The security surface of the framework — state contracts for the web, encryption everywhere, secrets out of .env files and into the machine, every result signed and checkable.
Today's web runs on trust: plaintext secrets in .env files, servers that say “believe me,” results nobody can check. Zeq digital replaces that with verification: every secret sealed with AES-256-GCM inside the state machine, every action hash-linked on the 1.287 Hz clock, every result signed and verifiable offline.
At its centre are state contracts for the web — agreements that run as signed, executable state on your machine — and a full security stack built on the framework: HITE encryption, Zeqond-synchronised Zeq SSL credentials, serverless Zeq VPN tunnels, encrypted mail and messaging, an antivirus with no signature database, and a universal audit chain.
New here? This is the security face of the framework. Watch the verification pipeline run on the clock below — then turn the pulse off and see why the clock is part of the security. Then explore the security apps.
Zeq digital is the security surface of the Zeq framework — the part that turns the framework's mathematics into a verified internet. The web we have runs on trust: secrets sit in plaintext files, servers assert results nobody can re-check, and agreements live in PDFs that enforce nothing. Zeq digital replaces each of those with something verifiable: sealed secrets, signed computation, and contracts that run as state. This is the long version — the contracts, the encryption, the end of the .env file, and the security stack built on top.
A state contract is an agreement that runs: terms expressed as executable state on your own machine, every transition signed and hash-linked at the pulse. Where a web form promises and a PDF describes, a state contract enforces — it fires on real events, records what happened, and its whole history is replayable proof. You can build and deploy them from a growing library of industry templates in the State Contracts studio and the Contract IDE — contracts as infrastructure for the web, not paperwork alongside it.
Every breach post-mortem has the same line in it somewhere: the secret was in a plaintext file. The framework's answer is ZSC — Zeq Secure Context: secrets live inside the state machine, encrypted with AES-256-GCM at rest under a per-machine subkey derived by HKDF — and every read lands in the audit chain. No .env files, no plaintext credentials on disk, no secret that can be copied without leaving a mark. Across this fleet it is not a roadmap item: the nodes you are browsing run with no .env files at all.
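A sketch of the sealing pattern described above (per-machine HKDF subkey, AES-256-GCM at rest, every read logged), added here as an example and not taken from Zeq's code. The HKDF info label, the record layout, the audit-log shape and the machine names are assumptions.

```javascript
// Added illustration, not Zeq source code. The info label, record layout and
// audit-log shape are assumptions made for this sketch.
const crypto = require("node:crypto");

// Per-machine 256-bit subkey from a master key via HKDF-SHA256.
function deriveMachineSubkey(masterKey, machineId) {
  const salt = Buffer.alloc(32); // fixed salt; the machine identity goes in `info`
  const info = Buffer.from("example.zsc.subkey.v1|" + machineId, "utf8");
  return Buffer.from(crypto.hkdfSync("sha256", masterKey, salt, info, 32));
}

// Seal one secret with AES-256-GCM. The secret's name is bound as AAD, so a
// ciphertext cannot be moved under a different name without failing the tag.
function sealSecret(subkey, name, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every seal
  const cipher = crypto.createCipheriv("aes-256-gcm", subkey, iv);
  cipher.setAAD(Buffer.from(name, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    name,
    iv: iv.toString("hex"),
    ct: ct.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
  };
}

// Open a sealed record. Returns null when authentication fails (wrong machine
// subkey, renamed record, modified ciphertext). Every attempt is logged.
function openSecret(subkey, record, auditLog, reader) {
  let value = null;
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", subkey, Buffer.from(record.iv, "hex"));
    d.setAAD(Buffer.from(record.name, "utf8"));
    d.setAuthTag(Buffer.from(record.tag, "hex"));
    value = Buffer.concat([d.update(Buffer.from(record.ct, "hex")), d.final()]).toString("utf8");
  } catch (err) {
    value = null; // GCM tag mismatch: nothing is released
  }
  auditLog.push({ event: "secret.read", name: record.name, reader, ok: value !== null });
  return value;
}
```

A record sealed under one machine's subkey opens only there; the same blob copied to a machine with a different subkey fails authentication, and the failed read still appears in the log.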
Encryption in the framework is not one feature — it is the default fabric. HITE (Hilbert Information Theory Encryption) does the heavy lifting: AES-256-GCM keyed with KO42-derived entropy. Zeq SSL issues symmetric, Zeqond-synchronised credentials — managed, rotated and revoked as rows of state, so a credential is something you can see and kill, not a file you hope nobody found. TESC provides secure real-time channels, and Zeq Mail and Zeq Message put AES-256-GCM email and ZSP-secured messaging on your own identity, on your own machine.
On top of that fabric sits a full stack of security applications, all in the Zeq Apps store: ZSP Security — the unified cybersecurity protocol on the HULYAS spectral-topological kernel; Zeq VPN — serverless, peer-to-peer HITE-encrypted tunnels brokered by state machines (no central server to subpoena or breach); Zeq Antivirus — endpoint protection that scores host claims mathematically through the HF spectrum, with no central signature database; the Zeq Audit Daemon — pipe events from any server, device or website into the tamper-evident audit chain; and the HF Forensic Dashboard — a live anti-hallucination layer scoring every operation. And everything they record is inspectable in the open on the State Observer — watch any machine's signed, phase-locked history live.
Computation itself is part of the security story. Every result the framework returns is an envelope: the value, the equation, the constants, the full pipeline transcript, the clock stamp — and an Ed25519 signature over the claim, verifiable offline or against an independent node. Every answer carries an honest verdict — verified, unverifiable, or disputed. On the verified internet, “trust us” is replaced by “check it.”
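What offline checking of such an envelope looks like, as an added example that is not Zeq's implementation: Ed25519 over a canonical serialisation of the claim, verified with nothing but the envelope and the signer's public key. The field names, the canonical-JSON encoding and the way outcomes map onto the three verdicts are assumptions of this sketch.

```javascript
// Added illustration, not Zeq source code. Envelope field names, the canonical
// encoding and the verdict mapping are assumptions made for this sketch.
const crypto = require("node:crypto");

// Canonical JSON: object keys sorted recursively, so signer and verifier
// always sign and check exactly the same bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(value);
}

// Signer side: Ed25519 signature over the canonical claim.
function signEnvelope(claim, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonicalize(claim), "utf8"), privateKey);
  return { claim, signature: sig.toString("base64") };
}

// Verifier side, fully offline.
//   "verified"     signature matches the claim under this public key
//   "disputed"     a signature is present but does not match
//   "unverifiable" there is no signature or no key to check against
function checkEnvelope(envelope, publicKey) {
  if (!envelope || !envelope.signature || !publicKey) return "unverifiable";
  const ok = crypto.verify(
    null,
    Buffer.from(canonicalize(envelope.claim), "utf8"),
    publicKey,
    Buffer.from(envelope.signature, "base64")
  );
  return ok ? "verified" : "disputed";
}

// Constructed sample claim carrying the parts the text lists.
function sampleClaim() {
  return {
    value: 10,
    equation: "F = m * a",
    constants: { mass: 5, acceleration: 2 },
    transcript: ["select", "bind", "compute"],
    zeqond: 123456,
  };
}
```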
The animation above is the framework's verification pipeline running as a clocked system: every stage fires on the 1.287 Hz beat, one hop per Zeqond, and every hop is stamped and chained. That shared clock is what makes the audit chain tamper-evident — every machine agrees on when, so history has one order and edits have nowhere to hide. Turn the pulse off and the pipeline goes asynchronous: queues jam, order dissolves — and with it, the very property that makes verification possible.
The mathematics underneath is published openly on Zenodo, downloaded over 5,000 times in the first year: Zeq — Evolution of Mathematics and Zeq: Universal Proper-Time Modulation — both CC BY 4.0. Read them, then put a secret in a machine instead of a file.
The state machine is itself a mathematical language — it doesn't need AI to run. The optional Pulse (Mathematical Intelligence) is laid on top of an LLM as a translator: it turns Plain English into Zeq contracts. The LLM never computes the math. The kernel does. The entangled state proves it. Pick the surface that suits you — switch any time.
This is the part most people get wrong about Zeq. The state machine is itself a mathematical language. The kernel runs real equations at sub-percent precision — quantum mechanics, general relativity, fluid dynamics, orbital mechanics, the lot. None of that needs an LLM. The state machine doesn't run on AI; it runs on math. AI is an optional surface laid on top of the kernel, only there to help you describe what contracts you want. The math always runs on the server, on the state machine. The LLM never touches the answer.
Standard AI is a language model that guesses the next token. It hallucinates because it has no ground truth — only statistical patterns over text. Mathematical Intelligence is what you get when you put a kinematic-spectrum kernel under a language model: the LLM proposes a contract in human terms ("simulate three planets in mutual orbit"), the kernel verifies the math actually works, picks the right operators, binds the real constants, runs the equations, issues a ZeqProof. Whatever the LLM produces gets checked against physics before any byte hits your screen. The result is an agent that can't lie about a number — the kernel won't let it. That's MI: AI that's been physics-grounded by a state machine.
The LLM is a translator. The kernel is the calculator. The entangled state is the receipt.
Pulse mode gives you a chat surface where you describe contracts in Plain English (or any language) and the system turns your words into Zeq contracts. Two ways to power the LLM underneath:
Sign in and you get a free quota of contract translations on a model we host. It's rate-limited and capped per day, but it's free, it's instant, and it requires no setup. Good for trying the framework, prototyping a couple of contracts, getting the feel. The translations are always shown to you before they fire, and the math still runs on your kernel — the model only decides what contract to write, never what the answer is.
Paste an API key from a provider you already pay for — OpenAI, Anthropic, Fireworks, DeepSeek, Cerebras, Together, Groq, or any OpenAI-compatible endpoint. Your key is encrypted with HITE (AES-256-GCM under KO42) and stored against your state machine. From that point Pulse calls your account, on your tier, with your model of choice. The framework never sees the cleartext key, and you can revoke or rotate it at any tick. This unlocks longer contexts, smarter translations, vision input — whatever your provider gives you. Same kernel, same math, smarter translator.
What the LLM never does: the LLM never computes a physics value. It cannot output a number that wasn't produced by the kernel. If a contract requires R(t) at zeqond N, the kernel runs it; the LLM is told the result and weaves it into the prose. There is no path where an LLM hallucination can become an entangled state entry — the seven-step wizard rejects anything not produced by the operators.
The state machine doesn't need an LLM at all. Root (the CLI) is a web terminal where you type contracts directly — zeq.compute(KO42, ψ), zeq.bind(QM5, …), zeq.pulse(), zeq.verify(proofDigest), zeq.shift(τ * 100), the entire SDK surface. The kernel ticks them through the same seven-step pipeline as the Pulse path, but with no model, no translator, no quota, no provider — just you, the math, and the entangled state. Best when you know the operator names, you're scripting reproducible work, you want zero latency, or you're paranoid about ever having an LLM in your stack.
The pick on this step is your first-touch preference, not a commitment. After step 7, every page on your state machine carries a Pulse at the bottom-right with a tiny ⌘ CLI toggle. Talk through a problem, drop into CLI to verify a proof digest, flip back. Contracts written one way are visible the other way. The kernel doesn't care which mouth you use — it computes the same way for both, on every Zeqond.
No email. No password. No recovery questions. Type a few words — the kernel runs the 7-step wizard against the 1.287 Hz pulse and mints an equation that's only yours. You remember it; we never store it. That equation unlocks your state machine on any device.
A password is a string a server compares to its database. A Zeq equation is a unique state-vector generated from your query, the current zeqond, the kernel's HMAC seed, and the kinematic operators selected for that exact moment in time. The server never sees the cleartext. The framework never stores the cleartext. Even an attacker who somehow obtained both your query and the precise zeqond you registered at would still need the framework's ZEQ_NODE_SECRET to reproduce the operator set you got. That is what makes an equation an identity: it's mathematically derived from your intent and the moment and the kernel — three independent factors no attacker controls all of.
The wizard rejects two-word inputs. Stop-words ("the", "of", "a", "and") are stripped before counting; tokens shorter than three characters are stripped. What remains must be at least four distinct meaningful words. This is non-negotiable: the equation's strength comes from the entropy of the query, and "my orbit" or "test password" cannot anchor a sovereign identity. The chip suggestions on this step are intentionally five and six tokens long — physics, materials science, quantum mechanics, oceanography phrases — so you have a starting palette that already meets the floor. Edit them, extend them, write your own. The longer and more specific your query, the more entropy and the harder to guess.
Every request to /api/zeq/wizard/auth-bootstrap is HMAC-bound to its zeqond. The seed is HMAC-SHA256(ZEQ_NODE_SECRET, "zeq.seed.v1|" + zeqond + "|" + queryHash), sliced to 16 bytes. The seed is fed into the operator selector, which scores all 1,500+ operators in the catalogue — token-driven semantic match plus a per-request jitter derived from the seed — and picks the top six, with one wildcard pulled from a non-matching domain to guarantee multi-domain synthesis. The same query at zeqond N and zeqond N+1 produces different operator sets and different modulated R(t) values, because the sine term in R(t) = S(t) · [1 + α · sin(2π·1.287·t)] has visibly shifted by 0.777 seconds. Two snapshots of the same query, even one beat apart, do not yield the same equation.
The client computes HMAC-SHA256(equation, salt) and POSTs only { equation_hash, equation_salt, display_name }. The cleartext equation never crosses the wire. The framework's database stores the HMAC and the salt — both irreversible without the equation itself. Forgetting the equation makes the account irrecoverable, by design. There is no "recover password" link, no email reset, no admin override. The framework cannot read your equation any more than someone else can.
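The three rules above (input floor, zeqond-bound seed, hash-only registration) as one added sketch; it is not the framework's code. Assumptions: queryHash is the SHA-256 of the normalised words, the first argument of HMAC-SHA256(…, …) is the key as in the seed formula, the salt is 16 random bytes, and the stop-word list holds only the four words the page names.

```javascript
// Added illustration, not Zeq source code. queryHashOf, the salt size and the
// HMAC key/message order in equationHash are assumptions made for this sketch.
const crypto = require("node:crypto");

const STOP_WORDS = new Set(["the", "of", "a", "and"]); // the four the page names

// Input floor: drop stop-words and tokens under three characters, then
// require at least four distinct words among what remains.
function meaningfulWords(query) {
  const tokens = query.toLowerCase().split(/[^\p{L}\p{N}]+/u).filter(Boolean);
  return [...new Set(tokens.filter((t) => t.length >= 3 && !STOP_WORDS.has(t)))];
}
function meetsFloor(query) {
  return meaningfulWords(query).length >= 4;
}

// Assumption: the query hash is SHA-256 over the normalised word list.
function queryHashOf(query) {
  return crypto.createHash("sha256").update(meaningfulWords(query).join(" ")).digest("hex");
}

// Server: HMAC-SHA256(ZEQ_NODE_SECRET, "zeq.seed.v1|" + zeqond + "|" + queryHash),
// sliced to 16 bytes. Without the node secret the seed cannot be recomputed.
function deriveSeed(nodeSecret, zeqond, queryHash) {
  return crypto.createHmac("sha256", nodeSecret)
    .update("zeq.seed.v1|" + zeqond + "|" + queryHash)
    .digest()
    .subarray(0, 16);
}

// Client: HMAC-SHA256(equation, salt), equation as the key.
function equationHash(equation, salt) {
  return crypto.createHmac("sha256", equation).update(salt).digest("hex");
}

// Client: the registration body carries the hash and salt, never the equation.
function buildRegistration(equation, displayName) {
  const salt = crypto.randomBytes(16).toString("hex");
  return {
    equation_hash: equationHash(equation, salt),
    equation_salt: salt,
    display_name: displayName,
  };
}

// Server: compare the presented hash with the stored one in constant time.
function serverCheck(stored, presentedHash) {
  const a = Buffer.from(stored.equation_hash, "hex");
  const b = Buffer.from(presentedHash, "hex");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

HMAC-SHA256 is a fast function, so what protects the stored hash and salt against offline guessing is the entropy of the equation itself.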
Three options, ranked by safety: (1) click Copy in the equation block's top-right corner and paste into a password manager (1Password, Bitwarden, etc.) — the equation is a single string of text and lives happily there. (2) click .zeq to download a PIN-encrypted recovery file (HITE encryption, AES-256-GCM with KO42) — store it on a USB, an external disk, or any secondary location. (3) screenshot or photograph the equation block — every character is captured, and an offline image is one of the most resilient backups in existence. Combine two of the three for genuine insurance. Whatever you do, do not let the equation live only in your browser's local storage; clear that storage and the equation is gone unless you have a backup.
One equation unlocks your machine on every device, anywhere on the network, without an account-recovery flow, without password fatigue, without revealing anything to the framework. The same equation is also the seed for the entangled state that records your contracts, so signing in and authenticating a future computation are the same operation under the hood. The framework's other apps — Vault, Mail, Message, HITE Encryption, ZSP Security — accept the same identity. One equation, every surface.
No email · No password · No recovery questions · ~2 minutes
The kernel mints it. We never store it. Save it yourself in step ④ below.
Remember it — the ONLY way back in. We do not store it. We cannot recover it for you.
📋 Copy — paste into a password manager (1Password, Bitwarden) or a private note.
⬇ Download .zeq — a PIN-encrypted recovery file (HITE / AES-256-GCM). Save it on a USB, an external disk, or any secondary location — re-import it from any device with the PIN.
📸 Screenshot — works too. Every character above is the credential; any image that captures them is a valid backup.
Sign in next time with your email + that password. We store neither — only your public Zeq ID.
/s/<your-zid>/, your entangled state ticks on the same 1.287 Hz system clock as every machine on the network, and your credits balance starts with 1,287 free credits (777 more by daily claim) — every compute they fund mints a ZEQ envelope. Drive it with the Pulse — architect in chat and it ships to your live page. Drive it from Root — the CLI takes contracts straight to the kernel, no AI in the loop. The ecosystem buttons below are every door your equation already opens.
Your state machine has a Zeq ID, an entangled state, and a clock — ticking right now at 1.287 Hz. A live page is already deployed at /s/<zid>/ with a Pulse on it — open the page in a new tab and you can architect, build, and edit your application directly on the live site. The Pulse on this page and the Pulse on your page are the same Pulse on different URLs.
Your personal Pulse is a state machine of its own — ZID ZEQORB…, own entangled state, own balance, auditable in the explorer any time.
Your state machine has a Zeq ID, an entangled state, and a clock — ticking right now at 1.287 Hz. A live page is already deployed at /s/<zid>/ — and you drive all of it from the terminal. Type contracts directly — compute NM19 mass=5 acceleration=2, contracts, chain — the kernel ticks them through the same seven-step pipeline, no model, no translator, no quota.
No AI runs on this route — every contract is ZeqProof-verified and hash-linked. The AI surface stays one switch away; nothing is lost by starting here.
your ecosystem — every door, one equation
Pulse here and Pulse on your live page are the same Pulse — both write to the same entangled state.
Root talks to the same kernel every other surface uses — same seven-step pipeline, same entangled state, same proofs. Start with tutorial for the 5-step walkthrough, or hello for a real one-shot compute.
Your Zeq machine is a self-contained computational substrate. It has its own audit entangled state, its own embedded api-core, its own state observer, and its own clock — synced to the same 1.287 Hz pulse as every other machine on the network. The Zeq ID minted from your equation in step 3 is permanent: it cannot be reassigned, cannot be silently changed, cannot be impersonated. Whatever you build on this machine is hash-linked to that ID forever.
Every contract that fires on your state machine writes a hash-linked entry to the entangled state. Each entry references the previous entry's hash, so any retroactive edit to history would invalidate every subsequent entry — a Merkle-style integrity guarantee on your machine's own entangled state, not a global ledger. Each contract carries a ZeqProof: an HMAC-SHA256 over the operator IDs picked, the modulated state R(t) at firing, the zeqond, and the queryHash. Anyone in the world with the proof digest can later verify what happened on what tick, in what state, with what inputs — without trusting you, without trusting the framework, and without re-running the computation. The entangled state is the receipt.
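A minimal hash-linked log with a keyed proof per entry, added here to show what each mechanism catches; it is not the framework's code. The field order, the "|" separator and the all-zero genesis hash are assumptions. Because HMAC is symmetric, the proof check in this sketch is run by a party holding the key; the link check needs no key.

```javascript
// Added illustration, not Zeq source code. Serialisation, separator and the
// genesis value are assumptions made for this sketch.
const crypto = require("node:crypto");

const GENESIS = "0".repeat(64);
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Keyed proof: HMAC-SHA256 over operator IDs, R(t), zeqond and queryHash.
function proofDigest(key, e) {
  const msg = [e.operatorIds.join(","), e.rt, e.zeqond, e.queryHash].join("|");
  return crypto.createHmac("sha256", key).update(msg).digest("hex");
}

// Entry hash covers every field plus the previous entry's hash.
function entryHash(e) {
  return sha256(
    [e.prevHash, e.operatorIds.join(","), e.rt, e.zeqond, e.queryHash, e.proof].join("|")
  );
}

function appendEntry(chain, key, fields) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const e = { ...fields, prevHash };
  e.proof = proofDigest(key, e);
  e.hash = entryHash(e);
  chain.push(e);
  return e;
}

// Walk from genesis. Returns the index of the first entry that fails, or -1.
// Without a key only hashes and links are checked; with a key, proofs as well.
function firstBrokenIndex(chain, key) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.prevHash !== prev || e.hash !== entryHash(e)) return i;
    if (key && e.proof !== proofDigest(key, e)) return i;
    prev = e.hash;
  }
  return -1;
}

// Constructed three-entry log for experiments.
function sampleChain(key) {
  const chain = [];
  [100, 101, 102].forEach((zeqond, i) =>
    appendEntry(chain, key, {
      operatorIds: ["KO42", "QM5"],
      rt: 1.02 + i / 100,
      zeqond,
      queryHash: sha256("constructed query " + i),
    })
  );
  return chain;
}
```

An edit to one entry breaks that entry's hash, and re-hashing it breaks its successor's link. An editor who re-hashes the entire suffix passes the keyless walk, so the keyed proof or a head hash recorded elsewhere is what exposes that case.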
Each Zeq state machine runs on its own embedded api-core and its own clock. If a peer state machine crashes, yours never feels it. If the framework's mesh fabric (the consensus layer that coordinates 10 origins) degrades, your state machine keeps ticking on its own pulse until quorum returns; transitions queue locally and replay onto the mesh on reconnect. Resource limits and crash-loop protection are enforced per-state-machine: a runaway contract on one tenant cannot starve another. The fault model assumes adversarial neighbours and degraded networks as the steady state — not the exception.
Messaging — end-to-end-encrypted address inside the framework, drop-in for email, no plaintext on any server: <zid>@zeq.dev.
Public site — folder-portable page at /s/<zid>/ that anyone with the URL can reach.
State observer — your entangled state rendered live at /state/?slug=<zid>, filter pills for compute / agent / contract / audit-source / proof events.
API — Authorization: Bearer zsm_… for admin scope, zeq_ak_… for site publish, all keys revocable per-scope.
Audit entangled state — anyone with a proof digest calls /api/zeq/verify and the entangled state proves the entire path from genesis to that point. Hash-linked under origin: zeq.dev:<zid>.
The state-machine folder under /s/<zid>/ contains everything required to boot the same state machine on a different framework instance: the entangled state, the contracts, the cached operator catalogue, the public-site assets. Copy it to another VPS, point a Zeq-compatible runtime at it, and the same state machine resumes ticking. There is no "you can only run on our cloud" lock-in; the framework is the protocol, not the host.
The Apps menu at the top of every page lists every Zeq application — Vault, Mail, Message, Zeq MI, HITE Encryption, ZSP Security, HZC Compress, Globe, Audit Daemon, Skills, Physics Wizard, Wallet — and each one is a state machine of its own. The equation that minted this machine signs you into all of them. You don't need to set them up now; they're there whenever you want them.
Pulse is Mathematical Intelligence laid on top of an LLM: the model translates your Plain English into Zeq contracts, the kernel computes them, the entangled state proves them. The LLM never computes a physics value — it cannot output a number the kernel didn't produce. Your personal Pulse is itself a state machine (its ZID is shown above): its own entangled state, its own balance, auditable in the State Observer like any other machine on the network. Free limited model from us, or BYOK — paste a key from OpenAI, Anthropic, Fireworks, DeepSeek and Pulse runs on your provider, your tier.
Root is the kernel's native mouth — no model, no translator, no quota. compute NM19 mass=5 acceleration=2 runs a real operator and prints the CKO envelope; contracts deploys, fires, and dry-runs state contracts against the audit trail; verify walks the hash-linked log and re-checks any proof; zsc is the encrypted secret vault that replaces .env files. The same surface is scriptable from outside the browser: every Root verb maps to a real API route under your zeq_ak_ key, and any MCP-capable LLM client can drive the same endpoints — that's the MCP button above — without an AI ever running on your machine.
steps 5 · 6 · 7 happen on your live page
Click Open your page & Pulse above, then the ▲ Workbench pill. It walks the same four-step journey on every machine:
/p/<app>/, every version hash-linked. The terminal rides under every step if you want the kernel directly. Every deploy and every compute is a transition on your entangled state — same pipeline, same proofs as the CLI route.
Click Open your page & Root above, then the ▲ Root · CLI pill. The Root IDE walks the same four-step journey on every machine:
/p/<app>/, every version hash-linked. The terminal rides under every step. Every deploy and every compute is a transition on your entangled state — same pipeline, same proofs as the AI route. No AI ran, none will — unless you ever flip it on yourself.
backup your access
Your equation credential is the primary key to this machine — keep the printed copy somewhere safe. Want a fallback? Set an optional recovery password in your portal settings. It only works alongside the equation; it never replaces it.