Build on Cockroach.
A decentralized civic-signal protocol. Signed events, dumb relays, peer-to-peer mesh. CC0 public domain. Fork it. Run your own. Replace ours.
Read these
SPEC.md
Normative protocol: event format, signing rules, relay wire protocol, the orthogonal verdict-model split (kinds 2/3/4/5), the WebRTC peer-mesh signaling kinds (10001/10002/10003), threat model, and the locality-weighted reputation reference algorithm.
WHITEPAPER.md
The why. Vision, design principles, threat model in prose, comparison to alternatives, the locality-weighted reputation argument.
RELEASE.md
How to cut a release: signed Git tags, deterministic tarballs, multi-host Git mirroring, IPFS pinning, coordinated multi-operator launches.
relay/RUN.md
Operator's friction ladder: Render, Replit, Termux, Docker, Fly, bare VPS, TLS reverse proxies, Tor hidden services, content policy template.
Download a relay binary
Standalone executables. ~70 MB. Extract and run — no install, no Bun runtime required.
Extract → double-click start.command (Mac/Linux) or start.bat (Windows). The launcher inside the archive strips macOS quarantine, sets the exec bit, and runs the relay.
Or deploy with one click to a hosted runtime:
How it works
You hold your identity
Your phone or browser generates an ed25519 keypair the first time you open a client. The secret key never leaves your device. No signup, no email, no profile server.
Reports are signed events
A small JSON object — pubkey, timestamp, geohash, tags, description, signature. Around 300–500 bytes. Media is referenced by content-hash, never embedded.
Relays are dumb brokers
A relay verifies your signature, indexes the event, and serves it. It does not decide what is true. Anyone can run one. Anyone can ignore one.
v0.2 — WebRTC peer mesh
Every PWA install joins a peer-to-peer mesh via WebRTC. Events flow over both relays and peer connections. The network survives any single relay going offline.
The five verification verbs
A report on its own is one person's claim. The network's value comes from others observing the same reality and signing what they see. A verification is itself a signed event referencing a report, carrying exactly one verdict:
No global verified=true is stamped on a report. There is only a stream of signed verifications. Different clients aggregate them differently — by locality, by trust list, by recency.
Why locality — not vouching, not proof-of-personhood
If anyone can sign a verification, what stops one person from spinning up ten thousand keys?
Not a central registry of "real" users — that reintroduces the authority we just eliminated. Not proof-of-personhood — that hands the kill switch to whoever runs the verifier. Not vouching — that creates a social graph that becomes a kill list under a hostile regime.
The answer is locality. A key's verification of a report counts in proportion to that key's sustained signed presence in the area where the report was filed. Building influence costs being there over time, not money, not social capital, not external attestation.
Full algorithm in SPEC §8 and WHITEPAPER §6.
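The locality argument above, as an added example that is not the project's code and not the SPEC §8 algorithm: a simplified weighting in which a key's verdict counts by how many distinct days it signed events in the report's area before the report existed. The constants, function names, verdict labels and sample data are all assumptions made for illustration.

```javascript
// Added illustration, not the SPEC §8 algorithm. Every name and constant here is an assumption.
const DAY = 86400;          // seconds
const PREFIX_LEN = 5;       // geohash prefix length treated as "the area"
const WINDOW_DAYS = 90;     // look-back window before the report
const SATURATION_DAYS = 30; // distinct active days needed for full weight

// history: [{ created_at, geohash }], a key's earlier signature-checked events.
function localityWeight(history, report) {
  const area = report.geohash.slice(0, PREFIX_LEN);
  const activeDays = new Set();
  for (const ev of history) {
    const age = report.created_at - ev.created_at;
    // Presence must predate the report; keys minted in reaction to it earn nothing.
    if (age <= 0 || age > WINDOW_DAYS * DAY) continue;
    if (!ev.geohash.startsWith(area)) continue;
    activeDays.add(Math.floor(ev.created_at / DAY)); // a burst in one day counts once
  }
  return Math.min(1, activeDays.size / SATURATION_DAYS);
}

// verifications: [{ pubkey, verdict }]; histories: Map of pubkey -> history.
function tally(verifications, histories, report) {
  const totals = {};
  const seen = new Set();
  for (const v of verifications) {
    if (seen.has(v.pubkey)) continue; // first verdict per key only
    seen.add(v.pubkey);
    const w = localityWeight(histories.get(v.pubkey) || [], report);
    totals[v.verdict] = (totals[v.verdict] || 0) + w;
  }
  return totals;
}

// Constructed data: 3 keys active daily for 30 days vs 10,000 keys created after the report.
function demo() {
  const report = { geohash: "u4pruydqq", created_at: 1700000000 };
  const histories = new Map();
  const verifications = [];
  for (let k = 0; k < 3; k++) {
    const h = [];
    for (let d = 1; d <= 30; d++) h.push({ created_at: report.created_at - d * DAY, geohash: "u4pruvh36" });
    histories.set("resident" + k, h);
    verifications.push({ pubkey: "resident" + k, verdict: "VERDICT_A" }); // placeholder label
  }
  for (let k = 0; k < 10000; k++) {
    histories.set("sybil" + k, [{ created_at: report.created_at + 60, geohash: "u4pruydqq" }]);
    verifications.push({ pubkey: "sybil" + k, verdict: "VERDICT_B" }); // placeholder label
  }
  return tally(verifications, histories, report);
}
```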
Fork. Run your own. Replace ours.
Every artifact in this project is CC0 public domain. No attribution required. No license clauses to honor. No "permission" to ask for. Mirror the repo to GitLab or Codeberg. Pin the spec to IPFS. Build a better client. Run a relay in your city.
If the maintainers of this repo disappear tomorrow, the network keeps working. That is, on purpose, the entire point.