About
Why this exists
You want a personal AI agent that reads your email, manages your calendar, summarises your news feeds, searches the web on your behalf, posts to your blog, and runs scheduled jobs. You don’t want a second subscription fee, a second privacy policy, a second “we may use your content to improve our models” clause, or a second party between you and the hardware you already own.
The cloud-AI industry’s deal is this: pay a monthly fee, hand over your prompts and context, hope the vendor’s retention policy matches what they tell you, hope their training policy doesn’t change next quarter, hope they’re still around in two years, hope the model you rely on doesn’t get deprecated mid-workflow, hope the rate limit doesn’t tighten the month you need it most. That’s a lot of hopes.
You already own the hardware that can run a 26-billion-parameter Mixture-of-Experts model with a 3.8B active path at roughly the same speed as the hosted alternatives — or you can buy a used Apple Silicon Mac Mini for about the price of two years of a chat subscription. The model, the inference runtime, the container stack, the DNS layer, the backup tool, the mesh VPN are all already open source. The missing piece is the fifteen-minute install from “freshly booted Mac” to “Telegram bot that reads your inbox.”
That’s yabby. It’s glue code and a wizard. The glue is careful, the wizard asks for everything, and nothing is hardcoded.
It is not the easiest way to have an AI agent. It is, as far as we can tell, the easiest way to have one that nobody else can read, train on, throttle, deprecate, or turn off.
Who this is for
- Privacy-minded power users who don’t want their inbox contents training next quarter’s commercial model
- Homelab people with an Apple Silicon Mac Mini gathering dust or a line item in this month’s budget
- Security-focused operators who read every `docker inspect` before they run a compose stack
- Anyone who wants a real agent without vendor lock-in — your domain, your mail, your calendar, your model, your hardware
Who this isn’t for
- Beginners who want a one-click hosted service. This is not that.
- People with less than 24 GB unified memory. The default model won’t fit. Smaller models work but we don’t certify them.
- People uncomfortable running `bash <(curl ...)` from a public repo. Read the script first if that’s you — that’s what we’d do.
- People who want turnkey Linux support. The project is deeply Apple-Silicon-shaped and isn’t trying to be anything else. Forks welcome; upstream churn for a Linux port is not.
Design principles
A handful of load-bearing rules. There are more in the project’s internal docs, but these are the ones that shape everything visible:
- Local-first, private by default. No cloud LLM provider on the hot path. Ever. Inference is native Apple Silicon via mlx-vlm.
- Generic by design. No hardcoded domains, IPs, email addresses, or usernames anywhere. The wizard asks for everything. The project works for any domain on any DNS provider.
- Deny-by-default tool policy. No ClawHub skill installs. After the 2026 ClawHavoc supply-chain incident, the registry is not trustworthy. This is not negotiable.
- SHA256-pinned container images. Every image is pinned by digest. No floating tags, no Watchtower, no auto-update-on-push. Updates go through a reviewable `scripts/update.sh` path with a 14-day age gate.
- No externally exposed ports. Resend handles inbound mail. Everything else is loopback or Tailscale-only. Port 25 is not open and is not coming back.
- FileVault is the at-rest boundary. Secrets live in `~/.yabby/secrets.env` (mode 0600). No Keychain dance, no env-vars-in-logs. The install hard-requires FileVault.
How it works
Roughly: a native mlx_vlm.server process supervised by launchd does inference on 127.0.0.1:11435. A hardened Docker Compose stack on two isolated networks runs the agent gateway (OpenClaw), a local CalDAV server (Radicale), a DNS firewall (Blocky), private search (SearXNG), per-container egress rules (iptables on the DOCKER-USER chain), and a log viewer (Dozzle). Outbound and inbound mail go through Resend’s HTTPS API, so there is no local MTA and no port 25. Tailscale is the auth layer for remote access.
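One way to check a Compose stack against the digest-pinning and loopback-only rules from the design principles, plus the 0600 rule for the secrets file, as an added shell example that is not yabby's own code. The Compose snippet, service names, image names, ports and digests below are constructed for the example; the script assumes two-space YAML indentation, treats any `ports:` entry not bound to 127.0.0.1 or [::1] as exposed (a Tailscale-bound address would need its own allowlist), and the FileVault check is macOS-only because it relies on `fdesetup status`.

```shell
#!/usr/bin/env sh
# Added example, not yabby's own code: audit a Compose file for unpinned images
# and host-exposed ports, and check a secrets file for mode 0600.

# Constructed sample (two-space indentation). gateway is compliant; search uses a
# floating tag and binds 0.0.0.0; logs publishes a bare host port.
SAMPLE_COMPOSE='services:
  gateway:
    image: registry.example/openclaw@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    ports:
      - "127.0.0.1:8000:8000"
  search:
    image: registry.example/searxng:latest
    ports:
      - "0.0.0.0:8080:8080"
  logs:
    image: registry.example/dozzle@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
    ports:
      - 9999:8080
'

# Print "service image" for every image: line not pinned to @sha256:<64 hex chars>.
unpinned_images() {
  printf '%s\n' "$1" | awk '
    /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { svc = $1; sub(/:$/, "", svc) }
    /^[[:space:]]*image:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*image:[[:space:]]*/, "", ref); gsub(/["'"'"']/, "", ref)
      n = index(ref, "@sha256:")
      if (n == 0) { print svc, ref; next }
      d = substr(ref, n + 8)
      if (length(d) != 64 || d ~ /[^0-9a-f]/) print svc, ref
    }'
}

# Print "service binding" for every ports: entry that is not bound to loopback.
# Only the "- ..." lines directly under a ports: key are considered entries.
exposed_ports() {
  printf '%s\n' "$1" | awk '
    /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { svc = $1; sub(/:$/, "", svc); inports = 0 }
    /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
    inports && /^[[:space:]]*-[[:space:]]*/ {
      entry = $0
      sub(/^[[:space:]]*-[[:space:]]*/, "", entry); gsub(/["'"'"']/, "", entry)
      if (entry !~ /^127\.0\.0\.1:/ && entry !~ /^\[::1\]:/) print svc, entry
      next
    }
    { inports = 0 }'
}

# Run both checks. Prints each finding with a prefix; returns 1 if any, 0 if clean.
audit_compose() {
  findings=$( {
    unpinned_images "$1" | sed 's/^/unpinned-image: /'
    exposed_ports "$1" | sed 's/^/exposed-port: /'
  } )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  echo "compose: clean"
}

# True iff the path is a regular file whose mode is exactly 0600 (-rw-------).
# ls -ld output is cut to its first ten characters so macOS xattr markers are ignored.
secrets_mode_ok() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# macOS-only: true iff FileVault reports itself enabled. Not exercised on Linux.
filevault_on() {
  fdesetup status 2>/dev/null | grep -q 'FileVault is On'
}

# Usage on the constructed sample; returns 1 because the sample is not clean.
audit_compose "$SAMPLE_COMPOSE" || :
```

Point `audit_compose` at the real Compose file (`audit_compose "$(cat docker-compose.yml)"`) and chain it with `secrets_mode_ok ~/.yabby/secrets.env` and `filevault_on` in a pre-flight step; a non-zero exit from any of them is the signal to stop before `docker compose up`.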
The full architecture diagram, component table, network segmentation map, and email/calendar/blog flow diagrams are in the README on GitHub. We don’t repeat them here because ASCII diagrams drift out of sync with the thing they describe the moment you write them twice.