zero-intel
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Formula/zero.rb‎
Lines changed: 5 additions & 5 deletions b/‎Formula/zero.rb‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎docs/backlog.md‎
Lines changed: 5 additions & 2 deletions b/‎docs/backlog.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎docs/distribution.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/distribution.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/launch-scorecard.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/launch-scorecard.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/llms-full.txt‎
Lines changed: 12 additions & 12 deletions b/‎docs/llms-full.txt‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎docs/production-readiness.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/production-readiness.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/public-upgrade.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/public-upgrade.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/release-verification.md‎
Lines changed: 5 additions & 5 deletions b/‎docs/release-verification.md‎
Lines changed: 5 additions & 5 deletions
@@ -101,6 +101,7 @@ jobs:
           test -f docs/releases/v0.1.1.md
           test -f docs/releases/v0.1.2.md
           test -f docs/releases/v0.1.1-evidence.md
+          test -f docs/releases/v0.1.2-evidence.md
           test -f docs/launch-scorecard.md
           test -f docs/launch-issues.md
           test -f contracts/paper-api/v2_status.json
 
@@ -2,17 +2,17 @@
 class Zero < Formula
   desc "Operator terminal for self-custodial onchain operations"
   homepage "https://getzero.dev"
-  version "0.1.1"
+  version "0.1.2"
   license "Apache-2.0"
 
   if OS.mac? && Hardware::CPU.arm?
-    url "https://github.com/zero-intel/zero/releases/download/v0.1.1/zero-macos"
-    sha256 "7dfbcd7acba04dece4d0c4dcee2e72213c191bf0cb9c6b432f5e663d87bd4b0f"
+    url "https://github.com/zero-intel/zero/releases/download/v0.1.2/zero-macos"
+    sha256 "68262ded7cb7b1add978cdf292dab2d34c20246c711e0dbfb14f50735020e3d3"
   elsif OS.mac?
     odie "ZERO currently ships an arm64 macOS binary; use install.sh or build from source on Intel macOS"
   else
-    url "https://github.com/zero-intel/zero/releases/download/v0.1.1/zero-linux"
-    sha256 "2c31ca36e274c44b55efa5bcdcfb758bac2379e185be8e092101d042eed72fd6"
+    url "https://github.com/zero-intel/zero/releases/download/v0.1.2/zero-linux"
+    sha256 "b735e19420994ab4241698df9aa500863e2c4fdcda2ba3c02ad7ebbe3505d9d9"
   end
 
   def install
 
@@ -64,12 +64,15 @@ Acceptance:
 
 ### Completed: first public release
 
-The first public release is complete as `v0.1.1`.
+The first public release is complete as `v0.1.1`; the current published
+release is `v0.1.2`.
 
 Evidence:
 
 - [Release notes](releases/v0.1.1.md)
 - [Clean-download release evidence](releases/v0.1.1-evidence.md)
+- [Current v0.1.2 release notes](releases/v0.1.2.md)
+- [Current v0.1.2 clean-download evidence](releases/v0.1.2-evidence.md)
 - [Release verification guide](release-verification.md)
 - [CLI doctor troubleshooting guide](cli-doctor-troubleshooting.md)
 - [Read-only MCP contributor docs resources](mcp.md)
@@ -83,7 +86,7 @@ artifact requirements or public safety claims.
 
 ### Completed: Homebrew formula
 
-The public repo now includes `Formula/zero.rb`, generated from the `v0.1.1`
+The public repo now includes `Formula/zero.rb`, generated from the `v0.1.2`
 GitHub Release checksum manifest. Operators can install it with:
 
 ```bash
 
@@ -97,7 +97,7 @@ The committed formula must:
 Render the formula from a verified release directory:
 
