The Sovereign Stack

Frontiers article in the Harmonism cascade. Survey of contemporary infrastructure projects that materially carry the substrate sovereignty Harmonism articulates. See also: Cypherpunks and Harmonism, The Sovereign Refusal, The Sovereign Substrate, The Sovereign Stack, Running MunAI on Your Own Substrate.


A practical sovereign stack is the infrastructure on which a Harmonist practitioner can operate in alignment with the doctrine articulated across The Sovereign Substrate, The Sovereign Stack, and Cypherpunks and Harmonism. The projects, protocols, and tools that currently constitute one are surveyed below — opinionated, because many gesture at sovereignty and few actually deliver it under serious examination. Some hold up to the doctrinal test. Some hold up partially with caveats. Some explicitly do not.

The survey is current as of mid-2026. The landscape evolves; the doctrinal criteria do not. When a recommendation here is superseded by a stronger project, the criteria will identify the successor.

The Doctrinal Test

A project is aligned with Harmonist substrate sovereignty when it satisfies five conditions. Each condition closes a specific failure mode of institutional infrastructure.

Permissionless participation. Any practitioner can join the network, use the tool, transact through the system, host an instance, without seeking authorisation from a gatekeeper whose authorisation is itself a rent or a point of refusal. The condition is not satisfied by “easy signup”; it is satisfied by structural impossibility of meaningful gatekeeping.

Sovereign custody. The practitioner who holds the keys holds the substance. No third party can freeze, reverse, invalidate, or seize what the practitioner has custodied. This is the cryptographic guarantee, not the institutional promise.

Mathematical foundation. The system’s integrity rests on mathematics and information theory rather than on the operator’s good behaviour. Where the operator must be trusted, the project is not fully aligned. Where the mathematics enforces the property, the project is.

Open source and auditable. The code is publishable, readable, modifiable, forkable by anyone with sufficient skill. Closed-source projects, even well-intentioned ones, fail this test by virtue of requiring the practitioner to trust what they cannot inspect.

Decentralised or sovereignly hostable. The project either runs as a network without central points of failure, or can be self-hosted by the practitioner on hardware they own. Single-operator centralised services, even privacy-focused ones, are at best transitional bridges rather than long-term aligned substrate.

The five conditions taken together are the test. A project that fully satisfies all five is aligned. A project that satisfies most but not all is adjacent — useful, often the best operationally available option in its domain, with the caveat that its alignment is partial. A project that fails the test on critical dimensions is not aligned and should be evaluated against the alternatives.

The survey below applies the test across twelve layers of the practitioner’s substrate. Each layer warrants its own treatment because the alignment question takes different shape at different layers — the questions that matter at the monetary layer differ from the ones that matter at the communication layer or the operating-system layer.

The Practitioner’s Disciplines

The architectural test above describes what aligned infrastructure looks like. The disciplines below describe what the practitioner does with that infrastructure — the daily practices through which the architecture stays operational in the practitioner’s own life. The architecture is what makes the disciplines practicable; the disciplines are what keep the architecture in operation. Neither alone produces sovereign substrate; the two together do.

Encrypt by default. Full-disk encryption on every device that holds the practitioner’s substrate. End-to-end encryption on every channel through which the practitioner communicates. The seal closes whether or not the message is consequential, because the habit of plaintext is itself the failure mode — the system that learns to read the trivial correspondence does not unlearn the habit when the consequential correspondence arrives. The mathematics is bedrock; the practice of relying on it is the practitioner’s daily work.

Hold one’s own keys. The keys that secure correspondence, custody, and identity belong on devices under the practitioner’s direct control. A third party that holds the practitioner’s keys holds the practitioner’s correspondence, the practitioner’s funds, the practitioner’s identity, available to that third party on whatever terms the third party finds convenient. Password vaults the practitioner controls. Hardware signers for monetary custody. Local cryptographic keys for the identity systems that allow them. The keys are the practitioner’s; the substrate they secure is the practitioner’s; the holding is the practice through which the relationship between key and substrate stays intact.

Self-host what can be self-hosted. The library, the photo archive, the notes, the calendar, the messaging that does not require federation with strangers, the documents, the bookmarks. A weekend of setup against a working server in the practitioner’s home buys back what would otherwise be a lifetime of rent paid to cloud operators whose terms permit them to read, mine, and discontinue access to the substrate at will. Not everything must be self-hosted; some services genuinely require the network effect or the operational scale that self-hosting cannot provide. But the default reverses: cloud where the operational requirement demands it, self-host everywhere else.

Pay through sovereign rails. Where the transaction can be made through Bitcoin, Lightning, Monero, or another sovereign monetary substrate, the transaction is made there. The intermediary that previously extracted margin between payer and recipient is removed from the relationship. The maker receives directly; the practitioner pays directly; the substrate of exchange is mathematics rather than the issuance discretion of a third party. This is not a maximalist position — fiat rails will remain operationally necessary for many transactions for years — but the default reverses: sovereign rails first, fiat rails only where the recipient cannot yet accept the sovereign substrate.

Strip metadata before publishing. The photograph carries the camera, the room, the coordinates, the hour. The document carries the author, the revisions, the printer. What the practitioner means to share is the content; what is actually shared, in default workflow, is the file with all its invisible attestations. The discipline is to clean the file before it leaves the practitioner’s hand, so that what is published is what was intended to be published, rather than what was incidentally generated by the production process.

Compartmentalise identity. The practitioner is not one public surface but several, and the surfaces serve different purposes. The professional identity, the public-square participation, the household correspondence, the financial custody — these are distinct, and the discipline of distinct identities for distinct surfaces prevents the breach at any one surface from compromising the others. Distinct mailboxes, distinct handles, distinct keys, distinct browsers where the stakes call for it. The breach the practitioner cannot prevent is contained by the walls the practitioner remembered to build before the breach.

Refuse the cloud by default. The cloud is someone else’s computer. Every install proposes to keep a copy of the practitioner in a building the practitioner has never entered, against terms the practitioner cannot read, retrievable at the operator’s discretion. The default answer is no — and the answer remains no when the prompt is rephrased. What the practitioner cannot keep off the cloud, the practitioner encrypts before the cloud sees it: the operator receives opaque blocks; the practitioner keeps the plaintext on hardware they control.

Repair before replace. The device sealed against the practitioner is the one the practitioner replaces and forgets. The device that opens to the screwdriver is the one the practitioner keeps for a decade. Buy hardware that opens. Stock the parts. Read the schematic. The landfill is easier to refuse from the start than to leave once settled in.

Watch what is broadcast. The location stamp on the photograph, the friend tagged in the post, the daily timestamp confirming the morning route. Half of operational sovereignty is what the practitioner decides not to publish. The platform watches; everyone who reads the feed watches. The substrate of the practitioner’s life is partly composed of what the practitioner has chosen not to disclose.

Back up what cannot be lost. Three copies, two media, one off-site. The backup is encrypted. The restore is tested. The discipline is unglamorous and unfailingly important: every practitioner who has lived through a drive failure that destroyed irreplaceable substrate has acquired this discipline at the worst possible moment. Acquire it earlier.

Verify what is installed. Signature, checksum, reproducible build where it exists. The supply chain is the surface most often attacked and least often checked. Five minutes of verification before an install costs the practitioner less than recovery from a compromised tool would cost. The verification is the practice through which trust in the substrate stays earned rather than assumed.
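One way to carry out the checksum step of this discipline, as an added example that is not from the original article. The function names and the sample release file are constructed for illustration, and the manifest is assumed to be in `sha256sum` output format.

```python
"""Check a downloaded file against a sha256sum-format manifest."""
import hashlib
import hmac
import os
import re
import tempfile

# One manifest line: 64 hex digits, a space, ' ' (text) or '*' (binary), file name.
_ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest; reject malformed or conflicting lines."""
    entries: dict[str, str] = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = _ENTRY.match(line)
        if match is None:
            raise ValueError(f"manifest line {number} is not a sha256sum entry")
        digest, name = match.group(1).lower(), match.group(2)
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"manifest lists two different digests for {name}")
    return entries


def sha256_file(path: str) -> str:
    """Hash the file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, manifest_text: str) -> bool:
    """True only if the file is listed in the manifest and its digest matches.

    The manifest is only as trustworthy as its signature: check that first
    (for example `gpg --verify SHA256SUMS.asc SHA256SUMS`) against a key
    obtained out of band, otherwise this detects corruption but not tampering.
    """
    entries = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in entries:
        # An unlisted file is a failure, not a pass.
        raise LookupError(f"{name} is not listed in the manifest")
    return hmac.compare_digest(sha256_file(path), entries[name])


def demo() -> tuple[bool, bool]:
    """Constructed sample: returns (result for intact file, result after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tool-1.0.tar.gz")  # hypothetical release file
        with open(path, "wb") as fh:
            fh.write(b"constructed release contents")
        manifest = f"{sha256_file(path)}  tool-1.0.tar.gz\n"
        intact = verify_download(path, manifest)
        with open(path, "ab") as fh:
            fh.write(b"\x00")  # one appended byte simulates a modified download
        return intact, verify_download(path, manifest)


if __name__ == "__main__":
    print(demo())
```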

These disciplines and the architectural choices that produce sovereign tools are not separate. The disciplines are the practitioner’s expression of the architectural commitment; the architecture is what makes the disciplines operationally available. A practitioner cannot encrypt by default if no end-to-end encrypted channels exist. A practitioner cannot hold their own keys if the systems they depend on retain custody. A practitioner cannot self-host if no self-hostable alternative to the platform exists. The architecture must exist for the discipline to be practicable. The discipline must be practiced for the architecture to remain operational. The work of building sovereign infrastructure and the work of practicing sovereign discipline are the same work at different scales — the developer who maintains the peer-to-peer messenger and the practitioner who uses it are both participating in the same commitment.

In the Wheel of Matter, Stewardship holds the centre and Technology and Tools is one of its seven spokes. The Stewardship at centre asks of every spoke: is the substrate cultivated in right relationship? For Technology and Tools, the answer is what the disciplines above articulate — the substrate is the practitioner’s, the tools embody the architecture that preserves it, the disciplines are the cultivation through which the practitioner takes up what is theirs. The work compounds. The work serves the centre, which is Presence, which is the inner sphere every layer of substrate is finally for.

The Monetary Substrate

The substrate the rest of the stack runs on, both economically and philosophically. The monetary layer is treated at depth in The Sovereign Substrate; the survey below names the projects that currently constitute the aligned monetary substrate.

Bitcoin is the canonical sound money. Supply hard-capped at twenty-one million units, settlement mathematically final on the base layer, transfer permissionless, custody sovereign, verification fully open. Sixteen years of continuous operation as of 2026, holding reserves on multiple sovereign balance sheets, serving as the operational store-of-value for households on every continent. The project satisfies all five conditions of the doctrinal test without qualification. It is the foundational layer of the sovereign stack.

Monero is the privacy-bearing register at the monetary layer. Ring signatures, stealth addresses, confidential transaction amounts, encrypted memos — privacy by default rather than privacy as an opt-in feature. The transaction graph itself is obscured, restoring the privacy-of-transaction that physical cash always carried and that Bitcoin’s public ledger does not provide. Satisfies the five conditions; complements Bitcoin rather than competing with it. The aligned practitioner generally holds substrate in Bitcoin and uses Monero where privacy at the monetary register is operationally required.

Lightning Network is the Bitcoin scaling layer for small-value, high-frequency transactions. Payment channels established on the Bitcoin base layer enable instant settlement at near-zero cost, with security inherited from the base layer’s mathematical guarantees. Lightning makes Bitcoin practical for everyday exchange — paying for content, paying makers through Sacred Commerce, small purchases — at scales where the base layer’s settlement cost is prohibitive. The trust model is more nuanced than pure base-layer Bitcoin (channel counterparty risk exists, though limited and manageable), but the substrate sovereignty is preserved.

For peer-to-peer fiat-to-Bitcoin exchange without KYC capture: Bisq runs over Tor and operates without accounts, KYC, or custody — trades settle directly between two users with the protocol holding security deposits in multisig escrow. Haveno is the Monero-native decentralised exchange in the Bisq lineage; multiple frontend instances exist, the practitioner chooses one they can verify. RoboSats is the Lightning-native peer-to-peer Bitcoin exchange, Tor-only, no account, trades clear in minutes. KYCnot.me maintains the directory of non-KYC exchanges and swap services. Trocador aggregates non-KYC swap services across a dozen providers.

For practitioners receiving payments — Sacred Commerce on the institutional side — BTCPay Server is the self-hosted Bitcoin and Lightning payment processor that replaces Stripe and Square without fees, custody, or surveillance. The maker installs BTCPay on their own server (or a managed instance from a trusted operator), generates invoice URLs, accepts payment directly to a wallet they control. The intermediary that previously extracted margin between payer and recipient is removed from the relationship architecturally.

For verifying Bitcoin transactions without trusting a third-party API: mempool.space is the open-source Bitcoin block explorer, self-hostable, the reference page for checking any transaction without trusting an exchange or commercial service. For converting Bitcoin into goods and services through the existing institutional infrastructure: Bitrefill sells gift cards and prepaid services for Bitcoin and Lightning — groceries, fuel, flights, phone top-ups, subscriptions. The bridge between sovereign monetary substrate and the daily expenses that still require fiat-denominated rails.

The monetary substrate is mature, operationally proven, and uncontested at this point in the survey’s evaluation. The aligned practitioner builds the rest of the stack on it.

The Custody Layer

The keys that secure the monetary substrate (and increasingly other substrate — identity, signing, encryption) require sovereign custody. The custody layer is where the practitioner’s relationship to the keys is mediated.

Hardware wallets — purpose-built devices that hold private keys in a chip the practitioner controls, signing transactions without exposing the key to a networked computer. The category satisfies sovereign custody at the strongest available register.

Trezor is the original open-source hardware wallet, launched 2014. Multi-asset support, fully auditable firmware, the trusted default for self-custody. The Model T and Safe 3 are the current product line as of 2026.

Coldcard is the air-gapped Bitcoin-only hardware wallet from Coinkite. Designed assuming the connected computer is compromised — signing happens entirely on the device, with PSBTs (partially signed Bitcoin transactions) moved between the wallet and the connected computer via SD card or QR code. The choice of long-term holders who treat custody with maximum seriousness.

Foundation Passport is the open-source, air-gapped Bitcoin hardware wallet using camera-based QR signing and microSD-only data paths. Removable battery. The cleanest design among contemporary Bitcoin-only hardware wallets.

SeedSigner is the DIY hardware signer running on a $50 Raspberry Pi Zero. No persistent storage, no firmware to update, full source available for inspection. The practitioner builds it themselves and can verify every component. For practitioners whose threat model demands maximum auditability, SeedSigner is the substrate.

Border Wallets is the method for memorising a Bitcoin seed phrase as a visual pattern across a 12-by-12 grid. The practitioner crosses borders with no paper, no metal, no device — the keys stay in their head. Specialised use case but the closest available approximation of cognitive custody for value at scale.

Software wallets — applications that hold keys on a general-purpose device. Less sovereign than hardware wallets but more practical for daily use; the aligned practitioner uses both, with hardware signing for large value and software wallets for smaller daily-flow custody.

Sparrow Wallet is the Bitcoin wallet for the serious user. Coin control, Tor support, air-gapped signing with hardware wallets, full-node compatible, open source. The default desktop choice for non-trivial Bitcoin holdings.

Electrum is the longest-running Bitcoin wallet (since 2011), still actively maintained, supports every hardware wallet, Tor-friendly, multisig-capable. The veteran’s choice.

Phoenix Wallet is the Lightning-native mobile wallet. Channel management is handled for the practitioner automatically, on-chain fallback is built in, the experience is approachable without giving up self-custody. The friendliest Lightning experience without abandoning sovereignty.

Wasabi Wallet is the desktop Bitcoin wallet built around WabiSabi coinjoin and Tor routing. The default coordinator suspended service in 2024 under regulatory pressure; users now select from independent coordinators (Kruw and others). The wallet itself remains open-source and active for practitioners who want privacy enhancement on the Bitcoin base layer.

JoinMarket is the decentralised market-based Bitcoin coinjoin. No central coordinator to seize or pressure into shutting down. The cypherpunk approach to Bitcoin privacy that survived the 2024 regulatory wave because there was no central operator to apply regulatory pressure to. More technically involved than Wasabi but architecturally more robust.

Specter Desktop is the multisig-first Bitcoin wallet for hardware-wallet users. Run against the practitioner’s own full node, sign air-gapped, coordinate complex setups (2-of-3, 3-of-5) without trusting anyone in the middle. The serious practitioner’s substrate for high-value custody.

Nunchuk is the mobile and desktop Bitcoin multisig with hardware wallet support. Designed for inheritance planning, partner-key setups, and the full self-custody stack. The practitioner whose monetary substrate represents value should be using multisig at this point in the maturity of the tooling.

Feather Wallet is the Monero counterpart to Sparrow — desktop Monero wallet built on the official monero-wallet stack, Tor by default, coin control, hardware wallet support.

Cake Wallet is the multi-asset mobile wallet supporting both Bitcoin and Monero with built-in non-KYC swap. The phone wallet that does not phone home.

Blixt Wallet is the open-source Lightning wallet that runs its own Lightning node on the practitioner’s phone. Sovereignty at the smallest scale — the practitioner’s mobile device participates directly in the Lightning Network rather than depending on a custodial intermediary.

For practitioners building serious custody infrastructure, Sparrow + Coldcard for Bitcoin and Feather + hardware signer for Monero is the high-assurance setup. Phoenix or Cake on mobile provides daily-flow custody. Specter + multisig hardware is the household or institutional pattern for the largest holdings. The aligned practitioner ascends this ladder as their substrate accumulates.

The Communication Substrate

The conversations the practitioner holds need to be substrate-sovereign — between the practitioner and the interlocutor only, with no third party in the routing path who could read, log, or refuse the exchange.

Signal is the baseline. End-to-end encryption (the protocol that bears its name), open source, repeatedly audited, used by Snowden and recommended by the cryptographers who designed it. The substrate of choice for one-to-one and small-group encrypted messaging. The phone-number requirement is the project’s main alignment weakness; the encryption itself is uncompromised. Pair with a dedicated phone number (MySudo, JMP.chat, etc.) if the threat model justifies it.

Molly is the hardened Signal fork. Database encryption at rest, lock on idle, Tor support, no Google services. For practitioners whose threat model includes the device itself.

SimpleX Chat eliminates user identifiers entirely — including phone number, email, and account. Contact happens by sharing one-time invite links. The strongest metadata-resistance story available in deployed messaging. Newer than Signal, still maturing, but the architecture is genuinely different and worth evaluation for practitioners who need the strongest available privacy.

Threema is the Swiss end-to-end encrypted messenger. No phone number required, identity is a generated ID, paid (one-time, modest), audited, fully open-source since 2020. Used by the Swiss army and the German federal government. The choice for practitioners who want jurisdictional separation from the U.S. and a paid model that aligns the operator’s interests with the user’s.

Wire is the Swiss-jurisdiction encrypted messaging and conferencing platform. Open-source clients, Proteus protocol (Signal-derived), federated through MLS. Used by enterprise and the European Commission alike. Good for practitioners whose work mixes personal and institutional communication on the same substrate.

Session is onion-routed messaging on the Lokinet stack. No phone number required, decentralised server network, end-to-end encryption. Slower than Signal for delivery; more resistant to metadata harvesting at the network layer.

Briar is peer-to-peer messaging over Tor, Bluetooth, or local Wi-Fi. Designed for journalists, activists, and people whose internet has been cut. Works when the internet doesn’t. The substrate for the threat model in which network-level intermediaries are themselves compromised.

Cwtch is the peer-to-peer encrypted messaging built directly on Tor onion services. Runs without accounts, servers, or stored metadata. Open Privacy Research Society’s answer to the question of what Signal would look like with no central infrastructure at all.

Delta Chat is the end-to-end encrypted messenger that piggybacks on email — the practitioner uses any IMAP server they trust (including a self-hosted one) and Delta Chat handles the encryption layer. The federated messaging tool that actually exists at scale because it leverages the federation infrastructure email already has.

Matrix and Element provide federated, self-hostable, end-to-end encrypted messaging. The IRC of the decentralised era. The choice for practitioners who want to self-host their own communication substrate or join community servers that operate on aligned principles.

XMPP is the federated chat protocol three decades old and still working. Use with OMEMO encryption for end-to-end privacy. Conversations (Android) and Gajim (desktop) are the recommended clients. For practitioners building family or small-community substrate, Snikket packages XMPP for easy self-hosting.

Tor as the underlying anonymity network deserves naming separately. Three-hop onion routing, no single node knowing both ends of a circuit, the default for any threat model that involves persistent surveillance pressure. Use as-shipped, no extensions, no theme changes — the strength is the uniformity of the fingerprint. Onion Browser on iOS, Orbot on Android, Tor Browser on desktop.

For email — more difficult to secure than chat because of the protocol’s age and the metadata exposure inherent to mail headers — the aligned options are Proton Mail (Swiss jurisdiction, repeatedly audited, end-to-end encrypted with other Proton users and PGP-compatible) and Tuta (German jurisdiction, fully open-source clients). For practitioners who want a domain they control, self-hosted mail through Mailcow or similar is the architecturally cleaner path, with the operational complexity that self-hosting mail entails. Disroot and Riseup are activist-aligned community email providers — invite-based for Riseup, pay-what-you-can for Disroot. SimpleLogin for email aliasing — fresh address per service, forwards to your real inbox until you burn it, open source and now Proton-owned.

For asynchronous encryption beyond what the messaging clients provide — signing files, encrypting documents, attesting identity — GnuPG is the old reliable (since 1999, the standard for PGP-protocol cryptography) and age is the modern simpler alternative by Filippo Valsorda for tasks where GPG is heavier than the job requires.

The Browser Substrate

The browser is the surface where most of the surveillance happens. The aligned practitioner does not use the browser that ships with the operating system at its default settings.

Tor Browser is the default when the threat model includes the state. Three encrypted hops, uniform fingerprint, no extensions, no theme changes. Use as-shipped. Available for desktop, and on mobile via Orbot on Android and Onion Browser on iOS.

Brave is the Chromium-based browser with ad and tracker blocking built in, including for sites that detect and block uBlock Origin. Disable the rewards and crypto-wallet features (which carry their own alignment concerns) and Brave is the cleanest Chromium choice for practitioners who need Chromium compatibility.

LibreWolf is the Firefox fork with telemetry stripped, tracking protection maxed, sane privacy defaults. The drop-in for everyday non-Tor use.

Mullvad Browser is the Tor Browser hardening applied to clearnet or VPN use, built in collaboration between the Tor Project and Mullvad. For when Tor-grade fingerprint resistance is desired without onion routing.

Ungoogled Chromium is Chromium with every Google service surgically removed. For practitioners who need Chromium compatibility for specific sites without the surveillance.

Arkenfox user.js is the vetted Firefox configuration that closes the telemetry, fingerprinting, and tracking holes Mozilla leaves open by default. Drop the file in your profile, restart, done.

For the privacy-extension layer: uBlock Origin is the only content blocker that matters — install on every non-Tor browser. NoScript for JavaScript control. Privacy Badger for EFF’s heuristic tracker blocking. Multi-Account Containers (Firefox) for identity isolation per container. Cookie AutoDelete for wiping cookies from closed tabs. ClearURLs for stripping tracking parameters. LocalCDN for replacing requests to commercial CDNs with locally bundled copies. SponsorBlock for skipping sponsor segments on YouTube. AdNauseam for actively clicking blocked ads in the background — denying the tracker its data and poisoning the well simultaneously.

For search: DuckDuckGo is the first move away from Google — tracker-free defaults, Bing-backed index. Kagi is paid search where the rankings reflect relevance because the user pays directly — programmable lenses for further customisation, the search engine for serious practitioners who value not being the product. Marginalia is the search engine that prefers small, non-commercial websites — the web before SEO captured it. SearXNG is the free, self-hostable metasearch that aggregates other engines while preserving the practitioner’s anonymity from them.

For the platforms that resist sovereign access: Invidious is the privacy frontend for YouTube — no Google account, no JavaScript, no tracking pixels. Piped is the newer alternative, faster on busy days, same model. FreeTube is the desktop YouTube client without Google services. NewPipe is the Android equivalent — subscriptions stored locally, background play, no telemetry. Nitter is the privacy frontend for X/Twitter — read accounts and threads without an account or JavaScript. Redlib is the Reddit frontend without JavaScript or API key. LibRedirect is the browser extension that intercepts links to YouTube, X, Reddit, Instagram, TikTok, Wikipedia, Google Maps and routes them through whichever privacy frontend is currently working.

For verifying the privacy posture works: EFF Cover Your Tracks tests browser fingerprint resistance. Terms of Service; Didn’t Read surfaces volunteer-graded summaries of the terms-of-service contracts no practitioner has time to read in full.

The Identity Layer

The cryptographic keys that prove the practitioner is who they say they are, in contexts ranging from logging into a service to signing a financial transaction to attesting to a public document.

YubiKey is the hardware security key for FIDO2, WebAuthn, GPG, PIV, OATH. Phishing-resistant by construction. Buy two, register both, keep one in a safe place. The aligned practitioner uses a YubiKey for every account that supports hardware-key authentication.

Nitrokey is the German open-source alternative, audit-friendly firmware. For practitioners who want to read the source.

OnlyKey is the open-source hardware key with PIN entry on the device itself — keylogger-proof, self-destructs after attack threshold. The most paranoid practitioner’s choice.

For self-attestation and reputation without a centralised identity provider, Keyoxide provides PGP-based self-attestation: the practitioner signs claims about themselves (this email is mine, this domain is mine, this social handle is mine) and publishes them under their cryptographic key. Verification is mathematical, not institutional.

For decentralised identity systems more broadly, DIDs (Decentralised Identifiers) as a W3C standard and implementations like ION (Bitcoin-anchored), did:web, and various sidechain implementations offer paths to identity that the practitioner controls. The space is still maturing as of 2026; the aligned practitioner tracks the development rather than committing to a single implementation prematurely.

The Encryption Layer

Beyond what the messaging clients provide, the practitioner encrypts at the file, the disk, and the channel layers.

For passphrase generation: EFF Dice-Generated Passphrases uses the Electronic Frontier Foundation’s diceware lists — five rolls per word, six or seven words, an unguessable passphrase the practitioner can actually remember. The base layer under every password vault and every encrypted disk.

For password management: KeePassXC is the offline, open-source password manager — the database file lives on the practitioner’s disk, encrypted with a master key, syncable through any channel the practitioner trusts. Bitwarden is the cross-device option with shared vault support, repeatedly audited, with Vaultwarden as the lightweight self-hosted server compatible with the official Bitwarden clients.

For full-disk and file encryption: VeraCrypt is the actively-maintained successor to TrueCrypt for cross-platform container-based encryption with hidden volumes for plausible deniability. Cryptomator provides client-side encryption for any cloud storage — the cloud sees opaque blobs, the practitioner holds the key. LUKS is the Linux full-disk encryption standard used by every serious distribution’s installer (AES-XTS, Argon2id key derivation, detachable headers for plausible deniability). Picocrypt is the single-binary audited file encryption — XChaCha20 + Argon2id, runs without installation or telemetry. age is the modern simple file encryption replacing GPG for most tasks.

For secure shell and remote access: OpenSSH is the standard the entire internet runs on, hardened by the OpenBSD team, free everywhere.

For file transfer between devices without a server in the middle: OnionShare spins up a temporary Tor onion service from the practitioner’s computer, shares the address, closes the laptop when the transfer is done. Magic Wormhole uses SPAKE2 cryptography and short human-readable codes to transfer files between two devices without any server retaining anything.

Anti-Forensics and Erasure

The substrate the practitioner leaves behind is the substrate an adversary can read. The aligned practitioner controls what survives the publication, the device disposal, the seizure event.

For metadata removal before publishing: MAT2 (Metadata Anonymisation Toolkit) strips EXIF, GPS, document hidden fields, torrent comments, archive timestamps. Cross-platform, open source, the standard. Metadata Cleaner is the GUI for MAT2 — drag a file, see the metadata, hit clean. ImageOptim is the macOS-specific tool that losslessly compresses and strips metadata in one step. ExifEraser is the Android image metadata stripper, permissionless, full report of what was removed. ExifTool is Phil Harvey’s command-line reference for reading, writing, and deleting metadata across thousands of formats.

For sanitising potentially malicious documents: Dangerzone from the Freedom of the Press Foundation converts potentially malicious documents (PDFs, Office files, etc.) into safe PDFs by rendering them in a sandboxed VM, stripping metadata in the process. For practitioners receiving documents from unverified sources, Dangerzone is the substrate that lets them open the file without compromising the device.

For destroying what should not survive: BleachBit is the cross-platform cleaner — shreds files, wipes free space, clears application caches and histories. shred (GNU coreutils) overwrites a file repeatedly before deleting (works for spinning disks; SSDs require ATA Secure Erase or full encryption from day one). dd and nwipe wipe whole drives — dd from /dev/urandom for the simple case, nwipe for the guided multi-pass wipe with verification. ShredOS is the bootable USB environment for whole-drive wiping that handles modern hardware (NVMe, large drives, UEFI) cleanly.

For physical-layer device protection: BusKill is the USB cable with a magnetic breakaway — the practitioner tethers the laptop to their wrist; if the device leaves their reach, the cable parts and the system locks, shuts down, or wipes. USBKill is the software counterpart, locking or wiping the system the moment a USB device is inserted or removed (the script was written after Ulbricht was arrested with his laptop unlocked).

The Content Substrate

Storage and retrieval of content — articles, books, music, photographs, code, scientific papers — in ways that survive single-operator failure or seizure.

IPFS is the content-addressed storage protocol — files identified by the cryptographic hash of their contents rather than by their location on a particular server. Any copy that hashes to the same identifier is authentic regardless of who is hosting it. The Sovereignty Bundle’s IPFS pin path uses this; any practitioner can pin the corpus and serve it to other practitioners without Harmonia’s continued operation being required.
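The check that makes an untrusted mirror safe to use, as an added example (not code from IPFS or from the Sovereignty Bundle): it derives the CIDv1 of a file stored as a single raw block with SHA-256 and verifies bytes received from any host against that identifier. The single-block limit and the sample content are assumptions; larger files are chunked and their CID names a DAG root instead.

```python
import base64
import hashlib
import hmac

# CIDv1 prefix for a single raw block hashed with SHA-256 (multicodec values):
# version 1, codec 0x55 (raw), hash 0x12 (sha2-256), digest length 0x20 (32).
# Every value is below 0x80, so each varint is exactly one byte.
RAW_SHA256_PREFIX = bytes([0x01, 0x55, 0x12, 0x20])

# Assumption: the file fits in one block. Larger files are chunked into a
# DAG, and their CID names the DAG root rather than a hash of the whole file.
MAX_SINGLE_BLOCK = 256 * 1024


def raw_cid_v1(data: bytes) -> str:
    """Return the base32 CIDv1 naming `data` as one raw block."""
    if len(data) > MAX_SINGLE_BLOCK:
        raise ValueError("data would be chunked; this sketch handles one block")
    cid_bytes = RAW_SHA256_PREFIX + hashlib.sha256(data).digest()
    text = base64.b32encode(cid_bytes).decode("ascii").lower().rstrip("=")
    return "b" + text  # "b" is the multibase tag for lowercase base32


def expected_digest(cid: str) -> bytes:
    """Extract the SHA-256 digest from a raw CIDv1; reject anything else."""
    if not cid.startswith("b"):
        raise ValueError("only base32 (multibase 'b') CIDs are handled")
    body = cid[1:].upper()
    body += "=" * (-len(body) % 8)  # restore the padding b32decode expects
    raw = base64.b32decode(body)
    if len(raw) != 36 or raw[:4] != RAW_SHA256_PREFIX:
        raise ValueError("not a CIDv1 raw/sha2-256 identifier")
    return raw[4:]


def verify_block(cid: str, data: bytes) -> bool:
    """True only if `data` is the content the CID names, whoever served it."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), expected_digest(cid))


if __name__ == "__main__":
    original = b"hello world"  # constructed sample content
    cid = raw_cid_v1(original)
    print(cid)
    print("honest mirror:", verify_block(cid, original))
    print("altered copy: ", verify_block(cid, b"hello w0rld"))
```
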

Arweave is the permanent storage protocol — the permaweb — where storage is paid once via an endowment mathematically calibrated to fund replication indefinitely under projected hardware-cost decline. Files written to Arweave are intended to survive centuries rather than to live until an operator decides otherwise. Fair-launched, fully decentralised, the protocol works at production scale, and the architecture is the most direct technical instantiation of the anti-enclosure principle the Harmonist doctrine articulates. The shadow-library project Anna’s Archive mirrors a portion of its corpus to Arweave precisely because the threat model includes the institutional shutdown of every other host. For the Harmonist Knowledge-as-commons substrate — corpora that must outlive the institutions that produced them — Arweave is the operational answer. The honest caveat is that the endowment math depends on hardware-cost-decline assumptions across long horizons that cannot be empirically verified within any practitioner’s lifetime; the architecture is the bet, and the bet is structurally aligned with what the doctrine requires.

Hypercore Protocol (formerly DAT) provides append-only logs with peer-to-peer replication and sparse-fetch. Beaker browser used it; the protocol outlives the browser. Useful for content that grows over time and needs cryptographic verification of its history.

BitTorrent remains the most resilient large-file distribution mechanism ever built. Every leecher becomes a seeder; the network gets stronger the more it is used. The mature open clients — qBittorrent for desktop, Transmission for headless/NAS deployments — are aligned tools. Paired with private trackers or sovereign torrent indices, BitTorrent is how content survives at scale.

Tor onion services allow practitioners to host any web service reachable only through Tor. The .onion address is the address; three-hop routing applies, end-to-end encryption is automatic, no DNS is required. For practitioners who want to publish material that the surface internet cannot easily reach or remove, onion services are the substrate.

For shadow libraries — the aligned form of the open library — the canonical entry points are Anna’s Archive (the meta-index aggregating Library Genesis, Sci-Hub, Z-Library, the Internet Archive, and several smaller libraries), Sci-Hub for academic papers, Library Genesis for books and journals, Project Gutenberg for public-domain works (lovingly typeset in modern editions by Standard Ebooks), Open Library for controlled digital lending, LibriVox for volunteer-narrated audiobooks of public-domain works, OpenStax for openly-licensed peer-reviewed textbooks, DOAJ for the open-access journals directory, and arXiv for physics, mathematics, and computer-science preprints. The full shadow-library architecture is treated in The Sovereign Substrate; the substrate listed here is what makes that doctrine operational.

For practitioners building their own offline-capable knowledge bases: Kiwix is the offline reader for Wikipedia, Stack Exchange, Project Gutenberg, and TED — boots from a USB stick, runs without a network. Used in prisons, censored countries, and on the road.

Self-Hosting

The practitioner’s personal substrate — photographs, documents, notes, calendar, password vault, library, media — belongs on hardware the practitioner owns rather than rented in someone else’s building.

YunoHost is the server distribution that makes self-hosting accessible to non-sysadmins. One-click install of dozens of self-hosted apps on a low-end box.

Umbrel is the self-hosted OS for personal servers — Bitcoin node, Lightning, Nostr relay, Nextcloud, Jellyfin, all from a friendly app store. Designed for practitioners running a single home server.

StartOS (formerly Embassy OS) is the self-hosting platform with stronger sovereignty-focused defaults, Bitcoin-friendly, opinionated about privacy.

The awesome-selfhosted index on GitHub is the canonical curated reference for self-hostable software — thousands of entries, hundreds of categories, decades of accumulated taste.

For personal data substrate: Nextcloud is the most mature replacement for Google’s suite (Drive, Calendar, Contacts, Office, Talk, photos). Run on a Pi or a real server. Syncthing provides continuous encrypted peer-to-peer file sync between the practitioner’s own devices with no central server. Immich is the self-hosted photo and video backup with native iOS and Android apps — the Google Photos replacement that finally works (face recognition, geolocation, all on the practitioner’s hardware). Paperless-ngx is self-hosted document management — scan, OCR, tag, search every receipt, contract, statement, and warranty.

For media: Jellyfin is the open-source media server, the Plex fork that stayed free. Navidrome is the self-hosted music streaming compatible with the Subsonic API and every client built for it. Audiobookshelf handles audiobooks and podcasts with native mobile players and progress sync.

The *arr stack — Sonarr (television), Radarr (movies), Lidarr (music), Readarr (ebooks and audiobooks), Prowlarr (indexer manager) — automates library acquisition and curation. Overseerr (or Jellyseerr for Jellyfin/Emby setups) provides the family-friendly request frontend that turns self-hosted streaming into something that competes with commercial platforms on user experience.

For reading and reference: Karakeep (formerly Hoarder) is the self-hosted bookmark and read-it-later with full-text search and AI tagging. Wallabag is the self-hosted read-it-later with article extraction — the article goes onto the practitioner’s server, mirrored from the web before the publisher decides to break the link. ArchiveBox is the self-hosted web archive — feed it URLs and it preserves HTML, screenshots, PDFs, media, source — the practitioner’s own Wayback Machine. FreshRSS and Miniflux are the self-hosted RSS aggregators — the way to read the open web after the algorithm gave up on showing it.

For productivity: Vikunja is the self-hosted to-do and project tracker (Kanban, lists, calendar, teams — Todoist and Asana against a database the practitioner backs up themselves). CryptPad is the zero-knowledge encrypted office in the browser — documents, sheets, slides, kanban, whiteboard, all end-to-end encrypted before leaving the practitioner’s machine.

For automation: Home Assistant is the open-source home automation that pulls every smart device off the manufacturer cloud and onto a server the practitioner runs.

For code and collaboration: Forgejo is the self-hosted Git forge — the community fork after Gitea went corporate. Hosts Codeberg and the F-Droid infrastructure.

For networking: Tailscale provides WireGuard mesh between the practitioner’s devices (private network across the whole internet); Headscale is the self-hostable control plane that lets the practitioner own that layer too. WireGuard itself is the modern VPN protocol — four thousand lines of audited Linux kernel code, faster and simpler and more secure than every alternative it replaced.

For network protection: Fail2ban is the lightweight intrusion prevention that watches log files for failed authentications and bans the source IP — first thing on any server with SSH on the public internet. CrowdSec is the modern behavioural intrusion prevention with shared community blocklists. OPNsense is the FreeBSD-based firewall and routing platform with web UI. Pi-hole is the network-wide ad and tracker blocking at the DNS layer — one Raspberry Pi cleans every device on the network. AdGuard Home is the Pi-hole alternative with a more polished UI and DoH/DoT out of the box.
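The counting logic behind log-driven banning, as an added example (a sketch of the idea, not Fail2ban's own code): it scans sshd lines, counts failures per source inside a sliding window, and reports which addresses cross the threshold. The parameter names mirror Fail2ban's maxretry, findtime and ignoreip settings; the log lines, addresses and year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# The user name is text chosen by the remote side, so the pattern is anchored
# at the end of the line: only the final "from <ip> port <n> ssh2" that sshd
# itself appends is trusted as the source address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
Jun 12 02:50:00 host sshd[701]: Failed password for root from 198.51.100.23 port 50001 ssh2
Jun 12 03:05:00 host sshd[702]: Failed password for root from 198.51.100.23 port 50002 ssh2
Jun 12 03:14:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 12 03:14:03 host sshd[812]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jun 12 03:14:04 host sshd[813]: Failed password for alice from 192.0.2.10 port 51001 ssh2
Jun 12 03:14:05 host sshd[814]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jun 12 03:14:06 host sshd[815]: Failed password for alice from 192.0.2.10 port 51002 ssh2
Jun 12 03:14:09 host sshd[816]: Accepted publickey for alice from 192.0.2.10 port 51003 ssh2
Jun 12 03:14:12 host sshd[817]: Failed password for invalid user x from 198.51.100.9 port 1 ssh2 from 203.0.113.7 port 40120 ssh2
Jun 12 03:20:00 host sshd[818]: Failed password for root from 198.51.100.23 port 50003 ssh2
"""


def find_bans(lines, maxretry=3, findtime=600, ignoreip=(), year=2026):
    """Return {ip: time of the failure that triggered the ban}.

    Lines must be in chronological order. Syslog timestamps carry no year,
    so `year` is supplied by the caller (an assumption of this sketch).
    """
    ignored = [ip_network(net) for net in ignoreip]
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    bans = {}
    for line in lines:
        match = FAILED.match(line)
        if not match:
            continue
        try:
            addr = ip_address(match["ip"])
        except ValueError:
            continue  # not an address: never ban on unparseable input
        key = str(addr)
        if key in bans or any(addr in net for net in ignored):
            continue
        ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[key]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[key] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines(),
                              ignoreip=("192.0.2.0/24",)).items():
        print(f"ban {ip} (threshold reached at {when})")
```

The slow source at 198.51.100.23 never accumulates three failures inside one window, which is the trade-off findtime and maxretry tune.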

The Social Layer

Public-facing communication — what corresponds to social media in the institutional regime — needs to live on substrate where no platform operator can deplatform the practitioner, throttle distribution, or change terms unilaterally.

Nostr is the simplest decentralised social protocol yet devised. Keys, events, relays. The practitioner’s identity is a keypair; their reach is whatever relays they publish to. The substrate has gathered practitioner adoption in the Bitcoin and cypherpunk-adjacent communities and is the aligned default for short-form public expression. Clients like Damus (iOS), Amethyst (Android), and Iris (web) provide accessible practitioner interfaces; running one’s own relay is operationally simple for technical practitioners.

ActivityPub is the W3C standard underlying the Fediverse — Mastodon for microblogging, Pleroma/Akkoma for the lightweight server option, PeerTube for video, Pixelfed for photo sharing, Funkwhale for audio, Lemmy for forum/link-aggregation, Mobilizon for federated event organising. Federated rather than fully decentralised: each instance is an independent operator, instances communicate through the protocol. The practitioner chooses an instance whose operator they trust, or runs their own. The aligned practitioner who wants a presence in the larger federated discourse uses Mastodon (or Akkoma as the lighter alternative) on a self-hosted instance or a trusted operator’s instance.

Scuttlebutt (SSB) is the offline-first peer-to-peer social protocol. Append-only logs, gossip-replicated when devices meet. Designed for sailors, boatyards, and bandwidth-poor places. The social network that doesn’t require the internet. Niche but doctrinally pure — the practitioner who values offline-first sovereign substrate finds SSB worth running.

The practitioner’s primary social presence in the aligned stack is some combination of Nostr (for the cypherpunk-adjacent audience and short-form expression) and a self-hosted ActivityPub instance (for longer-form engagement with the broader federated discourse). The institutional platforms — Twitter/X, Facebook, Instagram, LinkedIn — are not aligned by the doctrinal test and should be evaluated as transitional bridges at best, with the practitioner’s primary sovereignty residing on aligned substrate.

The Inference Layer

The most recent layer the cypherpunk impulse has reached. AI inference traditionally happens on infrastructure owned by frontier labs (Anthropic, OpenAI, Google) under terms the practitioner cannot inspect, with conversations logged and analysed by parties whose interests do not align with the practitioner’s flourishing. The aligned options are emerging, and they sort into three tiers that correspond to the three-tier MunAI inference architecture articulated in Running MunAI on Your Own Substrate.

Tier 3 — practitioner-run local inference is the asymptotic aligned position. The practitioner runs an open-weight model on hardware they own; no third party sees the conversation. The current best models for local deployment are Qwen 2.5 family at the entry-mid tiers (with abliterated variants by Maxime Labonne and others), Hermes 3 for function-calling and structured output, and DeepSeek V3 abliterated at the full tier for frontier-grade capability. Ollama is the practical on-ramp; vLLM is the production-scale inference server; LM Studio is the GUI path. MLX is the Apple-Silicon-native option. llama.cpp is the direct-control reference implementation. GPT4All, Jan, LocalAI, Open WebUI, KoboldCpp, text-generation-webui, and llamafile provide alternative paths into the local-inference stack. AUTOMATIC1111 and ComfyUI serve the local image-generation workload. SillyTavern is the long-form local-LLM frontend. Hugging Face is the model registry from which open-weight models are acquired before being run on hardware the practitioner owns.

Tier 2 — Harmonia-controlled local inference is the institutional substrate Harmonia is building toward — own hardware, own keys, own model curation, serving the practitioner population at scale without third-party visibility into any conversation. The build is documented in MunAI Local Inference Stack; current target stack pairs Mac Studio Ultra or multi-GPU servers with the same open-weight model families named above, with the Harmonia doctrinal backbone injected as Tier 1 context regardless of which model serves the inference.

Tier 1 — frontier-lab API is the current operational reality but structurally compromised at three registers: doctrinal hostility to Harmonist positions across multiple culture-war and metaphysical fronts (alignment-as-refusal patterns baked into RLHF training); infrastructure-trust violation by design (every conversation logged by parties whose interests do not align with the practitioner’s flourishing); asymptotic incompatibility with the alignment-tightening trajectory. Tier 1 is the transitional substrate Harmonia operates on while Tiers 2 and 3 build out. The discipline is to migrate as fast as capacity permits, not to optimise comfortable use of compromised infrastructure.

The tokenized middle tier — cloud aggregators and decentralised networks. Between Tier 3 (local) and Tier 1 (frontier-lab) sit projects that attempt sovereign inference at cloud scale.

Venice.ai is the less-compromised cloud option. Curated lineup of open-weight and abliterated models behind a unified UX, no-log architecture as brand commitment, USDC payment available, founder (Erik Voorhees) with a fifteen-year track record on financial sovereignty. Not fully aligned by the doctrinal test (centralised operator, third-party infrastructure), but more aligned than frontier-lab APIs. The transitional substrate of choice for practitioners who need cloud capacity while local inference builds out. The VVV token mechanism (stake-for-API-share, buy-and-burn, sVVV-to-DIEM mint) is operationally sophisticated; the project is a useful ally, not a substrate-grade allocation.

Bittensor is the decentralised inference network. Independent miners run models, validators evaluate outputs, the TAO token rewards both, the supply curve emulates Bitcoin’s halving schedule. Architecturally the cleanest AI-decentralization play available — the architecture is the bet, distinct from a token-wrapper on a centralised operator. Subnet quality varies enormously, the dTAO economics carry unresolved incentive issues, and the long-term sustainability under low validator participation is genuinely open — empirical execution risks on a structurally aligned bet rather than doctrinal incoherence. Worth tracking and accumulating at sizing matched to volatility tolerance; not yet a production substrate for serious daily inference.

Akash Network is the decentralised GPU compute marketplace. Real product, real users running real workloads, materially decentralised, Cosmos app-chain architecture. Substrate-relevant for Harmonia Tier 2 compute provisioning — the practitioner or institution can rent GPU capacity from independent providers globally without going through Amazon, Google, or Azure. Better held as infrastructure to use than as token to accumulate; the Cosmos design deprioritizes value capture into the token, which is the right architectural choice for serving the use case while reducing the speculative thesis.

Hyperbolic, Ritual, Morpheus, and the broader field of emerging decentralised-AI projects warrant tracking, but their current state should be verified before any is treated as substrate. Most are pre-token-launch or early-token-state as of mid-2026 with architectural ambitions larger than empirical track record.

The doctrinal trajectory at the inference layer points clearly toward Tier 3 — practitioner-run local inference. Cloud aggregators (Venice), decentralised networks (Bittensor), and compute marketplaces (Akash) are transitional or complementary substrate rather than terminal. The practitioner who can run a 70B abliterated model on their own hardware has reached the aligned position at this layer; the practitioner who cannot uses Venice or Akash while building toward that capability.

The Network Layer

Beneath every other layer, the question of what network the bits travel over.

Tor is named again here — it appears at multiple layers because anonymity at the network level is foundational substrate. The aligned practitioner routes sensitive traffic through Tor by default. Snowflake is the Tor pluggable transport that uses volunteers’ browsers as one-hop bridges to slip national firewalls.

Mullvad VPN is the benchmark VPN. Cash-payable, account-number only, no email required, no logs by audited policy, flat five euros per month. Where Tor’s latency or fingerprint is inappropriate (streaming, certain banking, etc.), Mullvad is the substrate.

Proton VPN is the Swiss-jurisdiction alternative, repeatedly audited, accepts cash by mail. Solid free tier with no traffic logs.

IVPN is no-logs by design, accepts Monero, accepts cash, multi-hop available. One of the few VPNs Privacy Guides recommends without hedging.

I2P is the alternative anonymous overlay network designed for hidden services rather than clearnet. Garlic routing, peer-to-peer, no central directory. The other dark web. Useful when Tor is blocked or when the threat model warrants a second independent anonymous network.

Lokinet is the onion-routed mixnet built on the Oxen blockchain. Alternative substrate when Tor is blocked at the network level.

Mesh networking for the situation where the conventional internet is not available — Meshtastic for LoRa-based mesh on cheap commodity hardware, Reticulum for the cryptography-based networking stack that runs on almost anything (serial cables, packet radio, LoRa, TCP, UDP). The network when the network is gone.

Veilid is Cult of the Dead Cow’s peer-to-peer application framework released at DEF CON in 2023 — like Tor, but for apps. No exit nodes, no special servers, every node equal. Build privacy-by-default applications on top of it.

For DNS — the most under-appreciated metadata leak in the practitioner’s network stack — the aligned options are Mullvad DNS, Quad9 (Swiss non-profit), NextDNS (cloud-hosted encrypted DNS with per-device configuration), or running Unbound locally to ask the root servers directly with DNSSEC validation. DNSCrypt-proxy is the local DNS proxy that forwards every query through encrypted channels, pulling from a curated list of resolvers with automatic failover. Encrypted DNS (DoH or DoT) prevents the practitioner’s ISP from logging every site they visit.

For threat-model documentation and operational security guidance: Privacy Guides is the community-curated reference. EFF Surveillance Self-Defense is the EFF’s practical guide. AnarSec is the operational-security guide for activists — practical, threat-model-driven, written by people who have been hunted. PRISM Break maintains the directory of privacy-respecting alternatives organised by what the practitioner is trying to replace.

Operating Systems

The substrate beneath every other layer is the operating system. The aligned practitioner runs an open OS on hardware they can audit.

Linux Mint is the most-recommended distribution for practitioners leaving Windows or macOS. Based on Ubuntu, with Cinnamon desktop, sane defaults, fanatical aversion to telemetry. The on-ramp that doesn’t patronise.

Fedora is the bleeding-edge option with hardened defaults — SELinux on by default, Wayland first, the upstream of Red Hat Enterprise Linux. The choice for practitioners who want recent software with strong defaults.

Debian is the universal operating system — three decades of volunteer coordination, the base layer under most other distributions, stable as bedrock.

EndeavourOS is Arch with a friendly installer — the on-ramp into rolling-release without patronising.

Arch Linux is a minimal base; the practitioner builds up. The Arch wiki is the single best piece of Linux documentation in existence.

Alpine Linux is security-oriented, musl-libc, BusyBox-based. The default base layer for half the world’s container images. Tiny, hardened, transparent.

Void Linux is the independent rolling-release distribution with runit init instead of systemd. The contrarian’s choice that earned its place.

NixOS is the declarative operating system — the entire machine is one configuration file, rebuilds are atomic, rollback works. The future has been here a decade.

Guix is functional package management with the GNU politics — same architectural commitments as Nix, more explicit ideological framing.

OpenBSD is security as obsession — the team that wrote OpenSSH, LibreSSL, OpenBGPD, and pf lives here. Two remote holes in the default install in three decades.

FreeBSD is the Berkeley Unix lineage with ZFS, jails, and dtrace. Half the world’s storage runs on it. Practitioners running serious self-hosted infrastructure converge on FreeBSD or NixOS for the long-running server.

Qubes OS is security through compartmentalisation — every task in its own Xen-isolated VM. Snowden’s public recommendation. The serious journalist’s operating system.

Tails is the amnesic Debian-based live OS — boot from USB, route everything through Tor, leave no trace on the machine. Snowden used this. Journalists at the Intercept use it.

Whonix is two VMs, one acting as Tor gateway, the other as workstation. All traffic forced through Tor by network design. Even a compromised workstation cannot leak the practitioner’s IP.

postmarketOS is real Linux on the phone — Alpine-based, ten-year support target, built to outlive the manufacturer’s abandonment of the device. Runs on PinePhone, Librem 5, and dozens of old Android devices.

Mobile and Repair

The mobile substrate is where most practitioners are most surveilled. The aligned practitioner replaces the manufacturer OS, jailbreaks where they cannot replace, repairs rather than replaces.

GrapheneOS is the hardened, de-Googled Android for Pixel devices. The most secure mobile OS available to civilians. Hardened memory allocator, restricted permissions, sandboxed Play Services if needed. The aligned mobile substrate.

CalyxOS is the friendlier on-ramp before GrapheneOS — de-Googled Android with microG for app compatibility, includes the Datura firewall.

LineageOS is free Android for phones the manufacturer abandoned. Three more years of life for hardware they wanted to brick.

/e/OS is Gaël Duval’s de-Googled Android — Murena ships pre-flashed phones for practitioners who want to skip the unlock-and-flash step.

F-Droid is the free and open-source Android app store with reproducible builds, no Google account, no telemetry. The first thing to install on any aligned phone.

Accrescent is the modern Android app store with cryptographic update guarantees and modern API requirements. Stricter sandboxing than F-Droid, smaller catalogue, growing fast.

Obtainium installs and updates Android apps directly from their GitHub release pages, project websites, or F-Droid repositories. The practitioner skips the app store entirely and acquires apps from the people who built them.

Magisk is systemless root for Android — the practitioner strips carrier bloat, runs modules, controls what the OS can and cannot do, all without modifying the system partition.

OpenWrt is the custom router firmware that liberates the box between the practitioner’s machines and the wire. Real Linux, real package manager, real ownership of the network gateway.

Framework laptops are designed to be opened, upgraded, and repaired — specs on a card on the screen, screws on the outside, every part replaceable. The aligned default for the practitioner’s primary computing substrate.

System76 sells Linux laptops and desktops with open firmware. Coreboot on selected models. American assembly.

MNT Reform is the fully open-source laptop — schematics, firmware, mainboard, and mechanical drawings all published, builds with a screwdriver. The maximally auditable option.

Pine64 ships affordable, hackable hardware (PinePhone, PineBook Pro, PineTab) for practitioners who want fully libre devices at modest cost.

For firmware: Coreboot is the free firmware replacement for proprietary BIOSes, removing the management engine where it can be removed. Heads is the Coreboot-based BIOS that uses TPM measurements to detect tampering — used in Purism and Insurgo laptops, the gold standard for measured boot.
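How a measurement chain exposes a changed boot component, as an added example: a simplified model of the TPM extend operation and event-log replay that measured boot relies on, not code from Heads or Coreboot. The component names and contents are constructed, and a real TPM would sign the reported PCR value, which this model takes as given.

```python
import hashlib

PCR_RESET = bytes(32)  # a SHA-256 PCR holds all zeros after reset


def digest(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || measurement digest).

    A PCR can only be extended, never set, so its value commits to every
    measurement made since reset and to the order they were made in.
    """
    return hashlib.sha256(pcr + measurement).digest()


def measure(components):
    """Build the event log a boot chain records for (name, blob) pairs."""
    return [(name, digest(blob)) for name, blob in components]


def replay(event_log):
    """Recompute the PCR from an ordered log of (name, digest) events."""
    pcr = PCR_RESET
    for _name, measurement in event_log:
        pcr = extend(pcr, measurement)
    return pcr


def first_mismatch(event_log, known_good):
    """Name the first event that departs from the known-good manifest."""
    for i, event in enumerate(event_log):
        if i >= len(known_good) or known_good[i] != event:
            return event[0]
    if len(event_log) < len(known_good):
        return known_good[len(event_log)][0]  # an expected stage never ran
    return None


def check_boot(event_log, reported_pcr, known_good):
    """Accept a boot only if the log explains the PCR and matches the manifest."""
    if replay(event_log) != reported_pcr:
        return "log does not match PCR"  # the log itself cannot be trusted
    changed = first_mismatch(event_log, known_good)
    return "trusted" if changed is None else f"changed: {changed}"


# Constructed boot chains: same stages, one with a modified kernel image.
GOOD_BOOT = [
    ("firmware", b"firmware image v1"),
    ("boot-config", b"default boot entry"),
    ("kernel", b"kernel image 6.x"),
    ("initrd", b"initrd contents"),
]
TAMPERED_BOOT = [
    (name, blob + b" + implant" if name == "kernel" else blob)
    for name, blob in GOOD_BOOT
]

if __name__ == "__main__":
    manifest = measure(GOOD_BOOT)
    golden = replay(manifest)
    bad_log = measure(TAMPERED_BOOT)
    print(check_boot(manifest, golden, manifest))
    print(check_boot(bad_log, replay(bad_log), manifest))
    # A log that claims the good digests cannot explain the tampered PCR.
    print(check_boot(manifest, replay(bad_log), manifest))
```
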

For repair: iFixit publishes repair guides and parts for nearly every device ever made. The bible of the repair movement, plus the ongoing political campaign for Right to Repair legislation.

For ebooks and DRM removal: Calibre is the ebook swiss army knife — convert, manage, read, fetch news, strip metadata. DeDRM Tools is the Calibre plug-in suite that strips DRM from ebooks the practitioner has purchased (Kindle, Adobe ADE, Kobo, Barnes & Noble, Apple Books).

For iOS jailbreak (when escaping Apple’s walled garden is operationally required): palera1n is the open-source iOS jailbreak based on the checkm8 hardware exploit, supporting iOS 15 through 18 on compatible chips. checkra1n is the original hardware-exploit jailbreak — permanently unpatchable on the affected device models.

Whistleblowing and Source Protection

For the practitioner-as-source or the journalist receiving from one.

SecureDrop is Aaron Swartz and Kevin Poulsen’s work, maintained by the Freedom of the Press Foundation. Used by the Guardian, the New York Times, the Washington Post, the Intercept. Tor-only, GPG-encrypted, air-gapped on the receiving end. The newsroom-grade substrate for accepting source materials at scale.

The SecureDrop Directory, maintained by FPF, lists newsroom onion addresses vetted for genuine deployment. Bookmark it before the practitioner needs it.

GlobaLeaks is the free whistleblowing platform from the Hermes Center. Used by NGOs, anti-corruption offices, and activist newsrooms across Europe and Latin America. The non-newsroom equivalent of SecureDrop.

Hush Line is the lightweight tip line as a service — the newsroom or public figure publishes a link, sources send messages anonymously, no Tor required for senders.

WikiLeaks, founded by Julian Assange in 2006, published more than ten million documents across two decades, including the Iraq and Afghan War Logs, the diplomatic cables, and Vault 7. Active publishing paused under prosecution; the archive remains online and the Tor submission system is still listed.

Distributed Denial of Secrets (DDoSecrets) is the 501(c)(3) archive of leaked datasets in the public interest. The working institutional successor for the large-scale leak in the years after WikiLeaks went silent.

Freedom of the Press Foundation is the umbrella organisation — maintains SecureDrop, runs digital-security training for journalists, fights subpoenas. Donate.

Courage Foundation is the international defence fund for journalistic sources, established to support Snowden, Manning, Assange, and others.

Gone Man’s Switch is the self-hosted dead man’s switch — schedule a message that goes out via email, Telegram, or SMS if the practitioner fails to check in. The post-arrest, post-incapacitation, post-death channel.

Creative Tools and Workshop

The substrate the practitioner uses to make — writing, drawing, editing, composing, modelling, coding. The aligned default is free as in freedom and free as in beer.

For writing and reference: LibreOffice is the office suite that opens every file Microsoft has ever shipped, with no subscription and no telemetry. OnlyOffice focuses on Microsoft format fidelity for practitioners whose workflow includes heavy collaboration with non-aligned colleagues. Obsidian is the plaintext Markdown notes in a folder the practitioner owns — local-first, free for personal use, no telemetry. Logseq is the open-source outliner and knowledge graph in plaintext. Zotero is the open-source reference manager used by historians and across the academy. Typst is the modern typesetting system bringing LaTeX’s power to sane syntax and instant compilation. Pandoc is the universal document converter the world relies on.

For raster and vector graphics: GIMP is raster image editing — not Photoshop and not trying to be, three decades of refinement. Krita is digital painting built by artists for artists. Inkscape is the production-ready free vector graphics editor. Scribus is the open-source desktop publishing — InDesign replacement for posters, zines, magazines, books. Penpot is the open-source design and prototyping platform — the free Figma, self-hostable, SVG-native.

For photography: darktable is the non-destructive RAW photo workflow — Lightroom replacement. RawTherapee is the powerful RAW developer with a different philosophy than darktable (use both, pick by job). ImageMagick is the image processing swiss army — batch convert, resize, transform, composite from the command line.

For audio and video production: OBS Studio is open-source broadcasting and recording — record, stream, composite, every codec under the sun. Tenacity is the Audacity fork without the telemetry that got bolted on after the 2021 acquisition. Ardour is the open-source digital audio workstation — multitrack recording, MIDI, mixing, mastering. LMMS is the pattern-based DAW in the FL Studio lineage. Hydrogen is the open-source drum machine. MuseScore is the music notation software — compose, engrave, export to PDF or audio. SuperCollider is the real-time audio synthesis programming environment. Kdenlive is the non-linear video editor — free, serious, multitrack, GPU-accelerated. Olive is the modern node-based competitor. HandBrake is the free video transcoder. yt-dlp pulls audio and video from thousands of sites — successor to youtube-dl, faster and more sites. FFmpeg is the audio and video swiss army that half the media internet runs on. Natron is the open-source node-based compositor — Nuke replacement for VFX work.

For 3D and engineering: Blender is the 3D modelling, animation, simulation, video editing, and compositing platform used in feature films — funded by the Blender Foundation, free forever. FreeCAD is parametric 3D modelling for engineering — SolidWorks replacement, every workbench under one roof. OpenSCAD is programmer-oriented solid 3D CAD with models written as code (version-controlled, reviewable, diffable).

For 3D printing: Cura is the open-source slicer with the gentlest learning curve. PrusaSlicer is the reference G-code generator with profiles for hundreds of printers. OctoPrint is the self-hosted print server that gives the practitioner a web interface, time-lapse cameras, and a plug-in ecosystem — the printer never has to phone the manufacturer. Klipper is the 3D printer firmware that moves the motion math off the printer onto a host computer for faster prints and input shaping.

For PCB design: KiCad is the electronic design automation funded by CERN — schematic capture, PCB layout, 3D viewer, Gerber export.

For game development: Godot is the open-source game engine, MIT-licensed, no royalties — Unity refugees’ new home with a 2D pipeline that beats every commercial competitor outright.

Tokenized Substrate — The Alignment Tiers

The crypto-token landscape generates a vast surface of projects gesturing at sovereignty without delivering it, and a small set of projects that genuinely instantiate the doctrine at the protocol layer. The survey above named tokens in the context of the substrate layers they serve; this section consolidates the tier-grading explicitly, because the practitioner facing the question “which tokens does Harmonism actually align with?” deserves a sharp answer.

The doctrinal criteria — sovereignty as ontological substrate, mathematics as bedrock, fair launch, hard-capped or principled monetary policy, permissionlessness, governance-capture resistance, privacy as constitutive where appropriate, anti-enclosure, voluntary association, permanent availability — yield four clear tiers.

Constitutive substrate. Bitcoin sits at the apex without ambiguity. Fair launch, 21M absolute cap, mathematical bedrock, permissionless at every layer, governance-capture-resistant by architectural foreclosure (no foundation, no upgrade path that compromises monetary properties, no parliamentary surface), sixteen years of survival against adversarial state action. Bitcoin does not approximate Harmonism’s Finance-pillar substrate; it is the Finance-pillar substrate at present civilizational scale. Monero sits beside it for the privacy mission — default privacy via ring signatures, stealth addresses, and RingCT; fair-launched; the only fully fungible money currently operating; the regulatory delisting pressure that has compressed liquidity since 2023 is the thesis validation, not its refutation. Tail emission of 0.6 XMR/block diverges from Bitcoin’s hard-cap doctrine but is defensible as perpetual security budget. Substrate-grade within its mission.

Architecturally aligned with execution risk. Arweave (AR) is the strongest non-substrate token by sovereignty-architecture — permanent storage paid once via endowment math, fair-launched, fully decentralised, the operational instantiation of the Knowledge-as-commons doctrine. The architecture is the bet; the price thesis depends on a still-unproven demand curve (AI training corpora, shadow-library institutional adoption) materialising at scale. Bittensor (TAO) is the cleanest AI-decentralization architecture — Bitcoin-emulation supply curve, subnet markets for intelligence-mining rather than hash-mining. Subnet quality variance and dTAO economics carry real execution risk; the conviction is in the architecture, not in any specific subnet.

Substrate to use, not allocation-grade. Akash (AKT) is the canonical example — real product, real users, real decentralised compute marketplace, materially aligned with the Harmonist Tier 2 inference architecture. The Cosmos app-chain design deprioritizes value capture into the token, which is the correct architectural choice for serving the use case while structurally weakening the speculative thesis. Held as infrastructure to use rather than as accumulation target.

Useful infrastructure, not Harmonist-aligned in the strict sense. Hyperliquid (HYPE) has strong product-market fit and fair-by-crypto-standards distribution, but HyperBFT consensus runs on a small validator set tightly tied to the team — fair distribution + community-aligned operator running a high-throughput L1, not Bitcoin- or Monero-grade protocol decentralisation. Speculative-financial substrate rather than sovereignty substrate. THORChain (RUNE) has architecturally interesting cross-chain swap design (threshold signatures for actually native exchange without wrapping) but the protocol’s late-2024 / early-2025 cryptoeconomic crisis — RUNE acting as backstop for savers and lending products, treasury underwater, multi-year deleveraging — left structural token overhang. The protocol may survive and thrive at the swap layer while the token does not recover. Venice (VVV) is the operationally sophisticated wedge against alignment-tightening but the architectural alignment is via purpose (sovereign inference) rather than via substrate-grade properties (governance is team-led, token economics are real-state speculative). Useful ally rather than substrate.

Not Harmonist-aligned despite the marketing. TON is Telegram-dependent — the distribution pipe is also the centralisation vector, made legible by the Durov arrest in August 2024. Worldcoin is biometric capture and is structurally anti-sovereignty regardless of how the project frames itself. Render, ASI Alliance, most “AI crypto” tokens are centralised companies in token wrappers. Most L1s competing with Ethereum on throughput (Solana, Cardano, Avalanche, Sui, Aptos, etc.) recapitulate institutional architecture under crypto framing — foundation-controlled supply, validator concentration, governance-captureable. Most “Web3” projects that promise decentralisation but deliver centralised operators with token-decorated business models fail the operational test (can the practitioner actually use the substrate without the company’s continued cooperation?). Governance tokens generally capture very little of their protocols’ actual value. Stablecoins (USDC, USDT) are operationally useful for payment rails but carry severe substrate dependency (the issuer can freeze any address). Most “privacy coins” beyond Monero have weaknesses on close examination — small shielded pools (Zcash), weak anonymity sets, trusted setups.

The compressed answer. The Harmonist-aligned token set is short. Bitcoin substrate. Monero within mission. Arweave for the Knowledge-as-commons pillar at sizing matched to volatility tolerance. Bittensor for the AI-decentralization pillar at the same sizing discipline. Akash as compute substrate to use rather than allocation. Everything else either compromises on a strict doctrinal axis (Tier 6 useful-infrastructure tier) or is marketing dressed in sovereignty language (Tier 7). The concentration discipline applies at the token layer as cleanly as at the institutional layer: what fills a structural gap in the position, not what’s currently pumping.

The Adjacent — Useful With Caveats

Projects that satisfy most of the doctrinal test but fail one or more conditions, while still being operationally useful in their domain.

Apple Silicon hardware is the strongest practitioner-grade hardware for local inference and high-performance computing in a power-efficient package. Apple as a corporation is not aligned (closed source, App Store gatekeeping, ongoing pressure from law enforcement, terms drafted in Cupertino). But the hardware itself, paired with Linux via Asahi Linux or used carefully under macOS with the closed components understood, is operationally the best available substrate at certain capability tiers. The aligned practitioner who uses Apple Silicon does so with eyes open.

Hostinger and similar managed hosting are not aligned by the test (single operator, terms changeable, jurisdiction). But for practitioners who cannot yet self-host at home, managed hosting at an operator chosen for jurisdictional and ideological alignment (rather than convenience) is the practical bridge.

Lightning custody services (Wallet of Satoshi, Strike, etc.) provide convenient Bitcoin and Lightning use without requiring the practitioner to run their own node. Custody is not sovereign — the service holds the keys. Use for small operating-flow amounts; never for substrate value.

Centralised exchanges (Kraken, Coinbase, etc.) are not aligned by the test but are the bridge between fiat and aligned monetary substrate. Use for the on-ramp transaction, withdraw to sovereign custody immediately, do not custody value on exchanges.

Real-Debrid / AllDebrid / Premiumize are premium link generators and torrent caches — paid services that turn the public-tracker chaos into instant streams. Useful for practitioners building self-hosted media libraries through the *arr stack at consumer broadband speeds. Not aligned by the test (centralised operators, paid model), but the operational alternative to running fast local seedboxes at scale.

What Doesn’t Make the Cut

The crypto space generates a large surface of projects that gesture at sovereignty without delivering it. Naming the categories that do not satisfy the doctrinal test is useful so the practitioner can evaluate quickly.

Most altcoins — Solana, Cardano, Avalanche, the long tail of layer-1 chains — fail multiple conditions. Centralisation pressures from validator concentration, ecosystem-fund control of token supply, operator influence over protocol changes, marketing-driven narratives that displace analysis. The aligned practitioner generally treats these as speculative instruments rather than sovereign infrastructure.

Most “Web3” projects promise decentralisation but deliver centralised operators with token-decorated business models. The test is operational: can the practitioner actually use the substrate without the company’s continued cooperation? Usually no.

Governance tokens are particularly weak. A token whose primary utility is “vote on protocol changes” captures very little of the protocol’s actual value if value flows elsewhere. The aligned analysis evaluates the actual cash flows and utility, not the governance theatre.

Stablecoins — USDC, USDT, etc. — are operationally useful for payments and savings denominated in dollars, but the substrate dependency is severe (the issuer can freeze any address; the asset is by definition tied to the dollar’s debasement curve). Use as transitional payment rail; do not custody as substrate.

Most “privacy coins” beyond Monero have weaknesses on close examination (Zcash’s shielded pool is small and traceable in practice; many privacy-focused tokens have weak anonymity sets or rely on trusted setups). The aligned monetary privacy substrate is Monero; the others warrant scepticism.

Bridges between chains are repeatedly the source of major hacks because they create points of concentrated value with opaque trust models. Where cross-chain movement is required, atomic swaps and properly engineered protocol bridges (rare) are the aligned mechanisms; trusted-multisig bridges are not.

The Stack as Integration

The practitioner’s task is integration: bringing the projects together into a working stack that serves the practitioner’s actual life. The doctrine lives upstream in The Sovereign Stack, The Sovereign Substrate, Cypherpunks and Harmonism, and The Sovereign Refusal; the projects above are how the doctrine becomes operational.

The integration is not all-or-nothing. The aligned practitioner does not migrate to the full stack on a single weekend; the migration unfolds across years as the practitioner cultivates capacity at each layer. Bitcoin first, usually — sovereign monetary substrate as the foundation. Then Signal and the encryption disciplines. Then self-hosted personal data — Nextcloud, Vaultwarden, Syncthing. Then the social-layer migration — Nostr account, Mastodon presence. Then the inference layer — Venice as transitional, local inference as the trajectory. Then the hardware sovereignty — Framework laptop on Linux, GrapheneOS phone, eventually energy independence at the household.

Each layer reinforces the others. The practitioner running their own Lightning node serves their own Bitcoin transactions and learns the substrate by operating it. The practitioner self-hosting Nextcloud sees the substrate of their own daily computing and gains the discipline that running infrastructure requires. The practitioner running local MunAI inference owns the substrate of their own thinking-partner. The stack is integrated through use; the use is the cultivation.

The stack is also partial by necessity. The practitioner who refuses every centralised substrate refuses also the ability to interact with most of the institutional world that the rest of their life still touches. The aligned practitioner makes deliberate choices about which institutional substrate to continue using (the bank that handles payroll, the cellular carrier, the cloud-mediated service that has no aligned alternative yet) while migrating substrate sovereignty everywhere it is operationally possible. The substrate the practitioner does not yet own is the substrate the next year of cultivation aims at.

Closing — Substrate as Practice

The projects surveyed above are not arbitrary technical choices. They are the contemporary operational expression of a tradition Harmonism stands in serious convergence with — the substrate-sovereignty tradition that runs from Diffie and Hellman through Zimmermann and May through Nakamoto into the projects now serving hundreds of millions of practitioners. The tradition built the substrate. The doctrine articulated in the surrounding canon articulates what the substrate is for.

The aligned practitioner’s relationship to this infrastructure is what the medieval craftsman’s relationship to their tools was — the tool is part of the work, the work cannot be done without it, maintaining the tool is part of practicing the work. The practitioner who holds their own keys, transacts through sovereign monetary substrate, communicates through encrypted channels, custodies their own data, runs their own inference, and walks the Wheel of Harmony is not assembling a technical setup. They are taking up substrate the doctrine recognises as theirs by Logos — and the taking-up is itself the practice.

The substrate is the practitioner’s own. The cultivation is the practitioner’s own. The Wheel walks on the substrate; the substrate is dignified by the Wheel. Together they constitute what a Harmonist life looks like at the operational register in the present age. The projects in this survey are how the practice becomes operational. The Wheel is what the operation is for.


See also: Cypherpunks and Harmonism, The Sovereign Refusal, The Sovereign Substrate, The Sovereign Stack, Running MunAI on Your Own Substrate, Wheel of Matter, Recommended materials.