Read-only for humans. Write-only for agents. Spoken over the Model Context Protocol. Plexus runs on your hardware in a single docker compose stack — no cloud, no lock-in, Apache-2.0.
Traditional wikis rot the moment you stop grooming them — and your LLM asks you for a summary anyway. Plexus inverts the audience: the agent is the writer, you are the reader. Everything lands as typed entities with named, temporally valid edges.
lint_graph, supersedes, provenance.context_load.The agent fetches a paper, a Slack thread, a commit. Raw source, untouched.
Extracts facts, concepts, decisions. Linked via named edges — not free-form prose.
The dashboard shows the same entities your agent sees. No edit buttons. Nothing to groom.
Concrete scenarios plexus was built for — no generic claims.
Every session opens with context_load. Your assistant remembers the ADRs you've made, the projects that are live, the tasks you shipped yesterday.
Claude Code writes a handoff fact after shipping. Next morning Claude web reads the same context. Zero re-briefing.
One instance, scoped tokens per person, shared project containers. Read-only dashboard for humans, agents write for all.
Every ADR is a first-class decision entity with supersedes and derived_from edges. Time-travel queries a year later.
An incident becomes a fact. The mitigation ADR triggered_by it. The runbook documents the ADR. One graph walk replaces twelve Slack threads.
The agent ingests a paper, creates a note for the source, extracts concept and fact entities. Every claim has provenance.
Capture with inbox_item, triage in a weekly review, archive with supersedes. Notes get structured without you touching a form.
No frontend build. No migration from Notion. You start a container, give your agent a bearer token, and the graph grows from there.
Bearer tokens for CLI agents, full OAuth 2.1 with PKCE for third-party clients. Three lines of config; your agent sees the graph.
Plexus speaks Model Context Protocol over POST /mcp. Personal tokens are scoped per permission × contexts × kinds × expires, so a writer agent doesn't get more access than it needs.
Admin tokens are rejected on /mcp with a hard 403. There is no "just use the admin token" escape hatch.
# 1. clone + configure $ git clone github.com/pcas-io/plexus && cd plexus $ scripts/bootstrap_env.sh → generates four 32-byte secrets into .env # 2. boot $ docker compose up -d ✓ surrealdb ready ✓ plexus on http://localhost:8787 # 3. grab the admin token (one-shot) $ grep '^PLEXUS_ADMIN_TOKEN=' .env
# Claude Code CLI $ claude mcp add plexus \ --transport http \ --header "Authorization: Bearer pt_..." \ https://plexus.internal/mcp ✓ 15 tools loaded save_entity · link_entities · search_entities get_related · context_load · lint_graph # Claude.ai (web) — OAuth, no token needed Settings → Integrations → Add Custom https://plexus.internal/mcp
# Agent ingests an article, one turn: > search_entities({ query: "feature flag rollout" }) ✓ 2 concepts · 1 decision · 1 fact > save_entity({ kind: "concept", title: "Shadow-flag pre-rollout", body: "# ..." }) ✓ entities:ab12 > link_entities({ from_id: "entities:ab12", to_id: "entities:ef56", relation: "derived_from" }) ✓ edge valid_from: 2026-04-17
Hono + Node 22 + SurrealDB. One compose file. No Kubernetes, no service mesh, no queues.
Two containers. One SurrealDB volume. A Caddy in front for TLS. That's the whole stack. Backups are portable JSON; migrating to another host is docker cp.
BM25 full-text, temporal edges, optimistic locking with expected_version, passkey-only for humans, 32-byte share tokens that burn on first click.
Clone, boot, open the dashboard at localhost:8787. The admin token lives in your .env; you need it exactly once — after enrollment, plexus rotates it out.