process can read. Telkes is the credential broker: an
agent requests OPENAI_API_KEY, Agnesi gates the request by
current tier (Work-and-above only), Telkes releases the secret for the
lifetime of the operation, and the access is audited. Future: per-agent
credentials with revocable short-lived scope.
Well past MVP. The full password-manager feature surface is shipped — competitive with 1Password and Bitwarden at the macOS feature level, with two genuine differentiators they cannot copy: Agnesi tier-gating per credential, and serverless P2P sync over Bealach. P2P sync currently executing — 4/6 sub-issues done (telkes-sync CRDT, Bealach mTLS transport, mDNS discovery, SwiftUI Sync card). Pending: Agnesi WAN rendezvous (OPE-230), conflict-resolution UI (OPE-232). Deferred: team vaults (OPE-56).
Telkes wins on three structural points incumbents cannot copy without
rebuilding their stack: context-gated unlock (work creds locked outside
work tier), no-central-server architecture (genuinely serverless P2P
sync), and per-credential AccessGate (tier ≥ Work → Touch ID; tier <
Work → silent). The DevOps .env + exec CLI
workflow is the third wedge, aimed at the gap Bitwarden CLI leaves open.
| Tool | Pricing | Est. ARR | What it lacks |
|---|---|---|---|
| 1Password | $8–12/seat/mo | $250M+ | Context tier-gating, local-first by default, P2P sync |
| Bitwarden | $3–6/seat/mo + free | $100M+ | Same gaps. Strong free tier is the real competitor. |
| HashiCorp Vault | Enterprise | Enterprise-only | Individual / small-team UX |
Bealach bundle add-on $5/seat/mo · Standalone Individual $49/yr · Team $10/seat/mo · Business $15/seat/mo (audit + recovery + team vaults). The hardest sell in the portfolio standalone — cannot win on price against Bitwarden's free tier. Wins on bundle attach to Bealach, and on context-gating + local-first for the security-strict segment (journalists, healthcare, legal, GDPR orgs).
Risk: 1Password adds context features; Apple's Keychain becomes credible enough for teams. Inflection: attach rate to Bealach > 30% — scales with Bealach revenue.
A user-owned wallet for AI memory. Agents query it the way they query the cloud, but the data lives on your machine and you control disclosure.
The current AI memory market — mem0.ai, Letta / MemGPT, agent platforms with proprietary memory APIs — assumes the platform should hold the user's context. Sequentem inverts the model: the user holds the wallet, agents request access. The data is yours, the disclosure rules are yours, the audit log is yours. The agent vendor is a consumer, not a custodian.
Two crates: sequentem-core (pure Rust library) and
sequentem (CLI binary). AES-256-GCM at rest with AAD.
BLAKE3 per-context version chain — every update produces
hash_vN = BLAKE3(canonical(content_vN) || hash_{N-1}), so
the entire history is tamper-evident. DEK fetched from Telkes via the
credential broker (Sequentem doesn't own its own key material).
Disclosure rules: file-backed, atomic-JSON, per-context. ZKP-gated
retrieval through Agnesi — every read flow is permission-resolved.
sequentem store --tier=Work --tag=foo — store context
bound to a tier.
sequentem retrieve — ZKP-gated, redacted to field level
if rules say so.
sequentem audit — hash-chained audit log, mirror of
Agnesi's /audit.
sequentem export / import — encrypted JSON portability
(Argon2id-derived key, distinct from Telkes DEK).
{name, role} but not
{salary} from the same context if rules permit only the
first two.
This is the product that exists for AI. Stateless agents lose context every conversation; cross-tool context is non-portable; cloud-memory services either hold your data or require you to trust their disclosure model. Sequentem is the user-owned alternative. When an AI agent queries via Tàth, Agnesi resolves the requester's tier, Sequentem applies the field-level disclosure rule for that context-id × tier, redacts what shouldn't leave, and returns what should. The agent gets useful memory; the user retains the wallet.
