Sokrates System Architecture
Summary
The Sokrates architecture is a distributed managed service providing on-premises AI department capabilities to Icelandic SMEs. Four subsystems — The Box, Fleet Command, the Claude Teams Surface, and The Basis — are connected by a strict security model that separates channel I/O (Hermes) from intelligence (Eidos + customer credentials).
Details
Subsystem Overview
| Subsystem | Role | Environment |
|---|---|---|
| The Box | On-premises appliance. Runs Hermes, Eidos/Hyle knowledge graph, and MCP connectors. | Customer’s office (CWWK N305, NixOS) |
| Fleet Command | Central coordination. Hosts basis registry, distributes updates (pull model). | Sokrates-controlled infrastructure |
| Claude Teams Surface | Conversational interface for employees. Curated Skills and Projects. | Anthropic’s infrastructure |
| The Basis | Accumulated enterprise AI deployment principles (Meta + Domain tiers). | Distributed (canonical in Fleet, cached on Box) |
The Periphery/Intelligence Split
The stack rejects monolithic agent frameworks in favor of a functional split:
- Periphery (Hermes Agent): “Ears and mouth.” Multi-channel I/O (Slack, Teams, Discord, WhatsApp, Telegram), heartbeats, session management. No access to customer system credentials.
- Intelligence (Eidos + agents): “Brain.” Knowledge graph queries, MCP tool execution, Socratic dialogue orchestration. Holds customer credentials (encrypted via sops-nix).
This containment ensures that a communication channel compromise (e.g., Slack token theft) cannot lead to customer data exfiltration.
Security Tiers on The Box
- Tier 1 — NixOS Flake (OS-level): Declarative nftables restricts outbound to Fleet Command + Anthropic API only. Auditable by customer IT.
- Tier 2 — Routing Layer (Application-level): Holds encrypted credentials, manages mTLS to Fleet Command via private CA. Enforces the Generalization Boundary — scrubs telemetry via Logfire pattern scrubbing + OTel Collector with customer-specific rules.
- Tier 3 — Intelligence (Eidos/agents): Deep local access via MCP servers and knowledge graph. No direct network access — communicates outward exclusively through the Routing Layer.
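The three tiers above, rendered as the kind of NixOS module a customer's IT team would audit. This is an added example, not the Sokrates flake: the service users `routing`, `eidos` and `hermes`, the egress address elements, the secrets file path, the secret names and the `eidos` unit are assumptions; only the policy (egress to Fleet Command and the Anthropic API alone, credentials owned by Tier 2/Tier 3, no network for Tier 3) comes from the page.

```nix
# Added example, not the Sokrates project's own flake module. Assumed names:
# users "routing", "eidos", "hermes", the egress IP elements (203.0.113.x is
# documentation address space), the secrets path and the "eidos" unit.
{ config, lib, pkgs, ... }:

{
  # Stock NixOS firewall keeps handling inbound; with nftables enabled it uses
  # the nftables backend, and the egress table below sits beside it.
  networking.firewall.enable = true;
  networking.nftables.enable = true;

  networking.nftables.ruleset = ''
    table inet box-egress {
      # Allowed destinations. Real elements are delivered with the Fleet
      # Command configs; the values here are placeholders.
      set fleet_command { type ipv4_addr; elements = { 203.0.113.10 } }
      set anthropic_api { type ipv4_addr; elements = { 203.0.113.20 } }

      chain output {
        type filter hook output priority filter; policy drop;

        # Hermes, Eidos and Neo4j reach the Routing Layer over loopback only.
        oif "lo" accept

        # Return traffic for connections the inbound firewall already
        # accepted (e.g. an admin SSH session).
        ct state established,related accept

        # Name resolution for the Routing Layer and the update timer.
        meta skuid { "routing", "root" } udp dport 53 accept
        meta skuid { "routing", "root" } tcp dport 53 accept

        # Tier 2 (Routing Layer) is the only process owner that may leave the
        # box, and only to Fleet Command and the Anthropic API over TLS.
        meta skuid "routing" ip daddr @fleet_command tcp dport 443 accept
        meta skuid "routing" ip daddr @anthropic_api tcp dport 443 accept

        # The flake update timer runs as root and polls Fleet Command only.
        meta skuid "root" ip daddr @fleet_command tcp dport 443 accept

        # Anything else, including every attempt by the "hermes" (periphery)
        # and "eidos" (intelligence) users, is logged and dropped. Note that
        # the page's Tier 1 rule names only these two destinations; if the
        # Hermes channel adapters talk to Slack/Teams directly rather than via
        # the Routing Layer, they need their own explicit accept rule here.
        log prefix "box-egress-drop " drop
      }
    }
  '';

  # One unprivileged system user per tier, so the skuid rules and the secret
  # ownership below actually separate them.
  users.groups = { routing = { }; eidos = { }; hermes = { }; };
  users.users.routing = { isSystemUser = true; group = "routing"; };
  users.users.eidos   = { isSystemUser = true; group = "eidos"; };
  users.users.hermes  = { isSystemUser = true; group = "hermes"; };

  # sops-nix (module imported from the flake inputs, not shown). Secrets are
  # decrypted at activation under /run/secrets with per-tier ownership, so a
  # process running as "hermes" has nothing it can read.
  sops.defaultSopsFile = ./secrets/box.yaml;          # placeholder path
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.secrets."fleet/mtls-client-key" = { owner = "routing"; mode = "0400"; };
  sops.secrets."customer/erp-token"    = { owner = "eidos";   mode = "0400"; };

  # Tier 3 hardening on top of the nftables rule: the intelligence service is
  # confined to loopback at the unit level as well. ExecStart is omitted; the
  # rest of the Eidos unit is assumed to be defined elsewhere.
  systemd.services.eidos.serviceConfig = {
    User = "eidos";
    Group = "eidos";
    NoNewPrivileges = true;
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    IPAddressDeny = "any";
    IPAddressAllow = [ "localhost" ];
  };
}
```

Two things to check after `nixos-rebuild switch`: `nft list table inet box-egress` should show the policy-drop output chain, and `journalctl -k | grep box-egress-drop` is where any process outside the Routing Layer trying to leave the box will show up.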
Hardware Budget (CWWK N305, up to 32GB DDR5)
- NixOS + Docker + Kernel: ~700MB
- Neo4j (Eidos): ~1.75GB
- Hermes (Python): ~500MB-1GB
- Intelligence agents (Python): ~200MB
- Total: ~3.2-3.7GB, leaving substantial headroom for Neo4j pagecache and future local inference
Fleet Command and The Basis
Boxes poll Fleet Command for NixOS flake updates, configs, and Basis changes. The Basis divides into:
- Meta-principles: Socratic discovery and questioning methodologies
- Domain-principles: Vertical-specific workflow patterns (e.g., Icelandic financial service approval chains)
When a Box discovers a new pattern, it’s scrubbed by the Routing Layer and sent to Fleet Command for deduplication and fleet-wide distribution.
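The pull model in this section, as an added example (not the project's configuration): the Box fetches its next NixOS generation from Fleet Command on a timer, so nothing on Fleet Command needs an inbound path into the customer network. The flake URL, schedule and the mTLS transport setup are assumptions.

```nix
# Added example, not Sokrates configuration. The flake URL is a placeholder
# for the Fleet Command flake registry; the mTLS client identity the fetch
# presents to Fleet Command is configured outside this fragment.
{ ... }:

{
  system.autoUpgrade = {
    enable = true;
    # Box pulls; Fleet Command never pushes.
    flake = "git+https://fleet.sokrates.example/box-flake?ref=stable";
    dates = "hourly";
    randomizedDelaySec = "10min";     # spread the fleet's polls over the hour
    allowReboot = false;              # switch in place; reboot only in a window
    flags = [ "--refresh" ];          # re-check the remote instead of the cache
  };
}
```

The timer runs as root, which is why the egress ruleset on the Box needs a root-to-Fleet-Command allow rule alongside the Routing Layer's; Basis cache and config updates delivered by the same poll land on the Box as ordinary flake inputs and so are versioned and rollback-able like the rest of the system.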
Product Tiers
Sókrates ships in three progressive bundles — Cowork, Code, and Compound — each expanding the agent’s autonomy and integration depth (see Sokrates Product Bundles (Cowork, Code, Compound) for full definitions).
Exit Architecture
“Exit with Dignity”: customer retains hardware, Eidos knowledge graph, and MCP connectors on cancellation. Intelligence components (basis-driven reasoning, Fleet Command connection) are deactivated.