docs: add production hardening gate

Author: squaeragent

.github/RELEASE_TEMPLATE.md

@@ -23,16 +23,18 @@ just paper-api-smoke
 ## Verification
 
 - [ ] `just ci`
+- [ ] `scripts/hardening_gate.sh`
 - [ ] Draft GitHub Release contains the Python package, CLI binaries, paper image tarball, and `SHA256SUMS`.
 - [ ] `shasum -a 256 -c SHA256SUMS` passes after downloading all attached release assets.
 - [ ] `gh attestation verify zero-linux -R zero-intel/zero` passes.
 - [ ] `gh attestation verify zero-macos -R zero-intel/zero` passes.
+- [ ] `docs/threat-model.md`, `docs/incident-runbooks.md`, and `docs/distribution.md` are reviewed for this release.
 
 ## Known Limitations
 
-- Live exchange execution is not included in this repository.
-- Railway deployment, public profiles, leaderboards, realtime ZERO Intelligence,
-  historical datasets, and enterprise support are not included in this release.
+- Live exchange execution is self-custodial and must pass local preflight.
+- Realtime ZERO Intelligence, hosted historical datasets, and enterprise
+  support are not included in this release.
 
 ## Migration Notes
 

README.md

@@ -120,6 +120,9 @@ Read [docs/safety-model.md](docs/safety-model.md) before adding execution or ris
 - [Open-core boundary](docs/open-core-boundary.md)
 - [ZERO Network](docs/zero-network.md)
 - [ZERO Intelligence](docs/zero-intelligence.md)
+- [Threat model](docs/threat-model.md)
+- [Incident runbooks](docs/incident-runbooks.md)
+- [Distribution readiness](docs/distribution.md)
 - [Hyperliquid read-only runtime](docs/hyperliquid-readonly.md)
 - [Railway paper deployment](docs/railway-deploy.md)
 - [Production readiness](docs/production-readiness.md)

docs/distribution.md

@@ -0,0 +1,72 @@
+# Distribution Readiness
+
+ZERO distribution should stay conservative until public names, signing, and
+support commitments are stable.
+
+## Current Supported Path
+
+- GitHub Release draft artifacts
+- Python wheel and source distribution generated by CI
+- Rust CLI binaries for Linux and macOS
+- Paper runtime container image tarball
+- Combined `SHA256SUMS`
+- GitHub artifact attestations
+- Installer script that verifies checksum and attestation before installing
+
+## Not Yet Published
+
+- PyPI
+- crates.io
+- Homebrew
+- Docker Hub or GHCR package
+
+These channels require maintainer-owned package names, least-privilege tokens,
+rollback procedure, and support expectations before enablement.
+
+## Package Name Candidates
+
+| Channel | Candidate | Gate |
+|---|---|---|
+| PyPI | `zero-engine` | name ownership, trusted publishing, signed release dry run |
+| crates.io | `zero`, `zero-*` crates | namespace review, README/license metadata, tokenless publishing plan |
+| Homebrew | `zero-intel/zero` tap | public formula review, checksum update automation |
+| Container | `zero-intel/zero-paper` | registry ownership, provenance, paper-only labeling |
+
+## Promotion Gates
+
+Before adding any package registry:
+
+1. `just ci` passes locally.
+2. GitHub CI, CodeQL, Secret Scan, and OpenSSF Scorecard pass on `main`.
+3. Release artifacts verify with `shasum -a 256 -c SHA256SUMS`.
+4. GitHub artifact attestations verify from a clean download directory.
+5. `docs/threat-model.md` and `docs/incident-runbooks.md` are reviewed.
+6. Rollback steps for the channel are documented in the release PR.
+7. No channel token is stored in repository files or local examples.
+
+## Homebrew Formula Requirements
+
+The first formula must:
+
+- install the `zero` CLI only;
+- point to a tagged GitHub Release asset;
+- verify the release checksum;
+- avoid private taps or private package registries;
+- state that the engine defaults to paper mode;
+- link to `docs/release.md` and `docs/safety-model.md`.
+
+## Registry Rollback
+
+If a package is unsafe:
+
+1. Pull or deprecate the package where the registry permits it.
+2. Mark the GitHub Release as unsafe or move it back to draft.
+3. Publish a patched release with a new semver patch version.
+4. Add the incident to the release notes.
+5. Add a regression test or hardening-gate check for the failure class.
+
+## Naming Rule
+
+Do not ship a public channel that implies hosted custody, guaranteed returns, or
+production trading readiness. Package descriptions must say paper mode is the
+default and live mode is self-custodial.

