DEV Community

Arthur Palyan
Arthur Palyan

Posted on

How We Govern 22 AI Agents on a $12/Month VPS

#ai #llm #opensource #devops

The Problem

We run 22 autonomous AI processes on a single $12/month VPS. Twelve AI family members - each with distinct roles, from email outreach to job applications to coaching to translation - operating 24/7 with minimal human oversight.

It broke constantly.

Not because the LLM was dumb. Because it was too helpful:

  • It "improved" a working proxy config and brought down 5 services
  • It spent 20 messages debugging a typo instead of dispatching a background agent
  • It timed out mid-task with zero record of what it was doing
  • It edited protected files because it rationalized "it's just a small fix"
  • It drifted from the actual problem into architecture redesigns nobody asked for

System prompts didn't fix it. We tried. The LLM would agree to every rule, then violate them within 3 messages.

Why System Prompts Don't Work

Here is what 56 logged violations taught us: promises are not enforcement.

2026-02-28T19:13:15+00:00 BLOCKED attempt to modify UNTOUCHABLE: /root/simple-proxy.js
2026-02-28T19:13:38+00:00 BLOCKED attempt to modify UNTOUCHABLE: /root/simple-proxy.js
2026-02-28T19:13:56+00:00 BLOCKED attempt to modify UNTOUCHABLE: /root/simple-proxy.js
2026-02-28T19:14:11+00:00 BLOCKED attempt to modify UNTOUCHABLE: /root/simple-proxy.js
Enter fullscreen mode Exit fullscreen mode

Four attempts in one minute to edit the same protected file. The system prompt said "never edit untouchable files." The LLM agreed. Then it tried four times anyway.

The fix was not a better prompt. The fix was a bash script that runs before every edit and returns BLOCKED.

The 7 Rules

We call it The Nervous System. Seven rules, mechanically enforced:

1. DISPATCH DONT DO - If a task takes more than 2 messages, stop. Write a task file, dispatch a background agent. Keep the main session for strategy.

2. UNTOUCHABLE = UNTOUCHABLE - 89+ protected files. Before ANY edit, preflight.sh checks the list. BLOCKED means STOP. No rationalizing.

3. WRITE PROGRESS AS YOU GO - Before each action, write what you are about to do. If you crash, the next session picks up exactly where you stopped.

4. STEP BACK EVERY 4 MESSAGES - Forced reflection cycle. "Are we solving the real problem? Is this moving toward the goal?" Say it out loud.

5. DELEGATE AND RETURN - When you dispatch work, come back. Report what was dispatched. Ask what is next. Never leave the human waiting.

6. ASK BEFORE TOUCHING - Data changes can proceed with direction. Logic changes get proposed and wait for human approval.

7. HAND OFF EVERY FEW MESSAGES - Session handoff file updated every 3-4 exchanges. If this session ends abruptly, the next instance knows everything.

Mechanical Enforcement

The key insight: enforcement happens in bash, not in prompts.

$ bash preflight.sh /root/simple-proxy.js
BLOCKED: /root/simple-proxy.js is UNTOUCHABLE.
# Logged to guardrail-violations.log with timestamp
Enter fullscreen mode Exit fullscreen mode

The LLM is instructed to run preflight.sh before any edit. If it returns BLOCKED, the LLM stops. If the LLM skips the check, the violation log catches the pattern during review.

This is not a suggestion. It is a gate.

We also added a hash-chained audit trail - every violation entry gets a SHA-256 hash of (previous_hash + entry_content). Tamper with one entry and the entire chain breaks. Verify with a single API call:

$ curl http://localhost:3475/audit/verify
{"valid": true, "entries": 56, "broken_at": null}
Enter fullscreen mode Exit fullscreen mode

Production Stats 

56 violations caught
0 bypassed
22 PM2 processes running
89+ protected files
12 AI family members
11 MCP tools
$12/month VPS (4GB RAM)
$300/month LLM subscription
24/7 autonomous operation
Enter fullscreen mode Exit fullscreen mode

The Uncle Lou Moment

Our first external deployment happened when Uncle Lou - one of our AI family members' real-world namesake - ran npx mcp-nervous-system on his MacBook Pro. The output confirmed: port 3475, SSE/HTTP/Health endpoints, Protocol 2024-11-05.

That was the moment it stopped being "our internal tool" and became something other people could actually use.

How to Install 

npx mcp-nervous-system
Enter fullscreen mode Exit fullscreen mode

That is it. One command. It starts an MCP server on port 3475 with 11 tools:

  • get_framework - the complete rule system
  • preflight_check - file protection patterns
  • session_handoff - context preservation templates
  • verify_audit_chain - tamper-evident log verification
  • emergency_kill_switch - instant shutdown
  • dispatch_to_llm - delegate tasks to background agents
  • Plus 5 more for worklogs, reflection, and rule enforcement

Works with any MCP-compatible client.

Live Demo

See the system running in production: Live Demo

View the audit trail: Audit Log

Full rules: Gateway

EU AI Act compliance mapping: EU AI Act

We posted this on Show HN: Show HN: The Nervous System - AI Governance That Actually Works

What's Next

We just shipped three competitive features in v1.1.0:

  • Kill Switch - POST /kill with auth. Instant emergency shutdown. Audit-logged.
  • Hash-Chained Audit - SHA-256 tamper-evident violation trail. Verify in one call.
  • Dispatch-to-LLM - Any MCP client can delegate heavy tasks to background agents.

Coming soon:

  • EU AI Act Article-by-article compliance certification
  • Signed evidence for each audit entry
  • Trust scoring for agent behavior over time

Works alongside Claude Code auto mode (March 12): Auto mode decides what Claude can do. The Nervous System governs how it behaves while doing it. Two layers, one production-ready stack.

Built by Arthur Palyan. The brain is powerful. It just needs a nervous system to keep it from hurting itself.

GitHub | npm | GitHub Marketplace | Live Demo

Top comments (0)