Safety

This tool creates real, tradeable, irreversible on-chain assets that real people can buy. Read this page before running it against mainnet with LIVE=1.

Operator responsibility

You are responsible for every coin you launch with this tool, whether you triggered it manually or approved an autonomous proposal. hood-launcher enforces a no-impersonation policy and hard spend caps — it does not, and cannot, make the underlying decision to launch in good faith for you. ACKNOWLEDGE_LAUNCH_RESPONSIBILITY=1 is required before any real fund movement specifically so that requirement is explicit, not implied.

No-impersonation policy

Enforced two ways, always in this order:

1. Deterministic denylist

Zero cost, always on, word-boundary matched (not fuzzy/substring — that class of matching reliably false-positives on unrelated real words, e.g. flagging "noxaless" for containing "noxa"). Refuses trademarked platform names and any operator-added private individual (HOOD_LAUNCHER_PERSON_DENYLIST).

2. LLM safety screen

Runs when OPENAI_API_KEY/ANTHROPIC_API_KEY is configured. Refuses impersonation of a real, named private individual or a specific trademarked brand. Public-figure and internet-culture commentary — the normal texture of memecoin culture — is allowed.

Neither layer is a substitute for operator judgment, especially in autonomous mode — read what gets proposed before approving it.

Hard caps, not advisory ones

MAX_LAUNCHES_PER_DAY and MAX_SEED_USDG throw a typed CapExceededError rather than warning and proceeding. There is no override flag, no --force. See Autonomous mode for the full cap table.

Kill switch

SIGINT, SIGTERM, a KILL sentinel file dropped into the data directory, or POST /kill — any one of these stops all further launches for the life of the process. There is no in-process "un-kill"; a fresh process must be started to resume.

Contract-level safety (direct rail)

HoodToken has no owner, no mint function anywhere in the deployed bytecode, and nothing to renounce — there is no privileged surface to begin with. HoodLPLocker never releases a locked LP position before its unlock timestamp; no admin override exists in the contract. Every deployed contract is submitted for Blockscout source verification as the final step of a direct-rail launch, so anyone can read the exact deployed code.

Dry-run by default

Every entry point — create, autonomous approve, an autonomous tick — runs the full pipeline through preflight and stops unless both LIVE=1 and (for autonomous execution) approval are present. This is a genuine simulation against live market data and live on-chain reads, not a fabricated one — you see the real fee, the real route, the real blockers before anything is signed.