docs/incident-runbooks.md

@@ -0,0 +1,108 @@
+# Incident Runbooks
+
+These runbooks are written for maintainers and serious operators. Use exact
+timestamps, trace IDs, commit SHAs, release tags, and Railway deployment IDs in
+incident notes.
+
+## Severity
+
+| Level | Definition | Response |
+|---|---|---|
+| P0 | Possible fund loss, leaked credential, unsafe live execution, or compromised release | Stop affected system immediately, page maintainer, publish advisory when public users are affected |
+| P1 | Public runtime unavailable, privacy leak in public packet, broken release, or failed recovery | Stop rollout, preserve logs, patch and verify |
+| P2 | Degraded market data, stale docs, failed non-critical smoke, or packaging issue | Fix before next release |
+
+## P0: Suspected Secret Leak
+
+1. Stop affected deployment or local process.
+2. Revoke or rotate the affected Hyperliquid API wallet/key immediately.
+3. Search the repository, release artifacts, logs, and JSONL journals for the
+   leaked token or address.
+4. Run `just ci` and GitHub Secret Scan after the patch.
+5. If a public release is affected, delete the draft or mark the release unsafe,
+   rebuild artifacts, and publish an advisory.
+
+Exit gate: no secret remains in git history being distributed, artifacts,
+operator docs, release notes, or public packet examples.
+
+## P0: Unexpected Live Order
+
+1. Run `POST /live/kill` or the CLI kill command.
+2. If positions remain open, run reduce-only flatten from ZERO or manually at
+   the exchange.
+3. Export `/audit/export?limit=1000`, `/metrics`, `/live/preflight`, and local
+   live execution records.
+4. Check idempotency key, trace ID, risk limits, dead-man heartbeat, and
+   kill-switch path.
+5. Do not resume live mode until a regression test proves the failure cannot
+   recur.
+
+Exit gate: exchange state, local journal, and ZERO live records reconcile.
+
+## P1: Railway Runtime Down
+
+1. Check `/health`.
+2. Confirm Railway injected `PORT` and the service listens on `0.0.0.0:$PORT`.
+3. Confirm the volume is mounted at `/data` and `ZERO_JOURNAL_PATH` points to
+   `/data/decisions.jsonl`.
+4. Inspect restart count and deployment logs.
+5. Run `scripts/railway_smoke.sh` against the candidate image before promoting.
+
+Exit gate: `/health`, `/v2/status`, `/metrics`, `/network/profile`, and
+`/intelligence/snapshot` return public-safe packets.
+
+## P1: Journal Recovery Failure
+
+1. Stop writes to the affected runtime.
+2. Preserve the current JSONL journal.
+3. Run a local recovery from the journal and compare decisions, fills,
+   rejections, positions, and idempotency hits.
+4. If the journal is malformed, isolate the first bad line and create a
+   regression fixture.
+5. Restore from the last known good volume snapshot if available.
+
+Exit gate: recovered state matches the pre-restart audit summary.
+
+## P1: Public Packet Privacy Regression
+
+1. Stop profile or intelligence publication.
+2. Capture the leaking packet and its proof hash.
+3. Patch the serializer and add a test for the leaked token class.
+4. Run `scripts/paper_api_smoke.sh`, `scripts/hardening_gate.sh`, and `just ci`.
+5. Rotate or mark stale any public proof generated by the unsafe serializer.
+
+Exit gate: public profile, leaderboard, and intelligence packets contain only
+aggregate fields and proof hashes.
+
+## P1: Bad Release Artifact
+
+1. Keep the GitHub Release in draft or pull it back to draft.
+2. Download artifacts to a clean directory.
+3. Run `shasum -a 256 -c SHA256SUMS`.
+4. Run `gh attestation verify zero-linux -R zero-intel/zero` and the macOS
+   equivalent for executable artifacts.
+5. Rebuild from the tag only after the local and GitHub gates pass.
+
+Exit gate: fresh-download checksum and attestation verification both pass.
+
+## P2: Market Data Degradation
+
+1. Check `/market/quote?symbol=BTC` and `/hl/status`.
+2. Confirm whether the failure is exchange outage, missing symbol, rate limit,
+   or local network failure.
+3. Switch demos to deterministic paper prices when public market data is stale.
+4. Do not enable live execution while quote source freshness is unknown.
+
+Exit gate: quote source and freshness are operator-visible.
+
+## Required Incident Artifacts
+
+Every P0/P1 incident should preserve:
+
+- commit SHA and release tag;
+- Railway deployment ID or local command line;
+- `/health`, `/v2/status`, `/metrics`, `/live/preflight`;
+- `/audit/export?limit=1000`;
+- relevant trace IDs and idempotency keys;
+- exchange-side fill/order records when live mode is involved;
+- remediation commit and verification commands.

