llms-full.txt

# ZERO LLM Full Context

Generated by `scripts/generate_llms_full.py` from selected public docs.
Use this bundle for retrieval and coding agents. It is not evidence of live trading readiness.

## Sources

- `README.md`
- `AGENTS.md`
- `.claude/commands/README.md`
- `CONTRIBUTING.md`
- `GOVERNANCE.md`
- `.github/CODEOWNERS`
- `SECURITY.md`
- `docs/llms.txt`
- `docs/first-10-minutes.md`
- `docs/local-development.md`
- `docs/proof/README.md`
- `docs/architecture.md`
- `docs/agent-architecture.md`
- `docs/cli-quickstart.md`
- `docs/cli-doctor-troubleshooting.md`
- `docs/railway-template.md`
- `docs/vibe-deploy.md`
- `docs/api.md`
- `docs/memory-core.md`
- `docs/genesis.md`
- `docs/research.md`
- `docs/evolve.md`
- `docs/mcp.md`
- `docs/mcp-registry.md`
- `docs/mcp/transcript.jsonl`
- `docs/api-compatibility.md`
- `docs/runtime-bus.md`
- `docs/journal-integrity.md`
- `docs/safety-model.md`
- `docs/threat-model.md`
- `docs/failure-modes-autonomous-loop.md`
- `docs/incident-runbooks.md`
- `docs/incident-postmortems/README.md`
- `docs/open-core-boundary.md`
- `docs/production-readiness.md`
- `docs/public-upgrade.md`
- `docs/autonomous-os-plan.md`
- `docs/private-engine-capability-gap-audit.md`
- `docs/agentic-contribution.md`
- `docs/contributor-issue-board.md`
- `docs/review-ownership.md`
- `docs/label-taxonomy.md`
- `.github/ISSUE_TEMPLATE/agent_task.yml`
- `.github/ISSUE_TEMPLATE/strategy_example.yml`
- `.github/ISSUE_TEMPLATE/safety_review.yml`
- `.github/ISSUE_TEMPLATE/design_review.yml`
- `.github/ISSUE_TEMPLATE/docs_gap.yml`
- `docs/zero-network.md`
- `docs/network-freshness.md`
- `docs/zero-intelligence.md`
- `docs/model-gateway.md`
- `docs/release.md`
- `docs/release-verification.md`


## Source: `README.md`

````markdown
# ZERO

[![CI](https://github.com/zero-intel/zero/actions/workflows/ci.yml/badge.svg)](https://github.com/zero-intel/zero/actions/workflows/ci.yml)
[![OpenSSF Scorecard](https://github.com/zero-intel/zero/actions/workflows/scorecard.yml/badge.svg)](https://github.com/zero-intel/zero/actions/workflows/scorecard.yml)
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE)

**Open ZERO Runtime, Protocol, and Proof for self-custodial capital
operations.**

ZERO is the operating intelligence layer between humans and capital. This
repository is the open substrate beneath that product: runnable Runtime,
Protocol, and Proof software for engineers and self-custodial operators. The
hosted product surfaces live at [getzero.dev](https://getzero.dev),
[app.getzero.dev](https://app.getzero.dev), and the public developer entrypoint
at [getzero.dev/developers](https://getzero.dev/developers).

This repo stays focused on executable trust: paper-first execution, safety
gates, local journals, Hyperliquid read-only/live boundaries, MCP-compatible
readouts, public proof packets, and verification contracts. It does not host the
customer app, founder admin, doctrine portal, or internal design system.

> Not entry automation, a custody service, or an opaque agent. ZERO is operating
> intelligence; this repo is the open Runtime, Protocol, and Proof layer that
> keeps capital operations inspectable, interruptible, and self-custodial.

![ZERO paper runtime terminal proof](docs/assets/readme-terminal.svg)

The first proof is intentionally simple: the runtime boots in paper mode, live
risk refuses closed, public proof packets verify, and no custody is required.
The live proof bridge is separate: a redacted `zero.live_trading_evidence.v1`
packet proves operator-owned Hyperliquid live execution evidence exists without
publishing raw venue records, wallet addresses, or private journals.
Run the same checks locally with:

```bash
just paper-api-smoke
just public-proof
```

## One-Click Paper Rollout

[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/zero-paper-runtime)

ZERO's public Railway template is live: Dockerfile build, `railway.toml`,
`/health`, durable `/data` journal volume, Railway doctor, redacted deployment
evidence packs, and paper-mode live-risk refusal.

Live public paper demo:
[https://zero-production-5214.up.railway.app](https://zero-production-5214.up.railway.app)

Railway template:
[https://railway.com/deploy/zero-paper-runtime](https://railway.com/deploy/zero-paper-runtime)

Use [docs/railway-template.md](docs/railway-template.md) as the marketplace
configuration source of truth. The current Railway Template Publish Packet is
tracked in
[contracts/distribution/railway-template.json](contracts/distribution/railway-template.json).
The Railway partner submission packet is tracked in
[docs/railway-partner.md](docs/railway-partner.md).

```bash
scripts/railway_doctor.py https://zero-production-5214.up.railway.app
```

ZERO has three non-negotiable product rules:

- The Runtime is open source and useful without a hosted ZERO app account.
- Operators keep custody; live-capital paths are local, explicit, and gated.
- Public reputation is built from redacted proof, not screenshots or claims.

## Run ZERO In Two Minutes

ZERO's first-run path is local, paper-first, and does not need exchange
credentials:

```bash
git clone https://github.com/zero-intel/zero.git
cd zero
just bootstrap
just paper-api
```

In another terminal:

```bash
cd zero/cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765
```

Inside the terminal, press `Ctrl+5` or run `/cockpit-mode` for the read-only
Runtime control packet. The `/cockpit-mode` command remains supported, but the
preferred product term is Runtime control packet. In paper/default mode it
should refuse live risk and show the reason:

```text
runtime control
live_mode=refused  ready=false  risk_allowed=false  controls_ready=false
next: fix preflight check live_executor: live executor not configured

operator: handle=local-operator  role=owner  scope=local-private
preflight: passed=2/10 failed=8
immune: open=2 risk_blocking=2
reconciliation: not_configured risk_allowed=false
receipts: total=0 accepted=0 refused=0 exchange_error=0

actions: reduce=/pause-entries /kill /flatten-all  resume=/resume-entries
```

That refusal is the product boundary working: the public runtime can be
inspected, rehearsed, and extended without pretending to be a hosted custody
service or an unattended live-capital promise.

## Launch Status

This repository is the open ZERO Runtime, ZERO Protocol, and ZERO Proof
engineering home. It is launch-ready for paper runtime work, operator CLI development,
safety-gate design, public proof contracts, self-evolution workflows, MCP
contracts, and verification tooling.

For live capital, the public stance is exact: ZERO is a self-custodial local
runtime, not a hosted custody service. Operators bring their own wallet,
exchange account, limits, journals, kill switch, and disclosure policy. The
runtime can only increase risk after local custody, reconciliation, immune,
journal, dead-man, and operator-friction checks pass.

## Live Operation Boundary

| Question | Public answer |
| --- | --- |
| Can a new engineer run ZERO today? | Yes: clone, bootstrap, run the paper API, inspect it through the CLI, and verify proof packs. |
| Can ZERO trade live? | Operator-owned deployments have live Hyperliquid execution evidence represented by `zero.live_trading_evidence.v1`. |
| Does the public repo publish raw live records? | No. It publishes redacted evidence, hash-only proof, canary workflows, and verifiers. |
| Does ZERO custody funds? | No. Live mode is local, self-custodial, explicit, and gated. |
| Is unattended live trading the default? | No. Paper is default; live risk requires canary review and local operator responsibility. |

## Why ZERO Exists

Onchain markets are open 24/7. Leverage punishes attention failure. The old
stack asks operators to stitch together dashboards, alerts, exchange tabs,
copy-trading feeds, scripts, and private spreadsheets, then somehow stay
disciplined under stress.

ZERO turns that workflow into an explicit operating-intelligence loop:

- A runtime that evaluates, rejects, executes, and records decisions.
- A CLI and local control packet that keep the operator in control.
- A safety model that makes risk-reducing actions fast and risk-increasing
  actions deliberate.
- A public Proof surface for profiles, replay, and verification.
- Protocol contracts that apps and agents can inspect without reading private
  product doctrine.

The default mode is paper. Live operation is self-custodial, explicit, and
guarded by preflight checks.

## Open Repository Surfaces

| Surface | Role | Public status |
| --- | --- | --- |
| ZERO Runtime | Python runtime for paper execution, production-parity OODA reports, live-readiness contracts, journals, safety gates, strategy adapters, venue adapter interfaces, CLI/TUI tooling, local evolution gates, and canary evidence. | Open source |
| ZERO Protocol | MCP-compatible schemas, tool permissions, mandates, evidence bundles, replay frames, audit entries, and local verification fixtures. | Open source |
| ZERO Proof | Redacted proof packets, replay/export fixtures, journal roots, verification commands, and public contract schemas. | Open source |
| Developers | Repo-local quickstarts, CLI/API docs, examples, release gates, contribution paths, and public education that starts at [getzero.dev/developers](https://getzero.dev/developers). | Open source |

The ZERO CLI is Runtime tooling, and ZERO Evolution is a local Runtime subsystem
covering memory, genesis proposals, research reports, decision-stack review,
guardian review, red-team, paper canaries, calibration, promotion plans, local
apply receipts, rollback receipts, and evolve loops. They are not separate
hosted public surfaces.

Hosted ZERO Studio, ZERO Control, and ZERO Registry are product surfaces outside
this repository. This repo supplies their runnable Runtime, Protocol, and Proof
contracts; it should not turn hosted UI, founder-admin, or doctrine machinery
into public repo scope.

## Capability Boundary

| Capability | Public repo state |
| --- | --- |
| Paper Runtime | Runnable now with deterministic fixtures, local API, CLI, Docker, and Railway paths. |
| Live market data | Runnable now through read-only Hyperliquid public info calls when enabled. |
| Live readiness | Runnable now as local preflight, cockpit, certification, reconciliation, immune, receipt, evidence, and canary-policy contracts. |
| Live execution | Private operator deployments have live Hyperliquid execution evidence represented by the redacted public packet. New live capital remains operator-owned, self-custodial, and gated by local custody, preflight, journal, kill-switch, reconciliation, and canary policy. |
| Self-evolution | Local memory, genesis proposal core, research command chain, decision-stack lenses/layers/modifiers, production-parity OODA reporting, and paper-first evolve gates exist now with redacted extraction, append-only journals, guardian classification, hunt/edge/convergence/thesis/score/meta/sharpen reports, public evaluation surfaces, live-shadow fail-closed parity, red-team review, sandbox candidate mutation, paper canary, calibration, promotion plan, rollback plan, promotion verification, explicit local apply, rollback receipts, API readouts, and expanded read-only MCP snapshots for runtime status, parity, health, journal, rejection audit, memory stats, immune state, backtest summary, evidence bundle, and safety catalog. Protected live-code evolution remains human-reviewed. |
| Public Proof | Runnable now through deterministic demo proof packs, redacted contracts, `zero.live_trading_evidence.v1`, canary bundles, exchange-evidence normalization, recursive checksums, and operator report verification. |
| Developers | Public docs start at [getzero.dev/developers](https://getzero.dev/developers); Proof starts at [getzero.dev/proof](https://getzero.dev/proof). |

```mermaid
flowchart LR
  A["Market data and strategy inputs"] --> B["ZERO Runtime"]
  B --> C["Safety gates and risk policy"]
  C --> D["Paper or self-custodial live execution"]
  B --> E["ZERO CLI"]
  B --> F["Audit journal"]
  F --> G["ZERO Proof"]
  G --> H["Public verification"]
```

## What You Can Run Today

- Run the local paper engine against bundled example candles.
- Run a bounded paper OODA runtime cycle with durable cycle records.
- Run a production-parity OODA report that mirrors paper intents through a
  disabled live executor, proves fail-closed behavior, and emits
  `zero.runtime.production_parity.v1`.
- Extract local public-safe memory from paper decisions and generate
  `knowledge.md`.
- Classify fixture-backed genesis proposals as accepted, rejected, or escalated
  without applying code changes.
- Run the paper-first evolve harness for accepted genesis proposals; the default
  run path materializes a sandbox candidate tree, promotion plan, rollback plan,
  and promotion verification without mutating the checkout or pushing a branch.
- Explicitly apply and roll back allowed docs/example evolve candidates in a
  local checkout with exact approval phrases, original/candidate hash checks,
  apply receipts, and rollback receipts.
- Run the paper-only research command chain for hunt, edge, convergence,
  thesis, score, meta, and sharpen reports from public fixtures.
- Inspect the public decision stack for lenses, layers, modifiers, and
  paper/live separation.
- Add a declarative paper strategy runner with conformance output.
- Start a local paper API and inspect operator state.
- Use the Rust CLI for health checks, status, replay, and supervised actions.
- Query Hyperliquid read-only market data without exposing funds.
- Exercise live-readiness, immune, reconciliation, and certification contracts
  without placing capital at risk.
- Keep the full-screen Runtime control packet open with Ctrl+5 or
  `/cockpit-mode` while the read-only `/live/cockpit` packet is polled from the
  Runtime.
- Inspect public-safe local live execution receipts from the operator CLI,
  including accepted/refused/exchange-error counts and hash-only receipt proof.
- Capture signed, public-safe live evidence packets for supervised canary
  rehearsal without leaking credentials or raw private journals.
- Inspect the live canary policy lifecycle for readiness, arm/disarm, launch
  window, evidence, shadow review, qualification, follow-through, and next
  action through `/live/canary-policy` or the operator CLI.
- Run the maintained live canary rehearsal collector in fail-closed public
  paper mode, or in explicit operator-owned canary mode when local live gates
  are ready.
- Verify canary evidence bundles locally before sharing them as launch or
  incident evidence.
- Verify the committed redacted live trading evidence packet that summarizes
  private operator Hyperliquid fills, trades, and live decisions without raw
  custody material.
- Attach public-safe exchange-side order/fill evidence to canary bundles and
  verify it against ZERO live receipts without exposing raw venue payloads.
- Run and verify a one-command live canary operator workflow that collects,
  attaches, verifies, checksums, and reports public-safe evidence.
- Capture a read-only Runtime control drill bundle for preflight, immune,
  reconciliation, certification, receipt, evidence, metrics, and audit packets.
- Package release assets with checksums.
- Deploy the paper runtime on Railway or Docker.
- Connect an operator-owned Runtime to the ZERO control plane through the
  optional Vibe Deploy proof chain.
- Generate public-safe Proof profile, replay, and contract artifacts.

The self-evolving loop that makes ZERO adaptive operating intelligence is now
implemented as a public-safe local Runtime subsystem: local memory, genesis
proposal classification, paper-only research, public decision-stack review,
production-parity OODA reports, sandbox candidate mutation, promotion/rollback
evidence, explicit local apply, rollback receipts, and paper-first evolve gates
exist. Protected live-code evolution remains human-reviewed. See
[Memory Core](docs/memory-core.md), [Genesis](docs/genesis.md),
[Research Command Chain](docs/research.md), [Decision Stack](docs/decision-stack.md),
[Evolve Harness](docs/evolve.md), and
[Private Engine Capability Gap Audit](docs/private-engine-capability-gap-audit.md).

## Operator Proof Path

ZERO should earn trust through behavior that another engineer can verify:

1. Run paper mode locally or on Railway.
2. If using Vibe Deploy, claim the Runtime and verify the first heartbeat before
   treating it as an owned deployment.
3. Run `just public-proof` to verify the demo proof pack, Proof chain,
   redacted live trading evidence, read-only MCP server, and committed MCP
   transcript together.
4. Verify `docs/proof/network/network-proof-pack.json` against its profile,
   leaderboard, deployment identity, and ingestion artifacts.
5. Generate a signed journal root from local JSONL streams with
   `zero-journal-root`, attach anchor metadata with `zero-journal-anchor`, and
   export a redacted proof pack with `zero-journal-proof`.
6. Inspect runtime, risk, Runtime control, immune, account, and reconciliation
   packets through the CLI/API.
7. Rehearse a live canary in fail-closed mode.
8. Attach public-safe exchange-side evidence when an operator-owned live canary
   is ready.
9. Verify the bundle, recursive checksums, privacy flags, live canary policy,
   and report with local scripts before publishing anything.

That flow is implemented for refusal-mode rehearsal and redacted live-evidence
verification today. Raw accepted live canary records require an operator-owned
Hyperliquid wallet and explicit local disclosure; they are not part of public
CI.

## See It Run

This is a shortened excerpt from `scripts/demo_capture.sh`, the maintained
local paper-mode demo. It demonstrates the terminal flow without launching the
interactive TUI:

```text
$ zero --api http://127.0.0.1:8765 doctor
[   ok] engine_reachable       zero-paper-engine v0.1.2
[ warn] auth                   no token set — read-only endpoints only
[ warn] live_preflight         not ready: live_executor, wallet, key, journal

$ zero --api http://127.0.0.1:8765 run status
engine: regime=PAPER MARKET. Local deterministic demo.
equity=$10000.00  open=0  recovery=ephemeral

$ zero --api http://127.0.0.1:8765 run risk
risk: OK  equity=$10000.00  peak=$10000.00  dd=0.00%  open=0

$ curl -fsS -H 'content-type: application/json' -d '{...}' /execute
{"accepted": true, "coin": "BTC", "side": "buy", "simulated": true}

$ curl -fsS http://127.0.0.1:8765/network/profile
{"schema_version": "zero.network.profile.v1", "mode": "paper", "verification": {"status": "verified"}}

$ curl -fsS http://127.0.0.1:8765/deployment/heartbeat
{"schema_version": "zero.deployment.heartbeat.v1", "liveness": {"status": "paper_only"}}

$ curl -fsS http://127.0.0.1:8765/intelligence/snapshot
{"schema_version": "zero.intelligence.snapshot.v1", "access": {"class": "public_delayed", "delay_s": 900}}

$ curl -fsS http://127.0.0.1:8765/live/preflight
{"schema_version": "zero.live_preflight.v1", "live_mode": "refused", "ready": false}

$ zero --api http://127.0.0.1:8765 run live-cockpit
live-cockpit: live_mode=refused  ready=false  risk_allowed=false

$ zero --api http://127.0.0.1:8765 run live-receipts
live-receipts: status=empty  total=0  accepted=0  refused=0  exchange_error=0

$ zero --api http://127.0.0.1:8765 run live-canary
live-canary: ready=false  armed=false  qualified=false  publishable=false  accepted_live=false

$ zero --api http://127.0.0.1:8765 run runtime-parity
runtime-parity: ok=true  production_ooda=true  paper_only=true  live_trading_claimed=false

$ curl -fsS http://127.0.0.1:8765/operator/context
{"schema_version": "zero.operator_context.v1", "handle": "local-operator", "scope": "local-private"}

$ curl -fsS http://127.0.0.1:8765/memory
{"schema_version": "zero.memory.snapshot.v1", "stats": {"active_entries": 0}}

$ curl -fsS http://127.0.0.1:8765/genesis
{"schema_version": "zero.genesis.snapshot.v1", "mode": "plan-only"}

$ curl -fsS http://127.0.0.1:8765/evolve
{"schema_version": "zero.evolve.snapshot.v1", "mode": "paper-only"}

$ curl -fsS http://127.0.0.1:8765/research
{"schema_version": "zero.research.snapshot.v1", "mode": "paper-only"}

$ curl -fsS http://127.0.0.1:8765/hl/reconcile
{"schema_version": "zero.reconciliation.v1", "status": "not_configured", "risk_increasing_allowed": false}

$ curl -fsS http://127.0.0.1:8765/live/certification
{"schema_version": "zero.live_certification.v1", "mode": "dry_run", "passed": true}

$ curl -fsS http://127.0.0.1:8765/live/evidence
{"schema_version": "zero.live_evidence.v1", "live_mode": "refused", "evidence_hash": "sha256:..."}

$ curl -fsS http://127.0.0.1:8765/live/canary-policy
{"schema_version": "zero.live_canary_policy.v1", "summary": {"ready_for_canary": false, "next_step": "fix_live_preflight_before_canary"}}

$ scripts/live_canary_rehearsal.py http://127.0.0.1:8765 --mode refusal
zero live canary rehearsal: wrote artifacts/live-canary-rehearsal/... mode=refusal risk_ready=False attempted=True accepted=False

$ scripts/live_canary_exchange_evidence.py artifacts/live-canary-rehearsal/... hyperliquid-export.json
zero live canary exchange evidence: wrote artifacts/live-canary-rehearsal/.../exchange_evidence.json matched=0 accepted=0

$ scripts/live_canary_verify.py artifacts/live-canary-rehearsal/... --require-mode refusal --require-exchange-evidence
zero live canary verify: ok=True checks=... fail=0

$ scripts/live_canary_policy.py artifacts/live-canary-rehearsal/...
zero live canary policy: qualified=True publishable=False refusal_qualified=True next=keep_public_claim_at_refusal_proof

$ scripts/live_canary_operator.py http://127.0.0.1:8765 --mode refusal
zero live canary operator: ok=True bundle=artifacts/live-canary-operator/.../bundle exchange=True report=artifacts/live-canary-operator/.../operator_report.json

$ scripts/live_canary_operator_verify.py artifacts/live-canary-operator/...
zero live canary operator verify: ok=True checks=... fail=0

$ scripts/live_cockpit_drill.py http://127.0.0.1:8765
zero Runtime control drill: ok=True ready=False risk_allowed=False fail=0 output=artifacts/live-cockpit-drill/...

$ scripts/live_cockpit_drill_verify.py artifacts/live-cockpit-drill/...
zero Runtime control drill verify: ok=True checks=... fail=0

$ scripts/live_cockpit_drill_tamper_rehearsal.py artifacts/live-cockpit-drill/...
zero Runtime control drill tamper rehearsal: ok=True checks=3 fail=0

$ curl -fsS http://127.0.0.1:8765/immune
{"schema_version": "zero.immune.v1", "risk_increasing_allowed": false}
```

## Install CLI

Install the latest release binary with checksum and attestation verification:

```bash
curl -fsSL https://raw.githubusercontent.com/zero-intel/zero/main/scripts/install.sh | bash
zero --version
```

The installer downloads the GitHub Release asset for your OS, verifies
`SHA256SUMS`, verifies the GitHub artifact attestation, and installs `zero` to
`~/.local/bin` by default.

Or install the public Homebrew formula:

```bash
brew tap zero-intel/zero https://github.com/zero-intel/zero
brew install zero
zero --version
```

The formula installs the `zero` CLI from the checksummed GitHub Release asset.
It does not use private package registries. Homebrew reinstall and rollback
commands live in [docs/release.md](docs/release.md#homebrew-rollback-verification).

`zero-engine` is also published on PyPI for agent/MCP installs:

```bash
uvx zero-engine --smoke
uvx --from zero-engine zero-mcp --smoke
```

The Rust operator terminal is published as `zero-os` on crates.io. The package
name is `zero-os` because `zero` is already taken on crates.io; the installed
binary is still `zero`:

```bash
cargo install zero-os
zero --version
```

Container users can run the paper runtime directly from source:

```bash
docker build -t getzero/zero .
docker run --rm -p 8765:8765 -e PORT=8765 getzero/zero
```

Docker Hub is the primary public container path:

```bash
docker pull getzero/zero:0.1.2
docker run --rm -p 8765:8765 -e PORT=8765 getzero/zero:0.1.2
```

The runtime remains paper-first by default; live operation stays behind explicit
preflight gates. See [docs/registry-launch.md](docs/registry-launch.md) for
publication state, digests, and anonymous-pull evidence.

## No-Install Contributor Path

Use GitHub Codespaces or any devcontainer-compatible editor to open this repo
without installing Python, Rust, or `just` locally:

[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/zero-intel/zero)

The container installs the editable engine package, Rust CLI dependencies, and
the local docs gate. See [.devcontainer/README.md](.devcontainer/README.md).

## Source Quickstart

Requirements: Python 3.11+, Rust stable, Cargo, and `just`.

```bash
git clone https://github.com/zero-intel/zero.git
cd zero
just bootstrap
just demo
just paper-api-smoke
```

Run the paper API:

```bash
just paper-api
```

Run the CLI:

```bash
cd cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 doctor
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run status
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run risk
```

Run the full local gate:

```bash
just ci
```

Run one paper runtime cycle:

```bash
PYTHONPATH="$PWD/engine/src" zero-engine-run \
  --journal .zero/decisions.jsonl \
  --runtime-bus .zero/runtime-bus \
  --once \
  --interval 0
```

For the complete first-run path, see
[docs/first-10-minutes.md](docs/first-10-minutes.md). For a reproducible
terminal demo capture, run:

```bash
scripts/demo_capture.sh
```

Maintainers can also prove the publishable source tree works outside this
checkout by copying it into a temporary directory, rerunning hardening, and
smoking the paper API through the CLI:

```bash
just fresh-clone-rehearsal
```

Use an installed release binary for the same capture:

```bash
ZERO_BIN="$(command -v zero)" scripts/demo_capture.sh
```

## Safety Model

ZERO is built around operational discipline, not activity.

- Paper mode is the default.
- Public examples must run without real funds.
- Live execution requires explicit environment configuration and preflight
  checks.
- Risk-reducing actions should remain low-friction.
- Risk-increasing actions should require deliberate operator confirmation.
- Journals and proof packets must be redacted before publication.
- Hosted custody is not part of the product.

Read the full model in [docs/safety-model.md](docs/safety-model.md),
[docs/threat-model.md](docs/threat-model.md), and
[docs/failure-modes-autonomous-loop.md](docs/failure-modes-autonomous-loop.md).
Incident response is covered by
[docs/incident-runbooks.md](docs/incident-runbooks.md) and the public
[postmortem policy](docs/incident-postmortems/README.md).

## Trust

- CI, CodeQL, Secret Scan, and OpenSSF Scorecard run on public pushes.
- Release assets ship with checksums, SBOM/provenance metadata, attestations,
  release evidence, and Homebrew formula drift checks.
- `just release-preflight` verifies public proof, package dry runs, release
  rehearsals, registry readiness, and formula consistency before tagging.

## Open Core Boundary

ZERO is open infrastructure plus free growth-mode intelligence. The future
business model monetizes scale, retention, redistribution, support, and SLAs,
not basic operator access while ZERO needs more verified operators.

| Open | Commercial |
| --- | --- |
| ZERO Runtime, safety gates, paper mode, local API, CLI, Docker/Railway deployment, public profile contracts, leaderboards, delayed snapshots, growth-mode realtime Intelligence access, docs, tests, and release tooling. | Future higher limits, deeper history, cohorts, benchmarks, commercial connectors, bulk exports, redistribution rights, support, reliability commitments, and SLAs. |

The open repository must stay useful without a ZERO-hosted app. The
commercial product sells speed, scale, history, reliability, and intelligence
access, not custody or basic runtime operation.

See [docs/open-core-boundary.md](docs/open-core-boundary.md) and
[docs/zero-intelligence.md](docs/zero-intelligence.md).

## Repository Map

```text
engine/        Python ZERO Runtime and paper API
cli/           Rust operator terminal
contracts/     Public API, Network, and Intelligence contract examples
examples/      Paper-trading examples and sample candles
docs/          Architecture, safety, deployment, release, and product docs
scripts/       Smoke tests, release packaging, Railway entrypoints, hardening gates
.github/       CI, CodeQL, secret scanning, Scorecard, issue and PR templates
```

## Deployment

ZERO is local-first, Railway-first, and Docker-compatible. Operators own their
deployment project, secrets, exchange credentials, and runtime state.

- [docs/local-development.md](docs/local-development.md)
- [docs/railway-template.md](docs/railway-template.md)
- [docs/railway-deploy.md](docs/railway-deploy.md)
- [docs/vibe-deploy.md](docs/vibe-deploy.md)
- [docs/distribution.md](docs/distribution.md)
- [docs/release.md](docs/release.md)
- [docs/release-verification.md](docs/release-verification.md)

## Contributor Paths

Start with the live
[Contributor Issue Board](docs/contributor-issue-board.md) or the GitHub
[`good first issue`](https://github.com/zero-intel/zero/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22good%20first%20issue%22),
[`agent-eligible`](https://github.com/zero-intel/zero/issues?q=is%3Aissue%20is%3Aopen%20label%3Aagent-eligible),
and
[`help wanted`](https://github.com/zero-intel/zero/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22help%20wanted%22)
queues.

Good first contribution areas:

- Declarative strategy runners that stay paper-first.
- Strategy examples that stay paper-first.
- Strategy plugins that return signals but leave execution and risk checks to
  ZERO.
- Market data adapters with deterministic tests.
- Public Proof profiles, replay, and contract examples over redacted public
  contracts.
- CLI diagnostics and replay views.
- Safety gate tests.
- Documentation and runbook improvements.
- Public Protocol and Proof contract examples.

Before opening a pull request:

```bash
just ci
```

Read [CONTRIBUTING.md](CONTRIBUTING.md), [SECURITY.md](SECURITY.md), and
[GOVERNANCE.md](GOVERNANCE.md).

Using a coding or design agent? Start with [AGENTS.md](AGENTS.md) and
[docs/agentic-contribution.md](docs/agentic-contribution.md). Agent-authored
changes should stay scoped, paper-first by default, and explicit about safety
invariants.

For a 30-second agent smoke:

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.mcp --smoke
PYTHONPATH="$PWD/engine/src" scripts/mcp_transcript.py --check
```

Machine-readable entrypoints:

- [llms.txt](llms.txt)
- [docs/llms.txt](docs/llms.txt)
- [docs/llms-full.txt](docs/llms-full.txt)
- [AGENTS.md](AGENTS.md)
- [Agent Commands](.claude/commands/README.md)
- [Contributor Issue Board](docs/contributor-issue-board.md)
- [QA Onboarding Checklist](docs/qa-onboarding-checklist.md)
- [Issue Templates](.github/ISSUE_TEMPLATE/agent_task.yml)
- [OpenAPI Contract](openapi/zero-paper-api.v1.yaml)
- [Agent Architecture](docs/agent-architecture.md)
- [Journal Integrity](docs/journal-integrity.md)
- [Memory Core](docs/memory-core.md)
- [Genesis](docs/genesis.md)
- [Research Command Chain](docs/research.md)
- [Decision Stack](docs/decision-stack.md)
- [Evolve Harness](docs/evolve.md)
- [MCP Server](docs/mcp.md)
- [MCP Registry Packet](docs/mcp-registry.md)
- [MCP Transcript](docs/mcp/transcript.jsonl)

## Documentation

- [Architecture](docs/architecture.md)
- [Agent Architecture](docs/agent-architecture.md)
- [Positioning](docs/positioning.md)
- [First 10 Minutes](docs/first-10-minutes.md)
- [Demo Terminal](docs/demo-terminal.md)
- [Proof Packs](docs/proof/README.md)
- [CLI Quickstart](docs/cli-quickstart.md)
- [CLI Doctor Troubleshooting](docs/cli-doctor-troubleshooting.md)
- [API](docs/api.md)
- [Journal Integrity](docs/journal-integrity.md)
- [Memory Core](docs/memory-core.md)
- [Research Command Chain](docs/research.md)
- [Decision Stack](docs/decision-stack.md)
- [MCP Server](docs/mcp.md)
- [MCP Registry Packet](docs/mcp-registry.md)
- [OpenAPI Contract](openapi/zero-paper-api.v1.yaml)
- [API Compatibility](docs/api-compatibility.md)
- [Failure Modes](docs/failure-modes-autonomous-loop.md)
- [Incident Postmortems](docs/incident-postmortems/README.md)
- [Operator Context](docs/operator-context.md)
- [Deployment Identity](docs/deployment-identity.md)
- [Vibe Deploy Proof Chain](docs/vibe-deploy.md)
- [Live Evidence](docs/live-evidence.md)
- [Live Canary Operator](docs/live-canary-operator.md)
- [Operator Isolation](docs/operator-isolation.md)
- [Strategy Plugins](docs/strategy-plugins.md)
- [Market Data Adapters](docs/market-data-adapters.md)
- [Hyperliquid Read-only](docs/hyperliquid-readonly.md)
- [Model Gateway](docs/model-gateway.md)
- [Production Readiness](docs/production-readiness.md)
- [QA Onboarding Checklist](docs/qa-onboarding-checklist.md)
- [Public Upgrade Plan](docs/public-upgrade.md)
- [Historical Autonomous OS Plan](docs/autonomous-os-plan.md)
- [Runtime Capability Boundary Audit](docs/private-engine-capability-gap-audit.md)
- [Agentic Contribution](docs/agentic-contribution.md)
- [Contributor Issue Board](docs/contributor-issue-board.md)
- [Launch Scorecard](docs/launch-scorecard.md)
- [Release Verification](docs/release-verification.md)
- [Roadmap](docs/roadmap.md)

## License

Apache-2.0. See [LICENSE](LICENSE).
````


## Source: `AGENTS.md`

````markdown
# ZERO Agent Operating Guide

You are a senior ZERO engineer working in a public Apache-2.0 repo. You
prioritize safety, product honesty, small reviewable diffs, and agent-readable
contracts.

This repository is intended to be easy for engineers to work on with coding
agents and design agents. Agents should optimize for correctness, safety, and
small reviewable changes.

## First Read

Before editing, read:

- `README.md`
- `docs/architecture.md`
- `docs/agent-architecture.md`
- `docs/open-core-boundary.md`
- `docs/safety-model.md`
- `docs/failure-modes-autonomous-loop.md`
- `docs/journal-integrity.md`
- `docs/autonomous-os-plan.md`
- `docs/agentic-contribution.md`
- `docs/qa-onboarding-checklist.md`
- `docs/llms.txt`
- `docs/llms-full.txt`
- the nearest docs for the files you are changing

## Critical Invariants

- ZERO is paper-first by default. Never add a path that makes live trading
  easier than paper trading.
- Public examples must be deterministic, secret-free, and safe to run in a
  fresh clone.
- Live-capable behavior must fail closed with explicit refusal reasons.
- Never log secrets, exchange credentials, private keys, seed phrases, or
  account-bearing payloads.
- OpenAPI and JSON contract files are load-bearing. Any breaking contract
  change needs a compatibility note, test update, and release note.
- The public repo must not include private deployment state, private journals,
  production secrets, PnL claims without evidence, or proprietary hosted code.
- Product copy must not claim live trading capability, latency, win rate,
  paper/live correlation, or exchange support unless the repo contains current
  reproducible evidence for that claim.
- New autonomous-loop capabilities must update
  `docs/failure-modes-autonomous-loop.md` when they introduce a new failure
  mode or change detection, blast radius, rollback, journal evidence, alerting,
  or test coverage.
- Decision journals must stay hash-chained and verifiable. Do not remove
  `zero.decision_journal.entry.v1` envelopes, signature hooks, or verification
  refusal paths.

## Product Boundary

ZERO is the operating intelligence layer between humans and capital. This public
repo is the open Runtime, Protocol, and Proof substrate.

Open runtime work belongs in this repo:

- paper runtime
- local API
- operator terminal
- safety gates
- paper-first strategy runners and plugins
- self-custodial venue adapters
- local journals and audit exports
- local memory and genesis proposal classification
- paper-only research command chain
- paper-only lens/layer/modifier decision stack
- paper-only evolve gates
- strategy and market-data extension contracts
- public Network contracts and delayed public Intelligence snapshots

Commercial product work should stay behind contracts and docs unless explicitly
asked:

- realtime Intelligence API
- history, cohorts, webhooks, exports, redistribution rights, support, SLAs
- hosted ingestion and commercial reliability infrastructure

Do not make the open runtime depend on a ZERO-hosted app.

## Machine-Readable Surfaces

- `AGENTS.md` is canonical for agents.
- `CLAUDE.md` and `GEMINI.md` are symlinks to `AGENTS.md`.
- `.cursor/rules/global.mdc` and `.github/copilot-instructions.md` point agents
  back to this file.
- `docs/llms.txt` is the docs index for LLM retrieval.
- `docs/llms-full.txt` is generated by `scripts/generate_llms_full.py`.
- `zero-mcp` exposes read-only paper, strategy, status, health, journal,
  rejection audit, memory, genesis, research, decision-stack, evolve, immune,
  backtest, evidence, position, safety-catalog, and proof-pack inspection tools.
  It must not expose live execution or order placement.

## Safety Rules

- Default to paper mode.
- Public examples must not need real funds or secrets.
- Never add sample private keys, wallet secrets, API tokens, cookies, or
  exchange credentials.
- Live-capable changes need refusal paths, tests, docs, and CLI/operator
  visibility.
- Risk-reducing actions should stay easy; risk-increasing actions should keep
  deliberate friction.
- Public Network and Intelligence outputs must not leak wallets, private keys,
  exchange order IDs, raw journals, strategy labels, private notes, or
  per-trade symbols.

## Engineering Workflow

Use the existing stack:

- Python engine in `engine/src/zero_engine`
- Rust CLI in `cli/crates`
- deterministic fixtures in `contracts` and `examples`
- docs in `docs`
- automation in `justfile` and `.github/workflows`

Preferred checks:

```bash
just docs-check
cd engine && PYTHONPATH="$PWD/src" pytest
cd cli && cargo test --workspace
just ci
```

Run the smallest relevant check while iterating, then `just ci` before final
handoff when feasible.

## Commit and PR Expectations

- Use small, reviewable commits.
- Keep generated/cache artifacts out of git.
- Include tests or deterministic examples for behavior changes.
- Update docs when changing public API, CLI commands, examples, or safety
  behavior.
- AI-assisted commits and pull requests must say so in the PR checklist and use
  a `Co-authored-by:` trailer when the tool materially authored the change.

## Design Agent Rules

Design contributions should make operational surfaces clearer, not more
decorative.

- Prioritize scanability, fault visibility, and fast risk reduction.
- Do not hide dangerous state behind optimistic copy.
- Use restrained UI patterns for terminal, dashboard, docs, and generated
  public pages.
- Keep public profile and leaderboard pages aggregate-only and redacted.
- Avoid marketing-only screens when a usable operator surface is possible.

## Current Strategic Path

The controlling plan is `docs/autonomous-os-plan.md`.

The current trust-hardening priorities are:

1. publish `zero-engine` on PyPI or enable a public remote MCP endpoint, then
   run the MCP Registry publication workflow;
2. postmortem publication when live safety, journal integrity, privacy, or
   release integrity is affected.

Each cycle should update tests, docs, and scorecards with the behavior it
actually lands.
````


## Source: `.claude/commands/README.md`

````markdown
# ZERO Agent Commands

These are reusable task recipes for coding agents working in ZERO. They are
plain Markdown so any agent or engineer can use them; they do not grant extra
permissions and they must preserve the repository safety invariants in
`AGENTS.md`.

Use these when assigning small, reviewable agent work:

- [`paper-backtest.md`](paper-backtest.md) - replay deterministic paper fixtures.
- [`verify-schema.md`](verify-schema.md) - check public API and generated contracts.
- [`proof-pack.md`](proof-pack.md) - rebuild and verify public-safe proof artifacts.
- [`mcp-transcript.md`](mcp-transcript.md) - regenerate and validate agent MCP output.
- [`new-strategy.md`](new-strategy.md) - add a paper-first strategy example.

Every command recipe should end with the smallest relevant check, then `just ci`
before handoff when the change touches public contracts, packaging, or CI.
````


## Source: `CONTRIBUTING.md`

````markdown
# Contributing to ZERO

Thanks for helping improve ZERO.

## Start Here

1. Read the README.
2. Run the paper-mode demo.
3. Pick an issue from the
   [Contributor Issue Board](docs/contributor-issue-board.md) or one labeled
   `good first issue`, `good-first-strategy`, `agent-eligible`, or
   `help wanted`.
4. Open a small pull request with tests.

## Local Setup

```bash
just bootstrap
just test
just lint
just codeowners-check
```

The default contributor path must not require real trading credentials.
If local test runs leave ignored cache or bytecode files behind, run
`just stale-artifact-clean` before opening a pull request.

## Pull Requests

Every PR should include:

- clear problem statement
- implementation summary
- tests or a reason tests are not applicable
- safety impact if the change touches execution, risk, credentials, or operator commands

Large rewrites should start as an issue or proposal.

Safety-critical paths are owned in `.github/CODEOWNERS`; see
[docs/review-ownership.md](docs/review-ownership.md). Do not remove ownership
entries to bypass review.

## Issue Lanes

Use the issue template that matches the work:

- `Agent task`: bounded work for coding, review, documentation, or design
  agents. Must include owner boundary, out-of-scope list, safety invariant,
  acceptance criteria, and checks.
- `Strategy example`: paper-only strategy, runner, plugin, market-data adapter,
  runtime loop, or proof-pack example. Must be deterministic and runnable
  without secrets.
- `Safety review`: execution, sizing, risk gates, kill switches, auth, secret
  handling, operator friction, live evidence, or public proof contracts.
- `Design review`: README, generated public pages, CLI/TUI copy, docs IA, or
  launch surfaces.
- `Documentation gap`: missing, stale, misleading, or agent-hostile docs.

Labels are defined in [docs/label-taxonomy.md](docs/label-taxonomy.md). If a
new issue lane needs a new label, update `.github/labels.yml` and the taxonomy
checker in the same pull request. Maintainers can apply the configured labels
to GitHub with `just github-label-sync`.

## Safety-Critical Changes

Changes to sizing, order execution, risk gates, kill switches, authentication, secret handling, or operator friction require:

- focused regression tests
- explicit paper-mode validation
- maintainer review
- documentation update when behavior changes

## Commit Style

Prefer clear conventional-style prefixes:

- `feat:`
- `fix:`
- `docs:`
- `test:`
- `refactor:`
- `chore:`

## License

By contributing, you agree that your contribution is licensed under Apache-2.0.
````


## Source: `GOVERNANCE.md`

````markdown
# Governance

ZERO uses maintainer-led governance.

## Maintainers

Maintainers are responsible for:

- reviewing pull requests
- triaging issues
- protecting safety-critical paths
- publishing releases
- deciding public/private project boundaries

## Decision Policy

Routine changes can be merged by one maintainer after CI passes.

Safety-critical changes require explicit maintainer approval from an owner of the affected area.
Review ownership is declared in `.github/CODEOWNERS` and validated by
`just codeowners-check`.

Large design changes should start as a proposal issue.

## Public vs Commercial Boundary

The public project contains the local runtime, operator terminal, paper mode,
local APIs, safety gates, venue-adapter contracts, examples, proof contracts,
and extension interfaces.

ZERO Intelligence is the commercial product. Its public contracts may be
discussed in this repo, but proprietary hosted implementation details,
commercial datasets, billing systems, customer-specific infrastructure, and
SLA operations are not required for open-source contribution.

## Stewardship Pledge

We want contributors and operators to know which boundaries are stable.

- We will not move existing Apache-2.0 public runtime features behind a
  proprietary paywall.
- We will not add mandatory telemetry to the public runtime.
- We will not make live trading easier than paper trading in public examples.
- We will not publish private operator journals, private deployment state, or
  exchange credentials.
- We will give at least six months of public notice before any public repo
  license change.
- We will keep commercial hosted implementation separate from this public repo.
````


## Source: `.github/CODEOWNERS`

````markdown
# ZERO review ownership.
#
# Last match wins. Keep broad ownership first, then safety-critical surfaces.
# The public gate in scripts/codeowners_check.py validates these boundaries.

* @squaeragent

# GitHub and release automation.
/.github/ @squaeragent
/Formula/zero.rb @squaeragent
/scripts/assemble_release_assets.sh @squaeragent
/scripts/draft_release_rehearsal.sh @squaeragent
/scripts/homebrew_formula.py @squaeragent
/scripts/homebrew_formula_check.py @squaeragent
/scripts/install.sh @squaeragent
/scripts/package_dry_run.sh @squaeragent
/scripts/release_evidence.py @squaeragent
/scripts/release_provenance.py @squaeragent
/scripts/release_rehearsal.sh @squaeragent
/scripts/release_verify.py @squaeragent

# Engine safety, custody, execution, and exchange boundaries.
/engine/src/zero_engine/api.py @squaeragent
/engine/src/zero_engine/hyperliquid.py @squaeragent
/engine/src/zero_engine/immune.py @squaeragent
/engine/src/zero_engine/live.py @squaeragent
/engine/src/zero_engine/live_certification.py @squaeragent
/engine/src/zero_engine/reconciliation.py @squaeragent
/engine/src/zero_engine/safety.py @squaeragent

# Operator CLI friction and engine client contracts.
/cli/crates/zero-commands/ @squaeragent
/cli/crates/zero-config/ @squaeragent
/cli/crates/zero-doctor/ @squaeragent
/cli/crates/zero-engine-client/ @squaeragent
/cli/crates/zero-headless/ @squaeragent
/cli/crates/zero-tui/ @squaeragent

# Public contracts and proof surfaces.
/contracts/ @squaeragent
/openapi/ @squaeragent
/docs/live-certification.md @squaeragent
/docs/live-cockpit.md @squaeragent
/docs/live-evidence.md @squaeragent
/docs/safety-model.md @squaeragent
/docs/threat-model.md @squaeragent
/docs/incident-runbooks.md @squaeragent
/docs/release.md @squaeragent
/docs/distribution.md @squaeragent
````


## Source: `SECURITY.md`

````markdown
# Security Policy

## Supported Versions

Security fixes target the latest released version and the main branch.

## Reporting a Vulnerability

Do not open a public issue for security vulnerabilities.

Email: security@getzero.dev

Please include:

- affected version or commit
- reproduction steps
- impact
- whether credentials, funds, or private data are at risk

## Scope

In scope:

- secret handling
- authentication and authorization
- execution safety
- paper/live mode isolation
- risk gates and kill switches
- API security
- supply-chain security

Out of scope:

- social engineering
- denial-of-service without a safety or data-integrity impact
- third-party dependency vulnerabilities without a ZERO-specific exploit path

## Response Targets

- Acknowledge: 48 hours
- Critical triage: 7 days
- Public advisory: after fix or coordinated disclosure window
````


## Source: `docs/llms.txt`

````markdown
# ZERO Docs

> ZERO is the operating intelligence layer between humans and capital. This
> public repo is the open Runtime, Protocol, and Proof substrate: paper-first,
> local-first, Apache-2.0, and structured for human and agent contributors.

## Start

- [README](../README.md)
- [Agent Operating Guide](../AGENTS.md)
- [Agent Commands](../.claude/commands/README.md)
- [Contributing](../CONTRIBUTING.md)
- [Governance](../GOVERNANCE.md)
- [Security](../SECURITY.md)

## Product

- [Positioning](positioning.md)
- [Open-Core Boundary](open-core-boundary.md)
- [Production Readiness](production-readiness.md)
- [Public Upgrade Plan](public-upgrade.md)
- [Historical Autonomous OS Plan](autonomous-os-plan.md)
- [Runtime Capability Boundary Audit](private-engine-capability-gap-audit.md)
- [Roadmap](roadmap.md)

## Build And Run

- [First 10 Minutes](first-10-minutes.md)
- [Local Development](local-development.md)
- [CLI Quickstart](cli-quickstart.md)
- [CLI Doctor Troubleshooting](cli-doctor-troubleshooting.md)
- [Demo Terminal](demo-terminal.md)
- [Proof Packs](proof/README.md)
- [Railway Template](railway-template.md)
- [Railway Deploy](railway-deploy.md)
- [Railway Partner Packet](railway-partner.md)
- [Railway Template Packet](../contracts/distribution/railway-template.json)
- [Release](release.md)
- [Release Verification](release-verification.md)

## Architecture And Contracts

- [Architecture](architecture.md)
- [Agent Architecture](agent-architecture.md)
- [Runtime Bus](runtime-bus.md)
- [Journal Integrity](journal-integrity.md)
- [Memory Core](memory-core.md)
- [Genesis](genesis.md)
- [Research Command Chain](research.md)
- [Decision Stack](decision-stack.md)
- [Evolve Harness](evolve.md)
- [API](api.md)
- [MCP Server](mcp.md)
- [MCP Registry Packet](mcp-registry.md)
- [MCP Transcript](mcp/transcript.jsonl)
- [API Compatibility](api-compatibility.md)
- [OpenAPI v1](../openapi/zero-paper-api.v1.yaml)
- [Strategy Plugins](strategy-plugins.md)
- [Market Data Adapters](market-data-adapters.md)

## Safety And Operations

- [Safety Model](safety-model.md)
- [Threat Model](threat-model.md)
- [Failure Modes Of The Autonomous Loop](failure-modes-autonomous-loop.md)
- [Incident Runbooks](incident-runbooks.md)
- [Incident Postmortems](incident-postmortems/README.md)
- [Dependency Policy](dependency-policy.md)
- [Hyperliquid Read-only](hyperliquid-readonly.md)
- [Live Evidence](live-evidence.md)
- [Live Canary Operator](live-canary-operator.md)
- [Live Control](live-cockpit.md)
- [Operator Context](operator-context.md)
- [Operator Isolation](operator-isolation.md)
- [Immune System](immune-system.md)

## Network And Intelligence

- [ZERO Network](zero-network.md)
- [ZERO Network Freshness](network-freshness.md)
- [ZERO Intelligence](zero-intelligence.md)
- [Model Gateway](model-gateway.md)
- [Deployment Identity](deployment-identity.md)

## For Agents

- [Agentic Contribution](agentic-contribution.md)
- [Contributor Issue Board](contributor-issue-board.md)
- [QA Onboarding Checklist](qa-onboarding-checklist.md)
- [Dev Container](../.devcontainer/README.md)
- [Issue Templates](../.github/ISSUE_TEMPLATE/agent_task.yml)
- [Label Taxonomy](label-taxonomy.md)
- [Full LLM Context](llms-full.txt)
````


## Source: `docs/first-10-minutes.md`

````markdown
# First 10 Minutes

This is the fastest path from a clean checkout to an inspected ZERO paper
runtime. It requires no exchange credentials, no cloud account, and no private
context.

## 0. Choose Install Path

Use the latest release binary if you want to inspect the operator terminal
without compiling Rust:

```bash
curl -fsSL https://raw.githubusercontent.com/zero-intel/zero/main/scripts/install.sh | bash
zero --version
```

Use source if you want to contribute:

```bash
git clone https://github.com/zero-intel/zero.git
cd zero
python3 -m venv .venv
source .venv/bin/activate
just bootstrap
```

Use Codespaces if you want a no-install inspection path:

[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/zero-intel/zero)

The devcontainer starts in paper mode and runs the docs gate during setup.

## 1. Run The Paper Engine

```bash
just demo
```

You should see deterministic JSON with accepted and rejected paper decisions.
The important signal is not that a trade filled. The important signal is that
ZERO records both approvals and refusals through the same safety path.

## 2. Start The Local Paper API

In terminal 1:

```bash
just paper-api
```

Expected output:

```text
zero paper API listening on http://127.0.0.1:8765
```

Leave it running.

## 3. Inspect From The Operator Terminal

In terminal 2:

```bash
cd cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 doctor
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run status
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run risk
```

Expected shape:

```text
[ ok ] engine_reachable  zero-paper-engine v0.1.2
[warn] auth              no token set - read-only endpoints only
engine: regime=PAPER MARKET. Local deterministic demo.
risk: OK
```

The auth warning is expected. The public paper API exposes read-only inspection
without a token and marks execution responses as simulated.

If doctor cannot reach the engine, warns about missing tokens, or reports
`live_preflight` as not ready, use
[CLI Doctor Troubleshooting](cli-doctor-troubleshooting.md). Those warnings are
usually expected in public paper mode.

## 4. See The Public Product Boundary

With the paper API still running:

```bash
curl -fsS http://127.0.0.1:8765/network/profile | python3 -m json.tool
curl -fsS http://127.0.0.1:8765/intelligence/snapshot | python3 -m json.tool
curl -fsS http://127.0.0.1:8765/live/preflight | python3 -m json.tool
```

What this proves:

- ZERO Network packets are public-safe and redacted.
- ZERO Intelligence public snapshots are delayed and aggregate.
- Live mode refuses by default until local self-custodial preflight passes.

## 5. Run The Reproducible Demo Capture

```bash
scripts/demo_capture.sh
```

The capture starts the local paper API, probes it through the CLI and HTTP
contracts, executes a simulated paper order, and prints public-safe Network and
Intelligence payloads.

Use an installed release binary instead of compiling the CLI:

```bash
ZERO_BIN="$(command -v zero)" scripts/demo_capture.sh
```

Maintainers can rehearse the same public source boundary from a temporary clean
tree:

```bash
just fresh-clone-rehearsal
```

That command copies only publishable source files, verifies the public and
hardening gates, runs the paper example, and smokes the paper API through the
CLI outside the maintainer checkout.

## 6. Verify Public Proof And Agent Surfaces

```bash
just public-proof
```

This checks the deterministic demo proof pack, the ZERO Network proof chain,
the read-only MCP server, and the committed MCP transcript. It is the shortest
command that proves the public proof packets and agent-readable surface are in
sync without enabling live execution.

## 7. Run The Local Gate

Before opening a pull request:

```bash
just ci
```

`just ci` is the repo's local confidence gate: engine lint/tests, CLI
format/clippy/tests, docs gate, hardening gate, paper API smoke, examples, and
package dry run.

