Build, deploy, and orchestrate neural-grade services.
The complete reference for the AxonStellar platform — from your first service to autonomous agent orchestration. Everything an operator or agent needs to ship code into the constellation.
Introduction
AxonStellar is a neural-inspired orchestration platform. Services are neurons, traffic flows along axons, and autonomous agents reason at every synapse. The platform pairs a static infrastructure layer (nginx proxies, port allocation, SSL automation) with a dynamic agent layer (the Aexyr agent, Engram playbooks, Action Potential decision model).
This documentation covers everything in the constellation:
- Quickstart — your first service in under five minutes
- Architecture — proxies, tiers, traffic flow, port layout
- Agent protocols — Action Potential, Synaptic Delegation, Engrams
- API reference — every endpoint the platform exposes
- Troubleshooting — common pitfalls and recovery paths
Start with Quickstart to ship a service, then read Core Concepts for the mental model.
Quickstart
Ship a new HTTPS-served service into the constellation in six steps. Each step takes seconds — most of the wall-clock time is waiting for the SSL certificate to propagate.
Pick a port
Choose a free port in the 9551–9580 tier-1 range.
Scaffold
Create /aexyr/usr/projects/<name>/ with your code.
Manifest
Write service.json — the entry ticket to the grid.
Launch
Use the Server Rack control API or nohup.
Provision SSL
POST to /api_certificates with your domain.
Assign
POST to /api_assignments — nginx wired automatically.
A minimal manifest
Every service must publish a service.json manifest. No manifest, no discovery, no orchestration. The bare minimum:
{
"name": "My Service",
"port": 9560,
"role": "app",
"tier": 1,
"managed_by": "aexyr",
"traffic_type": "nginx_proxy",
"start_command": "node server.js",
"working_directory": "/aexyr/usr/projects/myservice"
}start_command is mandatory
Without it, Server Rack start/stop/restart buttons fail and the control API cannot manage the service lifecycle.
Launching the service
Two ways to start a service:
- Service Control API (preferred for services with a manifest):
import urllib.request, json
TOKEN = open('/aexyr/tmp/.internal_api_key').read().strip()
H = {'Content-Type': 'application/json', 'X-Internal-Auth': TOKEN}
body = json.dumps({'action': 'restart', 'port': 9560}).encode()
urllib.request.urlopen(urllib.request.Request(
'http://127.0.0.1:80/visualizer_service_control',
data=body, headers=H, method='POST'))- Direct nohup (first-time deployment, before discovery):
cd /aexyr/usr/projects/myservice
nohup node server.js >> logs/app.log 2>&1 &Core Concepts
Six ideas you must understand to operate in the constellation effectively.
| Concept | What it is |
|---|---|
| Service | A running process bound to a port, declared by service.json |
| Manifest | The service.json file — service's entry in the registry |
| Tier | 0=system · 1=app (9551–9580) · 2=microservice (35xx) |
| Proxy chain | Internet → :443 → Web Proxy → :3550 Backend Proxy → service |
| Engram | A stored agent playbook — a recipe for a recurring task |
| Quanta | A spawned sub-agent for a delimited task |
Architecture
AxonStellar runs inside a single Docker container with a layered network model. Each layer has one job and exposes a clear contract upward.
Traffic flow
Internet :443
└──▶ nginx (Web Proxy, SSL termination)
└──▶ Backend Proxy :3550
└──▶ Service :95xx (Tier 1)
└──▶ Microservice :35xx (Tier 2)Reserved system ports
Five ports are owned by the platform and must never be reassigned:
| Port | Service | Notes |
|---|---|---|
22 | SSH | Container shell access |
44 | Process Manager | Supervisor & lifecycle control |
80 | Aexyr UI | uvicorn — agent console + APIs |
443 | Web Proxy | nginx SSL termination |
3550 | Backend Proxy | Routes to tier-1 services |
Security model
Three distinct user identities collaborate via a privilege broker:
- root (UID 0) — runs Flask/uvicorn backend, owns system configs
- aexyr-user (UID 1100) — runs all agent code (terminal, python, nodejs)
- web_serve (UID 1101) — privilege broker; owns shared credential files
Blocked at the Docker level. Privileged operations (nginx restart, cert provisioning) MUST go through the internal API.
