Garage 30
AI agentsAI automationsmall businessNew Zealand

What does a personal AI operating system actually look like?

A personal AI operating system explained: shared memory, an assistant you talk to, and background AI workers with real jobs and hard limits. I run one daily.

Casey Hemingway··11 min read

A personal AI operating system is three parts working together: one memory every agent shares, one assistant you actually talk to, and a fleet of background workers with real jobs, real schedules, and hard limits on what they're allowed to do. Not a chatbot with ambitions. A system. I run one every day, and this is how it works.

Why I built one

I run a consultancy from Queenstown alongside a day job, and at home we have three kids under two. The maths doesn't work. There is no version of that week where I keep every promise, chase every loose end, and still do the thinking people actually pay me for.

The standard AI advice solves the wrong problem. It makes you faster at typing. Typing was never my bottleneck. The bottleneck was everything that fell through the cracks the moment I stopped watching: the follow-up not sent, the promise not tracked, the number not checked.

What I needed wasn't a better chatbot. It was staff. So I built some. The system has three named parts: Claudia, Henry, and the Station. The parts turned out to be the easy half. The half that matters is the trust architecture wrapped around them, and that's the part worth reading this for.

The three parts

Claudia is the memory. A database on my Mac holding facts, people, commitments, decisions, and a ledger of everything the system does. Every agent, interactive or background, reads and writes this same brain. That's what turns a pile of AI tools into a system. When the inbox worker spots a promise in an email, the commitment sweep already knows about it the next morning. Nothing has to be re-explained, ever.

Henry is the front door. The assistant I actually talk to. Henry handles the judgment work: triage, drafting, strategy, anything that crosses domains. When I sit down at the desk I'm talking to Henry, and Henry has already read what the workers did overnight.

The Station is the workforce. Scheduled background jobs that run whether or not I'm at the machine. Each one is named after its work, never given a persona: inbox clearing, a commitment sweep, a dispatcher, a weekly ads analysis loop. A worker is a job description, a schedule, and a leash. That framing matters more than it sounds. The moment you give a background process a personality, you start trusting it like a person instead of auditing it like a process.

A day in its life

Before 7am, the overnight email has been triaged and the replies worth writing exist as drafts, sitting in my email client waiting for review. The system never sends anything. It prepares; I approve.

At 7:00 the commitment sweep runs: every open promise I've made, cross-checked against what actually happened overnight in email and project tools. It once flagged a proposal I'd told a prospect was coming that had quietly sat unsent for six weeks. Nobody else was going to catch that. Honestly, I wasn't either.

Then the morning brief: one page, attention items first, plus an overnight report from the fleet. Every worker checks in after every run, so the brief can say "all quiet" and mean it.

Through the working day, a dispatcher sweeps every 30 minutes. New email, new tasks, changes in the project tools. It sorts each item into handled, needs-me, or blocked, deals with the reversible stuff itself, and sends exactly one notification when something genuinely needs a human. Most sweeps end in silence, and the silence is earned: "nothing happened" only counts when the worker can show it actually looked.

Monday at 7:30 the ads loop pulls the completed week's advertising data for two retail clients, compares it against history, flags anomalies, and drafts the client update. Drafts it. Never sends it.

And on Friday the system reviews itself. It reads its own failure logs and the week's check-ins, clusters the recurring friction, and writes me ranked proposals for what to fix or build next.

There's a small badge in my Mac's menu bar showing the fleet's status at a glance. Boring is the goal. Boring means it's working.

The rules that make it trustworthy

Here's the part most agent setups skip, and it's the only part that matters. Capability was never the hard bit. Trust is the hard bit, and New Zealanders know it: KPMG's 2025 trust research found fewer than half of us believe AI's benefits outweigh its risks. Fair enough. Most AI setups haven't earned it. Here's how mine tries to.

The leash is enforced, not promised. Every worker runs under a permission profile that caps which tools it can touch. It isn't asked nicely to stay in its lane; the runtime blocks anything above its level. Trust increases in increments, earned by a clean track record, the same way it would for a new hire.

Some things are never autonomous. Sending, publishing, paying, deleting shared data. Hard floor, no exceptions, and no trust level unlocks it. Every external action in this system ends with a human pressing the button. This floor is also the honest answer to prompt injection, the attack where a malicious email tries to talk your agent into acting for the attacker. It's the technique behind agent goal hijacking, the risk OWASP ranks number one for agentic systems in 2026. You don't beat it by hoping the model stays sensible. You beat it by making the dangerous actions impossible without a human.

Evidence or it didn't happen. Every run ends with a check-in: what happened, with proof, written to the shared ledger. A worker claiming "all quiet" has to show its working. This sounds like paranoia until the first time a worker crashes silently, because a crashed worker that says nothing looks identical to a healthy worker with nothing to report. Force the difference into the open and the whole system becomes auditable.

Every recurring job runs a learning loop. Produce the work, record what was produced, capture how I responded (accepted, edited, rejected), and read that track record before producing again. The inbox drafts and the ads analysis get noticeably closer to what I'd have written myself, month on month, because the system studies its own feedback instead of repeating a prompt.

