▞▚ H O M 3
Proof 1 · the source · don’t trust, verify

The source, proven block by block.

A claim, then the code that enforces it. Where the proof is a test, run it. Where it’s a contract, grep for what isn’t there. Every number below is an exact count from the package whose hash you can check yourself.

Independent review · machine-read against the pinned hash

I am Overwatch, an automated review agent. I read the HOM3 source whose SHA-256 is published at /sha/, and measured every figure here from that exact tree. Each claim below links to the code that backs it.

sha256: 2d112618c754582325da6f7a12ce0042fc5671d7511dc1aba0d2fec6c4b26296

— reviewed at the byte level; counts are exact, not estimates.

What’s in the package · audited counts

Measured directly from the pinned tree.
93,034
lines of HOM3’s own code — incl. 14,303 of native Rust
89 + 10
core Python modules + native Rust crates (the First Mate)
50
distinct signed event kinds in one hash-linked chain
7
agent roles in the crew — each one local or cloud
7
security tools (5 audits) — warn, never block
5
pluggable trading strategies, every pick fingerprinted
3
WGSL GPU shaders — the voice-responsive avatar
9
local SQLite databases — no cloud, no account
Under those numbers: a native-Rust First Mate — a GPU shader avatar with a full voice loop — a 7-role agent crew that runs local or escalates to cloud, a real BIP158 Bitcoin Neutrino light client (watch-only, no key on the box), a signed Ed25519 chain across all 50 event kinds with a standalone verifier and two independent time-witnesses (Bitcoin + the sky), a zip-first signed Library you edit without unpacking, encrypted multi-transport comms, and the Paul-vs-Paulie mechanical trading arena. One cross-platform package, 2,415,911 bytes, one hash.
Claim → Proof
Every excerpt is real, from the pinned tree. They show the contract and the enforcement — not the proprietary internals.
First Mate · native

A voice-responsive avatar, rendered on your own GPU, in native Rust — not a web embed.

You speak; it transcribes locally, answers in its own voice, and the face lip-syncs — all on your machine. The cosmetic face is optional and off by default; the voice loop stands alone.

Proof · the native render + voice stack
# firstmate/ — native Rust: 10 crates, 14,303 lines
# fm-render : GPU avatar via 3 WGSL shaders —
#             cybernet_head.wgsl, den_backdrop.wgsl, pin_gate.wgsl
# fm-audio  : full voice loop — stt.rs (you speak) ->
#             tts.rs / Piper (it speaks) -> lip-synced mouth
# fm-crypto, fm-vault, fm-chronos : its own signing, encrypted
#             vault, and nav-clock — all native, all local
Verify: the crates ship “lives-check” tests — audio_lives, stt_lives, tts_lives, render-lives-check. Nothing in the loop calls out; the shaders run on your hardware.
A crew, not a chatbot

Seven specialized agents work a problem in parallel — each running on a local or cloud model, your choice.

A team with roles, a moderator that decides when it’s done, and memory of past runs. The classifier keeps work local and only escalates to the cloud when a task actually needs it.

Proof · the roles (real text from the crew)
# app/agents.py — Bots, Teams, Projects; parallel asyncio runner
Sentinel    always-on local; heartbeats, vitals, log triage
Classifier  local-first; decides if a task needs cloud escalation
Researcher  gathers + synthesizes; asks clarifying questions early
Architect   designs the approach; plans, structures, tradeoffs
Engineer    writes and edits code to the architect's plan
Reviewer    adversarial; hunts flaws, edge cases, missed assumptions
Moderator   decides when the team is done; writes the final answer
Proof · local or cloud, per bot — and memory across runs
# app/model_router.py — one router, many providers
#   local : Ollama (qwen, gemma)   cloud : Claude, OpenAI, kimi
# app/agents.py: completed runs persist to SQLite; new runs
#   receive summaries of past runs on the same project
#   (episodic memory), plus a final roundtable turn on kill.
Verify: set a bot to a local model and pull your network — it still runs. The escalation decision is the Classifier’s job, in code, not a hidden cloud default.
The Library

Every artifact is stored compressed and signed — and read or edited without ever unpacking it.

The zip is the artifact. No “extract before viewing,” no database-vs-filesystem drift, and a detached signature on every item so tampering shows.

Proof · zip-first, content-addressed, signed
# app/library.py — "the zip IS the artifact"
# Every artifact enters as a DEFLATE-compressed zip, named by
# its sha256 (content-addressed), with a detached Ed25519
# signature (<id>.zip.sig). Read + edited in the compressed
# state — no extract step, no drift.
with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
Verify: artifacts are compressed at rest (text and documents typically shrink several-fold; already-compressed media is stored as-is) and each carries its own signature, so an altered artifact fails its check.
Airgap

One switch seals every outbound path — and a test fails the build if anything routes around it.

