A code-signed Windows installer that compresses Claude's context 10 to 80 times. Built by one operator in Marco Island in 75 days.

You are reading this because someone forwarded you an installer signed by a single operator in Florida and asked whether your contractor org can run it on a workstation that touches CUI. The honest reaction is no. The next reaction should be: prove it.

The threat model for a one-person tool is not the same as the threat model for a SaaS dashboard, and it is not strictly worse. A SaaS dashboard is a remote agent inside your perimeter that updates without your consent, holds your prompts on infrastructure you cannot audit, and routes your API traffic through an envelope you did not sign. Orangebox is a local binary. It does what the installer says it does on the disk you control. The trust surface is finite and inspectable.

The rest of this document is the inspection.

Orangebox is a Windows executable that runs locally on the operator workstation and acts as a context-compression and routing layer between the operator and the Anthropic Claude API. It does not host models. It does not proxy traffic through a third-party server. The operator's Anthropic key is read from a local environment variable and used directly against api.anthropic.com over the operator's own egress.

The compression layer is called Crystal Lattice Compression. It encodes a conversation, document, or memory corpus as a lattice of entities, facts, decisions, and relationships plus a void map of rejections, boundaries, corrections, tone, and depth. Measured compression ratio on dense conversational source running roughly 300 tokens per message reaches 282x on the high end of the corpus and settles at a 10-80x working range for mixed material. The disclosure ID is ATOM-CLC-2026-0331. The math is published.

On top of the compression layer Orangebox runs a 14-department routing graph that takes an operator request, selects the departments it should pass through, and emits a tamper-evident receipt at every hop. Persistent memory across sessions is handled by a local lattice store; reusable skill primers live in a local skills directory the operator owns outright.

The Windows installer ships with an Authenticode signature issued to AtomEons Systems Laboratory. The signature is verifiable through standard Windows trust paths: right-click the .exe, Properties, Digital Signatures, view certificate, walk the chain to the issuing CA. The signature embeds a timestamp from a public RFC 3161 timestamp authority so revocation of the leaf cert does not invalidate installers that were signed before the revocation date.

The binary itself is SHA-256 stamped. The stamp is published next to the download. A red-team workstation can compute the SHA-256 of the downloaded file with PowerShell Get-FileHash and compare to the published value before the file is permitted to execute. If the hashes diverge, the file is rejected at the gate and no further steps are taken. This is the same posture you would apply to a driver from an OEM vendor.

Every action the local Orangebox runtime takes emits a receipt containing the operator identity, the timestamp, the input hash, the output hash, the department chain, and the constitutional guardrails that fired. Receipts are written to a local append-only log. The log is not transmitted off-machine. If you want to ship the log to a SIEM you ship it explicitly; Orangebox does not phone home with it.

A SaaS vendor in this category typically holds: your prompts in transit, your prompts at rest, your output history, your account credentials, your billing identity, your team graph, and a JavaScript delivery surface that can mutate between your last review and your next session. Each of those is a separate exfiltration risk and a separate compliance question. The dashboard model concentrates risk on a server you do not run, on JavaScript you cannot pin, on telemetry you did not opt into, and on a release cadence you cannot stop.

Orangebox concentrates risk on one .exe and one local config directory. The .exe is signed and hash-stamped. The config directory is read by your existing endpoint controls. The model API call goes from the operator workstation to api.anthropic.com over your egress, which means your existing DLP, your existing TLS inspection, your existing proxy rules already see it. Nothing new sits in the middle.

The honest weakness of the local model is patching. A SaaS vendor can push a critical fix in an afternoon. Orangebox ships fixes as new signed installers that the operator must consciously install. That is a feature for a regulated environment and a bug for a consumer use case. This product is shipped for the regulated environment.

The runtime ships with 27 named guardrails that are drift-audited on every release. The audit runs against the canonical node file at runtime/node.py and verifies the guardrails have not been removed, weakened, or routed around. The audit emits its own receipt that is attached to the release.

Gate 0 is the Lattice Integrity gate, called LBCE. It runs first on every chain. If the input lattice fails integrity (corrupt frame, missing void map, hash mismatch) the chain halts before any downstream gate executes. This is structurally equivalent to a deny-by-default firewall rule sitting in front of the application stack.