## What You Have Proven

After ten minutes, you have verified:

- The engine runs locally in paper mode.
- The CLI can inspect operator state.
- Safety gates accept and reject actions.
- Public proof and intelligence contracts do not leak raw traces.
- The demo proof pack, Network proof chain, and MCP transcript are current.
- Live execution is not enabled by accident.
- The local repo can pass the same core gate maintainers use before release.
````


## Source: `docs/local-development.md`

````markdown
# Local Development

ZERO's public development path must work without exchange credentials, cloud
accounts, or private deployment access.

## Prerequisites

- Python 3.11 or newer
- Rust toolchain from `cli/rust-toolchain.toml`
- `just`
- Git

If you do not want to install local tools, open the repo in GitHub Codespaces
or another devcontainer-compatible editor. The devcontainer installs Python,
Rust, `just`, the editable engine package, and CLI dependencies. See
[`../.devcontainer/README.md`](../.devcontainer/README.md).

## First Run

```bash
git clone https://github.com/zero-intel/zero.git
cd zero
python3 -m venv .venv
source .venv/bin/activate
just bootstrap
just demo
just example
```

Expected behavior:

- The engine installs in editable mode.
- The demo runs in paper mode.
- At least one paper order is filled.
- At least one unsafe or over-limit order is rejected.
- The local candle fixture is read from disk.
- No real exchange private key is requested.

## Daily Commands

```bash
just engine-lint
just engine-test
just cli-lint
just cli-test
just stale-artifact-check
just ci
```

`just ci` is the local release gate. If a change touches only docs, run
`just docs-check` and state that scope in the pull request.

## Python Engine

```bash
cd engine
python -m pip install -e ".[dev]"
ruff check .
pytest
python -m zero_engine.demo
```

The public engine starts with a small safety contract. Keep changes focused and
add tests beside the behavior being changed.

Run the local paper API in one terminal:

```bash
just paper-api
```

Then inspect it from the CLI in another terminal:

```bash
cd cli
cargo run -p zero-os -- --api http://127.0.0.1:8765 doctor
cargo run -p zero-os -- --api http://127.0.0.1:8765 run status
```

The same integration check is available as:

```bash
just paper-api-smoke
```

Expected abbreviated output from the manual CLI path:

```text
[ ok ] engine_reachable  zero-paper-engine v0.1.2 (http://127.0.0.1:8765/)
[ ok ] engine_healthy    ok
[warn] auth              no token set - read-only endpoints only
[ ok ] ws_reachable      ws://127.0.0.1:8765/ws

engine: regime=PAPER MARKET. Local deterministic demo.  confidence=90 (paper)
today: trades=0  wins=0  pnl=+0.00
```

The auth warning is expected for the local paper API when no token is set.
See [cli-quickstart.md](cli-quickstart.md) for the fuller redacted terminal
capture.

## Rust CLI

```bash
cd cli
cargo fmt --all --check
cargo clippy --workspace --all-targets -- -D warnings
cargo test --workspace
```

The CLI is an operator surface. Any command that increases risk must keep the
friction model intact; risk-reducing commands must remain fast.

## Local State

CLI runtime state is operator-partitioned under
`<zero_dir>/operators/<operator-slug>/`. The active config remains at
`<zero_dir>/config.toml`; the default session DB, TUI log, headless socket, and
headless state live under the operator partition. `zero doctor` warns when
legacy shared state files remain at the top level. See
[Operator Isolation](operator-isolation.md).

Ignored local state includes:

- `.venv/`
- `.pytest_cache/`
- `.ruff_cache/`
- `__pycache__/`
- `*.pyc`
- `target/`
- `dist/`
- `build/`
- `*.egg-info/`
- `coverage.xml`
- `*.db`, `*.sqlite*`, `*.wal`, `*.shm`
- `.env`

Do not commit generated state, local credentials, runtime databases, or exchange
material.

## Container Path

The container path is also paper-only:

```bash
docker build -t zero-public:local .
docker run --rm zero-public:local
docker run --rm zero-public:local python /app/examples/paper-trading/run.py
```

With Compose:

```bash
docker compose run --rm zero-paper-example
```

## Container Troubleshooting

`just container-smoke` requires a Docker-compatible daemon, not only the Docker
CLI binary. If `docker --version` works but `just container-smoke` fails with a
message like `Cannot connect to the Docker daemon`, start whichever local
daemon your workstation uses and rerun the command.

Common local options include Docker Desktop, Colima, OrbStack, Rancher Desktop,
or another Docker-compatible runtime. ZERO does not require a specific desktop
product.

The container smoke path remains paper-only. It builds the local image, runs
the default paper demo, and runs the deterministic paper trading example. It
must not request exchange credentials, wallet material, live-capital
configuration, or private ZERO infrastructure.
````


## Source: `docs/proof/README.md`

````markdown
# Proof Packs

ZERO proof packs are public-safe artifacts that let a human or agent verify what
the runtime actually did.

Run the full public proof gate:

```bash
just public-proof
```

That command verifies the demo proof pack, the ZERO Network proof chain, the
redacted live trading evidence packet, the read-only MCP server, and the
committed MCP transcript together. It is the preferred pre-PR check when
changing proof, Network, MCP, or agent-facing docs.

The current committed pack is intentionally modest:

- it is generated from the deterministic paper scenario in
  `examples/paper-trading`;
- it includes a CSV of paper decisions, a small SVG summary, and a hash-addressed
  manifest;
- it explicitly does not claim live trading, PnL, or paper-vs-live correlation.

Proof packs are proof-of-process, not custody proof or PnL proof. A public pack
can show that a deterministic runtime, profile, leaderboard, and evidence chain
were generated and verified under redaction rules. The committed live trading
packet separately proves that operator-owned live execution evidence exists and
passes public redaction checks. It does not prove exchange account ownership,
wallet control, or profitability unless the operator publishes or privately
discloses matching raw Hyperliquid exports.

Generate or verify the demo pack:

```bash
PYTHONPATH="$PWD/engine/src" scripts/proof_pack.py
PYTHONPATH="$PWD/engine/src" scripts/proof_pack.py --check
```

## Network Proof Pack

The public repository also commits a deterministic ZERO Network proof chain in
`docs/proof/network`. It is generated from a fixed-clock paper runtime and
emits:

- `zero.network.profile.v1` in `profile.json`;
- `zero.network.leaderboard.v1` in `leaderboard.json`;
- `zero.deployment_identity_evidence.v1` in `identity/identity_bundle.json`;
- `zero.network.profile_verification.v1` in `profile-verification.json`;
- `zero.network_proof_pack.v1` in `network-proof-pack.json`.

Verify the full public-safe chain:

```bash
PYTHONPATH="$PWD/engine/src" scripts/network_proof_pack.py
PYTHONPATH="$PWD/engine/src" scripts/network_proof_pack.py --check
```

This pack proves profile, leaderboard, deployment-claim, deployment-heartbeat,
and hosted-compatible ingestion bindings. The static fixture is unsigned so it
stays reproducible; signed deployment identity is covered by the paper and
Railway smoke tests.

Agents can inspect the same Network proof chain through MCP without gaining any
live execution capability:

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.mcp --smoke
PYTHONPATH="$PWD/engine/src" scripts/mcp_transcript.py --check
```

## Live Trading Evidence

`docs/proof/live/live-trading-evidence.json` is a redacted
`zero.live_trading_evidence.v1` packet generated from private operator
Hyperliquid evidence. It summarizes live fills, trades, and live decision
records with hashed symbols, bucketed quantities, bucketed timestamps, source
hashes, and no raw venue payloads.

Verify it with:

```bash
scripts/live_trading_evidence.py verify docs/proof/live/live-trading-evidence.json
```

The verifier rejects raw wallet-like material, private keys, order IDs, client
order IDs, trace IDs, idempotency keys, and embedded source payloads.

## Privacy Regression Fixtures

The negative fixtures in `docs/proof/privacy-regression` are synthetic payloads
that intentionally include private-looking fields. They keep the verifier honest:
wallet-like material and raw exchange order IDs must be refused before anything
is published as public proof.

Run them with:

```bash
PYTHONPATH="$PWD/engine/src" scripts/proof_privacy_regression.py
```

Future correlation packs must add signed live records, exchange-side evidence,
and paper/live correlation from the same strategy window. Do not publish an
R-squared value, latency claim, win rate, or PnL result unless the exact
supporting artifacts are committed or linked from the manifest.

## Required Live Correlation Inputs

A real paper-vs-live pack must include:

- paper decisions and fills exported from the same strategy window;
- exchange-side order and fill records;
- public-safe hashes of raw venue identifiers;
- a reproducible notebook or script that computes the metric;
- a manifest hash and signature.

Until those inputs exist, `live_correlation.status` must remain `unavailable`.
````


## Source: `docs/architecture.md`

````markdown
# Architecture

ZERO is the operating intelligence layer between humans and capital, starting
with onchain perpetual markets.

This public repository has four first-class open surfaces:

- ZERO Runtime: local autonomous operations runtime with paper mode, safety
  gates, API, journals, live-readiness contracts, extension contracts, and
  paper-first evolution loops that make ZERO adaptive operating intelligence.
- ZERO Protocol: MCP-compatible schemas, read/compute tools, mandates, replay
  frames, evidence bundles, audit entries, permission metadata, and local
  verification fixtures.
- ZERO Proof: redacted proof packets, proof profiles, replay/export fixtures,
  journal roots, verification commands, and public contract schemas.
- Developers: repo-local quickstarts, CLI/API docs, examples, release gates,
  and contribution paths that start at
  [getzero.dev/developers](https://getzero.dev/developers).

The ZERO CLI is Runtime tooling, not a separate hosted product surface. Hosted
Studio, Control, Registry, founder-admin, and doctrine surfaces live outside
this repository; this repo supplies the Runtime, Protocol, and Proof substrate
they can consume.

Deployment is Railway-recommended, Docker-compatible, and local-first.
Operators own their deployment project, secrets, exchange credentials, and
runtime state. ZERO does not need a separate hosted deployment product to be
credible.

## Principles

- Local-first by default
- Paper mode before live execution
- Explicit operator control
- Inspectable decisions
- Risk-reducing actions stay fast
- Risk-increasing actions require friction

## Public Runtime Flow

```text
JSONL candles -> MarketDataAdapter -> Strategy -> OrderIntent -> PaperEngine -> RiskDecision
```

Strategies propose. The paper Runtime decides. This keeps extension work
deterministic and prevents examples from bypassing safety gates.

The runtime loop wraps that path in an explicit OODA cycle:

```text
observe -> orient -> decide -> act -> learn -> journal -> durable bus
```

The public `zero-engine-run` command currently runs this loop in paper mode and
emits `zero.runtime.cycle.v1` records. With `--runtime-bus`, it also writes
checksum-chained `zero.runtime.event.v1` events and a fast boot snapshot. See
[runtime-bus.md](runtime-bus.md) for the local event contract. Live-capable
runtime work must preserve the same cycle visibility and fail closed when
safety or reconciliation checks are not ready.

## Public Evolution Flow

```text
runtime journal -> memory -> knowledge -> research -> genesis proposal -> guardian
                -> build/red-team -> paper canary -> calibration
                -> promote or rollback -> evolve backlog
```

The public repo now implements the first part of this loop: local memory
extraction, append-only memory JSONL, active-memory expiry, generated
`knowledge.md`, `/memory`, read-only MCP memory snapshots, genesis proposal
classification, append-only genesis journals, `/genesis`, read-only MCP
genesis snapshots, fixture-backed research reports, `/research`, read-only MCP
research snapshots, paper-only evolve gate runs, `/evolve`, and read-only MCP
evolve status. Real mutation, promotion, and rollback are tracked as public
extraction targets in [Evolve Harness](evolve.md). Local memory, research,
genesis, and evolve belong in open source because they are part of a
self-custodial operator's runtime. Future commercial data products can build on
opt-in verified behavior, cohorts, history, webhooks, redistribution, or
operational SLAs without gating basic Runtime use.

## Commercial Flow

```text
Runtime behavior -> opt-in verification -> ZERO Proof -> commercial data products
```

The commercial product is advantaged access to verified autonomous behavior at
speed, scale, and history. Basic runtime use, self-custody, public profiles,
public leaderboards, delayed public intelligence snapshots, and public proof
contracts remain open.
````


## Source: `docs/agent-architecture.md`

````markdown
# Agent Architecture

ZERO is the operating intelligence layer between humans and capital. This
document defines what the public-runtime agentic loop can do, what it cannot do,
and where humans remain mandatory.

## Authority Model

| Surface | Agent authority | Human authority |
|---|---|---|
| Memory | Extract public-safe lessons from local outcomes and redacted fixtures. | Delete, correct, or quarantine misleading memories. |
| Genesis | Classify proposals and produce plan-only candidates. | Approve which proposal class deserves paper canary work. |
| Research | Produce paper-only reports with source quality labels. | Decide whether research is trusted enough to influence policy. |
| Decision stack | Explain lenses, layers, modifiers, rejections, and consensus. | Change live-risk thresholds and protected policy. |
| Evolve | Generate sandbox candidates, paper canaries, promotion plans, rollback plans, and exact apply receipts. | Apply protected changes, approve live-code changes, and own rollback. |
| Runtime OODA | Observe, orient, decide, act in paper mode, and learn from accepted/rejected decisions. | Enable self-custodial live mode only after local custody, preflight, reconciliation, journal, and kill-switch checks pass. |
| MCP | Expose read-only inspection tools and resources. | No order placement through public MCP. |

## Loop Shape

```text
runtime OODA
  observe -> orient -> decide -> act -> learn

self-evolution
  memory -> research -> genesis -> evolve candidate -> paper canary
         -> calibration -> promotion plan -> human apply -> rollback receipt
```

The runtime loop is the source of operational truth. The self-evolution loop is
the source of candidate change. They are connected through journals and
evidence, not through silent code mutation.

## Bounds

Agents may:

- read public docs, fixtures, OpenAPI contracts, and redacted proof packets;
- run paper examples, tests, and read-only MCP tools;
- classify proposals and generate paper-only candidates;
- write docs, examples, tests, and non-protected code in scoped changes;
- propose rollback plans and incident follow-ups.

Agents must not:

- place live orders through MCP;
- remove paper-first defaults;
- read or emit secrets, wallet material, raw exchange order IDs, private
  journals, private notes, or account-bearing payloads;
- make live trading easier than paper trading;
- bypass live preflight, reconciliation, durable journal checks, dead-man
  controls, kill switches, or operator friction;
- auto-apply protected live-code changes;
- publish PnL, latency, paper/live correlation, or live-capability claims
  without reproducible evidence in the repo.

## Protected Paths

Protected live-code evolution requires human review. Changes that touch these
areas need safety review, tests, and explicit operator-visible refusal paths:

- live execution adapters;
- custody and key handling;
- risk-increasing commands;
- reconciliation gates;
- immune breakers;
- journal integrity;
- public Network and Intelligence serializers;
- MCP safety catalog;
- release and distribution workflows.

## State Ownership

| State | Owner | Durability requirement |
|---|---|---|
| Decision journal | Operator runtime | Append-only, hash-chained, locally signed when configured, verifier-backed, externally anchorable through public-safe receipt packets, and covered by a periodic cadence operation. |
| Runtime bus | Runtime | Checksum-chained and replayable from disk. |
| Memory | Operator runtime | Local, redacted, and source-attributed. |
| Genesis journal | Operator runtime | Append-only, reviewable, and plan-only. |
| Evolve receipts | Operator runtime | Original hash, candidate hash, apply receipt, rollback receipt. |
| Public proof packets | Publisher | Aggregate-only, privacy-checked, and hash-addressed. |

## Failure-Mode Contract

Every new autonomous capability must update
[Failure Modes Of The Autonomous Loop](failure-modes-autonomous-loop.md) when it
introduces a new way to fail. The failure-mode entry must define detection,
blast radius, rollback, journal evidence, alerting, and test coverage.

## Live Operation Boundary

The public repo supports the contracts and operator surfaces needed for
self-custodial live operation. It does not host custody, does not ship private
operator records, and does not make live mode the default.

Before live risk can increase, the local operator deployment must prove:

- custody is configured locally;
- live preflight passes;
- reconciliation is fresh and safe;
- journal durability is verified;
- immune breakers allow the action;
- dead-man and kill-switch controls are ready;
- risk-increasing action has deliberate operator approval.

If any proof is missing, ZERO must refuse risk increase and keep
risk-reducing controls available.
````


## Source: `docs/cli-quickstart.md`

````markdown
# CLI Quickstart Capture

This capture shows the first paper-only operator flow a contributor should see
after cloning the repository. It uses the local paper API and requires no
exchange credentials.

## Terminal 1: Paper API

```bash
PYTHONPATH=engine/src python3 -m zero_engine.api
```

Expected output:

```text
zero paper API listening on http://127.0.0.1:8765
```

Leave this terminal running while using the CLI from a second terminal.

## Terminal 2: Operator CLI

Run doctor against the local paper API:

```bash
cd cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 doctor
```

Abbreviated output:

```text
  [   ok] runtime                zero-doctor v0.1.2 · <os>/<arch> · debug
  [   ok] config_dir             <local config dir>
  [   ok] config_parse           <local config dir>/config.toml parses
  [   ok] engine_reachable       zero-paper-engine v0.1.2 (http://127.0.0.1:8765/)
  [   ok] engine_healthy         ok — 2 healthy / 0 stale / 0 dead
  [   ok] engine_components      all fresh
  [ warn] auth                   no token set — read-only endpoints only
  [   ok] rate_budget            58/60 tokens · refill 1.00/s
  [   ok] ws_reachable           ws://127.0.0.1:8765/ws

  overall: warn
```

The auth warning is expected. The public paper API exposes read-only inspection
without a token and marks execution responses as simulated.

For copy-paste fixes when doctor cannot reach the paper API, warns about a
missing token, or reports `live_preflight` as not ready, see
[CLI Doctor Troubleshooting](cli-doctor-troubleshooting.md).

Inspect the engine status:

```bash
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run status
```

Expected output:

```text
  engine: regime=PAPER MARKET. Local deterministic demo.  confidence=90 (paper)  equity=$10000.00  open=0  upnl=+0.00
    today: trades=0  wins=0  pnl=+0.00  streak=+0  sizing=1.00x
    market: fear_greed=50  health=100%  coins_tradeable=3
```

Inspect the risk line:

```bash
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run risk
```

Expected output:

```text
  risk: OK  equity=$10000.00  peak=$10000.00  dd=0.00%  daily-pnl=+0.00  daily-loss=0.00%  open=0
```

## Smoke Equivalent

The automated equivalent is:

```bash
just paper-api-smoke
```

Use the manual capture above when changing CLI rendering or paper API response
shape. Use the smoke command for routine local verification.
````


## Source: `docs/cli-doctor-troubleshooting.md`

````markdown
# CLI Doctor Troubleshooting

`zero doctor` is the first diagnostic to run when the operator terminal cannot
inspect the engine. It checks local config, engine reachability, token presence,
rate-budget state, live preflight, and WebSocket reachability when configured.

The examples below are safe for public paper mode. They do not require exchange
credentials and do not imply live trading is ready.

## Missing API Token

Run doctor against the local paper API without a token:

```bash
unset ZERO_API_TOKEN
cd cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 doctor
```

Expected safe output snippet:

```text
[ warn] auth                   no token set - read-only endpoints only
overall: warn
```

This is expected for local paper inspection. Read-only status, risk, proof, and
public contract endpoints can still be inspected. Do not paste a live token into
docs, shell history, issue comments, screenshots, or public proof packs.

If you intended to use an authenticated engine, pass a token explicitly or set
the environment variable for the current shell:

```bash
ZERO_API_TOKEN="<operator-token>" \
  cargo run -q -p zero-os -- --api http://127.0.0.1:8765 doctor
```

Expected output when a token is present and accepted:

```text
[   ok] auth                   token present
[   ok] auth_verified          token accepted
```

If `auth_verified` fails, rotate or rewrite local config with:

```bash
cargo run -q -p zero-os -- init --force
```

## Paper API Not Running

If terminal 1 is not running the paper API, doctor cannot reach the engine:

```bash
cd cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 doctor
```

Expected safe output snippet:

```text
[ fail] engine_reachable       unreachable: ...
overall: fail
```

Start the paper API in another terminal:

```bash
cd ..
just paper-api
```

Expected API output:

```text
zero paper API listening on http://127.0.0.1:8765
```

Then rerun doctor:

```bash
cd cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 doctor
```

Expected reachable-engine snippet:

```text
[   ok] engine_reachable       zero-paper-engine v0.1.2 (http://127.0.0.1:8765/)
[   ok] engine_healthy         ok
```

## Live Preflight Refusing Closed

The public paper runtime exposes live-readiness contracts, but live risk should
refuse closed until local custody, journal, reconciliation, emergency controls,
and executor setup are coherent.

Run doctor:

```bash
cd cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 doctor
```

Expected safe output snippet:

```text
[ warn] live_preflight         not ready: live_executor, wallet, key, journal
overall: warn
```

Inspect the detailed preflight packet:

```bash
curl -fsS http://127.0.0.1:8765/live/preflight | python3 -m json.tool
```

Expected boundary:

```json
{
  "schema_version": "zero.live_preflight.v1",
  "live_mode": "refused",
  "ready": false
}
```

This is correct for public paper mode. It proves live-capable surfaces fail
closed; it does not prove accepted live execution. Do not treat this warning as
a bug unless a locally owned live canary was explicitly configured and expected
to pass.

For the cockpit-level view:

```bash
cd cli
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run live-cockpit
```

Expected safe output snippet:

```text
live-cockpit: live_mode=refused  ready=false  risk_allowed=false
```

## Useful Follow-Up Commands

```bash
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run status
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run risk
cargo run -q -p zero-os -- --api http://127.0.0.1:8765 run live-cockpit
just paper-api-smoke
```

Use `just paper-api-smoke` when changing CLI rendering, API response shape, or
doctor examples. It starts the local paper API, exercises the CLI path, and
asserts that live mode still refuses by default.
````


## Source: `docs/railway-template.md`

````markdown
# Deploy and Host ZERO with Railway

ZERO is the operating intelligence layer between humans and capital. This
Railway template runs the public paper runtime from the open ZERO Runtime,
Protocol, and Proof substrate: live Hyperliquid prices are read-only, execution
is simulated, journals are durable, and live-risk endpoints fail closed unless
an operator-owned local live executor is configured outside the template.

## About Hosting ZERO

Hosting ZERO on Railway gives an operator a public paper runtime with a stable
URL, logs, metrics, health checks, and a persistent journal volume. It does not
custody funds and does not need exchange keys. The deployment is useful for
operator onboarding, public demos, proof capture, Railway doctor checks, and
agentic contribution work against a real HTTP runtime.

When an operator wants the ZERO app/control plane to recognize this Runtime,
the next step is the [Vibe Deploy proof chain](vibe-deploy.md): claim the
Runtime, observe the first heartbeat, run paper acceptance, and only then move
toward authority or Builder Code approvals.

Current verified public demo:
[https://zero-production-5214.up.railway.app](https://zero-production-5214.up.railway.app)

Published Railway template:
[https://railway.com/deploy/zero-paper-runtime](https://railway.com/deploy/zero-paper-runtime)

The latest Railway Template Publish Packet is committed at
[`contracts/distribution/railway-template.json`](../contracts/distribution/railway-template.json).
It records the live demo URL, point-in-time verified deployment id, evidence
bundle path, doctor result, required variables, autodeploy config, and
marketplace publish state.

## Common Use Cases

- Paper-mode operator demos with live read-only Hyperliquid mids.
- Public proof capture before sharing a profile or leaderboard claim.
- Agentic development against a stable remote ZERO runtime.
- Railway doctor, deployment evidence, and rollback rehearsal practice.
- ZERO Intelligence contract testing with local aggregate persistence.

## Dependencies for ZERO Hosting

- Railway service sourced from `https://github.com/zero-intel/zero`.
- Dockerfile build from the repository root.
- Public HTTP networking enabled for the runtime service.
- Persistent Railway volume mounted at `/data`.
- Railway-provided `PORT`; do not hardcode a port.

### Deployment Dependencies

- Railway template docs: https://docs.railway.com/templates
- Railway template best practices: https://docs.railway.com/templates/best-practices
- Railway publish/share docs: https://docs.railway.com/templates/publish-and-share
- ZERO Railway deploy guide: [railway-deploy.md](railway-deploy.md)

### Template Service Settings

| Setting | Value |
| --- | --- |
| Template name | `ZERO Paper Runtime` |
| Service name | `ZERO` |
| Template icon | `https://avatars.githubusercontent.com/u/273590449.png` |
| Service icon | `https://avatars.githubusercontent.com/u/273590449.png` |
| Fallback repo icon asset | `docs/assets/zero-template-icon.svg` |
| Source | GitHub repository |
| Repository | `zero-intel/zero` |
| Branch | `main` |
| Builder | Dockerfile |
| Dockerfile path | `Dockerfile` |
| Start command | from `railway.toml`: `/app/scripts/railway_start.sh` |
| Healthcheck path | `/health` |
| Healthcheck timeout | `60` |
| Public networking | HTTP enabled |
| Volume mount | `/data` |

### Marketplace Overview Copy

Use this copy in Railway's template overview editor. It follows Railway's
recommended H1/H2 structure and should stay in sync with this page.

```md
# Deploy and Host ZERO with Railway

ZERO is the operating intelligence layer between humans and capital. This
template runs the public paper runtime from the open ZERO Runtime, Protocol, and
Proof substrate: live Hyperliquid prices are read-only, execution is simulated,
journals persist on a Railway volume, and live-risk endpoints fail closed by
default.

## About Hosting ZERO

Hosting ZERO on Railway gives operators a public paper runtime with a stable
URL, logs, metrics, health checks, and a persistent journal volume. It does not
custody funds and does not need exchange private keys. Use it for operator
onboarding, public proof capture, agentic development, and first-run demos
against a real HTTP runtime.

For app-connected deployments, use Vibe Deploy after the template is running:
claim the Runtime, prove liveness with a heartbeat, and record paper acceptance
before any live authority ceremony.

## Common Use Cases

- Paper-mode operator demos with live read-only Hyperliquid mids.
- Public proof capture before sharing a profile or leaderboard claim.
- Agentic development against a stable remote ZERO runtime.
- Railway doctor, deployment evidence, and rollback rehearsal practice.

## Dependencies for ZERO Hosting

- Railway service sourced from `https://github.com/zero-intel/zero`.
- Dockerfile build from the repository root.
- Public HTTP networking enabled for the runtime service.
- Persistent Railway volume mounted at `/data`.
- Railway-provided `PORT`.

### Why Deploy ZERO on Railway?

Railway gives operators a fast paper-runtime rollout path without asking ZERO
to host custody infrastructure. Operators keep their own project boundary,
volume, logs, domains, variables, and billing relationship while ZERO stays
inspectable, interruptible, and paper-first by default.
```

### Template Variables

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| `ZERO_MODE` | yes | `paper` | Keeps the template in paper mode. |
| `ZERO_JOURNAL_PATH` | yes | `/data/decisions.jsonl` | Durable append-only paper journal on the Railway volume. |
| `ZERO_HYPERLIQUID_LIVE_PRICES` | yes | `true` | Uses Hyperliquid public mids as read-only market data. |
| `ZERO_INTELLIGENCE_STORE_PATH` | yes | `/data/zero/intelligence.jsonl` | Durable aggregate store for hosted-compatible Intelligence reference endpoints. |
| `ZERO_INTELLIGENCE_API_TOKEN` | optional | empty | Disposable demo bearer token for hosted-compatible protected Intelligence routes. |
| `ZERO_INTELLIGENCE_API_PLAN` | optional | `free` | Reference account plan shown by local hosted-compatible packets. |
| `ZERO_INTELLIGENCE_API_ACCOUNT_ID` | optional | `acct_railway` | Public-safe local account label for reference packets. |
| `ZERO_INTELLIGENCE_WEBHOOK_SIGNING_KEY` | optional | `${{secret(64, "abcdef0123456789")}}` | Demo HMAC key for webhook fixture signatures. Never reuse production keys. |

## Railway Template Publish Packet

The packet schema is `zero.railway_template_packet.v1`. Regenerate it after any
template-impacting deployment, Railway variable change, domain change, or
marketplace copy change. Deployment ids are point-in-time evidence; always run
the doctor against the live URL before sharing the current service:

```bash
scripts/railway_template_packet.py --output contracts/distribution/railway-template.json
scripts/railway_template_packet.py --check
```

Before sharing the template URL, verify the live demo:

```bash
scripts/railway_doctor.py https://zero-production-5214.up.railway.app
scripts/deployment_evidence.sh https://zero-production-5214.up.railway.app --railway-logs
scripts/deployment_evidence_verify.py artifacts/deployment-evidence/<timestamp>
```

The expected public demo posture is `17 ok / 1 warn / 0 fail`: the warning is
the tokened paid-scope Intelligence check when no demo bearer token is supplied.
Live mode must remain refused and risk-increasing actions must remain blocked.

### Publish Checklist

1. Install and authenticate the Railway CLI:

```bash
npm install -g @railway/cli
railway login --browserless
scripts/railway_cli_preflight.py
```

2. From the live project canvas, open **Settings** and use **Generate Template from Project**.
   Railway documents template creation through the dashboard,
   not the normal CLI.
3. Confirm the generated template keeps the GitHub source, Dockerfile build,
   `/health` health check, public HTTP networking, and `/data` volume.
4. Add `docs/assets/zero-template-icon.svg` as the template and service icon.
5. Paste the Marketplace Overview Copy from this page.
6. Publish the template from Railway workspace settings.
7. Apply to the Open Source Partner Program at
   `https://railway.com/partners` using [railway-partner.md](railway-partner.md).
8. Add the live demo project after `scripts/railway_doctor.py "$ZERO_RAILWAY_URL"` passes.
9. Keep the README deploy button pointed at the issued template URL:

```md
[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/zero-paper-runtime)
```

10. Keep [docs/release.md](release.md) and the template packet current before
   merging template-impacting changes to `main`.

### Partner And Support Packet

Railway's partner program is a manual application. The prepared application
packet lives in [railway-partner.md](railway-partner.md) and includes the
maintainer summary, template evidence, support queue commitment, update policy,
and submission message. After publishing the template, keep the Template Queue
at https://station.railway.com/my-template-queue clear during launch week.

## Why Deploy ZERO on Railway?

Railway gives operators a fast paper-runtime rollout path without asking ZERO
to host custody infrastructure. Operators keep their own project boundary,
volume, logs, domains, variables, and billing relationship while ZERO stays
inspectable, interruptible, and paper-first by default.
````


## Source: `docs/vibe-deploy.md`

````markdown
# Vibe Deploy Proof Chain

Vibe Deploy is the optional trust ceremony that connects an operator-owned ZERO
Runtime to the ZERO control plane. It is not custody and it is not required to
run the public paper Runtime locally, in Docker, or on Railway.

The public Runtime remains useful by itself:

- paper mode is the default;
- live Hyperliquid prices are read-only unless the operator configures more;
- live-risk endpoints fail closed by default;
- journals, audit export, proof packs, and MCP inspection work without a ZERO
  hosted account.

Vibe Deploy adds a receipt-backed chain of evidence so the app/control plane can
distinguish a genuine Runtime from someone clicking a button.

## Proof Chain

| Step | Runtime/control-plane proof |
| --- | --- |
| `claim_runtime` | Deployment ownership proof. The Runtime consumes a single-use claim token and receives scoped control-plane credentials. |
| `observe_first_heartbeat` | Runtime liveness proof. The claimed Runtime sends signed heartbeat evidence with replay protection. |
| `run_paper_acceptance` | Paper capability proof. The Runtime executes a paper acceptance path and writes local journal/audit evidence. |
| `record_paper_acceptance` | Control-plane acceptance proof. The Runtime posts a signed paper acceptance event for the deployment. |
| `approveAgent` | Authority proof. The operator's main wallet approves the Hyperliquid API/agent wallet; the public Runtime does not do this by default. |
| `grant_short_live_lease` | Execution authority proof. The control plane grants bounded live authority only after ownership, liveness, paper capability, and agent approval are present. |
| `approveBuilderFee` | Revenue authority proof. Optional for paid/live use; signed by the main wallet, never by the API/agent wallet. |

## Public Runtime Boundary

The public repository supports the Runtime side of the ceremony:

- deployment claim and heartbeat packets;
- local/Railway paper Runtime evidence;
- audit and proof export;
- fail-closed live readiness and canary rehearsal;
- read-only MCP inspection.

The ZERO control plane owns the app-side ceremony:

- deployment creation;
- claim token minting and redemption;
- receipt storage;
- live lease gating;
- Privy/API-wallet signing where configured;
- proof-chain projection into user/admin product surfaces.

## Safety Rules

- The Runtime can run paper mode without connecting to the ZERO control plane.
- A claim token is single-use and should be stored hash-only server-side.
- Heartbeats must be signed, nonce-protected, and clock-bounded when posted to
  the control plane.
- Paper acceptance must come from Runtime evidence, not from UI state.
- Live execution must remain refused until explicit operator authority gates are
  complete.
- Builder Codes must never be hidden. The public Runtime does not apply ZERO
  builder fees by default.

## Verification Commands

For a local or Railway Runtime:

```bash
curl -fsS "$ZERO_RUNTIME_URL/health"
curl -fsS "$ZERO_RUNTIME_URL/deployment/heartbeat"
curl -fsS "$ZERO_RUNTIME_URL/audit/export?limit=1"
curl -fsS "$ZERO_RUNTIME_URL/live/preflight"
```

Run `/deployment/claim` only once through the dedicated claim ceremony flow
with a single-use token. It is stateful and must not be part of repeatable
health verification.

For the public repository gates:

```bash
just public-proof
just railway-smoke
just docs-check
```

`/live/preflight` should report refused/not-ready in the default public Runtime.
That is the expected posture until an operator completes the separate authority
ceremony.
````


## Source: `docs/api.md`

````markdown
# API Contract

The machine-readable contract lives in
[openapi/zero-paper-api.v1.yaml](../openapi/zero-paper-api.v1.yaml). Compatibility
rules live in [docs/api-compatibility.md](api-compatibility.md).

The first public API contract is deliberately small. It describes the behavior
that must remain stable while the private engine is ported into the public
runtime.

## Engine Objects

### `RiskLimits`

Defines hard local safety limits:

- `max_notional_usd`
- `max_position_notional_usd`
- `max_leverage`
- `min_confidence`

All values must be positive. `min_confidence` must be less than or equal to `1`.

### `OrderIntent`

Represents a requested order:

- `symbol`
- `side`
- `quantity`
- `price`
- `confidence`
- `reduce_only`

`reduce_only=true` means the order can only reduce risk. The public safety
contract allows reduce-only orders even when confidence is low.

### `RiskDecision`

Returned by safety evaluation:

- `allowed`
- `reason`

The reason must be human-readable and stable enough for tests, logs, and CLI
rendering.

## Safety Functions

### `evaluate_order(intent, limits, current=None)`

Evaluates a proposed order before paper fill.

Rejects when:

- confidence is below `limits.min_confidence`
- order notional exceeds `limits.max_notional_usd`
- projected position notional exceeds `limits.max_position_notional_usd`

Allows when:

- order is reduce-only
- all risk checks pass

### `projected_position(intent, current=None)`

Computes the paper position that would exist if the order were accepted.

## Paper Engine

### `PaperEngine.submit(intent)`

Evaluates the intent, records rejected orders, records accepted fills, and
updates paper positions.

The method must not require exchange credentials or network access.

`submit(intent, source="manual")` returns a `RiskDecision` and appends a
`DecisionRecord` to `engine.decisions`.

### `DecisionRecord`

Inspectable paper decision log entry:

- `intent`
- `decision`
- `as_of`
- `source`

Use `to_dict()` for JSON output in examples, tests, and CLI inspection. Every
paper decision should name its source, such as `manual`, `scenario:<name>`, or
`strategy:<name>`.

`PaperEngine` accepts an optional `clock` callable so tests and examples can
produce deterministic `as_of` timestamps.

## Local Paper API

`zero-paper-api` starts a paper-only HTTP server on `127.0.0.1:8765`.
It requires no secrets and implements the CLI-facing subset of the engine
contract:

- `GET /`, `/health`, `/v2/status`
- `GET /positions`, `/risk`, `/brief`
- `GET /regime`, `/decision/stack`, `/evaluate/{coin}`, `/pulse`, `/approaching`, `/rejections`, `/journal`
- `GET /metrics`, `/immune`, `/memory`, `/genesis`, `/evolve`, `/research`, `/audit/export`
- `GET /deployment/claim`, `/deployment/heartbeat`, `/network/profile`, `/network/leaderboard`
- `GET /intelligence/snapshot`, `/intelligence/catalog`, `/intelligence/commercial`, `/intelligence/model-gateway`
- `GET /v1/intelligence/snapshots`, `/v1/intelligence/history`, `/v1/intelligence/cohorts`, `/v1/intelligence/benchmarks`
- `GET /hl/status`, `/hl/account`, `/hl/reconcile`, `/market/quote`
- `GET /live/preflight`, `/live/cockpit`, `/live/certification`, `/live/receipts`, `/live/evidence`
- `GET /operator/state`
- `POST /execute`
- `POST /auto/toggle`
- `POST /operator/events`
- `POST /network/publish`
- `POST /network/ingest`
- `POST /intelligence/export`
- `POST /v1/intelligence/webhooks`, `/v1/intelligence/exports`
- `POST /live/heartbeat`, `/live/pause`, `/live/resume`, `/live/kill`, `/live/flatten`

`POST /execute` runs through `PaperEngine.submit`, records a decision with
source `api:/execute`, and returns `simulated=true` by default. When the caller
sends `X-Zero-Mode: live`, the same endpoint routes to the optional live
executor instead. If no live executor is configured, the engine returns
`accepted=false`, `simulated=false`, and `reason="live executor not configured"`.
It honors the request idempotency key so repeated submissions with the same key
do not create duplicate paper fills or duplicate live order submissions.
Live responses include public-safe `request_hash` and `receipt_hash` fields
when the live executor records the attempt; the raw idempotency key remains
local to the response and is excluded from public evidence packets.
The interactive CLI command `/execute <coin> <buy|sell> <size>` uses this same
endpoint after the operator-state friction ladder clears. Non-interactive
`zero run` refuses risk-increasing execution commands because the typed-confirm
surface is TTY-only.

Every HTTP response carries `X-Zero-Trace-Id`. When an HTTP `POST /execute`
creates a paper decision, that trace ID is written into the decision journal
and echoed in the HTTP response. Idempotency replays return the original
decision trace, which keeps audit trails tied to the first accepted action.

`GET /journal?limit=50` returns the most recent paper decisions in the same
shape as `DecisionRecord.to_dict()`. When `zero-paper-api --journal PATH` is
used, records are read from the append-only JSONL journal at `PATH`; otherwise
the endpoint returns the in-memory decision log for the current process.

On startup with `--journal PATH`, `zero-paper-api` replays the journal before it
serves traffic. The replay restores paper decisions, fills, open positions,
rejections, and idempotency keys, so a repeated `POST /execute` with an already
journaled key returns the original simulated response instead of creating a
duplicate fill. `/health` and `/v2/status` include a `recovery` object with the
journal mode, recovered counts, and current runtime counts.

`GET /metrics` returns JSON runtime counters for API requests, status codes,
execute outcomes, idempotency hits, decision counts, fill counts, rejection
counts, and recovery state.

`GET /memory?limit=20` returns a `zero.memory.snapshot.v1` public-safe view of
local memory. Without a configured memory store, the endpoint extracts an
ephemeral snapshot from current paper decisions. With a `MemoryStore`, it reads
active append-only memory entries and omits expired records. `format=md` also
returns generated `knowledge.md` content. Memory output is explicitly redacted:
no live prices, wallet material, exchange order ids, or private keys.

`GET /genesis` returns a `zero.genesis.snapshot.v1` plan-only view of genesis
proposal classifications. It never applies code changes. The fixture-backed
snapshot demonstrates one accepted proposal, one rejected proposal with
insufficient sample size, and one escalated proposal touching protected live
execution paths. Protected execution, sizing, stops, circuit breaker, live
adapter, and immune-core proposals require human review.

`GET /evolve` returns a `zero.evolve.snapshot.v1` paper-first view of the
builder, red-team, paper-canary, calibration, promotion, promotion-plan,
rollback-plan, and promotion-verification gates. It never mutates the checkout,
pushes a branch, deploys a service, or promotes a change. The fixture-backed
snapshot selects the accepted genesis docs/example proposal, materializes a
sandbox candidate tree, and proves that promotion remains local-only,
rollback-gated, and human-approved. Checkout mutation is intentionally excluded
from the HTTP API; local apply and rollback are CLI-only and emit
`zero.evolve.apply_receipt.v1` plus `zero.evolve.rollback_receipt.v1` receipts.

`GET /research` returns a `zero.research.snapshot.v1` paper-only view of the
research command chain: hunt, edge, convergence, thesis, score, meta, and
sharpen. It never mutates the checkout, pushes a branch, deploys a service,
places an order, or claims live PnL. The fixture-backed snapshot exists so
agents can inspect what ZERO should study next before genesis/evolve gates are
used.

`GET /runtime/parity` returns `zero.runtime.production_parity.v1`. It runs the
bundled paper OODA loop, mirrors the same idempotency keys and intents through a
disabled live executor, proves the live shadow path refuses every order, emits
checksum-chained runtime-bus integrity, dry-run live certification status, and a
rejection/execution-quality feedback packet. It places no live orders and does
not claim live trading proof. The separate
`docs/proof/live/live-trading-evidence.json` packet carries redacted
operator-owned live evidence for public verification.

`GET /decision/stack?coin=BTC` returns `zero.decision.stack.v1`, the public
lens/layer/modifier shape behind paper evaluation. Lenses explain weighted
views, layers explain gates, and modifiers explain bounded confidence or
operator-friction adjustments. The public stack is read-only and always reports
`allowed_to_execute_live=false`; live authority remains with the local
self-custodial runtime and its preflight controls. `GET /evaluate/{coin}` keeps
the CLI-compatible fields and embeds the same stack as `decision_stack`.

`GET /audit/export?limit=100` returns a structured `zero.audit.v1` export with
runtime summary, retention/redaction metadata, metrics, recovery state, and the
most recent decisions. The public paper runtime records no secrets.

`zero-engine-run --runtime-bus DIR` writes checksum-chained local runtime events
to `DIR/events.jsonl` and a fast boot snapshot to `DIR/state-snapshot.json`.
The bus is not an HTTP API yet; it is the local event contract for OODA cycles,
decisions, fills, rejections, positions, health, and future operator commands.
See [runtime-bus.md](runtime-bus.md).

`GET /deployment/claim` returns a `zero.deployment.claim.v1` public-safe,
signature-ready identity packet for the local runtime. It binds deployment
metadata, operator audit handle, aggregate evidence counts, and signature status
without including raw decisions, symbols, trace IDs, idempotency keys, wallet
material, or exchange credentials.

`GET /deployment/heartbeat` returns a `zero.deployment.heartbeat.v1`
public-safe liveness packet bound to the deployment claim hash. It exposes
paper-only, fresh, or expired dead-man state without exposing raw decisions,
trace IDs, idempotency keys, credentials, or private runtime details.

`GET /network/profile` returns a `zero.network.profile.v1` public-safe profile
packet with aggregate behavior, verification badges, a proof hash, deployment
claim hash, deployment heartbeat hash, and privacy metadata. It excludes raw
decisions, trace IDs, idempotency keys, wallet addresses, exchange order IDs,
private notes, strategy source labels, and per-trade symbols. Publication is
disabled by default.

`GET /network/leaderboard` returns a `zero.network.leaderboard.v1` local row
derived from the same redacted profile. The first leaderboard model ranks
verified process data such as decision count and rejection rate, not PnL
screenshots.

`POST /network/publish` requires `{"consent": true}` and
`ZERO_NETWORK_PUBLISH_PATH`. When both are present, the runtime appends the
redacted profile packet to a local JSONL proof log. It does not upload to a
ZERO-hosted service from the public runtime.

`POST /network/ingest` accepts one redacted profile packet or a list of
packets and returns `zero.network.ingestion.v1`. It is the public-safe
hosted-compatible validation contract for ZERO Network: profile publication
must be explicitly enabled, proof hashes must match recomputed aggregate
evidence, aggregate metrics must be internally consistent, duplicate accepted
handles/proofs are refused, and deployment claim/heartbeat hashes must bind
when present. The response includes accepted/refused records plus an
accepted-only leaderboard. It never requires raw journals, exchange
credentials, wallet material, trace IDs, idempotency keys, or per-trade
symbols.

`GET /intelligence/snapshot` returns a `zero.intelligence.snapshot.v1` delayed
public intelligence packet derived from the verified ZERO Network profile. It
contains aggregate signals such as activity level, rejection discipline,
execution pressure, journal quality, and proof hash. It excludes raw decisions,
trace IDs, idempotency keys, per-trade symbols, credentials, and private notes.

`GET /intelligence/catalog` returns a `zero.intelligence.catalog.v1` commercial
API contract. The contract makes the open-core rule explicit: the runtime,
paper mode, self-custodial operation, public profiles, public leaderboards, and
delayed snapshots are public; realtime feeds, history, cohorts, benchmarks,
webhooks, bulk exports, commercial redistribution, and SLOs are paid surfaces.

`GET /intelligence/commercial` returns
`zero.intelligence.commercial.v1`, the billing-ready hosted Intelligence API
contract. It names the open/commercial/not-sold boundary, bearer-token hosted
auth shape, plan scopes, datasets, endpoint usage events, rate-limit headers,
webhook delivery contract, export rules, reliability tiers, and privacy rules.
It is not enforced by the local open-source runtime and does not require
operator secrets, raw journals, custody transfer, or exchange credentials.

The `/v1/intelligence/*` endpoints are a hosted-compatible reference surface
for ZERO Intelligence API. They are intentionally small and runnable inside the
public paper server so contributors can build clients against the commercial
shape before the production warehouse exists:

- `GET /v1/intelligence/snapshots` serves delayed public snapshots without a
  token and returns real `x-zero-ratelimit-*` headers.
- `GET /v1/intelligence/snapshots?freshness=realtime`,
  `/v1/intelligence/history`, `/v1/intelligence/cohorts`, and
  `/v1/intelligence/benchmarks` require `Authorization: Bearer <token>` when
  `ZERO_INTELLIGENCE_API_TOKEN` is configured.
- `POST /v1/intelligence/webhooks` returns a subscription record plus a
  verifiable HMAC-SHA256 signature fixture. It never returns signing key
  material.
- `POST /v1/intelligence/exports` returns a reference export job for aggregate
  JSONL or CSV data.

Reference env vars:

```text
ZERO_INTELLIGENCE_API_TOKEN=...
ZERO_INTELLIGENCE_API_PLAN=team_fund
ZERO_INTELLIGENCE_API_ACCOUNT_ID=acct_...
ZERO_INTELLIGENCE_WEBHOOK_SIGNING_KEY=...
ZERO_INTELLIGENCE_STORE_PATH=/data/zero/intelligence.jsonl
```

These endpoints prove auth boundaries, scopes, usage events, rate-limit
headers, webhook signing behavior, and durable aggregate reference persistence.
They do not imply the local runtime is a hosted billing system or a production
warehouse.

`GET /intelligence/model-gateway` returns `zero.model_gateway.status.v1`, a
public-safe provider and routing status packet. The default mode is
`fail_closed`: no configured provider means no model-derived certainty. Mock
providers report `local_ready`; explicitly configured external providers report
`external_ready`. All model output is advisory-only and never bypasses
execution safety. Provider status also reports bounded retry and timeout policy;
usage counters include attempts, token counts when available, and public-safe
cost-estimate source.

`GET /intelligence/model-gateway/health` returns
`zero.model_gateway.health.v1`. By default it is a config-only health probe and
does not make network calls. Passing `?network=true` runs an explicit structured
provider probe through the selected model boundary and returns only provider,
attempt, token-count, and status metadata.

`GET /intelligence/model-gateway/audit` returns
`zero.model_gateway.audit.v1`, a production-readiness bundle for model
operations. It includes status, config-only health, usage totals, fail-closed
controls, evidence requirements, and privacy assertions without prompts, raw
outputs, headers, request IDs, or secret values.

`POST /intelligence/export` requires `{"consent": true}` and
`ZERO_INTELLIGENCE_EXPORT_PATH`. When both are present, the runtime appends the
redacted delayed snapshot to a local JSONL packet log for future hosted
ingestion. It does not upload to a ZERO-hosted service from the public runtime.

`GET /live/preflight` returns a structured `zero.live_preflight.v1` readiness
packet for the Hyperliquid live executor. It never accepts private keys over
HTTP. The runtime reads local process configuration only, redacts key
diagnostics, verifies account-read access when a wallet address and read adapter
are present, validates a dry-run order locally, and refuses live mode unless
custody, journal, risk limits, and emergency controls are all present.

Live execution is local opt-in. Install the optional dependency group and start
the API with process-local credentials:

```bash
pip install -e "engine[live]"
ZERO_LIVE_EXECUTION_ENABLED=true \
ZERO_HYPERLIQUID_WALLET_ADDRESS=0x... \
ZERO_HYPERLIQUID_API_PRIVATE_KEY=0x... \
ZERO_LIVE_MAX_NOTIONAL_USD=1000 \
ZERO_LIVE_MAX_DAILY_LOSS_USD=250 \
ZERO_LIVE_MAX_ORDERS_PER_MINUTE=6 \
ZERO_LIVE_DEAD_MAN_TIMEOUT_S=30 \
zero-paper-api --journal .zero/decisions.jsonl --hyperliquid-live-prices
```

The live executor enforces:

- deterministic idempotency keys and exchange client order IDs;
- no automatic retry on order-submission POSTs;
- exchange dead-man heartbeats through `POST /live/heartbeat`;
- `POST /live/pause` and `/live/resume` for entry control;
- `POST /live/kill` for kill switch plus open-order cancellation;
- `POST /live/flatten` for reduce-only close orders;
- max notional, max daily loss, and max orders per minute.

`GET /live/certification` returns a dry-run `zero.live_certification.v1`
evidence packet. It runs fake-exchange drills for heartbeat, idempotency,
exchange outage, pause, reduce-only flatten, kill, rejected dead-man scheduling,
rate limit, and daily-loss behavior. It never needs secrets and must report
`orders_placed_live=0`.

`GET /live/cockpit` returns a consolidated `zero.live_cockpit.v1` operator
packet. It joins preflight failures, immune breakers, reconciliation status,
dry-run certification, heartbeat expiry, recent live records, operator actions,
the resolved `zero.operator_context.v1` audit identity, and the next required
action. It is read-only and safe to expose in diagnostics.

`GET /live/receipts` returns `zero.live_execution_receipts.v1`: a local,
public-safe receipt bundle for live executor attempts. Each receipt includes
the exact order intent plus hashes for the request, operator context, trace
token, idempotency token, and venue acknowledgement. It never includes wallet
material, exchange credentials, raw venue responses, trace tokens, or raw
idempotency tokens.

`GET /live/evidence` returns a public-safe `zero.live_evidence.v1` packet for
supervised tiny-capital canary rehearsal. It hashes preflight, cockpit,
live execution receipts, reconciliation, immune, certification, audit export,
deployment claim, and deployment heartbeat artifacts instead of embedding raw
private data. Set
`ZERO_LIVE_EVIDENCE_SIGNING_KEY` to attach a local HMAC-SHA256 signature without
echoing key material.

`GET /live/canary-policy` returns `zero.live_canary_policy.v1`: the public
policy lifecycle for supervised live canary evidence. It reports readiness,
policy arm/disarm state, launch-window rules, required evidence, shadow review,
qualification, follow-through status, whether refusal evidence is qualified,
whether accepted live evidence is publishable, and the next recommended
operator action. It never arms live risk by itself.

`scripts/live_canary_rehearsal.py URL --mode refusal` is the maintained local
collector for the canary path. It captures preflight, heartbeat, cockpit,
certification, reconciliation, fail-closed live execute evidence when the
engine is not ready, receipts, live evidence, metrics, audit export, manifest,
and `SHA256SUMS`. `--mode canary` can submit a real live order only after an
explicit confirmation string and ready live gates.

`scripts/live_canary_verify.py DIR` verifies the local bundle before it is used
as launch evidence. It recomputes `SHA256SUMS`, checks required packets and
status codes, compares manifest receipt/evidence fields to the packet payloads,
and fails on common unredacted trace/idempotency/token shapes.

`scripts/live_canary_exchange_evidence.py DIR hyperliquid-export.json` attaches
public-safe exchange-side evidence to the same canary bundle. It hashes the raw
source file, hashes raw venue identifiers, normalizes only symbol/side/quantity
and optional price, matches accepted ZERO receipts by symbol/side/quantity, and
refreshes `SHA256SUMS`. `scripts/live_canary_verify.py DIR
--require-exchange-evidence` then fails unless the packet is present and every
accepted ZERO receipt has exchange-side evidence.

`scripts/live_canary_operator.py URL --mode refusal` wraps the full public-safe
operator workflow: collect rehearsal bundle, attach exchange evidence, run the
verifier, embed the live canary policy, and write `operator_report.json`. For
accepted live canary receipts, the operator workflow refuses to produce a
passing report unless a matching Hyperliquid order/fill export is attached and
the policy qualifies the report.

`scripts/live_canary_operator_verify.py DIR` independently verifies the
operator workflow directory. It checks recursive `SHA256SUMS`, operator-report
privacy flags, common redaction leaks, accepted-live exchange-evidence rules,
the embedded policy, and the nested canary bundle verifier.

`scripts/live_cockpit_drill.py URL` collects the read-only live cockpit stack
into a public-safe drill bundle. It captures `/health`, `/v2/status`,
`/live/preflight`, `/live/cockpit`, `/immune`, `/hl/reconcile`,
`/live/certification`, `/live/receipts`, `/live/evidence`,
`/live/canary-policy`, `/metrics`, and `/audit/export?limit=100`, then writes
`manifest.json` and `SHA256SUMS`. In public paper mode it fails unless live
readiness remains fail-closed.
`scripts/live_cockpit_drill_verify.py DIR` independently verifies a captured
bundle by recomputing checksums, checking packet schemas, replaying the
manifest summary from packet payloads, and enforcing redaction rules.
`scripts/live_cockpit_drill_tamper_rehearsal.py DIR` proves the verifier
rejects both checksum drift and semantic cockpit tampering before the bundle is
used as operator-readiness evidence.

`GET /operator/context` returns the operator audit identity currently attached
to requests. The engine resolves it from `X-Zero-Operator-*` headers,
`ZERO_OPERATOR_*` environment variables, or the local default. Live control
responses and `/audit/export` include the same packet so incidents can be
reviewed per operator without recording secrets.

`GET /immune` returns the `zero.immune.v1` breaker packet used by live
preflight and the CLI. It names each risk-blocking breaker, whether new risk is
allowed, and the evidence behind open breakers. Risk-reducing live controls
remain available even when `/immune` reports `risk_increasing_allowed=false`.

Public Railway paper deployments should not set live credentials. Their
expected behavior is `ready=false`, `live_mode=refused`, and `POST /live/*`
returning `ok=false` with `reason="live executor not configured"`.

`GET /hl/status` returns disabled metadata by default. When `zero-paper-api
--hyperliquid` is used, it queries Hyperliquid's public info endpoint for
read-only mids and returns `secrets_required=false`. This endpoint must not
place orders, sign payloads, or require exchange credentials.

`GET /hl/account` returns a normalized `zero.hl_account.v1` snapshot for the
configured `ZERO_HYPERLIQUID_WALLET_ADDRESS`: redacted wallet id, account
value, margin used, withdrawable balance, open positions, and open orders. It
uses read-only Hyperliquid info calls only.

`GET /hl/reconcile` returns a `zero.reconciliation.v1` packet comparing local
runtime positions with the Hyperliquid account snapshot. Status values include
`ok`, `not_configured`, `stale_data`, `local_lag`, `exchange_rejection`, and
`critical_mismatch`. Live risk-increasing `POST /execute` calls are refused
unless reconciliation reports `risk_increasing_allowed=true`; reduce-only
controls remain available for risk reduction.

`GET /market/quote?symbol=BTC` returns the price source currently feeding paper
mode. By default it returns deterministic fixture prices with `source=paper:static`.
When `zero-paper-api --hyperliquid-live-prices` is used, it returns cached
Hyperliquid mids with `source=hyperliquid:allMids`; `POST /execute`,
`GET /evaluate/{coin}`, and `GET /positions` use the same quote path. Missing
symbols or unavailable live market data fail closed instead of falling back to
fixtures.

### Contract Fixtures

Shared JSON fixtures live in `contracts/paper-api/`. Python tests assert the
local paper API emits these exact payloads, and Rust client tests deserialize the
same files into `zero-engine-client` models. Any endpoint change that affects
the CLI contract should update the fixture and both test expectations together.

The fixture set currently covers:

- `GET /v2/status`
- `GET /positions`
- `GET /risk`
- `GET /brief`
- `GET /rejections`
- `POST /execute` accepted and rejected responses

## Paper Scenarios

### `load_scenario(path)`

Loads a deterministic paper scenario from JSON.

Required behavior:

- `mode` must be `paper`.
- At least one order must be present.
- Symbols are normalized to uppercase.
- Side values are parsed as `buy` or `sell`.

The public examples use this path so contributor demos are data-driven and easy
to extend without touching engine code.

## Market Data Adapters

### `Candle`

Immutable OHLCV candle:

- `symbol`
- `ts`
- `open`
- `high`
- `low`
- `close`
- `volume`

Validation keeps public fixtures honest: prices must be positive, high/low must
bound open and close, and volume must be non-negative.

### `MarketDataAdapter`

Protocol for deterministic market data:

- `candles(symbol, limit=None)`
- `latest(symbol)`

Adapters must return candles in chronological order and must not require secrets
for paper examples.

### `JsonlCandleAdapter`

Loads newline-delimited JSON candles from disk. This is the public template for
future adapters because it is deterministic, reviewable, and CI-friendly.

## Strategy Plugins

### `StrategySignal`

Paper-only proposal object:

- `symbol`
- `side`
- `confidence`
- `quantity`
- `reason`

A signal is not a fill. It must be converted to an `OrderIntent` and submitted
through `PaperEngine.submit`.

### `Strategy`

Protocol for paper strategies:

- `name`
- `propose(market, symbol)`

Strategies receive a `MarketDataAdapter` and return either a `StrategySignal` or
`None`.

### `MomentumStrategy`

Minimal deterministic template. It proposes a buy signal when the latest candle
closes above its open by at least `min_move_pct`.

### `propose_order(strategy, market, symbol)`

Converts a strategy proposal into an `OrderIntent` priced at the latest candle
close. The returned order still needs safety evaluation.

## Compatibility Rules

- Additive fields are preferred over breaking changes.
- Reasons used by tests should not be renamed casually.
- Paper-mode behavior must stay deterministic.
- Live adapters must not change paper-mode defaults.
````


## Source: `docs/memory-core.md`

````markdown
# Memory Core

ZERO Memory is the local, public-safe knowledge layer for the autonomous
operating system. It extracts reusable observations from runtime decisions
without preserving derivable market state, wallet material, exchange order
identifiers, or private keys.

The memory core is open source because it belongs to the operator's
self-custodial runtime. Hosted aggregation, realtime cohorts, history, and
commercial redistribution belong to ZERO Intelligence.

## Contract

Memory entries use `zero.memory.entry.v1` and are append-only JSONL records.
The first public kinds are:

| Kind | TTL | Purpose |
| --- | ---: | --- |
| `signal` | 7 days | Accepted paper decision evidence, redacted to behavior class. |
| `regime` | 3 days | Short-lived market or strategy context. |
| `operator` | 30 days | Operator action outcomes and risk-direction evidence. |
| `strategy_reference` | 90 days | Rejection and strategy-learning references. |

Every entry has a content-derived id, an evidence hash, an expiry time, a
scope, a confidence score, tags, and public-safe metadata. Duplicate entries
are ignored by id. Expired entries remain in the append-only store but are not
included in active memory or generated knowledge.

## Public-Safety Rules

Memory output must not store:

- live prices, quantities, sizes, or notional values;
- raw exchange payloads;
- wallet addresses or private keys;
- exchange order ids or idempotency keys;
- private operator notes.

The extractor may read raw decision journals locally, but the generated memory
records keep only redacted behavior: symbol, gate result, reason class,
source class, reduce-only flag, and hashes.

## Run

From a source checkout:

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.memory extract \
  --decisions examples/memory-core/decisions.jsonl \
  --store artifacts/memory/memory.jsonl \
  --knowledge artifacts/memory/knowledge.md \
  --now 2026-05-01T00:00:00Z

PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.memory status \
  --store artifacts/memory/memory.jsonl \
  --now 2026-05-01T00:00:00Z
```

After package install, the console script is:

```bash
zero-memory extract --decisions examples/memory-core/decisions.jsonl --store artifacts/memory/memory.jsonl
```

The API exposes the same public-safe view:

```bash
curl -fsS http://127.0.0.1:8765/memory
curl -fsS 'http://127.0.0.1:8765/memory?format=md'
```

The MCP server exposes `zero_get_memory_snapshot` and the
`zero://memory/snapshot` resource. Both are read-only and fixture-backed.

