# Builder Takeaways: What's Surprising, What's Hard, What to Watch > Closing synthesis: the monolith-with-sidecars architecture, the breadth of admin-only surface area, the security implications called out in SECURITY.md, and the roadmap items the maintainers explicitly want help on. - Repository: pewdiepie-archdaemon/odysseus - GitHub: https://github.com/pewdiepie-archdaemon/odysseus - Human wiki: https://grok-wiki.com/public/wiki/pewdiepie-archdaemon-odysseus-8b8805c93124 - Complete Markdown: https://grok-wiki.com/public/wiki/pewdiepie-archdaemon-odysseus-8b8805c93124/llms-full.txt ## Source Files - `ROADMAP.md` - `SECURITY.md` - `ACKNOWLEDGMENTS.md` - `docker-compose.yml` - `app.py` ---
Relevant source files The following files were used as context for generating this wiki page: - [ROADMAP.md](ROADMAP.md) - [SECURITY.md](SECURITY.md) - [ACKNOWLEDGMENTS.md](ACKNOWLEDGMENTS.md) - [docker-compose.yml](docker-compose.yml) - [app.py](app.py)
# Builder Takeaways: What's Surprising, What's Hard, What to Watch Odysseus is a self-hosted AI workspace that, on first inspection, looks like a "kitchen sink" personal assistant — chat, memory, research, gallery, notes, calendar, email, vault, a shell, a model serving control panel — all behind one login. Reading the code makes the shape clearer: it is a single FastAPI process that owns nearly all behaviour, with three optional Docker sidecars and a small set of external tools (Ollama, Radicale, Dovecot, tmux, SSH) that the app shells out to. That choice is what shapes the rest of the page — the breadth of admin-only surface area, the security posture, and the roadmap items the maintainer is explicitly asking for help on. This page is a closing synthesis: the architecture in one diagram, the privileged-surface picture from `SECURITY.md`, the explicit "help wanted" list from `ROADMAP.md`, and the surprising details a README-only reader would miss. ## Architecture: a monolith with three sidecars `app.py` is the only entry point. It imports about 47 routers from `routes/` and wires them into one FastAPI app, then connects a handful of long-lived managers (auth, sessions, memory, RAG, webhooks, MCP, task scheduler) into them. The `docker-compose.yml` file adds three sidecars whose only job is to be a backend Odysseus can talk to over the network. ```text ┌───────────────────────── docker-compose.yml ──────────────────────────┐ │ │ │ ┌──────────── odysseus (FastAPI, port 7000) ─────────────┐ │ │ │ app.py orchestrator │ │ │ │ ├─ Middleware: CORS, SecurityHeaders, │ │ │ │ │ RequestTimeout (45s, with exemptions), │ │ │ │ │ AuthMiddleware (cookie + Bearer ody_) │ │ │ │ ├─ Routers (~47): chat, research, memory, shell, │ │ │ │ │ cookbook, hwfit, mcp, calendar, contacts, email, │ │ │ │ │ vault, notes, tasks, gallery, document, … │ │ │ │ └─ Managers: AuthManager, SessionManager, │ │ │ │ MemoryManager, McpManager, WebhookManager, │ │ │ │ TaskScheduler │ │ │ └─────────┬───────────────┬──────────────────┬────────────┘ │ │ │ │ │ │ │ ┌──────▼─────┐ ┌──────▼─────┐ ┌───────▼──────┐ │ │ │ searxng │ │ chromadb │ │ ntfy │ │ │ │ metasearch│ │ vectors │ │ push notif. │ │ │ └────────────┘ └────────────┘ └──────────────┘ │ └───────────────────────────────────────────────────────────────────────┘ │ │ └──── shells out to: ollama, ssh, tmux, mbsync ────┘ (declared in ACKNOWLEDGMENTS.md, not bundled) ``` A few things worth noticing about this shape: - All cross-cutting concerns — auth, CSRF-ish security headers, hard request timeout, CSP nonce injection into static HTML — live as Starlette middlewares inside the same process. Streaming and long-running endpoints (`/api/chat`, `/api/shell/stream`, `/api/research`, `/api/model/probe`, etc.) are exempted from the 45 s hard timeout by an explicit allowlist. Sources: [app.py:64-102]() - The Bearer-token path keeps a prefix-keyed in-memory cache of bcrypted API tokens with a dirty-bit invalidation hook (`app.state.invalidate_token_cache`). The cookie path is the more common one; the bearer path exists for external API integrations and is rate-limited indirectly by bcrypt cost per prefix bucket. Sources: [app.py:136-254]() - There is a deliberate loopback "internal-tool" header that lets the agent layer impersonate a user when calling back into admin-gated routes from inside the same process — gated to `127.0.0.1`/`::1` plus a matching token. This is the kind of detail a README-only reader would miss but a security reviewer should care about. Sources: [app.py:171-188]() - Vector RAG is wired in but `rag_manager = None` and `rag_available = False` at startup — the comment notes the ChromaDB client could not even initialise against the installed pydantic, and all callers were already guarded. Useful pattern: a feature flag