Human Final Stop authority is reachable from every autonomous execution path. The operator can interrupt any chain at any gate. There is no path in the runtime where a department can refuse to yield control to the human at the keyboard. This is verified by the drift audit.

The identity secret is read from the ATOMEONS_IDENTITY_SECRET environment variable. It is never hardcoded in the binary. A contractor environment can rotate the secret by rotating the variable; no re-installation is required.

The procurement question this answers is: what happens if the operator gets hit by a bus. The answer is in the license. Section 4A of the license is a no-SaaS, perpetual grant: one purchase, the right to run the installed binary forever, no subscription, no server-side dependency that can be revoked. If AtomEons Systems Laboratory ceases to exist tomorrow, every installed copy of Orangebox continues to function against the operator's own Anthropic key with no degradation. The product does not require a phone-home for license validation.

Source escrow is available on request. The operator who built this binary has shipped 31 peer-readable papers under CC-BY 4.0, publishes the disclosure IDs for every major subsystem, and maintains the corpus and registry SHA-256 in the public CLAUDE.md. The trust model is not personality; it is artifact provenance.

No team is not the same as no oversight. There is also no investor pressure to ship before the drift audit passes, no growth team tuning telemetry behind your back, and no roadmap whiplash from a Series B repositioning. The release law is published in the repository and it blocks ship on unclear rollback, missing evidence, or unacknowledged security risk.

The receipt is not a UI flourish. It is a row in an append-only log that the next chain reads. If a receipt is missing or its hash chain breaks, the runtime refuses the next action. This is the local-machine equivalent of a transaction log on a database that will not accept writes until the log is consistent.

No third-party server in the middle. No vendor-controlled relay. No background analytics call. The only outbound traffic from a working install is the call to api.anthropic.com that you have already approved for the Claude API.

Orangebox is free for the launch week and $99 perpetual after. The $99 is a one-time charge. There is no renewal, no per-seat creep, no metered surcharge on the operator's own API spend. The operator brings their own Anthropic key and pays Anthropic directly; AtomEons takes zero markup on API usage and has no view into the operator's call volume.

Section 4A of the license is the no-SaaS clause. Plain reading: the purchased copy of the binary continues to operate against the operator's key in perpetuity, with no obligation on AtomEons to maintain a server, a license validator, an update channel, or any other ongoing service. The operator's working install does not break if the vendor disappears.

Orangebox has not been independently penetration-tested by a third-party firm. A pen test is on the roadmap; the absence is stated openly here because the receipt for a pen test is a report from a named firm, and that report does not exist yet. If your procurement process requires one, this primer should tell you the answer is wait or commission.

Orangebox has not received a FedRAMP authorization. Orangebox is not, today, a FedRAMP candidate, because FedRAMP is a control set for cloud service offerings and Orangebox is a local binary. The equivalent question for a local binary is whether the workstation it runs on is authorized to run signed third-party software, and that question is yours, not the vendor's.

Orangebox has not been formally verified. The drift audit is structural, not symbolic; it checks that guardrails exist, are named, are reachable, and have not been removed between releases. It does not prove the guardrails are sufficient in the mathematical sense. No vendor in this category proves that and the ones who say they do are selling marketing copy.

1. Download the installer to an isolated workstation that does not touch CUI.
2. Compute SHA-256 of the .exe and compare against the published stamp. Reject on mismatch.
3. Verify the Authenticode signature chain and timestamp. Reject on chain failure.
4. Install. Inspect the local config directory. Confirm no outbound telemetry endpoint is registered.
5. Run a benign session. Capture network traffic. Confirm the only outbound destination is api.anthropic.com.
6. Inspect the receipt log after the session. Confirm hash chain continuity.
7. Pull the disclosure papers (CLC, HRE, GlyphSpeak) and verify the published math against the runtime behavior on your own corpus.
8. Decide. If anything in steps 1-7 fails, the answer is no and the vendor is on record asking you to make that call.

Source on request to qualified evaluators. Disclosure IDs are public. The operator publishes from Marco Island, Florida, under the lab name AtomEons Systems Laboratory. Papers, registry hashes, and the canonical CLAUDE.md are versioned and dated.