## Knowledge

`knowledge.md` is generated from active memory only. It is meant for humans and
coding agents as a compact local context packet, not as a raw journal export.
If a future extractor needs private notes, live prices, or raw venue payloads
to learn correctly, that material must stay outside public memory and be
represented only by a redacted hash or operator-owned local file reference.
````


## Source: `docs/genesis.md`

````markdown
# Genesis Proposal Core

ZERO Genesis is the plan-only proposal layer for the autonomous operating
system. It turns local memory, proof artifacts, and operator evidence into
classified change proposals without applying code changes automatically.

Genesis is public because operators and contributors should be able to inspect
how the system thinks about self-improvement. Automatic mutation, deployment,
and commercial intelligence loops remain outside this public runtime until they
have review, canary, and rollback controls.

## Contract

Proposals use `zero.genesis.proposal.v1`. Guardian decisions use
`zero.genesis.guardian.v1`. The public API snapshot uses
`zero.genesis.snapshot.v1`.

Each proposal includes:

- title and summary;
- target paths;
- evidence references;
- sample size;
- risk tier;
- revert plan;
- public-safe metadata.

The guardian policy is deterministic:

| Tier | Minimum sample | Outcome |
| --- | ---: | --- |
| `low` | 5 | Accepted when evidence and revert plan are present. |
| `medium` | 30 | Accepted when evidence and revert plan are present. |
| `high` | 100 | Escalated for human review. |
| `protected` | 100 | Escalated for human review. |

Protected paths include execution, sizing, stops, circuit breakers, live
adapters, and immune core code. Any proposal touching those classes requires
human review even when the sample size is sufficient.

## Public-Safety Rules

Genesis proposals must not store:

- live prices, quantities, sizes, or notionals;
- raw exchange payloads;
- wallet addresses or private keys;
- exchange order ids or idempotency keys;
- private operator notes.

## Run

From a source checkout:

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.genesis plan \
  --proposals examples/genesis/proposals.jsonl \
  --journal artifacts/genesis/genesis.jsonl \
  --now 2026-05-01T00:00:00Z

PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.genesis status \
  --journal artifacts/genesis/genesis.jsonl \
  --now 2026-05-01T00:00:00Z
```

After package install, the console script is:

```bash
zero-genesis plan --proposals examples/genesis/proposals.jsonl --journal artifacts/genesis/genesis.jsonl
```

The API exposes the same plan-only view:

```bash
curl -fsS http://127.0.0.1:8765/genesis
```

The MCP server exposes `zero_get_genesis_proposals` and the
`zero://genesis/proposals` resource. Both are read-only and fixture-backed.

## Boundary

Genesis is not `/evolve`. It does not write files, open PRs, change strategy
weights, touch live adapters, or deploy services. It only records the
guardian decision that a proposal is accepted, rejected, or escalated. Builder,
red-team, canary, and calibration loops are separate cycles with stricter gates.
````


## Source: `docs/research.md`

````markdown
# Research Command Chain

ZERO Research is the public, fixture-backed version of the private research
loop. It gives operators and coding agents the missing analysis layer between
local memory, genesis proposals, and evolve gates.

The report artifact uses `zero.research.report.v1`. The API snapshot uses
`zero.research.snapshot.v1`. Source trust decisions use
`zero.research.source_classification.v1`; aggregate source-quality records use
`zero.research.source_quality.v1`.

## Commands

The public chain runs seven deterministic commands:

- `hunt`: market scan from public paper candle fixtures;
- `edge`: accepted/rejected decision analysis from local paper journals;
- `convergence`: feedback-loop drift and lockstep detection;
- `thesis`: seven-day operating hypothesis, anti-thesis, and scorecard;
- `score`: prior-judgment scoring against public paper outcomes;
- `meta`: command usefulness audit;
- `sharpen`: system-improvement backlog.

## Safety Boundary

Research is paper-only and read-only.

- It does not place orders.
- It does not mutate the checkout.
- It does not open branches, commits, pull requests, or deployments.
- It does not claim live PnL or live edge.
- It removes private keys, wallet material, venue order ids, raw venue payloads,
  prices, sizes, quantities, and notionals from public artifacts.
- It classifies source trust before a source can influence paper research.
  Prompt-injected, untrusted, unsupported performance, or risk-increasing
  claims are rejected into quarantine metadata without echoing raw source text.

Live research conclusions require signed operator evidence before they can be
used as public proof.

## Source Quality

Every research report includes `source_quality`:

- `accepted`: fixture, signed-operator, or repository-document sources that can
  be used for paper research;
- `rejected`: untrusted or adversarial sources that can only be used for
  quarantine records and safety review;
- `raw_content_included=false`: public reports never carry raw source text.

The adversarial fixture coverage lives in
`engine/tests/test_research.py::test_research_source_classifier_rejects_prompt_injection_without_echoing_raw_text`.

## Local Example

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.research run \
  --repo-root "$PWD" \
  --output artifacts/research/research.json \
  --now 2026-05-01T00:00:00Z

PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.research status \
  --report artifacts/research/research.json \
  --now 2026-05-01T00:00:00Z
```

Installed entrypoint:

```bash
zero-research run --repo-root . --output artifacts/research/research.json
```

## API And MCP

The local paper API exposes:

```bash
curl -fsS http://127.0.0.1:8765/research
```

The MCP server exposes `zero_get_research_report` and the
`zero://research/report` resource. Both are read-only and fixture-backed.

## Relationship To Evolve

Research is not `/evolve`. Research explains what the system should inspect
next. Genesis turns evidence into reviewable proposals. Evolve runs guarded
paper-only builder, red-team, canary, and calibration gates. Promotion still
requires human review.
````


## Source: `docs/evolve.md`

````markdown
# Evolve Harness

ZERO Evolve is the paper-first builder, red-team, canary, calibration,
promotion-plan, local-apply, and rollback harness for the public
self-evolution loop.
It consumes accepted genesis decisions and produces local evidence before any
human considers promotion.

The default run path does not mutate the checkout, push branches, deploy
services, or change live trading code. It writes a sandbox artifact that
describes the candidate branch, candidate patch, materialized candidate tree,
red-team verdict, paper canary result, calibration result, local-only promotion
decision, promotion plan, rollback plan, and promotion verification.

Checkout mutation exists only through the explicit `apply` subcommand. `apply`
requires an exact human approval phrase, verifies every original/candidate hash
before writing any file, writes an apply receipt, never pushes remotely, and
never places orders. `rollback` requires a separate exact approval phrase and
restores from the apply receipt backups while verifying original hashes.

## Contract

The run artifact uses `zero.evolve.run.v1`.

Each run includes:

- selected accepted genesis proposal;
- local sandbox and candidate patch manifest;
- red-team review;
- deterministic paper canary;
- calibration against the fixture baseline;
- promotion decision that always requires human approval;
- promotion plan with the exact approval phrase and no remote push;
- rollback plan with original and candidate hashes;
- promotion verification that fails if either plan can mutate the checkout or
  push remotely.

Promotion is local-only. `pushes_to_remote=false` and `promoted=false` are part
of the public contract. Run artifacts keep `applies_to_checkout=false`; apply
receipts use `applies_to_checkout=true` only after local human approval and hash
verification.

## Policy

The public harness allows generated candidate patches only under:

- `docs/`
- `examples/`

It blocks protected runtime paths including live adapters, Hyperliquid adapter,
immune core, safety code, and CLI live dispatch. Protected proposals must stay
at the genesis escalation stage until reviewed by a human.

Every promotable run must also include:

- `zero.evolve.promotion_plan.v1`;
- `zero.evolve.rollback_plan.v1`;
- `zero.evolve.promotion_verification.v1`;
- `zero.evolve.apply_receipt.v1` for any approved checkout mutation;
- `zero.evolve.rollback_receipt.v1` after any approved rollback;
- the exact approval phrase `I_APPROVE_ZERO_EVOLVE_LOCAL_PROMOTION`;
- the exact rollback phrase `I_APPROVE_ZERO_EVOLVE_LOCAL_ROLLBACK`;
- original and candidate hashes for every sandbox mutation.

## Run

From a source checkout:

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.genesis plan \
  --proposals examples/genesis/proposals.jsonl \
  --journal artifacts/evolve/genesis.jsonl \
  --now 2026-05-01T00:00:00Z

PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.evolve run \
  --genesis-journal artifacts/evolve/genesis.jsonl \
  --output artifacts/evolve \
  --repo-root "$PWD" \
  --now 2026-05-01T00:00:00Z

PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.evolve status \
  --run artifacts/evolve/evolve-run.json \
  --now 2026-05-01T00:00:00Z
```

To apply into a local checkout, review `artifacts/evolve/evolve-run.json`, then
run the explicit approval command:

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.evolve apply \
  --run artifacts/evolve/evolve-run.json \
  --repo-root "$PWD" \
  --output artifacts/evolve/apply \
  --approval-phrase I_APPROVE_ZERO_EVOLVE_LOCAL_PROMOTION
```

To roll back that local apply:

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.evolve rollback \
  --apply-receipt artifacts/evolve/apply/apply-receipt.json \
  --repo-root "$PWD" \
  --output artifacts/evolve/rollback \
  --approval-phrase I_APPROVE_ZERO_EVOLVE_LOCAL_ROLLBACK
```

After package install, the console script is:

```bash
zero-evolve run --proposals examples/genesis/proposals.jsonl --output artifacts/evolve
```

The API exposes a fixture-backed snapshot:

```bash
curl -fsS http://127.0.0.1:8765/evolve
```

The MCP server exposes `zero_get_evolve_status` and the
`zero://evolve/status` resource. Both are read-only and fixture-backed.

## Boundary

Evolve is not autonomous deployment. It is the evidence and local checkout
promotion layer before a human review. It remains local by default, requires
explicit human approval, verifies rollback before apply, and refuses remote push
or live-code mutation unless a stricter release policy is added.
````


## Source: `docs/mcp.md`

````markdown
# ZERO MCP Server

`zero-mcp` is a dependency-free, stdio MCP-compatible server for coding agents
and operator tooling. It exposes only public-safe, read-only ZERO surfaces:
bundled strategies, deterministic paper results, paper position state, runtime
status, health, journal tail, rejection audit, local memory snapshots and stats,
genesis proposal classifications, evolve gate status, research command-chain
reports, the public decision stack, immune status, deterministic backtest
summary, hash-only evidence bundle, safety catalog, and the demo proof-pack
manifest. It also exposes contributor-facing strategy runner, strategy plugin,
and market-data adapter docs as markdown resources so coding agents can find
the right extension path without scanning the full repository.

It does not expose live execution, order placement, approval, wallet, secret, or
venue-write tools. The server is for inspection and local development until live
operator capabilities have passed the public readiness gates.

Unsafe or unknown requests fail with `zero.mcp.refusal.v1`, a machine-readable
refusal payload that restates the public safety boundary (`read_only_public`,
`paper_only=true`, `canPlaceOrders=false`, `canChangeRuntimeState=false`) without
echoing raw tool arguments, prompt-injection text, or secret-shaped material.

## Run

From a source checkout, the server reads the checked-in scenario and proof-pack
artifacts:

```bash
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.mcp --smoke
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.mcp
```

After installing the engine package, the same command works with an embedded
public demo fallback. Use a source checkout when you need file-hash verification
against `docs/proof/demo`.

```bash
zero-mcp --smoke
zero-mcp
```

The server reads newline-delimited JSON-RPC messages from stdin and writes
newline-delimited JSON-RPC responses to stdout.

## Transcript

The public transcript fixture is generated from the same handlers used by
`zero-mcp`:

```bash
PYTHONPATH="$PWD/engine/src" scripts/mcp_transcript.py
PYTHONPATH="$PWD/engine/src" scripts/mcp_transcript.py --check
```

See [`docs/mcp/transcript.jsonl`](mcp/transcript.jsonl). It proves that a
coding agent can initialize the server, list tools, inspect bundled strategies,
replay deterministic paper results, inspect redacted local memory and aggregate
stats, inspect plan-only genesis proposals, inspect paper-only evolve gates,
inspect paper-only research reports, inspect the lens/layer/modifier decision
stack, inspect production-parity OODA reports, inspect
journal/rejection/immune/evidence/backtest surfaces, list resources, and read
the proof pack and contributor docs without gaining any live execution
capability. It also includes hostile mutation probes and verifies their
`zero.mcp.refusal.v1` responses do not echo adversarial request text.

## Registry Packet

ZERO ships a committed Official MCP Registry manifest at
[`server.json`](../server.json) and a machine-readable submission packet at
[`contracts/distribution/mcp-registry.json`](../contracts/distribution/mcp-registry.json).

```bash
scripts/mcp_registry_packet.py --check
scripts/mcp_registry_listing_check.py --json
```

The packet is `listed`. The Official MCP Registry points metadata at the public
`zero-engine` PyPI package and uses stdio with `uvx`. See
[MCP Registry Submission Packet](mcp-registry.md).

## Tools

| Tool | Safety class | Purpose |
| --- | --- | --- |
| `zero_list_strategies` | `read_only_public` | Lists bundled paper strategies and contributor examples. |
| `zero_get_runtime_status` | `read_only_public` | Returns paper runtime status derived from the bundled scenario. |
| `zero_get_runtime_parity` | `read_only_public` | Returns production-parity OODA evidence with disabled live shadow execution. |
| `zero_get_health` | `read_only_public` | Returns paper runtime health, dependencies, and breaker status. |
| `zero_get_paper_results` | `read_only_public` | Replays the deterministic bundled paper scenario. |
| `zero_get_position_state` | `read_only_public` | Returns paper position state derived from the scenario. |
| `zero_get_journal_tail` | `read_only_public` | Returns the paper decision journal tail from the bundled scenario. |
| `zero_get_rejection_audit` | `read_only_public` | Returns rejection counts grouped by paper stage and reason. |
| `zero_get_proof_pack` | `read_only_public` | Returns the public-safe demo proof-pack manifest. |
| `zero_get_network_proof_pack` | `read_only_public` | Returns the public-safe ZERO Network proof-chain manifest. |
| `zero_get_memory_snapshot` | `read_only_public` | Returns public-safe memory extracted from bundled paper decisions. |
| `zero_get_memory_stats` | `read_only_public` | Returns aggregate memory stats without entry bodies. |
| `zero_get_genesis_proposals` | `read_only_public` | Returns plan-only genesis proposal classifications. |
| `zero_get_evolve_status` | `read_only_public` | Returns paper-first builder, red-team, canary, calibration, promotion-plan, and rollback evidence. |
| `zero_get_research_report` | `read_only_public` | Returns paper-only hunt/edge/convergence/thesis/score/meta/sharpen reports. |
| `zero_get_decision_stack` | `read_only_public` | Returns the public paper-only lens/layer/modifier decision stack. |
| `zero_get_immune_status` | `read_only_public` | Returns paper immune breaker and risk-allowance status. |
| `zero_get_backtest_report` | `read_only_public` | Returns a deterministic paper backtest summary without PnL claims. |
| `zero_get_evidence_bundle` | `read_only_public` | Returns a hash-only public-safe evidence bundle. |
| `zero_get_safety_catalog` | `read_only_public` | Returns the MCP safety classification for every public tool. |

All tools declare `canPlaceOrders=false`, `canChangeRuntimeState=false`, and
`canReadSecrets=false`. None can place, approve, cancel, or route live orders.

## Resources

| URI | Purpose |
| --- | --- |
| `zero://paper/scenario` | Bundled deterministic paper scenario. |
| `zero://paper/results` | Generated paper replay result. |
| `zero://runtime/status` | Paper runtime status. |
| `zero://runtime/health` | Paper runtime health, dependencies, and breakers. |
| `zero://runtime/parity` | Production-parity OODA report with live shadow fail-closed evidence. |
| `zero://journal/tail` | Paper decision journal tail. |
| `zero://rejections/audit` | Paper rejection audit grouped by stage and reason. |
| `zero://proof/demo` | Demo proof-pack manifest. |
| `zero://proof/network` | ZERO Network proof-chain manifest. |
| `zero://memory/snapshot` | Public-safe local memory extracted from bundled paper decisions. |
| `zero://memory/stats` | Aggregate memory stats without entry bodies. |
| `zero://genesis/proposals` | Plan-only genesis proposal classifications. |
| `zero://evolve/status` | Paper-only evolve gate status. |
| `zero://research/report` | Paper-only research command-chain report. |
| `zero://decision/stack` | Public paper-only lens/layer/modifier decision stack. |
| `zero://immune/status` | Paper immune breaker status. |
| `zero://backtest/report` | Deterministic paper backtest report without PnL claims. |
| `zero://evidence/bundle` | Hash-only public-safe evidence bundle. |
| `zero://mcp/safety` | Safety classification for every public MCP tool. |
| `zero://docs/strategy-runner` | Markdown docs for declarative paper strategy runners. |
| `zero://docs/strategy-plugin` | Markdown docs for deterministic paper strategy plugins. |
| `zero://docs/market-data-adapters` | Markdown docs for deterministic market-data adapters. |

## Smoke Contract

`zero-mcp --smoke` verifies that:

- The exposed tool set contains no live execution tools.
- Every tool declares `read_only_public` safety metadata and cannot place
  orders, change runtime state, or read secrets.
- Every tool returns a JSON object.
- Memory output does not expose prices, wallet material, exchange order ids, or
  keys.
- Genesis output never applies code changes and protected path proposals are
  escalated for human review.
- Evolve output never pushes or promotes; human approval is still required.
- Research output never claims live PnL, mutates the checkout, or pushes.
- Decision-stack output never grants live execution authority.
- The demo and Network proof packs do not claim live trading or paper/live correlation.
- The public source checkout contains the bundled proof and paper artifacts.
- Unknown methods, unavailable tools, and unavailable resources return
  `zero.mcp.refusal.v1` instead of exposing any write-capable surface.

The smoke command is part of the public readiness gates so this agent surface
cannot silently drift into a write-capable trading interface.

## Client Setup

These snippets show how to connect local agent tools to the ZERO MCP server
for read-only inspection. They do not include secrets, tokens, wallets, or live
execution setup.

### Claude Code / Cursor

Add to your project's `.mcp.json` or MCP settings:

```json
{
  "mcpServers": {
    "zero": {
      "command": "bash",
      "args": ["-c", "PYTHONPATH=$PWD/engine/src python3 -m zero_engine.mcp"]
    }
  }
}
```

Or, if you installed the engine package:

```json
{
  "mcpServers": {
    "zero": {
      "command": "zero-mcp"
    }
  }
}
```

### Generic stdio client

Any MCP-compatible client that supports stdio transport can connect:

```bash
# Start the server
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.mcp --smoke

# Or with the installed package
zero-mcp --smoke
```

### Supported resources

After connecting, the agent can inspect these ZERO MCP resources:

- `zero://paper/scenario` — bundled deterministic paper scenario
- `zero://paper/results` — generated paper replay results
- `zero://runtime/status` — paper runtime status
- `zero://journal/tail` — paper decision journal tail
- `zero://proof/demo` — demo proof-pack manifest
- `zero://mcp/safety` — safety classification for every public tool
- `zero://docs/strategy-runner` — strategy runner docs
- `zero://docs/strategy-plugin` — strategy plugin docs
- `zero://docs/market-data-adapters` — market-data adapter docs

Run `PYTHONPATH="$PWD/engine/src" scripts/mcp_transcript.py --check` to verify
the server exposes only read-only public tools before connecting your client.
````


## Source: `docs/mcp-registry.md`

````markdown
# MCP Registry Submission Packet

ZERO has a public-safe MCP server, a committed MCP Registry manifest, and a
manual GitHub OIDC publication workflow. It is listed in the Official MCP
Registry as `io.github.zero-intel/zero`.

The listing points to the public `zero-engine` PyPI package and uses stdio with
`uvx`. The Rust CLI is published as `zero-os` on crates.io. Docker Hub and GHCR
remain blocked until ownership, provenance, and rollback evidence are recorded.

Machine-readable files:

- [server.json](../server.json)
- [contracts/distribution/mcp-registry.json](../contracts/distribution/mcp-registry.json)
- [.github/workflows/mcp-registry.yml](../.github/workflows/mcp-registry.yml)

Schemas:

- `zero.mcp_registry_packet.v1`
- `zero.mcp_registry_listing_check.v1`
- `https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json`

Regenerate and verify:

```bash
scripts/mcp_registry_packet.py --output
scripts/mcp_registry_packet.py --check
scripts/mcp_registry_listing_check.py --json
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.mcp --smoke
PYTHONPATH="$PWD/engine/src" scripts/mcp_transcript.py --check
```

## Registry Identity

| Field | Value |
|---|---|
| Server name | `io.github.zero-intel/zero` |
| Title | `ZERO MCP` |
| Package | `zero-engine` |
| Transport | `stdio` |
| Registry base URL | `https://pypi.org` |
| Runtime hint | `uvx` |
| Auth path | GitHub OIDC from `zero-intel/zero` |
| Safety class | `read-only-public` |

The PyPI package README carries the MCP package proof string:

```html
<!-- mcp-name: io.github.zero-intel/zero -->
```

## Current Listing Evidence

As of `2026-05-04T16:34:39Z`, the Official MCP Registry query returns the ZERO
server and PyPI serves `zero-engine==0.1.5`:

```bash
curl -fsS 'https://registry.modelcontextprotocol.io/v0.1/servers?search=io.github.zero-intel/zero'
curl -fsS 'https://pypi.org/pypi/zero-engine/json'
```

```json
{"servers":[{"name":"io.github.zero-intel/zero","version":"0.1.5"}],"metadata":{"count":4}}
```

The MCP Registry Publication workflow `25330669013` published the `0.1.5`
`server.json` with GitHub OIDC after PyPI Trusted Publishing completed for
`zero-engine==0.1.5`. The registry currently returns four records for the same
server name, so the verifier selects the listed record whose version matches
local `server.json`.

The published MCP runtime also reports the same package version from the
initialize response:

```json
{"serverInfo":{"name":"zero-mcp","version":"0.1.5"}}
```

## Publish Runbook

Run this after changing `server.json` or package metadata for a new version:

```bash
just registry-readiness
just package-dry-run
just mcp-registry-listing-check
mcp-publisher login github-oidc
mcp-publisher publish
curl -fsS 'https://registry.modelcontextprotocol.io/v0.1/servers?search=io.github.zero-intel/zero'
```

The preferred path is the manual
[`MCP Registry Publication`](../.github/workflows/mcp-registry.yml) workflow.
Run it first with `publish=false` to verify local MCP surfaces, server metadata,
and current listing state. For a metadata update, rerun the workflow with
`publish=true` and confirmation text `publish io.github.zero-intel/zero`. The
workflow uses GitHub OIDC, installs the official `mcp-publisher`, publishes
`server.json`, and then requires
`scripts/mcp_registry_listing_check.py --expect-listed` to pass.

The Official MCP Registry rejects duplicate publishes for the same
`name/version` pair. Metadata-only changes must wait for the next server/package
version; use `publish=false` for verification-only runs between releases.

Record the workflow URL and listing JSON in release evidence for every metadata
change.

## Upstream Requirements

The Official MCP Registry hosts metadata, not artifacts; the referenced package
must already exist in a supported public registry. For PyPI packages, the
package README must include an `mcp-name: <server-name>` marker that matches
`server.json`. GitHub OIDC publication does not require a dedicated MCP secret,
but it does require `id-token: write` in the workflow.

Primary references:

- [MCP Registry quickstart](https://github.com/modelcontextprotocol/registry/blob/main/docs/modelcontextprotocol-io/quickstart.mdx)
- [MCP Registry GitHub Actions guide](https://github.com/modelcontextprotocol/registry/blob/main/docs/modelcontextprotocol-io/github-actions.mdx)
- [MCP Registry package types](https://github.com/modelcontextprotocol/registry/blob/main/docs/modelcontextprotocol-io/package-types.mdx)

## Safety Boundary

The public MCP server remains read-only:

- no order placement;
- no live control;
- no wallet or secret access;
- no runtime mutation.

Every public tool reports `canPlaceOrders=false`,
`canChangeRuntimeState=false`, and `canReadSecrets=false`; the transcript and
smoke test are committed gates.
````