that the runtime owns, not the user. Sources: [app.py:348-356]() Sources: [app.py:1-102](), [app.py:163-271](), [app.py:409-598](), [docker-compose.yml:1-79]() ## The breadth of admin-only surface area The single biggest surprise reading this codebase is *how much* of it the operator-as-admin is responsible for. `SECURITY.md` lists the privileged surfaces explicitly: > Leave high-risk agent tools restricted to admins: shell, Python, file read/write, email send/read, MCP, app API, task/skill/memory management, settings, tokens, and model serving. That sentence is not aspirational — `routes/` includes individual modules for each of those concerns, and grepping for `require_admin`/`is_admin` checks finds ~137 occurrences across roughly 18 router files (shell, model, cookbook, mcp, vault, contacts, email, backup, webhooks, tasks, admin_wipe, …). In other words, "admin" in Odysseus is not just "settings page access" — it is the gate for an entire shadow operating system: shelling out to the host, downloading and serving local models, reading the user's IMAP mailbox, decrypting the vault, exposing a webhook surface, and wiping data. A few representative router wirings from `app.py`: | Surface | Router (in `routes/`) | Why it is privileged | |---|---|---| | Shell command exec / SSE stream | `shell_routes.py` | Direct host command execution | | Cookbook (local model download/serve) | `cookbook_routes.py` | Spawns tmux, pulls model weights, shells via SSH | | Hardware fit ("What Fits?") | `hwfit_routes.py` | Reads host hardware to score model viability | | MCP servers | `mcp_routes.py` | Runs Model Context Protocol child processes | | Vault | `vault_routes.py` | Encrypted secrets store | | Email (IMAP/SMTP) | `email_routes.py` | Reads + sends real mail | | Calendar / Contacts (CalDAV/CardDAV) | `calendar_routes.py`, `contacts_routes.py` | Speaks to Radicale or similar | | Admin "Danger Zone" wipes | `admin_wipe_routes.py` | Deletes user data classes | | API tokens | `api_token_routes.py` | Mints long-lived bearer tokens | | Webhooks | `webhook_routes.py` | Outbound HTTP from the box | Sources: [SECURITY.md:9-21](), [app.py:409-598]() The operational reading of `SECURITY.md` is short: do not expose this without auth, do not run it as a public service, keep `AUTH_ENABLED=true`, put it behind a reverse proxy and HTTPS, and treat admin accounts as root-equivalent. There is a publish-a-fork checklist that includes `git check-ignore` for `.env`, `data/auth.json`, `data/app.db`, `odysseus.db`, and a `git grep` regex for common API-key shapes (`sk-…`, `xox[baprs]-…`, `AIza…`, `Bearer …`). It is a nice example of a small, copy-pasteable hygiene gate. Sources: [SECURITY.md:22-32]() ## What the maintainer is explicitly asking for help on `ROADMAP.md` is unusually candid — its subtitle is *"Roadmap / Help Wanted"* and it opens with "I dont know what I'm doing hlep". That tone is useful because it labels the parts of the codebase the maintainer is least confident in. For builders dropping in, this is also where contributions are most welcome. The high-priority list, paraphrased and tagged: - **Reliability** — squash bugs; fresh Docker smoke tests on Linux, macOS, and Windows. Sources: [ROADMAP.md:8-11]() - **Integrations** — audit which integrations actually work end-to-end, document the rest, hide or remove what does not. The hint that this work is needed is itself a flag: a long list of providers and protocols is wired in faster than they can be verified. Sources: [ROADMAP.md:13]() - **Self-host troubleshooting cookbook** — the maintainer explicitly enumerates "30-second fixes that become 30-minute searches": Dovecot cleartext auth for local stacks, ntfy Android Instant Delivery, clipboard limits on plain-HTTP Tailscale URLs, Radicale collection URLs. These are the foot-guns of running a real self-hosted stack — worth lifting straight into a `docs/solutions/` entry if the project picks up a solved-problem doc convention. Sources: [ROADMAP.md:14]() - **Provider probing** — the call-outs for Anthropic, Gemini, Groq, xAI, OpenRouter, OpenAI, and DeepSeek echo the request-timeout exemption for `/api/model/probe` in `app.py` (probes can take up to 8 s each and iterate). Probe correctness is a known weak spot. Sources: [ROADMAP.md:20](), [app.py:80-85]() - **Skill audit** — "how does your model respond to skill injection, does it follow? Does its parsing miss?" — a frank admission that the skill/prompt-injection surface needs an adversarial pass. Sources: [ROADMAP.md:18]() - **Degraded-state reporting** — ChromaDB, SearXNG, email, ntfy, and provider probes are exactly the components running as Docker sidecars or external services, so the failure modes are network-shaped and easy to surface badly. Sources: [ROADMAP.md:19]() Refactor targets are also informative: `static/style.css` is openly called "Calypso's island", the onboarding tours are copy-pasted scaffolding asking for a shared `tour-core.js`, and mobile `@media` overrides are flagged as the root of a class of "CSS did not move" bugs. The Backend section ends with "Security hardening around admin-only tools and clear docs for their risk." — which is the next page over from the architecture point above. Sources: [ROADMAP.md:22-46]() ## Surprising details a README-only reader misses - **Most of the code was written with AI.