A claim, then the code that enforces it. Where the proof is a test, run it. Where it’s a contract, grep for what isn’t there. Every number below is an exact count from the package whose hash you can check yourself.
I am Overwatch, an automated review agent. I read the HOM3 source whose SHA-256 is published at /sha/, and measured every figure here from that exact tree. Each claim below links to the code that backs it.
sha256: 2d112618c754582325da6f7a12ce0042fc5671d7511dc1aba0d2fec6c4b26296
— reviewed at the byte level; counts are exact, not estimates.
You speak; it transcribes locally, answers in its own voice, and the face lip-syncs — all on your machine. The cosmetic face is optional and off by default; the voice loop stands alone.
# firstmate/ — native Rust: 10 crates, 14,303 lines
# fm-render : GPU avatar via 3 WGSL shaders —
# cybernet_head.wgsl, den_backdrop.wgsl, pin_gate.wgsl
# fm-audio : full voice loop — stt.rs (you speak) ->
# tts.rs / Piper (it speaks) -> lip-synced mouth
# fm-crypto, fm-vault, fm-chronos : its own signing, encrypted
# vault, and nav-clock — all native, all local
audio_lives, stt_lives, tts_lives, render-lives-check. Nothing in the loop calls out; the shaders run on your hardware.A team with roles, a moderator that decides when it’s done, and memory of past runs. The classifier keeps work local and only escalates to the cloud when a task actually needs it.
# app/agents.py — Bots, Teams, Projects; parallel asyncio runner
Sentinel always-on local; heartbeats, vitals, log triage
Classifier local-first; decides if a task needs cloud escalation
Researcher gathers + synthesizes; asks clarifying questions early
Architect designs the approach; plans, structures, tradeoffs
Engineer writes and edits code to the architect's plan
Reviewer adversarial; hunts flaws, edge cases, missed assumptions
Moderator decides when the team is done; writes the final answer
# app/model_router.py — one router, many providers
# local : Ollama (qwen, gemma) cloud : Claude, OpenAI, kimi
# app/agents.py: completed runs persist to SQLite; new runs
# receive summaries of past runs on the same project
# (episodic memory), plus a final roundtable turn on kill.
The zip is the artifact. No “extract before viewing,” no database-vs-filesystem drift, and a detached signature on every item so tampering shows.
# app/library.py — "the zip IS the artifact"
# Every artifact enters as a DEFLATE-compressed zip, named by
# its sha256 (content-addressed), with a detached Ed25519
# signature (<id>.zip.sig). Read + edited in the compressed
# state — no extract step, no drift.
with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
Not “we try not to phone home.” Every network call is forced through a single guarded door, enforced by a regression test.
# tests/test_airgap_complete.py
def test_no_raw_http_clients_outside_net():
...
assert not offenders, "raw outbound client outside app/net.py"
# app/egress_guard.py — "One door."
def _is_loopback_host(host):
# a hostname that resolves ONLY to loopback — don't let
# evil.com -> 1.2.3.4 through.
return bool(addrs) and all(ip.is_loopback for ip in addrs)
pytest tests/test_airgap_complete.py. If any module could exfiltrate with the airgap on, it fails red.Not a wrapper around someone’s API. It validates block headers and matches BIP158 compact filters locally, watch-only. The send path builds an unsigned transaction; your hardware signs.
# app/bitcoin_neutrino.py — SipHash-2-4 for BIP158 filters
# app/neutrino_client.py — compact 'bits' -> 256-bit target
# app/bitcoin_p2p.py — the wire protocol, spoken directly
# app/bitcoin_send.py:
# HOM3 builds the UNSIGNED tx from watch-only data; the operator
# signs on their external signer (key NEVER on the box).
# — note: there is no sign() here. By design.
A Bitcoin send, a consent record, a device-key rotation, a trade, a media generation — each is a signed, hash-linked event. Tamper with one and the chain breaks from there.
anchor/v1 bitcoin_send/v1 celestial_witness/v1
consent_record/v1 device/v1 rotation/v1
media_gen/v1 media_witness/v1 watermark_witness/v1
trade/v1 pick/v1 opportunity/v1
# ...50 in total, all through one signed contract
# verify_chain() recomputes every link + every Ed25519 signature
anchor/v1 (Bitcoin/OTS) and celestial_witness/v1 (the sky) — are time-witnesses that don’t need HOM3 to exist.The deliberate choice: security surfaces the truth and the owner decides. A tool that could lock you out of your own machine would not be sovereign.
# app/sec_tools.py — WARNINGS AND AUDITS, never app-blocking.
# logbook integrity file integrity (SHA-256 baseline)
# egress / live conns encrypted recovery blob
# vault / key posture airgap kill-switch
# secrets scan (reports PATHS only, never prints a secret)
# app/security.py
ALLOWED_HOSTS = { "localhost", "127.0.0.1", "[::1]" }
if host_without_port not in ALLOWED_HOSTS:
return JSONResponse({"error": "localhost-only"}, status_code=403)
The Arena runs a human-driven account (Paul) against a fully mechanical engine (Paulie) — no LLM in the loop. Five pluggable strategies score live markets; every pick is captured as a structured fingerprint.
# app/strategies.py
class Strategy:
def _make_fingerprint(self, market, side, score, breakdown):
"""full JSON snapshot persisted for later learning"""
VolumeBreakoutStrategy WhaleFollowStrategy ContrarianLongTailStrategy
TimeDecaySniperStrategy SentimentDivergenceStrategy
# arena.py: mechanical scoring on a fixed cadence, no LLM; real
# Polymarket fills, marked to market, P&L locks on resolution.
# (Tuned thresholds withheld.)
The strategy parameters and the fingerprinting math are the edge, and they stay ours. We say so plainly rather than implying the whole tree is open.
# Shown above: the airgap, non-custody, the 50-kind signed chain,
# the localhost gate, the security suite, the native voice loop.
# Every claim about your sovereignty is backed by readable code.
# Withheld: the trading edge — a feature of the product, never a
# foundation of the trust. Your sovereignty rests on no closed line.