Sprints 0–3 complete. CLI + real-stack E2E (real Agnesi + real Telkes +
real FileBlobStore, no mocks at any seam) + audit-readiness
docs all shipped. Pure Rust, no GUI yet. Distribution is gated on Tàth —
without an MCP harness, Sequentem has no way for AI agents to actually
find and call it.
The user-owned model is the differentiation. mem0.ai is cloud-hosted; Letta is research → commercial early-stage; Apple, OpenAI, and Anthropic may eventually ship native portable context but, if they do, it will be vendor-bounded. Sequentem is the only credible "agent-agnostic, user-owned, audit-able, ZKP-gated" answer.
CLI free · Pro $29/mo (GUI + encrypted optional cloud sync) · Dev API $0.001–0.01/query · Team $50/seat/mo. Buyer is the agent builder, not (yet) the end-user. End-user demand will follow agent adoption.
Risk: Apple ships native private context API and AI vendors adopt it; mem0 raises a larger round and dominates. Inflection: Tàth ships, MCP achieves protocol consensus, Sequentem becomes the default memory backend for any agent that respects user data ownership.
A browser extension that doesn't block tracking cookies — it fakes them. Sites work; telemetry is poisoned.
The cookie-blocker industry (uBlock, Privacy Badger, Ghostery) approaches the problem with a binary tool: block or allow. The block-it-all approach breaks sites; the allow-it-all approach surrenders. Crumbox takes a third path: send the cookies, but make them lies. Sites get the response shape they expect. Trackers get noise. The user gets both functionality and privacy.
Manifest V3 Chromium extension, ~no backend. Uses
declarativeNetRequest for outbound cookie filtering.
BLAKE3-seeded fake-value generator with per-domain stable seed
(consistency across reloads, never sent to actual tracker). IndexedDB
audit log with 30-day retention and CSV export. Policy engine queries
Agnesi per domain via the /context API with 1-hour cache
and conservative-sandbox fallback on Agnesi unavailability.
Two angles. First, Crumbox is the layer that protects the user when AI scrapers are operating in the page (e.g., browser-agent platforms like Claude in Chrome). Second, the audit log of fake-cookie events is itself a useful signal Agnesi can consume — domains that demand high-volume telemetry consistently get classified as ad-tech tier, even without manual rules. Future: AI-detected dark pattern blocking (auto-decline cookie banners, anti-paywall detection).
MVP epic closed (OPE-118 — 6/6 sub-issues done). Awaiting Chrome Web Store submission. Identified for next iteration: tracking-pixel blocking (Meta, TikTok, LinkedIn, Hotjar) integrated with the cookie-sandbox layer.
Genuinely novel. uBlock and Privacy Badger block; Crumbox poisons. Per-domain Agnesi tier policy (banking distinct from ad-tech distinct from news) is structurally distinct from anything in the privacy-extension space. Audit-log export is a journalist-credible artifact none of the free incumbents offer.
| Tool | Pricing | What it does |
|---|---|---|
| uBlock Origin | Free | Blocks; breaks sites; no audit |
| Privacy Badger | Free | Blocks based on observed behavior; no per-tier policy |
| Ghostery | $4–12/mo Premium | Blocks; tier upsell; commercial owner |
| AdGuard | $30/yr | Network-level; not in-browser sandbox |
Free with full functionality · Pro $4/mo or $39/yr (encrypted cross-device sync, advanced rules, audit export) · Teams $8/seat/mo. Free tier's job is to drive Agnesi adoption. Paid ceiling alone is bounded ($200–500k ARR); strategic value is the Agnesi onboarding funnel.
Risk: MV3 limitations tighten further; ad-tech detects and adapts to fake-value patterns; uBlock adds tier-gated cookie behavior. Inflection: a viral privacy moment (data breach, regulatory action) + Chrome Web Store ranking.
Scottish Gaelic for "to weld together." The Model Context Protocol harness that makes every OF product agent-callable, with Agnesi gating every call.
