Sovereignty — Proof, Not Promise
cochranblock.org claims two things on /stats: zero vendor on the request path (via direct.cochranblock.org), and the ability to keep serving if every hyperscaler disappeared tomorrow. This page hands you the recipe to audit both claims from your own machine. Every fact below is either a value this server emitted, or a command you can run to verify it independently.
Server-emitted facts (this binary, right now)
| Fact | Value | Source |
| Git commit (source) | 8f7446e781 | github.com/cochranblock/cochranblock@8f7446e781 |
| Binary SHA256 (short) | 33d9c55fed2b0be0… | computed at startup from /proc/self/exe |
| Build timestamp (UTC) | 2026-05-08T01:56:22+00:00 | build.rs emitted at cargo build |
| Process start (UTC) | 2026-05-08T12:19:30+00:00 | captured on first page-load since boot |
| Host identifier | kova-tunnel-god | kernel hostname(1) |
| Full binary SHA256 | 33d9c55fed2b0be0426f16d8c217db71474ce19b2ae92d31bbebda3fc783c3d5 | |
The Six Proofs — run these yourself
Proof 1 — No hyperscaler ASN on the wire
Claim: packets from you reach this server through consumer ISP → backbone → Verizon FiOS (AS701). No AWS (AS16509), Azure (AS8075), GCP (AS15169), or Cloudflare (AS13335) on the path.
Run it:
traceroute direct.cochranblock.org
# then for each hop IP:
whois -h whois.cymru.com " -v $IP"
Pass if: the last few hops resolve to AS701 (Verizon) and your ISP's AS. Zero hyperscaler ASNs in the trace.
Why this proves it: traceroute runs on your machine, not ours. We cannot fake hops. ASN ownership is public RIPE/ARIN data, independent of anything the server says.
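The pass criterion above can be checked mechanically once the Team Cymru rows for each hop are collected. The following is an added example, not code from cochranblock: the function name, the verdict strings and the sample rows (documentation IPs) are constructed for illustration, and it assumes the final hop of the trace responds.

```shell
#!/usr/bin/env bash
# Added example: audit Team Cymru "-v" rows collected for each traceroute hop.
# ASNs are the ones named in Proof 1; the sample rows are constructed.
HYPERSCALER_ASNS="16509 8075 15169 13335"   # AWS, Azure, GCP, Cloudflare
EXPECTED_LAST_ASN="701"                     # Verizon, per the claim

# stdin: rows "AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name",
# one per responding hop, in path order. Returns 0 on pass, 1 on fail.
audit_hops() {
  local line ip asn h last_asn="" bad=""
  while IFS= read -r line; do
    ip=$(printf '%s\n' "$line" | cut -d'|' -f2 | tr -d ' ')
    # Field 1 may list several ASNs (multi-origin prefix). The header ("AS")
    # and unrouted or private hops ("NA") are non-numeric and are skipped.
    for asn in $(printf '%s\n' "$line" | cut -d'|' -f1); do
      case "$asn" in ''|*[!0-9]*) continue ;; esac
      last_asn=$asn
      for h in $HYPERSCALER_ASNS; do
        if [ "$asn" = "$h" ]; then bad="$bad AS$asn@$ip"; fi
      done
    done
  done
  if [ -n "$bad" ]; then
    echo "FAIL: hyperscaler ASN on path:$bad"
    return 1
  fi
  if [ "$last_asn" != "$EXPECTED_LAST_ASN" ]; then
    echo "FAIL: last routed hop is AS${last_asn:-unknown}, expected AS$EXPECTED_LAST_ASN"
    return 1
  fi
  echo "PASS: no hyperscaler ASN; path ends in AS$EXPECTED_LAST_ASN"
}

# Constructed rows on documentation IPs (not a real trace).
CLEAN_TRACE='AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
NA      | 192.168.1.1      | NA                  |    | other    |            | NA
7922    | 198.51.100.1     | 198.51.100.0/24     | US | arin     | 2001-01-01 | COMCAST-7922, US
701     | 203.0.113.9      | 203.0.113.0/24      | US | arin     | 2001-01-01 | UUNET, US'
PROXIED_TRACE='7922    | 198.51.100.1     | 198.51.100.0/24     | US | arin     | 2001-01-01 | COMCAST-7922, US
13335   | 203.0.113.9      | 203.0.113.0/24      | US | arin     | 2001-01-01 | CLOUDFLARENET, US'

printf '%s\n' "$CLEAN_TRACE" | audit_hops
printf '%s\n' "$PROXIED_TRACE" | audit_hops || true
```

To audit a real trace, run the whois query shown above for each hop IP in path order and pipe the collected rows into audit_hops.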
Proof 2 — TLS cert issued by Let's Encrypt, not a vendor
Claim: the cert terminating TLS is from ISRG Root X1 (Let's Encrypt), issued via ACME DNS-01 to a Rust binary that speaks the protocol itself. No Cloudflare Origin CA, no AWS ACM, no Azure Key Vault.
Run it:
openssl s_client -connect direct.cochranblock.org:443 \
-servername direct.cochranblock.org < /dev/null 2>/dev/null \
| openssl x509 -noout -issuer -subject -dates
Pass if: issuer= contains O = Let's Encrypt. Anything else — ACM, Origin CA, DigiCert, etc. — fails the proof.
Why this proves it: the cert bytes come from the TLS handshake your client already does. We cannot rewrite what your client sees. The issuer is signed by a root you already trust, not by us.
Proof 3 — Public IP is a household FiOS assignment
Claim: the A record for direct.cochranblock.org resolves to an IP allocated to Verizon Communications, not to a cloud provider's prefix.
Run it:
dig +short direct.cochranblock.org
whois $(dig +short direct.cochranblock.org) | grep -iE "orgname|netname|country"
Pass if: OrgName is Verizon / MCI / Cellco, NetName contains a FiOS or residential tag. Fail if it's Amazon, Google, Microsoft, Cloudflare, DigitalOcean, Linode, Hetzner, OVH, or any hosting provider.
Why this proves it: WHOIS records are registry-maintained at ARIN/RIPE and not under our control. The IP→Org mapping is public record.
Proof 4 — Binary is reproducible from public source
Claim: the three Rust binaries on the path (approuter-acme → approuter → cochranblock) are all published and their SHA256 matches what you get when you cargo build --profile=diamond from the same commit.
Run it:
git clone https://github.com/cochranblock/cochranblock
cd cochranblock
git checkout 8f7446e781
cargo build --profile=diamond
sha256sum target/diamond/cochranblock
# Compare with the SHA256 emitted above: 33d9c55fed2b0be0...
Pass if: your locally-built SHA256 matches the one this page reports. (Perfect reproducibility requires matching toolchain + target triple — see P27 Diamond for the canonical profile.)
Why this proves it: no supply-chain middleman can inject code that doesn't show up in your local build. If the hashes match, you've verified there is no build-time vendor on the path either.
Proof 5 — Hyperscaler-blackhole drill (network-level ablation)
Claim: the site has no runtime dependency on any hyperscaler. Drop their entire IP space at the firewall on the origin box and the site keeps serving.
Run it (as origin operator — destructive, do in a maintenance window):
# On the gd origin node:
# Blackhole AWS, Azure, GCP, Cloudflare CIDRs
for cidr in $(curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[].ip_prefix'); do
sudo iptables -I OUTPUT -d "$cidr" -j DROP
done
# ... repeat for Azure, GCP, Cloudflare IP lists ...
# Then hit the site from an external probe:
curl -v https://direct.cochranblock.org/health
Pass if: 200 OK, response body identical. The site keeps serving because nothing on the request path needs to reach those CIDRs.
Why this proves it: ablation is stronger than inspection. It's one thing to trace and see no vendors. It's another to actively sever the connection to every vendor and watch the site stay up.
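Because the drill is destructive, it helps to review the rules before applying them and to have a one-step rollback. The following is an added example, not code from cochranblock: a dry-run generator that validates each prefix and prints (never executes) rules in a dedicated chain plus the commands that undo them. The chain name SOV_DRILL and the sample prefixes are constructed. It handles IPv4 only; iptables does not filter IPv6, so IPv6 prefixes are skipped here and would need the same treatment with ip6tables.

```shell
#!/usr/bin/env bash
# Added example: dry-run rule generator for the Proof 5 drill.
# CHAIN is a hypothetical chain name; the prefixes below are constructed.
CHAIN="SOV_DRILL"

# True only for a.b.c.d/n with octets 0-255 and n in 0-32.
valid_cidr4() {
  local addr="${1%/*}" len="${1#*/}" o
  case "$1" in */*) ;; *) return 1 ;; esac
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  local IFS=.
  set -- $addr                      # split the address into octets
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# stdin: one prefix per line. Prints the rules; nothing is applied.
emit_drill_rules() {
  local cidr
  echo "iptables -N $CHAIN"
  while IFS= read -r cidr; do
    if valid_cidr4 "$cidr"; then
      echo "iptables -A $CHAIN -d $cidr -j DROP"
    else
      echo "# skipped (not an IPv4 CIDR): $cidr"
    fi
  done
  echo "iptables -I OUTPUT -j $CHAIN"
}

# Undo: unhook the chain from OUTPUT, then flush and delete it.
emit_rollback() {
  echo "iptables -D OUTPUT -j $CHAIN"
  echo "iptables -F $CHAIN"
  echo "iptables -X $CHAIN"
}

# Constructed input: two valid prefixes, one IPv6, one bad length, one bare IP.
SAMPLE_PREFIXES='192.0.2.0/24
198.51.100.0/25
2001:db8::/32
203.0.113.0/33
203.0.113.7'

printf '%s\n' "$SAMPLE_PREFIXES" | emit_drill_rules
emit_rollback
```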
Proof 6 — Physical unplug-and-serve
Claim: no vendor has a power switch on this site. The only people who can take it offline are the owner and Verizon (by cutting residential internet).
Run it (as origin operator):
- Unplug ethernet from the gd node. Site goes down. Note timestamp.
- Wait 30 seconds.
- Plug ethernet back in. Site comes back up. Note timestamp.
- Record the total downtime. No cloud console was opened. No vendor was contacted. No account was recovered.
Pass if: recovery loop involves exactly one action (plug the cable back in) and zero vendor interaction.
Why this proves it: recovery scope equals sovereignty scope. If nobody else is needed to bring the site back, nobody else can take it down.
Proof log — past drills
Ablation drills are recorded here. Each entry links to the timestamp, what was severed, and how long the site continued to serve through the drill.
| Date | Drill | Result |
| 2026-04-14 | Initial publication. Six-proof self-audit run against signed-only production paths. All proofs documented with CLI recipes; server-emitted facts live-computed. Development-time tooling separate from the verified production-inference path. | pending first external audit |
The honest caveats
Where sovereignty has edges
DNS. cochranblock.org's authoritative DNS is on Cloudflare's free tier. The direct subdomain resolves through Cloudflare nameservers. That is a vendor on the name-lookup path, not on the request path. Replacing it requires either self-hosting a nameserver (plausible, ~1 hour of work) or paying a registrar ~$12/year for basic DNS. Either one is sovereign; Cloudflare's free tier is the pragmatic current choice because it's free and their nameservers are more available than ours would be.
Let's Encrypt. The TLS cert comes from a nonprofit CA. LE could theoretically stop issuing us certs. If that happens, the ACME client can switch to any other CA (ZeroSSL, Buypass, etc.) without code changes — the protocol is standard.
Verizon FiOS. Residential ISP that can terminate service. This is a real dependency. Mitigation: a second ingress via a different ISP, same binary behind it, served as direct-2.cochranblock.org. On the roadmap.
Electricity + physical space. Power outage takes the site down until UPS/generator. Real, and the one vendor we cheerfully accept (the grid).
The registrar. Whoever sold us the cochranblock.org domain can, in principle, seize it. Mitigation: ICANN transfer lock, multiple-year registration, and the paranoid move of holding a second domain at a different registrar pointing to the same origin.
Sovereignty is a continuum, not a binary. This page publishes where we are on it, with enough detail for anyone to verify and anyone to critique. If a proof fails when you run it — file an issue. The goal is a page that is embarrassing to be wrong about.