Skip to content
operating intelligence runtime · —Sign in
Menu

developers · contracts

The contract files, served raw.

Every public artifact ZERO emits — receipts, replays, brackets, capability states — validates against one of these contracts. Each link below is the canonical file itself, not a rewrite of it. Versioned names are stable; breaking changes ship as a new version, never as an edit in place.

schemas · 52

  • zero.a2ui.v1.schema.json

    ZERO a2ui.v1 · the agent-stream delta grammar

    The published contract for ZERO's agent stream: intent in, governed generative UI out. An agent emits an ordered sequence of frames — a2ui deltas (append/replace/remove) over a closed 16-kind node vocabulary — that a pure reducer folds into a tree and renders to ZERO primitives. No free-form HTML, no open node set: an unknown kind renders a visible error, never a silent fallback. The stream is honest by construction — every stream declares an evidence_class (live/replay/simulation/unavailable) and rides the five data-beats (see → decide → authorize → act → prove). Consequential intents halt the stream at the GATE sentinel, which pairs with an approvalGate node and holds until the operator rules; a replay holds no authority and renders its refusal as the receipt. Both surfaces build against this one contract: the Shell v3 composer driver that emits frames and the a2ui runtime (window.ZeroA2UI) that folds and renders them.

  • zero.audit_entry.v95.schema.json

    ZERO v95 AuditEntry

    Public-safe Runtime audit entry transport shape for mapping ZERO Runtime, Proof, replay, and journal events into lifecycle Trace objects.

  • zero.authority_ceremony.v1.schema.json

    ZERO Authority Ceremony and Receipt v1

  • zero.builder_code_authority.v1.schema.json

    ZERO Builder Code Authority v1

  • zero.capital_operation.v1.schema.json

    ZERO CapitalOperation v1

    The envelope for anything that can touch money, authority, payment, task settlement, or proof. Agents never call rails directly; they create and advance CapitalOperations. Policy-checked, simulated, signed under scoped authority, executed through a rail, replayable from receipts. The runtime validator (zero.protocol.capital_operation) additionally enforces per-kind consequence-class floors under the rule: class = worst reachable consequence, not stated intent.

  • zero.coliseum.league_retention.v0.schema.json

    ZERO Coliseum League retention v0

    Public read-only retention gate for weekly paper Coliseum bracket samples and League promotion evidence. This contract never executes orders and never publishes performance claims.

  • zero.coliseum.paper_bracket.v0.schema.json

    ZERO Coliseum paper bracket v0

    Public read-only paper tournament bracket for replay-backed ZERO League promotion.

  • zero.coliseum.paper_bracket.v1.schema.json

    ZERO Coliseum paper bracket v1

    Public read-only paper League bracket derived from REAL stored paper runs (decision_replay_frames, source_type=paper_fill). No fabricated entrants; no public pnl ranking. Honest forming state when no scored runs exist yet.

  • zero.decision_receipt_card.v1.schema.json

    ZERO Public Decision Receipt Card

  • zero.decision_replay.v1.schema.json

    ZERO Decision Replay

  • zero.developer_proof_api.v1.schema.json

    ZERO Developer Proof API Contract

    Machine-readable launch contract for public read-only proof and replay integration.

  • zero.discovery.v1.schema.json

    ZERO discovery manifest

    Canonical machine-readable discovery manifest for ZERO agents and public crawlers.

  • zero.divergence_refusal_proof.v1.schema.json

    DivergenceRefusalProof v1

    Cryptographically-fingerprinted bundle attached to an hl-sign refusal that was driven by HL data-plane divergence. Lets an operator (or third-party auditor) verify the claim 'we refused this trade because our primary HL source and the fallback disagreed, by this amount, on these coins, at this timestamp' — without trusting the engine's own log line. Embedded as an extension under decision_replay_frames.frame.tools[] or stored as a standalone bundle keyed by replay_id. The proof_hash field self-seals the bundle so any silent modification is detectable. Closes audit item F21/F22 (https://getzero.dev/contracts/audit-items#F22) when the engine wires the full payload-hash chain.

  • zero.engine.evidence_depth.v1.schema.json

    ZERO Runtime evidence depth v1

    Public contract for retained live-Runtime evidence depth and the exact sample gaps that block launch-grade confidence.

  • zero.engine.native_dimension_readback.v1.schema.json

    ZERO native Runtime dimension readback v1

    Public read-only contract for app-owned Runtime dimension readbacks generated from public-safe live-Runtime-bus harvests.