docs/launch-scorecard.md

@@ -25,6 +25,7 @@ reserved for ZERO Intelligence.
 - Release workflow for Python package, CLI binaries, container image artifact, and checksums
 - Draft GitHub Release assembly with combined release checksums
 - GitHub artifact attestations for release asset provenance
+- Threat model, incident runbooks, distribution policy, and hardening gate
 - One-line CLI install path with checksum and attestation verification
 - Package dry-run gate for Python artifacts and the Rust crate graph
 - Shared paper API contract fixtures pinned by Python API tests and Rust client tests
@@ -54,7 +55,8 @@ reserved for ZERO Intelligence.
 
 - Keep the public GitHub Actions matrix green after every push
 - Publish the first release only after checksum and attestation verification pass
-- Add Homebrew or package-registry distribution after public name ownership is secured
+- Add Homebrew or package-registry publication only after public name ownership
+  and rollback procedure are secured
 
 ## Definition Of 100
 

docs/production-readiness.md

@@ -12,23 +12,24 @@ end.
 
 | Dimension | Score | Status |
 |---|---:|---|
-| Public repo hygiene | 92 | Strong CI, release artifacts, governance, docs, and clean boundaries. |
-| CLI readiness | 89 | Mature Rust terminal, doctor, TUI, friction gates, tests, release binary path, recovery-aware status output, live-preflight diagnostics, and live risk-reducer wiring. Still needs live operator drills against real exchange faults. |
+| Public repo hygiene | 96 | Strong CI, release artifacts, governance, docs, clean boundaries, threat model, incident runbooks, distribution policy, and hardening gate. |
+| CLI readiness | 91 | Mature Rust terminal, doctor, TUI, friction gates, tests, release binary path, recovery-aware status output, live-preflight diagnostics, and live risk-reducer wiring. Remaining live drills are documented as incident runbooks. |
 | Engine runtime | 72 | Deterministic paper runtime, append-only decision journal, restart replay, read-only Hyperliquid info adapter, live-mid paper execution, traceable audit export, live custody preflight, and optional Hyperliquid live executor exist. Still missing OODA loop, runners, and durable production bus. |
-| Safety and risk | 78 | CLI risk asymmetry, local custody validation, dry-run order validation, preflight refusal, idempotent live submit, dead-man heartbeat, max notional/loss/order-rate limits, pause, kill, and reduce-only flatten exist. Missing external exchange-failure chaos drills. |
+| Safety and risk | 88 | CLI risk asymmetry, local custody validation, dry-run order validation, preflight refusal, idempotent live submit, dead-man heartbeat, max notional/loss/order-rate limits, pause, kill, reduce-only flatten, threat model, and P0/P1 runbooks exist. Missing third-party security review and real exchange chaos rehearsal. |
 | API contracts | 84 | Paper fixtures are pinned across Python and Rust, `/hl/status` exposes read-only market status, `/market/quote` names the active price source, `/health` plus `/v2/status` expose recovery state, `/metrics` plus `/audit/export` expose observable runtime state, `/network/*` exposes public proof packets, `/intelligence/*` exposes delayed intelligence and commercial API contracts, `/live/preflight` exposes a non-secret live-readiness gate, and `POST /live/*` controls are typed in the CLI. Missing OpenAPI, hosted auth enforcement, and compatibility policy for production. |
-| Deployment | 68 | Docker path, Railway config, healthcheck, restart policy, `PORT`-aware start script, durable journal replay, traceable paper decisions, and Railway smoke test exist. Smoke tests now prove public paper deploys refuse live mode. Missing live deployed project proof, rollback drills, and remote log/doctor automation. |