Model Context Protocol is becoming the default way AI agents call tools. If the OF stack isn't MCP-native, it doesn't exist for the next generation of AI consumers. Tàth is the bridge: a single MCP server that exposes every relevant OF capability — credential release, context memory query, SSH session, cookie policy lookup, identity disclosure — through one protocol surface, with Agnesi gating every call.
Planned 4-sprint scope: scaffolding → Agnesi + Bealach surface → Sequentem + Telkes surface → HTTP / SSE transport + OSS release. Pure Rust. Likely graduates to Cadastral Commons governance once stable.
Tàth is the AI integration layer. It is the surface area where the OF portfolio becomes infrastructure for any privacy-respecting AI agent. Without Tàth, OF is a set of consumer products; with Tàth, OF is a stack other people build agents on top of.
Backlog. Plan scoped in OPE-181 → OPE-184. Sprint 0 scaffolding kicks off once Agnesi Phase 4 stabilizes.
Not a competitive product per se — it's distribution infrastructure. The differentiation is that no other privacy-first portfolio has anything analogous. Cloudy-AI stacks (Zapier MCP, etc.) exist; sovereignty-first MCP harnesses don't.
Free, OSS. No buyer. The strategic value is the distribution multiplier for Sequentem and Telkes.
Risk: MCP doesn't reach protocol consensus; competing protocol takes hold. Inflection: MCP becomes the default agent tool-call protocol; Tàth becomes the default privacy-respecting backend.
A branded Thunderbird distribution with a Rust classifier daemon that runs a local LLM. Email triage for buyers whose content cannot leave the device.
Named for Jocelyn Bell Burnell — discovered pulsars, denied the Nobel. Email classification with a local LLM is the privacy-conscious answer to the SaneBox / Hey / Superhuman market: same workflow value, no third-party cloud reading your mail. Journalists, healthcare, legal, and GDPR-strict orgs are forbidden from sending email contents to OpenAI; Burnell is the credible answer.
The original plan was a from-scratch Rust IMAP client. Scope pivoted: Burnell now ships as a branded Thunderbird ESR Tier 2 distribution (direct precedent: Betterbird, Interlink, the historic Eudora OSE). Product surface:
burnell-dist is the patch set against Thunderbird ESR plus
branding plus signed installers for macOS / Windows / Linux, with an
OF-controlled update channel (Mozilla AUS-compatible).
The local LLM is the differentiation. Ollama or llama.cpp runs on the
user's machine; mail headers and bodies are classified locally; no
content ever ships to OpenAI / Anthropic / Google. For users whose
content sensitivity mandates this (the GDPR-strict / healthcare / legal
/ journalism segment), Burnell is one of the few credible options. The
ConfiguredProvider abstraction also supports cloud LLMs for
users who prefer them, but local is the headline.
Q3 2026 kickoff. Sub-issues B-8 through B-12 seeded under OPE-157. B-8
(MailExtension scaffolding, OPE-222) is the unblocker. The
classification approach itself has been validated against 240k+ emails
on an independent research harness — that experimental work informed
burnell-core's pipeline design but is not part of the OF
portfolio.
The combination — local LLM + IMAP-agnostic + native Thunderbird distribution + Agnesi-gated workflow engine + REST API — has no direct competitor. SaneBox is cloud-only and content-sensitive segments can't use it. Hey is a closed ecosystem. Superhuman doesn't classify. Local-AI email triage exists only as scattered Python scripts; Burnell is the first packaged product.
| Tool | Pricing | Est. ARR | What it lacks |
|---|---|---|---|
| SaneBox | $7–36/mo | $5–10M | Local LLM; content sensitivity; API |
| Hey | $99/yr | Mid | Local LLM; IMAP openness |
| Superhuman | $30/mo | $30M+ | Classification; local AI; price-accessibility |
| Gmail filters | Free | Dominant | Sophistication; local control |
Individual $79/yr (cloud LLM) · Pro $149/yr (local LLM, zero cloud telemetry) · API $99–499/mo by volume · Teams $12/seat/mo. Primary buyer: privacy-restricted professionals at the Pro tier — journalists, lawyers, doctors, GDPR officers — who cannot use SaaS email AI. Secondary: SMB Teams. Tertiary: developers via API.