 ```bash
-scripts/homebrew_formula.py <downloaded-release-dir> --tag v0.1.1 --output Formula/zero.rb
+scripts/homebrew_formula.py <downloaded-release-dir> --tag v0.1.2 --output Formula/zero.rb
 scripts/homebrew_formula_check.py
 ```
 
 
@@ -33,7 +33,7 @@ reserved for ZERO Intelligence.
 - Release verifier and tamper-detection rehearsal
 - Release SBOM/provenance bundle with checksummed `SBOM.spdx.json` and
   `PROVENANCE.json`
-- Published `v0.1.1` release evidence from a clean GitHub download, including
+- Published `v0.1.2` release evidence from a clean GitHub download, including
   checksum verification, release verifier output, executable attestations, and
   Homebrew formula rendering
 - Draft GitHub Release rollback rehearsal, Homebrew formula renderer, committed
@@ -104,7 +104,7 @@ reserved for ZERO Intelligence.
 ## Remaining To Keep 100
 
 - Keep the public GitHub Actions matrix green after every push
-- Keep published release evidence green with `just release-evidence v0.1.1`
+- Keep published release evidence green with `just release-evidence v0.1.2`
 - Keep package-registry publication disabled until public name ownership,
   Trusted Publishing, owner lists, and rollback procedure are secured
 - Keep the committed Homebrew formula generated from release checksums
 
@@ -3726,7 +3726,7 @@ for local wallet control, preflight, kill-switches, reconciliation, and review.
 | Security and custody | 100 | No secrets needed for first run; Hyperliquid private keys have operator-scoped keychain/env helpers, redaction tests, a non-secret preflight gate, optional SDK-backed live adapter, threat model, secret-leak runbook, dependency policy, SBOM/provenance metadata, and release provenance policy. External security review remains diligence evidence, not a missing custody contract. |
 | ZERO Network contracts | 100 | Public-safe local profile packets, proof hashes, deployment claim hashes, deployment heartbeat hashes, verification badges, leaderboard rows, opt-in local publish logs, hosted-compatible ingestion, proof validation, duplicate refusal, metric-consistency checks, accepted-only leaderboard output, empty/active/stale public page states, `zero.network.profile_verification.v1` profile-plus-identity verification, and deterministic `zero.network_proof_pack.v1` public proof-chain artifacts exist. Hosted persistence, sybil policy operation, and identity service operation are external product work. |
 | ZERO Intelligence contracts | 100 | Delayed public snapshots, catalog, billing-ready commercial contract, hosted-compatible `/v1/intelligence/*` reads/writes, token-gated paid scopes, actual rate-limit headers, usage events, HMAC-SHA256 webhook signature fixtures, aggregate export jobs, plan/scope model, dataset names, fail-closed model gateway status, model gateway health probes, model gateway audit bundles, mock/local provider conformance, external model adapter contract tests, bounded retry/cost policy, hosted key-management rules, plan boundary, and opt-in local export packets exist. Production persistence, billing, warehouse-backed feeds, and webhook delivery are external commercial service work. |
-| Release and distribution | 100 | GitHub release artifacts, checksums, SBOM/provenance bundle, recorded `v0.1.1` clean-download release evidence, published-release evidence command with committed Homebrew formula comparison, release verifier, tamper-detection rehearsal, draft-release rollback rehearsal, committed Homebrew formula, formula drift check, attestations, installer, registry-readiness gate, package dry run, distribution readiness policy, release template hardening checks, dependency policy, and rollback rules exist. External package registries remain unpublished pending name ownership and support policy. |
+| Release and distribution | 100 | GitHub release artifacts, checksums, SBOM/provenance bundle, recorded `v0.1.2` clean-download release evidence, published-release evidence command with committed Homebrew formula comparison, release verifier, tamper-detection rehearsal, draft-release rollback rehearsal, committed Homebrew formula, formula drift check, attestations, installer, registry-readiness gate, package dry run, distribution readiness policy, release template hardening checks, dependency policy, and rollback rules exist. External package registries remain unpublished pending name ownership and support policy. |
 | Documentation for operators | 100 | Good local docs, operator isolation docs, Hyperliquid read-only boundary docs, live-paper quote docs, immune-system docs, live cockpit docs, live cockpit drill bundle, verifier, and tamper rehearsal, live certification docs, live evidence docs, redacted live trading evidence docs, live canary policy/operator docs, Railway paper deploy, remote-doctor, and evidence-pack docs, restart recovery docs, audit/metrics docs, live-preflight warnings, threat model, and incident runbooks. Missing third-party review evidence only as external proof, not documented workflow. |
 
 **Public repo readiness: 100/100.**
@@ -3770,7 +3770,7 @@ not missing public-runtime contracts.
 | Command surface | 100 | `zero`, `zero init`, `zero doctor`, `zero run`, TUI, and slash-command dispatch cover the public runtime and operator workflows. |
 | Operator safety | 100 | Risk-reducing commands are friction-exempt and risk-increasing commands require interactive friction. |
 | Engine integration | 100 | HTTP, WebSocket, mock engine, contract tests, Rust client decoding for production-parity OODA reports, live receipt packets, live canary policy packets, `/runtime-parity`, `/live-receipts`, and `/live-canary` operator rendering, live risk-reducer endpoints, and redacted private live execution evidence exist. Raw accepted canary records remain external. |
-| Install path | 100 | Release installer exists with checksum and attestation verification, `v0.1.1` was installed from the public GitHub Release into a temporary bin directory, and the public Homebrew repo tap installs and tests `zero` from the checksummed GitHub Release asset. External package registries remain unpublished pending ownership proof. |
+| Install path | 100 | Release installer exists with checksum and attestation verification, `v0.1.2` was installed from the public GitHub Release into a temporary bin directory, and the public Homebrew repo tap installs and tests `zero` from the checksummed GitHub Release asset. External package registries remain unpublished pending ownership proof. |
 | Diagnostics | 100 | Doctor, JSON output, exit codes, rate-budget checks, operator/credential partition checks, live-preflight diagnostics, live-cockpit next-action/operator rendering, Railway remote doctor, deployment evidence verification, deployment identity verification, deployment evidence log capture/signing, rollback rehearsal checks, paid-scope fail-closed checks, and live-control refusals are covered. External production examples against a linked Railway project remain operations evidence. |
 | TUI production UX | 100 | Snapshot coverage, status honesty, risk overlays, live-stream pane, and a full-screen live cockpit are covered for the public runtime. External live operator fault drills remain operations evidence. |
 | Non-interactive automation | 100 | `zero run` covers cockpit, receipts, canary policy, runtime parity, breaker, certification, account truth, and risk-reducer workflows while intentionally gating risk-increasing commands. External production examples remain operations evidence. |
@@ -4298,7 +4298,7 @@ Exit gate:
 ```bash
 just release-rehearsal
 just draft-release-rehearsal
-just release-evidence v0.1.1
+just release-evidence v0.1.2
 just fresh-clone-rehearsal
 just public-readiness
 ```
@@ -7027,7 +7027,7 @@ Use `zero-macos` for the macOS binary.
 Verify a published GitHub Release from a clean download directory:
 
