Mimir — SecOps dashboard + OSINT aggregator

Mimir consolidates security-relevant signal — endpoint telemetry, threat prevention, patch & asset state, OSINT feeds — into one observable surface. Trends, alerts, correlation, and natural-language query, all backed by a local LLM that never phones home.

● v0 · pivot in progress

Four-node topology. SQLCipher store. Local LLM.

A backend that owns the data (Swift + Vapor + GRDB on SQLCipher). A stateless ingest that forwards from daemons and connectors. An intelligence node — Mimir's Well — for NL summary and query against your own LLM. And a dashboard built on Vite + React.

Cloud-LLM is a hard "no" (D-009). Read-only by design — Mimir shows and warns. It does not execute counter-measures in v0–v1.

Endpoint telemetry from Mimir-daemons (SIEM-ish + inventory profiles)
OSINT correlation: MISP, OTX, AbuseIPDB, GreyNoise, VirusTotal, KEV, Shodan
Heimdal Threat Prevention + Patch & Asset connectors
Reads rAIzr fleet heartbeats — endpoint protection in the same pane
SQLCipher-encrypted store, audit-logged mutations
Local LLM (~30B Q4 via MLX / llama.cpp) for NL summary & query
Cloud-LLM is a hard "no" — D-009. Read-only by design.

// Posture — Mimir topology

Architecture: Four-node, single owner
Store: Encrypted at rest · key in OS Keychain
Ingest: Stateless · token auth
Intelligence: Local LLM (~30B class) · MCP client
Egress: None. Cloud-LLM forbidden by design.
Audit: Every mutation logged + signed
Mode: Read-only by design (v0–v1)

flow:
  endpoint   → ingest      // telemetry
  ingest     → backend     // data-owner
  backend    → intelligence // read-only
  backend    → dashboard    // read-only

boundary:
  loopback only · no cloud egress · audit-logged

See the signal, know the pattern.