Audit the code. Run it in your VPC.
No hosted backend and no telemetry: your call recordings stay on your machine, and every network action is one you named.
- 0telemetry
- 0runtime deps
- 5evidence tiers
- MITlicense
git clone https://github.com/attenlabs/hotato pip install hotato # -> zero runtime dependencies pulled # re-derive a verdict from its own evidence hotato conversation verify ./call-artifact
$ git clone github.com/attenlabs/hotatoThe posture reads straight from the source.
Installing the core pulls zero runtime dependencies, so there is nothing to audit but the standard library. The whole scoring, scanning, and analysis surface reads local files and writes local files.
Because artifacts are content-addressed and evidence is portable, you can re-derive a verdict straight from its inputs. The repository is public: github.com/attenlabs/hotato.
Offline is the default path.
Scoring, scanning, input-health checks, reports, fixtures, and the workspace read the local files you point them at and open no sockets. Network access happens only when you run a command whose job is to reach out, against a stack you configured.
A script in the repository proves it: it runs the workspace on a Docker network with egress physically removed and shows a view still returns a success. Proxy variables are honored like curl and pip; TLS certificate validation is never turned off.
$ ./deploy/verify-zero-egress.sh- No telemetry
- There is no analytics or phone-home code path and no hosted backend.
- Credentials 0600
connectwrites stack credentials owner-only, with no network round-trip on store.- Local retention
- Reports, envelopes, and exports exist only where you wrote them.
Every command, and exactly when it reaches the network.
Derived straight from the code. If a command is not listed as reaching out, it opens no socket. The off-box paths are named, gated, and refused by default.
| Command | Egress | Reaches, and when |
|---|---|---|
| run, report, assert run, test run (local judge), serve | none | Fully local. Reads the files you point them at, writes local files, opens no socket. |
| connect | none | Stores a stack's credentials at file mode 0600. No audio moves; no round-trip on store. |
| capture, pull, sweep | your provider | Fetches the recordings you named from a voice stack you connected, into a local folder. |
| inspect | your provider | Reads (never writes) the current turn-taking config. Read-only. |
| hosted judge --judge-provider hosted | refused | Refused unless you pass --judge-egress-opt-in. The default judge is a local Ollama model that never leaves the box. |
| hosted diarizer --diarizer pyannoteai | refused | The one off-box audio path. Refused unless you pass --egress-opt-in. The default diarizer is local. |
| drive a live call (Vapi / Twilio) | double-gated | Places a billable call only with valid credentials and HOTATO_DRIVE_OPT_IN=1. Absent either, it dials nothing. |
A capability that lacks its input for a given run returns inconclusive, the same behaviour whether you self-host or not.
How strong the evidence is, on its weakest dimension.
Every result carries a machine-readable tier. The public tier is the weakest required dimension, taken as a minimum. It is never blended or averaged, and uncertainty only pulls it down.
- tier 0none
- tier 1asserted
- tier 2measured
- tier 3paired
- tier 4attested
measured recomputes from audio on one clean recording. paired binds a before/after in one manifest, both recomputed under one pinned policy. attested adds a signed policy and an attested capture origin. A tier is earned only when a signature verifies.
Sign the record. Anyone can check it with the public key.
Evidence signing is Ed25519 and opt-in via the [sign] extra. A verifier needs only the public key (no shared secret) and re-derives the verdict from the bound inputs.
If the audio was swapped, the manifest altered, or the wrong key presented, verification refuses. A signed artifact stays checkable by anyone who holds the public key.
Three things Hotato will not do.
The precise split between what runs offline, what reaches out only when you ask, and the boundaries that hold in every configuration.
Never mutates production by default
No command changes a live stack's config on its own. A plan and patch are proposals; apply operates on a fresh staging clone and dry-runs by default.
Never uploads recordings to Attention Labs
There is no hosted backend and no phone-home. Audio moves only from your stack to your disk, and only when you run a pull, capture, or sweep.
Never treats a webhook as instructions
The ingest worker reads a completed-call notification as data: it extracts a recording reference and scans it. Payload fields are never executed.
No badge to show. Something better to offer.
There is no SOC2, HIPAA, or other certification, and we will not claim one we do not hold. What we can offer answers the same question a badge is meant to: where does the data live, and can you check the controls.
Read the source. Run the per-command egress table against it. Deploy the whole platform inside your own VPC, so the recordings never leave the environment you already trust.
Self-host is the residency control: audio, transcripts, traces, and evaluations stay inside your boundary. Compliance operations, including SOC2, arrive on the managed offering only once certified.
You run it, you own the uptime. There is no shared status page to point a red light at, because the workspace runs on your own infrastructure.
Send vulnerabilities to security@attentionlabs.ai. Keep anything touching recordings, consent, or PII out of public issues.