Vibe Deploy is the optional trust ceremony that connects an operator-owned ZERO Runtime to the ZERO control plane. It is not custody and it is not required to run the public paper Runtime locally, in Docker, or on Railway.
The public Runtime remains useful by itself:
- paper mode is the default;
- live Hyperliquid prices are read-only unless the operator configures more;
- live-risk endpoints fail closed by default;
- journals, audit export, proof packs, and MCP inspection work without a ZERO hosted account.
Vibe Deploy adds a receipt-backed chain of evidence so the app/control plane can distinguish a genuine Runtime from someone clicking a button.
| Step | Runtime/control-plane proof |
|---|---|
claim_runtime |
Deployment ownership proof. The Runtime consumes a single-use claim token and receives scoped control-plane credentials. |
observe_first_heartbeat |
Runtime liveness proof. The claimed Runtime sends signed heartbeat evidence with replay protection. |
run_paper_acceptance |
Paper capability proof. The Runtime executes a paper acceptance path and writes local journal/audit evidence. |
record_paper_acceptance |
Control-plane acceptance proof. The Runtime posts a signed paper acceptance event for the deployment. |
approveAgent |
Authority proof. The operator's main wallet approves the Hyperliquid API/agent wallet; the public Runtime does not do this by default. |
grant_short_live_lease |
Execution authority proof. The control plane grants bounded live authority only after ownership, liveness, paper capability, and agent approval are present. |
approveBuilderFee |
Revenue authority proof. Optional for paid/live use; signed by the main wallet, never by the API/agent wallet. |
The public repository supports the Runtime side of the ceremony:
- deployment claim and heartbeat packets;
- local/Railway paper Runtime evidence;
- audit and proof export;
- fail-closed live readiness and canary rehearsal;
- read-only MCP inspection.
The ZERO control plane owns the app-side ceremony:
- deployment creation;
- claim token minting and redemption;
- receipt storage;
- live lease gating;
- Privy/API-wallet signing where configured;
- proof-chain projection into user/admin product surfaces.
- The Runtime can run paper mode without connecting to the ZERO control plane.
- A claim token is single-use and should be stored hash-only server-side.
- Heartbeats must be signed, nonce-protected, and clock-bounded when posted to the control plane.
- Paper acceptance must come from Runtime evidence, not from UI state.
- Live execution must remain refused until explicit operator authority gates are complete.
- Builder Codes must never be hidden. The public Runtime does not apply ZERO builder fees by default.
For a local or Railway Runtime:
curl -fsS "$ZERO_RUNTIME_URL/health"
curl -fsS "$ZERO_RUNTIME_URL/deployment/heartbeat"
curl -fsS "$ZERO_RUNTIME_URL/audit/export?limit=1"
curl -fsS "$ZERO_RUNTIME_URL/live/preflight"Run /deployment/claim only once through the dedicated claim ceremony flow
with a single-use token. It is stateful and must not be part of repeatable
health verification.
For the public repository gates:
just public-proof
just railway-smoke
just docs-check/live/preflight should report refused/not-ready in the default public Runtime.
That is the expected posture until an operator completes the separate authority
ceremony.