** The acknowledgments list `gpt-oss-120b`, Qwen3-235B, DeepSeek V3.1/V4 Pro/Flash, Claude, and Codex as collaborators, alongside human contributors. That is unusual to call out so explicitly and frames a lot of the breadth-versus-depth tradeoffs you see in the code. Sources: [ACKNOWLEDGMENTS.md:158-168]() - **The "agent loop" came from opencode; the "what model fits?" engine came from `llmfit`; the deep-research pipeline came from Tongyi DeepResearch.** These are concrete, attributable transplants under MIT and Apache-2.0, with the adapted-to file paths listed (`services/hwfit/`, `routes/cookbook_*.py`, `services/search/`, `api/research_*.py`). Sources: [ACKNOWLEDGMENTS.md:12-39]() - **The license story is deliberately permissive — with one AGPL trapdoor.** `pypdf` and `charset-normalizer` replaced earlier copyleft choices, and `chardet` was removed entirely. PyMuPDF is the one AGPL dependency left, and it is *optional* and lazy-imported, used only by PDF form-filling in `src/pdf_forms.py` and the form endpoints in `routes/document_routes.py`. If you install it for that feature, AGPL's network clause then applies to that feature for your deployment. Sources: [ACKNOWLEDGMENTS.md:139-156]() - **Static assets ship without a build step.** `_RevalidatingStatic` in `app.py` forces `Cache-Control: no-cache` for `.js`/`.css`/`.html` because the app serves raw ES modules with no hashed URLs — without it, browsers happily served stale modules across deploys. Sources: [app.py:277-293]() - **Sidecars are bound differently on purpose.** ChromaDB is published on `8100:8000` (host-wide), ntfy on `8091:80` (host-wide), but SearXNG is bound to `127.0.0.1:8080:8080` — only loopback. That is the right default for a metasearch you do not want to expose, and a small but real piece of the security posture you would not see without reading `docker-compose.yml`. Sources: [docker-compose.yml:38-74]() - **The container drops privileges via `PUID`/`PGID`.** The entrypoint chowns `/app/data` and `/app/logs` to match the configured user/group before running uvicorn, which is what keeps bind-mounted files editable from the host. Sources: [docker-compose.yml:20-30]() ## What builders should watch Pulling the threads together, this is the punch list a builder dropping into Odysseus should keep in mind: 1. **Treat any admin account as host-level access.** The privileged-tools list in `SECURITY.md` is not a configuration knob — it is the design. If you are reviewing security, the high-leverage targets are `routes/shell_routes.py`, `routes/cookbook_routes.py`, `routes/mcp_routes.py`, `routes/vault_routes.py`, `routes/email_routes.py`, and the loopback `INTERNAL_TOOL_HEADER` path in the auth middleware. 2. **Probing and degraded-state reporting are weak spots the maintainer flagged.** If you are writing a contribution that touches providers or sidecars, that work will be unusually welcome — and it lines up with the timeout exemptions already coded into `app.py`. 3. **Architecture additions should respect "monolith + sidecar".** New integrations belong as a router in `routes/`, a manager in `src/`, and (if heavyweight) a new compose service. There is no event-bus or microservice convention to honour — staying with the existing shape is the path of least resistance. 4. **Provider neutrality is a real design property, not a marketing claim.** Models, search, and notifications are all swappable: `searxng`, `chromadb`, `ntfy`, and any of the listed model providers can be replaced without touching the orchestrator. If you are integrating a knowledge profile or wiki layer on top, mirror that posture — keep the source of truth in files, not in a single vendor. 5. **`ROADMAP.md` is the contributor map.** It is short, specific, and includes the maintainer's own confidence about each area. If you want to land a PR with high signal, start there. The summary, in one line: Odysseus is a single FastAPI process pretending to be a workspace, three sidecars pretending to be infrastructure, and a long list of privileged tools that only make sense if you take the security model seriously. The roadmap tells you exactly where the seams are.