 ```bash
-just release-evidence v0.1.1
+just release-evidence v0.1.2
 ```
 
 The evidence command downloads the release, verifies `SHA256SUMS`, runs
@@ -7037,8 +7037,8 @@ fails unless that rendered formula exactly matches the committed
 `Formula/zero.rb`, so the public tap cannot drift away from the published
 release. It does not publish package registries or mutate release assets.
 
-The current `v0.1.1` clean-download verification is recorded in
-[docs/releases/v0.1.1-evidence.md](releases/v0.1.1-evidence.md).
+The current `v0.1.2` clean-download verification is recorded in
+[docs/releases/v0.1.2-evidence.md](releases/v0.1.2-evidence.md).
 
 ## Public Proof Gate
 
@@ -7203,7 +7203,7 @@ The committed formula is `Formula/zero.rb`. To update it for a new release,
 render the formula from a downloaded and verified release directory:
 
 ```bash
-scripts/homebrew_formula.py <downloaded-release-dir> --tag v0.1.1 --output Formula/zero.rb
+scripts/homebrew_formula.py <downloaded-release-dir> --tag v0.1.2 --output Formula/zero.rb
 scripts/homebrew_formula_check.py
 ```
 
@@ -7254,13 +7254,13 @@ from GitHub and check everything in a temporary clean directory:
 ```bash
 git clone https://github.com/zero-intel/zero.git
 cd zero
-just release-evidence v0.1.1
+just release-evidence v0.1.2
 ```
 
 For machine-readable output:
 