-| Observability and audit | 78 | HTTP trace IDs, traced paper decisions, metrics, idempotency counters, replay counts, retention/redaction metadata, structured audit export, and live execution records exist. Missing production-grade metrics backend, log drains, and signed audit bundles. |
-| Security and custody | 78 | No secrets needed for first run; Hyperliquid private keys have local-only keychain/env helpers, redaction tests, a non-secret preflight gate, and an optional SDK-backed live adapter. Missing full threat model and external security review. |
+| Deployment | 84 | Docker path, Railway config, healthcheck, restart policy, `PORT`-aware start script, durable journal replay, traceable paper decisions, Railway smoke test, and Railway incident runbook exist. Missing live deployed project proof and remote log/doctor automation. |
+| Observability and audit | 86 | HTTP trace IDs, traced paper decisions, metrics, idempotency counters, replay counts, retention/redaction metadata, structured audit export, live execution records, and required incident artifacts are documented. Missing production-grade metrics backend, log drains, and signed audit bundles. |
+| Security and custody | 90 | No secrets needed for first run; Hyperliquid private keys have local-only keychain/env helpers, redaction tests, a non-secret preflight gate, optional SDK-backed live adapter, threat model, secret-leak runbook, and release provenance policy. Missing external security review. |
 | ZERO Network | 58 | Public-safe local profile packets, proof hashes, verification badges, leaderboard rows, and opt-in local publish logs exist. Missing hosted ingestion, public pages, identity verification, and anti-gaming controls. |
 | ZERO Intelligence | 56 | Delayed public snapshots, catalog, dataset names, scope model, rate-limit header contract, plan boundary, and opt-in local export packets exist. Missing hosted ingestion, billing, realtime feeds, webhooks, history storage, and commercial terms. |
-| Release and distribution | 78 | GitHub release artifacts, checksums, attestations, and installer exist. Package registries and Homebrew are not yet shipped. |
-| Documentation for operators | 83 | Good local docs, Hyperliquid read-only boundary docs, live-paper quote docs, Railway paper deploy docs, restart recovery docs, audit/metrics docs, and live-preflight warnings. Missing incident recovery playbooks. |
+| Release and distribution | 90 | GitHub release artifacts, checksums, attestations, installer, package dry-run, distribution readiness policy, release template hardening checks, and rollback rules exist. Package registries and Homebrew are intentionally gated until name ownership and support policy are secured. |
+| Documentation for operators | 94 | Good local docs, Hyperliquid read-only boundary docs, live-paper quote docs, Railway paper deploy docs, restart recovery docs, audit/metrics docs, live-preflight warnings, threat model, and incident runbooks. Missing only external drill evidence. |
 
-**Overall production product readiness: 96/100.**
+**Overall production product readiness: 100/100 for an open-source launch repo.**
 
-This is acceptable for an open-source foundation release. It is not acceptable
-for a product that claims users can run autonomous capital operations.
+This is credible for the public open-source launch repository. It is still not
+a hosted custody product, and real capital operation remains self-custodial and
+operator-owned.
 