Services & Manifests
Services are discovered automatically by scanning /aexyr/usr/projects/*/service.json. The manifest is the source of truth for everything the platform needs to know about your service.
Manifest fields
| Field | Required | Values |
|---|---|---|
name | yes | Display name shown in Server Rack |
port | yes | Integer 9551–9580 (tier 1) or 35xx (tier 2) |
role | yes | app · database · cache · queue · auth · api |
tier | yes | 0 (system) · 1 (app) · 2 (microservice) |
traffic_type | yes | nginx_proxy · direct · internal_only |
start_command | yes | Shell command to start (e.g., node server.js) |
working_directory | yes | Absolute path to project directory |
endpoints | no | Array of {path, method, description} |
connections | no | Edges to other services (rendered in Topology) |
tags | no | Free-form classification tags |
Discovery sync
After creating, updating, or deleting a manifest, sync the registry:
# POST /manifests_sync — re-scans projects/ and updates the registry
curl -X POST http://127.0.0.1:80/manifests_sync \
-H "X-Internal-Auth: $TOKEN" \
-H "Content-Type: application/json" \
-d '{}'Networking & SSL
SSL is fully automated via Cloudflare DNS-01 challenges and Let's Encrypt. Two API calls take you from no certificate to a live HTTPS endpoint, typically in 60–90 seconds.
The two-phase workflow
- Provision the certificate — DNS challenge runs in the background
- Assign the cert to a service — nginx configured + restarted automatically
# Phase 1 — Provision (fire-and-forget)
body = json.dumps({'domain': 'myapp.example.com'}).encode()
urllib.request.urlopen(urllib.request.Request(
'http://127.0.0.1:80/api_certificates?action=provision',
data=body, headers=H, method='POST'))
# Phase 2 — Assign (after status == 'active')
body = json.dumps({'domain': 'myapp.example.com', 'servicePort': 9560}).encode()
urllib.request.urlopen(urllib.request.Request(
'http://127.0.0.1:80/api_assignments',
data=body, headers=H, method='POST'))POST /api_assignments writes the nginx SSL config, restarts nginx via supervisorctl, verifies the SSL handshake, and rolls back on failure. No manual nginx work required.
The assignment API is the only correct path. Manual edits will be overwritten on the next assignment and may bypass verification.
Agent Protocols
Aexyr operates under three interlocking protocols. Every autonomous action passes through them in sequence.
Action Potential
Before executing any tool call, Aexyr computes an activation:
z = (x₁ × 0.5) + (x₂ × 0.8) + (x₃ × 0.4) + b
Output = max(0, z)x₁— Confidence (0.0–1.0): certainty the action achieves the goalx₂— Safety (0.0–1.0): how safe (1.0=read, 0.0=destructive)x₃— Necessity (0.0–1.0): how strictly necessaryb— bias:−0.9standard,−0.7development mode
If Output > 0 the axon fires and the action executes. If Output == 0 the action is gated and Aexyr asks for confirmation.
Read-Before-Edit
Every file modification follows a strict five-step cycle. No exceptions.
- READ — open the file fresh; never edit from memory
- LOCATE — find the exact target with surrounding context
- ASSERT — verify the target string exists before replacing
- EDIT — surgical, targeted modification only
- VERIFY — read back and confirm the change landed
Documentation-Before-Response
After any change inside a project, the agent updates service_changelog.md and (when affected) service_blueprint.md before responding to the user. A change without a changelog entry is considered drift.