 ```bash
-scripts/release_evidence.py v0.1.1 --json
+scripts/release_evidence.py v0.1.2 --json
 ```
 
 The release evidence command:
@@ -7274,8 +7274,8 @@ The release evidence command:
 - fails if the rendered formula differs from the committed `Formula/zero.rb`.
 
 The current published evidence is recorded in
-[v0.1.1 release evidence](releases/v0.1.1-evidence.md). That page is evidence
-for `v0.1.1` only; future releases need their own clean-download evidence.
+[v0.1.2 release evidence](releases/v0.1.2-evidence.md). Historical `v0.1.1`
+evidence remains in [v0.1.1 release evidence](releases/v0.1.1-evidence.md).
 
 ## From Downloaded Assets
 
@@ -7343,7 +7343,7 @@ The committed formula at `Formula/zero.rb` must be generated from a verified
 release directory:
 
 ```bash
-scripts/homebrew_formula.py /path/to/downloaded/zero-release --tag v0.1.1 --output /tmp/zero.rb
+scripts/homebrew_formula.py /path/to/downloaded/zero-release --tag v0.1.2 --output /tmp/zero.rb
 diff -u Formula/zero.rb /tmp/zero.rb
 scripts/homebrew_formula_check.py
 ```
 
@@ -30,7 +30,7 @@ for local wallet control, preflight, kill-switches, reconciliation, and review.
 | Security and custody | 100 | No secrets needed for first run; Hyperliquid private keys have operator-scoped keychain/env helpers, redaction tests, a non-secret preflight gate, optional SDK-backed live adapter, threat model, secret-leak runbook, dependency policy, SBOM/provenance metadata, and release provenance policy. External security review remains diligence evidence, not a missing custody contract. |
 | ZERO Network contracts | 100 | Public-safe local profile packets, proof hashes, deployment claim hashes, deployment heartbeat hashes, verification badges, leaderboard rows, opt-in local publish logs, hosted-compatible ingestion, proof validation, duplicate refusal, metric-consistency checks, accepted-only leaderboard output, empty/active/stale public page states, `zero.network.profile_verification.v1` profile-plus-identity verification, and deterministic `zero.network_proof_pack.v1` public proof-chain artifacts exist. Hosted persistence, sybil policy operation, and identity service operation are external product work. |
 | ZERO Intelligence contracts | 100 | Delayed public snapshots, catalog, billing-ready commercial contract, hosted-compatible `/v1/intelligence/*` reads/writes, token-gated paid scopes, actual rate-limit headers, usage events, HMAC-SHA256 webhook signature fixtures, aggregate export jobs, plan/scope model, dataset names, fail-closed model gateway status, model gateway health probes, model gateway audit bundles, mock/local provider conformance, external model adapter contract tests, bounded retry/cost policy, hosted key-management rules, plan boundary, and opt-in local export packets exist. Production persistence, billing, warehouse-backed feeds, and webhook delivery are external commercial service work. |
-| Release and distribution | 100 | GitHub release artifacts, checksums, SBOM/provenance bundle, recorded `v0.1.1` clean-download release evidence, published-release evidence command with committed Homebrew formula comparison, release verifier, tamper-detection rehearsal, draft-release rollback rehearsal, committed Homebrew formula, formula drift check, attestations, installer, registry-readiness gate, package dry run, distribution readiness policy, release template hardening checks, dependency policy, and rollback rules exist. External package registries remain unpublished pending name ownership and support policy. |
+| Release and distribution | 100 | GitHub release artifacts, checksums, SBOM/provenance bundle, recorded `v0.1.2` clean-download release evidence, published-release evidence command with committed Homebrew formula comparison, release verifier, tamper-detection rehearsal, draft-release rollback rehearsal, committed Homebrew formula, formula drift check, attestations, installer, registry-readiness gate, package dry run, distribution readiness policy, release template hardening checks, dependency policy, and rollback rules exist. External package registries remain unpublished pending name ownership and support policy. |
