A private AI agent that talks through SimpleX Chat.

Self-hosted. Persistent memory. Sandboxed tools.
Built on Mistral, encrypted end-to-end.
No accounts. No phone numbers. No metadata.

Install View Source

Apache 2.0 · Python 3.12+ · v0.1.0

How it works

You (SimpleX App)  ──E2E──>  simplex-chat CLI  ──ws──>  Mistress Runtime
                                       (in Docker)                
                                                              Vibe AgentLoop
                                                              (Mistral LLM)
                                                                   
                                                     ┌─────────────┼─────────────┐
                                                  Memory       Sandbox      Scheduler

What it does

SimpleX Chat

E2E encrypted messaging. No accounts, no phone numbers, no bot tokens. The relay sees nothing.

Persistent Memory

3-tier system: core facts always in context, session logs auto-loaded, vector search for everything else. The agent extracts its own memories.

Sandboxed Execution

Every tool call goes through an approval callback. File writes are policy-checked. Bash commands are filtered. Config and memory are protected.

EU-Hosted AI

Built on Mistral Vibe. EU-based, operating under the EU AI Act. Stricter privacy compliance than other providers.

Skills & MCP Tools

Drop a SKILL.md into skills/ and it's live. Define MCP servers in JSON. The agent can install its own tools.

Cron Scheduler

The agent creates scheduled tasks that run Python scripts from the workspace. Output is logged. Scripts inherit the sandbox.

Install

One command. The installer handles Mistral auth, SimpleX setup, and Docker deployment.

$ curl -LsSf https://raw.githubusercontent.com/mistress-agent/mistress/main/install.sh | bash

Requires: Docker with Compose · Mistral Le Chat Pro or Team subscription · Linux or macOS

9 layers of defense

  1. 1SimpleX E2E encryption — messages encrypted in transit, relay sees nothing
  2. 2ACL — admin, user, and readonly roles per contact
  3. 3Rate limiting — token bucket per user
  4. 4Tool approval — every tool call intercepted by approval callback
  5. 5Sandbox policy — path-based allow/deny for all file operations
  6. 6Bash filter — dangerous commands denied, path-aware restrictions
  7. 7Memory protection — only MemoryManager writes to memory files
  8. 8Config protection — agent cannot read or modify .env or config
  9. 9Secrets vault — API keys encrypted at rest, agent can store but never read

Memory system

Tier 1

Core Memory

MEMORY.md per user. Always in the system prompt. The agent knows who you are on every message.

Tier 2

Session Logs

Daily markdown files. Today + yesterday auto-loaded. Browsable and editable by you.

Tier 3

Vector Search

sqlite-vec + FTS5. 70% semantic, 30% keyword. Local embeddings via fastembed — no API calls.

Your memories are Markdown files. Read them. Edit them. They're yours.

Mistral Vibe · SimpleX Chat · FastAPI · SQLAlchemy · sqlite-vec · fastembed · Python 3.12+