  • zero.engine.proof.v1.schema.json

    ZERO Runtime proof v1

    Public machine-readable contract for ZERO Runtime proof systems and safety boundaries.

  • zero.engine_product_truth.v1.schema.json

    ZERO Runtime product truth v1

    Public operator-facing contract for the ZERO Hyperliquid Runtime product narrative and safety boundary.

  • zero.genesis.evidence.v1.schema.json

    Genesis Evidence Bundle v1

    Machine-readable proof of one Genesis self-mutation cycle. Built by zero.genesis.evidence.build_bundle() by folding a stream of journal events sharing the same cycle_id. Lets an Admin UI / MCP tool / public proof surface render the cycle without parsing raw JSONL.

  • zero.growth_multi_operator_history.v1.schema.json

    ZERO Growth Multi-Operator History Readback

  • zero.growth_receipt_repeatability.v1.schema.json

    ZERO Growth Receipt Repeatability Readback

  • zero.hl_data_plane.v1.schema.json

    Hyperliquid Data-Plane Provenance v1

    Provenance block attached to a ReplayFrame / EvidenceBundle so consumers can see (a) which Hyperliquid source the Runtime read from, (b) how fresh each cached signal was at decision time, and (c) whether the source agreed with the public HL API. Produced by zero/data_plane.py:data_plane_provenance(). The schema deliberately does not specify a single hash field for the data plane state — divergence detection is a follow-on contract.

  • zero.hl_data_plane_divergence.v1.schema.json

    HL Data-Plane Divergence Record v1

    Per-cycle divergence record produced by zero.data_plane_producer.compute_divergence. Compares the engine's primary HL source (typically cached responses from market_data_service) against an optional fallback source. One record is written to bus/hl_data_plane_divergence.json each periodic cycle; the full history lives at bus/hl_data_plane_divergence_history.jsonl. Consumers: /v2/data-plane-divergence (current), /v2/data-plane-divergence/history (records[]), runtime_safety.py (folds the overall status into RuntimeSafetyState), and the hl-sign refusal path (refuses signing when status=major_drift). Schema name is intentionally distinct from zero.hl_data_plane.v1 — that one describes the provenance block embedded in a replay frame; this one describes the standalone divergence record produced by the periodic comparator.

  • zero.hosted_operator_launch_receipt.v1.schema.json

    ZERO Hosted Operator Launch Receipt

  • zero.intelligence_warehouse.v1.schema.json

    ZERO Intelligence Warehouse Contract v1

    Machine-readable source, join, privacy, and governance contract for ZERO intelligence warehouse materialization.

  • zero.intent.v1.schema.json

    zero.intent.v1

    The composer's intent envelope (COMPOSER-SPEC §3.1). Idempotent, mortal, carries NO secret material. Emitted by source:composer; the engine re-derives class and is authoritative.

  • zero.marketplace.paid_call_gate.v0.schema.json

    ZERO marketplace paid-call gate v0

    Public readiness contract for marketplace paid calls. The contract is disabled by default and cannot execute orders, move funds, or enable x402.

  • zero.marketplace.paid_response_receipt.v0.schema.json

    ZERO marketplace paid response receipt v0

    Draft blocked receipt schema for future marketplace paid responses. Version v0 represents disabled paid response delivery and cannot prove a charge.

  • zero.marketplace.reputation.v0.schema.json

    ZERO marketplace reputation v0

    Public supplier and listing reputation contract for the read-only ZERO marketplace.

  • zero.marketplace.seller_disclosure.v0.schema.json

    ZERO marketplace seller disclosure v0

    Public contract for seller disclosure review requirements. The review workflow is not enabled and cannot approve sellers, enable paid calls, configure x402, or move funds.

  • zero.mcp.public_tool_results.v1.schema.json

    ZERO public MCP tool results

    Contract for /oss/mcp read-only tool result payloads that do not already use public operator schemas.

  • zero.mcp.refusal.v1.schema.json

    ZERO public MCP refusal

    Structured refusal payload returned when public /oss/mcp is asked to mutate runtime or execute orders.

  • zero.mcp.tools.v1.schema.json

    ZERO public MCP tools list

    Contract for the read-only tools/list response exposed by /oss/mcp.

  • zero.pricing_contract.v1.schema.json

    ZERO Pricing Contract v1

    Machine-readable product, pricing, fee, and execution-boundary contract for public and operator pricing surfaces.

