
Two terminal agents was one too many
For most of this year we were building two terminal agents. AGTerm had a CLI and an orchestration layer of its own, and …

A surprising amount of the world’s most consequential computing happens in environments where the internet is restricted, monitored, occasionally severed, or absent entirely. Defense facilities. Intelligence agencies. Certain healthcare networks (hospital ICUs, surgical suites). Critical-infrastructure control rooms. Pharmaceutical manufacturing floors. Research labs with intellectual-property concerns. Financial trading floors during regulatory windows. The lists are long, the populations are large, and the work that happens in them is often the work where AI productivity would matter the most — if the architecture could support it.
Almost every commercial AI product assumes continuous internet connectivity to a model provider’s API. Some grudgingly support offline modes. Almost none are designed from first principles for near-airgapped operation: an environment with deliberately limited connectivity, where the internet is something that exists outside a controlled perimeter and the systems inside must function with or without it.
This piece is about that category. What “near-airgapped” actually means in practice. What AI can and cannot do inside that perimeter. What architectural decisions are non-negotiable. Why open-weights models running locally, governed by an internal policy layer, on infrastructure operated by the customer, is the only credible answer.
┌──────────────────────────────────────────────────────────────┐
│ │
│ ◀── More connected Less connected ──▶ │
│ │
│ Tier 1 — Standard internet │
│ Direct outbound to model providers; standard │
│ enterprise security stack. │
│ │
│ Tier 2 — Egress-controlled │
│ Outbound traffic mediated by proxies; allowlisted │
│ destinations; logged but not severed. │
│ │
│ Tier 3 — Near-airgapped │
│ Most workloads have no outbound internet access. │
│ A controlled set of crossings exists for updates, │
│ telemetry, and explicitly-authorized data exchange. │
│ │
│ Tier 4 — Air-gapped │
│ No outbound internet at all. Software updates and │
│ data ingestion happen via physical media or │
│ designated transfer terminals. │
│ │
│ Tier 5 — Fully isolated │
│ No network connectivity beyond the immediate │
│ operational environment. Sometimes deliberately │
│ electromagnetically shielded. │
│ │
└──────────────────────────────────────────────────────────────┘
Most enterprise AI products work fine at Tier 1 and partially at Tier 2. Tier 3 is where the architecture has to change meaningfully. Tier 4 and Tier 5 require a different posture entirely.
The reason “near-airgapped” deserves its own treatment is that Tier 3 is the largest population by a substantial margin. Most defense facilities, most healthcare ICUs, most critical-infrastructure control rooms, and most regulated trading floors operate at Tier 3. They are not fully air-gapped — they have controlled, audited connectivity for specific purposes — but they are emphatically not standard-internet environments either. The AI architecture has to fit the constraint.
For an AI system to operate inside a Tier 3 (or stricter) environment, three architectural properties are required:
┌──────────────────────────────────────────────────────────────┐
│ │
│ 1. INFERENCE INSIDE THE PERIMETER │
│ ──────────────────────────────── │
│ Foundation models must run on infrastructure inside │
│ the perimeter. Calling an external model API is not │
│ an option — the API may be unreachable, or the │
│ data going into the prompt may not be allowed to leave. │
│ │
│ Practically: open-weights models (Mistral, Mixtral, │
│ Llama, Qwen, DeepSeek, Codestral) hosted via Ollama, │
│ vLLM, or equivalent runtime inside the perimeter. │
│ │
│ 2. PLATFORM CONTROL PLANE INSIDE THE PERIMETER │
│ ──────────────────────────────────────── │
│ The platform that runs the AI workloads — runtime, │
│ workbench, governance — must operate without external │
│ dependencies. Updates can be staged in (Tier 3) or │
│ delivered by physical media (Tier 4), but ongoing │
│ operation must not require connectivity. │
│ │
│ Practically: Astrolift's vanilla-Kubernetes provider │
│ installs entirely on-prem; Zentinelle deploys │
│ alongside; the workbench surfaces work in a browser │
│ that lives inside the perimeter. │
│ │
│ 3. AUDIT AND TELEMETRY STAY INSIDE │
│ ──────────────────────────────── │
│ Logs, audit chains, telemetry, observability events │
│ all remain inside the perimeter. No cloud-hosted │
│ log aggregator. No external SaaS for monitoring. The │
│ organization's own audit and observability systems │
│ receive the data; no third party. │
│ │
│ Practically: Zentinelle's audit chain writes to a │
│ database inside the perimeter; the customer's existing │
│ SIEM or log warehouse is the destination for events. │
│ │
└──────────────────────────────────────────────────────────────┘
These three properties combined are what “AI inside the perimeter” actually means. A vendor that satisfies one or two but not all three has an offering for a different category. For Tier 3+ environments, all three are required.
The single architectural innovation that makes AI in near-airgapped environments practical in 2026 is the maturation of open-weights foundation models. The capability gap between the best open-weights models and the best proprietary US-hosted models has narrowed significantly over 2024–2026, to the point where, for a wide range of practical tasks, the local open-weights option is sufficient.
┌──────────────────────────────────────────────────────────────┐
│ │
│ What open-weights models do well in 2026 │
│ ────────────────────────────────────── │
│ │
│ • Summarization of logs, reports, documents │
│ • Classification (intent, severity, category) │
│ • Extraction (entities, facts, relationships) │
│ • Translation between human languages │
│ • Code generation for known languages and patterns │
│ • Question-answering against provided context │
│ • Drafting documents from templates │
│ │
│ What proprietary frontier models still do better │
│ ────────────────────────────────────────────── │
│ │
