Read the story
← All posts
Essay

The Case for AI You Own

The thinking behind Salmex I/O — a local-first, agentic AI platform — and why owning your AI matters more the moment it can act.

Most AI doesn't belong to the people who use it. It lives on someone else's servers, forgets you between sessions, and can do little beyond replying to what you type. You rent a conversation — and when it ends, nothing remains.

Salmex I/O was built on a simple conviction: your AI should be yours, it should do more than talk, and it should be safe enough to trust with real work. This is the thinking behind it.

Two problems, one platform

The AI industry has two problems that feed each other.

The first is ownership. People pay for ChatGPT, Claude, Gemini — and in return get a chat window on someone else's infrastructure, governed by someone else's rules, with their context locked inside a silo. Switch providers and you start from scratch. Preferences, project history, accumulated context — gone. Every provider builds walls, not bridges.

The second is capability. The models are extraordinary, but most products wrap them in the same narrow interface: a text box and a response pane. They can reason, summarise, and generate — but they can't act. They can't research a topic and save the results to your project. They can't send a message on your behalf. They can't execute code, monitor a system, or follow up tomorrow if nobody replies.

Salmex I/O set out to solve both — not with two products, and not by stitching together five tools and a Docker compose file, but with one platform that ran on your own machine, connected to any LLM provider, and carried the tools, memory, and safety architecture to actually do things on your behalf.

AI that acts

Salmex I/O wasn't a chatbot. It was an agent with real tools and real execution.

It had an embedded coding agent that read, wrote, edited, and executed files across a project. A multi-engine web search system — Perplexity, Brave, Google — with intelligent routing and a deep-research mode. A plugin system to extend the agent with anything you could build. Ask it to "research the top competitors and summarise their pricing," and it searched the web, synthesised the results, and saved a report. Ask it to "refactor this module," and it read the codebase, planned the changes, and edited the files.

And it worked across every channel you already used. Telegram, Slack, Discord, the CLI, the web — same agent, same memory, same tools. Start something from your phone; review the results on your laptop. The context followed you because the agent was persistent, not per-session.

AI that knows when to ask

This is where most agent platforms break. An agent that can act is powerful. An agent that can act without guardrails is dangerous.

The risk isn't hypothetical. When autonomous coding agents first went mainstream, OpenClaw became the obvious choice — API keys wired into the config, full access to the filesystem, the terminal, project directories. It was fast and capable. Then the audits arrived: 512 vulnerabilities, 8 critical, an enterprise-readiness score of 1.2 out of 5. Credentials sat in plain text in ~/.openclaw. No encryption. No auth on the gateway. Any malicious webpage could hijack the WebSocket and execute commands as the user.

OpenClaw reached 250,000 GitHub stars — faster than React — because people want AI that does things. But then CVE-2026-25253 handed attackers arbitrary code execution, followed by five more CVEs. 1,184+ malicious skills in the official registry. One AI-safety director's agent deleted her emails without permission. Microsoft concluded it was "not appropriate to run on a standard personal or enterprise workstation," and recommended a dedicated virtual machine just to use it safely. A dedicated VM — to run a productivity tool.

Salmex I/O took a different approach. Every tool call passed through a structured pipeline with an LLM judge — a separate model that reviewed high-impact actions before they ran. Four risk levels. Reading a file happened instantly. Executing code, sending a message, calling an external API — the agent paused and asked. A notification arrived on whatever channel you were on: "The agent wants to deploy the staging build. Approve or deny." You decided. It proceeded. Everything was logged.

Here's the counterintuitive part: safety didn't limit what the agent could do — it expanded it. Without a judge, you'd never trust an agent with real stakes; you'd confine it to drafts and suggestions — a chatbot with extra steps. With one, you could hand it progressively more. Routine tasks ran autonomously. High-stakes tasks came to you. Over time the boundary calibrated itself. The result wasn't a restricted agent. It was a trusted one.

AI that remembers

An agent without memory is just a script that runs once. Salmex I/O had three tiers: session transcripts that preserved every conversation, working memory that tracked current goals, and long-term memory powered by PostgreSQL and pgvector — hybrid retrieval that learned what mattered over weeks and months.

It remembered preferences, project decisions, which approaches worked and which didn't. Each interaction made the next one better. That wasn't a retention trick — it's how a personal tool should work. And because the memory lived on your machine, it was yours: not locked in a provider's cloud, not wiped when a subscription lapsed.

AI that's yours

Salmex I/O was a single Go binary. No npm supply chain. No 1,200 dependencies to audit. It ran on your machine, connected to any LLM provider — Anthropic, OpenAI, Google, or fully local with Ollama — and stored everything in your own PostgreSQL database. Your data never left your infrastructure unless you chose to connect an external API.

This matters more once AI can act. A chatbot that leaks your data is bad. An agent that leaks your data while holding access to your filesystem, your messages, and the ability to execute code is catastrophic. Ownership isn't only a philosophy. When the AI is agentic, it's a security requirement.

What it was

None of this was a roadmap — it ran. Telegram and CLI channels. A coding agent with full tool use. Multi-engine web search with deep research. Three-tier persistent memory. The LLM judge with four risk levels and human-in-the-loop escalation. Session branching. A plugin system. AES-256-GCM encrypted configuration. A desktop app for macOS. Every capability passed through the same safety pipeline — the principle was always to ship less and ship it right rather than race to a feature list nobody trusts.

Your AI should be infrastructure you own, not a service you rent. It should do more than talk — it should act on your behalf. And it should know when to ask before it acts.

Salmex I/O has since been sunset. The product is no longer available — but the argument behind it, that AI should be owned, capable, and trustworthy, has only grown more relevant as agents grow more powerful.