Home / Security

Audit the code. Run it in your VPC.

No hosted backend, no telemetry: recordings stay on your machine, and every network action is one you named.

$ git clone github.com/attenlabs/hotato
hotato — conversation verify
pip install hotato
# -> zero runtime dependencies pulled
$ hotato conversation verify ./call-artifact
  manifest         recomputed
  evidence tier    attested
  signature        verifies
exit 0
A verdict re-derives from its own inputs.

Offline by default.

Scoring, reports, and the workspace read local files and open no sockets.

Proxy variables are honored like curl and pip; TLS validation is never turned off.

Every command, and when it reaches the network
CommandEgressReaches, and when
run, report, assert run, test run (local judge), servenoneLocal only. Reads the files you point it at, writes local files, opens no socket.
connectnoneStores a stack's credentials at file mode 0600; no round-trip on store.
capture, pull, sweepyour providerFetches the recordings you named into a local folder.
inspectyour providerReads the current turn-taking config. Read-only.
hosted judge --judge-provider hostedrefusedRefused unless you pass --judge-egress-opt-in. The default judge is a local model.
hosted diarizer --diarizer pyannoteairefusedThe one off-box audio path, refused unless you pass --egress-opt-in.
drive a live call (Vapi / Twilio)double-gatedPlaces a billable call only with valid credentials and HOTATO_DRIVE_OPT_IN=1.

Evidence, tiered to its weakest signal.

A machine-readable tier caps at the weakest required dimension, never blended or averaged.

evidence · tier & verify
  • tier 0none
  • tier 1asserted
  • tier 2measured
  • tier 3paired
  • tier 4attested

measured recomputes from audio on one clean recording. paired binds a before/after in one manifest, both recomputed under one pinned policy. attested adds a signed policy and an attested capture origin, earned when the Ed25519 signature verifies.

verify re-hashes the bound children, then checks the signature.
Signed manifest, capture origin attested, key verifiesattested
Audio swapped after signing, hash no longer matchesrefused
Verified with the wrong public keyrefused
A tampered proof is refused, at tier none.

Signing is Ed25519, opt-in via the [sign] extra; a verifier needs only the public key.

Three things Hotato will not do.

Boundaries that hold in every configuration.

Guarantee 01

Never mutates production by default

A plan and patch are proposals; apply runs on a staging clone and dry-runs by default.

Guarantee 02

Never uploads recordings to Attention Labs

Audio moves from your stack to your disk only on a pull, capture, or sweep.

Guarantee 03

Never treats a webhook as instructions

The ingest worker extracts a recording reference and scans it. Payload fields are never executed.

Read the full threat model. Send vulnerabilities to contact@attentionlabs.ai; keep recordings, consent, and PII out of public issues.

Prove it yourself. Offline.

Score, assert, and sign every call on your own machine.

$ uvx hotato start --demo

Run it in your own VPC. Self-host →