Chromium source code

[kbourro]

First of all thanks for the great work you are doing. Is there any public repo with your chromium source code ?

[Cloak-HQ]

Thanks for the kind words!

The wrapper code (Python + JS) is fully open source and MIT licensed. That's everything in this repo.

The Chromium binary is a proprietary build, so the C++ patches aren't publicly available. Anti-bot companies actively monitor open-source stealth projects to build detections against them, so keeping them closed protects everyone using CloakBrowser.

If you have more questions, happy to answer.

[aiprogramming]

Browsers have so much access to our data—going closed-source long-term is bad for trust and community growth. 😬

[Cloak-HQ]

We agree that trust matters, especially for a browser. This is something we take seriously.

We're planning a third-party security audit of the binary as the project grows. Independent verification is the right way to build trust without exposing the patches to anti-bot companies. More on this in #105.

In the meantime, here's what you can verify today:

• VirusTotal clean. Every release binary is scanned — latest Linux x64: 0/55 detections. Links are in every release.
• No telemetry. Built on ungoogled-chromium, which strips all Google tracking and phone-home services. You can verify by monitoring network traffic.
• GPG-signed releases. Every release tag is signed with our public key (C60C0DDC9D0DE2DD). Verify with git verify-tag.
• Binary provenance attestation. GitHub Actions generates provenance attestations for every build. Verify with gh attestation verify.
• SHA-256 checksums. Published in every release. Tampered downloads are rejected automatically by the wrapper.
• Open source wrapper. The Python and JS code is fully MIT licensed. You can read every argument and flag passed to the binary.
• Trusted publishing. PyPI and npm packages are published via GitHub Actions OIDC — no manual API tokens, no way to inject a compromised package outside of CI.

Why the patches stay closed: anti-bot companies like DataDome actively reverse-engineer open-source stealth projects and build targeted detections against them. Publishing our patches would make the browser detectable for every user. Keeping them closed is not about hiding something — it's about keeping the browser working.

We understand that's a tradeoff. The third-party audit is how we plan to bridge that gap — independent experts verify the code is safe without making it public for anti-bot companies to read.