│ • The hardest novel reasoning tasks │
│ • Edge-case planning with extreme context lengths │
│ • Some specialized capabilities (e.g., specific │
│ multilingual or multimodal tasks) │
│ │
└──────────────────────────────────────────────────────────────┘
For most practical near-airgapped workloads — and the work that happens inside these perimeters is overwhelmingly “summarize this,” “classify this,” “extract from this,” “draft this” — open-weights models are not a compromise. They are operationally sufficient and frequently equal to the proprietary alternatives.
Mistral, specifically, has invested in open-weights tiers that target this segment. The combination of Mistral and Codestral covers most enterprise summarization, drafting, classification, and code-generation work at quality levels that satisfy regulated customers in 2026.
┌──────────────────────────────────────────────────────────────┐
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ CUSTOMER PERIMETER (Tier 3 or stricter) │ │
│ │ │ │
│ │ Workbench (browser-accessible inside perimeter) │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ Astrolift (vanilla-Kubernetes, on-prem) │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ Zentinelle (policy gateway, audit chain) │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ Local model runtime │ │
│ │ (Ollama / vLLM, open-weights models) │ │
│ │ │ │
│ │ Optional: data diode for outbound telemetry │ │
│ │ Optional: physical-media transfer for updates │ │
│ │ │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
│ No external model-provider connectivity required. │
│ No external platform connectivity required. │
│ No external audit destination required. │
│ │
└──────────────────────────────────────────────────────────────┘
This is the canonical Tier 3 topology. The runtime, the governance, and the inference all live inside the perimeter. The only outbound is for explicitly-authorized purposes (telemetry to a designated external audit destination, software updates) — and even those are typically gated by data diodes or controlled transfer terminals.
For Tier 4 (true air-gap), the topology is the same minus the outbound paths. Updates land via physical media. Audit evidence stays inside. The platform operates indefinitely without ever talking to anything outside.
The hardest operational challenge in near-airgapped AI is how to update the platform and the models without compromising the perimeter. Three patterns work in practice:
┌──────────────────────────────────────────────────────────────┐
│ │
│ Pattern 1 — Staged updates via designated proxy │
│ ──────────────────────────────────────────── │
│ A specific proxy host inside the perimeter has limited │
│ outbound access to verified update sources. Updates │
│ download, are scanned, and are then deployed inside. │
│ Common for Tier 3. │
│ │
│ Pattern 2 — Physical media transfer │
│ ──────────────────────────────────── │
│ Updates download outside the perimeter, are written to │
│ verified physical media, are transferred via designated │
│ procedures, and are deployed inside. Common for Tier 4. │
│ │
│ Pattern 3 — Internal mirror │
│ ───────────────────────── │
│ A separate, less-restricted environment maintains an │
│ internal mirror of approved versions. The near-airgapped │
│ environment pulls from the internal mirror. Common for │
│ large organizations with multiple perimeters. │
│ │
└──────────────────────────────────────────────────────────────┘
The Calliope stack is designed to operate under any of these update patterns. Container images for Astrolift, Zentinelle, the workbench, and the model runtimes are all available for offline staging. The update cadence is the customer’s, not the vendor’s.
Three industry contexts where near-airgapped AI is the most consequential:
┌──────────────────────────────────────────────────────────────┐
│ │
│ Defense │
│ ───────── │
│ Workflow drafting, intelligence summarization, │
│ logistics optimization, training-content generation. │
│ Tier 4–5 environments common. Inference must be local. │
│ │
│ Healthcare │
│ ──────────── │
│ ICU monitoring augmentation, surgical-suite documentation, │
│ imaging-pre-analysis, clinical-note completion. │
│ Tier 3 common; some Tier 4 environments. PHI cannot │
│ leave perimeter. │
│ │
│ Critical Infrastructure │
│ ──────────────────────── │
│ OT-side AI (anomaly detection, predictive maintenance), │
│ shift-handover assistance, regulator-query response. │
│ Tier 3 common. Some Tier 4 in safety-critical control │
│ rooms. │
│ │
└──────────────────────────────────────────────────────────────┘
The next two posts in this series go deeper on the defense and healthcare specifics — what workloads land, what regulations apply, what the operator experience looks like inside the perimeter. The general architecture is the same; the workloads and the specific regulatory weight are sector-specific.
For organizations evaluating AI for near-airgapped environments, the diagnostic question is:
Can you deploy this platform — and operate it indefinitely — without external connectivity, with audit evidence that satisfies your sector regulator?
The honest answer for most commercial AI products in 2026 is no. They require model-provider connectivity, platform telemetry, vendor-hosted dashboards. They cannot operate inside a Tier 3 perimeter without compromising the perimeter.
For Calliope-style private AI — Astrolift on vanilla Kubernetes, Zentinelle alongside, open-weights model runtime, audit chain inside — the answer is yes. This is the differentiator that matters most in this category. It is also why this category remains underserved by commercial AI: most vendors will not commit to architectures that do not depend on their hosted services.
Next: the same near-airgapped argument, applied specifically to defense contractors — where Tier 4 and Tier 5 environments are the default and the regulatory frame is national security rather than commercial compliance.

For most of this year we were building two terminal agents. AGTerm had a CLI and an orchestration layer of its own, and …

When Operational Reliability Is the Regulation Most regulated industries have a data-protection focus: customer …