LaunchAgent Catalog

This is the per-agent rundown — the bestiary. The parent LaunchAgents & LaunchDaemons page covers the boot chain, plist generation, and the choreography of launchctl bootstrap. This page is the load-bearing subset grouped by role — the ones you actually grep for at 3 AM, each with the specific incident that earned it a paragraph. (The full fleet is north of a hundred labels and churns weekly.) Running right now if everything is working, silent if everything is working. Notice them at your peril.
Core Infrastructure
These agents stand up the VM, the gateway, and the firewall bridge. Without them, the rest of the stack is a collection of orphaned processes with nowhere to send their feelings.
com.sanctum.vm-autostart
| Property | Value |
|---|---|
| Label | com.sanctum.vm-autostart |
| Purpose | Launch the Ubuntu VM via Lima (vmType=vz), restore the bridge100 IP, and re-establish the VM-facing Mac bridge surfaces |
| Required Service | vm |
| KeepAlive | No |
| RunAtLoad | Yes |
Runs the startup script that launches the Ubuntu VM via Lima (limactl start sanctum-vm --tty=false, vmType=vz on Apple Virtualization), waits for the VM to boot, configures the bridge interface IP via sudo ifconfig, and restores the VM-facing Mac service bridges after the network comes back; in the current runtime that specifically includes the LM Studio bridge exposed on 10.0.0.1:1234. The host-only Mac↔VM bridge rides on socket_vmnet, so socket_vmnet has to be running first. Requires the vmnet-bridge sudoers entry at /etc/sudoers.d/vmnet-bridge.
The first domino. Everything else assumes the VM is running and the bridge exists. If this one fails, enjoy your very expensive aluminum rectangle doing absolutely nothing useful.
com.sanctum.lmstudio-bridge
| Property | Value |
|---|---|
| Label | com.sanctum.lmstudio-bridge |
| Purpose | Expose the Mac-local LM Studio listener to the VM bridge address |
| Required Service | vm |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Port | 10.0.0.1:1234 |
This small bridge LaunchAgent forwards the VM-facing 10.0.0.1:1234 listener to the Mac-local LM Studio process bound on 127.0.0.1:1234. The VM does not need the whole desktop. It needs one reliable door.
com.sanctum.vm-autostart is responsible for ensuring this bridge exists once the bridge network comes back. The bridge itself is launchd-managed so it stays resident after the one-shot VM bootstrap work is finished.
com.sanctum.bridge
| Property | Value |
|---|---|
| Label | com.sanctum.bridge |
| Purpose | SanctumBridge.app — Mac-local data bridge (Messages, WhatsApp, Contacts, Calendar) for the agents |
| Required Service | sanctum_bridge |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Port | 4078 |
The agents live on the VM; the Mac owns the iMessage database, the EventKit store, and Contacts. This LaunchAgent runs ~/.sanctum/bin/sanctum-bridge.sh, which reads the port from instance.yaml (services.sanctum_bridge.port) and execs SanctumBridge.app — the plist never hardcodes the port, which is the whole point of the wrapper.
com.sanctum.firewalla-bridge-watchdog
| Property | Value |
|---|---|
| Label | com.sanctum.firewalla-bridge-watchdog |
| Purpose | Keep firewalla-bridge.js (the Firewalla P2P API bridge) alive on port 1984 |
| Required Service | firewalla |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Bridge Port | 1984 (bound on all interfaces, reachable from the VM) |
| Discovery Port | 8833 (Firewalla P2P) |
The original one-shot com.sanctum.firewalla plist is retired (.pre-w7.disabled); the bridge is now babysat by this watchdog instead. It supervises firewalla-bridge.js, which discovers the Firewalla box over the P2P port 8833 and exposes a bearer-token HTTP API on 1984, bound on all interfaces so the VM can reach it at 10.0.0.1:1984.
A watchdog for a bridge to a bridge. Networking is turtles all the way down, and at least one of the turtles needs a turtle-sitter.
AI & Voice
The agents that give the haus its opinions. One serves a 35-billion-parameter MoE model. One synthesizes speech. One listens for a wake word and responds as a fictional Jedi. Totally standard residential infrastructure.
com.sanctum.yoda-tts-worker
| Property | Value |
|---|---|
| Label | com.sanctum.yoda-tts-worker |
| Purpose | Qwen3-TTS text-to-speech via mlx-audio (workers.tts_server) |
| Required Service | tts |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Port | 8008 |
Provides TTS for the voice agent. Replaced com.sanctum.xtts-server on 2026-04-19 once Qwen3-TTS proved equal quality with lower memory pressure. Old XTTS plist retained as .retired for archaeology, not load.
com.sanctum.yoda-agent
| Property | Value |
|---|---|
| Label | com.sanctum.yoda-agent |
| Purpose | Yoda voice interaction agent — the brain of the voice path |
| Required Service | yoda_agent |
| KeepAlive | Yes |
| RunAtLoad | Yes |
The conductor of the voice fleet. The path is no longer one daemon — it’s six: yoda-agent (this one), yoda-orchestrator, yoda-stt-worker, yoda-tts-worker, yoda-token-minter, and yoda-plain-bridge, each its own LaunchAgent. Together they capture audio, transcribe it, route the turn, mint a token, synthesize a reply, and answer in the cadence of a small green Jedi master. Your haus does this now. You chose this life.
com.sanctum.mlx
| Property | Value |
|---|---|
| Label | com.sanctum.mlx |
| Purpose | Council MLX — pure-Rust sanctum-mlx inference server |
| Required Service | mlx_server |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Port | 1337 (mTLS-only) |
Serves Qwen3.6-35B-A3B-4bit with TurboQuant Slice 4a fused Metal kernel. The 27B-distilled era ended 2026-04-22 when the council moved to the 35B MoE; the old com.sanctum.idle-mlx label retired with it. Thirty-five billion parameters, sitting in RAM, waiting to be useful — and only routable over mutual TLS, because not every consumer is a friend.
com.sanctum.server
| Property | Value |
|---|---|
| Label | com.sanctum.server |
| Binary | sanctum-server (sanctum-rs) |
| Purpose | Routing MLX server — content-routed inference in front of the local seats |
| Required Service | mlx_server |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Port | 127.0.0.1:8900 |
| Model | Qwen3.5-27B-4bit |
The com.sanctum.server label is the routing MLX server — sanctum-server, launched via ~/.sanctum/bin/sanctum-server-launch against Qwen3.5-27B-4bit with --router-config instance.yaml, on loopback :8900 (/health reports mode: routed). It does not own port 4040, and it is not proxyd — a long-standing doc conflation that this entry exists to kill.
proxyd is a separate binary (sanctum-rs) on *:4040: the bouncer-and-bartender doing sanitization, content routing, prompt caching, PII scrubbing, prefill stripping, model resolution, and tiered fallback. It currently runs as a resident process, not a loaded LaunchAgent, with keys injected from ~/.sanctum/secrets/. If it ever earns a plist, label it com.sanctum.proxyd — never com.sanctum.server.
com.sanctum.memory-vault
| Property | Value |
|---|---|
| Label | com.sanctum.memory-vault |
| Purpose | Long-term agent memory store with periodic consolidation |
| Required Service | memory_vault |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Port | 42069 (loopback only) |
SQLite-backed vault at ~/.sanctum/memory/.vault.db. Consolidates every six hours, exposes an SSE transport for MCP clients, and is the long-term memory the council reads from when a conversation runs longer than a context window. Read instance.yaml for the active port — the plist env var is decorative; the binary takes its truth from instance.yaml.
com.sanctum.reranker
| Property | Value |
|---|---|
| Label | com.sanctum.reranker |
| Purpose | Jina v2 reranker for memory-vault RAG queries |
| Required Service | reranker |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Port | 42070 (loopback only) |
Companion to memory-vault on the next port up. Jina v2 reranker (Python + transformers) that re-scores retrieved memory chunks for relevance. The torch warmup adds ~10s to launch; the relevance gain over raw vector similarity is worth it for long-running agent sessions.
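The bind addresses stated so far in this catalog (loopback-only 8900, 42069 and 42070; 127.0.0.1:1234 and 10.0.0.1:1234; wildcard 1984 and 4040) can be checked against what is actually listening. The following is an added example, not part of the Sanctum tooling: it parses `lsof -nP -iTCP -sTCP:LISTEN` output, and its function names, policy table layout and sample output are constructed for illustration.

```python
import ipaddress

# Bind expectations transcribed from this catalog (port -> rule): "any" = wildcard
# bind is documented, "loopback" = loopback only, a set = the addresses named.
EXPECTED_BINDS = {
    1234: {"127.0.0.1", "10.0.0.1"},  # LM Studio + lmstudio-bridge
    1984: "any",                      # firewalla-bridge.js, all interfaces
    4040: "any",                      # proxyd on *:4040
    8900: "loopback",                 # sanctum-server
    42069: "loopback",                # memory-vault
    42070: "loopback",                # reranker
}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not real host data).
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
LMStudio   501 user   41u  IPv4 0xa1        0t0  TCP 127.0.0.1:1234 (LISTEN)
lms-bridg  502 user    5u  IPv4 0xa2        0t0  TCP 10.0.0.1:1234 (LISTEN)
node       503 user   23u  IPv6 0xa3        0t0  TCP *:1984 (LISTEN)
sanctum-s  504 user    9u  IPv4 0xa4        0t0  TCP 127.0.0.1:8900 (LISTEN)
memory-va  505 user    7u  IPv4 0xa5        0t0  TCP *:42069 (LISTEN)
python3.1  506 user    6u  IPv6 0xa6        0t0  TCP [::1]:42070 (LISTEN)
"""

def parse_listeners(lsof_text):
    """Yield (host, port) for each LISTEN row; host is '*' for a wildcard bind."""
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-1] != "(LISTEN)":
            continue  # header row or a non-listening socket
        host, _, port = fields[-2].rpartition(":")
        if port.isdigit():
            yield host.strip("[]"), int(port)

def bind_allowed(host, rule):
    if rule == "any":
        return True
    if rule == "loopback":
        try:
            return ipaddress.ip_address(host).is_loopback
        except ValueError:  # '*' or anything unparsable is not loopback-only
            return False
    return host in rule

def audit(lsof_text, expected=EXPECTED_BINDS):
    """Return (port, host, problem) findings sorted by port; [] means no drift."""
    findings, seen = [], set()
    for host, port in parse_listeners(lsof_text):
        seen.add(port)
        rule = expected.get(port)
        if rule is not None and not bind_allowed(host, rule):
            findings.append((port, host, "bound outside documented addresses"))
    for port in set(expected) - seen:
        findings.append((port, None, "no listener found"))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for finding in audit(SAMPLE_LSOF):
        print(finding)
```

Ports whose bind address this page does not state (1337, 4078, 8008) are left out of the policy table rather than guessed.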
Network & Tunnels
Every system with a VM that can’t see the LAN eventually grows a small collection of tunnels. This is that collection. Each one exists because some process needed to reach some other process, and a direct route was too much to ask.
com.sanctum.ha-tunnel (retired 2026-05-01)
| Property | Value |
|---|---|
| Label | com.sanctum.ha-tunnel |
| Purpose | SSH tunnel from the HA Docker container to the VM’s Network Control API |
| Status | Retired (.plist.retired-2026-05-01) |
This let the Home Assistant container reach the VM’s Network Control API via host.docker.internal — a Docker container, talking through an SSH tunnel, to a VM it can’t see, about devices on a network it’s not on. Distributed systems are just loneliness at scale. The topology moved on: this tunnel and com.sanctum.network-control-tunnel (retired 2026-06-04) are both gone. Kept here as a stub because the cabinet remembers its drawers.
com.sanctum.health-tunnel
| Property | Value |
|---|---|
| Label | com.sanctum.health-tunnel |
| Purpose | SSH tunnel for the health ingester to reach the VM on port 10101 |
| Required Service | health_center |
| KeepAlive | Yes |
| RunAtLoad | Yes |
The health ingester’s lifeline to the VM. Keeps itself alive because health data waits for no one — your resting heart rate doesn’t care that the tunnel crashed at 3 AM.
com.sanctum.tunnel
| Property | Value |
|---|---|
| Label | com.sanctum.tunnel |
| Purpose | Cloudflare Zero Trust tunnel for external access |
| Required Service | cloudflare |
| KeepAlive | Yes |
| RunAtLoad | Yes |
Runs the cloudflared tunnel daemon for the configured tunnel name (e.g., sanctum-hub). Routes external traffic to internal services like Home Assistant and the health ingester. The one tunnel in this list that actually reaches the outside world, which makes it either the most important or the most dangerous, depending on your threat model.
com.sanctum.orbi-bridge
| Property | Value |
|---|---|
| Label | com.sanctum.orbi-bridge |
| Purpose | socat bridge allowing the VM to reach the Orbi router |
| Required Service | vm |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Ports | 18080 (HTTP), 18085 (API) |
Forwards VM traffic from 10.0.0.1:18080 to the Orbi web UI (:80) and :18085 to the Orbi API (:5000), because the VM has no direct LAN access. The Orbi’s LAN IP is not hardcoded — orbi-bridge.sh resolves it from endpoints.env (SANCTUM_ORBI_LAN) or instance.yaml (network.orbi_lan), per the no-hardcoded-endpoints doctrine that earned a memory entry the day the old Bell-subnet literal went stale.
If neither source is set — say the Orbi got unplugged at the Gold Pro cutover — the bridge idles with one clear log line instead of forwarding to a dead address, then self-heals on the next launchctl kickstart -k. A socat tunnel through the Mac that has the good sense to stay quiet when there’s nothing on the other end.
com.sanctum.signal-tcp-bridge
| Property | Value |
|---|---|
| Label | com.sanctum.signal-tcp-bridge |
| Purpose | TCP bridge fronting signal-cli for agent messaging |
| Required Service | signal_bridge |
| KeepAlive | Yes |
| RunAtLoad | Yes |
Lets agents send and receive Signal messages. Three labels, not one: signal-tcp-bridge is the TCP front door, com.sanctum.signal-cli is the long-lived signal-cli daemon holding the registration, and com.sanctum.signal-health watches the pair. End-to-end encrypted AI communication — because if your haus is going to text you, it should at least have the decency to do it privately.
System & Maintenance
The quiet ones. They file your documents, rotate your secrets, watch for fires, and serve your offline Wikipedia. They don’t get thanked enough.
com.sanctum.icloud-filer
| Property | Value |
|---|---|
| Label | com.sanctum.icloud-filer |
| Purpose | Automatic filing daemon for iCloud Drive documents |
| Required Service | icloud_filer |
| KeepAlive | Yes |
| RunAtLoad | Yes |
Watches iCloud Drive directories and automatically files documents into organized folder structures. Digital Marie Kondo, but for PDFs. Does it spark joy? Doesn’t matter. It sparks organization.
com.sanctum.triage
| Property | Value |
|---|---|
| Label | com.sanctum.triage |
| Purpose | Native memory triage daemon (Qui-Gon’s immune response) |
| Required Service | triage |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Interval | 30s (internal loop) |
A native Rust binary that monitors system RAM every 30 seconds, in graduated tiers. Under 30% free (or swap over 15 GB) it kills Apple bloatware — siriinferenced, sirittsd, HydraRenderingService, and friends. Under 20% free (or swap over 20 GB) it escalates: unloading large LM Studio models and triaging unloadable Sanctum services to keep the criticals breathing. Under 10% it would purge harder still — that tier is wired but deliberately disabled.
The system’s white blood cells. It only acts when the body is under pressure, and it acts with the cold efficiency of compiled code — Apple’s chattiest background daemons are simply the first to go.
com.sanctum.watchdog (retired as a launchd job)
| Property | Value |
|---|---|
| Label | com.sanctum.watchdog |
| Binary | sanctumd (sanctum-rs) |
| Purpose | Periodic health sweep + auto-heal via service-doctor |
| Status | Not loaded (com.sanctum.watchdog-rust.plist.pre-w6.disabled) |
For a long time this was the most relatable agent in the fleet: every so often it woke up, looked around, made sure nothing was on fire, and went back to sleep. The Rust binary sanctumd did the sweep and auto-healed through service-doctor, with an intentional file-vs-label drift — com.sanctum.watchdog-rust.plist on disk, com.sanctum.watchdog as the label inside.
It is no longer loaded (.pre-w6.disabled). The generic sweep-and-heal role was carved up among specialists — council-guardian heals the MLX seat, launchd-health-sentinel surfaces stuck jobs, r2d2 runs the classify-and-fix loop. A stray sanctumd may still be resident from an old session, but nothing in launchd starts it now. The most relatable agent in the fleet was, in the end, also the most replaceable.
com.sanctum.lmstudio-guardian (retired 2026-06-07)
| Property | Value |
|---|---|
| Label | com.sanctum.lmstudio-guardian |
| Purpose | Babysitter for LM Studio: SIGCONT stopped workers, reap orphans, restart on API hang |
| Status | Retired (.plist.retired-20260607) |
Built 2026-04-24 after a multi-hour outage where macOS App Nap SIGSTOP’d LM Studio’s llmworker children and never reaped them — thirteen zombies accreted in thirty minutes before anyone noticed. The guardian woke every minute, SIGCONT’d any STAT=T workers, killed orphans, and restarted the app if the :1234 API hung for three minutes (behind a 3-restarts-per-5-min circuit breaker).
Retired 2026-06-07 alongside the LM Studio coder seat itself — the local coder moved onto sanctum-mlx-codestral (Codestral-22B on :3301), which needs no SIGCONT nursemaid. The guardian’s old habit of re-loading an EXPECTED_MODEL every 60s kept fighting manual sanctum-admit releases anyway. The triage daemon now covers what’s left of the memory-pressure unloads.
Council Observability Quintet
Five plists that watch the council from different angles. Documented as a group because they share a pattern: each writes JSON-lines to ~/.openclaw/logs/ and reports drift rather than fixing it — logging-grade, not enforcement-grade. The lone exception is council-guardian, which actually heals. The cadences are all over the map because the things they watch decay at different speeds; the table below is the live truth, not the convenient round numbers.
| Label | Cadence | What it watches |
|---|---|---|
| com.sanctum.council-guardian | every 1 min | Auto-heals com.sanctum.mlx if down. The only one in the quintet that fixes things instead of just observing |
| com.sanctum.council-integrity | every 5 min | Validates mTLS cert expiry + manifest signature chain |
| com.sanctum.council-canary | every 10 min | A pinned prompt sent through the proxy; logs latency + answer hash drift |
| com.sanctum.council-drift | hourly | Cross-checks the running sanctum-mlx model hash against the manifest |
| com.sanctum.council-parity-smoke | daily, 03:00 | Runs a tiny golden-prompt diff between local council and a cloud reference; flags deviations |
Five separate plists is more than the average homelab needs. Five separate plists is the answer to the question “how do you keep a 35-billion-parameter model in compliance with itself?”
com.sanctum.rotate-secrets
| Property | Value |
|---|---|
| Label | com.sanctum.rotate-secrets |
| Purpose | Monthly secret rotation (gateway tokens, API keys) |
| Required Service | — |
| KeepAlive | No |
| RunAtLoad | No |
| StartCalendarInterval | 1st of each month at 03:30 |
Runs on a calendar schedule, not at boot. Rotates secrets stored in 1Password and the macOS Keychain. The only agent that doesn’t start at login — it waits for its appointed hour like a well-mannered assassin.
com.sanctum.dashboard
| Property | Value |
|---|---|
| Label | com.sanctum.dashboard |
| Purpose | Command center dashboard web server |
| Required Service | dashboard |
| KeepAlive | No |
| RunAtLoad | Yes |
| Port | 1111 |
The dashboard. Where you go to see, at a glance, whether the twenty-odd processes described on this page are all still speaking to each other. Think of it as mission control, except the mission is “keep the haus sentient.”
com.sanctum.kiwix-serve
| Property | Value |
|---|---|
| Label | com.sanctum.kiwix-serve |
| Purpose | Kiwix offline library server (Wikipedia, etc.) |
| Required Service | kiwix |
| KeepAlive | Yes |
| RunAtLoad | Yes |
| Port | 8888 |
| ThrottleInterval | 30 |
Requires an external T9 drive to be mounted. KeepAlive with ThrottleInterval prevents rapid restart loops if the drive is disconnected. All of human knowledge, served from an external hard drive — the library of Alexandria, if Alexandria ran on USB-C.
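The KeepAlive, RunAtLoad, ThrottleInterval and StartCalendarInterval values in these tables can serve as a baseline for the plists on disk, including the file-versus-label mismatch described for com.sanctum.watchdog. The following is an added example, not project code: it uses Python's plistlib, its CATALOG covers only the rotate-secrets and kiwix-serve entries, and `check_plist` and the sample plist are constructed for illustration.

```python
import os
import plistlib

# Expected launchd keys, transcribed from the tables in this catalog.
CATALOG = {
    "com.sanctum.rotate-secrets": {
        "KeepAlive": False, "RunAtLoad": False,
        "StartCalendarInterval": {"Day": 1, "Hour": 3, "Minute": 30},
    },
    "com.sanctum.kiwix-serve": {
        "KeepAlive": True, "RunAtLoad": True, "ThrottleInterval": 30,
    },
}

# Constructed sample: a kiwix-serve plist that has lost its ThrottleInterval.
SAMPLE_KIWIX = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.sanctum.kiwix-serve</string>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

def check_plist(filename, raw, catalog=CATALOG):
    """Return drift messages for one plist, given its path and raw bytes."""
    try:
        plist = plistlib.loads(raw)
    except Exception as exc:  # malformed file: report it, keep the sweep going
        return [f"{filename}: unparsable plist ({type(exc).__name__})"]
    if not isinstance(plist, dict):
        return [f"{filename}: top-level object is not a dict"]
    label = plist.get("Label", "")
    stem = os.path.splitext(os.path.basename(filename))[0]
    issues = []
    if stem != label:
        issues.append(f"file/label drift: {stem}.plist carries Label {label!r}")
    expected = catalog.get(label)
    if expected is None:
        issues.append(f"{label!r}: not in catalog")
        return issues
    for key, want in expected.items():
        # launchd treats an absent boolean key as false; a conditional
        # KeepAlive dict is reported as drift from the catalog's plain "Yes".
        default = False if isinstance(want, bool) else None
        got = plist.get(key, default)
        if got != want:
            issues.append(f"{label}: {key} is {got!r}, catalog says {want!r}")
    return issues

if __name__ == "__main__":
    for issue in check_plist("com.sanctum.kiwix-serve.plist", SAMPLE_KIWIX):
        print(issue)
```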