 | Documentation for operators | 100 | Good local docs, operator isolation docs, Hyperliquid read-only boundary docs, live-paper quote docs, immune-system docs, live cockpit docs, live cockpit drill bundle, verifier, and tamper rehearsal, live certification docs, live evidence docs, redacted live trading evidence docs, live canary policy/operator docs, Railway paper deploy, remote-doctor, and evidence-pack docs, restart recovery docs, audit/metrics docs, live-preflight warnings, threat model, and incident runbooks. Missing third-party review evidence only as external proof, not documented workflow. |
 
 **Public repo readiness: 100/100.**
@@ -74,7 +74,7 @@ not missing public-runtime contracts.
 | Command surface | 100 | `zero`, `zero init`, `zero doctor`, `zero run`, TUI, and slash-command dispatch cover the public runtime and operator workflows. |
 | Operator safety | 100 | Risk-reducing commands are friction-exempt and risk-increasing commands require interactive friction. |
 | Engine integration | 100 | HTTP, WebSocket, mock engine, contract tests, Rust client decoding for production-parity OODA reports, live receipt packets, live canary policy packets, `/runtime-parity`, `/live-receipts`, and `/live-canary` operator rendering, live risk-reducer endpoints, and redacted private live execution evidence exist. Raw accepted canary records remain external. |
-| Install path | 100 | Release installer exists with checksum and attestation verification, `v0.1.1` was installed from the public GitHub Release into a temporary bin directory, and the public Homebrew repo tap installs and tests `zero` from the checksummed GitHub Release asset. External package registries remain unpublished pending ownership proof. |
+| Install path | 100 | Release installer exists with checksum and attestation verification, `v0.1.2` was installed from the public GitHub Release into a temporary bin directory, and the public Homebrew repo tap installs and tests `zero` from the checksummed GitHub Release asset. External package registries remain unpublished pending ownership proof. |
 | Diagnostics | 100 | Doctor, JSON output, exit codes, rate-budget checks, operator/credential partition checks, live-preflight diagnostics, live-cockpit next-action/operator rendering, Railway remote doctor, deployment evidence verification, deployment identity verification, deployment evidence log capture/signing, rollback rehearsal checks, paid-scope fail-closed checks, and live-control refusals are covered. External production examples against a linked Railway project remain operations evidence. |
 | TUI production UX | 100 | Snapshot coverage, status honesty, risk overlays, live-stream pane, and a full-screen live cockpit are covered for the public runtime. External live operator fault drills remain operations evidence. |
 | Non-interactive automation | 100 | `zero run` covers cockpit, receipts, canary policy, runtime parity, breaker, certification, account truth, and risk-reducer workflows while intentionally gating risk-increasing commands. External production examples remain operations evidence. |
 
@@ -134,7 +134,7 @@ Exit gate:
 ```bash
 just release-rehearsal
 just draft-release-rehearsal
-just release-evidence v0.1.1
+just release-evidence v0.1.2
 just fresh-clone-rehearsal
 just public-readiness
 ```
 
@@ -15,13 +15,13 @@ from GitHub and check everything in a temporary clean directory:
 ```bash
 git clone https://github.com/zero-intel/zero.git
 cd zero
-just release-evidence v0.1.1
+just release-evidence v0.1.2
 ```
 
 For machine-readable output:
 
 ```bash
-scripts/release_evidence.py v0.1.1 --json
+scripts/release_evidence.py v0.1.2 --json
 ```
 
 The release evidence command:
@@ -35,8 +35,8 @@ The release evidence command:
 - fails if the rendered formula differs from the committed `Formula/zero.rb`.
 
 The current published evidence is recorded in
-[v0.1.1 release evidence](releases/v0.1.1-evidence.md). That page is evidence
-for `v0.1.1` only; future releases need their own clean-download evidence.
+[v0.1.2 release evidence](releases/v0.1.2-evidence.md). Historical `v0.1.1`
+evidence remains in [v0.1.1 release evidence](releases/v0.1.1-evidence.md).
 
 ## From Downloaded Assets
 
@@ -104,7 +104,7 @@ The committed formula at `Formula/zero.rb` must be generated from a verified
 release directory:
 
 ```bash
-scripts/homebrew_formula.py /path/to/downloaded/zero-release --tag v0.1.1 --output /tmp/zero.rb
+scripts/homebrew_formula.py /path/to/downloaded/zero-release --tag v0.1.2 --output /tmp/zero.rb
 diff -u Formula/zero.rb /tmp/zero.rb
 scripts/homebrew_formula_check.py
 ```