Thanks for the kind words!

The wrapper code (Python + JS) is fully open source and MIT licensed. That's everything in this repo.

The Chromium binary is a proprietary build, so the C++ patches aren't publicly available. Anti-bot companies actively monitor open-source stealth projects to build detections against them, so keeping them closed protects everyone using CloakBrowser.

If you have more questions, happy to answer.

Browsers have so much access to our data—going closed-source long-term is bad for trust and community growth. 😬

We agree that trust matters, especially for a browser. This is something we take seriously.

We're planning a third-party security audit of the binary as the project grows. Independent verification is the right way to build trust without exposing the patches to anti-bot companies. More on this in #105.

In the meantime, here's what you can verify today:

• VirusTotal clean. Every release binary is scanned — latest Linux x64: 0/55 detections. Links are in every release.
• No telemetry. Built on ungoogled-chromium, which strips all Google tracking and phone-home services. You can verify by monitoring network traffic.
• GPG-signed releases. Every release tag is signed with our public key (C60C0DDC9D0DE2DD). Verify with git verify-tag.
• Binary provenance attestation. GitHub Actions generates provenance attestations for every build. Verify with gh attestation verify.
• SHA-256 checksums. Published in every release. Tampered downloads are rejected automatically by the wrapper.
• Open source wrapper. The Python and JS code is fully MIT licensed. You can read every argument and flag passed to the binary.
• Trusted publishing. PyPI and npm packages are published via GitHub Actions OIDC — no manual API tokens, no way to inject a compromised package outside of CI.

Why the patches stay closed: anti-bot companies like DataDome actively reverse-engineer open-source stealth projects and build targeted detections against them. Publishing our patches would make the browser detectable for every user. Keeping them closed is not about hiding something — it's about keeping the browser working.

We understand that's a tradeoff. The third-party audit is how we plan to bridge that gap — independent experts verify the code is safe without making it public for anti-bot companies to read.