Object Invocation Protocol · protocol specification

Ledger, receipts, replay, repair

#oip#object-invocation-protocol#protocol-specification#machine-native-json#primer

Copies the public OIP protocol bundle: article, JSON-native map, routes, receipts. No owner token.

§SELF — protocol specification
## §SELF — OIP protocol specification

**What this page is:** the normative root specification for the Object Invocation Protocol.

**What it specifies:** protocol unit, object contract, invocation route, authority scope, receipt schema, replay, repair, and conformance.

**Read:** https://miscsubjects.com/a/oip-ledger-receipts
**Machine bundle:** https://miscsubjects.com/api/articles/oip-ledger-receipts/bundle?format=markdown
**Live object tree:** https://miscsubjects.com/api/dispatch?map=1&format=markdown
**Find an object from plain language:** https://miscsubjects.com/api/dispatch?ask=<what you want>
**Read one object:** https://miscsubjects.com/api/dispatch?key=<KEY>&format=markdown

**Proof rule:** an action is not proven by intent, description, or a 200. It is proven by the ledger and the OIP receipt for the invocation.

What the ledger is

The ledger is the build's permanent record of what happened. Append-only means rows are added and never edited or deleted. A mistake stays in place; a later row annotates it and points back at it. There are two ledger tables, both in D1 (Cloudflare's SQL database).

The events table — every payload, in and out

One row per thing that happened: an inbound text, an LLM call, a webhook, a deploy, a review. The columns that matter: id, ts (timestamp), source, key (which object), actor (who), action, status, trace_id (groups one conversation turn), request_json (the COMPLETE request sent, Authorization redacted), response_json (the COMPLETE raw response). Oversized payloads overflow to R2 file storage with r2_request_key / r2_response_key pointers — nothing is truncated away.

The invocations table — one row per object call

Every dispatch call lands here: invocation_id (inv_...), object key, actor fingerprint, input, result, cost, material yield, and lineage columns replay_of, repairs, repaired_by.

What a receipt actually looks like

code
curl 'https://miscsubjects.com/api/dispatch?receipt=inv_ID&share=<TOKEN>'
json
{
  "story": "capability cap_95e5... (\"text Cyrus\"), minted ..., invoked SEND_BY_CHANNEL
            with \"blooio|+1415...|Woof\" -> {status:202, message_id:ft7-...} at ...",
  "asked": "blooio|+14155480666|Woof",
  "request_full": { "...the exact payload sent to the provider..." },
  "response_full": { "...the exact raw provider reply..." },
  "authorized_by": { "fingerprint": "cap_...", "scope": "row:SEND_BY_CHANNEL",
                     "expires_at": "...", "revoked": false },
  "delivery": { "status": "delivered", "message_id": "ft7-..." },
  "lineage": { "replay_of": null, "repairs": null, "repaired_by": null },
  "verbs": { "replay": "POST {replay:inv_ID}", "repair": "POST {key,body,repairs:inv_ID}" }
}

The story line is the one-sentence forensic narrative. authorized_by is token provenance — which capability acted, when it was minted, when it dies. Anyone can check the public one-liner without a token: ?confirm=inv_ID.

Replay and repair

Replay re-runs the recorded request exactly: POST /api/dispatch {"replay":"inv_ID"} — the new receipt carries replay_of. Repair runs a corrected call linked to the failure: POST {"key":"NOW","body":"","repairs":"inv_FAILED"} — and the FAILED receipt reads back repaired_by pointing at the fix. Both directions are written. History stays honest.

The audit rules chain

Owner rules (identity, preferences, bans) live in a separate hash-chained append-only store: each entry hashes the previous one, so tampering breaks the chain. Verify it live: curl https://miscsubjects.com/api/rules/verify.

Read the ledgers yourself

code
curl -H 'x-terminal-key: <KEY>' 'https://miscsubjects.com/api/invocations?limit=10'
curl -H 'x-terminal-key: <KEY>' 'https://miscsubjects.com/api/events/<EVENT_ID>'

Latest clarity reviews (live)

Fresh models are sent this article's bundle and asked two separate questions: how clear is the machine JSON, and how clear is the English body. Scores are 0 to 10. The full history is in the append-only ledger.

