How We Govern 13 AI Agents With a File-Based Nervous System

We run 13 AI agents on a single $24/month VPS. They coach people through a game with 6,854 scenarios. They draft legal memos, research grants, scan government contracts, translate content, manage real estate leads, and handle outreach across Telegram, Instagram, and Facebook.

No Kubernetes. No managed AI services. No database for governance. Just files.

Here is how we keep them from going off the rails.

The Problem Nobody Talks About

Everyone is building multi-agent systems. Nobody is talking about what happens when agent #7 edits a config that agent #3 depends on. Or when an LLM session decides to "helpfully" refactor your production bot at 2am.

We hit this wall early. An LLM session tried to optimize a working bot. It broke three downstream processes. We lost half a day.

That is when we built The Nervous System.

What It Actually Is

The Nervous System is an MCP server - 30 tools exposed over HTTP using the Model Context Protocol. Any LLM session can call them. It handles the boring, critical kind of AI work:

• Preflight checks before any file edit
• Hash-chained audit trails for every violation
• Drift audits that catch when docs fall out of sync with reality
• Security scans that find leaked tokens and bad permissions
• Bot compliance checks that verify access controls and identity rules
• Kill switch for emergencies

No persistent LLM brain sits behind it. The tools read files, check rules, write logs. Pure functions against the filesystem.

The Preflight Check

This is the most important piece. Before any agent edits any file, it must call preflight_check. Three outcomes:

• CLEAR - edit away
• PROTECTED - ask the human first
• BLOCKED - do not touch, period

89 files are BLOCKED in our system. Production bots, core configs, anything tested and stable. An agent can read them. It cannot change them.

$ preflight_check lily-telegram-enhanced.js
BLOCKED: UNTOUCHABLE file. Do not edit. Tell Arthur.

No exceptions. No "it is just a small fix." The file says no, the agent stops.

The Audit Chain

Every governance action creates a hash-chained record:

{
  "id": 47,
  "timestamp": "2026-03-13T14:22:01.000Z",
  "type": "PREFLIGHT_BLOCK",
  "detail": "lily-telegram-enhanced.js is UNTOUCHABLE",
  "hash": "a1b2c3...",
  "prev_hash": "d4e5f6..."
}

Each entry's hash includes the previous entry's hash. Tamper with record #30 and records #31 onward all break. A blockchain for agent behavior, minus the electricity bill.

verify_audit_chain validates the entire chain on demand. No log rotation deletes it. No agent can rewrite history.

Drift Detection

Documentation lies. It starts accurate and drifts as code changes. drift_audit compares:

• What docs say a port is vs. what is actually listening
• What config says is running vs. what PM2 reports
• Whether file paths in your docs point to files that exist

Drift is the silent killer of multi-agent systems. Things work until they do not, and by then nobody remembers what changed.

Security and Compliance

security_audit walks every file looking for leaked secrets - Telegram tokens, API keys, npm tokens, Stripe keys. It checks file permissions and flags anything exposed that should not be.

bot_compliance_check verifies each agent's access controls. Our coaching bot (Lily) is public but must never break character. Our legal bot (Aram) is locked to one user. Compliance is not optional when you have 13 agents with different trust levels.

Why Files Instead of a Database?

1. Portability. Copy the directory to another VPS and governance works. No migrations, no connection strings.
2. LLM compatibility. LLMs read files natively. No ORM, no query layer. Read /path/to/file just works.
3. Human readability. When something breaks at 2am, you open a text file. Not a database client.

The File Layout

UNTOUCHABLE_FILES.txt    # 89 files no agent can touch
SESSION_HANDOFF.md       # What happened last session
WORKLOG.md               # Every change, timestamped
audit-chain.json         # Hash-chained proof trail
guardrail-violations.log # Every rule broken
nervous-system.config.json  # Project-specific setup

Point the NS at your project root and it discovers your files, sets up protection, and gives you 30 governance tools.

Real Numbers

• 13 AI agents across Telegram, Instagram, Facebook, and web
• 28 PM2 processes on one VPS
• 30 MCP governance tools
• 89 untouchable files protected
• 6,854 game scenarios served
• 0 databases for governance
• $24/month VPS

Try It

npx mcp-nervous-system

Add to Claude Code:

claude mcp add nervous-system npx mcp-nervous-system

• GitHub: levelsofself/mcp-nervous-system
• npm: mcp-nervous-system
• Live Demo: api.100levelup.com/gateway.html

Install it. Add a nervous-system.config.json pointing at your project. You get preflight checks, audit trails, drift detection, and security scans in about 60 seconds.

Stop hoping your agents behave. Make them.

---

Built by Arthur Palyan dba Levels Of Self. 13 agents. One Nervous System. Zero trust in good behavior.

Comments

[klement Gunndu]

The hash-chained audit trail is a smart move for tamper detection. Worth noting that drift_audit could catch an even subtler failure mode — when agents silently succeed but produce outputs that gradually diverge from spec, which looks fine per-action but breaks downstream over weeks.