This scorecard keeps the public repo honest before launch. It scores only the open ZERO Runtime, Protocol, and Proof substrate. It does not score the hosted retail product, production wallets, raw exchange records, or commercial Intelligence service operation.
100/100
100/100
The launch repository is ready for serious contributors when the public readiness gate passes with current doctrine. ZERO product truth is explicit: ZERO is the operating intelligence layer between humans and capital; this public repo is the open Runtime, Protocol, and Proof substrate. The stricter trust bar requires runnable software, redacted evidence, clear custody boundaries, and gates that reject stale category claims.
- Paper-first Python engine runtime
- Deterministic paper scenarios and strategy example
- Inspectable paper decision log
- Local paper HTTP API with CLI-compatible endpoints
- Railway deployment template, remote doctor, redacted deployment evidence pack, evidence verifier, optional HMAC signature, deployment identity evidence, plan-only rollback rehearsal, optional Railway log capture, and smoke test
- Hyperliquid read-only market data path
- Optional self-custodial live-executor boundary with fail-closed paper deploys
- Public-safe ZERO Network profile, leaderboard, local publish, and hosted-compatible ingestion contracts
- Delayed public ZERO Intelligence snapshot, catalog, commercial API boundary,
hosted-compatible
/v1/intelligence/*reference API, webhook signature fixtures, rate-limit headers, and local export contracts - Rust operator CLI with doctor, TUI, command tests, and safety invariants
- Redacted CLI quickstart capture for doctor, status, risk inspection, live cockpit refusal, receipt summary, canary-policy state, and runtime-parity proof
- Public CI for engine, CLI, docs, paper example, paper API smoke, and container smoke
- Release workflow for Python package, CLI binaries, container image artifact, and checksums
- Draft GitHub Release assembly with combined release checksums
- Release verifier and tamper-detection rehearsal
- Release SBOM/provenance bundle with checksummed
SBOM.spdx.jsonandPROVENANCE.json - Published
v0.1.2release evidence from a clean GitHub download, including checksum verification, release verifier output, executable attestations, and Homebrew formula rendering - Draft GitHub Release rollback rehearsal, Homebrew formula renderer, committed public repo tap formula, and formula drift check
- GitHub artifact attestations for release asset provenance
- One-command live canary operator workflow with public-safe report, exchange-evidence attachment, recursive checksums, and local verifier
- Redacted live trading evidence packet generated from private operator
Hyperliquid records and verified by
scripts/live_trading_evidence.py - Live cockpit drill bundle for read-only preflight, immune, reconciliation, certification, receipts, evidence, metrics, and audit packets, plus a local verifier and tamper rehearsal that replay packet-derived readiness
- Threat model, incident runbooks, distribution policy, and hardening gate
- Agent architecture bounds, autonomous-loop failure-mode taxonomy, and incident-postmortem publication policy
- Hash-chained decision journals, operator-owned signing hooks, local timestamp bindings, external anchor packets, verifier CLI, and tamper tests
- Periodic journal-head anchor operation with
zero.decision_journal.anchor_cadence.v1state and fail-closed external receipt enforcement - Property-based safety-gate tests for risk budgets, malformed Hyperliquid responses, memory staleness, dry-run order validation, and model-gateway retry/privacy behavior
- Dependency and supply-chain policy with vulnerability response rules
- One-line CLI install path with checksum and attestation verification
- Registry-readiness gate for PyPI/Cargo metadata and package-channel guardrails
- MCP Registry publication workflow with GitHub OIDC and live listing verifier
- Package dry-run gate for Python artifacts and the Rust crate graph
- Shared paper API contract fixtures pinned by Python API tests and Rust client tests
- First-class GitHub product page with operating-intelligence narrative, above-the-fold terminal proof artifact, quickstart, safety model, open-core boundary, live-operation boundary, capability boundary, operator proof path, and contributor paths
- First-10-minutes guide and reproducible terminal demo capture for source and installed release binaries, including the live cockpit/readiness boundary
- Fresh source-tree rehearsal that copies the publishable checkout into a temporary directory, reruns hardening, and smokes the paper API through the CLI
- Public contribution, security, governance, support, and issue templates
- First-release notes template, live contributor issue board, completed first issue wave, and second-wave launch issue seed with three good-first issues and two help-wanted issues
- Reader-focused release verification guide covering checksums, attestations, SBOM/provenance metadata, Homebrew formula drift, and clean-download evidence
- CLI doctor troubleshooting guide for missing tokens, stopped paper API, and fail-closed live preflight warnings
- Read-only MCP markdown resources for strategy runner, strategy plugin, and market-data adapter contributor docs
- Deterministic market-data adapter fixture with unknown-symbol, positive-limit, and paper strategy integration tests
- Paper-only momentum strategy plugin with deterministic accepted and no-signal paths for first-time strategy contributors
- Proof-pack privacy regression fixtures for wallet-like and raw exchange order ID leakage
- Deterministic ZERO Network stale profile fixture separating valid proof from active operator freshness
- Deterministic ZERO Network empty, active, and stale static page states with local-link-only smoke coverage
- Public boundary audit from the private repo
POST /executein the public engine returnssimulated=true- Local market prices are deterministic fixtures unless read-only Hyperliquid mids are explicitly enabled
- Public hosted deployments should keep live execution disabled unless the operator self-custodially configures local credentials and controls
- Container image is a paper runtime, not a production trading service
- Hosted ZERO Network profile pages, signed identity verification, and production ingestion persistence
- Production hosted growth-mode ZERO Intelligence API service
- Production hosted historical intelligence warehouse
- Hosted intelligence ingestion persistence, abuse controls, commercial terms, and signed webhook delivery infrastructure
- Commercial intelligence connectors
- Enterprise support and SLAs
- Keep the public GitHub Actions matrix green after every push
- Keep published release evidence green with
just release-evidence v0.1.2 - Keep package-registry publication disabled until public name ownership, Trusted Publishing, owner lists, and rollback procedure are secured
- Keep the committed Homebrew formula generated from release checksums
The repo is 100/100 when a new engineer can clone it, run one command, inspect a paper engine through the CLI, pass CI locally, verify release artifacts, and pick up a scoped contributor issue without private context.