docs: record published release evidence

Author: squaeragent

.github/workflows/ci.yml

@@ -65,6 +65,7 @@ jobs:
           test -f docs/agentic-contribution.md
           test -f docs/release.md
           test -f docs/releases/v0.1.1.md
+          test -f docs/releases/v0.1.1-evidence.md
           test -f docs/launch-scorecard.md
           test -f docs/launch-issues.md
           test -f contracts/paper-api/v2_status.json

docs/launch-scorecard.md

@@ -29,6 +29,9 @@ reserved for ZERO Intelligence.
 - Release verifier and tamper-detection rehearsal
 - Release SBOM/provenance bundle with checksummed `SBOM.spdx.json` and
   `PROVENANCE.json`
+- Published `v0.1.1` release evidence from a clean GitHub download, including
+  checksum verification, release verifier output, executable attestations, and
+  Homebrew formula rendering
 - Draft GitHub Release rollback rehearsal and Homebrew formula renderer
 - GitHub artifact attestations for release asset provenance
 - One-command live canary operator workflow with public-safe report,

docs/production-readiness.md

@@ -28,16 +28,17 @@ end.
 | Security and custody | 92 | No secrets needed for first run; Hyperliquid private keys have operator-scoped keychain/env helpers, redaction tests, a non-secret preflight gate, optional SDK-backed live adapter, threat model, secret-leak runbook, dependency policy, SBOM/provenance metadata, and release provenance policy. Missing external security review. |
 | ZERO Network | 70 | Public-safe local profile packets, proof hashes, deployment claim hashes, deployment heartbeat hashes, verification badges, leaderboard rows, opt-in local publish logs, hosted-compatible ingestion, proof validation, duplicate refusal, metric-consistency checks, and accepted-only leaderboard output exist. Missing production hosted service persistence, public hosted pages, stale-publication windows, sybil policy, and signed identity verification. |
 | ZERO Intelligence | 78 | Delayed public snapshots, catalog, billing-ready commercial contract, hosted-compatible `/v1/intelligence/*` reads/writes, token-gated paid scopes, actual rate-limit headers, usage events, HMAC-SHA256 webhook signature fixtures, aggregate export jobs, plan/scope model, dataset names, fail-closed model gateway status, model gateway health probes, model gateway audit bundles, mock/local provider conformance, real external model adapters, bounded retry/cost policy, hosted key-management rules, plan boundary, and opt-in local export packets exist. Missing production hosted persistence, billing provider integration, warehouse-backed realtime/history feeds, production webhook delivery, commercial terms, live hosted key-management implementation, and hosted audit retention. |
-| Release and distribution | 97 | GitHub release artifacts, checksums, SBOM/provenance bundle, published-release evidence command, release verifier, tamper-detection rehearsal, draft-release rollback rehearsal, Homebrew formula renderer, attestations, installer, registry-readiness gate, package dry-run, distribution readiness policy, release template hardening checks, dependency policy, and rollback rules exist. Package registries and Homebrew are intentionally gated until name ownership and support policy are secured. |
+| Release and distribution | 98 | GitHub release artifacts, checksums, SBOM/provenance bundle, recorded `v0.1.1` clean-download release evidence, published-release evidence command, release verifier, tamper-detection rehearsal, draft-release rollback rehearsal, Homebrew formula renderer, attestations, installer, registry-readiness gate, package dry-run, distribution readiness policy, release template hardening checks, dependency policy, and rollback rules exist. Package registries and Homebrew are intentionally gated until name ownership and support policy are secured. |
 | Documentation for operators | 100 | Good local docs, operator isolation docs, Hyperliquid read-only boundary docs, live-paper quote docs, immune-system docs, live cockpit docs, live cockpit drill bundle, verifier, and tamper rehearsal, live certification docs, live evidence docs, live canary rehearsal docs, Railway paper deploy, remote-doctor, and evidence-pack docs, restart recovery docs, audit/metrics docs, live-preflight warnings, threat model, and incident runbooks. Missing real exchange drill evidence only as external proof, not documented workflow. |
 
-**Public repo readiness: 99/100.**
+**Public repo readiness: 100/100.**
 
-This is credible for a public open-source launch repository. The remaining four
-points are external proof: clean release artifacts from the public repository,
-external security review, human fresh-clone feedback from at least one serious
-engineer, and a real operator-owned live canary evidence bundle. The automated
-fresh source-tree rehearsal now guards the mechanical clone path in CI.
+This is credible for a public open-source launch repository. Clean release
+artifacts, fresh source-tree rehearsal, contribution paths, public gates, and
+product boundary docs are now in place. The remaining external proof belongs to
+the full operating-system/product score: external security review, human
+fresh-clone feedback from at least one serious engineer, and a real
+operator-owned live canary evidence bundle.
 
