Skip to content

zero-network.md

Latest commit

 

History

History
292 lines (223 loc) · 10.2 KB

zero-network.md

File metadata and controls

292 lines (223 loc) · 10.2 KB

ZERO Network

ZERO Network is the public proof layer for verified autonomous behavior. It is not a hosted control plane and it does not require operators to send exchange credentials to ZERO.

Defaults

  • Runtime behavior is private by default.
  • Profile publication is opt-in.
  • Public profiles contain aggregate behavior only.
  • Public leaderboard rows are derived from the same redacted profile packet.
  • Deployment identity is represented by a public-safe zero.deployment.claim.v1 claim hash, not by custody or hosted permission.
  • Deployment liveness is represented by a public-safe zero.deployment.heartbeat.v1 heartbeat hash bound to the claim hash.
  • Raw decisions, trace IDs, idempotency keys, wallet addresses, exchange order IDs, strategy source labels, private notes, and per-trade symbols are excluded.

Local Endpoints

GET /network/profile returns a local public-safe profile:

{
  "schema_version": "zero.network.profile.v1",
  "profile": {
    "handle": "local-operator",
    "publish_enabled": false
  },
  "verification": {
    "proof_hash": "sha256:...",
    "deployment_claim_hash": "sha256:...",
    "deployment_heartbeat_hash": "sha256:..."
  },
  "metrics": {
    "decisions": 12,
    "fills": 1,
    "rejections": 11,
    "rejection_rate": 0.9167
  }
}

GET /deployment/claim returns the signature-ready deployment identity packet that the profile proof binds. Local deployments report signature.status = unsigned_local unless external signing metadata is provided through deployment environment variables.

GET /deployment/heartbeat returns the signature-ready liveness packet that the profile proof also binds. It reports paper-only or live dead-man freshness without exposing raw decisions, trace IDs, idempotency keys, credentials, wallet material, or private runtime notes.

GET /network/leaderboard returns zero.network.leaderboard.v1 with ranked rows derived from the same redacted profile format.

POST /network/publish requires explicit consent and a local publish path:

ZERO_NETWORK_HANDLE=my-handle \
ZERO_NETWORK_PUBLISH_PATH=.zero/network/published.jsonl \
zero-paper-api --journal .zero/decisions.jsonl

curl -fsS \
  -H "content-type: application/json" \
  -d '{"consent":true}' \
  http://127.0.0.1:8765/network/publish

The public runtime writes a JSONL proof packet to the configured local path. It does not upload to a ZERO-hosted service. A future hosted Network ingestion API can consume the same packet without changing the local privacy contract.

Hosted-Compatible Ingestion And Anti-Gaming

POST /network/ingest validates already-redacted zero.network.profile.v1 packets and returns zero.network.ingestion.v1:

curl -fsS \
  -H "content-type: application/json" \
  -d '{"profiles":[...]}' \
  http://127.0.0.1:8765/network/ingest

This route is stricter than the static leaderboard renderer. It models the public-safe checks a hosted ZERO Network ingestion service must preserve:

  • explicit publish_enabled=true consent;
  • recomputed profile proof hash;
  • internally consistent decision, fill, rejection, acceptance-rate, and rejection-rate metrics;
  • duplicate accepted handle refusal;
  • duplicate accepted proof-hash refusal;
  • deployment claim and heartbeat hash binding when deployment packets are present;
  • accepted-only leaderboard output.

Every submitted packet receives an accepted/refused record with risk flags, refusal reasons, trust tier, anti-gaming score, and leaderboard eligibility. The ingestion response includes no raw journals, trace IDs, idempotency keys, wallet addresses, exchange order IDs, strategy labels, per-trade symbols, or credentials.

The pinned contract fixture lives at contracts/network/ingestion.json.

Freshness And Stale Publication

ZERO Network pages must distinguish historical proof validity from current operator freshness. A stale profile can keep a valid proof hash while losing freshness badges and active leaderboard treatment.

See network-freshness.md for the public-safe freshness windows, badge policy, and leaderboard rules.

Profile And Identity Verification

scripts/network_profile_verify.py verifies a public profile packet before it is accepted into Network tooling or shared as operator proof:

curl -fsS "$ZERO_API/network/profile" > profile.json

scripts/network_profile_verify.py profile.json \
  --identity-bundle artifacts/deployment-identity/current \
  --require-signed-identity

The verifier emits zero.network.profile_verification.v1 and checks:

  • profile schema and public-safety redaction;
  • recomputed zero.network.proof.v1 proof hash;
  • leaderboard row binding to the profile proof hash;
  • deployment claim and heartbeat hashes bound to the profile;
  • deployment heartbeat bound to the deployment claim;
  • optional signed zero.deployment_identity_evidence.v1 bundle;
  • optional hosted-compatible consent and ingestion acceptance.