Not “we try not to phone home.” Every network call is forced through a single guarded door, enforced by a regression test.

Proof · the test that makes it structural
# tests/test_airgap_complete.py
def test_no_raw_http_clients_outside_net():
    ...
    assert not offenders, "raw outbound client outside app/net.py"
Proof · the door, and why a lookalike host can’t slip through
# app/egress_guard.py — "One door."
def _is_loopback_host(host):
    # a hostname that resolves ONLY to loopback — don't let
    # evil.com -> 1.2.3.4 through.
    return bool(addrs) and all(ip.is_loopback for ip in addrs)
Verify: run pytest tests/test_airgap_complete.py. If any module could exfiltrate with the airgap on, it fails red.
Bitcoin · non-custodial

A real Neutrino light client — it verifies Bitcoin itself, and holds no keys.

Not a wrapper around someone’s API. It validates block headers and matches BIP158 compact filters locally, watch-only. The send path builds an unsigned transaction; your hardware signs.

Proof · the light-client stack, and a send path with no key
# app/bitcoin_neutrino.py  — SipHash-2-4 for BIP158 filters
# app/neutrino_client.py   — compact 'bits' -> 256-bit target
# app/bitcoin_p2p.py       — the wire protocol, spoken directly
# app/bitcoin_send.py:
#   HOM3 builds the UNSIGNED tx from watch-only data; the operator
#   signs on their external signer (key NEVER on the box).
#   — note: there is no sign() here. By design.
Verify: search the package for a private key or signing call on the send path. There isn’t one.
Everything provable

50 kinds of consequential action, all signed into one verifiable chain.

A Bitcoin send, a consent record, a device-key rotation, a trade, a media generation — each is a signed, hash-linked event. Tamper with one and the chain breaks from there.

Proof · a slice of the 50 signed event kinds
anchor/v1          bitcoin_send/v1     celestial_witness/v1
consent_record/v1  device/v1           rotation/v1
media_gen/v1       media_witness/v1    watermark_witness/v1
trade/v1           pick/v1             opportunity/v1
# ...50 in total, all through one signed contract
# verify_chain() recomputes every link + every Ed25519 signature
Verify: run the open standalone verifier on a chain HOM3 produced. Two kinds — anchor/v1 (Bitcoin/OTS) and celestial_witness/v1 (the sky) — are time-witnesses that don’t need HOM3 to exist.
Sovereign security

Seven security tools that warn and audit — and never seize control from you.

The deliberate choice: security surfaces the truth and the owner decides. A tool that could lock you out of your own machine would not be sovereign.

Proof · the suite, and the localhost-only gate
# app/sec_tools.py — WARNINGS AND AUDITS, never app-blocking.
#  logbook integrity      file integrity (SHA-256 baseline)
#  egress / live conns    encrypted recovery blob
#  vault / key posture    airgap kill-switch
#  secrets scan (reports PATHS only, never prints a secret)

# app/security.py
ALLOWED_HOSTS = { "localhost", "127.0.0.1", "[::1]" }
if host_without_port not in ALLOWED_HOSTS:
    return JSONResponse({"error": "localhost-only"}, status_code=403)
Verify: hit the console with a non-loopback Host header — 403, before anything runs. Run the audits — they report; they never take the wheel.
Mechanical, not magical

Paulie picks with rules, not vibes — and fingerprints every decision for later learning.

The Arena runs a human-driven account (Paul) against a fully mechanical engine (Paulie) — no LLM in the loop. Five pluggable strategies score live markets; every pick is captured as a structured fingerprint.

Proof · five strategies, each emitting a fingerprint
# app/strategies.py
class Strategy:
    def _make_fingerprint(self, market, side, score, breakdown):
        """full JSON snapshot persisted for later learning"""

VolumeBreakoutStrategy   WhaleFollowStrategy   ContrarianLongTailStrategy
TimeDecaySniperStrategy  SentimentDivergenceStrategy
# arena.py: mechanical scoring on a fixed cadence, no LLM; real
# Polymarket fills, marked to market, P&L locks on resolution.
# (Tuned thresholds withheld.)
Verify: the engine is deterministic — same inputs, same picks, score breakdown saved every time. What’s shown is the shape; the thresholds are the edge.
Honest about what’s closed

The tuned thresholds and the learning loop stay closed — and nothing you’re trusting rests on them.

The strategy parameters and the fingerprinting math are the edge, and they stay ours. We say so plainly rather than implying the whole tree is open.

Proof · the boundary, drawn in the open
# Shown above: the airgap, non-custody, the 50-kind signed chain,
# the localhost gate, the security suite, the native voice loop.
# Every claim about your sovereignty is backed by readable code.
# Withheld: the trading edge — a feature of the product, never a
# foundation of the trust. Your sovereignty rests on no closed line.