It repairs itself, with a human gate. When a job fails, a repair process investigates and proposes a tested fix on a branch. I review it, then merge or reject. It never ships its own fixes, and a fix that later fails is treated as a diagnostic to improve, never quietly rolled back. Systems that hide their failures don't improve. They decay politely.

What it gets wrong

Something breaks most weeks. Genuinely. Early on, jobs collided over shared resources and knocked each other over. Workers failed silently until I built the rule that silence needs evidence. The self-repair loop exists precisely because running a slightly broken system for a week without noticing is the default state of unattended software.

So that's the honest shape of it: not a flawless robot workforce, a system with an immune system. If someone sells you autonomous AI agents with none of this scaffolding, you're being sold the demo, not the system.

The principles transfer even if you never build one

You don't need my setup for this to be useful. Four things carry over to any business:

Start with what you repeat. The jobs worth delegating are the ones you already do on a rhythm and can describe precisely. For most small businesses that's admin: follow-ups, triage, reporting. If you can't write the job description, an agent can't hold the job.

Wrap what already works. Every worker in my fleet wraps a workflow I'd already refined by hand. The proven process is the asset; the AI is the scheduler and the extra pair of hands. Automating a process you haven't fixed just makes the mess faster. It's the same pattern I've seen across 20-plus digital builds in NZ.

Give trust in increments. New workers start read-only and drafting. Wider permissions get earned with a clean record, and some things stay human forever. If your agents touch customer data, the NZ Privacy Act adds a floor of its own.

Demand evidence. Whatever runs unattended reports back with proof, every run. No news is only good news if the worker can show it looked.

This is the same thinking behind the AI automation systems I build for clients at Garage 30: narrow agents wrapped around processes that already work, a shared memory of the operation, permissions that are enforced rather than promised, and one metric that says whether it's paying for itself. There's a case-study write-up of my setup if you want the running version, hands-on training if you'd rather learn to run one yourself, and client work starts with a short, scoped discovery. If you're wondering which parts of your week could run themselves, a 30-minute call is the fastest way to find out.

How it's actually wired

For the technical readers; everyone else already has what they need.

  • Runtime: Claude Code running headless on schedules via macOS launchd. One lockfile per job, hard timeouts, logs per run. Claude Code now offers a hosted scheduler (Routines); I stay local because the credentials never leave my Keychain, every tool shares the one memory, and there's no run ceiling.
  • Jobs: each worker is a markdown file with YAML frontmatter (schedule, permission level, timeout) and the job prompt as the body. Version-controlled like any other code.
  • Memory: a local Python MCP server over SQLite, with vector embeddings for semantic search. Every agent mounts the same server, which is what makes the memory shared rather than per-tool.
  • Permissions: per-job settings profiles define the leash, and a pre-execution hook blocks any tool above the job's level. The never-autonomous floor sits above every profile.
  • Credentials: macOS Keychain behind a small resolver script. Workers can only resolve secrets in their own domain's namespace, so a consulting job can't read the day job's keys.
  • Tool scoping: each domain gets its own MCP config listing only the servers it needs, so workers load a fraction of the tooling and stay fast and focused.
  • Status: a SwiftBar menu-bar readout over the check-in ledger, refreshed every minute. One glance for fleet health, one click to act on anything stuck.

Local-first, deliberately. The model is the only remote piece; the memory, the credentials, the files, and the ledger all live on the Mac.

Total moving parts: one computer, one AI subscription, a folder of markdown files, and a set of rules the system can't talk its way around.

Frequently asked questions

What is a personal AI operating system?
Three parts working together: a persistent memory every agent shares, an interactive assistant that handles the judgment calls, and scheduled background workers that each own one job, like clearing an inbox or sweeping commitments. The difference from a chatbot is that the system acts on a schedule, remembers everything, and reports back with evidence.
Is it safe to give AI agents access to your email and calendar?
It's safe when the limits are enforced rather than promised. In my setup every worker runs under a permission profile it cannot exceed, and nothing ever sends, publishes, pays, or deletes on its own, whatever else it is allowed to do. Workers prepare drafts and flag decisions; a human presses send. Trust grows in increments based on a track record, the same way it would with a new hire.
Do you need to be technical to run something like this?
To build it yourself right now, yes: it's markdown files, schedules, and permission configs rather than an off-the-shelf product. But the thinking transfers even if you never build one. Start from workflows you already trust, give AI narrow jobs with clear limits, and demand evidence of what it did. Those principles work at any technical level.
What does it cost to run?
One AI subscription, a few hundred dollars a month in NZD terms, plus a Mac that stays on. There is no extra software to buy; the orchestration is scripts and config on the machine. The real investment is design time: deciding which jobs are worth delegating and what the limits should be.
How does Garage 30 build this for clients?
Same architecture, pointed at a business instead of a person: a shared memory of the operation, narrow agents wrapped around processes that already work, graduated permissions, and reporting you can audit. Every build gets a definition of done and one metric that matters. If you want to work out which parts of your week could run themselves, book a 30-minute call at cal.com/casey-hemingway/30min.