Risk: email is brutal as a category; Mailbird, Spike, Polymail all struggling. Distribution > features. Inflection: a single privacy-restricted vertical (legal, healthcare) standardizing on Burnell creates a beachhead.
Scottish Gaelic for "small hamlet." Federated broadcasting where the trust graph — not an algorithm — decides what reaches whom.
Federated social (Mastodon, Bluesky) solved decentralization but didn't solve trust. Crypto-anchored social (Lens, Farcaster) solved decentralization but stayed in the extraction trap. Clachan's bet: the missing ingredient is verified trust as a gating mechanism — content visibility, RSS feed eligibility, and federation routing all determined by Agnesi tier, not by an algorithm. Bot-proof by design because every participant requires a verified identity.
Reed-Solomon erasure coding (k=3 / n=4) for content distribution. BitTorrent DHT as transport substrate. Agnesi ZKP gating at the visibility layer. Metadata privacy phased: Agnesi-gated DHT (MVP) → private DHT (at scale) → hybrid (long-term).
AI's role in Clachan is constrained, not constitutive. Bots cannot freely participate — they need verified identities, and trust scores accumulate (or don't) through repeated interaction with humans. AI can amplify reach within a trust tier, but cannot cross trust boundaries it hasn't been granted. This is the architectural answer to the "AI-generated content floods social media" problem.
Concept stage. Q1 2027+. Hard dependency on Agnesi Phase 4 ZKP being stable and battle-tested. Architectural decisions made; implementation deferred until the substrate can carry it.
TBD. Likely freemium with paid federation hosting / advanced privacy tiers. Modeled as $0 through Y3 — strategic moat, not revenue line.
Risk: social products are category-defining or die in obscurity; little middle ground. Cold-start severe. Inflection: Agnesi reaches 10k+ users and the trust graph becomes dense enough to seed Clachan organically.
The mid-case Y1 number is $115k ARR across the portfolio with one person — founder unpaid, no hires. The goal is not revenue maximization; it is signal collection. Three signals matter:
Whichever fires first triggers the first hire.
Bealach + Telkes shipped as a tight bundle. The cross-sell pitch writes itself: "You bought Bealach, the credential vault is $5/mo extra and your SSH keys live in it." Attach rate > 30% is the threshold for Telkes scaling with Bealach; < 10% means Telkes is a side project, and the focus stays on Bealach. First contractor hire (Windows / Linux port, 3–6 months, $30–60k one-time) is the Y2 lever — triples Bealach TAM by mid-Y3.
Once sustained $500k ARR is real, Engineer #2 (Rust + Swift, senior) frees the founder for sales motion. Founding GTM hire (sales-engineer hybrid) converts the enterprise pipeline. This is the difference between $500k and $1.4M run-rate by end of Y3 — not because of more hours, but because of converted pipeline.
Engineer #3 (Windows / Linux specialist) ships Bealach v2 and Telkes Windows backend — the single largest dollar lever in the portfolio. CS / Support hire holds team-account NRR > 110% rather than leaking to 85%. Designer (contract or FT) closes design debt across products as the portfolio expands.
Marketing / Content lead drives the growth engine past $3M ARR (SEO, content, community, partnerships). Engineer #4 (ML / LLM) takes Burnell's local-LLM tier from headline feature to plug-and-play default.