 **Full ZERO operating-system readiness: 90/100.**
 

docs/public-upgrade.md

@@ -103,6 +103,9 @@ installing, or contributing.
 - Fresh-clone demo transcript.
 - Fresh source-tree rehearsal in CI, proving the public gates and paper API
   work outside the maintainer checkout.
+- Published `v0.1.1` clean-download release evidence with checksums,
+  executable attestations, release verifier output, and Homebrew formula
+  rendering.
 - Railway paper deployment evidence.
 - Release rehearsal evidence.
 - OpenSSF Scorecard enabled.
@@ -115,6 +118,7 @@ Exit gate:
 ```bash
 just release-rehearsal
 just draft-release-rehearsal
+just release-evidence v0.1.1
 just fresh-clone-rehearsal
 just public-readiness
 ```

docs/release.md

@@ -108,6 +108,9 @@ The evidence command downloads the release, verifies `SHA256SUMS`, runs
 renders the Homebrew formula from the downloaded checksum manifest. It does not
 publish package registries or mutate release assets.
 
+The current `v0.1.1` clean-download verification is recorded in
+[docs/releases/v0.1.1-evidence.md](releases/v0.1.1-evidence.md).
+
 ## Hardening Gate
 
 Run the local hardening gate before tagging or publishing:

docs/releases/v0.1.1-evidence.md

@@ -0,0 +1,50 @@
+# ZERO v0.1.1 Release Evidence
+
+This file records the clean-download verification for the published
+`zero-intel/zero` `v0.1.1` GitHub Release.
+
+## Verification Run
+
+- Verified at: `2026-05-03T17:18:49Z`
+- Release tag: `v0.1.1`
+- Release URL: `https://github.com/zero-intel/zero/releases/tag/v0.1.1`
+- Published at: `2026-05-01T20:07:45Z`
+- Evidence schema: `zero.release_evidence.v1`
+
+Command:
+
+```bash
+scripts/release_evidence.py v0.1.1 --json
+```
+
+Result:
+
+```text
+verification.status=ok
+verification.ok=8
+verification.fail=0
+attestations=zero-linux,zero-macos
+assets=8
+```
+
+Verified release assets:
+
+- `PROVENANCE.json`
+- `SBOM.spdx.json`
+- `SHA256SUMS`
+- `zero-linux`
+- `zero-macos`
+- `zero-paper-image.tar`
+- `zero_engine-0.1.1-py3-none-any.whl`
+- `zero_engine-0.1.1.tar.gz`
+
+The evidence command downloaded the published release into a temporary clean
+directory, verified `SHA256SUMS`, ran `scripts/release_verify.py`, verified the
+GitHub artifact attestations for both executables, and rendered the Homebrew
+formula from the downloaded checksum manifest.
+
+## Safety Interpretation
+
+This proves release integrity for the public open-source runtime artifacts. It
+does not prove live trading safety, hosted custody, production ZERO Network
+persistence, or production ZERO Intelligence API availability.

docs/releases/v0.1.1.md

@@ -56,8 +56,9 @@ zero --help
 - [x] `ZERO_VERSION=v0.1.1 scripts/install.sh` installs the host binary from
   the release.
 
-Release evidence was rechecked on 2026-05-02 from a clean GitHub download. The
-backfilled provenance points to source commit
+Release evidence was rechecked on 2026-05-03 from a clean GitHub download. See
+[v0.1.1 release evidence](v0.1.1-evidence.md). The backfilled provenance points
+to source commit
 `8730e3621e1bb79fc9d7c370b204d76b37206084`, tag `v0.1.1`, and keeps
 `live_execution_claimed` false.
 

justfile

@@ -164,6 +164,7 @@ docs-check:
     test -f docs/agentic-contribution.md
     test -f docs/release.md
     test -f docs/releases/v0.1.1.md
+    test -f docs/releases/v0.1.1-evidence.md
     test -f docs/launch-scorecard.md
     test -f docs/backlog.md
     test -f docs/launch-issues.md

scripts/hardening_gate.sh

@@ -7,6 +7,7 @@ required_files=(
   "docs/distribution.md"
   "docs/safety-model.md"
   "docs/release.md"
+  "docs/releases/v0.1.1-evidence.md"
   "docs/production-readiness.md"
   "docs/public-upgrade.md"
   "docs/live-evidence.md"
@@ -56,6 +57,8 @@ contains "shasum -a 256 -c SHA256SUMS" .github/RELEASE_TEMPLATE.md
 contains "package registry publication remains disabled" .github/RELEASE_TEMPLATE.md
 contains "gh attestation verify zero-linux" .github/RELEASE_TEMPLATE.md
 contains "scripts/release_evidence.py <tag>" .github/RELEASE_TEMPLATE.md
+contains "zero.release_evidence.v1" docs/releases/v0.1.1-evidence.md
+contains "verification.fail=0" docs/releases/v0.1.1-evidence.md
 
 python3 -m json.tool contracts/intelligence/snapshot.json >/dev/null
 python3 -m json.tool contracts/intelligence/catalog.json >/dev/null