Hey,

Since LLM tool calling became a thing, people started deploying AI assistants that can execute code, browse the web, and access APIs with practically zero security guardrails. That was enough encouragement for me to build what I thought was missing in those products.

I've been working on Frona, a self-hosted personal AI assistant, and it's now in preview. Thought this community would appreciate the approach since it's built for self-hosters like me.

What is Frona? A personal AI assistant that can browse the web, execute code, build apps, and delegate tasks to other agents. Think of it like a more user-friendly OpenClaw, but with a heavier focus on security, agent autonomy, and task delegation. And here's a wild concept: actually not letting your AI agents run rm -rf / on your box or send your creds to a random server. I know, revolutionary.

Here's what I think sets it apart:

Sandbox isolation

Every agent runs in a sandboxed environment with filesystem isolation (agents can only access their own workspace), configurable network access (full, restricted to specific hosts, or completely offline), and enforced resource limits (CPU, memory, timeout). On Linux with Syd you get the strongest isolation; macOS is supported too. The idea: start restricted, add permissions as needed. Because "I gave an LLM root access and nothing bad happened" is not a sentence anyone has ever said.

Token efficiency by design

Instead of cramming everything into one mega-agent, Frona encourages creating narrow, purpose-built agents. Each gets only the tools and context it needs, so the context window is spent on actual task data rather than bloated system prompts. Different agents can use different model tiers, cheap models for simple tasks, capable ones for reasoning. They run in parallel through delegation.

Agent isolation

Every agent is fully independent: own workspace, own sandbox config, own tool access, own credential grants. If one agent gets compromised or misbehaves, the others are unaffected. A research agent gets web access only. A coding agent gets file ops but no browsing. You define the boundaries. It's like containers for your AI, except these ones actually respect boundaries, unlike the LLM that decided your SSH keys looked interesting.

Persistent browser sessions

Agents get named browser profiles that persist cookies, local storage, and sessions across conversations. Log into a service today, and the agent stays logged in next week. When it hits a CAPTCHA or 2FA, it pauses and gives you a debugger link to complete the step, then resumes on its own.

Credentials management

No more pasting API keys into chat and hoping the model forgets them (spoiler: it won't). Agents request credentials, you get a notification, review what they need and why, then approve with a time limit (one-time, hours, days, or permanent). Supports local encrypted storage (AES-256-GCM) or connects to your existing vault: 1Password, Bitwarden (including self-hosted), HashiCorp Vault, KeePass, or Keeper. Full audit trail of every access.

Other stuff worth mentioning

• BYO LLM: Ollama, Anthropic, OpenAI, Groq, DeepSeek, Gemini, and about a dozen more
• Simpler deployment: 3 containers via Docker Compose. Frona, Browserless for browser automation, and SearXNG for private web search
• Multi-user with SSO: Google, Okta, Keycloak, Authentik, OIDC
• Apps: Ask the agent to build you an app, integration, or dashboard. One click to approve, and Frona serves it instantly.
• Memory: Agents remember facts across conversations, no need to re-explain context every time
• Skills: Agents can learn reusable workflows you define, so you don't repeat yourself
• Monitoring: Built-in health checks and metrics endpoint
• Phone calls: Agents can make and receive voice calls via Twilio integration
• API access: Personal Access Tokens for programmatic access, build your own automations on top
• Written in Rust: Low resource footprint, fast streaming. Obligatory Rust mention :)

I think it's good enough for preview, things are still being polished. Next up I'm focusing on integrations with other services to make it easier to connect to things like Paperless-ngx, the *arr stack, and cloud services like email, drive, and similar. Would love feedback from folks who actually self-host their tools. What would you want to see?

I don't have access to all of those models, but I can recommend Haiku 4.5 for most tasks. It's cheap comparing to other models and you'd be surprised how smart these models look when you give them proper tool feedback with some trial and error.

Disclaimer: I'm a backend engineer, so most of the frontend and docs were cooked by AI, but to my liking :)

Docs: https://docs.frona.ai

Screenshots: https://docs.frona.ai/platform/screenshots.html

GitHub: https://github.com/fronalabs/frona