  • zero.proof_packet.v1.schema.json

    ZERO ProofPacket v1

    The exportable, third-party-verifiable record of ONE capital operation: the redacted latest zero.capital_operation.v1 envelope snapshot, an ordered sha256 chain over every journal snapshot of that operation, the authority it ran under, and the Ed25519 material needed to verify its authorization signatures offline — no secrets required, none included. Not zero.proof_pack.v1 (the per-root daily journal proof); this contract is per-operation. The runtime validator (zero.protocol.proof_packet) and the offline verifier (python3 -m zero.proof_packet_verify <packet.json>) additionally enforce cross-field laws this schema cannot express: packet_id must equal pp_<op_id> of the packaged operation; receipts and signature.entries must be verbatim mirrors of the operation's receipts and signatures; each snapshot_chain seq must equal its array position and the chain head status must match the operation; every status change in the chain must be a legal lifecycle transition; each signature challenge must bind this operation's op_id, policy_hash, simulation_hash, quote_hash, scope_id, and scope_epoch, be signed before quote expiry, and verify against the embedded public key; and proof_hash must reproduce as sha256 over the canonical packet bytes (JSON with sorted keys, compact separators, non-ASCII preserved, UTF-8) with proof_hash itself excluded.

  • zero.public_decision_artifacts.v1.schema.json

    ZERO Public Recurring Decision Artifacts

  • zero.public_operator.v1.schema.json

    ZERO Public Operator Profile

  • zero.public_operators.v1.schema.json

    ZERO Public Operators Index

  • zero.registry.catalog.v0.schema.json

    ZERO Registry catalog v0

    Public-safe catalog contract for ZERO Registry skills, strategy templates, signals, datasets, and evaluators. The compatibility /api/market route remains supported.

  • zero.registry.reputation.v0.schema.json

    ZERO Registry reputation v0

    Public supplier and listing reputation contract for the read-only ZERO Registry. The compatibility /api/market/reputation route remains supported.

  • zero.replay_decision_graph.v1.schema.json

    ZERO Public Replay Decision Graph v1

  • zero.replay_entrypoints.v1.schema.json

    ZERO Public Replay Entrypoints

  • zero.replay_graph_context.v1.schema.json

    ZERO Public Replay Graph Context

  • zero.runtime_capability_state.v1.schema.json

    ZERO Runtime Capability State v1

  • zero.runtime_safety.v1.schema.json

    RuntimeSafetyState v1

    Aggregated read-only view of the engine's safety signals. Joins risk.json, circuit_breaker.json, md_heartbeat.json, heartbeat.json, immune_risk.json into one contract with freshness metadata. Consumers (Admin UI, MCP tools, public Runtime status) read this once instead of reconciling 5+ files by hand. Pure aggregator: no business logic. Produced by zero/runtime_safety.py:compute_runtime_safety_state and exposed at GET /v2/runtime-safety.

  • zero.runtime_setup_lifecycle.v1.schema.json

    ZERO Runtime Setup Lifecycle

    Current app projection of the claim-to-proof Runtime setup spine derived from RuntimeCapabilityState.

  • zero.setup_lifecycle.v1.schema.json

    Setup Lifecycle Snapshot v1

    Unified view of the Runtime's 'what's forming' surfaces. Folds approaching.json, near_misses*.jsonl, rejections.jsonl, and trades.jsonl into one record per (coin, direction) tuple over a configurable window. Produced by zero/setup_lifecycle.py:build_snapshot(); persisted at bus/setup_lifecycles.json; exposed at GET /v2/setup-lifecycles.

  • zero.status.v1.schema.json

    ZERO public status contract

    Public-safe operational status for ZERO runtime, proof, notification, and support readiness.

  • zero.vibe_deploy.lifecycle_contract.v1.schema.json

    ZERO Vibe Deploy Lifecycle Contract v1

  • zero.vibe_deploy.proof_chain.v1.schema.json

    ZERO Vibe Deploy Proof Chain v1

    Ordered proof contract for establishing Runtime ownership, liveness, paper capability, Hyperliquid authority, main-wallet Builder Code authority before live lease, short live-lease execution authority, and no-secret Builder fill reconciliation.

  • zero.vibe_deploy.recovery_hardening.v1.schema.json

    ZERO Vibe Deploy Recovery Hardening v1

  • zero.vibe_deploy.runtime_manifest.v1.schema.json

    ZERO Vibe Deploy Runtime Manifest v1

  • zero.vibe_deploy_readiness.v1.schema.json

    ZERO Vibe Deploy Readiness v1

examples, api definitions, and docs · 7