| Year | Bealach | Telkes | Burnell | Sequentem | Crumbox | Total |
|---|---|---|---|---|---|---|
| Y1 | $60k | $20k | $20k | $5k | $10k | $115k |
| Y2 | $200k | $80k | $80k | $25k | $50k | $435k |
| Y3 | $500k | $200k | $250k | $80k | $120k | $1.15M |
| Y4 | $900k | $400k | $500k | $200k | $200k | $2.2M |
| Y5 | $1.4M | $600k | $800k | $400k | $350k | $3.55M |
| Scenario | Y5 ARR | What it assumes | Feasibility |
|---|---|---|---|
| Worst case | $800k–1.2M | Bealach stalls at individual tier; Telkes can't attach; Burnell rebuild slips; Sequentem and Crumbox never monetize. | Still a sustainable solo business. |
| Mid case | $3.55M | Rollup above. Some products underperform; others compensate. | Solo-feasible only with some underperformance. Otherwise hiring required. |
| Bull case | $5–7M | Bealach lands flagship enterprise anchor; Burnell local-LLM tier becomes privacy-mandate default; Tàth + Sequentem catch the agent wave. | Not solo-feasible past Y3. |
| Year | Solo | Phased | Team EOY | Payroll | % of ARR |
|---|---|---|---|---|---|
| Y1 | $115k | $115k | 1 (founder) | $0 | 0% |
| Y2 | $435k | $480k | 1 + contractor | $40k | 8% |
| Y3 | $1.15M | $1.4M | 2–3 FTE | $260k | 19% |
| Y4 | $2.2M | $3.2M | 4–5 FTE | $670k | 21% |
| Y5 | $3.55M | $5.5M | 6–7 FTE | $1.15M | 21% |
Payroll stays at 19–21% of ARR through Y5 — healthy SaaS ratio. Hires trigger by ARR threshold, not calendar; if signals don't fire, the hire waits.
| Risk | Severity | Mitigation |
|---|---|---|
| Apple ships native context-tiered identity | High | Agnesi positions as cross-platform / portable. Apple's version will be macOS / iOS-only and vendor-bounded. |
| Solo founder burnout | High | Hire triggers are signal-gated; the model holds at $800k ARR worst-case. Don't ship products without strict scope guards. |
| Distribution failure | High | Bealach is the spine — every other product attaches. Focus is on Bealach team-tier traction before fragmentation. |
| MCP doesn't reach consensus | Medium | Tàth slips, Sequentem distribution stalls. Sequentem absorbs the delay; not fatal because it isn't a Y1–Y2 revenue dependency. |
| 1Password / Bitwarden add context features | Medium | Telkes's structural P2P sync and Agnesi-native architecture are not copyable without rebuilding their stack. |
| Email category fatigue (Burnell) | Medium | Pivot to Thunderbird distribution reduces build risk and increases distribution credibility. |
| Regulatory rollback (US) | Low | EU regulation is the binding constraint; US is downstream. Brand thesis holds even with US backsliding. |
Two structural trends are converging. Regulation is making extraction-based platforms compliance-impossible. AI agents are becoming the primary interface users have with their tools — and AI agents need credentials, memory, infrastructure access, and contextual understanding of who their user is to whom, in what context. Today, the only credible way for an AI agent to do those things is to ship the user's data to a third-party cloud.
OpenFoundries is the structural answer to both. A privacy-first portfolio whose products are compliant-by-architecture and whose agents can serve AI workflows without sending content to a third-party cloud. The free, GPL-3.0 substrate (Agnesi) creates a one-way switching cost that compounds across products. The bundles (DevOps and Privacy) give each individual product real revenue without depending on portfolio uptake. The OSS layer (Tàth) is distribution infrastructure, not a cost center.
This is buildable solo to $500k ARR. With phased hires triggered on signal, it reaches $3.55M mid-case / $5–7M bull-case by Y5. Profitability arrives mid-Y3 in the phased-hire model. No VC pressure is required before $3M ARR — and accepting it earlier distorts the brand thesis that makes the portfolio defensible.
The bet isn't on a single product winning. It's on the architectural axiom: that a sovereignty-first stack with a free identity substrate is the right shape for the next decade of regulation, AI, and user expectations — and that one focused builder can ship it before the incumbents copy the surface but fail to copy the structure.
Any one of these is a substantial business. The architecture says all three are reachable from where the portfolio stands today.