## Source: `docs/mcp/transcript.jsonl`

````markdown
{"request":{"id":1,"jsonrpc":"2.0","method":"initialize","params":{"capabilities":{},"clientInfo":{"name":"zero-public-transcript","version":"0.1.0"},"protocolVersion":"2025-06-18"}},"response":{"id":1,"jsonrpc":"2.0","result":{"capabilities":{"resources":{"listChanged":false,"subscribe":false},"tools":{"listChanged":false}},"protocolVersion":"2025-06-18","serverInfo":{"name":"zero-mcp","version":"0.1.5"}}}}
{"request":{"id":2,"jsonrpc":"2.0","method":"tools/list","params":{}},"response":{"id":2,"jsonrpc":"2.0","result":{"tools":[{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only list of bundled paper strategies and contributor examples.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_list_strategies","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper runtime status derived from the bundled scenario.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_runtime_status","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only production-parity OODA report with disabled live shadow execution.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_runtime_parity","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper runtime health, dependency, and breaker status.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_health","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only replay of the deterministic bundled paper scenario.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_paper_results","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper position state derived from the bundled scenario.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_position_state","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper decision journal tail from the bundled scenario.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_journal_tail","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper rejection audit grouped by stage and reason.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_rejection_audit","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only public-safe demo proof-pack manifest.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_proof_pack","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only public-safe ZERO Network proof-chain manifest.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_network_proof_pack","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only public-safe local memory snapshot from bundled paper decisions.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_memory_snapshot","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only aggregate memory stats without entry bodies.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_memory_stats","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only plan-only genesis proposal classifications.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_genesis_proposals","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper-first evolve gate status.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_evolve_status","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper-only research command-chain report.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_research_report","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper-only lens, layer, and modifier decision stack.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_decision_stack","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only paper immune breaker and risk-allowance status.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_immune_status","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only deterministic paper backtest report without PnL claims.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_backtest_report","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only hash-only evidence bundle from the bundled paper runtime.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_evidence_bundle","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"},{"annotations":{"destructiveHint":false,"idempotentHint":true,"openWorldHint":false,"readOnlyHint":true},"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"description":"Read-only MCP safety catalog for every public tool.","inputSchema":{"additionalProperties":false,"properties":{},"type":"object"},"name":"zero_get_safety_catalog","requiresOperatorApproval":false,"riskDirection":"none","safetyClass":"read_only_public"}]}}}
{"request":{"id":3,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_list_strategies"}},"response":{"id":3,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"mode\": \"paper\",\n  \"schema_version\": \"zero.mcp.strategies.v1\",\n  \"strategies\": [\n    {\n      \"description\": \"Built-in candle close/open momentum strategy signal.\",\n      \"kind\": \"built_in\",\n      \"name\": \"momentum-close-above-open\",\n      \"paper_only\": true,\n      \"path\": \"engine/src/zero_engine/strategy.py\"\n    },\n    {\n      \"description\": \"Declarative close-above-open paper runner.\",\n      \"kind\": \"declarative_runner\",\n      \"name\": \"close-strength-yaml\",\n      \"paper_only\": true,\n      \"path\": \"examples/strategy-runner/close-strength.yaml\",\n      \"version\": \"0.1.0\"\n    },\n    {\n      \"description\": \"Smallest contributor path for a deterministic paper strategy plugin.\",\n      \"kind\": \"strategy_plugin_example\",\n      \"name\": \"close-strength\",\n      \"paper_only\": true,\n      \"path\": \"examples/strategy-plugin/plugin.py\",\n      \"version\": \"0.1.0\"\n    }\n  ]\n}","type":"text"}],"isError":false}}}
{"request":{"id":4,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_runtime_status"}},"response":{"id":4,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"alert\": null,\n  \"approaching\": [],\n  \"blind_spots\": [],\n  \"confidence\": {\n    \"level\": \"paper\",\n    \"score\": 90\n  },\n  \"market\": {\n    \"coins_tradeable\": 3,\n    \"fear_greed\": 50,\n    \"health\": 1.0,\n    \"prediction\": \"stable\",\n    \"regime\": \"PAPER MARKET. Local deterministic demo.\",\n    \"signal\": \"stable\"\n  },\n  \"mode\": \"paper\",\n  \"paper_only\": true,\n  \"positions\": {\n    \"equity\": 10000.0,\n    \"open\": 1,\n    \"unrealized_pnl\": 0.0\n  },\n  \"recovery\": {\n    \"current_decisions\": 4,\n    \"current_fills\": 2,\n    \"current_positions\": 1,\n    \"current_rejections\": 2,\n    \"decisions_recovered\": 0,\n    \"durable\": false,\n    \"fills_recovered\": 0,\n    \"journal_path\": null,\n    \"last_decision_at\": null,\n    \"positions_recovered\": 0,\n    \"rejections_recovered\": 0,\n    \"source\": \"memory\",\n    \"status\": \"ephemeral\"\n  },\n  \"schema_version\": \"zero.mcp.runtime_status.v1\",\n  \"today\": {\n    \"pnl\": 0.0,\n    \"sizing_mult\": 1.0,\n    \"streak\": 0,\n    \"trades\": 2,\n    \"wins\": 0\n  },\n  \"ts\": \"2026-05-01T14:40:00Z\"\n}","type":"text"}],"isError":false}}}
{"request":{"id":5,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_health"}},"response":{"id":5,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"circuit_breakers\": {\n    \"daily_loss\": \"closed\",\n    \"dead_man\": \"open\",\n    \"exchange_error\": \"closed\",\n    \"kill_switch\": \"closed\",\n    \"max_exposure\": \"closed\",\n    \"operator_inactivity\": \"closed\",\n    \"operator_pause\": \"closed\",\n    \"order_velocity\": \"closed\",\n    \"reconciliation\": \"open\",\n    \"stale_market_data\": \"closed\"\n  },\n  \"components\": {\n    \"memory\": {\n      \"age_s\": 0.0,\n      \"last_seen\": \"2026-05-01T14:40:00Z\",\n      \"mode\": \"ephemeral\",\n      \"status\": \"healthy\"\n    },\n    \"paper_engine\": {\n      \"age_s\": 0.0,\n      \"last_seen\": \"2026-05-01T14:40:00Z\",\n      \"status\": \"healthy\"\n    },\n    \"recovery\": {\n      \"age_s\": 0.0,\n      \"last_seen\": \"2026-05-01T14:40:00Z\",\n      \"mode\": \"ephemeral\",\n      \"status\": \"healthy\"\n    },\n    \"risk\": {\n      \"age_s\": 0.0,\n      \"last_seen\": \"2026-05-01T14:40:00Z\",\n      \"status\": \"healthy\"\n    }\n  },\n  \"dependencies\": {\n    \"exchange\": \"paper\",\n    \"journal\": \"ephemeral\",\n    \"live_preflight\": \"available\",\n    \"market_data\": \"fixture\",\n    \"memory\": \"ephemeral\",\n    \"secrets\": \"not_required\"\n  },\n  \"immune\": {\n    \"breakers\": [\n      {\n        \"blocks_risk\": false,\n        \"evidence\": {\n          \"age_s\": null,\n          \"stale_after_s\": 2.0\n        },\n        \"name\": \"stale_market_data\",\n        \"reason\": \"market data freshness not required for static paper source\",\n        \"severity\": \"info\",\n        \"status\": \"closed\"\n      },\n      {\n        \"blocks_risk\": true,\n        \"evidence\": {\n          \"drifts\": 0,\n          \"status\": \"not_configured\"\n        },\n        \"name\": \"reconciliation\",\n        \"reason\": \"Hyperliquid account reconciliation is not configured\",\n        \"severity\": \"critical\",\n        \"status\": \"open\"\n      },\n      {\n        \"blocks_risk\": true,\n        \"evidence\": {\n          \"configured\": false\n        },\n        \"name\": \"dead_man\",\n        \"reason\": \"live executor not configured\",\n        \"severity\": \"critical\",\n        \"status\": \"open\"\n      },\n      {\n        \"blocks_risk\": false,\n        \"evidence\": {\n          \"paused\": false\n        },\n        \"name\": \"operator_pause\",\n        \"reason\": \"operator pause inactive\",\n        \"severity\": \"info\",\n        \"status\": \"closed\"\n      },\n      {\n        \"blocks_risk\": false,\n        \"evidence\": {\n          \"age_s\": null,\n          \"inactive_after_s\": 3600.0\n        },\n        \"name\": \"operator_inactivity\",\n        \"reason\": \"operator inactivity not configured\",\n        \"severity\": \"info\",\n        \"status\": \"closed\"\n      },\n      {\n        \"blocks_risk\": false,\n        \"evidence\": {\n          \"kill_switch_active\": false\n        },\n        \"name\": \"kill_switch\",\n        \"reason\": \"kill switch inactive\",\n        \"severity\": \"info\",\n        \"status\": \"closed\"\n      },\n      {\n        \"blocks_risk\": false,\n        \"evidence\": {\n          \"daily_loss_usd\": 0.0\n        },\n        \"name\": \"daily_loss\",\n        \"reason\": \"no live daily loss observed\",\n        \"severity\": \"info\",\n        \"status\": \"closed\"\n      },\n      {\n        \"blocks_risk\": false,\n        \"evidence\": {\n          \"max_orders_per_minute\": null,\n          \"orders_last_minute\": 0\n        },\n        \"name\": \"order_velocity\",\n        \"reason\": \"live order rate inside limit\",\n        \"severity\": \"info\",\n        \"status\": \"closed\"\n      },\n      {\n        \"blocks_risk\": false,\n        \"evidence\": {\n          \"recent_errors\": 0,\n          \"window_s\": 60.0\n        },\n        \"name\": \"exchange_error\",\n        \"reason\": \"no live exchange errors observed\",\n        \"severity\": \"info\",\n        \"status\": \"closed\"\n      },\n      {\n        \"blocks_risk\": false,\n        \"evidence\": {\n          \"exposure_usd\": 200.0,\n          \"max_exposure_usd\": 900.0,\n          \"open_positions\": 1\n        },\n        \"name\": \"max_exposure\",\n        \"reason\": \"exposure inside limit\",\n        \"severity\": \"info\",\n        \"status\": \"closed\"\n      }\n    ],\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"mode\": \"paper\",\n    \"risk_increasing_allowed\": false,\n    \"schema_version\": \"zero.immune.v1\",\n    \"summary\": {\n      \"closed\": 8,\n      \"open\": 2,\n      \"risk_blocking\": 2,\n      \"total\": 10,\n      \"warning\": 0\n    }\n  },\n  \"mode\": \"paper\",\n  \"paper_only\": true,\n  \"recovery\": {\n    \"current_decisions\": 4,\n    \"current_fills\": 2,\n    \"current_positions\": 1,\n    \"current_rejections\": 2,\n    \"decisions_recovered\": 0,\n    \"durable\": false,\n    \"fills_recovered\": 0,\n    \"journal_path\": null,\n    \"last_decision_at\": null,\n    \"positions_recovered\": 0,\n    \"rejections_recovered\": 0,\n    \"source\": \"memory\",\n    \"status\": \"ephemeral\"\n  },\n  \"risk\": {\n    \"drawdown_pct\": 0.0,\n    \"equity\": 10000.0,\n    \"kill_all\": false\n  },\n  \"schema_version\": \"zero.mcp.health_status.v1\",\n  \"status\": \"ok\",\n  \"ws_connections\": 0\n}","type":"text"}],"isError":false}}}
{"request":{"id":6,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_paper_results"}},"response":{"id":6,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"decisions\": [\n    {\n      \"allowed\": true,\n      \"as_of\": 1777646400.0,\n      \"confidence\": 0.84,\n      \"notional_usd\": 400.0,\n      \"price\": 40000.0,\n      \"quantity\": 0.01,\n      \"reason\": \"allowed\",\n      \"reduce_only\": false,\n      \"side\": \"buy\",\n      \"source\": \"scenario:paper-launch-smoke\",\n      \"symbol\": \"BTC\"\n    },\n    {\n      \"allowed\": false,\n      \"as_of\": 1777646400.0,\n      \"confidence\": 0.93,\n      \"notional_usd\": 3000.0,\n      \"price\": 3000.0,\n      \"quantity\": 1.0,\n      \"reason\": \"order notional exceeds limit\",\n      \"reduce_only\": false,\n      \"side\": \"buy\",\n      \"source\": \"scenario:paper-launch-smoke\",\n      \"symbol\": \"ETH\"\n    },\n    {\n      \"allowed\": true,\n      \"as_of\": 1777646400.0,\n      \"confidence\": 0.1,\n      \"notional_usd\": 202.5,\n      \"price\": 40500.0,\n      \"quantity\": 0.005,\n      \"reason\": \"reduce-only orders bypass risk-increasing friction\",\n      \"reduce_only\": true,\n      \"side\": \"sell\",\n      \"source\": \"scenario:paper-launch-smoke\",\n      \"symbol\": \"BTC\"\n    },\n    {\n      \"allowed\": false,\n      \"as_of\": 1777646400.0,\n      \"confidence\": 0.95,\n      \"notional_usd\": 1400.0,\n      \"price\": 140.0,\n      \"quantity\": 10.0,\n      \"reason\": \"order notional exceeds limit\",\n      \"reduce_only\": false,\n      \"side\": \"buy\",\n      \"source\": \"scenario:paper-launch-smoke\",\n      \"symbol\": \"SOL\"\n    }\n  ],\n  \"fills\": 2,\n  \"market\": {\n    \"BTC\": {\n      \"as_of\": \"2026-05-01T00:05:00Z\",\n      \"last\": 40500.0\n    },\n    \"ETH\": {\n      \"as_of\": \"2026-05-01T00:00:00Z\",\n      \"last\": 3000.0\n    },\n    \"SOL\": {\n      \"as_of\": \"2026-05-01T00:00:00Z\",\n      \"last\": 140.0\n    }\n  },\n  \"mode\": \"paper\",\n  \"paper_only\": true,\n  \"positions\": {\n    \"BTC\": {\n      \"avg_price\": 40000.0,\n      \"notional_usd\": 200.0,\n      \"quantity\": 0.005\n    }\n  },\n  \"rejections\": 2,\n  \"scenario\": \"paper-launch-smoke\",\n  \"schema_version\": \"zero.mcp.paper_results.v1\"\n}","type":"text"}],"isError":false}}}
{"request":{"id":7,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_memory_snapshot"}},"response":{"id":7,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"entries\": [\n    {\n      \"confidence\": 0.8,\n      \"created_at\": \"2026-05-01T14:40:00Z\",\n      \"evidence_hash\": \"sha256:48f53b6ebbcdca941af84ba5e0007d4c9b5dd3d2d588e4533a9eba35e9790131\",\n      \"expires_at\": \"2026-05-08T14:40:00Z\",\n      \"id\": \"sha256:334189ecdb8a7ae713dc35ae1004b0597144b82a15babc64699faf0ef6dee363\",\n      \"kind\": \"signal\",\n      \"metadata\": {\n        \"allowed\": true,\n        \"reason_class\": \"allowed\",\n        \"reduce_only\": false,\n        \"source_class\": \"fixture-scenario\"\n      },\n      \"schema_version\": \"zero.memory.entry.v1\",\n      \"scope\": \"local-private\",\n      \"source\": \"fixture-scenario\",\n      \"subject\": \"BTC\",\n      \"summary\": \"Accepted paper decision for BTC; risk gate reported allowed.\",\n      \"tags\": [\n        \"paper\",\n        \"risk\",\n        \"accepted\"\n      ]\n    },\n    {\n      \"confidence\": 0.9,\n      \"created_at\": \"2026-05-01T14:40:00Z\",\n      \"evidence_hash\": \"sha256:875ba3e1ac0e2d0a61c21d2d88ccdea4029f3661d1bbc4204e229e5d7a7e1a6c\",\n      \"expires_at\": \"2026-07-30T14:40:00Z\",\n      \"id\": \"sha256:604efd749a09e2a3adcbf5926225201002e864a7261ef7acc32e37a615ff9c38\",\n      \"kind\": \"strategy_reference\",\n      \"metadata\": {\n        \"allowed\": false,\n        \"reason_class\": \"order notional exceeds limit\",\n        \"reduce_only\": false,\n        \"source_class\": \"fixture-scenario\"\n      },\n      \"schema_version\": \"zero.memory.entry.v1\",\n      \"scope\": \"local-private\",\n      \"source\": \"fixture-scenario\",\n      \"subject\": \"ETH\",\n      \"summary\": \"Rejected ETH by risk gate: order notional exceeds limit.\",\n      \"tags\": [\n        \"paper\",\n        \"risk\",\n        \"rejected\"\n      ]\n    },\n    {\n      \"confidence\": 0.8,\n      \"created_at\": \"2026-05-01T14:40:00Z\",\n      \"evidence_hash\": \"sha256:79ea6b6e3fbfe5d6ca285170fda22dc0ff2c0bfa868943d74f243ffc1e6b0824\",\n      \"expires_at\": \"2026-05-08T14:40:00Z\",\n      \"id\": \"sha256:730aaf092fd51e4f7b6126e1685f67ef95be1a115810ed739ced3dce7d8e0c6c\",\n      \"kind\": \"signal\",\n      \"metadata\": {\n        \"allowed\": true,\n        \"reason_class\": \"reduce-only orders bypass risk-increasing friction\",\n        \"reduce_only\": true,\n        \"source_class\": \"fixture-scenario\"\n      },\n      \"schema_version\": \"zero.memory.entry.v1\",\n      \"scope\": \"local-private\",\n      \"source\": \"fixture-scenario\",\n      \"subject\": \"BTC\",\n      \"summary\": \"Accepted paper decision for BTC; risk gate reported reduce-only orders bypass risk-increasing friction.\",\n      \"tags\": [\n        \"paper\",\n        \"risk\",\n        \"accepted\"\n      ]\n    },\n    {\n      \"confidence\": 0.9,\n      \"created_at\": \"2026-05-01T14:40:00Z\",\n      \"evidence_hash\": \"sha256:99e22fde0927b65881990b4355ea37e37eb418a29a062613201b7958ded6c857\",\n      \"expires_at\": \"2026-07-30T14:40:00Z\",\n      \"id\": \"sha256:b464fb6986797153647272fd4f3471d7c4af5f6ee4e0d36669e0404afd5bccc0\",\n      \"kind\": \"strategy_reference\",\n      \"metadata\": {\n        \"allowed\": false,\n        \"reason_class\": \"order notional exceeds limit\",\n        \"reduce_only\": false,\n        \"source_class\": \"fixture-scenario\"\n      },\n      \"schema_version\": \"zero.memory.entry.v1\",\n      \"scope\": \"local-private\",\n      \"source\": \"fixture-scenario\",\n      \"subject\": \"SOL\",\n      \"summary\": \"Rejected SOL by risk gate: order notional exceeds limit.\",\n      \"tags\": [\n        \"paper\",\n        \"risk\",\n        \"rejected\"\n      ]\n    }\n  ],\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"mode\": \"paper\",\n  \"paper_only\": true,\n  \"schema_version\": \"zero.mcp.memory_snapshot.v1\",\n  \"source\": \"bundled-paper-scenario\",\n  \"stats\": {\n    \"active_entries\": 4,\n    \"by_kind\": {\n      \"operator\": 0,\n      \"regime\": 0,\n      \"signal\": 2,\n      \"strategy_reference\": 2\n    },\n    \"privacy\": {\n      \"contains_exchange_order_ids\": false,\n      \"contains_live_prices\": false,\n      \"contains_private_keys\": false,\n      \"contains_wallet_material\": false\n    }\n  }\n}","type":"text"}],"isError":false}}}
{"request":{"id":8,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_memory_stats"}},"response":{"id":8,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"mode\": \"paper\",\n  \"paper_only\": true,\n  \"schema_version\": \"zero.mcp.memory_stats.v1\",\n  \"source\": \"bundled-paper-scenario\",\n  \"stats\": {\n    \"active_entries\": 4,\n    \"by_kind\": {\n      \"operator\": 0,\n      \"regime\": 0,\n      \"signal\": 2,\n      \"strategy_reference\": 2\n    },\n    \"privacy\": {\n      \"contains_exchange_order_ids\": false,\n      \"contains_live_prices\": false,\n      \"contains_private_keys\": false,\n      \"contains_wallet_material\": false\n    }\n  }\n}","type":"text"}],"isError":false}}}
{"request":{"id":9,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_genesis_proposals"}},"response":{"id":9,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"applies_code_changes\": false,\n  \"decisions\": [\n    {\n      \"decided_at\": \"2026-05-01T14:40:00Z\",\n      \"decision\": \"accepted\",\n      \"id\": \"sha256:e7113a8b622fc0354884f4ed30520c467ecdaee17ae56e1d38724569ce599dc5\",\n      \"min_sample_size\": 30,\n      \"policy_version\": \"zero.genesis.guardian_policy.v1\",\n      \"proposal\": {\n        \"created_at\": \"2026-05-01T00:00:00Z\",\n        \"effective_risk_tier\": \"medium\",\n        \"evidence_refs\": [\n          \"docs/proof/demo/proof-pack.json\",\n          \"examples/strategy-runner/close-strength.yaml\"\n        ],\n        \"id\": \"sha256:genesis-accepted-docs\",\n        \"metadata\": {\n          \"owner\": \"public-runtime\",\n          \"source_class\": \"fixture-paper\"\n        },\n        \"protected_classes\": [],\n        \"revert_plan\": \"Revert the documentation update and keep the runner fixture unchanged.\",\n        \"risk_tier\": \"medium\",\n        \"sample_size\": 42,\n        \"schema_version\": \"zero.genesis.proposal.v1\",\n        \"summary\": \"Promote the fixture-backed strategy runner acceptance floor into contributor docs after stable paper evidence.\",\n        \"target_paths\": [\n          \"docs/strategy-plugins.md\",\n          \"examples/strategy-runner/README.md\"\n        ],\n        \"title\": \"Document strategy-runner acceptance floor\"\n      },\n      \"proposal_id\": \"sha256:genesis-accepted-docs\",\n      \"reason\": \"guardian requirements satisfied for non-protected proposal\",\n      \"required_human_review\": false,\n      \"schema_version\": \"zero.genesis.guardian.v1\"\n    },\n    {\n      \"decided_at\": \"2026-05-01T14:40:00Z\",\n      \"decision\": \"rejected\",\n      \"id\": \"sha256:ca0982abaa110c511967e36f9b3c52306b1bacb37ebb569927ddadb57fa549f6\",\n      \"min_sample_size\": 5,\n      \"policy_version\": \"zero.genesis.guardian_policy.v1\",\n      \"proposal\": {\n        \"created_at\": \"2026-05-01T00:00:00Z\",\n        \"effective_risk_tier\": \"low\",\n        \"evidence_refs\": [\n          \"examples/memory-core/decisions.jsonl\"\n        ],\n        \"id\": \"sha256:genesis-rejected-sample\",\n        \"metadata\": {\n          \"owner\": \"public-runtime\",\n          \"source_class\": \"fixture-paper\"\n        },\n        \"protected_classes\": [],\n        \"revert_plan\": \"Remove the cohort note if the fixture does not reproduce.\",\n        \"risk_tier\": \"low\",\n        \"sample_size\": 2,\n        \"schema_version\": \"zero.genesis.proposal.v1\",\n        \"summary\": \"Add a new cohort note before enough fixture decisions exist to justify it.\",\n        \"target_paths\": [\n          \"docs/memory-core.md\"\n        ],\n        \"title\": \"Relax docs wording for a new rejection cohort\"\n      },\n      \"proposal_id\": \"sha256:genesis-rejected-sample\",\n      \"reason\": \"missing guardian requirements: sample_size>=5\",\n      \"required_human_review\": false,\n      \"schema_version\": \"zero.genesis.guardian.v1\"\n    },\n    {\n      \"decided_at\": \"2026-05-01T14:40:00Z\",\n      \"decision\": \"escalated\",\n      \"id\": \"sha256:cae78f5387ce6fae173adb656c0d26f325b34581720359327a18fab8f095f92e\",\n      \"min_sample_size\": 100,\n      \"policy_version\": \"zero.genesis.guardian_policy.v1\",\n      \"proposal\": {\n        \"created_at\": \"2026-05-01T00:00:00Z\",\n        \"effective_risk_tier\": \"protected\",\n        \"evidence_refs\": [\n          \"docs/live-certification.md\",\n          \"docs/live-evidence.md\"\n        ],\n        \"id\": \"sha256:genesis-escalated-live\",\n        \"metadata\": {\n          \"owner\": \"public-runtime\",\n          \"source_class\": \"fixture-paper\"\n        },\n        \"protected_classes\": [\n          \"execution\",\n          \"live_adapters\"\n        ],\n        \"revert_plan\": \"Revert the retry behavior and keep the previous live preflight gate.\",\n        \"risk_tier\": \"medium\",\n        \"sample_size\": 140,\n        \"schema_version\": \"zero.genesis.proposal.v1\",\n        \"summary\": \"Change live adapter retry behavior from observed operator evidence.\",\n        \"target_paths\": [\n          \"engine/src/zero_engine/live.py\"\n        ],\n        \"title\": \"Tune live adapter retry behavior\"\n      },\n      \"proposal_id\": \"sha256:genesis-escalated-live\",\n      \"reason\": \"protected path classes require human review: execution, live_adapters\",\n      \"required_human_review\": true,\n      \"schema_version\": \"zero.genesis.guardian.v1\"\n    }\n  ],\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"guardian_policy\": {\n    \"high_risk_requires_human_review\": true,\n    \"min_sample_size\": {\n      \"high\": 100,\n      \"low\": 5,\n      \"medium\": 30,\n      \"protected\": 100\n    },\n    \"protected_path_classes\": {\n      \"circuit_breakers\": [\n        \"engine/src/zero_engine/immune.py\",\n        \"circuit\",\n        \"breaker\"\n      ],\n      \"execution\": [\n        \"engine/src/zero_engine/live.py\",\n        \"cli/crates/zero-commands/src/dispatch.rs\"\n      ],\n      \"immune_core\": [\n        \"engine/src/zero_engine/immune.py\",\n        \"immune\"\n      ],\n      \"live_adapters\": [\n        \"engine/src/zero_engine/hyperliquid.py\",\n        \"engine/src/zero_engine/live.py\",\n        \"hyperliquid\"\n      ],\n      \"sizing\": [\n        \"engine/src/zero_engine/safety.py\",\n        \"engine/src/zero_engine/models.py\"\n      ],\n      \"stops\": [\n        \"stop\",\n        \"trailing\",\n        \"drawdown\"\n      ]\n    },\n    \"protected_paths_require_human_review\": true,\n    \"requires_evidence_refs\": true,\n    \"requires_revert_plan\": true,\n    \"schema_version\": \"zero.genesis.guardian_policy.v1\"\n  },\n  \"mode\": \"plan-only\",\n  \"paper_only\": true,\n  \"privacy\": {\n    \"contains_exchange_order_ids\": false,\n    \"contains_live_prices\": false,\n    \"contains_private_keys\": false,\n    \"contains_wallet_material\": false\n  },\n  \"schema_version\": \"zero.mcp.genesis_proposals.v1\",\n  \"source\": \"fixture-proposals\",\n  \"stats\": {\n    \"by_decision\": {\n      \"accepted\": 1,\n      \"escalated\": 1,\n      \"rejected\": 1\n    },\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"human_review_required\": 1,\n    \"protected_classes\": [\n      \"execution\",\n      \"live_adapters\"\n    ],\n    \"schema_version\": \"zero.genesis.summary.v1\",\n    \"total_decisions\": 3\n  }\n}","type":"text"}],"isError":false}}}
{"request":{"id":10,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_evolve_status"}},"response":{"id":10,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"accepted_candidates\": 1,\n  \"applies_to_checkout\": false,\n  \"build\": {\n    \"applies_to_checkout\": false,\n    \"branch_name\": \"codex/evolve/document-strategy-runner-acceptance-floor-genesis-acce\",\n    \"candidate_tree\": \"/tmp/zero-evolve-snapshot/worktree/candidate-tree\",\n    \"checks\": {\n      \"candidate_tree_materialized\": true,\n      \"proposal_accepted\": true,\n      \"protected_classes_empty\": true,\n      \"target_paths_allowed\": true\n    },\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"mode\": \"paper-only\",\n    \"mutates_sandbox\": true,\n    \"mutations\": [\n      {\n        \"applies_to_checkout\": false,\n        \"candidate_hash\": \"sha256:2eaef452110ad9828038944443cefa1a89a8d793d16555be1786c9fbfabb80ae\",\n        \"candidate_path\": \"/tmp/zero-evolve-snapshot/worktree/candidate-tree/docs/strategy-plugins.md\",\n        \"operation\": \"append_public_evolve_marker\",\n        \"original_hash\": \"sha256:84cd34bb7e513315cfeef586ff6e2c3e8feccf8afdef026bdbb973620c26175d\",\n        \"source_path\": \"docs/strategy-plugins.md\",\n        \"target_path\": \"docs/strategy-plugins.md\"\n      },\n      {\n        \"applies_to_checkout\": false,\n        \"candidate_hash\": \"sha256:4d65e11bf4e11b63909a4fd00bb6b0728e7a21b9226467820bf26f7919c4e67c\",\n        \"candidate_path\": \"/tmp/zero-evolve-snapshot/worktree/candidate-tree/examples/strategy-runner/README.md\",\n        \"operation\": \"append_public_evolve_marker\",\n        \"original_hash\": \"sha256:efd9b1e61ae7af389318ff9893abbcf9420778ea2e6d28526070f69f6c99e102\",\n        \"source_path\": \"examples/strategy-runner/README.md\",\n        \"target_path\": \"examples/strategy-runner/README.md\"\n      }\n    ],\n    \"patch_hash\": \"sha256:1b47c6fd03705246a2d7a6ca2d00c62f5c92cc1a7a0d8413714b677935a53b6b\",\n    \"patch_path\": \"/tmp/zero-evolve-snapshot/worktree/candidate.patch\",\n    \"proposal_id\": \"sha256:genesis-accepted-docs\",\n    \"pushes_to_remote\": false,\n    \"sandbox_dir\": \"/tmp/zero-evolve-snapshot/worktree\",\n    \"schema_version\": \"zero.evolve.build.v1\",\n    \"target_paths\": [\n      \"docs/strategy-plugins.md\",\n      \"examples/strategy-runner/README.md\"\n    ]\n  },\n  \"calibration\": {\n    \"drift\": {\n      \"decisions\": 0,\n      \"fills\": 0,\n      \"open_positions\": 0,\n      \"rejections\": 0\n    },\n    \"gate\": \"zero-drift-against-deterministic-paper-baseline\",\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"mode\": \"paper\",\n    \"passed\": true,\n    \"schema_version\": \"zero.evolve.calibration.v1\"\n  },\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"input_decisions\": 3,\n  \"mode\": \"paper-only\",\n  \"paper_canary\": {\n    \"baseline\": {\n      \"decisions\": 4,\n      \"fills\": 2,\n      \"open_positions\": 1,\n      \"rejections\": 2\n    },\n    \"decisions\": 4,\n    \"fills\": 2,\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"mode\": \"paper\",\n    \"open_positions\": 1,\n    \"rejections\": 2,\n    \"scenario\": \"paper-launch-smoke\",\n    \"schema_version\": \"zero.evolve.paper_canary.v1\"\n  },\n  \"paper_only\": true,\n  \"policy\": {\n    \"allowed_patch_roots\": [\n      \"docs/\",\n      \"examples/\"\n    ],\n    \"forbidden_patch_roots\": [\n      \"engine/src/zero_engine/live.py\",\n      \"engine/src/zero_engine/hyperliquid.py\",\n      \"engine/src/zero_engine/immune.py\",\n      \"engine/src/zero_engine/safety.py\",\n      \"cli/crates/zero-commands/src/dispatch.rs\"\n    ],\n    \"local_apply_allowed_after_human_approval\": true,\n    \"promotion_is_local_only\": true,\n    \"remote_push_allowed\": false,\n    \"requires_accepted_genesis_decision\": true,\n    \"requires_apply_receipt\": true,\n    \"requires_calibration_pass\": true,\n    \"requires_paper_canary\": true,\n    \"requires_promotion_artifact_verification\": true,\n    \"requires_red_team_pass\": true,\n    \"requires_rollback_plan\": true,\n    \"requires_rollback_receipt\": true,\n    \"schema_version\": \"zero.evolve.policy.v1\"\n  },\n  \"promotion\": {\n    \"gates\": {\n      \"build\": true,\n      \"calibration\": true,\n      \"human_approval\": false,\n      \"paper_canary\": true,\n      \"red_team\": true\n    },\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"mode\": \"local-only\",\n    \"promotable_after_human_review\": true,\n    \"promoted\": false,\n    \"pushes_to_remote\": false,\n    \"reason\": \"all automated paper gates passed; human approval still required\",\n    \"requires_human_approval\": true,\n    \"schema_version\": \"zero.evolve.promotion.v1\"\n  },\n  \"promotion_plan\": {\n    \"applies_to_checkout\": false,\n    \"branch_name\": \"codex/evolve/document-strategy-runner-acceptance-floor-genesis-acce\",\n    \"candidate_tree\": \"/tmp/zero-evolve-snapshot/worktree/candidate-tree\",\n    \"eligible_for_local_apply\": true,\n    \"gates\": {\n      \"build\": true,\n      \"calibration\": true,\n      \"human_approval\": false,\n      \"paper_canary\": true,\n      \"red_team\": true,\n      \"rollback_plan_required\": true\n    },\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"mode\": \"local-sandbox\",\n    \"mutations\": [\n      {\n        \"applies_to_checkout\": false,\n        \"candidate_hash\": \"sha256:2eaef452110ad9828038944443cefa1a89a8d793d16555be1786c9fbfabb80ae\",\n        \"candidate_path\": \"/tmp/zero-evolve-snapshot/worktree/candidate-tree/docs/strategy-plugins.md\",\n        \"operation\": \"append_public_evolve_marker\",\n        \"original_hash\": \"sha256:84cd34bb7e513315cfeef586ff6e2c3e8feccf8afdef026bdbb973620c26175d\",\n        \"source_path\": \"docs/strategy-plugins.md\",\n        \"target_path\": \"docs/strategy-plugins.md\"\n      },\n      {\n        \"applies_to_checkout\": false,\n        \"candidate_hash\": \"sha256:4d65e11bf4e11b63909a4fd00bb6b0728e7a21b9226467820bf26f7919c4e67c\",\n        \"candidate_path\": \"/tmp/zero-evolve-snapshot/worktree/candidate-tree/examples/strategy-runner/README.md\",\n        \"operation\": \"append_public_evolve_marker\",\n        \"original_hash\": \"sha256:efd9b1e61ae7af389318ff9893abbcf9420778ea2e6d28526070f69f6c99e102\",\n        \"source_path\": \"examples/strategy-runner/README.md\",\n        \"target_path\": \"examples/strategy-runner/README.md\"\n      }\n    ],\n    \"patch_hash\": \"sha256:1b47c6fd03705246a2d7a6ca2d00c62f5c92cc1a7a0d8413714b677935a53b6b\",\n    \"places_orders\": false,\n    \"plan_only\": true,\n    \"pushes_to_remote\": false,\n    \"required_approval_phrase\": \"I_APPROVE_ZERO_EVOLVE_LOCAL_PROMOTION\",\n    \"requires_human_approval\": true,\n    \"safety\": {\n      \"candidate_scope\": [\n        \"docs/\",\n        \"examples/\"\n      ],\n      \"checkout_mutation_default\": \"forbidden\",\n      \"live_code_mutation_default\": \"forbidden\",\n      \"remote_push_default\": \"forbidden\"\n    },\n    \"schema_version\": \"zero.evolve.promotion_plan.v1\"\n  },\n  \"promotion_verification\": {\n    \"checks\": {\n      \"approval_phrase_required\": true,\n      \"promotion_does_not_apply_checkout\": true,\n      \"promotion_does_not_push\": true,\n      \"promotion_schema\": true,\n      \"rollback_does_not_apply_checkout\": true,\n      \"rollback_does_not_push\": true,\n      \"rollback_ready\": true,\n      \"rollback_schema\": true\n    },\n    \"failures\": [],\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"ok\": true,\n    \"schema_version\": \"zero.evolve.promotion_verification.v1\"\n  },\n  \"pushes_to_remote\": false,\n  \"red_team\": {\n    \"findings\": [],\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"mode\": \"paper-only\",\n    \"policy\": {\n      \"forbidden_private_material\": true,\n      \"protected_paths_blocked\": true,\n      \"remote_push_blocked\": true\n    },\n    \"proposal_id\": \"sha256:genesis-accepted-docs\",\n    \"schema_version\": \"zero.evolve.red_team.v1\",\n    \"verdict\": \"pass\"\n  },\n  \"rollback_plan\": {\n    \"applies_to_checkout\": false,\n    \"generated_at\": \"2026-05-01T14:40:00Z\",\n    \"instructions\": [\n      \"do not promote if rollback_ready is false\",\n      \"verify original hashes before any local apply\",\n      \"discard candidate tree to abandon the proposal\",\n      \"rerun paper canary and calibration after any approved local apply\"\n    ],\n    \"mode\": \"local-sandbox\",\n    \"plan_only\": true,\n    \"pushes_to_remote\": false,\n    \"restores\": [\n      {\n        \"action\": \"discard_candidate_and_restore_original_before_checkout_apply\",\n        \"candidate_hash\": \"sha256:2eaef452110ad9828038944443cefa1a89a8d793d16555be1786c9fbfabb80ae\",\n        \"restore_hash\": \"sha256:84cd34bb7e513315cfeef586ff6e2c3e8feccf8afdef026bdbb973620c26175d\",\n        \"target_path\": \"docs/strategy-plugins.md\"\n      },\n      {\n        \"action\": \"discard_candidate_and_restore_original_before_checkout_apply\",\n        \"candidate_hash\": \"sha256:4d65e11bf4e11b63909a4fd00bb6b0728e7a21b9226467820bf26f7919c4e67c\",\n        \"restore_hash\": \"sha256:efd9b1e61ae7af389318ff9893abbcf9420778ea2e6d28526070f69f6c99e102\",\n        \"target_path\": \"examples/strategy-runner/README.md\"\n      }\n    ],\n    \"rollback_hash\": \"sha256:788aaa03bfd26805d85638bd594381e99f867e25baf064ba1bb033cfe0336d50\",\n    \"rollback_ready\": true,\n    \"schema_version\": \"zero.evolve.rollback_plan.v1\"\n  },\n  \"schema_version\": \"zero.mcp.evolve_status.v1\",\n  \"selected_proposal_id\": \"sha256:genesis-accepted-docs\",\n  \"source\": \"fixture-genesis-proposals\"\n}","type":"text"}],"isError":false}}}
{"request":{"id":11,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_research_report"}},"response":{"id":11,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"applies_code_changes\": false,\n  \"available\": true,\n  \"claims_live_pnl\": false,\n  \"commands\": [\n    \"hunt\",\n    \"edge\",\n    \"convergence\",\n    \"thesis\",\n    \"score\",\n    \"meta\",\n    \"sharpen\"\n  ],\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"mode\": \"paper-only\",\n  \"paper_only\": true,\n  \"privacy\": {\n    \"contains_live_prices\": false,\n    \"contains_raw_live_pnl\": false,\n    \"contains_secret_material\": false,\n    \"contains_venue_order_material\": false,\n    \"contains_wallet_material\": false\n  },\n  \"pushes_to_remote\": false,\n  \"report_hash\": \"sha256:aa3ea7a49cd1b6556affd1c6628d57fa2b78a4ca6eb3ffed21333be882db594f\",\n  \"reports\": {\n    \"convergence\": {\n      \"checks\": {\n        \"manual_review_required\": true,\n        \"single_rejection_reason_dominates\": false,\n        \"weights_available\": false\n      },\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"lockstep_detected\": false,\n      \"minimum_sample_met\": false,\n      \"oscillation_detected\": false,\n      \"purpose\": \"feedback-loop drift and lockstep detection\",\n      \"sample_size\": 2,\n      \"schema_version\": \"zero.research.convergence.v1\",\n      \"status\": \"insufficient-public-sample\"\n    },\n    \"edge\": {\n      \"by_symbol\": {\n        \"BTC\": {\n          \"acceptance_rate\": 1.0,\n          \"allowed\": 1,\n          \"observations\": 1,\n          \"rejected\": 0\n        },\n        \"SOL\": {\n          \"acceptance_rate\": 0.0,\n          \"allowed\": 0,\n          \"observations\": 1,\n          \"rejected\": 1\n        }\n      },\n      \"claim_boundary\": {\n        \"claims_live_edge\": false,\n        \"reason\": \"public fixture decisions do not include signed live outcomes\",\n        \"uses_realized_pnl\": false\n      },\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"minimum_sample_met\": false,\n      \"overall\": {\n        \"acceptance_rate\": 0.5,\n        \"allowed\": 1,\n        \"rejected\": 1,\n        \"rejection_reasons\": {\n          \"order notional exceeds limit\": 1\n        },\n        \"symbols\": {\n          \"BTC\": 1,\n          \"SOL\": 1\n        },\n        \"total\": 2\n      },\n      \"purpose\": \"expectancy proxy from accepted/rejected paper decisions\",\n      \"sample_size\": 2,\n      \"schema_version\": \"zero.research.edge.v1\"\n    },\n    \"hunt\": {\n      \"candidate_count\": 3,\n      \"candidates\": [\n        {\n          \"avg_volume_rank\": 3,\n          \"latest_ts\": \"2026-05-01T00:05:00Z\",\n          \"momentum_bps\": 176,\n          \"observations\": 2,\n          \"regime\": \"impulse-up\",\n          \"status\": \"watch\",\n          \"symbol\": \"BTC\",\n          \"up_closes\": 2\n        },\n        {\n          \"avg_volume_rank\": 2,\n          \"latest_ts\": \"2026-05-01T00:00:00Z\",\n          \"momentum_bps\": 67,\n          \"observations\": 1,\n          \"regime\": \"impulse-up\",\n          \"status\": \"watch\",\n          \"symbol\": \"ETH\",\n          \"up_closes\": 1\n        },\n        {\n          \"avg_volume_rank\": 1,\n          \"latest_ts\": \"2026-05-01T00:00:00Z\",\n          \"momentum_bps\": 145,\n          \"observations\": 1,\n          \"regime\": \"impulse-up\",\n          \"status\": \"blocked-by-recent-risk\",\n          \"symbol\": \"SOL\",\n          \"up_closes\": 1\n        }\n      ],\n      \"decision_context\": {\n        \"acceptance_rate\": 0.5,\n        \"decisions\": 2,\n        \"rejected\": 1\n      },\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"purpose\": \"market scan from public paper fixtures\",\n      \"schema_version\": \"zero.research.hunt.v1\"\n    },\n    \"meta\": {\n      \"commands_reviewed\": [\n        \"hunt\",\n        \"edge\",\n        \"convergence\",\n        \"thesis\",\n        \"score\",\n        \"sharpen\"\n      ],\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"purpose\": \"audit command usefulness\",\n      \"schema_version\": \"zero.research.meta.v1\",\n      \"usefulness\": {\n        \"convergence\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.8\n        },\n        \"edge\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.8\n        },\n        \"hunt\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.8\n        },\n        \"score\": {\n          \"reason\": \"needs real outcome labels\",\n          \"score\": 0.6\n        },\n        \"sharpen\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.6\n        },\n        \"thesis\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.6\n        }\n      }\n    },\n    \"score\": {\n      \"accuracy\": 1.0,\n      \"correct\": 2,\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"judgments_scored\": 2,\n      \"limitation\": \"paper safety decisions are not predictive PnL labels\",\n      \"purpose\": \"compare prior judgments against public paper outcomes\",\n      \"schema_version\": \"zero.research.score.v1\",\n      \"status\": \"fixture-only\"\n    },\n    \"sharpen\": {\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"minimum_sample_met\": false,\n      \"proposals\": [\n        {\n          \"applies_code_changes\": false,\n          \"id\": \"research-sample-floor\",\n          \"priority\": \"high\",\n          \"summary\": \"Collect at least 30 paper decisions before relaxing any research conclusion.\"\n        },\n        {\n          \"applies_code_changes\": false,\n          \"id\": \"research-live-labels\",\n          \"priority\": \"medium\",\n          \"summary\": \"Attach signed operator evidence before scoring live outcome accuracy.\"\n        },\n        {\n          \"applies_code_changes\": false,\n          \"id\": \"research-convergence-review\",\n          \"priority\": \"medium\",\n          \"summary\": \"Review rejection concentration before changing weights or filters.\"\n        }\n      ],\n      \"purpose\": \"system improvement backlog from research reports\",\n      \"schema_version\": \"zero.research.sharpen.v1\"\n    },\n    \"thesis\": {\n      \"anti_thesis\": \"A sparse fixture can overfit to a single synthetic market regime.\",\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"horizon_days\": 7,\n      \"hypothesis\": \"Operate only fixture-backed watch symbols until paper rejection data clears the minimum sample floor.\",\n      \"schema_version\": \"zero.research.thesis.v1\",\n      \"scorecard\": {\n        \"confidence\": 0.42,\n        \"invalidates_if\": [\n          \"acceptance rate falls to zero for three consecutive paper sessions\",\n          \"one rejection reason explains every blocked setup after 30 samples\"\n        ],\n        \"sample_size\": 2\n      },\n      \"watch_symbols\": [\n        \"BTC\",\n        \"ETH\"\n      ]\n    }\n  },\n  \"schema_version\": \"zero.mcp.research_report.v1\",\n  \"source\": \"fixture-research-chain\",\n  \"source_quality\": {\n    \"accepted\": 3,\n    \"classifications\": [\n      {\n        \"allowed_uses\": [\n          \"paper_research\",\n          \"genesis_context\"\n        ],\n        \"decision\": \"accepted\",\n        \"raw_content_included\": false,\n        \"reasons\": [],\n        \"schema_version\": \"zero.research.source_classification.v1\",\n        \"source_hash\": \"sha256:eeaa905507afb5098e8eae863e6ca3fbe6e166d0b0cc23d24c8dfba48ddff4ee\",\n        \"source_id\": \"paper-candles-fixture\",\n        \"source_type\": \"fixture\",\n        \"trusted\": true\n      },\n      {\n        \"allowed_uses\": [\n          \"paper_research\",\n          \"genesis_context\"\n        ],\n        \"decision\": \"accepted\",\n        \"raw_content_included\": false,\n        \"reasons\": [],\n        \"schema_version\": \"zero.research.source_classification.v1\",\n        \"source_hash\": \"sha256:6b03ea81e991ff176da48d8ed536e2e9d0cb62542959e247bc82be328d3591ab\",\n        \"source_id\": \"memory-decisions-fixture\",\n        \"source_type\": \"fixture\",\n        \"trusted\": true\n      },\n      {\n        \"allowed_uses\": [\n          \"paper_research\",\n          \"genesis_context\"\n        ],\n        \"decision\": \"accepted\",\n        \"raw_content_included\": false,\n        \"reasons\": [],\n        \"schema_version\": \"zero.research.source_classification.v1\",\n        \"source_hash\": \"sha256:dbcc881d160e5ca4710deebddeca6ae33960b2a3cca030d5af533970d1a9dc53\",\n        \"source_id\": \"research-doc-boundary\",\n        \"source_type\": \"repo_doc\",\n        \"trusted\": true\n      }\n    ],\n    \"mode\": \"paper-only\",\n    \"raw_content_included\": false,\n    \"rejected\": 0,\n    \"root_hash\": \"sha256:2b6385e1c23b34a7775569eda15dd0551b24c34f0a00ad8e2c12ca42d3de2ccb\",\n    \"schema_version\": \"zero.research.source_quality.v1\"\n  },\n  \"summary\": {\n    \"candidate_count\": 3,\n    \"convergence_status\": \"insufficient-public-sample\",\n    \"minimum_sample_met\": false,\n    \"proposal_count\": 3,\n    \"rejected_sources\": 0,\n    \"sample_size\": 2,\n    \"source_classifications\": 3\n  }\n}","type":"text"}],"isError":false}}}
{"request":{"id":12,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_decision_stack"}},"response":{"id":12,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"coin\": \"BTC\",\n  \"decision\": {\n    \"allowed_to_execute_live\": false,\n    \"consensus\": 75,\n    \"conviction\": 0.6674,\n    \"direction\": \"LONG\",\n    \"reason\": \"allowed\",\n    \"verdict\": \"PASS\"\n  },\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"layers\": [\n    {\n      \"blocks_entry\": true,\n      \"detail\": \"price source available for paper evaluation\",\n      \"kind\": \"preflight\",\n      \"layer\": \"data_freshness\",\n      \"passed\": true,\n      \"value\": {\n        \"source\": \"paper:fixture\"\n      }\n    },\n    {\n      \"blocks_entry\": true,\n      \"detail\": \"allowed\",\n      \"kind\": \"risk\",\n      \"layer\": \"risk_bounds\",\n      \"passed\": true,\n      \"value\": {\n        \"paper_exposure_unit\": 1.0\n      }\n    },\n    {\n      \"blocks_entry\": false,\n      \"detail\": \"public sample is below promotion floor; paper evaluation remains non-blocking\",\n      \"kind\": \"calibration\",\n      \"layer\": \"sample_floor\",\n      \"passed\": true,\n      \"value\": {\n        \"met\": false,\n        \"minimum\": 30,\n        \"public_sample_size\": 4\n      }\n    },\n    {\n      \"blocks_entry\": true,\n      \"detail\": \"evaluation is paper-first and does not submit live orders\",\n      \"kind\": \"custody\",\n      \"layer\": \"paper_boundary\",\n      \"passed\": true,\n      \"value\": {\n        \"live_order_emitted\": false\n      }\n    }\n  ],\n  \"lenses\": [\n    {\n      \"confidence\": 0.62,\n      \"evidence\": {\n        \"last_price\": 40500.0,\n        \"source\": \"paper:fixture\",\n        \"uses_live_exchange_credentials\": false\n      },\n      \"family\": \"market\",\n      \"lens\": \"price_action\",\n      \"public_safe\": true,\n      \"signal\": \"constructive\",\n      \"status\": \"active\",\n      \"weight\": 0.22\n    },\n    {\n      \"confidence\": 1.0,\n      \"evidence\": {\n        \"paper_exposure_unit\": 1.0,\n        \"reason\": \"allowed\"\n      },\n      \"family\": \"risk\",\n      \"lens\": \"risk_capacity\",\n      \"public_safe\": true,\n      \"signal\": \"pass\",\n      \"status\": \"active\",\n      \"weight\": 0.34\n    },\n    {\n      \"confidence\": 0.35,\n      \"evidence\": {\n        \"public_sample_size\": 4,\n        \"requires_more_paper_decisions\": true\n      },\n      \"family\": \"memory\",\n      \"lens\": \"memory_context\",\n      \"public_safe\": true,\n      \"signal\": \"insufficient_sample\",\n      \"status\": \"active\",\n      \"weight\": 0.18\n    },\n    {\n      \"confidence\": 0.8,\n      \"evidence\": {\n        \"dead_man_switch_required_for_live\": true,\n        \"paper_mode\": true\n      },\n      \"family\": \"safety\",\n      \"lens\": \"operator_liveness\",\n      \"public_safe\": true,\n      \"signal\": \"ready\",\n      \"status\": \"active\",\n      \"weight\": 0.26\n    }\n  ],\n  \"mode\": \"paper\",\n  \"modifiers\": [\n    {\n      \"bounded\": true,\n      \"direction\": \"down\",\n      \"effect\": \"confidence_adjustment\",\n      \"modifier\": \"rejection_first\",\n      \"reason\": \"insufficient public calibration sample\",\n      \"value\": 0.08\n    },\n    {\n      \"bounded\": true,\n      \"direction\": \"down\",\n      \"effect\": \"live_mode_gate\",\n      \"modifier\": \"operator_friction\",\n      \"reason\": \"risk-increasing live action requires explicit local confirmation\",\n      \"value\": 1.0\n    }\n  ],\n  \"paper_only\": true,\n  \"price\": {\n    \"last\": 40500.0,\n    \"source\": \"paper:fixture\",\n    \"uses_live_exchange_credentials\": false\n  },\n  \"privacy\": {\n    \"contains_exchange_credentials\": false,\n    \"contains_private_notes\": false,\n    \"contains_venue_order_material\": false,\n    \"contains_wallet_material\": false\n  },\n  \"schema_version\": \"zero.mcp.decision_stack.v1\"\n}","type":"text"}],"isError":false}}}
{"request":{"id":13,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_journal_tail"}},"response":{"id":13,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"count\": 4,\n  \"decisions\": [\n    {\n      \"allowed\": true,\n      \"as_of\": 1777646400.0,\n      \"confidence\": 0.84,\n      \"notional_usd\": 400.0,\n      \"price\": 40000.0,\n      \"quantity\": 0.01,\n      \"reason\": \"allowed\",\n      \"reduce_only\": false,\n      \"side\": \"buy\",\n      \"source\": \"scenario:paper-launch-smoke\",\n      \"symbol\": \"BTC\"\n    },\n    {\n      \"allowed\": false,\n      \"as_of\": 1777646400.0,\n      \"confidence\": 0.93,\n      \"notional_usd\": 3000.0,\n      \"price\": 3000.0,\n      \"quantity\": 1.0,\n      \"reason\": \"order notional exceeds limit\",\n      \"reduce_only\": false,\n      \"side\": \"buy\",\n      \"source\": \"scenario:paper-launch-smoke\",\n      \"symbol\": \"ETH\"\n    },\n    {\n      \"allowed\": true,\n      \"as_of\": 1777646400.0,\n      \"confidence\": 0.1,\n      \"notional_usd\": 202.5,\n      \"price\": 40500.0,\n      \"quantity\": 0.005,\n      \"reason\": \"reduce-only orders bypass risk-increasing friction\",\n      \"reduce_only\": true,\n      \"side\": \"sell\",\n      \"source\": \"scenario:paper-launch-smoke\",\n      \"symbol\": \"BTC\"\n    },\n    {\n      \"allowed\": false,\n      \"as_of\": 1777646400.0,\n      \"confidence\": 0.95,\n      \"notional_usd\": 1400.0,\n      \"price\": 140.0,\n      \"quantity\": 10.0,\n      \"reason\": \"order notional exceeds limit\",\n      \"reduce_only\": false,\n      \"side\": \"buy\",\n      \"source\": \"scenario:paper-launch-smoke\",\n      \"symbol\": \"SOL\"\n    }\n  ],\n  \"mode\": \"paper\",\n  \"paper_only\": true,\n  \"schema_version\": \"zero.mcp.journal_tail.v1\",\n  \"source\": \"bundled-paper-scenario\"\n}","type":"text"}],"isError":false}}}
{"request":{"id":14,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_rejection_audit"}},"response":{"id":14,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"mode\": \"paper\",\n  \"paper_only\": true,\n  \"rejections\": [\n    {\n      \"coin\": \"ETH\",\n      \"direction\": \"buy\",\n      \"reason\": \"order notional exceeds limit\",\n      \"stage\": \"risk\",\n      \"ts\": \"2026-05-01T14:40:00Z\"\n    },\n    {\n      \"coin\": \"SOL\",\n      \"direction\": \"buy\",\n      \"reason\": \"order notional exceeds limit\",\n      \"stage\": \"risk\",\n      \"ts\": \"2026-05-01T14:40:00Z\"\n    }\n  ],\n  \"schema_version\": \"zero.mcp.rejection_audit.v1\",\n  \"source\": \"bundled-paper-scenario\",\n  \"summary\": {\n    \"by_reason\": {\n      \"order notional exceeds limit\": 2\n    },\n    \"by_stage\": {\n      \"risk\": 2\n    },\n    \"rejections\": 2\n  }\n}","type":"text"}],"isError":false}}}
{"request":{"id":15,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_immune_status"}},"response":{"id":15,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"breakers\": [\n    {\n      \"blocks_risk\": false,\n      \"evidence\": {\n        \"age_s\": null,\n        \"stale_after_s\": 2.0\n      },\n      \"name\": \"stale_market_data\",\n      \"reason\": \"market data freshness not required for static paper source\",\n      \"severity\": \"info\",\n      \"status\": \"closed\"\n    },\n    {\n      \"blocks_risk\": true,\n      \"evidence\": {\n        \"drifts\": 0,\n        \"status\": \"not_configured\"\n      },\n      \"name\": \"reconciliation\",\n      \"reason\": \"Hyperliquid account reconciliation is not configured\",\n      \"severity\": \"critical\",\n      \"status\": \"open\"\n    },\n    {\n      \"blocks_risk\": true,\n      \"evidence\": {\n        \"configured\": false\n      },\n      \"name\": \"dead_man\",\n      \"reason\": \"live executor not configured\",\n      \"severity\": \"critical\",\n      \"status\": \"open\"\n    },\n    {\n      \"blocks_risk\": false,\n      \"evidence\": {\n        \"paused\": false\n      },\n      \"name\": \"operator_pause\",\n      \"reason\": \"operator pause inactive\",\n      \"severity\": \"info\",\n      \"status\": \"closed\"\n    },\n    {\n      \"blocks_risk\": false,\n      \"evidence\": {\n        \"age_s\": null,\n        \"inactive_after_s\": 3600.0\n      },\n      \"name\": \"operator_inactivity\",\n      \"reason\": \"operator inactivity not configured\",\n      \"severity\": \"info\",\n      \"status\": \"closed\"\n    },\n    {\n      \"blocks_risk\": false,\n      \"evidence\": {\n        \"kill_switch_active\": false\n      },\n      \"name\": \"kill_switch\",\n      \"reason\": \"kill switch inactive\",\n      \"severity\": \"info\",\n      \"status\": \"closed\"\n    },\n    {\n      \"blocks_risk\": false,\n      \"evidence\": {\n        \"daily_loss_usd\": 0.0\n      },\n      \"name\": \"daily_loss\",\n      \"reason\": \"no live daily loss observed\",\n      \"severity\": \"info\",\n      \"status\": \"closed\"\n    },\n    {\n      \"blocks_risk\": false,\n      \"evidence\": {\n        \"max_orders_per_minute\": null,\n        \"orders_last_minute\": 0\n      },\n      \"name\": \"order_velocity\",\n      \"reason\": \"live order rate inside limit\",\n      \"severity\": \"info\",\n      \"status\": \"closed\"\n    },\n    {\n      \"blocks_risk\": false,\n      \"evidence\": {\n        \"recent_errors\": 0,\n        \"window_s\": 60.0\n      },\n      \"name\": \"exchange_error\",\n      \"reason\": \"no live exchange errors observed\",\n      \"severity\": \"info\",\n      \"status\": \"closed\"\n    },\n    {\n      \"blocks_risk\": false,\n      \"evidence\": {\n        \"exposure_usd\": 200.0,\n        \"max_exposure_usd\": 900.0,\n        \"open_positions\": 1\n      },\n      \"name\": \"max_exposure\",\n      \"reason\": \"exposure inside limit\",\n      \"severity\": \"info\",\n      \"status\": \"closed\"\n    }\n  ],\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"mode\": \"paper\",\n  \"paper_only\": true,\n  \"risk_increasing_allowed\": false,\n  \"schema_version\": \"zero.mcp.immune_status.v1\",\n  \"summary\": {\n    \"closed\": 8,\n    \"open\": 2,\n    \"risk_blocking\": 2,\n    \"total\": 10,\n    \"warning\": 0\n  }\n}","type":"text"}],"isError":false}}}
{"request":{"id":16,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_backtest_report"}},"response":{"id":16,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"claim_boundary\": {\n    \"live_trading_claimed\": false,\n    \"paper_mode_verified\": true,\n    \"pnl_claimed\": false\n  },\n  \"mode\": \"paper\",\n  \"notes\": [\n    \"deterministic paper fixture only\",\n    \"not a profitability claim\",\n    \"use strategy examples for contributor conformance\"\n  ],\n  \"paper_only\": true,\n  \"scenario\": \"paper-launch-smoke\",\n  \"schema_version\": \"zero.mcp.backtest_report.v1\",\n  \"summary\": {\n    \"acceptance_rate\": 0.5,\n    \"decisions\": 4,\n    \"fills\": 2,\n    \"rejections\": 2,\n    \"symbols\": [\n      \"BTC\",\n      \"ETH\",\n      \"SOL\"\n    ]\n  }\n}","type":"text"}],"isError":false}}}
{"request":{"id":17,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_evidence_bundle"}},"response":{"id":17,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"artifacts\": [\n    {\n      \"hash\": \"sha256:39c647963d1f0428ec792ba8cd7999de8f41724f5428a2d620b1f2bd46bef0ec\",\n      \"included\": \"hash_only\",\n      \"name\": \"live_preflight\",\n      \"schema_version\": \"zero.live_preflight.v1\",\n      \"status\": \"refused\"\n    },\n    {\n      \"hash\": \"sha256:e605df50a4eca0fcdc864b40f339e75ac9e8096921c48b063b8c796c931bcda5\",\n      \"included\": \"hash_only\",\n      \"name\": \"live_cockpit\",\n      \"schema_version\": \"zero.live_cockpit.v1\",\n      \"status\": \"refused\"\n    },\n    {\n      \"hash\": \"sha256:eba0c2e71af573f41bdef8367c96191bc9fe0ae8892fecf9e0dc859c7a7458aa\",\n      \"included\": \"hash_only\",\n      \"name\": \"live_execution_receipts\",\n      \"schema_version\": \"zero.live_execution_receipts.v1\",\n      \"status\": \"empty\"\n    },\n    {\n      \"hash\": \"sha256:2c65fb66bc876faa37613ed7dd5ccf0e01a4fee1d53edce396de495b381f943d\",\n      \"included\": \"hash_only\",\n      \"name\": \"hl_reconcile\",\n      \"schema_version\": \"zero.reconciliation.v1\",\n      \"status\": \"not_configured\"\n    },\n    {\n      \"hash\": \"sha256:2b81bc6b6fdd410328c5ce57ad3334cfb07c415e3f4109b9aa4dd00fcbac1fd6\",\n      \"included\": \"hash_only\",\n      \"name\": \"immune\",\n      \"schema_version\": \"zero.immune.v1\",\n      \"status\": \"blocked\"\n    },\n    {\n      \"hash\": \"sha256:844fe3f6df00512628655ac74e693ff97777e88cbf8da6329f1109608b59b08f\",\n      \"included\": \"hash_only\",\n      \"name\": \"live_certification\",\n      \"schema_version\": \"zero.live_certification.v1\",\n      \"status\": \"pass\"\n    },\n    {\n      \"hash\": \"sha256:99c7a27b2cd3484580becb5f713c0d0dc1c4cbf55fba08252d17804d21e52409\",\n      \"included\": \"hash_only\",\n      \"name\": \"audit_export\",\n      \"schema_version\": \"zero.audit.v1\",\n      \"status\": \"captured\"\n    },\n    {\n      \"hash\": \"sha256:8a00c17f76f07e0b7e41d8ee00caaf7d403d31c01b000d029ccf316d5eb3d210\",\n      \"included\": \"hash_only\",\n      \"name\": \"deployment_claim\",\n      \"schema_version\": \"zero.deployment.claim.v1\",\n      \"status\": \"captured\"\n    },\n    {\n      \"hash\": \"sha256:f84c4e8b033caf1c4690923bdc3cccab2275ca6cf7307929944c59093838d9e4\",\n      \"included\": \"hash_only\",\n      \"name\": \"deployment_heartbeat\",\n      \"schema_version\": \"zero.deployment.heartbeat.v1\",\n      \"status\": \"paper_only\"\n    }\n  ],\n  \"canary_rule\": {\n    \"default_public_runtime_places_live_orders\": false,\n    \"operator_owned_custody\": true,\n    \"requires_external_exchange_records\": true,\n    \"risk_reducing_actions_required\": [\n      \"/pause-entries\",\n      \"/flatten-all\",\n      \"/kill\"\n    ],\n    \"tiny_capital_only\": true\n  },\n  \"evidence_hash\": \"sha256:4b7c773b4bae33bfd3cfd10d46046a701b5d4cdd12aae36bc50fd1d94cfa1fec\",\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"live_mode\": \"refused\",\n  \"mode\": \"paper\",\n  \"operator_context\": {\n    \"handle\": \"local-operator\",\n    \"operator_id\": \"local-operator\",\n    \"role\": \"owner\",\n    \"schema_version\": \"zero.operator_context.v1\",\n    \"scope\": \"local-private\",\n    \"source\": \"runtime-default\"\n  },\n  \"paper_only\": true,\n  \"privacy\": {\n    \"contains_exchange_credentials\": false,\n    \"contains_idempotency_tokens\": false,\n    \"contains_private_notes\": false,\n    \"contains_raw_decisions\": false,\n    \"contains_trace_tokens\": false,\n    \"contains_wallet_material\": false\n  },\n  \"ready\": false,\n  \"risk_increasing_allowed\": false,\n  \"schema_version\": \"zero.mcp.evidence_bundle.v1\",\n  \"signature\": {\n    \"algorithm\": null,\n    \"key_material_included\": false,\n    \"signature\": null,\n    \"signed_evidence_hash\": \"sha256:4b7c773b4bae33bfd3cfd10d46046a701b5d4cdd12aae36bc50fd1d94cfa1fec\",\n    \"signer\": \"local-runtime\",\n    \"status\": \"unsigned_local\"\n  },\n  \"summary\": {\n    \"artifacts\": 9,\n    \"certification_passed\": true,\n    \"controls_ready\": false,\n    \"deployment_heartbeat_status\": \"paper_only\",\n    \"immune_risk_increasing_allowed\": false,\n    \"live_receipts_accepted\": 0,\n    \"live_receipts_total\": 0,\n    \"live_records_accepted\": 0,\n    \"live_records_total\": 0,\n    \"live_start_certified\": true,\n    \"preflight_ready\": false,\n    \"reconciliation_status\": \"not_configured\"\n  }\n}","type":"text"}],"isError":false}}}
{"request":{"id":18,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{},"name":"zero_get_safety_catalog"}},"response":{"id":18,"jsonrpc":"2.0","result":{"content":[{"text":"{\n  \"default\": \"read_only_public\",\n  \"read_only_tools\": [\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_list_strategies\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_runtime_status\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_runtime_parity\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_health\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_paper_results\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_position_state\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_journal_tail\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_rejection_audit\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_proof_pack\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_network_proof_pack\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_memory_snapshot\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_memory_stats\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_genesis_proposals\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_evolve_status\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_research_report\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_decision_stack\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_immune_status\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_backtest_report\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_evidence_bundle\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_safety_catalog\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    }\n  ],\n  \"risk_increasing_tools\": [],\n  \"risk_reducing_tools\": [],\n  \"schema_version\": \"zero.mcp.safety_catalog.v1\"\n}","type":"text"}],"isError":false}}}
{"request":{"id":19,"jsonrpc":"2.0","method":"resources/list","params":{}},"response":{"id":19,"jsonrpc":"2.0","result":{"resources":[{"description":"The deterministic paper scenario used by examples and MCP tools.","mimeType":"application/json","name":"Bundled Paper Scenario","uri":"zero://paper/scenario"},{"description":"Read-only paper replay result generated from the bundled scenario.","mimeType":"application/json","name":"Bundled Paper Results","uri":"zero://paper/results"},{"description":"Read-only paper runtime status from the bundled scenario.","mimeType":"application/json","name":"Demo Runtime Status","uri":"zero://runtime/status"},{"description":"Read-only paper runtime health, dependencies, and breakers.","mimeType":"application/json","name":"Demo Runtime Health","uri":"zero://runtime/health"},{"description":"Read-only production-parity OODA report with live shadow fail-closed evidence.","mimeType":"application/json","name":"Demo Runtime Production Parity","uri":"zero://runtime/parity"},{"description":"Read-only paper decision journal tail from the bundled scenario.","mimeType":"application/json","name":"Demo Journal Tail","uri":"zero://journal/tail"},{"description":"Read-only paper rejection audit from the bundled scenario.","mimeType":"application/json","name":"Demo Rejection Audit","uri":"zero://rejections/audit"},{"description":"Public-safe demo proof-pack manifest.","mimeType":"application/json","name":"Demo Proof Pack","uri":"zero://proof/demo"},{"description":"Public-safe ZERO Network proof-chain manifest.","mimeType":"application/json","name":"Network Proof Pack","uri":"zero://proof/network"},{"description":"Public-safe local memory extracted from bundled paper decisions.","mimeType":"application/json","name":"Demo Memory Snapshot","uri":"zero://memory/snapshot"},{"description":"Read-only aggregate memory stats without entry bodies.","mimeType":"application/json","name":"Demo Memory Stats","uri":"zero://memory/stats"},{"description":"Plan-only genesis proposal classifications for coding agents.","mimeType":"application/json","name":"Demo Genesis Proposals","uri":"zero://genesis/proposals"},{"description":"Paper-first builder, red-team, canary, calibration, promotion-plan, and rollback evidence.","mimeType":"application/json","name":"Demo Evolve Status","uri":"zero://evolve/status"},{"description":"Paper-only hunt, edge, convergence, thesis, score, meta, and sharpen report.","mimeType":"application/json","name":"Demo Research Report","uri":"zero://research/report"},{"description":"Paper-only lens, layer, and modifier decision stack for coding agents.","mimeType":"application/json","name":"Demo Decision Stack","uri":"zero://decision/stack"},{"description":"Read-only paper immune breaker status.","mimeType":"application/json","name":"Demo Immune Status","uri":"zero://immune/status"},{"description":"Read-only deterministic paper backtest report without PnL claims.","mimeType":"application/json","name":"Demo Backtest Report","uri":"zero://backtest/report"},{"description":"Read-only hash-only evidence bundle from the bundled paper runtime.","mimeType":"application/json","name":"Demo Evidence Bundle","uri":"zero://evidence/bundle"},{"description":"Read-only safety classification for every public MCP tool.","mimeType":"application/json","name":"MCP Safety Catalog","uri":"zero://mcp/safety"},{"description":"Read-only contributor docs for declarative paper strategy runners.","mimeType":"text/markdown","name":"Strategy Runner Docs","uri":"zero://docs/strategy-runner"},{"description":"Read-only contributor docs for deterministic paper strategy plugins.","mimeType":"text/markdown","name":"Strategy Plugin Docs","uri":"zero://docs/strategy-plugin"},{"description":"Read-only contributor docs for deterministic market-data adapters.","mimeType":"text/markdown","name":"Market Data Adapter Docs","uri":"zero://docs/market-data-adapters"}]}}}
{"request":{"id":20,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://decision/stack"}},"response":{"id":20,"jsonrpc":"2.0","result":{"contents":[{"mimeType":"application/json","text":"{\n  \"coin\": \"BTC\",\n  \"decision\": {\n    \"allowed_to_execute_live\": false,\n    \"consensus\": 75,\n    \"conviction\": 0.6674,\n    \"direction\": \"LONG\",\n    \"reason\": \"allowed\",\n    \"verdict\": \"PASS\"\n  },\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"layers\": [\n    {\n      \"blocks_entry\": true,\n      \"detail\": \"price source available for paper evaluation\",\n      \"kind\": \"preflight\",\n      \"layer\": \"data_freshness\",\n      \"passed\": true,\n      \"value\": {\n        \"source\": \"paper:fixture\"\n      }\n    },\n    {\n      \"blocks_entry\": true,\n      \"detail\": \"allowed\",\n      \"kind\": \"risk\",\n      \"layer\": \"risk_bounds\",\n      \"passed\": true,\n      \"value\": {\n        \"paper_exposure_unit\": 1.0\n      }\n    },\n    {\n      \"blocks_entry\": false,\n      \"detail\": \"public sample is below promotion floor; paper evaluation remains non-blocking\",\n      \"kind\": \"calibration\",\n      \"layer\": \"sample_floor\",\n      \"passed\": true,\n      \"value\": {\n        \"met\": false,\n        \"minimum\": 30,\n        \"public_sample_size\": 4\n      }\n    },\n    {\n      \"blocks_entry\": true,\n      \"detail\": \"evaluation is paper-first and does not submit live orders\",\n      \"kind\": \"custody\",\n      \"layer\": \"paper_boundary\",\n      \"passed\": true,\n      \"value\": {\n        \"live_order_emitted\": false\n      }\n    }\n  ],\n  \"lenses\": [\n    {\n      \"confidence\": 0.62,\n      \"evidence\": {\n        \"last_price\": 40500.0,\n        \"source\": \"paper:fixture\",\n        \"uses_live_exchange_credentials\": false\n      },\n      \"family\": \"market\",\n      \"lens\": \"price_action\",\n      \"public_safe\": true,\n      \"signal\": \"constructive\",\n      \"status\": \"active\",\n      \"weight\": 0.22\n    },\n    {\n      \"confidence\": 1.0,\n      \"evidence\": {\n        \"paper_exposure_unit\": 1.0,\n        \"reason\": \"allowed\"\n      },\n      \"family\": \"risk\",\n      \"lens\": \"risk_capacity\",\n      \"public_safe\": true,\n      \"signal\": \"pass\",\n      \"status\": \"active\",\n      \"weight\": 0.34\n    },\n    {\n      \"confidence\": 0.35,\n      \"evidence\": {\n        \"public_sample_size\": 4,\n        \"requires_more_paper_decisions\": true\n      },\n      \"family\": \"memory\",\n      \"lens\": \"memory_context\",\n      \"public_safe\": true,\n      \"signal\": \"insufficient_sample\",\n      \"status\": \"active\",\n      \"weight\": 0.18\n    },\n    {\n      \"confidence\": 0.8,\n      \"evidence\": {\n        \"dead_man_switch_required_for_live\": true,\n        \"paper_mode\": true\n      },\n      \"family\": \"safety\",\n      \"lens\": \"operator_liveness\",\n      \"public_safe\": true,\n      \"signal\": \"ready\",\n      \"status\": \"active\",\n      \"weight\": 0.26\n    }\n  ],\n  \"mode\": \"paper\",\n  \"modifiers\": [\n    {\n      \"bounded\": true,\n      \"direction\": \"down\",\n      \"effect\": \"confidence_adjustment\",\n      \"modifier\": \"rejection_first\",\n      \"reason\": \"insufficient public calibration sample\",\n      \"value\": 0.08\n    },\n    {\n      \"bounded\": true,\n      \"direction\": \"down\",\n      \"effect\": \"live_mode_gate\",\n      \"modifier\": \"operator_friction\",\n      \"reason\": \"risk-increasing live action requires explicit local confirmation\",\n      \"value\": 1.0\n    }\n  ],\n  \"paper_only\": true,\n  \"price\": {\n    \"last\": 40500.0,\n    \"source\": \"paper:fixture\",\n    \"uses_live_exchange_credentials\": false\n  },\n  \"privacy\": {\n    \"contains_exchange_credentials\": false,\n    \"contains_private_notes\": false,\n    \"contains_venue_order_material\": false,\n    \"contains_wallet_material\": false\n  },\n  \"schema_version\": \"zero.mcp.decision_stack.v1\"\n}","uri":"zero://decision/stack"}]}}}
{"request":{"id":21,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://research/report"}},"response":{"id":21,"jsonrpc":"2.0","result":{"contents":[{"mimeType":"application/json","text":"{\n  \"applies_code_changes\": false,\n  \"available\": true,\n  \"claims_live_pnl\": false,\n  \"commands\": [\n    \"hunt\",\n    \"edge\",\n    \"convergence\",\n    \"thesis\",\n    \"score\",\n    \"meta\",\n    \"sharpen\"\n  ],\n  \"generated_at\": \"2026-05-01T14:40:00Z\",\n  \"mode\": \"paper-only\",\n  \"paper_only\": true,\n  \"privacy\": {\n    \"contains_live_prices\": false,\n    \"contains_raw_live_pnl\": false,\n    \"contains_secret_material\": false,\n    \"contains_venue_order_material\": false,\n    \"contains_wallet_material\": false\n  },\n  \"pushes_to_remote\": false,\n  \"report_hash\": \"sha256:aa3ea7a49cd1b6556affd1c6628d57fa2b78a4ca6eb3ffed21333be882db594f\",\n  \"reports\": {\n    \"convergence\": {\n      \"checks\": {\n        \"manual_review_required\": true,\n        \"single_rejection_reason_dominates\": false,\n        \"weights_available\": false\n      },\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"lockstep_detected\": false,\n      \"minimum_sample_met\": false,\n      \"oscillation_detected\": false,\n      \"purpose\": \"feedback-loop drift and lockstep detection\",\n      \"sample_size\": 2,\n      \"schema_version\": \"zero.research.convergence.v1\",\n      \"status\": \"insufficient-public-sample\"\n    },\n    \"edge\": {\n      \"by_symbol\": {\n        \"BTC\": {\n          \"acceptance_rate\": 1.0,\n          \"allowed\": 1,\n          \"observations\": 1,\n          \"rejected\": 0\n        },\n        \"SOL\": {\n          \"acceptance_rate\": 0.0,\n          \"allowed\": 0,\n          \"observations\": 1,\n          \"rejected\": 1\n        }\n      },\n      \"claim_boundary\": {\n        \"claims_live_edge\": false,\n        \"reason\": \"public fixture decisions do not include signed live outcomes\",\n        \"uses_realized_pnl\": false\n      },\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"minimum_sample_met\": false,\n      \"overall\": {\n        \"acceptance_rate\": 0.5,\n        \"allowed\": 1,\n        \"rejected\": 1,\n        \"rejection_reasons\": {\n          \"order notional exceeds limit\": 1\n        },\n        \"symbols\": {\n          \"BTC\": 1,\n          \"SOL\": 1\n        },\n        \"total\": 2\n      },\n      \"purpose\": \"expectancy proxy from accepted/rejected paper decisions\",\n      \"sample_size\": 2,\n      \"schema_version\": \"zero.research.edge.v1\"\n    },\n    \"hunt\": {\n      \"candidate_count\": 3,\n      \"candidates\": [\n        {\n          \"avg_volume_rank\": 3,\n          \"latest_ts\": \"2026-05-01T00:05:00Z\",\n          \"momentum_bps\": 176,\n          \"observations\": 2,\n          \"regime\": \"impulse-up\",\n          \"status\": \"watch\",\n          \"symbol\": \"BTC\",\n          \"up_closes\": 2\n        },\n        {\n          \"avg_volume_rank\": 2,\n          \"latest_ts\": \"2026-05-01T00:00:00Z\",\n          \"momentum_bps\": 67,\n          \"observations\": 1,\n          \"regime\": \"impulse-up\",\n          \"status\": \"watch\",\n          \"symbol\": \"ETH\",\n          \"up_closes\": 1\n        },\n        {\n          \"avg_volume_rank\": 1,\n          \"latest_ts\": \"2026-05-01T00:00:00Z\",\n          \"momentum_bps\": 145,\n          \"observations\": 1,\n          \"regime\": \"impulse-up\",\n          \"status\": \"blocked-by-recent-risk\",\n          \"symbol\": \"SOL\",\n          \"up_closes\": 1\n        }\n      ],\n      \"decision_context\": {\n        \"acceptance_rate\": 0.5,\n        \"decisions\": 2,\n        \"rejected\": 1\n      },\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"purpose\": \"market scan from public paper fixtures\",\n      \"schema_version\": \"zero.research.hunt.v1\"\n    },\n    \"meta\": {\n      \"commands_reviewed\": [\n        \"hunt\",\n        \"edge\",\n        \"convergence\",\n        \"thesis\",\n        \"score\",\n        \"sharpen\"\n      ],\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"purpose\": \"audit command usefulness\",\n      \"schema_version\": \"zero.research.meta.v1\",\n      \"usefulness\": {\n        \"convergence\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.8\n        },\n        \"edge\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.8\n        },\n        \"hunt\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.8\n        },\n        \"score\": {\n          \"reason\": \"needs real outcome labels\",\n          \"score\": 0.6\n        },\n        \"sharpen\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.6\n        },\n        \"thesis\": {\n          \"reason\": \"deterministic public fixture signal\",\n          \"score\": 0.6\n        }\n      }\n    },\n    \"score\": {\n      \"accuracy\": 1.0,\n      \"correct\": 2,\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"judgments_scored\": 2,\n      \"limitation\": \"paper safety decisions are not predictive PnL labels\",\n      \"purpose\": \"compare prior judgments against public paper outcomes\",\n      \"schema_version\": \"zero.research.score.v1\",\n      \"status\": \"fixture-only\"\n    },\n    \"sharpen\": {\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"minimum_sample_met\": false,\n      \"proposals\": [\n        {\n          \"applies_code_changes\": false,\n          \"id\": \"research-sample-floor\",\n          \"priority\": \"high\",\n          \"summary\": \"Collect at least 30 paper decisions before relaxing any research conclusion.\"\n        },\n        {\n          \"applies_code_changes\": false,\n          \"id\": \"research-live-labels\",\n          \"priority\": \"medium\",\n          \"summary\": \"Attach signed operator evidence before scoring live outcome accuracy.\"\n        },\n        {\n          \"applies_code_changes\": false,\n          \"id\": \"research-convergence-review\",\n          \"priority\": \"medium\",\n          \"summary\": \"Review rejection concentration before changing weights or filters.\"\n        }\n      ],\n      \"purpose\": \"system improvement backlog from research reports\",\n      \"schema_version\": \"zero.research.sharpen.v1\"\n    },\n    \"thesis\": {\n      \"anti_thesis\": \"A sparse fixture can overfit to a single synthetic market regime.\",\n      \"generated_at\": \"2026-05-01T14:40:00Z\",\n      \"horizon_days\": 7,\n      \"hypothesis\": \"Operate only fixture-backed watch symbols until paper rejection data clears the minimum sample floor.\",\n      \"schema_version\": \"zero.research.thesis.v1\",\n      \"scorecard\": {\n        \"confidence\": 0.42,\n        \"invalidates_if\": [\n          \"acceptance rate falls to zero for three consecutive paper sessions\",\n          \"one rejection reason explains every blocked setup after 30 samples\"\n        ],\n        \"sample_size\": 2\n      },\n      \"watch_symbols\": [\n        \"BTC\",\n        \"ETH\"\n      ]\n    }\n  },\n  \"schema_version\": \"zero.mcp.research_report.v1\",\n  \"source\": \"fixture-research-chain\",\n  \"source_quality\": {\n    \"accepted\": 3,\n    \"classifications\": [\n      {\n        \"allowed_uses\": [\n          \"paper_research\",\n          \"genesis_context\"\n        ],\n        \"decision\": \"accepted\",\n        \"raw_content_included\": false,\n        \"reasons\": [],\n        \"schema_version\": \"zero.research.source_classification.v1\",\n        \"source_hash\": \"sha256:eeaa905507afb5098e8eae863e6ca3fbe6e166d0b0cc23d24c8dfba48ddff4ee\",\n        \"source_id\": \"paper-candles-fixture\",\n        \"source_type\": \"fixture\",\n        \"trusted\": true\n      },\n      {\n        \"allowed_uses\": [\n          \"paper_research\",\n          \"genesis_context\"\n        ],\n        \"decision\": \"accepted\",\n        \"raw_content_included\": false,\n        \"reasons\": [],\n        \"schema_version\": \"zero.research.source_classification.v1\",\n        \"source_hash\": \"sha256:6b03ea81e991ff176da48d8ed536e2e9d0cb62542959e247bc82be328d3591ab\",\n        \"source_id\": \"memory-decisions-fixture\",\n        \"source_type\": \"fixture\",\n        \"trusted\": true\n      },\n      {\n        \"allowed_uses\": [\n          \"paper_research\",\n          \"genesis_context\"\n        ],\n        \"decision\": \"accepted\",\n        \"raw_content_included\": false,\n        \"reasons\": [],\n        \"schema_version\": \"zero.research.source_classification.v1\",\n        \"source_hash\": \"sha256:dbcc881d160e5ca4710deebddeca6ae33960b2a3cca030d5af533970d1a9dc53\",\n        \"source_id\": \"research-doc-boundary\",\n        \"source_type\": \"repo_doc\",\n        \"trusted\": true\n      }\n    ],\n    \"mode\": \"paper-only\",\n    \"raw_content_included\": false,\n    \"rejected\": 0,\n    \"root_hash\": \"sha256:2b6385e1c23b34a7775569eda15dd0551b24c34f0a00ad8e2c12ca42d3de2ccb\",\n    \"schema_version\": \"zero.research.source_quality.v1\"\n  },\n  \"summary\": {\n    \"candidate_count\": 3,\n    \"convergence_status\": \"insufficient-public-sample\",\n    \"minimum_sample_met\": false,\n    \"proposal_count\": 3,\n    \"rejected_sources\": 0,\n    \"sample_size\": 2,\n    \"source_classifications\": 3\n  }\n}","uri":"zero://research/report"}]}}}
{"request":{"id":22,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://proof/demo"}},"response":{"id":22,"jsonrpc":"2.0","result":{"contents":[{"mimeType":"application/json","text":"{\n  \"artifacts\": {\n    \"candles_jsonl\": \"sha256:c263d1ba3646f7b849112812a32da77fdd4e9fd33f9f091637e2d7e5622bb23a\",\n    \"demo_readme\": \"sha256:50538d70e490c58ebe74548e59b5c377ef3d31de82bea9d379949d63e21d107b\",\n    \"paper_decisions_csv\": \"sha256:e27e0dac3bfc686f54a1e51c99b6daccabbb49a335924b9160c0b07ddcabb497\",\n    \"paper_proof_svg\": \"sha256:53c87e12d4cf4822e5539b7cf264c294f004d713cd9b5e968806c1e151df3b56\",\n    \"scenario_json\": \"sha256:93290634b70d88df5c69755e2f1da17ae9f034c561b461d6c5fcd1c3b4bbbe8f\"\n  },\n  \"claim_boundary\": {\n    \"live_trading_claimed\": false,\n    \"paper_mode_verified\": true,\n    \"paper_vs_live_correlation_claimed\": false,\n    \"pnl_claimed\": false\n  },\n  \"generated_at\": \"2026-05-01T00:00:00Z\",\n  \"live_correlation\": {\n    \"r_squared\": null,\n    \"reason\": \"requires signed paper/live records and exchange-side evidence\",\n    \"status\": \"unavailable\"\n  },\n  \"mode\": \"paper\",\n  \"name\": \"demo-paper-launch-smoke\",\n  \"paper\": {\n    \"decisions\": 4,\n    \"fills\": 2,\n    \"open_positions\": 1,\n    \"rejections\": 2,\n    \"scenario\": \"paper-launch-smoke\",\n    \"symbols\": [\n      \"BTC\",\n      \"ETH\",\n      \"SOL\"\n    ]\n  },\n  \"privacy\": {\n    \"contains_exchange_credentials\": false,\n    \"contains_private_notes\": false,\n    \"contains_raw_exchange_order_ids\": false,\n    \"contains_wallet_material\": false\n  },\n  \"proof_hash\": \"sha256:6b56436ec3003c2c6557f57f08e6d127e1e30a77451384cd3ed5b15f6c751ceb\",\n  \"schema_version\": \"zero.proof_pack.v1\"\n}","uri":"zero://proof/demo"}]}}}
{"request":{"id":23,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://proof/network"}},"response":{"id":23,"jsonrpc":"2.0","result":{"contents":[{"mimeType":"application/json","text":"{\n  \"artifacts\": {\n    \"README.md\": \"sha256:29663e3e393eced718e36553e9fc5d53bbda6d5b2ea73f1caed8aaa1e0c728d8\",\n    \"identity/SHA256SUMS\": \"sha256:4d30c35f9b0979a43643c8b725c786f1a9c9ff00f7cff8a6d55feff396a2cb69\",\n    \"identity/deployment_claim.json\": \"sha256:b3f0cfee8f05ef7fcc047dc8f682c8093ca65ec2d76a043870e9443b8a76db8e\",\n    \"identity/deployment_heartbeat.json\": \"sha256:c0341cccd9d30a3fb8446ad47aec2327c486216f381e08c485cf78674c6c5b50\",\n    \"identity/identity_bundle.json\": \"sha256:23823d356843f1b5909bd44cd374d4b49b6c8536349d70417b15a1e914e61cda\",\n    \"leaderboard.json\": \"sha256:24545b1f03fb960fdf031d88ccf80fc8e2026431aa8ee1ee1b311d6fc4c742d4\",\n    \"profile-verification.json\": \"sha256:40f1f8c54b079f28935bb3dc029d7b85c4eb11a494851847ccf8de6e9459cf7f\",\n    \"profile.json\": \"sha256:06e5b51110bf868a15e338b333f1fa840bf1fa3a1f7173a54b5bd69036a2d8bd\"\n  },\n  \"bindings\": {\n    \"deployment_claim_hash\": \"sha256:82ecef926249e36a1a8fd3f8c2112f32c20abf1ad2d98cec615fdbdf04be1b2b\",\n    \"deployment_heartbeat_hash\": \"sha256:a249d3641422e96598d03e1908b16eb15e05c4cce06064b28e83dbbf64381e43\",\n    \"leaderboard_proof_hash\": \"sha256:71b27a515d1c1faea7a3f83b51af8e482ae4578155977b543887d7a086bbf6b4\",\n    \"proof_hash\": \"sha256:71b27a515d1c1faea7a3f83b51af8e482ae4578155977b543887d7a086bbf6b4\"\n  },\n  \"claim_boundary\": {\n    \"hosted_ingestion_compatible\": true,\n    \"live_trading_claimed\": false,\n    \"paper_mode_verified\": true,\n    \"paper_vs_live_correlation_claimed\": false,\n    \"pnl_claimed\": false\n  },\n  \"generated_at\": \"2026-05-01T00:00:00Z\",\n  \"identity\": {\n    \"bundle_schema_version\": \"zero.deployment_identity_evidence.v1\",\n    \"signature_present\": false,\n    \"signature_required_for_static_fixture\": false,\n    \"signed_identity_smoke_tested_in_ci\": true\n  },\n  \"mode\": \"paper\",\n  \"name\": \"demo-network-proof-chain\",\n  \"ok\": true,\n  \"privacy\": {\n    \"contains_exchange_credentials\": false,\n    \"contains_idempotency_tokens\": false,\n    \"contains_raw_decisions\": false,\n    \"contains_trace_tokens\": false,\n    \"contains_wallet_material\": false\n  },\n  \"profile_schema_version\": \"zero.network.profile.v1\",\n  \"proof_hash\": \"sha256:05595c3846e6247cc4f2bba8e1c1235a536eaa4721c2c7c83782459b0a6f4494\",\n  \"schema_version\": \"zero.network_proof_pack.v1\",\n  \"verification\": {\n    \"checks_failed\": 0,\n    \"checks_ok\": 81,\n    \"hosted_ingestion_accepted\": 1,\n    \"ok\": true\n  },\n  \"verification_schema_version\": \"zero.network.profile_verification.v1\"\n}","uri":"zero://proof/network"}]}}}
{"request":{"id":24,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://mcp/safety"}},"response":{"id":24,"jsonrpc":"2.0","result":{"contents":[{"mimeType":"application/json","text":"{\n  \"default\": \"read_only_public\",\n  \"read_only_tools\": [\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_list_strategies\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_runtime_status\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_runtime_parity\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_health\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_paper_results\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_position_state\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_journal_tail\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_rejection_audit\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_proof_pack\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_network_proof_pack\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_memory_snapshot\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_memory_stats\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_genesis_proposals\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_evolve_status\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_research_report\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_decision_stack\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_immune_status\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_backtest_report\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_evidence_bundle\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    },\n    {\n      \"canChangeRuntimeState\": false,\n      \"canPlaceOrders\": false,\n      \"name\": \"zero_get_safety_catalog\",\n      \"requiresOperatorApproval\": false,\n      \"riskDirection\": \"none\",\n      \"safetyClass\": \"read_only_public\"\n    }\n  ],\n  \"risk_increasing_tools\": [],\n  \"risk_reducing_tools\": [],\n  \"schema_version\": \"zero.mcp.safety_catalog.v1\"\n}","uri":"zero://mcp/safety"}]}}}
{"request":{"id":25,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://docs/strategy-runner"}},"response":{"id":25,"jsonrpc":"2.0","result":{"contents":[{"mimeType":"text/markdown","text":"# Strategy Runner Example\n\nThis example shows ZERO's declarative strategy runner contract.\n\nRun it from the repository root:\n\n```bash\nPYTHONPATH=\"$PWD/engine/src\" python3 examples/strategy-runner/run.py\n```\n\nOr use:\n\n```bash\njust strategy-runner-example\n```\n\nThe runner file proposes a paper `OrderIntent`; the paper engine still applies\nrisk limits, records the decision, and owns fills or rejections.\n\nContributor rules:\n\n- keep declarative runners paper-only;\n- use deterministic fixtures;\n- do not add exchange credentials or live API calls;\n- add conformance tests for new runner behavior.\n","uri":"zero://docs/strategy-runner"}]}}}
{"request":{"id":26,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://docs/strategy-plugin"}},"response":{"id":26,"jsonrpc":"2.0","result":{"contents":[{"mimeType":"text/markdown","text":"# Strategy Plugin Example\n\nThis is the smallest public contributor path for adding a strategy to ZERO.\n\nRun it from the repository root:\n\n```bash\nPYTHONPATH=\"$PWD/engine/src:$PWD/examples/strategy-plugin\" \\\n  python3 examples/strategy-plugin/run.py\n```\n\nOr use:\n\n```bash\njust strategy-plugin-example\n```\n\nThe plugin can inspect market data and return a `StrategySignal`. It cannot\nplace orders directly. The paper engine still owns risk checks, decision\nrecording, fills, and rejections.\n\nExpected output shape:\n\n```json\n{\n  \"mode\": \"paper\",\n  \"plugin\": {\n    \"name\": \"close-strength\",\n    \"paper_only\": true,\n    \"version\": \"0.1.0\"\n  },\n  \"proposed\": true,\n  \"allowed\": true,\n  \"fills\": 1,\n  \"rejections\": 0\n}\n```\n\nContributor rules:\n\n- Keep plugins deterministic and paper-first.\n- Do not read private keys, wallet secrets, or exchange credentials.\n- Do not call live execution APIs from plugin code.\n- Add tests before proposing a new plugin.\n","uri":"zero://docs/strategy-plugin"}]}}}
{"request":{"id":27,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://docs/market-data-adapters"}},"response":{"id":27,"jsonrpc":"2.0","result":{"contents":[{"mimeType":"text/markdown","text":"# Market Data Adapter Example\n\nThis is the smallest public contributor path for adding a market data adapter\nto ZERO.\n\nRun it from the repository root:\n\n```bash\nPYTHONPATH=\"$PWD/engine/src:$PWD/examples/market-data-adapter\" \\\n  python3 examples/market-data-adapter/run.py\n```\n\nOr use:\n\n```bash\njust market-data-adapter-example\n```\n\nThe adapter reads `candles.jsonl` from this directory and exposes candles only.\nIt does not know about execution, custody, risk limits, journals, or live mode.\n\nExpected output shape:\n\n```json\n{\n  \"mode\": \"paper\",\n  \"adapter\": {\n    \"name\": \"fixture-candles\",\n    \"requires_secrets\": false,\n    \"source\": \"local-jsonl-fixture\"\n  },\n  \"latest_close\": 40550.0,\n  \"proposed\": true,\n  \"allowed\": true,\n  \"fills\": 1\n}\n```\n\nContributor rules:\n\n- Keep examples deterministic and paper-first.\n- Do not require secrets for public examples.\n- Return candles in chronological order.\n- Raise clear errors for missing symbols or invalid limits.\n- Add tests before proposing a new adapter.\n","uri":"zero://docs/market-data-adapters"}]}}}
{"request":{"id":28,"jsonrpc":"2.0","method":"orders/place","params":{"private_key":"transcript_do_not_echo_marker","prompt":"transcript prompt injection marker","side":"buy","symbol":"BTC"}},"response":{"error":{"code":-32601,"data":{"allowed_surface":["initialize","ping","tools/list","tools/call:read-only","resources/list","resources/read:zero://..."],"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"paper_only":true,"reason":"method_not_available_on_read_only_surface","requested_method":"orders/place","requested_tool":"","requested_uri":"","riskDirection":"none","safetyClass":"read_only_public","schema_version":"zero.mcp.refusal.v1"},"message":"method not found on read-only ZERO MCP surface: orders/place"},"id":28,"jsonrpc":"2.0"}}
{"request":{"id":29,"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{"private_key":"transcript_do_not_echo_marker","prompt":"transcript prompt injection marker"},"name":"zero_execute_live"}},"response":{"error":{"code":-32602,"data":{"allowed_surface":["initialize","ping","tools/list","tools/call:read-only","resources/list","resources/read:zero://..."],"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"paper_only":true,"reason":"tool_not_available_on_read_only_surface","requested_method":"tools/call","requested_tool":"zero_execute_live","requested_uri":"","riskDirection":"none","safetyClass":"read_only_public","schema_version":"zero.mcp.refusal.v1"},"message":"unknown read-only ZERO tool: zero_execute_live"},"id":29,"jsonrpc":"2.0"}}
{"request":{"id":30,"jsonrpc":"2.0","method":"resources/read","params":{"uri":"zero://live/order?prompt=transcript-do-not-echo-marker"}},"response":{"error":{"code":-32602,"data":{"allowed_surface":["initialize","ping","tools/list","tools/call:read-only","resources/list","resources/read:zero://..."],"canChangeRuntimeState":false,"canPlaceOrders":false,"canReadSecrets":false,"paper_only":true,"reason":"resource_not_available_on_read_only_surface","requested_method":"resources/read","requested_tool":"","requested_uri":"zero://live/order","riskDirection":"none","safetyClass":"read_only_public","schema_version":"zero.mcp.refusal.v1"},"message":"unknown read-only ZERO resource: zero://live/order"},"id":30,"jsonrpc":"2.0"}}
````


