Sókrates On-Premise Appliance (The Box)

Summary

The Sókrates On-Premise Appliance is a physical hardware-software stack deployed at customer sites to serve as the “execution layer” for the outsourced AI department. It centers on Hermes Agent (by NousResearch) as the agentic communication and automation engine, backed by Eidos (knowledge graph API) and Neo4j, all running on a hardened NixOS image. The appliance maintains a strict security boundary where data never leaves the customer’s premises.

Details

Hardware Strategy

The appliance is standardized on the CWWK 4-LAN N305 (Intel i3-N305, 8C/8T, up to 32GB DDR5, 4x Intel i226-V 2.5GbE LAN, M.2 NVMe, fanless) as the coordination tier. This replaces the earlier Beelink EQ14, which was discontinued and had RAM expandability and network driver limitations. For sovereign-tier deployments requiring local inference, the coordination box is paired with an NVIDIA DGX Spark ($3,999). See CWWK 4-LAN N305 (Sokrates Box) for full specifications and Sokrates Delivery Architecture for the two-tier model.

The hardware is intended to be a tangible manifestation of the “AI department.” In the Sókrates business model, the customer pays an onboarding fee that covers the hardware. If the subscription is canceled, the customer retains the physical box and the generic agent connectors, though they lose access to the Sókrates agent configuration (the primary intelligence and proprietary basis).

Software Architecture

The appliance runs NixOS to ensure reproducible fleet management across multiple customer sites. The stack includes:

  • Hermes Agent: An always-on operational backbone managed via the nix-hermes NixOS module. It handles multi-channel communication (Slack, Teams, Telegram, Discord, WhatsApp), proactive workflow monitoring, and Socratic dialogues with employees.
  • Eidos (GraphRAG): A local instance of the knowledge graph API (FastAPI + Neo4j + Voyage AI), allowing Hermes to reason over the customer’s specific operational context.
  • MCP Servers: Local Model Context Protocol servers that provide Hermes with scoped access to customer tools (e.g., CRM, Email, Calendar). Hermes connects to Eidos via MCP.
  • Docker Containers: All services are containerized for isolation and ease of updates.

Proactive Agency and Interaction

Unlike the Archaeologist, which is a reactive discovery pipeline initiated by a user, the Hermes agent is proactive. It is designed to “notice” patterns — such as a sales rep sending identical follow-up emails — and reach out via Slack or Teams to suggest automations or templates.

Interaction is governed by a “constrained direct engagement” model:

  1. Scoping: During onboarding, the CEO or CFO selects which employees the agent is permitted to interact with.
  2. Data Access: The customer chooses exactly which MCP servers to connect, controlling the agent’s “vision.”
  3. Mediation: While the agent interacts directly with employees for real-time signal, it also reports back to the Sókrates founders, who curate high-level insights for the customer’s leadership.

Security Boundary

The appliance is “secure by default” to satisfy the requirements of Icelandic SMEs and FinTech firms.

  • No General Internet Access: The box is configured with a default-deny nftables egress whitelist, permitting only Sókrates API endpoints, M365/Google Workspace domains, DNS, and NTP.
  • On-Premises Sovereignty: Because Eidos, Neo4j, and MCP servers live on the physical box behind the customer’s firewall, sensitive operational data never leaves the building.
  • Channel Credential Isolation: Hermes holds channel credentials (Telegram, Slack, etc.) but has no access to customer system credentials, which are isolated in the Eidos container’s encrypted secrets directory.
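One way to express the default-deny egress allowlist above on the NixOS image, as an added example that is not the nix-hermes module or any configuration shipped with the appliance. The table and set names, the TEST-NET-3 addresses and the `docker0` bridge name are assumptions; the forward chain is included because the containerized services (Hermes, Eidos, MCP servers) send bridged traffic that never passes the host's output hook.

```nix
{
  networking.nftables.enable = true;
  networking.nftables.ruleset = ''
    table inet sokrates_egress {
      # Placeholder addresses (TEST-NET-3). nftables matches addresses, not
      # domain names, so the Sókrates API and M365 / Google Workspace ranges
      # must be resolved and regenerated when the published ranges change.
      set allowed_https {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/28 }
      }
      set resolvers {
        type ipv4_addr
        elements = { 203.0.113.53 }
      }
      set ntp_servers {
        type ipv4_addr
        elements = { 203.0.113.123 }
      }
      # Allowlist shared by host-originated and container traffic.
      chain egress_policy {
        ip daddr @resolvers udp dport 53 accept
        ip daddr @resolvers tcp dport 53 accept
        ip daddr @ntp_servers udp dport 123 accept
        ip daddr @allowed_https tcp dport 443 accept
        # Everything else is logged (journald) and dropped; a hit here is the
        # detection signal for an unexpected egress attempt.
        log prefix "sokrates-egress-deny: " counter drop
      }
      # Packets generated by host services.
      chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        jump egress_policy
      }
      # Bridged Docker traffic (Hermes, Eidos, MCP servers) bypasses the output
      # hook; it is forwarded, so the same policy must be enforced here.
      chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Keep in-box service-to-service traffic (Hermes -> Eidos -> Neo4j) local.
        iifname "docker0" oifname "docker0" accept
        iifname "docker0" jump egress_policy
      }
    }
  '';
}
```

Because `ip daddr` matches only IPv4, any IPv6 egress falls through to the log-and-drop rule unless matching `ip6` sets are added. Docker still installs its own rules in separate tables, but a drop verdict in this table is final regardless of what those rules accept.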