The AI Assistant
InterGenOS ships with InterGen, a local AI assistant that runs entirely on your own machine. It answers questions about your system, helps with shell, configuration, and code tasks, and never sends your data off the box by default. There is no cloud account, no API key, and no telemetry.
InterGen is a system assistant. Its strength is knowing your machine, not the
whole world. You open it from the Applications menu or from any terminal with
the intergen command.

InterGen answering a disk-usage question: it runs the underlying command, then reads the result back in plain English.
What it does
You talk to InterGen in plain language. It recognizes intent, runs the right command, and reports back. Typical requests:
- “How much free space is on my root partition?” — runs the right
dfinvocation and summarizes the answer. - “What’s my current IP address?” — a direct
iplookup plus a plain-English summary. - “Write me a systemd timer that runs
backup.shevery Sunday at 03:00.” — drafts the unit and timer files, then asks before installing. - “Why did sshd fail to start after I edited the config?” — reads the relevant
journalctloutput, summarizes the error, and suggests a fix. - “Install htop” — recognizes the intent and asks you to confirm before
running the install through
pkm, the InterGenOS package manager.
Local-first by design
Every model InterGen uses runs on your own CPU and GPU. Nothing about your prompts, your files, your configuration, or your machine identity leaves the machine by default. This is the InterGenOS posture in one feature: a machine you understand, can modify, and can trust.
The trade-offs are stated honestly:
- Local models are smaller than frontier cloud models, so answers on the hardest tasks are less sharp.
- First use downloads the model (roughly 1.5 to 21 GB depending on your hardware tier). After that, no network is needed.
- If you ask about brand-new software the model has not seen, it tells you so rather than guessing.
For cases where you want the depth of a frontier model, the optional Phone-A-Friend (Frontier/Cloud Escalation) path lets you opt in to a cloud provider on a per-request basis. It is off by default and never silent: InterGen asks before reaching out, and the outbound payload is scanned first.
How it scales to your hardware
InterGen inspects your RAM and GPU and picks a model tier automatically. The shipping tiers all use Qwen models:
- Tier 1 (~1.5 GB model) — machines with under 8 GB of RAM. Good for system queries, command lookups, and summarizing logs. Not built for writing code from scratch.
- Tier 2 (~5.5 GB model) — machines with 8 to 15 GB of RAM. The daily-driver tier: coding, configuration drafts, and multi-step reasoning. A Tier 2 machine without a discrete GPU falls back to the smaller model to keep latency usable.
- Tier 3 (~21 GB model) — machines with 16 GB or more of RAM and a discrete GPU. Deep, multi-file code analysis and complex architectural reasoning. A 16 GB+ machine without a discrete GPU stays on the Tier 2 model.
A small embedding model ships alongside every tier to power the assistant’s semantic-matching layer.
If your hardware changes, InterGen picks up the upgrade and switches tiers on the next start.
What it can and can’t do (the safety chain)
Every action InterGen proposes is classified before it runs:
- AUTO — read-only operations like
ls,df, andjournalctl. Run immediately, with the result shown to you. - CONFIRM — anything that changes state, such as
systemctl restart, apkm install, or editing a config file. InterGen pauses and shows exactly what it intends to do. Nothing runs until you approve it. - BLOCKED — destructive or security-bypass operations such as
rm -rf /or reformatting the root disk. InterGen refuses and explains why.
The classifier is conservative by design. Nothing that changes the system runs without explicit approval, and the most dangerous commands cannot run at all. See Constraining the assistant for how the safety chain is configured, and Privacy for the data boundaries.
InterGen Sentinel

InterGen Sentinel is the pluggable security scanner that guards InterGen’s interactions with the outside world. It inspects content crossing two boundaries: data returned from external and MCP tools (ingress) and content about to be sent off-device (egress). Both surfaces are scanned by default.
The default configuration runs two local stages: a fast local-rules pass and an optional deep pass backed by a small local Qwen classifier. For deeper analysis you may opt in to a cloud scanner backed by one of six providers — Claude (Anthropic), Gemini (Google), Copilot (Microsoft), ChatGPT (OpenAI), Grok (xAI), or DeepSeek. No cloud provider is configured by default, so the default install scans entirely on-device.
Other apps can talk to it
InterGen exposes a narrow D-Bus interface, so the text editor, the terminal, the system settings panel, and third-party apps can request code completion, log summarization, or semantic search over IPC. Only a small set of vetted interfaces is exposed, which keeps a local unprivileged application from driving arbitrary code execution.
InterGen is also a Model Context Protocol (MCP) client. It can connect to local MCP servers to acquire new capabilities while preserving the boundary between the assistant’s core runtime and the tool-execution environment.
Turning it on or off
InterGen is off by default. You opt in at install time through the assistant toggle in Forge, the InterGenOS installer, or at any time later by running:
intergen setup
This downloads the model, enables the intergen.service unit globally, and starts
the assistant. To opt out:
systemctl --global disable intergen.service
The model files stay on disk under /var/lib/intergen/models/ in case you want
to re-enable later without re-downloading.
In this section
- Overview — how InterGen fits the rest of the system
- Explanations — how the assistant reasons about your machine
- Teaching mode — learning alongside the assistant
- Constraining the assistant — tightening the safety chain
- Privacy — the data boundaries, in detail