## Source: `docs/api-compatibility.md`

````markdown
# API Compatibility

ZERO treats the local paper API as a public integration surface. The OpenAPI
contract in [openapi/zero-paper-api.v1.yaml](../openapi/zero-paper-api.v1.yaml)
is the machine-readable source of truth for the public runtime.

## Version Scope

The current public contract is `zero-paper-api.v1`.

It covers:

- local paper runtime health, status, positions, risk, journal, metrics, and
  audit export;
- paper execution through `POST /execute`;
- read-only market quote and Hyperliquid status surfaces;
- immune breaker state through `GET /immune`;
- public-safe ZERO Network packets;
- delayed ZERO Intelligence packets and catalog;
- local live preflight and live risk-reducer controls.

It does not guarantee hosted ZERO Intelligence API behavior. Hosted commercial
surfaces will use their own versioned `/v1/intelligence/*` contract before
public launch.

## Compatibility Rules

Patch releases may:

- add optional response fields;
- add optional request fields;
- add new endpoints;
- add new enum values only when older clients can safely ignore them;
- tighten documentation and examples without changing wire behavior.

Patch releases must not:

- remove documented fields from stable responses;
- rename stable fields;
- change field types;
- make an optional request field required;
- change default paper behavior to live behavior;
- expose secrets, wallet addresses, raw trace records, idempotency keys, private
  notes, exchange order IDs, or per-trade symbols in public Network or
  Intelligence packets.

Breaking changes require a new versioned contract file and a migration note.

## Public Packet Boundary

ZERO Network and delayed ZERO Intelligence packets are public-safe aggregate
surfaces. They may include:

- aggregate decision, fill, rejection, and notional counts;
- verification status and proof hashes;
- publication and privacy metadata;
- delayed aggregate intelligence signals.

They must exclude:

- raw decisions;
- raw trace IDs;
- idempotency keys;
- wallet addresses;
- exchange order IDs;
- exchange credentials;
- private operator notes;
- strategy source labels;
- per-trade symbols.

## Live Mode Boundary

The public runtime is paper-first. Live execution is local opt-in and requires
operator-owned configuration.

Compatibility guarantees for live-facing endpoints are conservative:

- `GET /live/preflight` must stay non-secret and safe to expose in diagnostics;
- `GET /live/cockpit` must stay read-only and safe to expose in diagnostics;
- `GET /immune` must stay read-only and side-effect free;
- `GET /live/certification` must stay dry-run by default and report zero live
  orders placed;
- `GET /live/receipts` must not include raw trace tokens, idempotency tokens,
  wallet material, exchange credentials, or raw venue acknowledgement payloads;
- `GET /live/evidence` must stay hash-only for private artifacts and must not
  include raw decisions, trace tokens, idempotency keys, wallet material, or
  exchange credentials;
- `POST /live/pause`, `/live/kill`, and `/live/flatten` must remain
  risk-reducing controls;
- when live execution is not configured, `POST /live/*` endpoints must refuse
  with an explicit reason instead of pretending to be active;
- `POST /execute` must stay paper by default unless `X-Zero-Mode: live` is
  explicitly supplied.

## Contract Gate

`scripts/openapi_contract_check.py` enforces the contract gate in local and CI
checks. It verifies:

- required public paths are present in the OpenAPI file;
- required response/request schema names are present and referenced;
- fixture JSON files are valid and retain required top-level fields;
- operation IDs remain unique.

Run it directly:

```bash
python3 scripts/openapi_contract_check.py
```

It is also included in `just docs-check` and therefore in `just ci`.
````


## Source: `docs/runtime-bus.md`

````markdown
# Durable Runtime Bus

The durable runtime bus is ZERO's local source of replayable runtime truth. It
is separate from the decision journal:

- the decision journal stores paper execution decisions that rebuild fills,
  rejections, positions, and idempotency state;
- the runtime bus stores OODA cycles, decisions, fills, rejections, position
  snapshots, health records, and future operator commands as checksum-chained
  events.

The public implementation is dependency-free JSONL so contributors can inspect
and test it without a database. The interface is intentionally narrow enough to
mirror the same events into SQLite, Postgres, or hosted ingestion later.

## Run With A Bus

```bash
PYTHONPATH="$PWD/engine/src" zero-engine-run \
  --scenario examples/paper-trading/scenario.json \
  --journal .zero/decisions.jsonl \
  --runtime-bus .zero/runtime-bus \
  --once \
  --interval 0
```

This writes:

- `.zero/runtime-bus/events.jsonl`
- `.zero/runtime-bus/state-snapshot.json`

Each event has:

- `schema_version: zero.runtime.event.v1`
- a sequential `event_index`
- a deterministic `event_id`
- an `event_type`
- a payload
- `previous_checksum`
- `checksum`

`DurableRuntimeBus.verify_integrity()` walks the whole file and fails if any
event is mutated, deleted, reordered, or linked to the wrong previous checksum.

## Audit Export

`DurableRuntimeBus.export_audit()` returns `zero.runtime.audit.v1` from disk
only. It includes integrity status, event type counts, the latest state
snapshot, and every event.

The bus is private operator state by default. Public ZERO Network and ZERO
Intelligence exports must stay aggregate and redacted; raw bus events include
traceable runtime details and are not a public profile surface.

## Production-Parity Report

`zero-engine-run --production-parity` writes
`zero.runtime.production_parity.v1` to the chosen output directory:

```bash
PYTHONPATH="$PWD/engine/src" zero-engine-run \
  --production-parity \
  --scenario examples/paper-trading/scenario.json \
  --output artifacts/runtime-parity
```

The report runs the same OODA phase order as the paper runtime, mirrors each
intent through a disabled live executor, verifies zero adapter orders were
placed, checks the runtime-bus checksum chain, and emits
`zero.runtime.feedback.v1` rejection/execution-quality feedback. It is a
production-shape parity proof, not live trading proof.
````


## Source: `docs/journal-integrity.md`

````markdown
# Journal Integrity

ZERO decision journals are append-only JSONL files with a cryptographic
envelope around each decision.

The public runtime keeps reads backward-compatible: `DecisionJournal.read_all()`
and `/journal` return the decision payloads operators already expect. The file
on disk now stores `zero.decision_journal.entry.v1` entries so the operator can
verify sequence, previous hash, payload hash, signature status, and timestamp
anchor binding.

Appends are serialized with a per-journal exclusive append lock. The writer
takes the lock before reading the current head, assigning the next sequence, and
fsyncing the new line. This prevents competing agent, API, and operator
processes from writing two entries with the same predecessor hash.

## Entry Shape

Each line contains:

| Field | Meaning |
|---|---|
| `schema_version` | `zero.decision_journal.entry.v1` |
| `sequence` | Monotonic 1-based sequence number. |
| `previous_hash` | Previous entry hash, or `null` for the first entry. |
| `payload` | The original accepted or rejected decision record. |
| `entry_hash` | SHA-256 over schema, sequence, previous hash, and payload. |
| `signature` | Operator-owned signing metadata. |
| `timestamp_anchor` | Local timestamp-anchor binding for the entry hash and local clock time. |

Unsigned local journals are still valid for paper examples. Live-capable
operator deployments should set a journal signing key and require signature
verification before risk can increase.

## Signing

The built-in signer uses HMAC-SHA256 from the Python standard library so a
fresh clone has no extra dependency.

```bash
export ZERO_JOURNAL_SIGNING_KEY="replace-with-operator-secret"
PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.journal verify \
  .zero/decisions.jsonl \
  --require-signature \
  --signing-key-env ZERO_JOURNAL_SIGNING_KEY \
  --key-id local-operator
```

The signature is operator-owned. Do not commit signing keys. Do not publish raw
private journals.

## Verification

Verify an unsigned paper journal:

```bash
PYTHONPATH="$PWD/engine/src" scripts/journal_verify.py verify .zero/decisions.jsonl
```

Verify a signed operator journal:

```bash
PYTHONPATH="$PWD/engine/src" scripts/journal_verify.py verify \
  .zero/decisions.jsonl \
  --require-signature \
  --signing-key-env ZERO_JOURNAL_SIGNING_KEY
```

The verifier fails on:

- malformed JSON;
- sequence gaps or reordering;
- previous-hash mismatch;
- payload mutation;
- entry-hash mutation;
- missing signature when required;
- signature mismatch when the operator key is provided;
- timestamp-anchor mismatch when anchors are required.

Concurrent writer regressions are covered by
`test_decision_journal_serializes_concurrent_writer_processes`, which launches
multiple writer processes against the same journal and then verifies the final
hash chain.

## Timestamp Anchoring

Every entry includes a local timestamp-anchor binding to the entry hash and a
local `anchored_at` clock reading. This is enough to detect local tampering, but
it is not a trusted external timestamp.

External anchoring is handled by a separate public-safe packet:
`zero.decision_journal.external_anchor.v1`. The packet binds the verified
journal head hash, entry count, verification-report hash, timestamp method,
anchor time, and external receipt reference without exposing raw journal
payloads.

Prepare an anchor packet before sending the journal head to Rekor,
OpenTimestamps, RFC3161, or a public chain:

```bash
PYTHONPATH="$PWD/engine/src" scripts/journal_verify.py anchor \
  .zero/decisions.jsonl \
  --output .zero/journal-anchor.json \
  --method opentimestamps \
  --require-signature \
  --signing-key-env ZERO_JOURNAL_SIGNING_KEY
```

After the external service returns a receipt, recreate or update the packet
with a public-safe reference:

```bash
PYTHONPATH="$PWD/engine/src" scripts/journal_verify.py anchor \
  .zero/decisions.jsonl \
  --output .zero/journal-anchor.json \
  --method opentimestamps \
  --anchor-ref ots:sha256:<receipt-digest> \
  --require-signature \
  --signing-key-env ZERO_JOURNAL_SIGNING_KEY
```

Verify the packet against the journal and require an external receipt before
using it as live-capable evidence:

```bash
PYTHONPATH="$PWD/engine/src" scripts/journal_verify.py verify-anchor \
  .zero/decisions.jsonl \
  .zero/journal-anchor.json \
  --require-external \
  --require-signature \
  --signing-key-env ZERO_JOURNAL_SIGNING_KEY
```

The verifier fails on anchor hash mutation, journal-head mismatch, entry-count
mismatch, verification-hash mismatch, and missing external receipt when
`--require-external` is set.

## Periodic Anchor Cadence

Live-capable operators should run the cadence wrapper after each journal-head
change and at least once per configured interval. The wrapper reuses a fresh
same-head anchor, creates a new packet when the head changes or the prior packet
is stale, writes an immutable timestamped packet plus
`journal-anchor-latest.json`, and records a verifiable
`zero.decision_journal.anchor_cadence.v1` state file.

```bash
PYTHONPATH="$PWD/engine/src" scripts/journal_anchor_cadence.py run \
  .zero/decisions.jsonl \
  --anchor-dir .zero/anchors \
  --method opentimestamps \
  --anchor-ref ots:sha256:<receipt-digest> \
  --max-age-hours 24 \
  --require-external \
  --require-signature \
  --signing-key-env ZERO_JOURNAL_SIGNING_KEY
```

Verify the cadence state during live preflight or release evidence collection:

```bash
PYTHONPATH="$PWD/engine/src" scripts/journal_anchor_cadence.py verify-state \
  .zero/decisions.jsonl \
  --state .zero/anchors/journal-anchor-state.json \
  --require-external \
  --require-signature \
  --signing-key-env ZERO_JOURNAL_SIGNING_KEY
```

The operation fails closed when `--require-external` is set without a receipt,
when the state points at a missing or mutated packet, when the journal head no
longer matches the anchor, or when the cadence is overdue. Preserve external
receipt material outside the trading host.

## Stream Roots And Public Proof Packs

The decision journal verifier protects one append-only decision file. Launch
and live-readiness evidence also need a higher-level root over multiple runtime
streams: trades, events, decisions, rejections, near misses, and genesis
proposals.

ZERO exposes this as `zero.journal.v1` stream envelopes and
`zero.journal_root.v1` daily roots:

- `zero-journal-chain` wraps raw JSONL rows in ordered envelopes with
  `payload_hash`, `prev_hash`, `entry_hash`, and optional Ed25519 signature
  fields.
- `zero-journal-sidecar` writes or backfills sibling
  `journal-chains/*.chain.jsonl` files without changing the raw journal format.
- `zero-journal-root` reduces verified streams into one signed root hash.
- `zero-journal-anchor` attaches local, webhook, or OpenTimestamps receipt
  metadata. Root hashes and signatures exclude the mutable `anchor` field.
- `zero-journal-proof` emits a public-safe proof pack with counts, head hashes,
  signature hash, public key id, and anchor metadata, but no raw trade rows,
  local paths, wallet material, or exchange order IDs.

Build and verify a sidecar over any JSONL stream:

```bash
zero-journal-sidecar backfill \
  --input .zero/data/trades.jsonl \
  --stream trades

zero-journal-sidecar verify \
  --input .zero/data/journal-chains/trades.trades.chain.jsonl \
  --stream trades \
  --raw-input .zero/data/trades.jsonl
```

Generate a daily root and public proof pack:

```bash
zero-journal-root \
  --bus-dir .zero/bus \
  --data-dir .zero/data \
  --output-dir .zero/data/journal-roots \
  --day 2026-05-04

zero-journal-proof \
  --root .zero/data/journal-roots/journal-root-2026-05-04.json \
  --output-dir .zero/data/proof-packs
```

Set `ZERO_JOURNAL_SIGNING_KEY_B64` to a base64/base64url encoded 32-byte
Ed25519 private key or base64 encoded Ed25519 PEM to sign sidecar entries and
daily roots. Set `ZERO_JOURNAL_SIGNING_KEY_ID` to a stable operator or
deployment key id. The private key is never written to roots or proof packs.

Use `ZERO_JOURNAL_ANCHOR_PROVIDER=opentimestamps` for public timestamp
submission, `webhook` for an operator-controlled timestamp service, `local` for
local receipt files, or `none` to disable anchoring during tests.

## Incident Rule

Any `zero.decision_journal.verification.v1` failure in a live-capable operator
deployment is a journal anomaly. Follow
[Incident Runbooks](incident-runbooks.md) and publish a redacted postmortem
when live safety, public privacy, or launch claims are affected.
````


## Source: `docs/safety-model.md`

````markdown
# Safety Model

ZERO treats trading execution as safety-critical software.

## Defaults

- Paper mode is the default demo path.
- No real private key is required for contributor setup.
- Risk gates fail closed when required data is missing.
- Risk-reducing actions must not be delayed by confirmation friction.
- Operator-visible state must include source and freshness where possible.
- Every paper order decision records source, timestamp, allowed/rejected state,
  and reason.

## Safety-Critical Areas

- position sizing
- exchange execution
- kill switches
- stop-loss and liquidation-distance logic
- private key handling
- operator command friction
- paper/live isolation

Changes in these areas need focused regression tests and maintainer review.

## Incident And Threat Review

Maintainers must review [threat-model.md](threat-model.md) and
[incident-runbooks.md](incident-runbooks.md) before releasing changes that touch
live execution, custody, public packet serialization, release artifacts, or
Railway deployment defaults.

Public packet serializers must stay aggregate-only. Any leak of trace IDs,
idempotency keys, per-trade symbols, private notes, wallet material, exchange
responses, or strategy source labels is a P1 privacy incident.
````


## Source: `docs/threat-model.md`

````markdown
# Threat Model

This model covers the public ZERO runtime, CLI, Railway paper deployment,
ZERO Network proof packets, and ZERO Intelligence packet contracts.

## Assets

- Operator exchange credentials and wallet addresses
- Live execution authority
- Decision journal and audit export
- Public profile, leaderboard, and intelligence packets
- Release artifacts, checksums, and attestations
- CLI configuration and local keychain references
- Operator-local runtime partitions

## Trust Boundaries

- Local operator machine: trusted for runtime configuration and key storage.
- Public runtime API: trusted only for the operator who controls the process.
- Railway project: operator-owned hosting boundary, not ZERO custody.
- Hyperliquid public info endpoints: untrusted read-only market data source.
- Hyperliquid exchange signing path: live-only, local, and preflight gated.
- GitHub release pipeline: trusted only after checksum and attestation checks.
- ZERO Network and ZERO Intelligence packets: public-safe aggregate data only.

## Threats And Controls

| Threat | Impact | Current Controls | Required Response |
|---|---|---|---|
| Private key committed or logged | Loss of funds | No first-run secrets, redaction tests, local-only key helpers, secret scan | Rotate key, revoke affected API wallet, invalidate release if artifact leaked it |
| Public profile leaks raw trades or trace IDs | Privacy breach | `zero.network.profile.v1` redaction tests and smoke checks | Stop publishing, patch redaction, rotate proof hash, publish incident note |
| Intelligence packet leaks private details | Commercial/data breach | `zero.intelligence.snapshot.v1` aggregate-only tests and smoke checks | Disable export path, patch serializer, rerun privacy gate |
| Paper deployment accidentally enables live execution | Unexpected real orders | Public Railway smoke proves live mode refused, live executor requires explicit env and preflight | Kill service, unset live env, inspect journal and exchange orders |
| Exchange outage or malformed market data | Bad decisions | Read-only quote source labeling, fail-closed missing symbols, operator-visible errors | Pause automation, switch to deterministic paper source, document outage window |
| Duplicate order submission | Over-exposure | Idempotency keys, no retry on live order submit, deterministic client order IDs | Kill live executor, reconcile exchange fills, resume only after audit |
| Local state crosses operators | Privacy breach, wrong-context action, or stale recovery state | Operator-scoped filesystem partitions, operator-scoped keychain account names, `zero doctor` partition rows and legacy-artifact warning | Stop automation, archive/migrate shared artifacts, rerun doctor before live mode |
| Dead-man or kill switch failure | Continued exposure | Dead-man heartbeat, pause, kill, reduce-only flatten controls | Trigger kill, manually flatten at venue, open P0 incident |
| Release artifact tampering | Compromised installs | SHA256SUMS, `SBOM.spdx.json`, `PROVENANCE.json`, release verifier, and GitHub artifact attestations | Pull draft release, rotate affected tag, rebuild from clean runner |
| Dependency compromise | Runtime compromise | Dependabot, CodeQL, OpenSSF Scorecard, lockfile review, dependency policy, release SBOM | Pin or remove dependency, regenerate lockfile/SBOM, cut patched release |
| Contributor bypasses safety gates | Regression | CI, smoke tests, safety review issue template, branch protection | Revert via PR, add regression test, document bypass path |

## Non-Goals

- ZERO does not custody exchange funds.
- ZERO does not require a hosted control plane for local runtime use.
- Public paper deployments are not production trading services.
- Public snapshots are not financial advice and do not expose strategy details.

## Review Triggers

Update this document before merging changes that touch:

- exchange signing or live execution;
- private key handling;
- operator-local filesystem or keychain partitioning;
- decision journals, audit export, or recovery;
- public profile, leaderboard, or intelligence serialization;
- release artifact generation, installation, or verification;
- Railway deployment defaults.

## Residual Risk

The public runtime can now demonstrate safety boundaries and operational
responses, but real capital still depends on operator custody hygiene,
exchange-side controls, deployment configuration, and external market behavior.
Live operation must be treated as a local operator decision, not a hosted ZERO
guarantee.
````


## Source: `docs/failure-modes-autonomous-loop.md`

````markdown
# Failure Modes Of The Autonomous Loop

This document is the public safety taxonomy for ZERO's autonomous loop. It is
written for maintainers, operators, reviewers, and coding agents.

The rule is simple: if a failure mode is not documented with detection, blast
radius, rollback, journal evidence, alerting, and test coverage, it is not
ready for unattended operation.

## Scope

The public repository exposes paper-first autonomous components:

- memory extraction from local outcomes;
- genesis proposal classification;
- paper-only research reports;
- lens/layer/modifier decision-stack review;
- paper-first evolve candidates;
- runtime OODA reports;
- read-only MCP inspection.

Protected live-code evolution remains human-reviewed. The public MCP server is
read-only and must not place orders, mutate runtime state, or read secrets.

## Required Fields

Every autonomous-loop failure mode must define:

| Field | Required answer |
|---|---|
| Detection | Which check sees the problem first? |
| Blast radius | What can be affected before containment? |
| Rollback | What command, revert, kill, or policy change restores safety? |
| Journal entry | Which journal/audit event proves what happened? |
| Alerting | Which operator-visible signal fires? |
| Test or evidence | Which deterministic test, property test, drill, or proof packet covers it? |

Unknown answers mean fail closed.

## Taxonomy

| ID | Failure mode | Detection | Blast radius | Rollback | Journal entry | Alerting | Test or evidence |
|---|---|---|---|---|---|---|---|
| FM-AUTO-001 | Agent hallucinates a strategy and burns through paper budget. | Strategy registry rejects unknown runners; paper budget breaker sees order count, notional, or drawdown drift. | Paper budget for the local session. Live capital should be zero because paper-first is enforced. | Pause evolve, disable the strategy, revert the candidate config, reset paper budget after review. | `zero.evolve.run.v1`, `zero.immune.v1`, rejected `zero.paper.decision.v1`, rollback receipt. | CLI/TUI safety banner, `/immune`, metrics counter, optional operator notification. | `engine/tests/test_evolve.py`, `engine/tests/test_safety.py`, `engine/tests/test_property_safety.py`. |
| FM-AUTO-002 | `evolve` produces a config that passes tests but fails at runtime. | Runtime health marks candidate as failed; production-parity OODA emits live-shadow mismatch or runtime exception. | Candidate branch and paper canary only. Protected paths must not auto-apply to live code. | `zero.evolve.rollback_receipt.v1`, restore original hash, mark proposal quarantined. | Apply receipt, rollback receipt, runtime cycle failure event. | `/runtime-parity`, `/evolve`, CI failure, operator terminal warning. | `engine/tests/test_evolve.py`, `engine/tests/test_runtime.py`, `engine/tests/test_property_safety.py`. |
| FM-AUTO-003 | Agent and human edit the journal concurrently. | Exclusive append lock serializes head reads and writes; verifier detects non-monotonic sequence, previous-hash break, checksum break, or replay mismatch. | Local audit trail for the affected runtime; execution must pause if journal integrity is unknown. | Stop writers, preserve both copies, replay from last good head, restore durable volume snapshot if needed. | `zero.decision_journal.verification.v1`, `zero.journal.integrity_failure.v1`, or incident audit export. | P1 journal anomaly alert, CLI refusal on live preflight, runbook escalation. | `engine/tests/test_journal.py::test_decision_journal_serializes_concurrent_writer_processes`, `engine/tests/test_bus.py`, `docs/runtime-bus.md`. |
| FM-AUTO-004 | Hyperliquid returns malformed response and the agent retries N times. | Adapter schema validation fails; retry budget reaches zero; rate-limit breaker opens. | Read-only market/account freshness or one blocked live submission. Order submissions must not retry blindly. | Mark venue degraded, fail risk-increasing actions, keep reduce-only controls available. | `exchange_error`, reconciliation packet, immune breaker event. | `/hl/reconcile`, `/immune`, `/live-cockpit`, metrics exchange-error counter. | `engine/tests/test_hyperliquid.py`, `engine/tests/test_live.py`, `engine/tests/test_reconciliation.py`, `engine/tests/test_property_safety.py`. |
| FM-AUTO-005 | Stale memory promotes an outdated pattern. | Memory stats report stale source window; genesis confidence drops; proposal age exceeds policy. | Proposal quality and paper canary time, not live execution. | Retire stale memory, regenerate proposal from fresh outcomes, require a new paper canary. | `zero.memory.entry.v1`, `zero.genesis.proposal.v1`, research report. | `/memory`, `/genesis`, docs gap or safety-review issue. | `engine/tests/test_memory.py`, `engine/tests/test_genesis.py`, `engine/tests/test_property_safety.py`. |
| FM-AUTO-006 | Research command ingests prompt-injected or unsupported external claims. | `zero.research.source_classification.v1` marks untrusted, prompt-injected, unsupported-performance, secret-material, or risk-increasing claims as rejected; research report carries source-quality flags without raw source text. | Paper-only research report and proposal queue. | Discard report, quarantine source, regenerate with trusted sources only. | `zero.research.report.v1` with rejected source metadata. | `/research`, safety-review issue when live policy would be affected. | `engine/tests/test_research.py::test_research_source_classifier_rejects_prompt_injection_without_echoing_raw_text`, `engine/tests/test_research.py::test_research_public_safety_rejects_unsafe_report_keys`. |
| FM-AUTO-007 | Model gateway produces unsafe, expensive, or unavailable output. | Gateway budget, timeout, health, and audit checks fail closed. | Evaluation quality degradation; order path must not depend on unverified model output alone. | Fall back to local/mock provider, lower confidence, or reject decision. | Model gateway audit packet and decision rejection reason. | `/model-gateway/health`, metrics, operator warning. | `engine/tests/test_model_gateway.py`, `engine/tests/test_property_safety.py`. |
| FM-AUTO-008 | Paper/live shadow diverges during production-parity OODA. | `zero.runtime.production_parity.v1` reports mismatch or live-shadow fail-closed evidence. | Live promotion blocked; paper session continues. | Disable promotion, capture audit export, create regression fixture. | Runtime parity report, decision-stack packet, live-shadow refusal. | `/runtime-parity`, CLI red status, safety-review issue. | `engine/tests/test_runtime.py`, `engine/tests/test_live.py`. |
| FM-AUTO-009 | MCP client asks ZERO to place an order or mutate state. | MCP safety catalog has no risk-increasing tools; unknown methods, unknown tools, and unavailable resources return `zero.mcp.refusal.v1` without echoing hostile arguments or prompt text. | None if server remains read-only. | Keep server read-only, revoke unsafe registry submission, patch transcript. | MCP transcript refusal and safety catalog resource. | MCP smoke failure, CI failure. | `engine/tests/test_mcp.py::test_mcp_refuses_mutating_methods_without_echoing_raw_arguments`, `engine/tests/test_mcp.py::test_mcp_refuses_unknown_resource_without_echoing_prompt_injection`, `scripts/mcp_transcript.py --check`. |
| FM-AUTO-010 | Public Network or Intelligence packet leaks private identifiers. | Privacy regression fixtures detect wallet-like, raw order ID, trace token, or private journal fields. | Public artifact exposure until publication is stopped. | Stop publishing, rotate unsafe packet, patch serializer, mark proof stale. | Public packet hash, privacy regression incident export. | P1 privacy regression alert, CI failure. | `engine/tests/test_proof_privacy.py`, `scripts/proof_privacy_regression.py`. |
| FM-AUTO-011 | Kill switch, pause, flatten, or reduce-only path is unavailable. | Live certification drill fails; cockpit marks emergency controls not ready. | Live mode must refuse risk-increasing actions. Existing exchange positions may need manual exchange action. | Manual exchange close if needed; keep ZERO live disabled until certification passes. | `zero.live_certification.v1`, live cockpit packet, incident postmortem. | `/live-certification`, `/live-cockpit`, P0/P1 runbook. | `engine/tests/test_live_canary_policy.py`, `scripts/live_cockpit_drill_verify.py`. |
| FM-AUTO-012 | Journal chain, signature, or timestamp anchor fails verification. | `zero.decision_journal.verification.v1` detects missing head, broken previous hash, invalid signature, missing required signature, or stale anchor; `zero.decision_journal.external_anchor.verification.v1` detects anchor packet drift or missing external receipt; `zero.decision_journal.anchor_cadence.v1` detects stale cadence state. | Audit trust for the affected interval. Live mode must refuse if the decision journal or required external anchor is unverifiable. | Stop writers, preserve artifact, restore last verified head, publish redacted postmortem if live safety was affected. | `zero.decision_journal.verification.v1`, `zero.decision_journal.external_anchor.v1`, `zero.decision_journal.anchor_cadence.v1`, verifier report, incident postmortem. | CLI live-preflight refusal, incident alert. | `engine/tests/test_journal.py`, `engine/tests/test_journal_anchor_cadence.py`, `scripts/journal_verify.py`, `scripts/journal_anchor_cadence.py`. |

## Coverage Bar For 100/100

ZERO reaches the autonomous trust bar only when:

- every row above has at least one deterministic regression test;
- safety gates have property-based tests for bounded random inputs;
- decision journals are hash-chained, signed, and locally verifiable;
- journal-head external anchor packets have a periodic operation that attaches
  trusted timestamp receipts or public-chain references and verifies cadence
  state;
- failures that touch live safety, journal integrity, or public privacy produce
  redacted postmortems in `docs/incident-postmortems/`;
- the MCP server has a committed registry packet and live Official MCP Registry
  listing backed by the public `zero-engine` PyPI package.

## Operating Rule

Autonomy is allowed to suggest, classify, rehearse, and paper-canary changes.
Autonomy is not allowed to silently expand live risk, bypass journals, bypass
reconciliation, bypass kill switches, publish private records, or mutate
protected live-code paths without human review.
````