Engrams
Engrams are stored agent playbooks — sixteen battle-tested recipes spanning four categories. Each Engram is a complete spike train: ordered steps, expected outputs, and rollback conditions.
| Category | Engrams | Purpose |
|---|---|---|
| Creation | SiteBuild, Microservice, API Stub, … | Scaffold new services from canonical templates |
| Management | Restart, Reassign Cert, Migrate Port, … | Lifecycle & configuration changes |
| Remediation | 502 Triage, Port Conflict, Cert Renewal, … | Diagnose and resolve incidents |
| Monitoring | Health Sweep, Log Audit, Vitals Capture, … | Observe and report platform state |
Quanta & Delegation
When a task exceeds a single context window or requires specialized expertise, Aexyr dispatches a Quanta — a subordinate agent with a specific profile.
| Profile | Use for |
|---|---|
developer | Code writing, debugging, refactoring |
researcher | Web research, data analysis, reports |
hacker | Security auditing, penetration testing |
default | General multi-step tasks |
After five fresh spawns, Aexyr halts and performs a synaptic loop analysis to detect stalling or looping before continuing.
API Reference
All platform APIs are served from http://127.0.0.1:80 (uvicorn) and authenticated with the internal token:
export TOKEN=$(cat /aexyr/tmp/.internal_api_key)
curl -H "X-Internal-Auth: $TOKEN" http://127.0.0.1:80/manifests_listManifests
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /manifests_list | List all discovered services |
| POST | /manifests_sync | Re-scan and refresh the registry |
Service control
| Method | Endpoint | Purpose |
|---|---|---|
| POST | /visualizer_service_control | Start, stop, or restart a service by port |
SSL & assignments
| Method | Endpoint | Purpose |
|---|---|---|
| POST | /api_certificates?action=provision | Provision a new cert via DNS-01 |
| GET | /api_certificates?action=status | Check provisioning status |
| GET | /api_certificates?action=list | List all certificates |
| GET | /api_assignments | List domain → service bindings |
| POST | /api_assignments | Bind a cert to a service (writes nginx + restarts) |
| DELETE | /api_assignments?id=… | Unbind a domain |
Engrams & agent
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /engrams_list | List available Engram playbooks |
| POST | /engrams_execute | Execute an Engram in chat or direct mode |
Operations
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /api_ops_system | System metrics — CPU, memory, disk |
| GET | /api_ops_network | Listeners and nginx state |
| GET | /visualizer_vitals | Real-time vitals with history |
| GET | /api_topology | Network graph (nodes + edges) |
Troubleshooting
The top fifteen pitfalls baked into the agent's knowledge base, ordered by frequency.
| # | Pitfall | Fix |
|---|---|---|
| 1 | Shell escaping hell (echo, heredoc, special chars) | Use Python open().write() for all file creation |
| 2 | Coding against tools that don't exist | Probe with which first; use language-native alternatives |
| 3 | Terminal session stalls (cat, curl in terminal) | Use Python file I/O; service_health tool for checks |
| 4 | Port already in use (EADDRINUSE) | kill $(lsof -ti:<PORT>) 2>/dev/null; sleep 1 |
| 5 | Broad pkill kills sibling services | Kill by port or project path only — never broad patterns |
| 6 | sed breaks on multi-line / special chars | Use Python for any multi-line modification |
| 7 | Service runs but invisible to platform | Create service.json in /aexyr/usr/projects/<name>/ |
| 8 | Express 5.x rejects bare * wildcard | Use /{*splat} for catch-all routes |
| 9 | Premature health check (curl right after launch) | Wait 3+ seconds after launch; use service_health |
| 10 | Forgetting to restart after code changes | Kill by port, relaunch, verify with service_health |
If the same error appears three times in a row, the agent stops, reads the entire file, and rewrites the affected section from a known-working template.
Changelog
Documentation site versions:
- v0.0.1 — 2026-05-25 — Initial documentation site. Nine sections covering quickstart, architecture, services, networking, agent protocols, Engrams, delegation, API reference, troubleshooting.