Zeq digital.
The verified internet.

The security surface of the framework — state contracts for the web, encryption everywhere, secrets out of .env files and into the machine, every result signed and checkable.

Today's web runs on trust: plaintext secrets in .env files, servers that say “believe me,” results nobody can check. Zeq digital replaces that with verification: every secret sealed AES-256-GCM inside the state machine, every action hash-linked on the 1.287 Hz clock, every result signed and verifiable offline.

At its centre are state contracts for the web — agreements that run as signed, executable state on your machine — and a full security stack built on the framework: HITE encryption, Zeqond-synchronised Zeq SSL credentials, serverless Zeq VPN tunnels, encrypted mail and messaging, an antivirus with no signature database, and a universal audit chain.

New here? This is the security face of the framework. Watch the verification pipeline run on the clock below — then turn the pulse off and see why the clock is part of the security. Then explore the security apps.

Zeq digital, in full — state contracts for the web, the end of .env, encryption everywhere, and the verified internet

Zeq digital is the security surface of the Zeq framework — the part that turns the framework's mathematics into a verified internet. The web we have runs on trust: secrets sit in plaintext files, servers assert results nobody can re-check, and agreements live in PDFs that enforce nothing. Zeq digital replaces each of those with something verifiable: sealed secrets, signed computation, and contracts that run as state. This is the long version — the contracts, the encryption, the end of the .env file, and the security stack built on top.

State contracts for the web

A state contract is an agreement that runs: terms expressed as executable state on your own machine, every transition signed and hash-linked at the pulse. Where a web form promises and a PDF describes, a state contract enforces — it fires on real events, records what happened, and its whole history is replayable proof. You can build and deploy them from a growing library of industry templates in the State Contracts studio and the Contract IDE — contracts as infrastructure for the web, not paperwork alongside it.

The end of the .env file

Every breach post-mortem has the same line in it somewhere: the secret was in a plaintext file. The framework's answer is ZSC — Zeq Secure Context: secrets live inside the state machine, encrypted AES-256-GCM at rest, with a per-machine subkey derived by HKDF — and every read lands in the audit chain. No .env files, no plaintext credentials on disk, no secret that can be copied without leaving a mark. Across this fleet it is not a roadmap item: the nodes you are browsing run with no .env files at all.

Encryption everywhere

Encryption in the framework is not one feature — it is the default fabric. HITE (Hilbert Information Theory Encryption) does the heavy lifting: AES-256-GCM keyed with KO42-derived entropy. Zeq SSL issues symmetric, Zeqond-synchronised credentials — managed, rotated and revoked as rows of state, so a credential is something you can see and kill, not a file you hope nobody found. TESC provides secure real-time channels, and Zeq Mail and Zeq Message put AES-256-GCM email and ZSP-secured messaging on your own identity, on your own machine.

The security stack

On top of that fabric sits a full stack of security applications, all in the Zeq Apps store: ZSP Security — the unified cybersecurity protocol on the HULYAS spectral-topological kernel; Zeq VPN — serverless, peer-to-peer HITE-encrypted tunnels brokered by state machines (no central server to subpoena or breach); Zeq Antivirus — endpoint protection that scores host claims mathematically through the HF spectrum, with no central signature database; the Zeq Audit Daemon — pipe events from any server, device or website into the tamper-evident audit chain; and the HF Forensic Dashboard — a live anti-hallucination layer scoring every operation. And everything they record is inspectable in the open on the State Observer — watch any machine's signed, phase-locked history live.

Every result signed

Computation itself is part of the security story. Every result the framework returns is an envelope: the value, the equation, the constants, the full pipeline transcript, the clock stamp — and an Ed25519 signature over the claim, verifiable offline or against an independent node. Every answer carries an honest verdict — verified, unverifiable, or disputed. On the verified internet, “trust us” is replaced by “check it.”

Why the clock is part of the security

The animation above is the framework's verification pipeline running as a clocked system: every stage fires on the 1.287 Hz beat, one hop per Zeqond, and every hop is stamped and chained. That shared clock is what makes the audit chain tamper-evident — every machine agrees on when, so history has one order and edits have nowhere to hide. Turn the pulse off and the pipeline goes asynchronous: queues jam, order dissolves — and with it, the very property that makes verification possible.

The papers

The mathematics underneath is published openly on Zenodo, downloaded over 5,000 times in the first year: Zeq — Evolution of Mathematics and Zeq: Universal Proper-Time Modulation — both CC BY 4.0. Read them, then put a secret in a machine instead of a file.

integrator · 1.287 Hz PULSE ON
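// running ON the 1.287 Hz pulse
const dt = τ / 60;  // τ = one Zeqond (0.777 s); pulse: ON  ✓
for (let i = 0; i < bodies.length; i++) {
  const b = bodies[i];  // body i, with acceleration a[i]
  b.v += a[i] * dt;     // update velocity first
  b.x += b.v * dt;      // then position, using the new velocity
}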
✓ on course  |  ΔE/E₀ < 0.001
step 2 · how you'll talk to your state machine

Two ways
to drive it.

The state machine is itself a mathematical language — it doesn't need AI to run. The optional Pulse (Mathematical Intelligence) is laid on top of an LLM as a translator: it turns Plain English into Zeq contracts. The LLM never computes the math. The kernel does. The entangled state proves it. Pick the surface that suits you — switch any time.

Mathematical Intelligence vs Root — the LLM is a translator, not a calculator

This is the part most people get wrong about Zeq. The state machine is itself a mathematical language. The kernel runs real equations at sub-percent precision — quantum mechanics, general relativity, fluid dynamics, orbital mechanics, the lot. None of that needs an LLM. The state machine doesn't run on AI; it runs on math. AI is an optional surface laid on top of the kernel, only there to help you describe what contracts you want. The math always runs on the server, on the state machine. The LLM never touches the answer.

What we mean by "Mathematical Intelligence" (MI)

Standard AI is a language model that guesses the next token. It hallucinates because it has no ground truth — only statistical patterns over text. Mathematical Intelligence is what you get when you put a kinematic-spectrum kernel under a language model: the LLM proposes a contract in human terms ("simulate three planets in mutual orbit"), the kernel verifies the math actually works, picks the right operators, binds the real constants, runs the equations, issues a ZeqProof. Whatever the LLM produces gets checked against physics before any byte hits your screen. The result is an agent that can't lie about a number — the kernel won't let it. That's MI: AI that's been physics-grounded by a state machine.

The LLM is a translator. The kernel is the calculator. The entangled state is the receipt.

Pulse — Mathematical Intelligence on top of an LLM

Pulse mode gives you a chat surface where you describe contracts in Plain English (or any language) and the system turns your words into Zeq contracts. Two ways to power the LLM underneath:

Option A · Free limited model from us

Sign in and you get a free quota of contract translations on a model we host. It's rate-limited and capped per day, but it's free, it's instant, and it requires no setup. Good for trying the framework, prototyping a couple of contracts, getting the feel. The translations are always shown to you before they fire, and the math still runs on your kernel — the model only decides what contract to write, never what the answer is.

Option B · Bring your own API key (BYOK)

Paste an API key from a provider you already pay for — OpenAI, Anthropic, Fireworks, DeepSeek, Cerebras, Together, Groq, or any OpenAI-compatible endpoint. Your key is encrypted with HITE (AES-256-GCM under KO42) and stored against your state machine. From that point Pulse calls your account, on your tier, with your model of choice. The framework never sees the cleartext key, and you can revoke or rotate it at any tick. This unlocks longer contexts, smarter translations, vision input — whatever your provider gives you. Same kernel, same math, smarter translator.

What the LLM never does: the LLM never computes a physics value. It cannot output a number that wasn't produced by the kernel. If a contract requires R(t) at zeqond N, the kernel runs it; the LLM is told the result and weaves it into the prose. There is no path where an LLM hallucination can become an entangled state entry — the seven-step wizard rejects anything not produced by the operators.

Root — pure mathematical language, no AI in the loop

The state machine doesn't need an LLM at all. Root (the CLI) is a web terminal where you type contracts directly — zeq.compute(KO42, ψ), zeq.bind(QM5, …), zeq.pulse(), zeq.verify(proofDigest), zeq.shift(τ * 100), the entire SDK surface. The kernel ticks them through the same seven-step pipeline as the Pulse path, but with no model, no translator, no quota, no provider — just you, the math, and the entangled state. Best when you know the operator names, you're scripting reproducible work, you want zero latency, or you're paranoid about ever having an LLM in your stack.

Switch any time

The pick on this step is your first-touch preference, not a commitment. After step 7, every page on your state machine carries a Pulse at the bottom-right with a tiny ⌘ CLI toggle. Talk through a problem, drop into CLI to verify a proof digest, flip back. Contracts written one way are visible the other way. The kernel doesn't care which mouth you use — it computes the same way for both, on every Zeqond.

step 3 · your identity

Your equation
is your key.

No email. No password. No recovery questions. Type a few words — the kernel runs the 7-step wizard against the 1.287 Hz pulse and mints an equation that's only yours. You remember it; we never store it. That equation unlocks your state machine on any device.

Why an equation is your identity — sovereign, irrecoverable, mathematically yours

A password is a string a server compares to its database. A Zeq equation is a unique state-vector generated from your query, the current zeqond, the kernel's HMAC seed, and the kinematic operators selected for that exact moment in time. The server never sees the cleartext. The framework never stores the cleartext. Even an attacker who somehow obtained both your query and the precise zeqond you registered at would still need the framework's ZEQ_NODE_SECRET to reproduce the operator set you got. That is what makes an equation an identity: it's mathematically derived from your intent and the moment and the kernel — three independent factors no attacker controls all of.

Query-driven — minimum four meaningful tokens

The wizard rejects two-word inputs. Stop-words ("the", "of", "a", "and") are stripped before counting; tokens shorter than three characters are stripped. What remains must be at least four distinct meaningful words. This is non-negotiable: the equation's strength comes from the entropy of the query, and "my orbit" or "test password" cannot anchor a sovereign identity. The chip suggestions on this step are intentionally five and six tokens long — physics, materials science, quantum mechanics, oceanography phrases — so you have a starting palette that already meets the floor. Edit them, extend them, write your own. The longer and more specific your query, the more entropy and the harder to guess.

Phase-locked — bound to the exact zeqond

Every request to /api/zeq/wizard/auth-bootstrap is HMAC-bound to its zeqond. The seed is HMAC-SHA256(ZEQ_NODE_SECRET, "zeq.seed.v1|" + zeqond + "|" + queryHash), sliced to 16 bytes. The seed is fed into the operator selector, which scores all 1,500+ operators in the catalogue — token-driven semantic match plus a per-request jitter derived from the seed — and picks the top six, with one wildcard pulled from a non-matching domain to guarantee multi-domain synthesis. The same query at zeqond N and zeqond N+1 produces different operator sets and different modulated R(t) values, because the sine term in R(t) = S(t) · [1 + α · sin(2π·1.287·t)] has visibly shifted by 0.777 seconds. Two snapshots of the same query, even one beat apart, do not yield the same equation.
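The token floor and the seed formula from the two sections above, as an added Python sketch (not the framework's own code). The hex SHA-256 form of queryHash, the decimal encoding of the zeqond, and the short stop-word list are assumptions; the secret and the query are constructed sample values.

```python
import hashlib
import hmac
import re

# Only the stop-words the page names; the real list is assumed to be longer.
STOP_WORDS = {"the", "of", "a", "and"}
MIN_TOKENS = 4       # "at least four distinct meaningful words"
MIN_TOKEN_LEN = 3    # tokens shorter than three characters are stripped


def meaningful_tokens(query: str) -> list:
    """Distinct tokens left after stop-word and length stripping, in order."""
    seen, kept = set(), []
    for tok in re.findall(r"[^\W_]+", query.lower()):
        if tok in STOP_WORDS or len(tok) < MIN_TOKEN_LEN or tok in seen:
            continue
        seen.add(tok)
        kept.append(tok)
    return kept


def query_hash(query: str) -> str:
    """Assumed queryHash: hex SHA-256 of the normalised token list."""
    tokens = meaningful_tokens(query)
    if len(tokens) < MIN_TOKENS:
        raise ValueError(f"need {MIN_TOKENS} meaningful tokens, got {len(tokens)}")
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()


def derive_seed(node_secret: bytes, zeqond: int, qhash: str) -> bytes:
    """HMAC-SHA256(secret, "zeq.seed.v1|" + zeqond + "|" + queryHash)[:16].

    A decimal zeqond and a hex digest cannot contain "|", so the
    delimiter-joined message has exactly one way to be parsed.
    """
    msg = f"zeq.seed.v1|{zeqond}|{qhash}".encode()
    return hmac.new(node_secret, msg, hashlib.sha256).digest()[:16]


# Constructed sample values, not real framework data.
SECRET = b"constructed-placeholder-secret"   # stands in for ZEQ_NODE_SECRET
QUERY = "tidal resonance of a binary neutron star"

if __name__ == "__main__":
    qh = query_hash(QUERY)
    for z in (1000, 1001):                   # two consecutive zeqonds
        print(z, derive_seed(SECRET, z, qh).hex())
```

The seed changes with the zeqond and with the secret, and a query that falls below the floor is rejected before any seed is derived.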

Zero-knowledge — the server never sees the equation

The client computes HMAC-SHA256(equation, salt) and POSTs only { equation_hash, equation_salt, display_name }. The cleartext equation never crosses the wire. The framework's database stores the HMAC and the salt — both irreversible without the equation itself. Forgetting the equation makes the account irrecoverable, by design. There is no "recover password" link, no email reset, no admin override. The framework cannot read your equation any more than someone else can.

How to save it

Three options, ranked by safety: (1) click Copy in the equation block's top-right corner and paste into a password manager (1Password, Bitwarden, etc.) — the equation is a single string of text and lives happily there. (2) click .zeq to download a PIN-encrypted recovery file (HITE encryption, AES-256-GCM with KO42) — store it on a USB, an external disk, or any secondary location. (3) screenshot or photograph the equation block — every character is captured, and an offline image is one of the most resilient backups in existence. Combine two of the three for genuine insurance. Whatever you do, do not let the equation live only in your browser's local storage; clear that storage and the equation is gone unless you have a backup.

What this gives you

One equation unlocks your machine on every device, anywhere on the network, without an account-recovery flow, without password fatigue, without revealing anything to the framework. The same equation is also the seed for the entangled state that records your contracts, so signing in and authenticating a future computation are the same operation under the hood. The framework's other apps — Vault, Mail, Message, HITE Encryption, ZSP Security — accept the same identity. One equation, every surface.

① Pick or type a topic
② Display name · optional
③ Mint your equation

No email · No password · No recovery questions · ~2 minutes
The kernel mints it. We never store it. Save it yourself in step ④ below.

① Email · how you'll sign in
② Four words · pre-filled — just generate
These seed your password and are never needed again — no need to remember them.
③ Password strength · how secure
④ Display name · optional

Sign in next time with your email + that password. We store neither — only your public Zeq ID.

step 4 · meet your state machine

It's already
running.

Your state machine has a Zeq ID, an entangled state, and a clock — ticking right now at 1.287 Hz. A live page is already deployed at /s/<zid>/ with a Pulse on it — open the page in a new tab and you can architect, build, and edit your application directly on the live site. The Pulse on this page and the Pulse on your page are the same Pulse on different URLs.

Your personal Pulse is a state machine of its own — ZID ZEQORB…, own entangled state, own balance, auditable in the explorer any time.

Your state machine has a Zeq ID, an entangled state, and a clock — ticking right now at 1.287 Hz. A live page is already deployed at /s/<zid>/ — and you drive all of it from the terminal. Type contracts directly — compute NM19 mass=5 acceleration=2, contracts, chain — the kernel ticks them through the same seven-step pipeline, no model, no translator, no quota.

No AI runs on this route — every contract is ZeqProof-verified and hash-linked. The AI surface stays one switch away; nothing is lost by starting here.


Pulse here and Pulse on your live page are the same Pulse — both write to the same entangled state.

Root talks to the same kernel every other surface uses — same seven-step pipeline, same entangled state, same proofs. Start with tutorial for the 5-step walkthrough, or hello for a real one-shot compute.

What lives at your state machine — entangled state, observer, audit, sovereign by default

Your Zeq machine is a self-contained computational substrate. It has its own audit entangled state, its own embedded api-core, its own state observer, and its own clock — synced to the same 1.287 Hz pulse as every other machine on the network. The Zeq ID minted from your equation in step 3 is permanent: it cannot be reassigned, cannot be silently changed, cannot be impersonated. Whatever you build on this machine is hash-linked to that ID forever.

Tamper-evident entangled state — proof, not promises

Every contract that fires on your state machine writes a hash-linked entry to the entangled state. Each entry references the previous entry's hash, so any retroactive edit to history would invalidate every subsequent entry — a Merkle-style integrity guarantee on your machine's own entangled state, not a global ledger. Each contract carries a ZeqProof: an HMAC-SHA256 over the operator IDs picked, the modulated state R(t) at firing, the zeqond, and the queryHash. Anyone in the world with the proof digest can later verify what happened on what tick, in what state, with what inputs — without trusting you, without trusting the framework, and without re-running the computation. The entangled state is the receipt.
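A minimal model of the hash-linked log and per-entry proof described above, added here as an illustration (not the framework's code). The entry layout, the canonical-JSON encoding, the SHA-256 link hash, the all-zero genesis value and the key are assumptions; the operator IDs are names reused from the page as constructed sample values.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                                  # assumed first prev-hash
PROOF_FIELDS = ("ops", "r_t", "zeqond", "qhash")    # fields the page lists


def _canon(obj) -> bytes:
    """Canonical JSON, so identical fields always hash to identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _link_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canon(body)).hexdigest()


def make_proof(key: bytes, entry: dict) -> str:
    """HMAC-SHA256 over operator IDs, R(t), zeqond and queryHash."""
    body = {k: entry[k] for k in PROOF_FIELDS}
    return hmac.new(key, _canon(body), hashlib.sha256).hexdigest()


def append_entry(chain: list, key: bytes, ops, r_t, zeqond: int, qhash: str) -> dict:
    entry = {"prev": chain[-1]["hash"] if chain else GENESIS,
             "ops": list(ops), "r_t": repr(float(r_t)),
             "zeqond": zeqond, "qhash": qhash}
    entry["proof"] = make_proof(key, entry)
    entry["hash"] = _link_hash(entry)               # covers prev and proof too
    chain.append(entry)
    return entry


def first_bad_entry(chain: list, key=None) -> int:
    """Index of the first entry that fails verification, or -1 if none does.

    Without a key only the hash links are checked: an HMAC is a keyed MAC,
    so re-checking a proof needs the same key that produced it.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or _link_hash(e) != e["hash"]:
            return i
        if key is not None and not hmac.compare_digest(make_proof(key, e), e["proof"]):
            return i
        prev = e["hash"]
    return -1


def relink(chain: list, start: int) -> None:
    """Test helper: recompute link hashes from `start` on, without the key."""
    for i in range(start, len(chain)):
        chain[i]["prev"] = chain[i - 1]["hash"] if i else GENESIS
        chain[i]["hash"] = _link_hash(chain[i])


# Constructed sample: three contract firings on consecutive zeqonds.
KEY = b"constructed-proof-key"                      # placeholder, not a real key
LOG = []
for n, ops in enumerate((["KO42", "QM5"], ["NM19"], ["KO42", "NM19"])):
    append_entry(LOG, KEY, ops, 1.0 + n / 10, 1000 + n, f"{n:064x}")
```

An in-place edit fails the link check at the edited entry. If the links are recomputed afterwards, the link check passes again and only the keyed proof still flags the entry.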

Fault-isolated — your state machine doesn't depend on ours

Each Zeq state machine runs on its own embedded api-core and its own clock. If a peer state machine crashes, yours never feels it. If the framework's mesh fabric (the consensus layer that coordinates 10 origins) degrades, your state machine keeps ticking on its own pulse until quorum returns; transitions queue locally and replay onto the mesh on reconnect. Resource limits and crash-loop protection are enforced per-state-machine: a runaway contract on one tenant cannot starve another. The fault model assumes adversarial neighbours and degraded networks as the steady state — not the exception.

Five surfaces other people reach you through

Messaging — end-to-end-encrypted address inside the framework, drop-in for email, no plaintext on any server: <zid>@zeq.dev. Public site — folder-portable page at /s/<zid>/ that anyone with the URL can reach. State observer — your entangled state rendered live at /state/?slug=<zid>, filter pills for compute / agent / contract / audit-source / proof events. API — Authorization: Bearer zsm_… for admin scope, zeq_ak_… for site publish, all keys revocable per-scope. Audit entangled state — anyone with a proof digest calls /api/zeq/verify and the entangled state proves the entire path from genesis to that point. Hash-linked under origin: zeq.dev:<zid>.

Folder-portable — your state machine isn't trapped here

The state-machine folder under /s/<zid>/ contains everything required to boot the same state machine on a different framework instance: the entangled state, the contracts, the cached operator catalogue, the public-site assets. Copy it to another VPS, point a Zeq-compatible runtime at it, and the same state machine resumes ticking. There is no "you can only run on our cloud" lock-in; the framework is the protocol, not the host.

Other apps your equation already unlocks

The Apps menu at the top of every page lists every Zeq application — Vault, Mail, Message, Zeq MI, HITE Encryption, ZSP Security, HZC Compress, Globe, Audit Daemon, Skills, Physics Wizard, Wallet — and each one is a state machine of its own. The equation that minted this machine signs you into all of them. You don't need to set them up now; they're there whenever you want them.

How Pulse drives this machine

Pulse is Mathematical Intelligence laid on top of an LLM: the model translates your Plain English into Zeq contracts, the kernel computes them, the entangled state proves them. The LLM never computes a physics value — it cannot output a number the kernel didn't produce. Your personal Pulse is itself a state machine (its ZID is shown above): its own entangled state, its own balance, auditable in the State Observer like any other machine on the network. Free limited model from us, or BYOK — paste a key from OpenAI, Anthropic, Fireworks, DeepSeek and Pulse runs on your provider, your tier.

How Root drives this machine

Root is the kernel's native mouth — no model, no translator, no quota. compute NM19 mass=5 acceleration=2 runs a real operator and prints the CKO envelope; contracts deploys, fires, and dry-runs state contracts against the audit trail; verify walks the hash-linked log and re-checks any proof; zsc is the encrypted secret vault that replaces .env files. The same surface is scriptable from outside the browser: every Root verb maps to a real API route under your zeq_ak_ key, and any MCP-capable LLM client can drive the same endpoints — that's the MCP button above — without an AI ever running on your machine.

steps 5 · 6 · 7 happen on your live page

Click Open your page & Pulse above, then the ▲ Workbench pill. It walks the same four-step journey on every machine:

  1. LEARN — free-form Q&A with Pulse about the framework before you build.
  2. 5 · SKILL — pick or generate the operator skill your build needs.
  3. 6 · PLAN — spec, state contracts, APIs — Pulse architects, you approve.
  4. 7 · BUILD — edit files, deploy apps to /p/<app>/, every version hash-linked. The terminal rides under every step if you want the kernel directly.

Every deploy and every compute is a transition on your entangled state — same pipeline, same proofs as the CLI route.

steps 5 · 6 · 7 happen on your live page

Click Open your page & Root above, then the ▲ Root · CLI pill. The Root IDE walks the same four-step journey on every machine:

  1. LEARN — the written guide: Zeqonds, operators, contracts, proofs — no model involved.
  2. 5 · OPERATORS — browse the catalogue by domain, run any operator live in the terminal.
  3. 6 · CONTRACTS — the contracts IDE: Templates or Expert; dry-run and fire from the terminal.
  4. 7 · BUILD — edit files, deploy apps to /p/<app>/, every version hash-linked. The terminal rides under every step.

Every deploy and every compute is a transition on your entangled state — same pipeline, same proofs as the AI route. No AI ran, none will — unless you ever flip it on yourself.

backup your access

Your equation credential is the primary key to this machine — keep the printed copy somewhere safe. Want a fallback? Set an optional recovery password in your portal settings. It only works alongside the equation; it never replaces it.