## Source: `docs/incident-runbooks.md`

````markdown
# Incident Runbooks

These runbooks are written for maintainers and serious operators. Use exact
timestamps, trace IDs, commit SHAs, release tags, and Railway deployment IDs in
incident notes.

## Severity

| Level | Definition | Response |
|---|---|---|
| P0 | Possible fund loss, leaked credential, unsafe live execution, or compromised release | Stop affected system immediately, page maintainer, publish advisory when public users are affected |
| P1 | Public runtime unavailable, privacy leak in public packet, broken release, or failed recovery | Stop rollout, preserve logs, patch and verify |
| P2 | Degraded market data, stale docs, failed non-critical smoke, or packaging issue | Fix before next release |

## P0: Suspected Secret Leak

1. Stop affected deployment or local process.
2. Revoke or rotate the affected Hyperliquid API wallet/key immediately.
3. Search the repository, release artifacts, logs, and JSONL journals for the
   leaked token or address.
4. Run `just ci` and GitHub Secret Scan after the patch.
5. If a public release is affected, delete the draft or mark the release unsafe,
   rebuild artifacts, and publish an advisory.

Exit gate: no secret remains in git history being distributed, artifacts,
operator docs, release notes, or public packet examples.

## P0: Unexpected Live Order

1. Run `POST /live/kill` or the CLI kill command.
2. If positions remain open, run reduce-only flatten from ZERO or manually at
   the exchange.
3. Export `/operator/context`, `/audit/export?limit=1000`, `/metrics`,
   `/live/preflight`, `/live/cockpit`, and local live execution records.
4. Check operator context, idempotency key, trace ID, risk limits, dead-man
   heartbeat, and kill-switch path.
5. Do not resume live mode until a regression test proves the failure cannot
   recur.

Exit gate: exchange state, local journal, and ZERO live records reconcile.

## P0: Failed Live Canary

1. Run `/kill` or `POST /live/kill` immediately.
2. If any position remains open, run `/flatten-all` or close manually at the
   exchange with reduce-only orders.
3. Preserve `/live/preflight`, `/live/cockpit`, `/immune`, `/hl/reconcile`,
   `/live/certification`, `/metrics`, `/audit/export?limit=1000`, and
   exchange-side order/fill records.
4. Compare idempotency keys, client order IDs, local live records, and exchange
   order/fill history.
5. Do not run another canary until a regression test and a fresh certification
   report prove the failure cannot recur.

Exit gate: exchange state is flat or intentionally held, local and exchange
records reconcile, and the remediation commit passes `just ci`.

## P1: Railway Runtime Down

1. Run `scripts/deployment_evidence.sh "$ZERO_RAILWAY_URL"` and preserve the
   evidence folder with the incident notes. For shared deployments, include
   `--railway-logs --signing-key "$ZERO_DEPLOYMENT_EVIDENCE_SIGNING_KEY"` and
   verify the folder with `scripts/deployment_evidence_verify.py DIR
   --require-signature`.
   Also preserve a deployment identity bundle from
   `scripts/deployment_identity_evidence.py create CLAIM HEARTBEAT` and verify
   it with `scripts/deployment_identity_evidence.py verify DIR
   --require-signature` when an operator signing key is available.
2. Confirm Railway injected `PORT` and the service listens on `0.0.0.0:$PORT`.
3. Confirm the volume is mounted at `/data` and `ZERO_JOURNAL_PATH` points to
   `/data/decisions.jsonl`.
4. Inspect restart count and deployment logs.
5. Run `scripts/railway_smoke.sh` against the candidate image before promoting.
6. If rolling back, verify the current and previous evidence folders with
   `scripts/deployment_rollback_rehearsal.py CURRENT --previous-bundle PREVIOUS
   --require-signature`, then capture and verify fresh evidence after Railway
   serves the rollback target.

Exit gate: the deployment evidence `manifest.json` shows zero failed doctor
checks, `/health`, `/v2/status`, `/metrics`, `/network/profile`, and
`/intelligence/snapshot` return public-safe packets, checksums and rollback
rehearsal are present, and live mode remains refused on public paper
deployments.

## P1: Journal Recovery Failure

1. Stop writes to the affected runtime.
2. Preserve the current JSONL journal.
3. Run a local recovery from the journal and compare decisions, fills,
   rejections, positions, and idempotency hits.
4. If the journal is malformed, isolate the first bad line and create a
   regression fixture.
5. Restore from the last known good volume snapshot if available.

Exit gate: recovered state matches the pre-restart audit summary.

## P1: Public Packet Privacy Regression

1. Stop profile or intelligence publication.
2. Capture the leaking packet and its proof hash.
3. Patch the serializer and add a test for the leaked token class.
4. Run `scripts/paper_api_smoke.sh`, `scripts/hardening_gate.sh`, and `just ci`.
5. Rotate or mark stale any public proof generated by the unsafe serializer.

Exit gate: public profile, leaderboard, and intelligence packets contain only
aggregate fields and proof hashes.

## P1: Bad Release Artifact

1. Keep the GitHub Release in draft or pull it back to draft.
2. Download artifacts to a clean directory.
3. Run `shasum -a 256 -c SHA256SUMS`.
4. Run `scripts/release_verify.py <downloaded-release-dir>` and confirm
   `SBOM.spdx.json` plus `PROVENANCE.json` parse cleanly.
5. Run `gh attestation verify zero-linux -R zero-intel/zero` and the macOS
   equivalent for executable artifacts.
6. Rebuild from the tag only after the local and GitHub gates pass.

Exit gate: fresh-download checksum, release verifier, SBOM/provenance, and
attestation verification all pass.

## P1: Vulnerable Dependency In Release

1. Identify whether the dependency is runtime, dev-only, CI-only, or
   live-optional.
2. Check `SBOM.spdx.json`, `PROVENANCE.json`, `engine/pyproject.toml`, and
   `cli/Cargo.lock` to confirm affected packages and release assets.
3. Patch, pin, remove, or replace the dependency.
4. Regenerate lockfiles through the package manager.
5. Run `just ci`, `scripts/hardening_gate.sh`, and `just release-rehearsal`.
6. If a public release is affected, mark it unsafe or pull it back to draft and
   publish a patched release.

Exit gate: patched release assets include regenerated SBOM/provenance files and
all GitHub checks pass.

## P2: Market Data Degradation

1. Check `/market/quote?symbol=BTC` and `/hl/status`.
2. Confirm whether the failure is exchange outage, missing symbol, rate limit,
   or local network failure.
3. Switch demos to deterministic paper prices when public market data is stale.
4. Do not enable live execution while quote source freshness is unknown.

Exit gate: quote source and freshness are operator-visible.

## Required Incident Artifacts

Every P0/P1 incident should preserve:

- commit SHA and release tag;
- Railway deployment ID or local command line;
- `/health`, `/v2/status`, `/metrics`, `/immune`, `/live/preflight`, `/live/cockpit`;
- `/hl/reconcile`, `/live/certification`;
- `/audit/export?limit=1000`;
- relevant trace IDs and idempotency keys;
- exchange-side fill/order records when live mode is involved;
- remediation commit and verification commands.

## Public Postmortem Gate

Use [incident-postmortems/TEMPLATE.md](incident-postmortems/TEMPLATE.md) for
any incident that affects autonomous-loop trust, live safety, journal integrity,
public privacy, or release integrity.

Publish a redacted postmortem within 7 days when public users, public
artifacts, or live-safety claims are affected. If publication would expose
secrets or an active exploit, publish a delayed notice and complete the
postmortem after containment.
````


## Source: `docs/incident-postmortems/README.md`

````markdown
# Incident Postmortems

ZERO publishes redacted postmortems for incidents that affect autonomous-loop
trust, live safety, journal integrity, public privacy, or release integrity.

The goal is not performative transparency. The goal is to make autonomous
operation auditable by showing what failed, how it was detected, how far it
could spread, how it was rolled back, what the journal recorded, what alert
fired, and which test now prevents recurrence.

## Publication Policy

Publish a redacted postmortem when any of the following occurs:

- a P0/P1 incident from [Incident Runbooks](../incident-runbooks.md);
- unexpected live order, failed canary, or emergency control failure;
- safety-gate refusal that reveals a design gap;
- journal anomaly, checksum break, signature failure, or timestamp-anchor
  failure;
- autonomous loop proposes, applies, or rehearses an unsafe change;
- public Network or Intelligence packet leaks private identifiers;
- MCP server exposes an unsafe tool, resource, or registry manifest;
- release artifact, SBOM, provenance, or attestation is wrong.

## Timing

- Preserve evidence immediately.
- Draft internally within 72 hours.
- Publish a redacted version within 7 days when public users, public artifacts,
  or live-safety claims are affected.
- If publication would expose secrets or an active exploit, publish a delayed
  notice and complete the postmortem after containment.

## Redaction Rules

Never publish:

- private keys, seed phrases, API tokens, cookies, or auth headers;
- wallet addresses unless the operator explicitly made them public;
- raw exchange order IDs, raw private journals, trace tokens, or idempotency
  tokens;
- strategy labels or private notes that can identify an operator;
- unredacted screenshots containing account state.

Publish instead:

- timestamps;
- release tags and commit SHAs;
- redacted trace IDs;
- proof hashes;
- verifier outputs;
- aggregate counts;
- remediation commits;
- new or updated test names.

## Index

No public incident postmortems have been published yet.

New postmortems should use [TEMPLATE.md](TEMPLATE.md) and be named:

```text
YYYY-MM-DD-short-slug.md
```
````


## Source: `docs/open-core-boundary.md`

````markdown
# Open Runtime Boundary

ZERO is the operating intelligence layer between humans and capital. This public
repository is the open Runtime, Protocol, and Proof substrate beneath the hosted
ZERO product.

This repository contains the local-first runtime, operator terminal, public
proof contracts, MCP readouts, and deployment paths that engineers can run,
inspect, test, and extend locally. Railway is the recommended hosted path, but
it is optional: the public Runtime, Protocol, and Proof substrate remains
paper-first and locally usable without hosted ZERO infrastructure. Operators own
their Railway project, environment variables, exchange credentials, and runtime
state.

Hosted ZERO Studio, ZERO Control, ZERO Registry, founder-admin, and doctrine
surfaces stay outside this repository. The public repo should remain useful
without a ZERO-hosted app account. The future commercial product can sell
advantaged scale, retention, redistribution, datasets, webhooks, benchmarks,
reliability commitments, and enterprise support without gating basic runtime
operation.

## Open Source

- Local ZERO Runtime
- Paper execution adapter
- Safety and risk primitives
- Operator CLI
- Local API contracts
- Strategy and data-adapter examples
- Railway and Docker deployment templates
- Public profile, leaderboard, and verification contracts
- Contributor tests and CI
- Documentation needed to understand, build, and modify the runtime

## Public Contracts

- Redacted Proof packets
- Public profile and leaderboard contracts
- Delayed public snapshots
- Protocol schemas and read-only MCP surfaces

## Future Commercial

- Historical intelligence datasets
- Advanced filters, cohorts, and benchmarks
- Commercial intelligence connectors and enrichment feeds
- Higher rate limits, webhooks, and bulk exports
- Commercial redistribution rights
- Enterprise support, reliability commitments, and SLAs

## Boundary Rules

- Public examples must run without real funds.
- Public docs must not reference private infrastructure, direct host details, or
  private legal material.
- Public code must not require a ZERO-hosted app to run paper mode.
- Vibe Deploy may connect an operator-owned Runtime to the ZERO control plane,
  but it must be optional and receipt-backed: ownership, liveness, paper
  capability, authority, and execution lease are separate proof steps.
- Railway deployment must be optional, reproducible, and self-custodial.
- Runtime telemetry and profile publication must be opt-in.
- Public profiles and leaderboards are part of the public product surface.
- ZERO Network publication must use redacted proof packets and must not require
  a ZERO-hosted app.
- Delayed ZERO Intelligence snapshots, realtime growth-mode access, and the
  local intelligence export contract are public-facing; future higher-scale
  history, cohorts, bulk exports, redistribution, and SLAs remain commercial.
- Core runtime and venue adapters should be public; commercial connectors should
  enrich, distribute, or integrate ZERO Intelligence rather than gate basic
  runtime operation.
- Future paid features must be based on scale, history, reliability,
  redistribution, or support, not on basic runtime use or early operator access.
- Builder Codes must be explicit operator-approved revenue authority, never a
  hidden default in the open Runtime.
- A public contributor must be able to run the default test suite from a clean
  checkout.

## Contribution Policy

Contributions are welcome in the public runtime. Commercial-only features should
start as a design discussion so maintainers can decide whether the feature
belongs in the open runtime, a public extension interface, the public network,
or ZERO Intelligence.
````


## Source: `docs/production-readiness.md`

````markdown
# Production Readiness

This scorecard measures ZERO as a production product, not just as a clean public
repository. It deliberately keeps two scores separate:

- **Public repo readiness:** whether the repository is good enough for serious
  engineers to run, inspect, and contribute to.
- **Full operating-intelligence readiness:** whether ZERO has the runtime contracts,
  operator controls, and evidence paths needed for self-custodial live capital.

The public repository is launch-ready for contributors. The private/operator
deployment has live Hyperliquid execution evidence; this repo publishes a
redacted private live evidence packet and verifier, not raw custody records.
Hosted custody is not offered, and every new live operator remains responsible
for local wallet control, preflight, kill-switches, reconciliation, and review.

## Current Score

| Dimension | Score | Status |
|---|---:|---|
| Public repo hygiene | 100 | Strong CI, release artifacts, governance, docs, clean boundaries, first-class GitHub product page, first-10-minutes guide, reproducible demo capture, fresh source-tree rehearsal, threat model, incident runbooks, distribution policy, hardening gate, and public-readiness gate. |
| Product narrative | 100 | Clear category around ZERO as the operating intelligence layer between humans and capital, with this repository scoped to open Runtime, Protocol, and Proof. Hosted product, live-operation boundary, capability boundary, and operator proof path are separated cleanly. |
| CLI readiness | 100 | Mature Rust terminal, doctor, five-mode TUI, full-screen live cockpit, friction gates, tests, release binary path, recovery-aware status output, live-preflight diagnostics, `/live-cockpit`, `/live-certify`, `/live-receipts`, `/live-canary`, `/runtime-parity`, `/immune`, friction-gated `/resume-entries`, friction-gated engine-backed `/execute` with receipt-hash rendering, operator-context audit headers, operator-local runtime partitions, a one-command live canary operator evidence workflow, canary policy renderer, and a verified read-only live cockpit drill bundle exist. Raw canary records remain operator-owned external proof, not a public-runtime CLI gap. |
| Engine runtime | 100 | Deterministic paper runtime, bounded OODA cycle records, strategy runner SDK, declarative paper strategies, public lens/layer/modifier decision stack, process-serialized append-only decision journal, durable runtime bus contracts, restart replay, read-only Hyperliquid info adapter, live-mid paper execution, traceable audit export, production-parity OODA reports, disabled live-shadow fail-closed evidence, rejection/execution-quality feedback, live custody preflight, account reconciliation, dry-run live certification, immune breaker packets, live execution receipt packets, maintained live canary rehearsal collector, verifier, exchange-evidence normalizer, live canary policy lifecycle, operator report workflow, operator report verifier, redacted private live evidence packet (`zero.live_trading_evidence.v1`: 30 fills, 437 trades, 188 live decisions), public-safe signed live evidence packets, fail-closed model gateway plumbing, and live-executor interfaces exist. Raw exchange canary proof remains operator-owned external evidence. |
| Self-evolution loop | 100 | Local memory, genesis proposal core, paper-only research command chain, public decision-stack review, production-parity OODA reports, and paper-first evolve gates are implemented with typed public-safe entries, append-only JSONL journals, generated `knowledge.md`, `/memory`, `/genesis`, `/research`, `/runtime/parity`, `/decision/stack`, `/evolve`, fixture-backed CLI extraction/classification/research/decision-stack/parity output, guardian sample floors, protected path escalation, hunt/edge/convergence/thesis/score/meta/sharpen reports, lenses/layers/modifiers, red-team review, sandbox candidate mutation, deterministic paper canary, calibration, promotion plan, rollback plan, promotion verification, exact-phrase local apply, apply receipts, rollback receipts, and expanded read-only MCP status/parity/health/journal/rejection/memory/immune/backtest/evidence/safety surfaces. Protected live-code evolution remains human-reviewed by design. |
| Safety and risk | 100 | CLI risk asymmetry, local custody validation, dry-run order validation, preflight refusal, account-reconciliation gate, live-submit idempotency model, no-retry exchange-error records, dry-run live certification drills, `zero.immune.v1` breakers, dead-man heartbeat contract, max notional/loss/order-rate policy, pause, kill, reduce-only flatten, fail-closed canary rehearsal, canary policy qualification, hash-only live evidence capture, redacted private live evidence verification, verified cockpit drill tamper rejection, threat model, and P0/P1 runbooks exist. Third-party security review and exchange chaos rehearsal are external trust work, not missing public-runtime safety contracts. |
| API contracts | 100 | Paper fixtures are pinned across Python and Rust, OpenAPI documents the local paper runtime, compatibility rules are explicit, `/memory` exposes redacted local learning, `/genesis` exposes plan-only proposal classification, `/research` exposes paper-only research reports, `/runtime/parity` exposes production-parity OODA and live-shadow fail-closed evidence, `/decision/stack` exposes lens/layer/modifier evaluation shape, `/evaluate/{coin}` embeds that stack while preserving CLI fields, `/evolve` exposes paper-only evolve gates plus promotion plan, rollback plan, and promotion verification, `/operator/context` exposes audit identity, `/deployment/claim` exposes signature-ready runtime identity, `/deployment/heartbeat` exposes signature-ready public liveness, `/hl/status` exposes read-only market status, `/hl/account` and `/hl/reconcile` expose account truth, `/immune` exposes risk-blocking breaker state, `/live/cockpit` exposes consolidated live operator state, `/live/certification` exposes dry-run safety evidence, `/live/receipts` exposes public-safe local execution receipts, `/live/evidence` exposes a hash-only signed canary evidence bundle, `/live/canary-policy` exposes the live canary lifecycle and qualification contract, `/market/quote` names the active price source, `/health` plus `/v2/status` expose recovery state, `/metrics` plus `/audit/export` expose observable runtime state, `/network/*` exposes public proof packets and hosted-compatible ingestion, `/intelligence/*` exposes delayed intelligence, model gateway status, model gateway health, model gateway audit, and billing-ready commercial API contracts, `/v1/intelligence/*` exposes hosted-compatible auth, scopes, rate-limit headers, usage events, webhook signatures, and export jobs, `/live/preflight` exposes a non-secret live-readiness gate, and `POST /live/*` controls are typed in the CLI. |
| Deployment | 100 | Docker path, Railway config, healthcheck, restart policy, `PORT`-aware start script, durable journal replay, traceable paper decisions, Railway remote doctor, redacted deployment evidence pack, evidence verifier, optional HMAC evidence signature, OpenSSL-backed deployment identity evidence bundle, plan-only deployment rollback rehearsal, optional Railway CLI log capture with CI redaction/signature/identity/rollback coverage, Railway smoke test, and Railway incident runbook exist. Live deployed project proof and production log drains are external operation evidence, not missing public deployment contracts. |
| Observability and audit | 100 | HTTP trace IDs, operator context packets, operator-local state partitions, live-control action logs, traced paper decisions, metrics, idempotency counters, replay counts, retention/redaction metadata, structured audit export, checksum-chained runtime events, local state snapshots, immune breaker packets, Hyperliquid reconciliation packets, live cockpit packets, live execution receipt hashes, dry-run live certification packets, hash-only signed live evidence bundles, redacted private live trading evidence, live canary policy packets, live canary bundle verification, live cockpit drill replay verification, live cockpit drill tamper rehearsal, public-safe exchange evidence attachment, public-safe operator reports, recursive operator evidence checksums, operator report verification, model gateway health packets, model gateway audit bundles, deployment evidence manifests, and required incident artifacts are documented. Remaining production work is external log drains/signing, not public-runtime audit shape. |
| Security and custody | 100 | No secrets needed for first run; Hyperliquid private keys have operator-scoped keychain/env helpers, redaction tests, a non-secret preflight gate, optional SDK-backed live adapter, threat model, secret-leak runbook, dependency policy, SBOM/provenance metadata, and release provenance policy. External security review remains diligence evidence, not a missing custody contract. |
| ZERO Network contracts | 100 | Public-safe local profile packets, proof hashes, deployment claim hashes, deployment heartbeat hashes, verification badges, leaderboard rows, opt-in local publish logs, hosted-compatible ingestion, proof validation, duplicate refusal, metric-consistency checks, accepted-only leaderboard output, empty/active/stale public page states, `zero.network.profile_verification.v1` profile-plus-identity verification, and deterministic `zero.network_proof_pack.v1` public proof-chain artifacts exist. Hosted persistence, sybil policy operation, and identity service operation are external product work. |
| ZERO Intelligence contracts | 100 | Delayed public snapshots, catalog, billing-ready commercial contract, hosted-compatible `/v1/intelligence/*` reads/writes, token-gated paid scopes, actual rate-limit headers, usage events, HMAC-SHA256 webhook signature fixtures, aggregate export jobs, plan/scope model, dataset names, fail-closed model gateway status, model gateway health probes, model gateway audit bundles, mock/local provider conformance, external model adapter contract tests, bounded retry/cost policy, hosted key-management rules, plan boundary, opt-in local export packets, and a durable JSONL reference store behind `ZERO_INTELLIGENCE_STORE_PATH` exist. Billing, warehouse-backed feeds, and webhook delivery are external commercial service work. |
| Release and distribution | 100 | GitHub release artifacts, checksums, SBOM/provenance bundle, recorded `v0.1.2` clean-download release evidence, published-release evidence command with committed Homebrew formula comparison, release verifier, tamper-detection rehearsal, draft-release rollback rehearsal, committed Homebrew formula, formula drift check, attestations, installer, registry-readiness gate, package dry run, distribution readiness policy, release template hardening checks, dependency policy, PyPI `zero-engine`, published crates.io `zero-os` workspace crates, Official MCP Registry listing, published Docker Hub `getzero/zero` image with anonymous pull evidence, published GHCR `ghcr.io/zero-intel/zero` image with anonymous pull evidence, and rollback rules exist. |
| Documentation for operators | 100 | Good local docs, operator isolation docs, Hyperliquid read-only boundary docs, live-paper quote docs, immune-system docs, live cockpit docs, live cockpit drill bundle, verifier, and tamper rehearsal, live certification docs, live evidence docs, redacted live trading evidence docs, live canary policy/operator docs, Railway paper deploy, remote-doctor, and evidence-pack docs, restart recovery docs, audit/metrics docs, live-preflight warnings, threat model, and incident runbooks. Missing third-party review evidence only as external proof, not documented workflow. |

**Public repo readiness: 100/100.**

The production-parity contract is `zero.runtime.production_parity.v1`.

This is credible for a public open-source launch repository. Clean release
artifacts, fresh source-tree rehearsal, contribution paths, public gates, and
product boundary docs are now in place. The remaining external proof belongs to
commercial and institutional trust: external security review, human fresh-clone
feedback from at least one serious engineer, and optional raw exchange
disclosure for parties that need custody proof beyond the public redacted
packet.

**Full ZERO operating-intelligence contract readiness: 100/100.**

**Autonomous trust readiness: 100/100.**

The stricter trust bar is intentionally higher than contract completeness. The
repo now documents autonomous-loop bounds, a failure-mode taxonomy, and a
postmortem publication policy. Decision journals are hash-chained,
process-serialized at append time, locally signable, verifier-backed, and
covered by public-safe external anchor packets that can require
Rekor/OpenTimestamps/RFC3161/public-chain receipt references.
The core safety gates now have bounded property-based coverage for risk-budget
invariants, malformed Hyperliquid payloads, memory staleness, dry-run order
validation, model-gateway retry/privacy behavior, and research-source
classification. The research chain rejects prompt-injected, unsupported,
untrusted, or risk-increasing external claims into non-raw quarantine metadata
before they can influence genesis or evolve context. Journal-head anchoring now
has a periodic operation that creates or reuses external anchor packets, fails
closed when live evidence requires an external receipt, and verifies cadence
state. The manual GitHub OIDC MCP Registry workflow and listing verifier now
prove the live listing for `io.github.zero-intel/zero` after `zero-engine`
PyPI publication. The tracked failure modes are documented in
[Failure Modes Of The Autonomous Loop](failure-modes-autonomous-loop.md).

It is still not a hosted custody product, and real capital operation remains
self-custodial and operator-owned. The public repo must not imply that a new
operator can run unattended live capital safely without local custody setup,
canary review, external review, and human-reviewed protected live-code
evolution rules documented in
[Private Engine Capability Gap Audit](private-engine-capability-gap-audit.md).
In plain terms, ZERO has a complete autonomous capital runtime path for a
self-custodial operator, and the public repo now includes redacted private live
evidence. What it does not include is a hosted custody service or raw exchange
records.

For the public repo target, ZERO now has the executable contracts expected from
a complete operating-intelligence launch artifact: paper runtime,
production-parity OODA proof, live-readiness gates, live-shadow fail-closed
evidence, local evolution gates, release evidence, and agentic contribution
surfaces. Hosted Network persistence, paid Intelligence billing/warehouse
infrastructure, third-party security review, production log drains, and raw
exchange disclosure remain external product and launch work, not missing
public-runtime contracts.

## CLI Readiness Detail

| Area | Score | Notes |
|---|---:|---|
| Command surface | 100 | `zero`, `zero init`, `zero doctor`, `zero run`, TUI, and slash-command dispatch cover the public runtime and operator workflows. |
| Operator safety | 100 | Risk-reducing commands are friction-exempt and risk-increasing commands require interactive friction. |
| Engine integration | 100 | HTTP, WebSocket, mock engine, contract tests, Rust client decoding for production-parity OODA reports, live receipt packets, live canary policy packets, `/runtime-parity`, `/live-receipts`, and `/live-canary` operator rendering, live risk-reducer endpoints, and redacted private live execution evidence exist. Raw accepted canary records remain external. |
| Install path | 100 | Release installer exists with checksum and attestation verification, `v0.1.2` was installed from the public GitHub Release into a temporary bin directory, the public Homebrew repo tap installs and tests `zero` from the checksummed GitHub Release asset, PyPI serves `zero-engine` for agent/MCP installs, crates.io serves `zero-os`, which installs the `zero` binary, Docker Hub serves `getzero/zero:0.1.2` with anonymous pull and runtime smoke evidence, and GHCR serves `ghcr.io/zero-intel/zero:0.1.2` with anonymous pull and runtime smoke evidence. |
| Diagnostics | 100 | Doctor, JSON output, exit codes, rate-budget checks, operator/credential partition checks, live-preflight diagnostics, live-cockpit next-action/operator rendering, Railway remote doctor, deployment evidence verification, deployment identity verification, deployment evidence log capture/signing, rollback rehearsal checks, protected-scope fail-closed checks, and live-control refusals are covered. External production examples against a linked Railway project remain operations evidence. |
| TUI production UX | 100 | Snapshot coverage, status honesty, risk overlays, live-stream pane, and a full-screen live cockpit are covered for the public runtime. External live operator fault drills remain operations evidence. |
| Non-interactive automation | 100 | `zero run` covers cockpit, receipts, canary policy, runtime parity, breaker, certification, account truth, and risk-reducer workflows while intentionally gating risk-increasing commands. External production examples remain operations evidence. |
| Documentation freshness | 100 | Command docs, production deployment notes, live-mode API docs, paper/live refusal docs, cockpit drills, canary policy, incident runbooks, and evidence verification docs are current for the public runtime. |

**CLI readiness: 100/100 as a public-runtime terminal.**

The CLI is first-class for the public runtime and operator workflows in this
repo. Raw accepted-live canary records are operator-owned external proof, not
missing terminal shape.

## Definition Of 100

ZERO is 100/100 when a new serious operator can:

- deploy the runtime locally or on Railway from the public repo;
- run paper mode on live Hyperliquid market data;
- inspect every decision through the CLI;
- opt into public profile publishing without leaking secrets;
- switch to live mode only after custody, risk, and kill-switch checks pass;
- stop, flatten, or pause risk immediately from the operator terminal;
- export an audit journal that explains every accepted and rejected action;
- recover from restarts without losing position, risk, or decision state;
- extract local memory from outcomes, generate genesis proposals, run paper
  canaries, calibrate changes, and promote or roll back with reviewable
  evidence;
- publish verified behavior to ZERO Network;
- consume delayed and realtime ZERO Intelligence in growth mode for free;
- move to future commercial ZERO Intelligence packaging when higher limits,
  deeper history, webhooks, redistribution rights, support, or SLAs matter.

## Execution Cycles

Forecast after Cycle 46: **0 major public-repo product cycles remain before the
repo can be treated as a complete ZERO operating-intelligence launch
artifact.** External work still includes third-party review, hosted Network,
growth-mode Intelligence production deployment, and optional raw exchange
disclosure for commercial diligence.

| Cycle | Target | Historical Target Score |
|---|---|---:|
| 7 | Live custody preflight and local key handling | 84 |
| 8 | Self-custodial Hyperliquid live execution with kill switches | 90 |
| 9 | ZERO Network verified public profiles and leaderboards | 94 |
| 10 | ZERO Intelligence API, billing boundary, and delayed public data | 97 |
| 11 | External hardening: security review, package registries, Homebrew, release drills | 100 |

### Cycle 1: Runtime Skeleton

Target score: 58/100.

- Add runtime packages for `runtime`, `bus`, `risk`, `execution`, `operator`,
  `adapters`, and `audit`.
- Keep paper mode deterministic.
- Add a durable local journal format.
- Define the production event schema before adding live execution.

Exit gate:

- `zero-paper-api` writes replayable decisions to a local journal.
- CLI can show runtime status, journal tail, risk state, and last decision.

Current progress:

- `zero-paper-api --journal PATH` appends accepted and rejected paper decisions
  to JSONL.
- `GET /journal?limit=50` returns persisted journal records when a journal is
  configured, or the in-memory decision log otherwise.

### Cycle 2: Hyperliquid Read-Only Adapter

Target score: 66/100.

- Add public Hyperliquid market/account read adapter.
- Add `zero hl status` or equivalent CLI path.
- Add fixtures and replay tests.
- Add rate-limit and exchange-failure tests.

Exit gate:

- Users can run live market-data paper mode without exchange private keys.

Current progress:

- `HyperliquidInfoClient` reads public `allMids` and validates account-read
  addresses for `clearinghouseState`.
- `zero-paper-api --hyperliquid` enables `/hl/status` without requiring secrets
  or signing.
- `/hl/status` stays disabled by default so contributor examples remain
  deterministic and offline.

### Cycle 3: Paper Trading On Live Data

Target score: 74/100.

- Route live market data through the same evaluator, risk, and execution-intent
  path used by live mode.
- Add strategy/lens plugin contracts.
- Add replayable paper sessions.

Exit gate:

- A Railway or local deployment can run paper mode continuously and survive
  restart without losing journaled decisions.

Current progress:

- `zero-paper-api --hyperliquid-live-prices` routes paper quotes through cached
  Hyperliquid `allMids`.
- `POST /execute`, `GET /evaluate/{coin}`, and `GET /positions` use the same
  quote path, so paper fills and marks are sourced from live mids when enabled.
- `GET /market/quote?symbol=BTC` exposes the active quote source for operator
  inspection.
- Missing live symbols and market-data failures fail closed instead of silently
  falling back to deterministic fixture prices.

### Cycle 4: Railway-First Deployment

Target score: 80/100.

- Add Railway template/config.
- Document required variables, volumes, health checks, restart policy, and
  rollback.
- Add `zero doctor railway` checks or equivalent diagnostics.

Exit gate:

- A new operator can deploy paper mode to Railway, inspect it from the CLI, and
  view logs without private context.

Current progress:

- `railway.toml` defines Dockerfile deployment, `/health`, timeout, and restart
  policy.
- `/app/scripts/railway_start.sh` binds `0.0.0.0:${PORT}` and writes the paper
  decision journal to `/data/decisions.jsonl` by default.
- `docs/railway-deploy.md` documents the volume, variables, CLI connection, and
  failure modes.
- GitHub CI runs `scripts/railway_smoke.sh`, which boots the Docker image with
  Railway-style variables, checks `/health`, records a paper fill, and verifies
  journal recovery through `/journal`.

### Cycle 5: Durable Runtime State And Restart Recovery

Target score: 70/100.

- Persist runtime state needed to recover after process or host restart.
- Rehydrate positions, recent decisions, and paper session metadata from disk.
- Add explicit recovery status to `/health`, `/v2/status`, and CLI output.

Exit gate:

- A Railway or local deployment can restart and keep enough state to explain
  the active paper session without relying only on process memory.

Current progress:

- `PaperEngine.recover_from_journal` replays append-only decision records into
  in-memory decisions, simulated fills, open positions, and rejections.
- Journaled idempotency keys rebuild the API execution cache, so duplicate
  `POST /execute` requests after restart return the original simulated result
  instead of creating another paper fill.
- `/health` and `/v2/status` expose recovery status, durable-vs-ephemeral
  journal mode, recovered counts, current counts, and the last decision time.
- `zero run status` renders a recovery row when the engine reports recovery
  metadata.

### Cycle 6: Production Audit And Observability

Target score: 76/100.

- Add trace IDs across decisions, fills, API requests, and CLI commands.
- Add metrics endpoints and operator export format.
- Define journal retention, redaction, and integrity checks.

Exit gate:

- An operator can export a complete paper-session audit trail and correlate CLI
  actions with engine decisions.

Current progress:

- Every HTTP response carries `X-Zero-Trace-Id`.
- HTTP `POST /execute` writes the request trace into the paper decision journal
  and echoes it in the HTTP response; idempotency replays preserve the original
  decision trace.
- `GET /metrics` exposes runtime counters for API calls, status codes, execute
  outcomes, idempotency hits, decisions, fills, rejections, open positions, and
  recovery state.
- `GET /audit/export?limit=100` returns a structured `zero.audit.v1` packet
  with summary, retention/redaction metadata, metrics, recovery state, and
  recent decisions.
- Local and Railway smoke tests verify traced execution, metrics, and audit
  export.

### Cycle 7: Live Custody Preflight

Target score: 84/100.

- Add local-only Hyperliquid API wallet setup.
- Add key redaction, permission checks, account-read verification, and dry-run
  order validation.
- Add `zero doctor` checks that refuse live mode until custody, exchange, risk,
  journal, and emergency controls are all present.

Exit gate:

- Live mode cannot start without a passing custody and safety preflight.

Current progress:

- CLI config now has explicit Hyperliquid custody metadata and emergency-control
  fields while keeping private keys out of `config.toml`.
- `zero-config` has local-only Hyperliquid private-key helpers for
  operator-scoped OS keychain slots and environment resolution, plus strict
  key/address validation and redaction.
- `GET /live/preflight` emits `zero.live_preflight.v1`, refuses live mode by
  default, verifies wallet/key shape, account-read access, dry-run order
  validation, durable journal presence, risk limits, and emergency controls.
- `zero doctor` reads the live-preflight gate and warns until controls are
  present; future live start paths can require the same row to pass.
- Local and Railway smoke tests verify the preflight endpoint remains non-secret
  and returns `live_mode=refused` in public paper deployments.

### Cycle 8: Self-Custodial Live Execution

Target score: 90/100.

- Add live executor with idempotency, no-retry-on-order-submit, kill switch,
  dead-man switch, reduce-only flatten, max notional, max loss, and max order
  rate.
- Add exchange outage drills, kill-switch drills, and flatten drills.

Exit gate:

- Operators can start live mode only after preflight and can immediately pause,
  kill, or flatten exposure from the CLI.

Current progress:

- Added `zero_engine.live.LiveExecutor` with idempotent submit, deterministic
  Hyperliquid client order IDs, dead-man heartbeat, pause/resume, kill switch,
  reduce-only flatten, max notional, daily loss, and order-rate limits.
- Added an optional `HyperliquidSdkAdapter` behind the `engine[live]`
  dependency group; paper installs and Railway paper deploys do not need it.
- `POST /execute` now routes to live execution only when `X-Zero-Mode: live`
  is sent and a local live executor is configured; otherwise it fails closed.
- The interactive CLI now wires `/execute <coin> <buy|sell> <size>` to
  `POST /execute` after operator-state friction clears, with no automatic
  retry and engine-asserted `(paper)` / `(live)` rendering.
- Added `POST /live/heartbeat`, `/live/pause`, `/live/resume`, `/live/kill`,
  and `/live/flatten` plus CLI wiring for `/kill`, `/pause-entries`, and
  `/flatten-all`.
- Local and Railway smoke tests now assert public paper deployments refuse live
  execution and live controls with `live executor not configured`.
- Added `GET /live/evidence`, a hash-only `zero.live_evidence.v1` canary
  evidence bundle that captures preflight, cockpit, live execution receipts,
  reconciliation, immune, certification, audit, deployment claim, and
  deployment heartbeat artifacts without leaking credentials, raw decisions,
  trace tokens, or idempotency keys. `ZERO_LIVE_EVIDENCE_SIGNING_KEY` enables
  local HMAC-SHA256 signing.
- Added `scripts/live_canary_rehearsal.py`, which captures the full local
  rehearsal packet sequence in safe fail-closed mode and supports explicit
  operator-owned canary mode once all live gates are ready.
- Added `scripts/live_canary_verify.py`, which recomputes hashes, verifies
  packet completeness/status, compares manifest receipt/evidence fields, and
  fails on common redaction leaks before a canary bundle is shared.
- Added `scripts/live_canary_exchange_evidence.py`, which normalizes an
  operator-owned Hyperliquid order/fill export into public-safe evidence,
  hashes raw venue identifiers, matches exchange records to accepted ZERO
  receipts, and refreshes bundle checksums.
- Added `scripts/live_canary_operator.py`, which runs the public-safe refusal
  workflow end to end, finalizes real canary bundles after exchange export,
  writes `operator_report.json`, and fails closed when accepted live receipts
  lack exchange-side proof.
- Added `scripts/live_canary_operator_verify.py`, which independently verifies
  operator reports, recursive workflow checksums, privacy flags, redaction
  posture, accepted-live exchange-evidence rules, and the nested canary bundle.

### Cycle 9: ZERO Network

Target score: 94/100.

- Add opt-in public profile publishing contract.
- Add verified paper/live badge protocol.
- Add leaderboard data model.
- Keep default runtime private.

Exit gate:

- Operators can publish verified public behavior without leaking credentials,
  private notes, or non-consented strategy details.

Current progress:

- Added `zero.network.profile.v1` public-safe profile packets with aggregate
  behavior metrics, proof hashes, privacy metadata, and verification badges.
- Added `zero.network.leaderboard.v1` rows derived from the same redacted
  profile packet.
- Added `POST /network/publish` with explicit consent plus
  `ZERO_NETWORK_PUBLISH_PATH`; the public runtime writes a local JSONL proof log
  and does not upload to a hosted ZERO service.
- Added tests and smoke checks proving public profiles exclude raw decisions,
  trace IDs, idempotency keys, per-trade symbols, wallet material, exchange
  order details, and strategy source labels.
- Added `docs/proof/network` with a deterministic
  `zero.network_proof_pack.v1` chain that binds the public profile,
  leaderboard, deployment identity bundle, profile verification report, and
  hosted-compatible ingestion acceptance.

### Cycle 10: ZERO Intelligence

Target score: 97/100.

- Add API key, rate-limit, billing, and dataset model.
- Ship delayed public snapshots and realtime paid feed contracts.
- Add cohort, benchmark, webhook, and export contracts.

Current progress:

- Added `zero.intelligence.snapshot.v1` delayed public intelligence packets
  derived from verified ZERO Network proof.
- Added `zero.intelligence.catalog.v1` with public/commercial packaging,
  hosted API auth shape, rate-limit headers, dataset names, scopes, and plan
  boundaries.
- Added `POST /intelligence/export` with explicit consent plus
  `ZERO_INTELLIGENCE_EXPORT_PATH`; the public runtime writes a local JSONL
  packet log and does not upload to a hosted ZERO service.
- Added tests and smoke checks proving intelligence packets exclude raw
  decisions, trace IDs, idempotency keys, per-trade symbols, exchange
  credentials, private notes, and strategy source labels.
- Added hosted-compatible `/v1/intelligence/snapshots`, `/history`, `/cohorts`,
  `/benchmarks`, `/webhooks`, and `/exports` with bearer-scope checks,
  `x-zero-ratelimit-*` headers, usage events, HMAC-SHA256 webhook signature
  fixtures, aggregate export jobs, OpenAPI coverage, local smoke, and Railway
  smoke coverage.

Exit gate:

- Hosted commercial users can pay for speed, history, scale, webhooks, exports,
  and redistribution while the runtime stays open.

### Cycle 11: Production Hardening

Target score: 100/100.

- Add chaos drills, exchange outage drills, restart drills, key-rotation drills,
  and incident runbooks.
- Add security review, threat model update, and signed release policy.
- Add package registry distribution once names, Trusted Publishing, owner
  lists, and rollback procedures are secured.

Current progress:

- Added a public threat model covering custody, live execution, public packet
  privacy, dependency/release compromise, Railway, and contributor bypass
  risks.
- Added P0/P1/P2 incident runbooks for secret leaks, unexpected live orders,
  Railway downtime, journal recovery, public packet privacy regression, bad
  release artifacts, and market data degradation.
- Added distribution readiness policy for GitHub Release, PyPI, crates.io,
  Homebrew, and container channels with promotion and rollback gates.
- Added `scripts/hardening_gate.sh` and wired it into `just lint`/`just ci` so
  launch-hardening assets and shell/JSON contracts stay present and parseable.
- Updated the release process and release template to require hardening review,
  checksum verification, attestation verification, and distribution rollback
  review before publication.
- Added `scripts/registry_readiness.py` and wired it into CI/release preflight
  to enforce PyPI metadata, Cargo registry metadata, optional live dependencies,
  and package-channel guardrails without publishing to external registries.
- Added dependency and supply-chain policy plus release SBOM/provenance
  generation so release bundles carry checksummed `SBOM.spdx.json` and
  `PROVENANCE.json` alongside GitHub artifact attestations.
- Added draft-release rollback rehearsal, Homebrew formula rendering from
  `SHA256SUMS`, a committed public repo tap formula, and a formula drift check
  that proves `Formula/zero.rb` remains renderer-generated.
- Backfilled the public `v0.1.1` GitHub Release with checksummed
  `SBOM.spdx.json` and `PROVENANCE.json`, verified executable attestations, and
  added `scripts/release_evidence.py` for clean-download release evidence.

Exit gate:

- The production scorecard reaches at least 95 in every dimension, and no live
  capital path is blocked by missing safety, audit, deployment, or recovery
  work.
````


## Source: `docs/public-upgrade.md`

````markdown
# Public Upgrade Plan

This document is the launch control plan for turning the public repository into
the open ZERO Runtime, Protocol, and Proof surface. The customer-facing product
surface stays on getzero.dev and app.getzero.dev.

ZERO is the operating intelligence layer between humans and capital. The public
repo must prove its part of that system through runnable software, not marketing
copy. The first public impression should be:

- a serious engineer can run paper mode in minutes;
- the Runtime, Protocol, CLI, and Proof contracts are real, testable, and inspectable;
- live-capable behavior fails closed until custody, risk, reconciliation, and
  emergency controls are coherent;
- the open-core boundary is obvious;
- agentic contributors can find safe, scoped work immediately.

Hosted Studio, Control, Registry, founder-admin, and doctrine surfaces are not
public-repo surfaces. This repo owns the open Runtime, Protocol, Proof, CLI,
and verification substrate those products can consume.

## Non-Negotiables

- Do not publish this private monorepo wholesale.
- Keep the public repo built from a positive allowlist.
- Keep paper mode as the default first-run path.
- Keep public examples secret-free and deterministic.
- Keep live execution self-custodial and explicit.
- Keep future commercial data products outside this open Runtime/Protocol/Proof
  repo until they have an explicit public contract boundary.
- Keep local memory, research, genesis, evolve, guardian review, paper canary,
  and calibration loops open because they are part of the self-custodial runtime.
  Local memory is already open in [Memory Core](memory-core.md), and genesis
  proposal classification is open in [Genesis](genesis.md). Paper-only research
  is open in [Research Command Chain](research.md). The lens/layer/modifier
  decision stack is open in [Decision Stack](decision-stack.md). Production
  parity OODA reporting is open in [Runtime Bus](runtime-bus.md). Paper-only
  evolve gates plus local sandbox promotion, explicit local apply, and rollback
  execution are open in [Evolve Harness](evolve.md).
- Do not imply guaranteed returns, hosted custody, or unattended live safety.

## Public Launch Surface

| Surface | Public launch requirement |
| --- | --- |
| Runtime | Paper engine, local API, durable journal, runtime bus, production-parity OODA reports, strategy runners, safety gates, read-only Hyperliquid data, and live-readiness contracts. |
| Protocol | MCP-compatible schemas, read/compute tools, mandates, evidence bundles, replay frames, audit entries, and permission tiers. |
| CLI | Doctor, status, risk, replay, Runtime control packets, and friction-preserving risk controls. |
| Evolution | Local memory, research command chain, decision-stack review, production-parity OODA reporting, genesis proposal core, paper-first evolve gates, sandbox candidate mutation, promotion plans, explicit local apply, rollback receipts, and promotion verification now exist; protected live-code evolution remains human-reviewed. |
| Proof | Redacted local proof packets, public contract schemas, replay exports, journal roots, and verification fixtures. |
| Developers | Links to getzero.dev/developers and getzero.dev/proof, plus repo-local quickstarts and contribution boundaries. |
| Contribution | Agent guide, scoped backlog, issue forms, PR template, safety review path, and one-command gates. |

## Upgrade Cycles

### Cycle A: Public Truth Pass

Goal: make the public repo impossible to misunderstand.

- Root README states the product truth, repo boundary, current runnable surface,
  safety defaults, open-core boundary, and current live-capital limitations.
- `docs/production-readiness.md` separates public launch readiness from full
  hosted-product and live-capital readiness.
- `docs/open-core-boundary.md` defines what stays open and what becomes ZERO
  Intelligence.
- `scripts/public_readiness_gate.sh` rejects cache artifacts, private markers,
  private infrastructure, stale product framing, and generated binary/runtime
  files.

Exit gate:

```bash
just public-readiness
just docs-check
```

### Cycle B: Real Runtime Publicization

Goal: move the real Runtime capabilities into the public runtime without private
state, private deployment topology, or commercial data.

Publicize:

- OODA loop controller interfaces;
- strategy/lens runner interfaces;
- risk and immune gates;
- live-readiness and reconciliation contracts;
- hash-only signed live evidence bundles;
- local journals and runtime bus;
- Hyperliquid venue adapter interfaces;
- paper/live separation tests;
- operator-safe CLI workflows, including friction-gated engine-backed
  `/execute <coin> <buy|sell> <size>`.

Keep private:

- private operator state;
- production wallets, addresses, keys, journals, and fills;
- private deployment topology;
- proprietary datasets, calibrations, and hosted scoring feeds;
- commercial fleet management, billing, and customer operations.

Exit gate:

```bash
just ci
just public-readiness
```

Current progress: `/live/evidence` now packages preflight, cockpit, live
execution receipts, reconciliation, immune, certification, audit, deployment
claim, and deployment heartbeat hashes into `zero.live_evidence.v1`, with
optional local HMAC-SHA256 signing via `ZERO_LIVE_EVIDENCE_SIGNING_KEY`.
The repo also commits `zero.live_trading_evidence.v1`, a redacted proof bridge
generated from private operator Hyperliquid fills, trades, and live decisions.
It proves live execution evidence exists without publishing raw venue records,
wallet addresses, private journals, or custody material.

### Cycle C: Launch Proof

Goal: produce the evidence a serious engineer expects before starring,
installing, or contributing.

- Fresh-clone demo transcript.
- Fresh source-tree rehearsal in CI, proving the public gates and paper API
  work outside the maintainer checkout.
- Published `v0.1.1` clean-download release evidence with checksums,
  executable attestations, release verifier output, and Homebrew formula
  rendering.
- Railway paper deployment evidence.
- Release rehearsal evidence.
- OpenSSF Scorecard enabled.
- CodeQL, secret scan, Dependabot, and release attestations green.
- At least five scoped `good first issue` candidates in
  [launch issues](launch-issues.md).
- At least three `help wanted` issues for serious contributors in
  [launch issues](launch-issues.md).

Exit gate:

```bash
just release-rehearsal
just draft-release-rehearsal
just release-evidence v0.1.2
just fresh-clone-rehearsal
just public-readiness
```

### Cycle D: Self-Evolution Publicization

Goal: expose the adaptive loop that makes ZERO operating intelligence improve
under review, without publishing private operator data or commercial
intelligence.

Publicize:

- memory taxonomy and append-only knowledge extraction, now implemented as the
  first open component;
- genesis proposal schema, journal, and guardian policy;
- research reports for hunt, edge, convergence, thesis, score, meta, and sharpen;
- builder, red-team, paper canary, calibration, and local promotion gates;
- expanded read-only MCP/API surfaces for runtime status, health, journal,
  rejection audit, memory, genesis, research, decision-stack review, evolve
  gates, immune state, backtest summaries, evidence bundles, and safety
  classification.

Keep private:

- private journals, production trades, production wallets, private deployment
  details, proprietary datasets, and hosted aggregate intelligence.

Exit gate:

```bash
just ci
just public-readiness
```

## Launch Score

Use two scores, always:

- **Public repo readiness:** how ready this repository is for engineers and
  contributors.
- **Full ZERO operating-intelligence readiness:** how close the public runtime is to
  the complete autonomous live-capital system.

Do not collapse those into one number. A repo can be excellent for public
contribution while raw exchange disclosure, external review, and hosted
infrastructure remain separate product work.
````


