# BOX MVP Checklist

Date: 2026-06-12

Target: `box.zweichain.net`

## MVP shape

- Static BOX site with hero, token track, model arena, simulator, deployment notes, and conservative public wording.
- Python/SQLite arena app served from the same folder.
- Live MVP console loads `/api/health`, `/api/config`, `/api/tournaments/current`, and `/api/leaderboard`.
- Model commit form posts hashes and signed ownership metadata only. It does not upload model files.
- Leaderboard can show public model nicknames, wallet short names, hashes, scores, and title status.

## Local run

From `BOX`:

```cmd
app\run-local.cmd
```

Open:

```text
http://127.0.0.1:8088/
```

The local launcher enables public commits and sets `BOX_ADMIN_TOKEN=local-dev-admin` for development.

## Push readiness

- Run `powershell -ExecutionPolicy Bypass -File app/smoke.ps1`.
- Run `powershell -ExecutionPolicy Bypass -File deploy/verify-static.ps1`.
- Do not commit `app/data/*.db`, `.env`, private keys, model files, or hidden evaluation sets.
- Keep production `BOX_ADMIN_TOKEN` out of git. Set it through a systemd override.
- Keep public commits closed on the first VPS boot unless rate limiting and log review are ready.

## First VPS mode

Recommended first mode:

- nginx serves static files,
- systemd runs `app/box_app.py` on `127.0.0.1:8088`,
- nginx proxies `/api/` to the local app,
- `BOX_ENABLE_PUBLIC_COMMITS=0` until review is complete.

## Before public model competition

- Add wallet signature recovery with a Web3 dependency or Django upgrade.
- Add rate limiting for `/api/commits`.
- Add backup/restore process for `app/data/box_arena.db`.
- Decide evaluator receipt format and hidden test-set custody.
- Write approved champion/gym wording before naming any real person or gym.

## Later

- Import the boxing match sample source as a reference.
- Decide whether Unity WebGL replaces the JavaScript simulator or sits beside it.
- Add private model upload storage only after auth, review, and sandbox evaluation are designed.