
CUST/OS /kuh-stohs/
The Agentic Custom Operator's System
From the Latin custos — guardian, keeper, warden. An edge-first, mission-customizable agentic runtime built into ATAK that watches the tactical picture, reasons over mission context, and acts through TAK's protocols — with the operator always in command.
Three Theses, One Product
Three commitments. None of them negotiable.
CUST/OS isn't a feature pile — it's the consequence of three design commitments that reinforce each other. Drop any one of them and the runtime collapses into something else. Hold all three, and you get an agent that gets better when the network is up, keeps working when it isn't, and never acts without the operator's authority.
Thesis I
Edge-First
The right place to run tactical AI is on the device the operator is fighting from. Not in someone else's data center. Not behind a contested network. Inside the trust boundary the operator already trusts.
Thesis II
Customizable to the Mission
Tactical needs change at mission cadence, not release cadence. Skills are Lua scripts the operator owns. Authority rules live in YAML. The same APK runs every deployment — the operator shapes the runtime to the mission, not the other way around.
Thesis III
Operator Always in Command
The agent serves the operator, not the other way around. Every consequential action passes an approval gate. Every decision lands in an immutable audit log. Every guardrail is a runtime property — never an operator chore.
The runtime is the guardian. The operator is the principal.
A Guided Tour
Fourteen stops through the runtime.
01 · Meet CUST/OS
It lives on the edge of ATAK.
The NavBar sits on the left side of ATAK's main screen. ATAK itself keeps the full canvas behind it. No separate app, no context switch, no second window to alt-tab. Every surface — chat, audit, automations, settings — is a single tap away.
Runs as a plugin in ATAK's process, not alongside it.
Thesis I — Edge-First
Why edge-first matters
Five concrete reasons the device is the default, not the fallback.
Comms Denial Is the Rule, Not the Exception
In a contested environment the network is the first thing to fail — jamming, distance, terrain masking, EMCON, mesh saturation. An agent that depends on the cloud stops working at exactly the moment the operator needs it most. CUST/OS keeps reasoning. Voice still works. Tool calls still work. Automations still fire.
“My agent works in the same conditions I work in.”
Classification Boundaries Are Enforced
Every provider declares a maximum classification. The router refuses to send a query to a provider whose classification is below the operator's clearance. UNCLASSIFIED providers cannot receive SECRET context. Period.
“I can use cloud providers for back-line analysis without ever risking classified leakage. The runtime is the guardrail.”
Latency Is a Tactical Variable
A cloud round-trip is 1–3 seconds on a good day, 5–10 on a bad one, and forever on a denied one. A small local model on modern handheld hardware produces tool calls in a few hundred milliseconds. Voice → STT → reason → tool call → TTS happens in under two seconds end-to-end on a handheld device with no network in the loop.
“My agent feels like a teammate because it answers at the speed of one.”
Sovereignty Is Non-Negotiable
Every cloud LLM contract has logging, retention, third-party subprocessors, jurisdictional risk. CUST/OS sidesteps the entire problem by not requiring a cloud provider at all. Conversations, audit, vectors — all live locally on the device.
“Nothing I say to my agent leaves my device unless I deliberately route it through a cloud provider.”
The Cloud Is the Fallback, the Device Is Primary
CUST/OS is built device-first from the beginning, not retrofitted. Native inference shipped inside the APK — in-process LiteRT-LM via JNI and subprocess llama.cpp, whisper.cpp, and vision servers. Voice pipeline, hot-reloading skills from /sdcard, in-app code editor — every architectural choice lines up.
“The runtime was designed for the conditions I actually fight in, not adapted to them after the fact.”
Six Compute Tiers
Tier is trust. Priority is fallback order.
Every provider declares a tier — what kind of trust environment it lives in — and a taskPriority — what order to try it in. The two are orthogonal. Security modes filter by tier. The router sorts by priority. One config line can disable every cloud provider without touching a single priority number.
The operator's own device. Native subprocess servers running locally. No network involved. Nothing leaves the device.
"If my unit goes EMCON for 12 hours, my agent keeps working for 12 hours."
On-person wired compute — Jetson Nano in a ruck via USB tether, Pi in a chest rig via Ethernet. No RF emissions. Bigger model than handheld, still on the operator's body. EMCON-safe.
"I carry a bigger brain in my ruck. Wired to my phone, no radio signature, stays with me when the squad's edge box is out of range."
A companion edge device the squad carries — tactical edge brick, compute pack. Inside the squad's physical perimeter, but not on the operator's own device.
"When the squad's edge box is up, I get a bigger model without doing anything different."
Vehicle-mounted compute with real cooling, real power, real GPU. Physically mobile with the unit. Gone when the operator dismounts.
"In the vehicle I get a vehicle-class model. When I dismount, the router quietly switches back."
Back-line workstation reachable over the TAK mesh via split-ReAct. Reasoning crosses the mesh, actions stay local — both sides keep their trust boundaries. CoT delegation transport ships in the APK but has not been vetted end-to-end on a real multi-device deployment. Treat as a design commitment with working scaffolding, not a production-ready capability.
"The CP is the cloud. I don't need cellular. I don't need satcom."
Internet-hosted provider. The wire goes through someone else's network, infrastructure, and jurisdiction. Bound by classification and the operator's clearance ceiling.
"When the network is good, I get cloud-grade reasoning. When it drops — automatic fallback, no reconfiguration."
security.mode
One line change. The router instantly drops every provider outside the allowed tier set.
providers:
  - name: on-device
    tier: handheld # trust category
    protocol: litert
    model: gemma-4-E2B-it
    taskPriority: 1 # fallback order
  - name: ruck-jetson
    tier: pack # wired, no RF
    protocol: openai
    url: http://127.0.0.1:8082
    taskPriority: 3
  - name: cloud-fallback
    tier: cloud
    protocol: anthropic
    model: claude-sonnet-4
    taskPriority: 100
security:
  mode: emcon # only handheld + pack
  # everything wireless is gone

tier answers "what kind of thing is this?" taskPriority answers "what order should I try?" Both fields are required. Neither replaces the other.
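The example below is added here and is not CUST/OS code: it models the selection rule described above, where the security mode filters by tier, the classification boundary removes providers that cannot hold the context, and taskPriority orders what is left. Assumptions: the `max_classification` field name, the `healthy` parameter, the two-level `LEVELS` table and the `normal` entry of `MODE_TIERS` are hypothetical; only the `emcon` tier set (handheld + pack) comes from the page.

```python
from dataclasses import dataclass

# Classification ordering (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1}

# Mode -> allowed tiers. Only "emcon" is stated on the page; "normal" is an
# assumption, limited to the tiers that appear in the sample config.
MODE_TIERS = {
    "emcon": {"handheld", "pack"},
    "normal": {"handheld", "pack", "cloud"},
}

@dataclass(frozen=True)
class Provider:
    name: str
    tier: str
    task_priority: int
    max_classification: str  # hypothetical field name


# Mirrors the three providers in the config above; classifications are constructed.
PROVIDERS = [
    Provider("cloud-fallback", "cloud", 100, "UNCLASSIFIED"),
    Provider("ruck-jetson", "pack", 3, "SECRET"),
    Provider("on-device", "handheld", 1, "SECRET"),
]

def route(providers, mode, context_level, healthy=None):
    """Return provider names in the order the router would try them."""
    if mode not in MODE_TIERS:
        # Fail closed: a typo in security.mode must not widen the provider set.
        raise ValueError(f"unknown security mode: {mode!r}")
    allowed = MODE_TIERS[mode]
    need = LEVELS[context_level]
    eligible = [
        p for p in providers
        if p.tier in allowed                          # security.mode filters by tier
        and LEVELS[p.max_classification] >= need      # classification boundary
        and (healthy is None or p.name in healthy)    # skip unreachable providers
    ]
    # Priority only orders the survivors; it never re-admits a filtered tier.
    return [p.name for p in sorted(eligible, key=lambda p: p.task_priority)]
```

Switching `mode` from `normal` to `emcon` removes `cloud-fallback` without touching any priority number, and SECRET context never reaches it in either mode.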
Skills & Runtime
A runtime they can extend in the field
The APK ships with zero skills by design. The open-source starter kit (44 skills, 101 tools, MIT-licensed) is a reference library — clone it, fork it, or drop it in. The number that matters is whatever the operator writes next.
---
group: custos
name: markers
description: Place, find, and delete map markers
script_paths:
  - custos.markers/place_marker.lua
  - custos.markers/find_items.lua
  - custos.markers/delete_markers.lua
tags:
  - markers
  - map
  - navigation
examples:
  - "place a marker at 38.9, -77.0"
  - "drop a hostile marker"
  - "find all friendly markers"
---
# Markers
Tools for placing, finding, and querying markers on the ATAK map.
## Rules
- Confirm with the operator before deleting more than 5 markers.
- Use CoT type a-h-G (hostile), a-f-G (friendly), a-n-G (neutral).

A skill is a directory. SKILL.md declares metadata and docs the agent reads; the .lua scripts declare tools with LDoc annotations. Sandboxed, instruction-capped, scoped to an allowlist of ATAK APIs. Ship skills by sending a directory.
Hot-Reload on Save
Save a file in /sdcard/atak/custos/skills/ — the runtime picks it up. The next agent turn calls the new tool. No APK rebuild, no signing, no release cycle.
In-App Code Editor
Operators don't need a workstation. The full-screen tabbed editor has syntax highlighting (Lua, YAML, Markdown), find-in-file, save-and-review diff, and debug-mode landing on script errors.
Author by Asking, Test Before Shipping
The agent can write its own skills via custos.skill_creator — reflect over the ATAK class index, write the Lua, save it. Then run tests from the editor before you ship to the squad.
Automations Without the LLM Tax
Three triggers — Scheduled, Monitors (intervals), Events (ATAK broadcasts). Every automation runs as deterministic Lua. An interval firing every 15 seconds costs milliseconds, not a full ReAct loop. LLM reasoning is opt-in via an explicit delegate call — small on-device models are never hammered.
Delegation Is Explicit, Not Automatic
The orchestrator runs whatever chat provider has the lowest taskPriority — typically the on-device handheld model. It does not auto-route to the cloud because a query 'feels hard.' A specialist runs only when the operator (or an authored skill) explicitly calls delegate.
Thesis III — Operator Always in Command
A safety model with seven layers
Not a feature dump — the mechanical expression of one commitment: the agent does not act without the operator's authority.
Pattern-Matched Hooks
Hook rules in custos.yaml deny entire categories of tools, allow specific ones, or force approval on otherwise-routine actions. Tier-aware hooks fire only when reasoning at remote tiers — e.g., require approval for comms tools when using cloud.
Impact-Level Approval Gates
Tools at SIGNIFICANT impact or higher — SIGNIFICANT, STRATEGIC, LETHAL — cannot run without an approval dialog showing name, args, impact, and rationale. The operator picks Approve, Deny, or Modify (edit args inline before approving).
Sandbox Enforcement
Java package allowlist, method denylist, filesystem path scoping, instruction-count caps, concurrency limits. A bug or hostile script cannot do what the runtime does not allow.
Immutable SQLite Audit
Every tool call, approval decision, LLM call, delegation, and security event is written to SQLite, with triggers that block UPDATE and DELETE. Pull with adb for after-action review.
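An added example (not the CUST/OS schema) of how SQLite triggers make an audit table append-only, which is the mechanism this layer names. The table name, columns and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed schema: one append-only table plus two guard triggers.
SCHEMA = """
CREATE TABLE audit (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    ts     TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    kind   TEXT NOT NULL,   -- tool_call, approval, llm_call, delegation, security
    detail TEXT NOT NULL
);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
"""

def open_audit(path=":memory:"):
    """Create the audit database with its guard triggers installed."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def record(db, kind, detail):
    """Append one event; INSERT is the only write the triggers permit."""
    with db:
        db.execute("INSERT INTO audit (kind, detail) VALUES (?, ?)", (kind, detail))

def try_tamper(db, sql):
    """Run a modifying statement; return SQLite's error text, or None if it ran."""
    try:
        with db:
            db.execute(sql)
    except sqlite3.DatabaseError as exc:
        return str(exc)
    return None
```

The triggers stop UPDATE and DELETE issued through SQL; they do not stop a process with write access to the file from dropping the triggers or replacing the database, so a reviewer should also check that both triggers are still present in `sqlite_master` on the pulled copy.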
Lockdown Modes & Classification
Six security modes — normal, no-cloud, field-only, squad-only, emcon, standalone — filter the active provider set to a tier subset with one config line. Per-provider classification declarations prevent classified context from reaching unauthorized tiers.
Encrypted Secret Store
API keys live in Android EncryptedSharedPreferences backed by the Android Keystore — never in YAML, never reachable from a Lua script.
Optional PKI Skill Signing
WIP. SkillSignatureVerifier and the VERIFIED / COMMUNITY trust split are designed to enforce signed skills when requirePki: true. Verifier and config surfaces ship; integration with the skill-load loop is not yet complete — treat as a design commitment, not a shipping feature.
Every layer exists so the operator stays in command. The runtime is the guardian; the operator is the principal.
Who Should Care
Built for the people doing the work
From the dismounted operator to the command post — and the engineers who need to ship capability without a release cycle.
Operators in Denied Environments
The whole agent loop runs on your device. When comms drop, the agent keeps reasoning. When you go EMCON, the agent keeps reasoning. The runtime was designed for your conditions.
Operators Handling Classified Data
Per-provider classification declarations and a clearance-aware boundary mean classified context cannot leak to a provider that shouldn't reach it. Configure the deployment with on-device-only providers and the trust boundary is the device itself.
Squad Leaders Needing Force Multiplication
Every action passes the approval gate. Every decision is in the immutable audit log. The agent is a teammate, not a black box.
Mission Planners Wanting Repeatable Playbooks
Composed Lua scripts — one skill calling another through tools.call — run the same way every time with no LLM tax for routine ops. Arm them as scheduled or event-triggered automations. Threat checks, route validation, comms diagnostics, mission preflight.
Commanders Running Multi-Tier Deployments
Configure specialist agents with protocol: cot providers and the orchestrator on a field device can delegate hard problems to a CP over the TAK mesh. The cloud you've always wanted is just the CP, and the network is just the mesh.
Operators on Tactical Android Hardware
Built for arm64-v8a on the standard tactical Android stack (PRC-style devices, ATAK-CIV phones, ruggedized tablets). Sandboxed native subprocesses — a crash in the inference server never takes down ATAK.
Security Reviewers Needing Hard Guarantees
Seven-layer security model, immutable SQLite audit, allowlist sandbox, encrypted secret store, classification boundary on every provider, plus a PKI skill-signing layer (scaffolded, not yet end-to-end).
Mission Engineers Shipping Capability Without Releases
Skills are data, not code. Drop a directory on a device and it works. Operator-authored skills live in the same runtime as vendor skill packs, with different trust levels enforced by the runtime.
What CUST/OS Is Not
The negative space matters too
These are choices, not gaps. Every "not" buys a property we care about.
Cloud-bound
Cloud is optional. Edge is primary.
Bundled with one model
The operator picks which model runs at each tier.
Bound to one vendor
Provider-agnostic. Switch with a config edit, no rebuild.
A general-purpose chatbot
The agent's job is tactical work.
A separate app
Runs inside ATAK as a plugin, in the same process.
Bundled with skills inside the APK
Skills live on disk and are operator-controlled.
A document RAG plugin
Vector store is for skill selection and lightweight knowledge.
A build-time customization
Every customization is data, not code — except the runtime itself.
Dependent on third-party API uptime
When a vendor goes down, the runtime falls back to whichever tier is healthy.
Every "not" buys a property we care about: edge sovereignty, offline capability, runtime extensibility, security posture, vendor neutrality, and the operator's right to run the agent against whatever model the mission can field.
The Thesis, Restated
The right place to run tactical AI is on the device the operator is fighting from — against whatever model the mission can field — with the operator always in command.
CUST/OS is available on the Google Play Store. Download, point it at your inference providers, and start building skills.