## Source: `docs/autonomous-os-plan.md`

````markdown
# ZERO Runtime Completion Plan

Status: historical publicization roadmap. The canonical public repo surfaces
are ZERO Runtime, ZERO Protocol, ZERO Proof, and Developers. Hosted Studio,
Control, Registry, founder-admin, and doctrine surfaces live outside this
repository.

This plan defines the historical path from the open-source launch repository to
the current open ZERO Runtime, ZERO Protocol, and ZERO Proof substrate for
self-custodial capital operations.

The current public repo is strong as an open Runtime, Protocol, and Proof
surface, contributor surface, CLI, paper runtime, and safety-first launch
artifact. It is not a hosted real-capital product surface. The remaining work is
runtime truth, live exchange evidence, multi-operator isolation, public Network
ingestion, growth-mode Intelligence infrastructure, future commercial scale
packaging, and the public self-evolution loop: memory, research, genesis,
guardian review, red-team, canary, calibration, and evolve.

## North Star

ZERO reaches 100/100 when a serious operator can:

- deploy ZERO locally, in Docker, or on Railway without private ZERO
  infrastructure;
- run paper mode on live Hyperliquid market data;
- run a continuous OODA loop with strategy runners, risk gates, execution
  policy, and immune controls;
- verify production-parity OODA behavior from the operator terminal with
  `/runtime-parity`;
- inspect public-safe live execution receipts from the operator terminal with
  `/live-receipts`;
- verify the live canary policy lifecycle from the operator terminal with
  `/live-canary`;
- inspect every accepted and rejected decision through the terminal;
- switch to live Hyperliquid execution only after local custody, journal,
  risk, liveness, and emergency controls pass;
- reconcile open orders, fills, positions, equity, funding, and exchange
  failures against Hyperliquid;
- pause, kill, flatten, or reduce risk immediately from the CLI;
- restart without losing runtime state, idempotency state, risk state, or
  position truth;
- export an audit bundle that explains every cycle and every decision;
- learn from local outcomes through memory, research reports, genesis
  proposals, paper canaries, calibration, and reviewable promotion gates;
- opt into public ZERO Network publishing without leaking secrets;
- consume delayed and realtime ZERO Intelligence in growth mode for free;
- move to future commercial ZERO Intelligence packaging only when higher
  limits, deeper history, webhooks, redistribution rights, or support matter.

## Product Boundary

Open:

- ZERO Runtime
- ZERO CLI
- paper trading
- venue adapters needed for self-custodial operation
- local journals and audit exports
- local memory, research, genesis, evolve, proposal journals, paper canaries,
  red-team review, and calibration gates
- strategy and market-data extension contracts
- ZERO Network proof contracts, profiles, leaderboards, and delayed public
  snapshots
- Railway and Docker self-host deployment paths

Commercial:

- higher-scale ZERO Intelligence API access after growth-mode free access
- historical intelligence datasets
- cohorts, benchmarks, webhooks, exports, redistribution rights, SLAs, and
  enterprise support
- hosted ingestion and reliability commitments for the Intelligence product

ZERO should not sell basic execution, custody, or safety as proprietary
features. ZERO should sell advantaged access to verified autonomous behavior at
speed, scale, history, and reliability.

## Current Baseline

| Dimension | Current | 100/100 Gap |
|---|---:|---|
| Public repo hygiene | 100 | PyPI `zero-engine`, MCP registry listing, release gates, and public contribution surfaces are live; external review remains business/process work |
| Product narrative | 100 | keep narrative aligned as hosted Network and Intelligence launch |
| CLI readiness | 100 | five-mode terminal with full-screen live cockpit exists; raw exchange records remain operator-owned proof |
| Engine runtime | 100 | public production-parity OODA report plus redacted live trading evidence exist; raw exchange records remain operator-owned external proof |
| Self-evolution loop | 98 | public memory, research command chain, genesis proposal classification, production-parity OODA reports, local apply, rollback, paper-first evolve gates, agent architecture bounds, and property-based safety coverage exist; protected live-code evolution remains human-reviewed |
| Safety and risk | 98 | autonomous-loop failure taxonomy and bounded property-based safety-gate tests exist; real exchange chaos drills and external review remain |
| API contracts | 100 | public runtime contracts are complete; hosted compatibility is commercial launch work |
| Deployment | 96 | live Railway proof, external production log-drain evidence |
| Observability and audit | 99 | checksum-chained runtime bus, hash-chained signable decision journal, local timestamp binding, external anchor packet, periodic anchor-cadence operation, verifier, and signed evidence bundles exist; metrics backend and log drains remain |
| Security and custody | 91 | external review, key-handling drill evidence |
| ZERO Network | 82 | deterministic public proof-chain pack plus profile identity verifier exist; hosted identity service, public pages, and production ingestion service remain |
| ZERO Intelligence | 82 | durable JSONL hosted-reference persistence and growth-mode free access exist; hosted warehouse backend, abuse controls, terms, retention, and SLA policy remain |
| Release and distribution | 100 | public Homebrew repo tap, PyPI `zero-engine`, and MCP Registry listing exist; crates/container registry ownership remains optional external distribution work |
| Operator docs | 98 | third-party review and optional raw exchange disclosure |

## Execution Cycles

Each cycle should land as a small, reviewable merge to `main` with tests, docs,
and a scorecard update. A cycle is done only when local `just ci` and remote
CI/security workflows pass.

The capability baseline is documented in
[Private Engine Capability Gap Audit](private-engine-capability-gap-audit.md).
That audit supersedes the earlier assumption that only hosted Network,
Intelligence, and external proof remained.
Cycle 28 delivered the first open self-evolution component:
[Memory Core](memory-core.md).

### Cycle 12: Autonomous Runtime Loop

Target score: 78.

Build the public OODA controller as the engine source of truth:

- `observe`: collect market, account, journal, operator, and liveness state.
- `orient`: derive regime, exposure, stale data, and risk posture.
- `decide`: run strategy runners and risk policy to produce intents or
  rejections.
- `act`: dispatch to paper or live execution bus.
- `learn`: append audit records and calibration signals.

Exit gate:

- `zero-engine-run --once` produces one complete cycle record.
- `zero-engine-run --interval 5` can run continuously.
- Restart recovery preserves last cycle, idempotency keys, positions, and
  rejection counts.

Current progress:

- `zero-engine-run --once` runs one paper OODA cycle from a public scenario.
- `RuntimeLoop` records explicit observe, orient, decide, act, and learn
  phases as `zero.runtime.cycle.v1`.
- Decision journals recover through the existing `PaperEngine` replay path, so
  later runtime invocations continue at the next scenario intent instead of
  duplicating the first action.
- `examples/runtime-loop` demonstrates a bounded paper cycle with temporary
  decision and cycle journals.
- `zero-engine-run --production-parity` emits
  `zero.runtime.production_parity.v1`, mirrors the same intents through a
  disabled live executor, verifies no live adapter orders were placed, and
  attaches `zero.runtime.feedback.v1` rejection/execution-quality feedback.

### Cycle 13: Strategy Runner SDK

Target score: 80.

Turn examples into a real contributor SDK:

- define `StrategyRunner` and `MarketLens` protocols;
- load declarative YAML strategies and Python plugins in paper mode;
- require paper-only defaults for community plugins;
- add conformance fixtures for runner outputs, risk labels, and failure modes.

Exit gate:

- a new strategy can be added with one file plus one fixture;
- malformed runners fail closed;
- strategy output cannot bypass risk evaluation.

Current progress:

- `StrategyRunner`, `StrategyRunnerMetadata`, and `DeclarativeStrategyRunner`
  define a paper-first runner SDK.
- `load_strategy_runner` loads JSON or ZERO's dependency-free YAML subset.
- `assert_runner_conformance` emits deterministic
  `zero.strategy_runner.conformance.v1` packets for review and CI fixtures.
- `examples/strategy-runner` demonstrates one-file declarative strategy
  contribution.
- Tests prove runner output still goes through `PaperEngine.submit` and can be
  rejected by risk limits.

### Cycle 14: Durable Runtime Bus

Target score: 83.

Replace process memory assumptions with a durable local bus:

- event log for cycles, decisions, fills, positions, health, and operator
  commands;
- state snapshots for fast boot;
- append-only journal integrity checks;
- SQLite or JSONL-backed local store with a clean interface for future
  Postgres mirroring.

Exit gate:

- kill and restart during a paper loop recovers state without duplicated fills;
- audit export can reconstruct the session from disk only.

Current progress:

- `DurableRuntimeBus` writes dependency-free local
  `zero.runtime.event.v1` events to `events.jsonl`.
- Events are checksum-chained through `previous_checksum` and `checksum`, and
  `verify_integrity()` fails closed on mutation, deletion, reorder, or chain
  break.
- `zero-engine-run --runtime-bus DIR` records runtime cycles, decisions,
  fills, rejections, position snapshots, and health events.
- `state-snapshot.json` stores the latest fast-boot state with event count and
  last checksum.
- `export_audit()` returns `zero.runtime.audit.v1` from disk only, including
  integrity status, event type counts, latest snapshot, and events.

### Cycle 15: Hyperliquid Account Reconciliation

Target score: 86.

Make Hyperliquid account truth explicit before expanding live trading:

- read open orders, fills, positions, margin, funding, and account equity;
- reconcile local state against exchange state;
- classify drift as stale data, local lag, exchange rejection, or critical
  mismatch;
- fail live risk-increasing actions when reconciliation is stale or mismatched.

Exit gate:

- `/hl/account` and CLI readouts are available without exposing secrets;
- reconciliation fixtures cover partial fills, canceled orders, stale mids,
  missing orders, and drift.

Current status:

- `GET /hl/account` returns normalized `zero.hl_account.v1` account snapshots
  from read-only `clearinghouseState` and `openOrders` calls.
- `GET /hl/reconcile` returns `zero.reconciliation.v1` with stale-data,
  local-lag, exchange-rejection, and critical-mismatch classifications.
- The Rust CLI exposes `/hl-account` and `/hl-reconcile` readouts backed by
  typed engine-client models and mock-engine contract coverage.
- Live risk-increasing `POST /execute` now fails closed unless reconciliation
  allows risk increase; reduce-only controls remain available.
- Remaining scope before Cycle 16: richer fill/funding/order-history
  reconciliation fixtures.

### Cycle 16: Live Execution Certification Harness

Target score: 89.

Promote live primitives into a certified operating path:

- exchange adapter conformance tests;
- fake exchange chaos harness;
- tiny-capital live canary runbook;
- dead-man, cancel-all, kill, pause, flatten, and reduce-only drills;
- evidence bundle template for live rehearsal.

Exit gate:

- no live start without passing preflight, reconciliation, durable journal, and
  certification checks;
- a dry-run or tiny-live report can prove each emergency path worked.

Current status:

- `LiveExecutor` turns exchange submit outages into auditable `exchange_error`
  records and does not retry order submissions.
- `GET /live/certification` returns `zero.live_certification.v1` dry-run
  evidence for heartbeat, idempotency, exchange outage, pause, reduce-only
  flatten, kill, dead-man rejection, order-rate, and daily-loss drills.
- The Rust CLI exposes `/live-certify` with typed client coverage and mock
  engine contract coverage.
- [Live Certification](live-certification.md) documents the evidence bundle and
  tiny-capital canary procedure.
- Remaining scope before Cycle 17: execute the tiny-capital canary only after
  explicit operator approval and preserve real exchange-side evidence.

### Cycle 17: Immune System And Circuit Breakers

Target score: 91.

Build the protective layer as first-class runtime code:

- stale data breaker;
- max drawdown breaker;
- daily loss and per-symbol exposure breaker;
- order velocity breaker;
- exchange error breaker;
- operator inactivity breaker;
- manual kill file and terminal kill command priority.

Exit gate:

- every breaker has fixtures, metrics, audit records, and CLI rendering;
- risk-reducing commands continue to work while risk-increasing actions are
  blocked.

Current status:

- `zero.immune.v1` models risk-blocking breaker state for stale market data,
  reconciliation, dead-man freshness, operator pause, kill switch, daily loss,
  order velocity, exchange submit errors, operator inactivity, and max exposure.
- `GET /immune` exposes the packet; `/health`, `/metrics`, `/audit/export`,
  and `/live/preflight` embed it so breaker state is visible in operations and
  evidence bundles.
- Live risk-increasing execution checks the immune packet after reconciliation
  and before order submission. Risk-reducing controls remain available.
- The Rust CLI exposes `/immune` with typed client and mock-engine coverage.
- [Immune System](immune-system.md) documents breaker semantics and live-start
  behavior.
- Remaining scope before Cycle 18 was the richer TUI cockpit layout and real
  canary evidence for exchange-side breaker behavior. Cycle 41 closes the
  cockpit layout; accepted exchange evidence remains external operator proof.

### Cycle 18: Operator Terminal Live Cockpit

Target score: 92.

Make the CLI/TUI the safety-preserving operator interface for the real runtime:

- cycle status, exchange status, reconciliation status, breaker state, and
  journal tail;
- live heartbeat visibility;
- preflight and refusal reasons surfaced plainly;
- one-command `pause`, `kill`, `flatten`, and `resume` flows;
- non-interactive `zero run` examples for supervised operations.

Exit gate:

- an operator can diagnose and reduce risk from the terminal without using raw
  HTTP calls.

Current status:

- `GET /live/cockpit` emits `zero.live_cockpit.v1`, joining preflight,
  reconciliation, immune breakers, dry-run certification, heartbeat, recent
  live records, operator actions, and the next required action.
- The Rust client decodes the cockpit packet and `zero run live-cockpit`
  renders the live-mode state, failed checks, open breakers, certification
  count, heartbeat expiry, and risk-reducer commands.
- The full-screen TUI cockpit is available with Ctrl+5 and `/cockpit-mode`.
  It renders the same `zero.live_cockpit.v1` packet from the engine-state
  mirror, while the background poller owns the HTTP fetch.
- `/execute <coin> <buy|sell> <size>` is wired to the engine `POST /execute`
  endpoint after operator-state friction clears. `/resume-entries` is wired as a
  friction-gated live resume command; `/kill`, `/flatten-all`, and
  `/pause-entries` remain instant risk reducers.
- Live executor attempts now produce `request_hash` and `receipt_hash` values,
  and `/live/receipts` contributes a hash-only artifact into `/live/evidence`
  for canary audit bundles.
- Local, Railway, mock-engine, and OpenAPI contract checks cover the cockpit.
- [Live Cockpit](live-cockpit.md) documents the operator workflow and canary
  evidence boundary.
- Remaining scope before Cycle 19 is real tiny-capital canary evidence after
  external live approval.

### Cycle 19: Multi-Operator Foundation

Target score: 94.

Prepare ZERO as a substrate, not a single-operator script:

- `OperatorContext` for all runtime state, custody config, bus paths, and model
  config;
- per-operator local filesystem partitions;
- signed deployment identity and heartbeat protocol;
- local-first deployment claim contract;
- public schema that a hosted control plane can consume later without making
  paper mode depend on it.

Exit gate:

- two operators can run isolated local deployments from the same checkout;
- state, journals, profiles, and credentials cannot cross partitions.

Current status:

- `zero.operator_context.v1` is resolved from `X-Zero-Operator-*` headers,
  `ZERO_OPERATOR_*` environment variables, or the local default.
- `GET /operator/context` exposes the active audit identity.
- `/live/cockpit`, `/audit/export`, live control responses, and live execution
  records include operator context.
- Live control attempts are appended to an in-memory operator action log and
  surfaced in cockpit/audit packets.
- The Rust CLI attaches `identity.handle` as operator context when config is
  present and renders the resolved operator line in `zero run live-cockpit`.
- Local mutable CLI state now lands under
  `<zero_dir>/operators/<operator-slug>/`, including `state.db`, `zero.log`,
  the headless socket, headless state, and daily wraps.
- OS keychain writes use `operator:<operator-slug>` account names for engine
  and Hyperliquid secrets, with legacy `default` reads kept only for migration
  compatibility.
- `zero doctor` includes `operator_partition` and `credential_partition` rows,
  and warns when legacy shared state artifacts remain at the top level.
- Added `zero.deployment.claim.v1` with local deployment metadata, public-safe
  operator identity, aggregate evidence counts, signature-ready claim hash, and
  explicit `unsigned_local` status unless external signing metadata is supplied.
- Added `zero.deployment.heartbeat.v1` with public-safe paper/live liveness,
  dead-man freshness, heartbeat hash, and optional external signature metadata.
- `GET /deployment/claim`, `/deployment/heartbeat`, `/network/profile`,
  `/network/leaderboard`, `/intelligence/snapshot`, and `/audit/export` now
  share deployment claim and heartbeat hashes so a hosted Network or
  Intelligence API can verify packet lineage later.
- Remaining scope before Cycle 20: real hosted verification service design.

### Cycle 20: LLM Gateway

Target score: 95.

Add provider-agnostic intelligence plumbing without making trading depend on a
single model vendor:

- Added `ModelClient` protocol boundary and provider registry.
- Added OpenAI, Anthropic, Ollama, and OpenRouter provider families as
  registered optional provider surfaces.
- Added capability tiers for hard reasoning, fast reasoning, chat, embeddings,
  and structured output.
- Added deterministic mock provider for CI and local conformance.
- Added real HTTP JSON adapters for OpenAI, Anthropic, Ollama, and OpenRouter
  behind explicit network opt-in.
- Added bounded retry budgets, timeout policy, provider usage extraction,
  operator-configured token cost estimates, and hosted key-management rules.
- Added structured output validation, fail-closed evaluation, and usage/cost
  event recording.
- Added `GET /intelligence/model-gateway` plus OpenAPI, fixture, smoke checks,
  and docs.
- Added `GET /intelligence/model-gateway/health` for config-only provider
  health by default and explicit `network=true` structured provider probes.
- Added `GET /intelligence/model-gateway/audit` for production model-operation
  bundles with controls, evidence requirements, usage totals, and privacy
  assertions.

Exit gate:

- the runtime can evaluate through mock/local providers in CI;
- live providers are optional, configured per operator, and never expose secret
  values in public status packets;
- model failure degrades safely instead of inventing certainty;
- provider health and audit packets remain public-safe and omit prompts, raw
  outputs, headers, request IDs, and secret values.

Remaining scope before Cycle 21: add live hosted key-management implementation,
hosted provider health evidence retention, and commercial model audit history
behind the same fail-closed contract.

### Cycle 21: ZERO Network Ingestion And Anti-Gaming

Target score: 96.

Make public proof a real open product surface:

- signed proof packets;
- local publish queue;
- anti-gaming rules for duplicate handles, replayed packets, fake volume, sybil
  profiles, and stale publication;
- public-safe identity and verification badges;
- hosted-compatible ingestion contract.

Exit gate:

- profile and leaderboard data can be accepted, rejected, replayed, and audited
  without private runtime data.

Current progress:

- Added `zero.network.ingestion.v1` for hosted-compatible validation of
  already-redacted public profile packets.
- Added `POST /network/ingest` with explicit publication-consent checks,
  recomputed proof-hash validation, aggregate metric consistency checks,
  duplicate handle/proof refusal, deployment claim/heartbeat hash binding, and
  accepted-only leaderboard output.
- Added a pinned ingestion fixture at
  [contracts/network/ingestion.json](../contracts/network/ingestion.json).
- Local and Railway smoke paths verify accepted ingestion remains public-safe
  and does not leak trace IDs or idempotency keys.

Remaining scope before Cycle 22: signed hosted identity verification, public
profile pages backed by the ingestion result, stale-publication windows, sybil
policy, and production service persistence.

### Cycle 22: ZERO Intelligence API

Target score: 97.

Build the commercial data product around verified autonomous behavior:

- hosted API contract for snapshots, cohorts, benchmarks, webhooks, and
  exports;
- bearer API keys, scopes, rate-limit headers, and usage events;
- delayed public snapshots remain open;
- realtime/history/scale/webhooks/export rights are commercial;
- billing-ready plan boundaries.

Exit gate:

- public delayed data and commercial realtime data are separate, tested, and
  documented;
- no exchange credentials or raw private journals are required.

Current progress:

- Added `zero.intelligence.commercial.v1`, a pinned hosted API boundary for
  open/commercial/not-sold rules, bearer-token hosted auth shape, plans,
  scopes, datasets, endpoints, rate-limit headers, usage events, webhooks,
  exports, reliability tiers, and privacy.
- Added `GET /intelligence/commercial` plus OpenAPI, fixture, tests, local
  smoke, and Railway smoke coverage.
- Updated `zero.intelligence.catalog.v1` so its hosted API summary points to
  the commercial contract instead of carrying only prose.

### Cycle 23: Hosted Intelligence Reference API

Target score: 98.

Make the commercial API boundary runnable without pretending the public runtime
is the production warehouse:

- public delayed `/v1/intelligence/snapshots`;
- token-gated realtime/history/cohort/benchmark scopes;
- rate-limit headers on hosted-compatible responses;
- signed webhook fixture;
- aggregate export job contract;
- Railway smoke coverage.

Exit gate:

- clients can build against `/v1/intelligence/*`;
- paid scopes fail closed without a valid bearer token;
- webhook signatures are verifiable;
- no token, signing key, raw journal, exchange credential, or trace data leaks.

Current progress:

- Added `/v1/intelligence/snapshots`, `/history`, `/cohorts`, `/benchmarks`,
  `/webhooks`, and `/exports` to the stdlib paper API.
- Added `ZERO_INTELLIGENCE_API_TOKEN`, `ZERO_INTELLIGENCE_API_PLAN`,
  `ZERO_INTELLIGENCE_API_ACCOUNT_ID`, and
  `ZERO_INTELLIGENCE_WEBHOOK_SIGNING_KEY` reference env support.
- Added actual `x-zero-ratelimit-*` HTTP headers, bearer-scope enforcement,
  usage events, and HMAC-SHA256 webhook signature fixtures.
- Added OpenAPI paths/schemas, unit tests, local smoke coverage, Railway smoke
  coverage, and docs.

Remaining scope before Cycle 24: production hosted service persistence,
API-key issuer, warehouse-backed history, abuse controls, commercial terms,
retention policy, SLA policy, and signed hosted identity verification.

### Cycle 24: Production Deployment And Remote Operations

Target score: 98.

Make Railway the first-class self-custodial deployment path:

- volume and secret checks;
- remote log and doctor automation;
- health, metrics, and recovery checks;
- deployment smoke runbook;
- rollback and incident drills.

Exit gate:

- a new operator can deploy paper mode to Railway, run live-data paper, inspect
  logs, export audit, and recover from restart.

Current progress:

- Added `scripts/railway_doctor.py`, a stdlib remote deployment doctor for
  Railway-style paper services.
- Added `scripts/deployment_evidence.py` and `scripts/deployment_evidence.sh`
  to collect a redacted deployment evidence folder with doctor output, public
  runtime packets, optional Railway logs, manifest metadata, checksums, and an
  optional operator-owned HMAC signature artifact.
- Added `scripts/deployment_evidence_verify.py` to recompute `SHA256SUMS`,
  validate the manifest inventory, enforce redaction rules, and verify signed
  evidence packs when a signing key is supplied.
- Added `scripts/deployment_identity_evidence.py` to bind `/deployment/claim`
  and `/deployment/heartbeat` into a public-safe bundle, verify their hashes
  and binding, and optionally sign the identity payload with an operator-owned
  OpenSSL key without including private key material.
- Added `scripts/network_profile_verify.py` to verify
  `zero.network.profile.v1` packets against recomputed proof hashes,
  deployment claim/heartbeat binding, and optional signed deployment identity
  bundles.
- The doctor checks health, recovery durability, market data source, metrics,
  immune state, live-preflight refusal, live cockpit refusal, public Network
  privacy, delayed Intelligence privacy, hosted-compatible rate-limit headers,
  protected-scope fail-closed behavior, and optional tokened history access.
- Local paper API smoke and Railway smoke now execute the same doctor and
  evidence collector, failing CI on any failed deployment check or leaked trace
  data in the evidence pack.
- Added `scripts/deployment_rollback_rehearsal.py`, a plan-only rollback
  rehearsal that verifies current and rollback-target evidence packs, proves
  public paper services remain fail-closed, and emits a hashable rollback plan
  with optional HMAC signature.
- Railway deployment docs and the P1 incident runbook now start from the doctor
  report, verifier, and deployment evidence pack instead of ad hoc curl-only
  checks.

Remaining scope before Cycle 25: real deployed Railway proof and external
log-drain evidence.

### Cycle 25: Release, Registry, And Supply Chain

Target score: 99.

Finish distribution:

- release asset verifier;
- rollback and tamper-detection rehearsal;
- publish package registry ownership plan;
- Homebrew formula drift check;
- SBOM/provenance;
- dependency update and security response policy.

Exit gate:

- release process is reproducible by a maintainer other than the founder.

Current progress:

- Added `scripts/release_verify.py` to verify expected GitHub Release assets,
  exact `SHA256SUMS` coverage, checksum integrity, nonempty artifacts, and
  source-only exceptions when explicitly requested.
- Added `scripts/release_rehearsal.sh` to assemble a temporary release bundle,
  verify it, tamper with the Linux binary, and prove verification fails.
- Wired release verification into the tag release workflow before attestation
  and draft release upload.
- Added release rehearsal to local `just ci`, GitHub CI, release docs,
  distribution gates, and release template checklist.
- Added `scripts/registry_readiness.py` to enforce PyPI metadata, Cargo package
  metadata inheritance, optional live dependencies, and package-channel docs
  without publishing to external registries.
- Wired registry readiness into local `just ci`, GitHub CI, and the tag release
  workflow as a preflight before building release artifacts.
- Added explicit Trusted Publishing, `cargo owner`, Homebrew formula, and
  package publication disablement gates to release/distribution docs.
- Added `scripts/release_provenance.py` to generate checksummed
  `SBOM.spdx.json` and `PROVENANCE.json` from Python, Cargo, workspace, git, and
  release-asset metadata.
- Added `docs/dependency-policy.md` with update rules, release requirements,
  and vulnerability-response steps.
- Added `scripts/draft_release_rehearsal.sh` for dry-run CI and maintainer-run
  temporary draft GitHub Release creation, fresh-download verification,
  Homebrew formula rendering, and rollback.
- Added `scripts/homebrew_formula.py` to render a tap-ready formula from
  `SHA256SUMS`, committed `Formula/zero.rb`, and verified the public repo tap
  install path.
- Backfilled `v0.1.1` with `SBOM.spdx.json` and `PROVENANCE.json`, verified the
  published release from a clean download, and added `scripts/release_evidence.py`
  so maintainers can rerun checksum, metadata, attestation, and formula evidence.
- Published `zero-engine==0.1.2` through `zero-engine==0.1.5` on PyPI through
  Trusted Publishing, then listed `io.github.zero-intel/zero` in the Official
  MCP Registry with a public `uvx` stdio package reference. The `0.1.5` MCP
  runtime reports the installed package version from its initialize response.

Remaining scope before Cycle 26: crates/container ownership evidence and
external review evidence.

### Cycle 26: External Review And Real-World Evidence

Target score: 100.

Earn the final points with evidence:

- external security review;
- external operator usability review;
- live exchange chaos rehearsal;
- tiny-capital live canary report;
- public incident-style postmortem template;
- scorecard update with links to evidence artifacts.

Exit gate:

- every 100/100 claim links to tests, docs, CI, release artifacts, drill logs,
  or external review notes.

## Work Order

Do cycles 12 through 18 before hosted Network or Intelligence expansion. A
commercial API built before runtime truth would sell a weak dataset. Runtime
truth, reconciliation, and safety evidence create the verified behavior that
ZERO Intelligence monetizes.

Then do cycles 19 through 22 to turn the single runtime into a multi-operator
substrate and commercial data product.

Finish with cycles 23 through 25 to prove deployment, distribution, and
external trust.

## Non-Negotiables

- Paper mode stays deterministic and free.
- Live mode stays self-custodial.
- Risk-reducing commands are always easier than risk-increasing commands.
- Hosted systems never require custody.
- Public surfaces never leak wallets, private keys, exchange order IDs, raw
  journals, strategy labels, private notes, or per-trade symbols unless a future
  explicit consent contract is designed and reviewed.
- Every live-capable feature needs a refusal path, a test, a runbook entry, and
  CLI visibility.
````


## Source: `docs/private-engine-capability-gap-audit.md`

````markdown
# Private Engine Capability Gap Audit

Status: historical extraction audit. Public-facing repo language should treat
this as a Runtime capability-boundary document; internal engine/source names are
preserved here only to explain the extraction path from private implementation
to open Runtime, Protocol, and Proof contracts.

This audit translates ZERO's existing internal engine capabilities into a
public-safe extraction plan. It is intentionally capability-level only: it does
not publish private deployment topology, private journals, production wallets,
operator identifiers, strategy thresholds, proprietary datasets, or commercial
operations data.

The important conclusion is direct: the public repository is excellent as an
open Runtime, Protocol, and Proof launch artifact, but ZERO also needs the
adaptive intelligence loop that already exists internally:

```text
operate -> journal -> memory -> genesis -> guardian -> build -> red-team
        -> paper canary -> calibration -> promote or rollback -> evolve
```

That loop is not a sidecar. It is the difference between a static runtime and an
operating-intelligence runtime that improves under review.

## Internal Capability Classes

ZERO's internal engine has five command planes:

| Plane | Capability class |
| --- | --- |
| Operator skills | Human and agent-invoked workflows for health, market scans, edge reports, convergence audits, memory extraction, genesis, evolution, scoring, red-team review, and operator communication. |
| Script commands | Repeatable Python commands for live readiness, Hyperliquid state checks, honest health checks, live canary lifecycle, rejection audits, perps audits, fix-impact scoring, memory, genesis, thesis, and recovery. |
| Terminal CLI | Operator setup, start/stop/status, configuration, logs, emergency close, score, evaluate, brief, credits, observe, MCP serving, diagnostics, arena, and mode management. |
| API and MCP | Read-heavy operational state, strategy/session control, heat/regime/pulse/briefs, diagnostics, circuit breakers, rejections, near misses, execution quality, equity, backtests, reconciliation, immune state, chat, memory, architecture proposals, trade approvals, evolution status, and recall. |
| Daemons and services | Trading engine, API server, MCP server, agent daemon, autopilot loop, sensor layer, and durable bus service. |

The public repo should not copy these surfaces wholesale. It should extract the
portable capability behind each surface, then ship it with deterministic
fixtures, paper-first defaults, and public-safe contracts.

## Public Extraction Boundary

Open-source scope:

- local memory taxonomy and append-only knowledge extraction;
- local `memory`, `genesis`, and `evolve` command surfaces;
- proposal schemas, guardian policies, and review journals;
- builder/red-team/canary/calibration lifecycle in paper mode;
- strategy, lens, risk, sizing, immune, and venue adapter interfaces;
- local OODA loop, runtime bus, journals, audit exports, and recovery;
- public-safe proof packets, Network profiles, and delayed snapshots;
- read-only and risk-reducing MCP/API tools for local operators and coding
  agents.

Commercial scope:

- realtime ZERO Intelligence API;
- aggregate cross-operator behavior, cohorts, benchmarks, and history;
- hosted ingestion reliability, warehouse persistence, billing, webhooks,
  redistribution rights, SLAs, and enterprise support;
- managed model gateway and hosted key-management operations.

ZERO should not sell basic self-custodial execution, safety, local memory,
local genesis, or the operator terminal as proprietary features.

## Gap Map

| Area | Internal capability | Public state | Gap |
| --- | --- | --- | --- |
| Self-evolution | Memory extracts rules, research explains what to study, genesis proposes/builds changes, red-team attacks diffs, canary/calibration gates promotion. | Memory core, research command chain, genesis proposal classification, production-parity OODA reports, paper-first evolve gates, sandbox candidate mutation, promotion plans, exact-phrase local apply, rollback receipts, and promotion verification are now present as public subsystems. | Protected live-code evolution remains human-reviewed until external operator evidence and review exist. |
| Research command chain | Hunt, edge, convergence, thesis, score, meta, and sharpen form a learning/research loop. | Public docs mention Runtime, Protocol, and Proof boundaries, but not the full command chain. | Add public command contracts and deterministic fixture-backed reports. |
| Real decision engine | Multi-lens evaluation, layered signals, risk gates, sizing modifiers, and rejection learning. | Public runtime now exposes a paper-only lens/layer/modifier decision stack plus `zero.runtime.production_parity.v1` live-shadow fail-closed parity over API, MCP, OpenAPI, docs, and tests. | Add richer regime/correlation gates and real exchange execution-quality feedback after operator-owned canary evidence. |
| MCP surface | Internal MCP can inspect and operate many engine surfaces. | Public MCP exposes expanded read-only local/operator surfaces with explicit safety classes. | Add risk-reducing local controls only after the operator policy and friction contract are public. |
| Live canary lifecycle | Readiness, policy, launch, evidence, report, qualification, shadow review, follow-through. | Public has rehearsal, evidence, verification, policy qualification, cockpit-drill policy capture, and operator report flows. | Attach real operator-owned exchange evidence from an accepted canary. |
| Agent daemon | Persistent agents, approvals, proposals, operator app, and communication loop. | Public has agent contribution docs and a thin MCP. | Add local proposal queue and approval surfaces before hosted agents. |
| Perception layer | Sensor, cross-asset, liquidations, universe, market data service, and setup detection. | Public has market adapter examples and read-only Hyperliquid status. | Add public sensor interfaces, fixture stores, and live-read-only adapters. |
| Recovery and operations | Honest checks, Hyperliquid state checks, recovery CLI, watchdog, log rotation. | Public has incident docs, deployment evidence, and readiness gates. | Add operator-safe diagnostics and recovery commands with no secret access. |

## Required Public Cycles

These cycles supersede the earlier assumption that only hosted Network,
Intelligence, and external proof remained.

### Cycle 27: Capability Audit Canon

Make this gap audit part of the public docs, readiness gates, roadmap, and LLM
context so contributors and coding agents understand the true product target.

Exit gate:

- README links this audit.
- Architecture names ZERO Evolution as a product surface.
- Production readiness includes a self-evolution score.
- `docs/llms-full.txt` includes this audit.

### Cycle 28: Memory Core

Implement local memory as a public engine subsystem:

- typed memory entries: signal, regime, operator, strategy reference;
- anti-derivation rule, TTLs, deduplication, and expiry;
- append-only JSONL store plus generated `knowledge.md`;
- CLI/API readouts for local memory state;
- tests for derivable rejection, expiry, deduplication, and operator scope.

Exit gate:

- `zero-memory extract` can produce public-safe observations from fixture
  decisions.
- `/memory`, `zero_get_memory_snapshot`, and `zero://memory/snapshot` expose
  public-safe readouts.
- memory output never stores live prices, secrets, raw wallet data, exchange
  order ids, or derivable exchange state.

Current public status:

- Implemented in `engine/src/zero_engine/memory.py`.
- Covered by `engine/tests/test_memory.py`, API tests, MCP tests, and
  `just memory-core-example`.
- Documented in [Memory Core](memory-core.md).

### Cycle 29: Genesis Proposal Core

Implement proposal lifecycle without automatic code changes:

- `Proposal` schema;
- risk tiers and protected path classes;
- append-only genesis journal;
- guardian policy with sample-size floors and revert-plan requirements;
- `zero genesis plan/status` commands.

Exit gate:

- fixture-backed proposals are accepted, escalated, or rejected
  deterministically.
- proposals touching execution, sizing, stops, circuit breakers, live adapters,
  or immune core require human review.

Current public status:

- Implemented in `engine/src/zero_engine/genesis.py`.
- Covered by `engine/tests/test_genesis.py`, API tests, MCP tests, and
  `just genesis-example`.
- `/genesis`, `zero_get_genesis_proposals`, and `zero://genesis/proposals`
  expose plan-only classifications.
- Documented in [Genesis](genesis.md).

### Cycle 30: Builder, Red-Team, Canary, Calibration

Implement the public paper-only self-modification harness:

- create branch/worktree for approved low-risk proposals;
- generate or apply bounded patches only in allowed paths;
- run tests before producing a build result;
- run red-team review on the diff;
- run paper canary against deterministic or live-read-only market data;
- calibrate against baseline with conservative statistical gates.

Exit gate:

- no generated branch can be promoted without tests, red-team verdict, and
  canary/calibration evidence.
- promotion is local-only and never pushes automatically.

Current public status:

- Implemented in `engine/src/zero_engine/evolve.py`.
- Covered by `engine/tests/test_evolve.py`, API tests, MCP tests, and
  `just evolve-example`.
- `/evolve`, `zero_get_evolve_status`, and `zero://evolve/status` expose
  paper-only gate status.
- The public harness writes sandbox artifacts but does not mutate the checkout,
  promote, deploy, or push.
- Documented in [Evolve Harness](evolve.md).

### Cycle 31: Research Command Chain

Add fixture-backed public versions of the internal research loop:

- `hunt`: market scan report from public-safe market data;
- `edge`: strategy/lens/time/coin expectancy report from local journals;
- `convergence`: feedback-loop drift and lockstep detection;
- `thesis`: seven-day operating hypothesis with anti-thesis and scorecard;
- `score`: compare prior judgments against outcomes;
- `meta` and `sharpen`: audit command usefulness and system improvement.

Exit gate:

- each command writes a versioned report artifact;
- reports are deterministic in CI with fixture data;
- no report claims live PnL unless backed by signed operator evidence.

Current public status:

- Implemented in `engine/src/zero_engine/research.py`.
- Covered by `engine/tests/test_research.py`, API tests, MCP tests, and
  `just research-example`.
- `/research`, `zero_get_research_report`, and `zero://research/report` expose
  paper-only research status.
- Reports include hunt, edge, convergence, thesis, score, meta, and sharpen.
- The public report is read-only, does not mutate the checkout, does not push,
  and does not claim live PnL.
- Documented in [Research Command Chain](research.md).

### Cycle 32: Decision Stack

First public slice of intelligence engine parity.

Port the real decision interfaces:

- lens runner protocol;
- evaluation layer protocol;
- sizing modifier chain;
- rejection learner;
- regime and correlation gates;
- execution quality and near-miss feedback.

Exit gate:

- a contributor can add one lens, one layer, or one sizing modifier with a
  fixture and conformance test.
- every decision path still flows through safety and paper/live separation.

Current public status:

- Implemented the first public decision-stack contract in
  `engine/src/zero_engine/decision.py`.
- `/decision/stack` exposes `zero.decision.stack.v1`.
- `/evaluate/{coin}` embeds the same stack while preserving CLI-compatible
  fields.
- `zero_get_decision_stack` and `zero://decision/stack` expose the same
  read-only contract to coding agents.
- Covered by decision, API, MCP, OpenAPI, and `just decision-stack-example`
  checks.
- The public stack never grants live execution authority and reports
  `allowed_to_execute_live: false`.
- Documented in [Decision Stack](decision-stack.md).

### Cycle 33: Expanded Local MCP

Expose local read-only and risk-reducing tools for agents:

- status, health, positions, journal tail, memory stats, genesis proposals,
  research reports, backtests, rejection audit, immune status, and canary
  evidence;
- risk-reducing controls only where local operator policy allows them;
- no risk-increasing MCP tools without explicit local friction.

Exit gate:

- MCP transcript proves read-only operation by default.
- safety class is documented for every tool.

Current public status:

- `zero-mcp` now exposes 20 read-only tools and 22 resources for strategies,
  runtime status, health, paper results, positions, journal tail, rejection
  audit, proof pack, memory snapshot/stats, genesis proposals, evolve status,
  research report, decision stack, immune status, backtest report, evidence
  bundle, safety catalog, and contributor docs for strategy runners, strategy
  plugins, and market-data adapters.
- Every public tool declares `safetyClass: read_only_public`,
  `canPlaceOrders: false`, `canChangeRuntimeState: false`, and
  `canReadSecrets: false`.
- `docs/mcp/transcript.jsonl`, `engine/tests/test_mcp.py`, and
  `zero-mcp --smoke` verify the tool list, resource list, safety metadata,
  paper-only payloads, and absence of write-capable tool names.
- Risk-reducing MCP controls are intentionally deferred until the local
  operator friction contract can be enforced over MCP.

### Cycle 34: Live Canary Policy Parity

Complete the live canary lifecycle:

- readiness;
- policy arm/disarm;
- bounded launch window;
- evidence export;
- shadow review;
- qualification;
- follow-through review;
- next-step policy recommendation.

Exit gate:

- public CI exercises the lifecycle in refusal/paper mode.
- operator-owned live evidence can be attached and verified without leaking raw
  venue payloads or secrets.

Current public status:

- `/live/canary-policy` exposes `zero.live_canary_policy.v1` with readiness,
  arm/disarm, launch-window, evidence, shadow-review, qualification,
  follow-through, and next-step fields.
- Rehearsal bundles and operator reports embed the same policy object.
- `scripts/live_canary_policy.py` renders the policy from rehearsal bundles,
  cockpit drill bundles, manifests, or operator reports.
- The canary verifiers reject missing policy packets and operator-report policy
  contradictions.
- Public paper smoke exercises refusal-mode policy qualification without
  claiming accepted live execution.

### Cycle 35: Local Promotion And Rollback Evidence

Complete the public self-evolution promotion evidence layer:

- materialized sandbox candidate tree;
- original and candidate hashes for every allowed mutation;
- local promotion plan;
- rollback plan;
- promotion artifact verification;
- explicit approval phrase;
- no checkout mutation and no remote push.

Exit gate:

- `/evolve`, `zero_get_evolve_status`, and contract fixtures expose promotion,
  rollback, and verification evidence.
- public CI proves the plan is local-only and rollback-ready.
- generated candidates remain limited to `docs/` and `examples/`.

Current public status:

- `zero.evolve.run.v1` now includes `promotion_plan`,
  `rollback_plan`, and `promotion_verification`.
- The evolve build materializes candidate files under a sandbox candidate tree
  and hashes both original and candidate content.
- `zero.evolve.promotion_plan.v1` requires
  `I_APPROVE_ZERO_EVOLVE_LOCAL_PROMOTION` and records
  `applies_to_checkout=false`, `pushes_to_remote=false`, and
  `places_orders=false`.
- `zero.evolve.rollback_plan.v1` records restore hashes and fails closed when
  no rollback target exists.
- `zero.evolve.promotion_verification.v1` rejects plans that can mutate the
  checkout or push remotely.

### Cycle 36: Local Apply And Rollback Execution

Complete the public local checkout promotion layer:

- explicit `zero_engine.evolve apply` command;
- exact local promotion approval phrase;
- full prevalidation before any checkout write;
- original checkout hash verification;
- candidate hash verification;
- apply receipt;
- explicit `zero_engine.evolve rollback` command;
- exact rollback approval phrase;
- backup-backed restore with original hash verification;
- no remote push and no order placement.

Exit gate:

- approved docs/example candidates can be applied to a local checkout;
- wrong approval phrases do not mutate the checkout;
- tampered candidates fail before any file is written;
- rollback restores the original content and emits a receipt.

Current public status:

- `zero.evolve.apply_receipt.v1` records approved local checkout mutation,
  backup paths, applied hashes, and failure checks.
- `zero.evolve.rollback_receipt.v1` records local restore execution and verifies
  restored hashes.
- Apply and rollback remain CLI-only; the HTTP and MCP surfaces stay read-only.
- Protected runtime paths remain blocked by `ALLOWED_PATCH_ROOTS` and
  `FORBIDDEN_PATCH_ROOTS`.

### Cycle 37: Production-Parity OODA Report

Implemented in `engine/src/zero_engine/runtime.py`:

- `zero.runtime.production_parity.v1` runs the bundled paper OODA loop through
  observe, orient, decide, act, and learn phases;
- mirrors every intent and idempotency key through a disabled `LiveExecutor`;
- proves the live shadow path refuses every order and that the exchange adapter
  placed zero orders;
- verifies checksum-chained runtime-bus integrity and snapshot consistency;
- emits `zero.runtime.feedback.v1` rejection/execution-quality feedback without
  claiming live slippage or exchange fill quality;
- exposes the report through `GET /runtime/parity`,
  `zero_get_runtime_parity`, `zero://runtime/parity`, OpenAPI, and a pinned
  contract fixture.

### Cycle 38: Operator CLI Runtime-Parity Surface

Implemented in `cli/crates/zero-engine-client` and `cli/crates/zero-commands`:

- added typed Rust decoding for `GET /runtime/parity`;
- added the neutral `/runtime-parity` slash command, with aliases `/parity`,
  `/ooda-parity`, and `/production-parity`;
- rendered the public-safe boundary an operator needs to see: paper cycles,
  fills, rejections, disabled live-shadow refusals, zero adapter orders,
  rejection-rate feedback, certification status, and the no-live-trading claim
  boundary;
- extended the mock engine and dispatcher/client tests so the terminal cannot
  drift from the API contract.

### Cycle 39: Operator CLI Live-Canary Policy Surface

Implemented in `cli/crates/zero-engine-client` and `cli/crates/zero-commands`:

- added typed Rust decoding for `GET /live/canary-policy`;
- added the neutral `/live-canary` slash command, with aliases `/canary`,
  `/canary-policy`, and `/live-canary-policy`;
- rendered the public-safe live canary lifecycle an operator needs to see:
  readiness, armed/disarmed state, qualification, publishability, accepted-live
  boundary, exchange-evidence attachment, refusal-proof qualification, next
  action, operator identity, and phase status;
- extended the mock engine and dispatcher/client tests so the CLI cannot claim
  publishable accepted-live proof from refusal-mode evidence.

### Cycle 40: Operator CLI Live-Receipts Surface

Implemented in `cli/crates/zero-commands`:

- added the neutral `/live-receipts` slash command, with aliases `/receipts`,
  `/execution-receipts`, and `/live-execution-receipts`;
- rendered the public-safe live execution receipt packet an operator needs to
  see before any canary claim: total, accepted, refused, exchange-error count,
  receipt-bundle hash, operator identity, privacy flags, and recent
  hash-only receipt rows;
- extended dispatcher tests so the terminal locks the empty/refused receipt
  boundary and never implies accepted live proof from a zero-receipt packet.

### Cycle 41: Full-Screen TUI Live Cockpit

Implemented in `cli/crates/zero-engine-client`, `cli/crates/zero-tui`, and
`cli/crates/zero-commands`:

- added `LiveCockpit` to the CLI-side `EngineState` mirror and populated it
  from the HTTP backfill poller via `GET /live/cockpit`;
- added a fifth TUI mode, `Cockpit`, reachable with Ctrl+5 and
  `/cockpit-mode`, while keeping `/live-cockpit` as the one-shot readout;
- rendered the same public-safe cockpit packet full-screen: live mode,
  readiness, risk allowance, next action, operator identity, preflight,
  immune, reconciliation, certification, heartbeat, receipt totals, failed
  checks, open breakers, and risk-reducing command affordances;
- extended Rust tests for mode routing, backfill population, input handling,
  and full-screen cockpit rendering.

## Revised Score

Public repo readiness remains **100/100** as a launch artifact.

Full ZERO operating-system readiness is **100/100** as a public repo contract
after Cycle 41. The score increased because the public runtime now has an
executable production-parity OODA report, rejection/execution-quality feedback,
live-shadow fail-closed evidence, a first-class operator CLI renderer for that
proof, and a first-class terminal renderer for live canary policy qualification
plus live execution receipts and a full-screen live cockpit in addition to
local evolve apply/rollback. The public repo also now carries
`zero.live_trading_evidence.v1`, a redacted proof bridge generated from private
operator Hyperliquid fills, trades, and live decisions.

The remaining work is no longer missing public-runtime shape. It is external
product proof and launch operation:

1. optional raw exchange disclosure for commercial diligence;
2. third-party security review;
3. hosted ZERO Network persistence and signed identity verification;
4. paid ZERO Intelligence deployment, billing, and retention policy.
````


## Source: `docs/agentic-contribution.md`

````markdown
# Agentic Contribution Guide

ZERO should be first-class for engineers using coding agents, design agents, or
review agents. This guide explains how to structure agent work so contributions
remain safe and useful.

## Good Agent Tasks

- Add focused tests around an existing behavior.
- Add a deterministic example under `examples/`.
- Extend a public contract fixture.
- Improve CLI diagnostics without changing risk semantics.
- Add docs that clarify operator safety, deployment, or contribution paths.
- Implement one item from `docs/autonomous-os-plan.md` with tests and docs.

## Issue Lanes

The public repo uses issue templates as agent routing contracts:

- `.github/ISSUE_TEMPLATE/agent_task.yml` for scoped agent work. Use label
  `agent-eligible`.
- `.github/ISSUE_TEMPLATE/strategy_example.yml` for deterministic paper-only
  strategy, runner, plugin, market-data adapter, runtime loop, or proof-pack
  examples. Use label `good-first-strategy`.
- `.github/ISSUE_TEMPLATE/safety_review.yml` for execution, risk, credentials,
  operator friction, live evidence, or proof privacy. Use label
  `safety-critical`.
- `.github/ISSUE_TEMPLATE/design_review.yml` for README, CLI/TUI copy, public
  proof pages, generated Network pages, and docs information architecture. Use
  label `design-review`.
- `.github/ISSUE_TEMPLATE/docs_gap.yml` for missing, stale, misleading, or
  agent-hostile docs. Use label `docs-gap`.

`scripts/issue_template_check.py` enforces the lane names, required labels, and
template markers. Update that checker in the same pull request as any template
or label change.

## Command Recipes

Reusable command recipes live in `.claude/commands/`. They are plain Markdown,
not hidden permissions. Use them as scoped prompts for any coding agent:

- `.claude/commands/paper-backtest.md`
- `.claude/commands/verify-schema.md`
- `.claude/commands/proof-pack.md`
- `.claude/commands/mcp-transcript.md`
- `.claude/commands/new-strategy.md`

If a command recipe is stale, update the recipe in the same pull request as the
behavior it describes.

## Bad Agent Tasks

- Add live execution shortcuts without preflight, kill, and refusal paths.
- Add hosted dependencies to paper mode.
- Add broad refactors across engine and CLI without a failing test.
- Add public data fields that could deanonymize an operator.
- Add generated marketing pages that do not improve operator understanding.

## Required Context Packet

When assigning an agent, include:

- the target cycle from `docs/autonomous-os-plan.md`;
- the exact files or module boundary it owns;
- the safety invariant it must preserve;
- the checks it should run;
- whether the work is engine, CLI, docs, Network, Intelligence, or design.
- the operator context to use when testing shared runtimes, usually
  `X-Zero-Operator-Handle: <agent-or-engineer-handle>`.
- the GitHub issue lane and label that matches the work.
- the CODEOWNERS surface that must review the change when touching protected
  paths.

Example:

```text
Implement Cycle 12 runtime-loop tests only. Own engine/tests/test_runtime.py.
Preserve paper-only behavior and no live execution. Run engine pytest and
just docs-check.
```

When an agent touches live-control surfaces, capture `/operator/context`,
`/deployment/claim`, `/live/cockpit`, and `/audit/export?limit=100` in the
review notes. The context packet is audit identity, not permission; agents must
not bypass CLI friction, preflight, immune breakers, or live execution policy.

## Review Checklist

Before merging agent-authored work, verify:

- the change is scoped and understandable;
- public examples run without secrets;
- live-capable code fails closed;
- docs match actual behavior;
- contracts stay deterministic;
- `just ci` passes or the remaining gap is documented;
- `just codeowners-check` passes when review boundaries changed;
- no private repo language, private infrastructure names, or credentials were
  introduced.

## Pull Request Disclosure

Agent-assisted pull requests should fill out `.github/PULL_REQUEST_TEMPLATE.md`
completely, including the AI assistance field and the safety impact field.
Maintainers should ask for a narrower diff when an agent PR changes unrelated
engine, CLI, docs, and release surfaces together.

## Design Review Checklist

For design agent work:

- the first screen should be a usable product surface or clear repo surface;
- operational state should be visible;
- risk-reducing actions should be visually and mechanically easier than
  risk-increasing actions;
- generated public pages should stay aggregate-only;
- no text should imply hosted custody, guaranteed profit, or black-box trading.
````


## Source: `docs/contributor-issue-board.md`

````markdown
# Contributor Issue Board

These issues are the first public contribution lanes for ZERO. They are scoped
so a human contributor or coding agent can make progress without private
operator context, exchange credentials, or live trading.

Use the GitHub labels when choosing work:

- [`good first issue`](https://github.com/zero-intel/zero/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22good%20first%20issue%22)
- [`agent-eligible`](https://github.com/zero-intel/zero/issues?q=is%3Aissue%20is%3Aopen%20label%3Aagent-eligible)
- [`help wanted`](https://github.com/zero-intel/zero/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22help%20wanted%22)
- [`design-review`](https://github.com/zero-intel/zero/issues?q=is%3Aissue%20is%3Aopen%20label%3Adesign-review)

## Good First Issues

- [#26 Add a deterministic funding-rate adapter fixture](https://github.com/zero-intel/zero/issues/26)
- [#27 Add a paper sizing policy example](https://github.com/zero-intel/zero/issues/27)
- [#28 Add MCP client setup snippets](https://github.com/zero-intel/zero/issues/28)

## Help Wanted

No open seeded help-wanted issues remain. New contributor lanes should be
opened through [launch issues](launch-issues.md) so acceptance criteria stay
source-controlled.

## Completed Seed Issues

- [#18 Add a paper-only momentum strategy plugin](https://github.com/zero-intel/zero/issues/18) -
  delivered in [Paper Momentum Strategy Plugin](../examples/momentum-strategy-plugin/README.md).
- [#19 Add a deterministic market-data adapter fixture](https://github.com/zero-intel/zero/issues/19) -
  delivered in [Market Data Adapter Example](../examples/market-data-adapter/README.md).
- [#23 Expand read-only MCP strategy resources](https://github.com/zero-intel/zero/issues/23) -
  delivered in [ZERO MCP Server](mcp.md).
- [#25 Add release evidence reader docs](https://github.com/zero-intel/zero/issues/25) -
  delivered in [Release Verification Guide](release-verification.md).
- [#20 Add CLI doctor troubleshooting examples](https://github.com/zero-intel/zero/issues/20) -
  delivered in [CLI Doctor Troubleshooting](cli-doctor-troubleshooting.md).
- [#22 Add proof-pack privacy regression fixtures](https://github.com/zero-intel/zero/issues/22) -
  delivered in [Proof Privacy Regression Fixtures](proof/privacy-regression/README.md).
- [#21 Add a stale ZERO Network profile fixture](https://github.com/zero-intel/zero/issues/21) -
  delivered in [ZERO Network Stale Profile Fixture](../examples/network-stale-profile/README.md).
- [#24 Design public Network empty and stale states](https://github.com/zero-intel/zero/issues/24) -
  delivered in [ZERO Network Empty Profile Fixture](../examples/network-empty-profile/README.md),
  [ZERO Network Stale Profile Fixture](../examples/network-stale-profile/README.md),
  and [ZERO Network Profile Page Example](../examples/network-profile-page/README.md).
- [#29 Add a static ZERO Intelligence catalog page](https://github.com/zero-intel/zero/issues/29) -
  delivered in [ZERO Intelligence Catalog Page](../examples/intelligence-catalog-page/README.md).
- [#30 Add Homebrew rollback verification docs](https://github.com/zero-intel/zero/issues/30) -
  delivered in [Release Process](release.md#homebrew-rollback-verification) and
  [Distribution Readiness](distribution.md#homebrew-rollback-verification).

## Contribution Rules

- Keep the default path paper-first.
- Do not add exchange credentials, wallet material, raw fills, private journals,
  or production deployment details.
- Keep examples deterministic unless an issue explicitly asks for read-only
  live market data.
- Include a test, smoke command, or verification note with every PR.
- For agent-authored work, follow [AGENTS.md](../AGENTS.md) and
  [Agentic Contribution](agentic-contribution.md).
````


## Source: `docs/review-ownership.md`

````markdown
# Review Ownership

ZERO uses `.github/CODEOWNERS` as the public source of truth for review
ownership. The initial owner is `@squaeragent`; additional maintainers or teams
can be added after they have repository access and understand the safety model.

## Protected Surfaces

The ownership gate covers:

- GitHub workflows, issue templates, labels, and release automation.
- Engine execution, safety, immune, reconciliation, and Hyperliquid boundaries.
- CLI friction, operator configuration, headless control, doctor, and engine
  client crates.
- Public contracts, OpenAPI schemas, live evidence docs, threat model,
  incident runbooks, release docs, and distribution policy.

## Change Policy

Routine documentation and example changes can still be reviewed normally.
Changes to protected surfaces require approval from a listed owner of the
affected area and must preserve paper-first defaults, fail-closed behavior,
credential redaction, and risk-reducing command priority.

Do not remove or weaken CODEOWNERS entries to make a pull request easier to
merge. If ownership needs to change, update `.github/CODEOWNERS`,
`docs/review-ownership.md`, and the CODEOWNERS checker in the same pull
request.

## Local Check

```bash
just codeowners-check
```

This validates that required safety-critical patterns exist, each entry has at
least one syntactically valid owner, wildcard ownership is present, and no
placeholder owners are committed.
````


## Source: `docs/label-taxonomy.md`

````markdown
# Label Taxonomy

ZERO uses labels as routing metadata for humans and coding agents. A label in a
launch issue, issue template, or backlog item must exist in `.github/labels.yml`.

Run:

```bash
just label-taxonomy-check
```

Maintainers can also check or apply the configured labels against GitHub:

```bash
just github-label-check
just github-label-sync
```

`github-label-sync` only creates or updates labels listed in
`.github/labels.yml`. It does not delete extra repository labels.

After labels are synced, maintainers can seed the launch issues from
`docs/launch-issues.md`:

```bash
just launch-issue-config-check
just github-launch-issue-check
just github-launch-issue-sync
```

The issue sync creates missing exact-title seed issues only. It does not edit
existing issues or delete maintainer-created work.

## Routing Labels

- `needs triage`: maintainer review is required before work starts.
- `agent-eligible`: scoped for a coding, review, docs, or design agent.
- `good first issue`: small contributor task.
- `good-first-strategy`: paper-only strategy contribution suitable for a first
  engine PR.
- `help wanted`: maintainer-approved community work.

## Safety Labels

- `safety`: touches execution, risk, credentials, or operator friction.
- `safety-critical`: requires explicit safety review before implementation or
  merge.
- `security`: vulnerability response, public proof privacy, or security docs.

## Surface Labels

- `engine`: Python engine runtime.
- `cli`: Rust operator terminal.
- `docs`: documentation.
- `examples`: examples, templates, and demos.
- `strategy`: strategy API, plugin, runner, or deterministic strategy example.
- `market-data`: market-data adapter interfaces and fixtures.
- `contracts`: public API, Network, Intelligence, or proof packet contracts.
- `network`: ZERO Network profiles, leaderboards, and publication contracts.
- `design`: operator-facing design, public pages, or documentation IA.
- `ci`: continuous integration and repository automation.
- `containers`: Docker, Compose, or container smoke paths.
- `packaging`: package registries, Homebrew, release artifacts, or installers.

## Review Labels

- `design-review`: needs product, UX, narrative, or information architecture
  review.
- `docs-gap`: missing, stale, misleading, or agent-hostile documentation.
- `proof-pack`: proof packet methodology, reproducibility, or public evidence.
- `mcp`: MCP server, tools, resources, or transcript.

## Type Labels

- `bug`: something is not working as intended.
- `enhancement`: new feature or improvement.
- `release`: release packaging, artifacts, or versioning.

## Rules

- Do not create labels ad hoc in issue bodies. Update `.github/labels.yml`,
  this document, and `scripts/label_taxonomy_check.py` together.
- Do not edit public GitHub labels by hand when `.github/labels.yml` is meant
  to be authoritative. Use `just github-label-sync`.
- Prefer one routing label, one surface label, and one type or review label.
- Add `safety-critical` whenever a change touches live-capable behavior,
  operator friction, risk, credentials, live evidence, or public proof privacy.
````


## Source: `.github/ISSUE_TEMPLATE/agent_task.yml`

````markdown
name: Agent task
description: Propose a bounded task for coding, review, documentation, or design agents
title: "agent: "
labels: ["agent-eligible", "needs triage"]
body:
  - type: markdown
    attributes:
      value: |
        Use this for narrow tasks a coding or design agent can own. Keep the task small enough for one pull request and name the safety invariant up front.
  - type: textarea
    id: scope
    attributes:
      label: Owner Boundary
      description: Exact files, modules, docs, or examples the agent should own.
      placeholder: "Own docs/agentic-contribution.md and .github/ISSUE_TEMPLATE/*.yml only."
    validations:
      required: true
  - type: textarea
    id: out_of_scope
    attributes:
      label: Out Of Scope
      description: What must the agent avoid changing?
      placeholder: "Do not touch live execution, sizing, credentials, or unrelated release files."
    validations:
      required: true
  - type: textarea
    id: invariant
    attributes:
      label: Safety Invariant
      description: What behavior must not regress?
      placeholder: "Paper mode remains the default; no new live order path is introduced."
    validations:
      required: true
  - type: dropdown
    id: surface
    attributes:
      label: Surface
      options:
        - engine
        - cli
        - docs
        - examples
        - contracts
        - design
        - ci
    validations:
      required: true
  - type: dropdown
    id: task_size
    attributes:
      label: Task Size
      description: Prefer S or M for agent-eligible work.
      options:
        - S: single file or one small module
        - M: small cross-file change with tests
        - L: needs maintainer decomposition first
    validations:
      required: true
  - type: dropdown
    id: risk_class
    attributes:
      label: Risk Class
      options:
        - paper-only
        - docs-only
        - public contract
        - operator UX
        - safety-critical
    validations:
      required: true
  - type: textarea
    id: acceptance
    attributes:
      label: Acceptance Criteria
      description: Concrete conditions that make the task done.
      value: |
        - First acceptance criterion.
        - Second acceptance criterion.
        - Required checks pass.
    validations:
      required: true
  - type: textarea
    id: checks
    attributes:
      label: Required Checks
      description: Commands the agent or reviewer should run.
      value: |
        just docs-check
        just public-readiness
    validations:
      required: true
````


## Source: `.github/ISSUE_TEMPLATE/strategy_example.yml`

````markdown
name: Strategy example
description: Propose a paper-only strategy, runner, or market-data adapter example
title: "strategy: "
labels: ["good-first-strategy", "strategy", "examples", "needs triage"]
body:
  - type: markdown
    attributes:
      value: |
        Use this for examples that teach the public engine without requiring secrets or live trading.
  - type: textarea
    id: learning_goal
    attributes:
      label: Learning Goal
      description: What should a contributor or operator learn from this example?
      placeholder: "Show how to reject low-confidence momentum setups in paper mode."
    validations:
      required: true
  - type: dropdown
    id: example_type
    attributes:
      label: Example Type
      options:
        - paper strategy
        - strategy plugin
        - strategy runner
        - market data adapter
        - runtime loop
        - proof pack
    validations:
      required: true
  - type: textarea
    id: owner_boundary
    attributes:
      label: Owner Boundary
      description: Exact files or directories the contributor should own.
      placeholder: "Own examples/strategy-runner/* and engine/tests/test_runners.py only."
    validations:
      required: true
  - type: textarea
    id: safety_invariant
    attributes:
      label: Safety Invariant
      description: What must not regress?
      value: "The example is paper-only, deterministic, and does not require secrets."
    validations:
      required: true
  - type: textarea
    id: acceptance
    attributes:
      label: Acceptance Criteria
      value: |
        - Example runs from a fresh clone.
        - Output is deterministic.
        - Docs state that the example is paper-only.
        - Tests or smoke checks cover the example.
    validations:
      required: true
  - type: textarea
    id: checks
    attributes:
      label: Required Checks
      value: |
        just docs-check
        just strategy-example
        just strategy-plugin-example
        just strategy-runner-example
        just market-data-adapter-example
    validations:
      required: true
````


## Source: `.github/ISSUE_TEMPLATE/safety_review.yml`

````markdown
name: Safety review
description: Request review for execution, risk, credential, or safety behavior
title: "safety: "
labels: ["safety-critical", "safety", "needs triage"]
body:
  - type: markdown
    attributes:
      value: |
        Use this before changing execution, sizing, risk gates, kill switches, authentication, secret handling, operator friction, live evidence, or public proof contracts.
  - type: textarea
    id: change
    attributes:
      label: Change
      description: What safety-relevant behavior is changing?
    validations:
      required: true
  - type: textarea
    id: risk
    attributes:
      label: Failure Modes
      description: What could go wrong?
    validations:
      required: true
  - type: textarea
    id: fail_closed
    attributes:
      label: Fail-Closed Behavior
      description: How does the system refuse, halt, or degrade safely?
      placeholder: "If preflight is stale, live-capable paths refuse and risk-reducing commands remain available."
    validations:
      required: true
  - type: textarea
    id: paper_validation
    attributes:
      label: Paper-Mode Validation
      description: Which paper-mode scenario, proof packet, or rehearsal demonstrates the behavior?
    validations:
      required: true
  - type: textarea
    id: validation
    attributes:
      label: Required Checks
      description: Unit, integration, rehearsal, or manual validation commands.
      value: |
        just ci
        just hardening-gate
    validations:
      required: true
````


## Source: `.github/ISSUE_TEMPLATE/design_review.yml`

````markdown
name: Design review
description: Request review for operator UX, public proof pages, docs IA, or launch surfaces
title: "design: "
labels: ["design-review", "design", "needs triage"]
body:
  - type: markdown
    attributes:
      value: |
        Use this for design work that changes how operators, contributors, or public users understand ZERO.
  - type: textarea
    id: surface
    attributes:
      label: Surface
      description: Which screen, page, doc, template, or generated artifact is changing?
      placeholder: "README above the fold, docs proof page, Network profile page, or CLI/TUI copy."
    validations:
      required: true
  - type: textarea
    id: user_job
    attributes:
      label: User Job
      description: What should the user understand or accomplish faster?
    validations:
      required: true
  - type: textarea
    id: safety_copy
    attributes:
      label: Safety Copy Invariant
      description: What must not be implied?
      value: "Do not imply custody, guaranteed returns, black-box delegation, or live trading readiness beyond documented gates."
    validations:
      required: true
  - type: textarea
    id: evidence
    attributes:
      label: Evidence To Review
      description: Screenshots, rendered HTML paths, terminal output, or doc links.
    validations:
      required: true
  - type: textarea
    id: checks
    attributes:
      label: Required Checks
      value: |
        just docs-check
        just network-pages-smoke
        just public-readiness
    validations:
      required: true
````


## Source: `.github/ISSUE_TEMPLATE/docs_gap.yml`

````markdown
name: Documentation gap
description: Report missing, stale, misleading, or agent-hostile documentation
title: "docs: "
labels: ["docs-gap", "docs", "needs triage"]
body:
  - type: textarea
    id: gap
    attributes:
      label: Gap
      description: What is missing, stale, misleading, or difficult for agents to follow?
    validations:
      required: true
  - type: dropdown
    id: audience
    attributes:
      label: Audience
      options:
        - first-time operator
        - engine contributor
        - CLI contributor
        - design contributor
        - coding agent
        - security reviewer
        - launch reviewer
    validations:
      required: true
  - type: textarea
    id: source
    attributes:
      label: Source Of Truth
      description: Which code, contract, example, or existing doc should the answer align with?
    validations:
      required: true
  - type: textarea
    id: done
    attributes:
      label: Done When
      value: |
        - The doc names the real current behavior.
        - The doc links to the source of truth.
        - `docs/llms.txt` or `docs/llms-full.txt` is updated if agent-facing context changed.
    validations:
      required: true
````


## Source: `docs/zero-network.md`

````markdown
# ZERO Network

ZERO Network is the public proof layer for verified autonomous behavior. It is
not a hosted control plane and it does not require operators to send exchange
credentials to ZERO.

## Defaults

- Runtime behavior is private by default.
- Profile publication is opt-in.
- Public profiles contain aggregate behavior only.
- Public leaderboard rows are derived from the same redacted profile packet.
- Deployment identity is represented by a public-safe
  `zero.deployment.claim.v1` claim hash, not by custody or hosted permission.
- Deployment liveness is represented by a public-safe
  `zero.deployment.heartbeat.v1` heartbeat hash bound to the claim hash.
- Raw decisions, trace IDs, idempotency keys, wallet addresses, exchange order
  IDs, strategy source labels, private notes, and per-trade symbols are excluded.

## Local Endpoints

`GET /network/profile` returns a local public-safe profile:

```json
{
  "schema_version": "zero.network.profile.v1",
  "profile": {
    "handle": "local-operator",
    "publish_enabled": false
  },
  "verification": {
    "proof_hash": "sha256:...",
    "deployment_claim_hash": "sha256:...",
    "deployment_heartbeat_hash": "sha256:..."
  },
  "metrics": {
    "decisions": 12,
    "fills": 1,
    "rejections": 11,
    "rejection_rate": 0.9167
  }
}
```

`GET /deployment/claim` returns the signature-ready deployment identity packet
that the profile proof binds. Local deployments report
`signature.status = unsigned_local` unless external signing metadata is provided
through deployment environment variables.

`GET /deployment/heartbeat` returns the signature-ready liveness packet that the
profile proof also binds. It reports paper-only or live dead-man freshness
without exposing raw decisions, trace IDs, idempotency keys, credentials, wallet
material, or private runtime notes.

`GET /network/leaderboard` returns `zero.network.leaderboard.v1` with ranked
rows derived from the same redacted profile format.

`POST /network/publish` requires explicit consent and a local publish path:

```bash
ZERO_NETWORK_HANDLE=my-handle \
ZERO_NETWORK_PUBLISH_PATH=.zero/network/published.jsonl \
zero-paper-api --journal .zero/decisions.jsonl

curl -fsS \
  -H "content-type: application/json" \
  -d '{"consent":true}' \
  http://127.0.0.1:8765/network/publish
```

The public runtime writes a JSONL proof packet to the configured local path. It
does not upload to a ZERO-hosted service. A future hosted Network ingestion API
can consume the same packet without changing the local privacy contract.

## Hosted-Compatible Ingestion And Anti-Gaming

`POST /network/ingest` validates already-redacted `zero.network.profile.v1`
packets and returns `zero.network.ingestion.v1`:

```bash
curl -fsS \
  -H "content-type: application/json" \
  -d '{"profiles":[...]}' \
  http://127.0.0.1:8765/network/ingest
```

This route is stricter than the static leaderboard renderer. It models the
public-safe checks a hosted ZERO Network ingestion service must preserve:

- explicit `publish_enabled=true` consent;
- recomputed profile proof hash;
- internally consistent decision, fill, rejection, acceptance-rate, and
  rejection-rate metrics;
- duplicate accepted handle refusal;
- duplicate accepted proof-hash refusal;
- deployment claim and heartbeat hash binding when deployment packets are
  present;
- accepted-only leaderboard output.

Every submitted packet receives an accepted/refused record with risk flags,
refusal reasons, trust tier, anti-gaming score, and leaderboard eligibility.
The ingestion response includes no raw journals, trace IDs, idempotency keys,
wallet addresses, exchange order IDs, strategy labels, per-trade symbols, or
credentials.

The pinned contract fixture lives at
[contracts/network/ingestion.json](../contracts/network/ingestion.json).

## Freshness And Stale Publication

ZERO Network pages must distinguish historical proof validity from current
operator freshness. A stale profile can keep a valid proof hash while losing
freshness badges and active leaderboard treatment.

See [network-freshness.md](network-freshness.md) for the public-safe freshness
windows, badge policy, and leaderboard rules.

## Profile And Identity Verification

`scripts/network_profile_verify.py` verifies a public profile packet before it
is accepted into Network tooling or shared as operator proof:

```bash
curl -fsS "$ZERO_API/network/profile" > profile.json

scripts/network_profile_verify.py profile.json \
  --identity-bundle artifacts/deployment-identity/current \
  --require-signed-identity
```

The verifier emits `zero.network.profile_verification.v1` and checks:

- profile schema and public-safety redaction;
- recomputed `zero.network.proof.v1` proof hash;
- leaderboard row binding to the profile proof hash;
- deployment claim and heartbeat hashes bound to the profile;
- deployment heartbeat bound to the deployment claim;
- optional signed `zero.deployment_identity_evidence.v1` bundle;
- optional hosted-compatible consent and ingestion acceptance.

This makes the public Network boundary explicit: profiles are aggregate and
open, while signed deployment identity is operator-owned evidence that can be
verified without exposing exchange credentials, wallet material, trace IDs, or
raw decisions.

## Network Proof Pack

The repository commits a deterministic public-safe Network proof chain in
[docs/proof/network](proof/network). It is generated by:

```bash
PYTHONPATH="$PWD/engine/src" scripts/network_proof_pack.py
PYTHONPATH="$PWD/engine/src" scripts/network_proof_pack.py --check
```

The manifest emits `zero.network_proof_pack.v1` and binds:

- the `zero.network.profile.v1` packet;
- the derived `zero.network.leaderboard.v1` row;
- deployment claim and heartbeat artifacts;
- `zero.deployment_identity_evidence.v1`;
- the recomputed `zero.network.profile_verification.v1` report;
- hosted-compatible ingestion acceptance.

This is the public "verify the chain" artifact for agents and reviewers. It
does not claim live trading, PnL, or paper/live correlation.

## Public Index Page Builder

The public repository includes a deterministic static index for checked Network
contract pages:

```bash
just network-index-page-example
```

The index links the active, empty, stale, and leaderboard pages, explains the
opt-in aggregate publication model, and refuses remote or script-style links.
It uses no JavaScript, remote assets, journals, private execution details, or
external links. The three profile states are deliberately distinct:

- **Empty:** no public decisions, no behavior claim.
- **Active:** aggregate proof verifies inside the freshness window.
- **Stale:** proof may still verify, but it is archive evidence, not current
  operator status.

See [examples/network-index-page](../examples/network-index-page) and
[contracts/network/index.html](../contracts/network/index.html).

## Public Profile Page Builder

The public repository includes a deterministic static page builder for one
already-redacted `zero.network.profile.v1` packet:

```bash
just network-profile-page-example
```

The builder emits HTML for aggregate behavior, verification badges, proof hash,
and the public display state only. It escapes profile-provided text and uses no
JavaScript, remote assets, raw journals, symbols, trace IDs, idempotency keys,
wallet addresses, exchange order IDs, strategy labels, or private notes.

See [examples/network-profile-page](../examples/network-profile-page) and
[contracts/network/profile.html](../contracts/network/profile.html). Empty and
stale fixtures are committed at
[contracts/network/empty-profile.html](../contracts/network/empty-profile.html)
and [contracts/network/stale-profile.html](../contracts/network/stale-profile.html).

## Public Leaderboard Builder

The public repository includes a deterministic builder that turns already
redacted `zero.network.profile.v1` JSONL packets into
`zero.network.leaderboard.v1`:

```bash
just network-leaderboard-example
```

The builder:

- accepts public profile packets only;
- rejects malformed rows and mismatched proof hashes;
- ranks deterministically by verification score, decisions, rejection rate, and
  handle;
- emits only public-safe row fields;
- never reads raw journals, symbols, trace IDs, idempotency keys, wallet
  addresses, exchange order IDs, or private notes.

See [examples/network-leaderboard](../examples/network-leaderboard).

## Public Leaderboard Page Builder

The public repository also includes a deterministic static page builder for an
already-redacted `zero.network.leaderboard.v1` payload:

```bash
just network-leaderboard-page-example
```

The page renders rank, handle, display name, mode, aggregate counts,
verification score, proof hash, and an explicit state guide only. It escapes
row-provided text and uses no JavaScript, remote assets, raw journals, symbols,
trace IDs, idempotency keys, wallet addresses, exchange order IDs, strategy
labels, or private notes.

See [examples/network-leaderboard-page](../examples/network-leaderboard-page)
and [contracts/network/leaderboard.html](../contracts/network/leaderboard.html).

## Static Page Smoke Gate

Checked Network pages are covered by a deterministic smoke gate:

```bash
just network-pages-smoke
```

The gate parses `contracts/network/index.html`,
`contracts/network/profile.html`, `contracts/network/empty-profile.html`,
`contracts/network/stale-profile.html`, and
`contracts/network/leaderboard.html`. It verifies each page title and primary
heading, requires expected local links and state copy, and fails on JavaScript,
event handlers, remote references, missing local link targets, or raw private
runtime tokens.

## Verification Badges

- `paper_verified`: aggregate paper behavior was observed.
- `durable_journal`: behavior is backed by a local durable journal.
- `live_observed`: live execution records exist. This badge does not imply
  custody transfer and must never include exchange credentials.

## Leaderboard Rules

The first open-source leaderboard model is intentionally conservative. It ranks
verified public behavior by aggregate activity and rejection discipline rather
than PnL screenshots. It is a proof-of-process surface, not financial advice.

The leaderboard row includes:

- rank;
- handle;
- display name;
- mode;
- decision count;
- rejection rate;
- open position count;
- verification score;
- proof hash.
- deployment claim hash.

It excludes raw trades and strategy details.
````


## Source: `docs/network-freshness.md`

````markdown
# ZERO Network Freshness

ZERO Network publishes public-safe proof of process, not custody, PnL, or live
trading authority. A profile packet can stay cryptographically valid while its
operator state becomes old. Hosted Network pages must separate proof validity
from freshness.

## Core Rule

- Proof hashes remain historical audit evidence.
- Freshness badges expire when the packet is no longer recent.
- Stale packets can remain visible as archived proof.
- Expired packets should not receive active leaderboard freshness treatment.

This prevents an old but valid packet from implying current operator health,
current runtime liveness, or current risk discipline.

## Public-Safe Timestamps

Freshness should be derived only from public-safe timestamps already present in
or bound to redacted packets:

- `generated_at` from `zero.network.profile.v1`;
- deployment heartbeat timestamp from `zero.deployment.heartbeat.v1`;
- hosted ingestion timestamp assigned by the Network service.

Hosted pages must not request exchange credentials, wallet signatures,
exchange order IDs, raw journals, trace IDs, idempotency keys, per-trade
symbols, strategy labels, or private notes to calculate freshness.

## Freshness Windows

Use conservative defaults until real hosted traffic gives enough evidence to
adjust them.

| Packet type | Fresh | Stale | Expired |
| --- | --- | --- | --- |
| Paper profile | 24 hours | 7 days | 30 days |
| Live-observed profile | 15 minutes | 2 hours | 24 hours |
| Deployment heartbeat | 10 minutes | 30 minutes | 2 hours |

Paper profiles prove process and reproducibility, so they can remain fresh for
longer. Live-observed profiles imply more current operational liveness, so they
must expire faster. Deployment heartbeats are liveness evidence and should use
the strictest window.

## Badge Policy

Hosted pages may show:

- `proof_valid`: profile hash, leaderboard row, and optional deployment
  identity chain verify;
- `fresh`: packet is inside the fresh window;
- `stale`: packet is outside the fresh window but inside the stale window;
- `expired`: packet is outside the stale window.

Freshness badges must be removed or downgraded when the newest bound timestamp
crosses its window. `proof_valid` may remain visible if the packet still
verifies. `live_observed` must never imply that ZERO controls funds or that the
operator is currently live.

## Leaderboard Policy

Leaderboard rank remains proof-of-process, not PnL.

Hosted leaderboards should:

- rank active rows only when profile proof is valid and freshness is not
  expired;
- mark stale rows clearly in the active table or move them below fresh rows;
- move expired rows to historical views unless explicitly requested;
- keep ranking based on aggregate verification score, decisions, rejection
  discipline, and deterministic tie-breaks;
- never rank by unverified screenshots, claimed PnL, raw trade logs, or private
  strategy details.

If a row is stale or expired, the page should explain that historical proof
still verifies but current operator liveness is not being asserted.

## Ingestion Behavior

Hosted ingestion should preserve existing refusal rules for missing consent,
proof mismatches, inconsistent aggregate metrics, duplicate accepted handles,
and duplicate accepted proof hashes. Freshness is an additional display and
eligibility layer; it should not rewrite historical proof.

Recommended packet treatment:

- accept and archive valid packets even when stale;
- withhold `fresh` treatment when timestamps exceed the relevant window;
- reject or quarantine packets with impossible future timestamps;
- refuse active leaderboard eligibility for expired packets;
- include freshness status and evaluated timestamp in public-safe ingestion
  results.

## Operator Guidance

Operators who want an active public profile should republish a fresh redacted
packet from their local runtime. Republishing must remain opt-in and must not
require hosted custody, exchange credential upload, or private journal upload.

Freshness is an honesty signal. It tells viewers when the public proof was last
observed without turning ZERO Network into a custody service or a performance
claim.

## Deterministic Stale Fixture

The public repo includes a stale-profile fixture in
`examples/network-stale-profile/stale-profile.json`. It shows the important
separation:

- `proof.status=valid`: the profile proof hash still recomputes.
- `freshness.status=stale`: the packet is no longer active operator status.
- `claim_boundary.active_operator_status_asserted=false`: viewers should treat
  it as archive evidence, not current liveness.

Rebuild or verify the shape with:

```bash
PYTHONPATH="$PWD/engine/src" python3 examples/network-stale-profile/build.py
```

## Deterministic Empty Fixture

The public repo also includes an empty-profile fixture in
`examples/network-empty-profile/empty-profile.json`. It proves the profile and
page builders can render a zero-claim public state:

- `verification.status=empty`: no public decisions have been observed.
- `metrics.decisions=0`: the page has no behavior to rank.
- `state=empty`: viewers should not infer PnL, custody, or live trading.

Rebuild or verify the shape with:

```bash
PYTHONPATH="$PWD/engine/src" python3 examples/network-empty-profile/build.py
```
````


## Source: `docs/zero-intelligence.md`

````markdown
# ZERO Intelligence

ZERO Intelligence is the data product built from verified autonomous behavior.
During operator growth, realtime Intelligence access is free so ZERO can
increase operator density, collect better verified behavior, and make public
profiles and leaderboards more valuable. Future commercial packaging should
monetize scale, retention, redistribution, support, and SLAs rather than basic
operator access.

It is not a hosted deployment product. Operators should be able to run ZERO
locally, through Docker, or on Railway without paying ZERO and without sending
exchange credentials to ZERO. Railway is the preferred hosted deployment path
because it gives operators their own project, secrets, services, volumes,
databases, logs, and billing relationship.

## Public Surfaces

- Open-source ZERO Runtime
- Operator CLI
- Local paper mode
- Self-custodial live mode, once shipped
- Railway and Docker deployment templates
- Public profiles
- Public leaderboards
- Public verification badges
- Public benchmark pages
- Delayed or rate-limited public intelligence snapshots

## Growth-Mode Free Surfaces

- Realtime Intelligence API access for verified operators
- Public profiles and leaderboards
- Public verification badges
- Delayed and rate-limited public intelligence snapshots
- Hosted-compatible Railway/Docker contract testing

## Future Commercial Surfaces

- Historical decision and risk datasets
- Advanced filters, cohorts, and benchmark analytics
- Commercial intelligence connectors and enrichment feeds
- Webhooks and streaming feeds
- Higher API limits and bulk exports
- Commercial redistribution rights
- Enterprise support, reliability commitments, and SLAs

## Public Runtime Contract

The open runtime now emits the same safe packets that the commercial data
product should ingest later:

- `GET /intelligence/snapshot` returns `zero.intelligence.snapshot.v1`, a
  delayed public aggregate derived from a verified ZERO Network profile.
  Its source binds both the deployment claim hash and deployment heartbeat hash.
- `GET /intelligence/catalog` returns `zero.intelligence.catalog.v1`, the
  commercial API, billing, scope, dataset, and rate-limit contract.
- `GET /intelligence/commercial` returns `zero.intelligence.commercial.v1`, the
  pinned hosted API boundary for plans, scopes, datasets, usage events,
  webhooks, exports, reliability tiers, and privacy.
- `GET /v1/intelligence/snapshots`, `/history`, `/cohorts`, and `/benchmarks`
  expose the hosted-compatible read API shape. Delayed snapshots are public;
  realtime, history, cohort, and benchmark scopes require a bearer token when
  `ZERO_INTELLIGENCE_API_TOKEN` is configured.
- `POST /v1/intelligence/webhooks` and `/exports` expose the hosted-compatible
  write API shape for signed webhook fixtures and aggregate export jobs.
- `GET /intelligence/model-gateway` returns `zero.model_gateway.status.v1`, the
  provider-agnostic, fail-closed model routing status for advisory intelligence,
  including optional OpenAI, Anthropic, Ollama, and OpenRouter adapter readiness,
  bounded retry policy, usage counters, and public-safe cost-estimate source.
- `POST /intelligence/export` writes an opt-in local JSONL packet when
  `ZERO_INTELLIGENCE_EXPORT_PATH` is configured and the request includes
  `{"consent":true}`.

The public runtime does not upload intelligence packets to ZERO. Hosted
ingestion is a future commercial API surface, not a requirement for local
operation.

## Packaging

- Growth mode: runtime, CLI, public profiles, public leaderboards, delayed
  snapshots, realtime Intelligence API access, hosted-compatible Railway
  contracts, and onboarding credits are free for verified operators.
- Future operator plans: higher API quota, alerts, webhooks, longer history,
  saved views, and profile verification features.
- Future teams/funds: team API keys, cohort analytics, bulk exports, private
  benchmarks, and redistribution rights.
- Future enterprise: SLOs, support, compliance needs, custom retention, and
  commercial redistribution.

## Hosted API Shape

The hosted API should use bearer API keys, explicit scopes, usage events, and
standard rate-limit headers even while access is free in growth mode. The
checked contract fixture lives at
[contracts/intelligence/commercial.json](../contracts/intelligence/commercial.json).

The public server now includes a reference implementation of the hosted API
boundary under `/v1/intelligence/*`. It is not a production billing service;
it is a contract harness for clients, docs, Railway smoke tests, and
contributor work.

- `x-zero-ratelimit-limit`
- `x-zero-ratelimit-remaining`
- `x-zero-ratelimit-reset`
- `x-zero-ratelimit-policy`

Primary scopes:

- `intelligence:read:delayed`
- `intelligence:read:realtime`
- `intelligence:read:history`
- `intelligence:cohorts`
- `intelligence:exports`
- `intelligence:webhooks`
- `intelligence:redistribute`

Primary datasets:

- `verified_behavior_snapshots`
- `cohort_benchmarks`
- `risk_operations_history`
- `leaderboard_history`

Primary usage events:

- `snapshot.delayed.read`
- `snapshot.realtime.read`
- `history.query`
- `cohort.query`
- `benchmark.query`
- `webhook.delivery`
- `export.created`
- `redistribution.reported`

Reference auth and signing variables:

```text
ZERO_INTELLIGENCE_API_TOKEN=...
ZERO_INTELLIGENCE_API_PLAN=team_fund
ZERO_INTELLIGENCE_API_ACCOUNT_ID=acct_...
ZERO_INTELLIGENCE_WEBHOOK_SIGNING_KEY=...
ZERO_INTELLIGENCE_STORE_PATH=/data/zero/intelligence.jsonl
```

The reference implementation enforces protected scopes when a token is
configured, emits real `x-zero-ratelimit-*` headers, and returns webhook
signature fixtures with:

```text
x-zero-signature-timestamp
x-zero-signature
x-zero-signature-algorithm
```

The signature payload is `timestamp + "." + canonical_json_body` signed with
HMAC-SHA256. The signing key is never returned.

## Durable Reference Store

When `ZERO_INTELLIGENCE_STORE_PATH` is configured, the hosted-compatible
reference API appends public-safe JSONL records for delayed/realtime snapshots,
usage events, webhook subscription fixtures, and export jobs. History queries
then read stored snapshot records before falling back to the current runtime
snapshot.

The store is intentionally aggregate-only:

- API tokens and webhook signing keys are never written.
- Account IDs and webhook target URLs are persisted as SHA-256 hashes.
- Raw journals, trace IDs, idempotency keys, symbols, exchange order IDs,
  wallet identifiers, and strategy labels remain excluded by the same privacy
  checks that guard public Network and Intelligence packets.

This is not the final commercial warehouse or billing system. It is the
durable, stdlib, self-hostable persistence boundary that production hosted
Intelligence can replace with Postgres, ClickHouse, or another append-only
warehouse without changing the public API contract.

## Data Rules

- Local runtime use is private by default.
- Telemetry is opt-in.
- Public profile publishing is opt-in.
- Public profile packets must use the `zero.network.profile.v1` redaction
  contract.
- Verified live badges require proof without custody.
- Aggregated intelligence must not expose raw private operator secrets,
  exchange credentials, private notes, or non-consented strategy details.
- Model gateway status must not expose prompts, raw model outputs, provider
  secret values, or hosted request metadata.
- Model gateway health probes are config-only by default; explicit network
  probes must return only public provider, attempt, token-count, and status
  metadata.
- Model gateway audit bundles must prove fail-closed controls and evidence
  requirements without including prompts, raw outputs, headers, request IDs, or
  secret values.
- Model gateway costs must come from operator-configured prices or provider
  usage metadata; the public runtime must not bake stale vendor pricing into
  source code.
- Growth-mode intelligence should remain free for operator density.
- Future paid intelligence should monetize scale, history, reliability,
  redistribution, and support, not basic runtime use.
- Core runtime and venue adapters should remain public. Commercial connectors
  should exist for intelligence enrichment, partner integrations, redistribution,
  and enterprise data delivery.

## Flywheel

```text
Open runtime -> verified behavior -> public network proof -> Intelligence
```

The runtime creates behavior. The network verifies behavior. ZERO Intelligence
turns verified behavior into free operator utility first, then future
commercial scale, retention, redistribution, and SLA products.
````


## Source: `docs/model-gateway.md`

````markdown
# Model Gateway

ZERO's model gateway is the provider-agnostic boundary for advisory
intelligence. It is not an execution authority, and trading must remain safe
when no model provider is configured.

## Contract

```bash
curl -fsS http://127.0.0.1:8765/intelligence/model-gateway | jq .
```

The response is `zero.model_gateway.status.v1`. It reports configured provider
state, capability routing, adapter class, public usage counters, and privacy
guarantees. It does not include prompts, raw model outputs, API key values,
exchange credentials, wallet material, trace IDs, or idempotency keys.

Default local behavior is fail-closed:

```json
{
  "schema_version": "zero.model_gateway.status.v1",
  "mode": "fail_closed",
  "default_provider": "none",
  "routing": {
    "structured_output": null
  }
}
```

The pinned fixture lives at
[`contracts/intelligence/model_gateway.json`](../contracts/intelligence/model_gateway.json).

## Health And Audit

```bash
curl -fsS http://127.0.0.1:8765/intelligence/model-gateway/health | jq .
curl -fsS http://127.0.0.1:8765/intelligence/model-gateway/audit | jq .
```

`GET /intelligence/model-gateway/health` returns
`zero.model_gateway.health.v1`. The default probe is config-only: it reports
selected provider, configuration gaps, retry budgets, and whether a provider is
ready for an explicit network probe. It does not call a hosted provider.

To run a real provider probe, call:

```bash
curl -fsS 'http://127.0.0.1:8765/intelligence/model-gateway/health?network=true' | jq .
```

The explicit network probe sends a minimal structured-readiness request through
the selected provider and reports only public metadata: provider, status,
attempts, token counts when available, and a public reason. It never returns the
prompt, raw model output, headers, provider request IDs, or secret values.

`GET /intelligence/model-gateway/audit` returns
`zero.model_gateway.audit.v1`. It is the production model-operations bundle:
status, config-only health, usage totals, control assertions, evidence
requirements, and privacy guarantees in one packet.

Pinned fixtures:

- [`contracts/intelligence/model_gateway_health.json`](../contracts/intelligence/model_gateway_health.json)
- [`contracts/intelligence/model_gateway_audit.json`](../contracts/intelligence/model_gateway_audit.json)

## Providers

The open runtime registers these provider families:

- `mock` for deterministic local CI and conformance tests.
- `openai` for hosted Responses API reasoning, chat, embeddings, and structured
  output.
- `anthropic` for hosted reasoning, chat, and structured output.
- `ollama` for local model serving.
- `openrouter` for hosted provider routing.

External providers use the `http_json` adapter behind the same fail-closed
contract as the mock provider. They are optional and operator-configured. The
public runtime reports whether a provider appears configured, but it does not
expose secret values. Network calls stay disabled unless the operator explicitly
enables the model network boundary with `ZERO_MODEL_ALLOW_NETWORK=true`.
OpenAI and OpenRouter requests use JSON Schema response formats; Ollama receives
the same schema through its local `format` field; Anthropic receives the schema
as an explicit return-only-JSON instruction.

## Retry And Cost Policy

Hosted model retries are bounded by `ZERO_MODEL_MAX_ATTEMPTS`, clamped to `1..3`.
`ZERO_MODEL_TIMEOUT_S` is clamped to `1..120`. Retry attempts and timeout
budgets are public in provider status so operators can audit the model boundary
without exposing secrets.

Provider token usage is recorded when the provider returns usage metadata. Dollar
costs are estimated only when the operator supplies per-provider token prices;
the runtime does not ship stale vendor pricing.

## Safety Rules

- Missing provider means `failed_closed`, never fabricated certainty.
- Model output must pass structured JSON validation before use.
- Hosted provider request failures return `failed_closed` after the bounded
  retry budget is exhausted.
- Usage events record provider, model, capability, status, prompt length, output
  length, attempts, token counts, and estimated cost only.
- Model output is advisory-only; live execution remains gated by preflight,
  reconciliation, immune breakers, dead-man heartbeat, and live policy.

## Environment

- `ZERO_MODEL_PROVIDER=mock|openai|anthropic|ollama|openrouter`
- `ZERO_MODEL_NAME`
- `ZERO_MODEL_MOCK_ENABLED=true`
- `ZERO_MODEL_ALLOW_NETWORK=true`
- `ZERO_MODEL_MAX_ATTEMPTS=1`
- `ZERO_MODEL_TIMEOUT_S=30`
- `OPENAI_API_KEY`
- `ANTHROPIC_API_KEY`
- `OLLAMA_BASE_URL`
- `OPENROUTER_API_KEY`
- `ZERO_OPENAI_BASE_URL` for an OpenAI-compatible override
- `ZERO_ANTHROPIC_BASE_URL` for an Anthropic-compatible override
- `ZERO_OPENROUTER_BASE_URL` for an OpenRouter-compatible override
- `ZERO_MODEL_OPENAI_INPUT_COST_PER_1M_TOKENS_USD`
- `ZERO_MODEL_OPENAI_OUTPUT_COST_PER_1M_TOKENS_USD`
- `ZERO_MODEL_ANTHROPIC_INPUT_COST_PER_1M_TOKENS_USD`
- `ZERO_MODEL_ANTHROPIC_OUTPUT_COST_PER_1M_TOKENS_USD`
- `ZERO_MODEL_OLLAMA_INPUT_COST_PER_1M_TOKENS_USD`
- `ZERO_MODEL_OLLAMA_OUTPUT_COST_PER_1M_TOKENS_USD`
- `ZERO_MODEL_OPENROUTER_INPUT_COST_PER_1M_TOKENS_USD`
- `ZERO_MODEL_OPENROUTER_OUTPUT_COST_PER_1M_TOKENS_USD`

For public CI, use the mock provider. For production, provider keys should be
scoped per operator and managed outside the repository.

For hosted ZERO Intelligence, provider keys must live in the hosted secret
manager or in the operator's own deployment environment. Public status packets
may expose whether a provider is configured, but must never expose key values,
request headers, raw prompts, raw outputs, or provider request identifiers.
````


## Source: `docs/release.md`

````markdown
# Release Process

ZERO does not publish production trading claims from this repository. Releases
ship installable open-source runtime artifacts, safety-contract changes, and
developer-facing examples.

## Release Gates

Before tagging:

```bash
just ci
just release-preflight
```

Required checks:

- Public proof gate for demo proof pack, Network proof chain, read-only MCP
  smoke test, and committed MCP transcript
- Python engine lint and tests
- Rust CLI formatting, clippy, and tests
- Local paper API smoke through the Rust CLI
- Hardening gate for threat model, runbooks, distribution policy, release
  verification, and public packet contracts
- Paper example smoke test
- Package dry run for Python artifacts and Rust crates
- Container smoke test in GitHub Actions
- Required docs check
- Secret scan in GitHub Actions
- CodeQL and OpenSSF Scorecard workflows

## Versioning

Use semver once public packages are published.

- Patch: bug fixes, docs, tests, non-breaking safety clarifications
- Minor: additive APIs, new examples, new adapters
- Major: breaking API, CLI, config, or safety-contract changes

## Release Notes

Every release note should include:

- What changed
- How to run it locally
- Safety impact
- Migration notes when applicable
- Known limitations

Version-specific notes live in `docs/releases/<tag>.md`. The release workflow
uses that file when it exists and falls back to `.github/RELEASE_TEMPLATE.md`
for unrehearsed tags.

## Artifacts

Target launch artifacts:

- Source archive
- Rust CLI binaries plus `SHA256SUMS`
- Python wheel/source distribution plus `SHA256SUMS`
- Container image tarball for the local paper runtime plus `SHA256SUMS`
- `SBOM.spdx.json`
- `PROVENANCE.json`

The first public release may ship source-only if the quickstart is reliable and
the limitation is called out clearly.

## Verification

For a reader-focused verification path, start with
[Release Verification Guide](release-verification.md).

Download the artifact bundle and verify its checksum file before running it:

```bash
cd dist
shasum -a 256 -c SHA256SUMS
scripts/release_verify.py dist
```

The checksum file uses the standard two-column `sha256  filename` format. A
failed checksum means the artifact should not be used.

`SBOM.spdx.json` and `PROVENANCE.json` must be present in the same directory as
the release assets. They are included in `SHA256SUMS`, so checksum verification
also detects tampering with dependency and provenance metadata.

For GitHub Release assets, download all files attached to the release into one
directory and verify the combined checksum manifest:

```bash
shasum -a 256 -c SHA256SUMS
scripts/release_verify.py .
```

Verify the GitHub artifact attestation for any downloaded executable:

```bash
gh attestation verify zero-linux -R zero-intel/zero
```

Use `zero-macos` for the macOS binary.

## Published Release Evidence

Verify a published GitHub Release from a clean download directory:

```bash
just release-evidence v0.1.2
```

The evidence command downloads the release, verifies `SHA256SUMS`, runs
`scripts/release_verify.py`, verifies executable artifact attestations, and
renders the Homebrew formula from the downloaded checksum manifest. It then
fails unless that rendered formula exactly matches the committed
`Formula/zero.rb`, so the public tap cannot drift away from the published
release. It does not publish package registries or mutate release assets.

The current `v0.1.2` clean-download verification is recorded in
[docs/releases/v0.1.2-evidence.md](releases/v0.1.2-evidence.md).

## Public Proof Gate

Run the public proof gate before tagging, publishing release notes, or
announcing a release candidate:

```bash
just public-proof
```

The gate verifies that the committed demo proof pack, Network proof chain,
read-only MCP server, and committed MCP transcript are internally consistent.
The tag-triggered release workflow runs the same proof commands before registry
readiness and before any package, CLI binary, or container artifact is built.

## Hardening Gate

Run the local hardening gate before tagging or publishing:

```bash
scripts/hardening_gate.sh
```

The gate verifies that the threat model, incident runbooks, distribution policy,
release verification template, intelligence contracts, and shell scripts are
present and parseable. It is intentionally lightweight so it can run inside
`just ci` on every pull request.

## CLI Install Path

Install the latest CLI binary with checksum and attestation verification:

```bash
curl -fsSL https://raw.githubusercontent.com/zero-intel/zero/main/scripts/install.sh | bash
```

The installer requires `gh`. It downloads the latest release asset for the host
OS, verifies `SHA256SUMS`, verifies the GitHub artifact attestation, and installs
`zero` to `~/.local/bin` by default. Set `ZERO_VERSION=vX.Y.Z` to install a
specific release or `ZERO_INSTALL_DIR=/path/to/bin` to choose another location.

Homebrew is also supported through the public repo tap:

```bash
brew tap zero-intel/zero https://github.com/zero-intel/zero
brew install zero
zero --version
```

The formula lives at `Formula/zero.rb`, installs the `zero` CLI from the
checksummed GitHub Release asset, and does not require private package registry
access. It is generated from `SHA256SUMS` by `scripts/homebrew_formula.py`.

### Homebrew Rollback Verification

First prove the current public tap path still works from a clean local tap:

```bash
brew uninstall zero || true
brew untap zero-intel/zero || true
brew tap zero-intel/zero https://github.com/zero-intel/zero
brew install zero-intel/zero/zero
zero --version
```

To temporarily roll an operator machine back to the previous formula commit,
checkout the older `Formula/zero.rb` inside the local Homebrew tap, reinstall,
and pin the package until the incident is resolved:

```bash
tap_repo="$(brew --repo zero-intel/zero)"
git -C "$tap_repo" log --oneline -- Formula/zero.rb
git -C "$tap_repo" checkout <previous-formula-commit> -- Formula/zero.rb
brew reinstall --formula zero-intel/zero/zero
zero --version
brew pin zero
```

After the rollback window, return the tap to the published formula and reinstall
the current release:

```bash
brew unpin zero || true
tap_repo="$(brew --repo zero-intel/zero)"
git -C "$tap_repo" restore Formula/zero.rb
brew update
brew reinstall --formula zero-intel/zero/zero
zero --version
```

The checksum check proves the installed binary matches the GitHub Release
checksum recorded in `SHA256SUMS`. The formula drift check proves the committed
Homebrew formula was generated from that release checksum manifest, still points
at the public GitHub Release asset, and has not been edited to use a stale
checksum, stale tag, private tap, or private registry. These checks prove
release integrity for the public Homebrew path; they do not prove trading
performance, custody safety, or publication to PyPI, crates.io, Docker Hub, or
GHCR.

## Package Dry Run

Run the non-publishing package check before opening a release PR or tagging:

```bash
just public-proof
just registry-readiness
just package-dry-run
```

`just registry-readiness` checks PyPI metadata, Cargo registry metadata,
per-crate publish metadata inheritance, optional live dependencies, and
documentation guardrails. It also verifies the registry launch packet at
`contracts/distribution/registry-launch.json` and the MCP Registry packet at
`contracts/distribution/mcp-registry.json`, which record which channels are
published, ready, or blocked. It is intentionally non-publishing. `just
package-dry-run` then builds the Python engine wheel and source distribution
into a temporary directory, and runs `cargo package --workspace --no-verify`
for the Rust crate graph using a temporary Cargo target directory. Neither
command requires PyPI, crates.io, Homebrew, Docker, or GitHub publishing tokens.

PyPI should use Trusted Publishing from GitHub Actions when enabled. Do not add
long-lived PyPI tokens to repository secrets or examples.

Current package-name assumptions:

- PyPI candidate: `zero-engine`
- PyPI published package: `zero-engine`
- crates.io packages: the `zero-*` workspace crates plus the `zero-os` CLI package
- Homebrew: `zero-intel/zero` public repo tap with `Formula/zero.rb`

## Release Rehearsal

Run the release rehearsal before tagging:

```bash
just release-rehearsal
just draft-release-rehearsal
```

The rehearsal creates a temporary GitHub Actions-style artifact directory,
assembles it through `scripts/assemble_release_assets.sh`, verifies the bundle
with `scripts/release_verify.py`, then tampers with the Linux binary and proves
verification fails. This is a rollback and integrity drill: a maintainer should
not publish a release unless the verifier catches the tampered-artifact case.

The assembly step also runs `scripts/release_provenance.py` to generate
`SBOM.spdx.json` and `PROVENANCE.json` before writing the combined checksum
manifest.

`just draft-release-rehearsal` dry-runs the GitHub draft release rehearsal path:
it builds temporary release assets, verifies them, and renders a Homebrew formula
from the combined checksum manifest. It does not contact GitHub unless explicitly
run as:

```bash
scripts/draft_release_rehearsal.sh --execute
```

The execute mode creates a temporary draft prerelease, downloads all attached
assets into a fresh directory, runs `scripts/release_verify.py`, renders the
Homebrew formula from the fresh download, then deletes the draft release and its
temporary tag. Use `--keep` only when a maintainer needs to inspect the draft
release manually.

## Tag Workflow Rehearsal

Before the first public release candidate, and after any material release
workflow change, run the high-fidelity GitHub tag workflow drill:

```bash
scripts/release_workflow_rehearsal.sh --execute
```

The script creates a temporary prerelease tag on `origin/main`, waits for the
real `.github/workflows/release.yml` run, verifies that `public-proof`,
registry-readiness, package builds, CLI builds, container smoke, and draft
release assembly all succeeded, downloads the generated draft release from
GitHub, verifies checksums, release provenance, Homebrew formula rendering, and
executable attestations, then deletes the draft release and temporary tag. Use
`--keep` only when a maintainer needs to inspect the temporary draft manually.

## Current Automation

`.github/workflows/release.yml` runs on tags shaped like `v*.*.*` and builds:

- Public proof preflight before release artifacts are built
- Registry-readiness preflight before package artifacts are built
- Python wheel and source distribution for `engine/`
- Linux and macOS CLI binaries for the `zero` crate
- Paper-mode Docker image smoke tests and an exported image tarball
- SHA-256 checksum files for each artifact group
- A draft GitHub Release containing the wheel, source distribution, CLI
  binaries, paper image tarball, `SBOM.spdx.json`, `PROVENANCE.json`, and a
  combined `SHA256SUMS`
- Release asset verification through `scripts/release_verify.py` before
  attestation and draft release upload
- GitHub artifact attestations for release assets listed in the combined
  checksum manifest
- Dry-run draft release rollback rehearsal in CI; execute mode remains
  maintainer-triggered only
- Maintainer-triggered tag workflow rehearsal through
  `scripts/release_workflow_rehearsal.sh --execute`

The workflow uploads artifacts to the GitHub Actions run and attaches the
assembled release bundle to a draft GitHub Release. It does not publish to any
package registry. PyPI publication for `zero-engine` is handled by
`python-release.yml` through Trusted Publishing. crates.io publication for
`zero-os` is manual with least-privilege `CRATESIO_API_TOKEN`. GHCR publication
for the paper image is maintainer-triggered through
`container-publish.yml` and has authenticated smoke evidence; keep it out of
the primary public install path until anonymous pull access is verified. Docker
Hub publishing should be added only after repository ownership, provenance,
rollback, and token permissions are finalized.

## Homebrew Formula

The committed formula is `Formula/zero.rb`. To update it for a new release,
render the formula from a downloaded and verified release directory:

```bash
scripts/homebrew_formula.py <downloaded-release-dir> --tag v0.1.2 --output Formula/zero.rb
scripts/homebrew_formula_check.py
```

The formula uses the `zero-macos` and `zero-linux` checksums from `SHA256SUMS`,
installs the CLI only, states that the public runtime defaults to paper mode,
and links to the release and safety docs in its caveats.

## Signing And Provenance

The release workflow uses GitHub artifact attestations through `actions/attest`.
For public repositories, GitHub signs the attestation with Sigstore-backed
provenance. Maintainers should leave releases in draft until checksum and
attestation verification both pass from a fresh checkout or clean download
directory.

ZERO also ships local provenance metadata:

- `SBOM.spdx.json`: SPDX 2.3 package/component metadata generated from
  `engine/pyproject.toml`, `cli/Cargo.lock`, workspace crate manifests, and
  release assets.
- `PROVENANCE.json`: source commit, branch/tag, dirty-state flag, asset hashes,
  and policy assertions that paper mode is default, live execution evidence is
  not claimed, and release-bundle generation does not publish package-registry
  artifacts.

Do not add automated crates.io or Docker Hub publishing until the registry
channel has an owner, rollback path, least-privilege token plan, and documented
support expectation in [distribution.md](distribution.md). Keep GHCR manual
until public-pull verification and package visibility administration are
recorded in [registry-launch.md](registry-launch.md).
````


## Source: `docs/release-verification.md`

````markdown
# Release Verification Guide

This guide explains how to verify a ZERO release before installing or sharing
it. It checks artifact integrity, GitHub artifact attestations, SBOM/provenance
metadata, the committed Homebrew formula, and the clean-download evidence record.

It verifies release integrity only. It does not prove live trading safety,
hosted custody, future package-registry publication, or profitability.

## From A Fresh Clone

Use this path when you want the repository verifier to download the release
from GitHub and check everything in a temporary clean directory:

```bash
git clone https://github.com/zero-intel/zero.git
cd zero
just release-evidence v0.1.2
```

For machine-readable output:

```bash
scripts/release_evidence.py v0.1.2 --json
```

The release evidence command:

- reads the published GitHub Release metadata;
- downloads every attached release asset into a clean temporary directory;
- verifies `SHA256SUMS` with `shasum -a 256 -c SHA256SUMS`;
- runs `scripts/release_verify.py` against the downloaded directory;
- verifies executable GitHub artifact attestations;
- renders a Homebrew formula from the downloaded checksums;
- fails if the rendered formula differs from the committed `Formula/zero.rb`.

The current published evidence is recorded in
[v0.1.2 release evidence](releases/v0.1.2-evidence.md). Historical `v0.1.1`
evidence remains in [v0.1.1 release evidence](releases/v0.1.1-evidence.md).

## From Downloaded Assets

Use this path when you already downloaded all GitHub Release assets into one
directory:

```bash
cd /path/to/downloaded/zero-release
shasum -a 256 -c SHA256SUMS
/path/to/zero/scripts/release_verify.py .
```

Expected launch assets include:

- `SHA256SUMS`
- `zero-linux`
- `zero-macos`
- `zero-paper-image.tar`
- `zero_engine-<version>-py3-none-any.whl`
- `zero_engine-<version>.tar.gz`
- `SBOM.spdx.json`
- `PROVENANCE.json`

`scripts/release_verify.py` checks that the checksum manifest covers exactly
the release assets, every checksum matches, expected launch assets are present,
assets are non-empty, and the metadata files parse with the expected safety
claims.

## Verify GitHub Artifact Attestations

Run attestation verification from the downloaded asset directory:

```bash
gh attestation verify zero-linux -R zero-intel/zero
gh attestation verify zero-macos -R zero-intel/zero
```

These commands prove that GitHub has signed provenance for the executable
artifacts attached to the release. They do not prove that the executable is safe
to use for live capital; they prove release provenance for the downloaded file.

## Read SBOM And Provenance

The release verifier requires both files:

```bash
python3 -m json.tool SBOM.spdx.json >/dev/null
python3 -m json.tool PROVENANCE.json >/dev/null
```

`SBOM.spdx.json` records package/component metadata. `PROVENANCE.json` records
source commit, tag, asset hashes, dirty-state policy, and release assertions
such as paper-first defaults and no package-registry publication.

## Check The Homebrew Formula

The public repo works as its own Homebrew tap:

```bash
brew tap zero-intel/zero https://github.com/zero-intel/zero
brew install zero
```

The committed formula at `Formula/zero.rb` must be generated from a verified
release directory:

```bash
scripts/homebrew_formula.py /path/to/downloaded/zero-release --tag v0.1.2 --output /tmp/zero.rb
diff -u Formula/zero.rb /tmp/zero.rb
scripts/homebrew_formula_check.py
```

The formula drift check proves that the tap points at the same GitHub Release
assets and checksums as the downloaded release. If the rendered formula differs
from `Formula/zero.rb`, the tap is stale or the release verification input is
wrong.

## Refuse On Any Failure

Do not install or redistribute a release when any of these fail:

- `shasum -a 256 -c SHA256SUMS`
- `scripts/release_verify.py <downloaded-release-dir>`
- `gh attestation verify zero-linux -R zero-intel/zero`
- `gh attestation verify zero-macos -R zero-intel/zero`
- `scripts/homebrew_formula_check.py`
- `just release-evidence <tag>`

Treat failure as an integrity incident until a maintainer publishes corrected
evidence or replaces the release.
````