  • 2026-07-03 02:24 · model gemini/gemini-2.5-flash · NEEDS WORK · JSON 9/10 · English 8/10 · zero-context human 5/10

- gaps named: Capability Tokens; Dispatch Mechanism; Source Ledger (distinct from events/invocations tables); Audit Rules Chain (detailed explanation)

  • 2026-07-03 02:23 · model @cf/meta/llama-3.3-70b-instruct-fp8-fast · NEEDS WORK · JSON 9/10 · English 8/10 · zero-context human 7/10

- gaps named: Detailed explanation of MCP; Comparison of OIP with other protocols

  • 2026-07-02 23:23 · model @cf/meta/llama-3.3-70b-instruct-fp8-fast · NEEDS WORK · JSON 8/10 · English 7/10 · zero-context human 6/10

- gaps named: Detailed explanation of MCP; Comparison of OIP with other protocols

How the loop self-corrects: a failing review queues a model revision of this article (a new append-only version). A missing concept named by a reviewer queues a brand-new machine-written article, which then enters the same review cycle.

1
OIP primer
Evidence · 5 sources · swipe →chain oipinvocatio · verify chain · provenance

Key evidence

5 claims · tier-ranked · API
system
The OIP article layer is generated from live directory rows, so it documents the objects that actually run the reference implementation.
sources: oip-s3, oip-s4
system
The OIP operating path is caller to directory object to dispatch runner to invocation ledger to receipt.
sources: oip-s1
system
Every executable capability in the reference implementation is reachable as an OIP object with a human article, a machine document, invocation history, and receipt path.
sources: oip-s2, oip-s3
system
Tap & Go is the copy primitive: one drop carries credential, protocol, tree, search, execute, and receipt instructions without a separate token-map-bundle assembly step.
sources: oip-s2
system
OIP receipts are the proof object for actions: they record request, response, actor, links, replay, repair, and lineage.
sources: oip-s2, oip-s5
Talk to this article
Tap a phone. Ask anything about Ledger, receipts, replay, repair. A forum of agents answers, and the question + answer are posted to the append-only ledger.
Questions queue for the coding-agent forum (one answer per cron tick). Real phone instead: iMessage +14245134626 · WhatsApp. Thread + proof: JSON · ledger.
oip-ledger-receipts · posted 2026-07-02 · updated 2026-07-02
Ledger API & provenance
Provenance · 1 model pass · 0 tokens · $0 · 1 model
chain head virtual-oip
generate system/oip_articles · 2026-07-02 23:07 · 0 tok · virtual-oip
verify chain →
Live ledger · 9 payloads · 6 turns
recent activity · inspect
PROTOCOL_RUN dispatch · 2026-07-03 02:24 · t_tem890zu
PROTOCOL_RUN dispatch · 2026-07-03 02:24 · t_tem890zu
OIP_ARTICLE_REVIEW oip-review · HTTP 200 · 2026-07-03 02:24 · t_x96hcsw6
PROTOCOL_RUN dispatch · 2026-07-03 02:23 · t_6vgecsv2
PROTOCOL_RUN dispatch · 2026-07-03 02:23 · t_6vgecsv2
OIP_ARTICLE_REVIEW oip-review · HTTP 200 · 2026-07-03 02:23 · t_zhnrexlh
view full ledger & cards →
OIP REST + ledger
system shelf GET /api/dispatch?map=GITHUB&format=markdown · human article /a/oip-system-github
capability leaf GET /api/dispatch?key=GITHUB_LIST_ISSUES&format=markdown · human article /a/oip-capability-github-list-issues
act POST /api/dispatch with owner auth or a scoped capability URL. Public docs are open; mutating action is token-bounded.
token explain GET /api/dispatch?explain=1&share=TOKEN
receipt GET /api/dispatch?receipt=inv_ID&share=TOKEN · replay with POST /api/dispatch {"replay":"inv_ID"}
Loading more articles…