I had been stalling.
Not because AIW was not ready. Because open source is permanent. You put the wrong thing out there and you cannot take it back. So I kept doing one more pass, one more fix, one more reason to wait. Weeks went by. The launch stayed on the list.
Then Fable 5 dropped on June 9 and I had a decision to make.
I could use it for demos. Marketing copy. The fun stuff that makes a launch look good. Or I could point it at the job I had been afraid to do and find out exactly what was hiding in a year of real mainnet work before any of it ever went public.
I pointed it at the scary job.
What It Found in the First Hour
Let me be clear about the plan first. I was never going to make my working repo public. That repo has a year of real mainnet testing in it. Real funds. Real keys. The plan was always a fresh repo, clean history, nothing to leak. That is the only responsible way to open source something like this.
But clean is not a state. It is a job. And I needed someone to walk every commit with a flashlight and tell me what could not cross over.
Fable 5 ran three audits at once. The server, the core wallet code, and the repo history itself. It came back in about an hour.
Here is what it found:
A live mainnet atomic-swap seed. 85 bytes. Committed and then deleted in a later commit. Deleted means nothing in git. Still recoverable by anyone who clones. That one made my stomach drop.
A 9 megabyte Monero hot wallet file sitting in the history. The Bitcoin wallet database sitting in the history. A settings file I had accidentally tracked with my dashboard password in it as plaintext. Three times. My Queen's Decree emergency PIN in the same file. Old audit notes with a real funded Bitcoin address and a wallet RPC password the "redacted" copies were supposed to hide. 68 megabytes of Windows binaries committed straight into the repo, which in open source is exactly how supply-chain attacks start. And a LICENSE file that said all rights reserved, proprietary, while my own website said open source, MIT.
Any one of those is a reason to never point a public remote at this repo. All of them together confirmed that the fresh repo was not a nice-to-have. It was a hard requirement. Rotate the keys. Move the funds. Start clean or do not start.
That is the difference between a tool that finds problems and one that understands consequences.
The One That Could Have Drained My Wallet
The history stuff was bad. This one was live.
Here is how I work. I harden one realm all the way, make it the reference standard, then bring every other realm up to match before anything ships. Monero went first. Before any XMR moves, the server forces a confirmed preview bound to your session. No preview, no send. That is the bar.
Bitcoin had not had its turn yet. Not a hole I forgot about. A realm that had not been through the gauntlet. I knew it was coming. I just had not gotten there.
Fable 5 got there first.
One authenticated request. No preview. No confirmation gate. Rebuild a transaction to any address and broadcast it. Done. That is what Bitcoin send looked like before Fable touched it.
I had been about to run that pass myself when Fable 5 landed. So instead of grinding through it solo, I handed it the Monero implementation as the gold standard and said: bring Bitcoin up to this, line for line, and tell me everywhere it falls short.
It did. It caught the asymmetry, explained it clearly, made Bitcoin mirror the Monero discipline exactly, then went hunting for every cousin of that bug across the whole codebase. A webhook that could be aimed at my own internal network. A wallet binary downloading and running with zero signature check. RPC ports running with authentication off. Default passwords that were just constants anyone could read.
I approved the fixes. It wrote them. Four commits. Every one tested before it moved on.
Then It Did Not Stop
After the repo was clean I asked Fable 5 to do something most people would call risky right after a security review.
Add two entire new chains. Litecoin and Ethereum. The realms that had been greyed out in the app for months.
The accomplishment is not that they work. It is that the security came with them by design, not bolted on after.
Litecoin inherited the Bitcoin hardening down to the last gate. Same fail-closed allowlist. Same preview-bound confirmations. Same per-session staging. Remote only, pointed at your own node.
Ethereum was the one that made me sit back.
The Ethereum realm talks to a remote node for chain data. Your keys live in an encrypted keystore on your own machine. Every transaction is signed locally. The node never sees a private key. Fable wrote the key derivation, the EIP-1559 signing, all of it, using audited crypto libraries.
And it did not just trust its own code. It validated against a known reference vector, signed a transaction, decoded it back, and recovered the sender address to prove the signature was correct before it would let a single unit of value move.
It tested its own work the way I would test someone else's.
The Receipts
I do not take "it works" for an answer. Neither did Fable.
It wrote a regression suite for the new realms. Blind sends rejected. Key-export blocked. Read-only proxies actually read-only. Wallet-overwrite protected. 13 out of 13 passing.
The chat agents for both new realms are read-only by design. They can tell you your balance and estimate gas. They cannot move your money. Only you can, through an explicit confirmation, every single time.
Why 72 Hours Mattered
Here is the part I did not plan for.
Fable 5 launched June 9. I did not know it, but I had about 72 hours with it. June 12, the US government issued an export-control directive citing national security and Anthropic had to disable Fable 5 and Mythos 5 for everyone. You can read Anthropic's own statement on it. Seventy-two hours, start to finish.
I did not know that clock was running when I started. I just knew I had something unusually capable in front of me and a job I had been putting off for weeks. So I used it.
I build AIW by directing AI agents. I have never written a line of its codebase and that is still true. My job is to know what good looks like and hold the line on the rules. The agent builds. The human validates. Rule #0.
For those 72 hours I had a partner that could hold that line at a level I had not worked with before. It did not just answer questions. It found the thing I was afraid of, told me the hard version of the truth, fixed it, doubled the wallet's reach, and tested everything it touched.
The work that had blocked my launch for weeks got done in a window measured in hours. And it turned out to be the only window I would get.
Four security commits. Two new realms. One regression suite. A clean repo that is finally safe to show the world.
The window closed. The doors are locked. The rabbit hole just got two levels deeper.