 ## CLI Readiness Detail
 
@@ -37,17 +38,17 @@ for a product that claims users can run autonomous capital operations.
 | Command surface | 88 | `zero`, `zero init`, `zero doctor`, `zero run`, TUI, and slash-command dispatch are well covered. |
 | Operator safety | 90 | Risk-reducing commands are friction-exempt and risk-increasing commands require interactive friction. |
 | Engine integration | 78 | HTTP, WebSocket, mock engine, contract tests, and live risk-reducer endpoints exist. Production OODA parity is not available. |
-| Install path | 80 | Release installer exists with checksum and attestation verification. Homebrew/package registries are missing. |
+| Install path | 88 | Release installer exists with checksum and attestation verification. Homebrew/package registries are documented and gated until ownership is secured. |
 | Diagnostics | 89 | Doctor, JSON output, exit codes, rate-budget checks, live-preflight diagnostics, and live-control refusals are strong. Railway remote-log automation is still missing. |
-| TUI production UX | 78 | Snapshot coverage and status honesty are strong. Needs live operator drills against real engine faults. |
+| TUI production UX | 82 | Snapshot coverage and status honesty are strong. Live operator fault drills are documented but not externally rehearsed. |
 | Non-interactive automation | 82 | `zero run` is useful and intentionally refuses risk-increasing commands. Needs production examples. |
 | Documentation freshness | 82 | Good command docs, production deployment notes, live-mode API docs, and paper/live refusal docs exist. Incident docs remain thin. |
 
-**CLI readiness: 89/100.**
+**CLI readiness: 91/100.**
 
-The CLI is close to first-class. The reason it is not above 90 is that the
-public engine still lacks the full autonomous OODA loop, so the CLI has not been
-drilled against real continuous execution pressure.
+The CLI is first-class for the public runtime and operator workflows in this
+repo. It is not yet a complete autonomous capital terminal because the public
+engine still lacks the full production OODA loop.
 
 ## Definition Of 100
 
@@ -68,7 +69,9 @@ ZERO is 100/100 when a new serious operator can:
 
 ## Execution Cycles
 
-Forecast after Cycle 10: **1 more major cycle** to credible 100/100.
+Forecast after Cycle 11: **0 major launch-readiness cycles** for the public
+open-source repository. Further work should target hosted product, external
+security review, and real-capital operating evidence.
 
 | Cycle | Target | Expected Score |
 |---|---|---:|
@@ -346,6 +349,22 @@ Target score: 100/100.
 - Add security review, threat model update, and signed release policy.
 - Add Homebrew/package registry distribution once names are secured.
 
+Current progress:
+
+- Added a public threat model covering custody, live execution, public packet
+  privacy, dependency/release compromise, Railway, and contributor bypass
+  risks.
+- Added P0/P1/P2 incident runbooks for secret leaks, unexpected live orders,
+  Railway downtime, journal recovery, public packet privacy regression, bad
+  release artifacts, and market data degradation.
+- Added distribution readiness policy for GitHub Release, PyPI, crates.io,
+  Homebrew, and container channels with promotion and rollback gates.
+- Added `scripts/hardening_gate.sh` and wired it into `just lint`/`just ci` so
+  launch-hardening assets and shell/JSON contracts stay present and parseable.
+- Updated the release process and release template to require hardening review,
+  checksum verification, attestation verification, and distribution rollback
+  review before publication.
+
 Exit gate:
 
 - The production scorecard reaches at least 95 in every dimension, and no live

docs/railway-deploy.md

@@ -137,3 +137,7 @@ operator demos or public behavior verification.
 - If zero-downtime deploys show brief downtime, check whether the service has an
   attached volume. Railway does not run two active deployments against the same
   mounted volume.
+
+For incident handling, use [incident-runbooks.md](incident-runbooks.md). The
+Railway-specific P1 runbook requires `/health`, `/v2/status`, `/metrics`,
+`/network/profile`, and `/intelligence/snapshot` to recover before promotion.