i did not want an AI agent with access to my whole life.


i wanted an agent the team could eventually talk to directly.
but i did not want "talk to the ABALLE agent" to secretly mean "give the team a side door into my personal Obsidian vault."
so I set up Olivia: a @NousResearch Hermes agent for ABALLE, running on a VPS, living in Discord, with a @Ledger-signed permission policy.
the full vault stays local.
the VPS gets a curated ABALLE context package.
Olivia can read ABALLE notes, meetings, operating docs, and repo material.
the point is not just convenience.
the point is segregation.
ABALLE context should be shared with Olivia.
my trading notes, contacts, private projects, and unrelated vault material should not be.
she can write to work + outbox.
she cannot silently edit my Obsidian vault.
she has no sudo, no trading access, no personal contacts, no broad .env, and no live Shopify/Omnisend/Meta keys.
then I signed a permission manifest with my Ledger.
My Ledger approves the policy.
Unix permissions, Hermes config, systemd, and scoped wrappers enforce it.
that separation is what makes the team version possible later.
other people can interact with Olivia in Discord and contribute signal back into the system.
but Olivia only has the ABALLE-shaped slice of context she was given.
not everything i know.
not everything i am working on.
not everything in the vault.
that feels like the right primitive.
agent security should not be "the prompt said be careful."
it should be:
1. explicit policy
2. signed authority
3. scoped runtime
4. reviewed outbox
5. new signature for new powers
next up: Omnisend.
Olivia should be able to read list/welcome-flow metrics and create campaign drafts.
but not send.
not schedule.
not mutate contacts.
not change tags.
not touch automations.
bounded autonomy > one god agent.
the model matters.
the permission architecture matters more.
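A sketch of the scoped-wrapper idea described above for the Omnisend case, as an added example that is not Olivia's or Hermes' own code. The manifest layout, the action names (`metrics.read`, `campaign.draft.create`, `campaign.send`) and the function names are hypothetical; the hardware-wallet signature check itself is assumed to happen out of band, and the wrapper only verifies that the manifest still matches the digest that was signed.

```python
import hashlib
import hmac
import json

# Constructed sample manifest: the Omnisend scope described in the post.
MANIFEST = json.dumps({
    "agent": "olivia",
    "omnisend": {"allow": ["metrics.read", "campaign.draft.create"]},
}, sort_keys=True).encode()

# Assumption: this digest is the value approved on the hardware wallet and is
# stored where the agent's Unix user cannot write to it.
APPROVED_SHA256 = hashlib.sha256(MANIFEST).hexdigest()


class PolicyError(Exception):
    """Raised when the manifest is untrusted or an action is out of scope."""


def load_policy(manifest_bytes, approved_sha256):
    # Any edit to the manifest changes its digest: new powers need a new signature.
    digest = hashlib.sha256(manifest_bytes).hexdigest()
    if not hmac.compare_digest(digest, approved_sha256):
        raise PolicyError("manifest does not match the approved digest")
    return json.loads(manifest_bytes)


def authorize(policy, service, action):
    # Deny by default: only an exact entry in the service's allow list passes.
    scope = policy.get(service)
    if not isinstance(scope, dict) or action not in scope.get("allow", []):
        raise PolicyError(f"{service}:{action} is not in the signed policy")
    return True


def run(manifest_bytes, approved_sha256, service, action, outbox):
    # Re-check the manifest on every call so a swapped file is caught at use time.
    policy = load_policy(manifest_bytes, approved_sha256)
    authorize(policy, service, action)
    # Permitted writes land in an outbox for review, not in the live system.
    outbox.append({"service": service, "action": action})
    return outbox
```
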