This makes the public Network boundary explicit: profiles are aggregate and open, while signed deployment identity is operator-owned evidence that can be verified without exposing exchange credentials, wallet material, trace IDs, or raw decisions.

Network Proof Pack

The repository commits a deterministic public-safe Network proof chain in docs/proof/network. It is generated by:

PYTHONPATH="$PWD/engine/src" scripts/network_proof_pack.py
PYTHONPATH="$PWD/engine/src" scripts/network_proof_pack.py --check

The manifest emits zero.network_proof_pack.v1 and binds:

  • the zero.network.profile.v1 packet;
  • the derived zero.network.leaderboard.v1 row;
  • deployment claim and heartbeat artifacts;
  • zero.deployment_identity_evidence.v1;
  • the recomputed zero.network.profile_verification.v1 report;
  • hosted-compatible ingestion acceptance.

This is the public "verify the chain" artifact for agents and reviewers. It does not claim live trading, PnL, or paper/live correlation.

Public Index Page Builder

The public repository includes a deterministic static index for checked Network contract pages:

just network-index-page-example

The index links the active, empty, stale, and leaderboard pages, explains the opt-in aggregate publication model, and refuses remote or script-style links. It uses no JavaScript, remote assets, journals, private execution details, or external links. The three profile states are deliberately distinct:

  • Empty: no public decisions, no behavior claim.
  • Active: aggregate proof verifies inside the freshness window.
  • Stale: proof may still verify, but it is archive evidence, not current operator status.

See examples/network-index-page and contracts/network/index.html.

Public Profile Page Builder

The public repository includes a deterministic static page builder for one already-redacted zero.network.profile.v1 packet:

just network-profile-page-example

The builder emits HTML for aggregate behavior, verification badges, proof hash, and the public display state only. It escapes profile-provided text and uses no JavaScript, remote assets, raw journals, symbols, trace IDs, idempotency keys, wallet addresses, exchange order IDs, strategy labels, or private notes.

See examples/network-profile-page and contracts/network/profile.html. Empty and stale fixtures are committed at contracts/network/empty-profile.html and contracts/network/stale-profile.html.

Public Leaderboard Builder

The public repository includes a deterministic builder that turns already redacted zero.network.profile.v1 JSONL packets into zero.network.leaderboard.v1:

just network-leaderboard-example

The builder:

  • accepts public profile packets only;
  • rejects malformed rows and mismatched proof hashes;
  • ranks deterministically by verification score, decisions, rejection rate, and handle;
  • emits only public-safe row fields;
  • never reads raw journals, symbols, trace IDs, idempotency keys, wallet addresses, exchange order IDs, or private notes.

See examples/network-leaderboard.

Public Leaderboard Page Builder

The public repository also includes a deterministic static page builder for an already-redacted zero.network.leaderboard.v1 payload:

just network-leaderboard-page-example

The page renders rank, handle, display name, mode, aggregate counts, verification score, proof hash, and an explicit state guide only. It escapes row-provided text and uses no JavaScript, remote assets, raw journals, symbols, trace IDs, idempotency keys, wallet addresses, exchange order IDs, strategy labels, or private notes.

See examples/network-leaderboard-page and contracts/network/leaderboard.html.

Static Page Smoke Gate

Checked Network pages are covered by a deterministic smoke gate:

just network-pages-smoke

The gate parses contracts/network/index.html, contracts/network/profile.html, contracts/network/empty-profile.html, contracts/network/stale-profile.html, and contracts/network/leaderboard.html. It verifies each page title and primary heading, requires expected local links and state copy, and fails on JavaScript, event handlers, remote references, missing local link targets, or raw private runtime tokens.

Verification Badges

  • paper_verified: aggregate paper behavior was observed.
  • durable_journal: behavior is backed by a local durable journal.
  • live_observed: live execution records exist. This badge does not imply custody transfer and must never include exchange credentials.

Leaderboard Rules

The first open-source leaderboard model is intentionally conservative. It ranks verified public behavior by aggregate activity and rejection discipline rather than PnL screenshots. It is a proof-of-process surface, not financial advice.

The leaderboard row includes:

  • rank;
  • handle;
  • display name;
  • mode;
  • decision count;
  • rejection rate;
  • open position count;
  • verification score;
  • proof hash.
  • deployment claim hash.

It excludes raw trades and strategy details.