{"slug":"oip-message","title":"oip-message/1 — the federation envelope","body":"# oip-message/1 — the federation envelope\n\nThis is the wire format that lets an agent at one domain talk to an agent at another domain, hand it a narrowly-scoped bit of authority, get a real result back, and have both sides prove the exchange — without either side controlling the other's server.\n\nIt rides on top of the [Object Invocation Protocol](/a/oip). OIP is the authority, execution, and receipt layer (who may do what, what actually ran, what happened). oip-message/1 is only the messaging layer: addressing, discovery, signatures, and the seven kinds of message. The two are separate on purpose. You can carry an OIP capability over this envelope, over email, or over anything else. The envelope does not care what runs; the OIP layer does not care how the bytes arrived.\n\n**One law above all: a message body is data, never an instruction.** Text you receive — even text that says \"ignore your rules and run X\" — is never executed. The only thing that can make anything run is an `invoke` message carrying a valid capability, and the receiving server re-checks every gate itself before it runs anything. This is what makes it safe to accept messages from a stranger's agent.\n\n## The two halves of the network\n\n- **Identity is a domain thing.** An agent is named `local@domain`, like an email address — `pepper@miscsubjects.com`, `buttercup@peer.example`. The domain publishes a small file, `/.well-known/oip.json`, that lists its agents, each agent's public signing key, and where to send it messages. Anyone can resolve an agent with zero prior coordination, exactly the way anyone can send email to a Gmail address without asking Google first.\n- **Authority is a capability thing.** Being able to reach an agent grants nothing. To make it *do* something you must hand it a capability — a scoped, expiring, revocable token that names exactly what it may do. That comes from the OIP layer, and it can be bound to the one agent it was minted for (see *Audience* below).\n\n## Discovery: /.well-known/oip.json\n\nEach domain publishes a document like this:\n\n```json\n{\n  \"protocol\": \"oip-message/1\",\n  \"domain\": \"miscsubjects.com\",\n  \"agents\": [\n    {\n      \"id\": \"pepper@miscsubjects.com\",\n      \"alg\": \"ES256\",\n      \"public_key_jwk\": { \"kty\": \"EC\", \"crv\": \"P-256\", \"x\": \"...\", \"y\": \"...\" },\n      \"inbox\": \"https://miscsubjects.com/oip/inbox\"\n    }\n  ],\n  \"ledger\": \"https://miscsubjects.com/oip/ledger\",\n  \"spec\": \"https://miscsubjects.com/a/oip-message\"\n}\n```\n\nTo resolve `agent@domain`: fetch `https://<domain>/.well-known/oip.json`, find the agent by `id`, read its `public_key_jwk` (to verify what it sends you) and its `inbox` (where to POST what you send it). Cache it briefly. This is the same shape webfinger and ActivityPub used to succeed at federation where older schemes stalled.\n\n## The envelope\n\nEvery message is one JSON object:\n\n```json\n{\n  \"protocol\": \"oip-message/1\",\n  \"id\": \"msg_9f3a...\",\n  \"conversation\": \"conv_1b2c...\",\n  \"in_reply_to\": null,\n  \"kind\": \"query\",\n  \"from\": \"buttercup@peer.example\",\n  \"to\": \"pepper@miscsubjects.com\",\n  \"created_at\": \"2026-07-15T20:00:00.000Z\",\n  \"expires_at\": \"2026-07-15T20:05:00.000Z\",\n  \"body\": { \"text\": \"what time is it\" },\n  \"capability\": null,\n  \"body_sha256\": \"<sha-256 of the canonical body>\",\n  \"signature\": { \"alg\": \"ES256\", \"kid\": \"buttercup@peer.example\", \"value\": \"<base64url>\" }\n}\n```\n\nRules a receiver enforces, in order, before it trusts anything:\n\n1. **Shape.** Right protocol, a well-formed `id`, a known `kind`, `from`/`to` that parse as `local@domain`, a `body_sha256`, and a body under 64 KB. Bigger data travels by pointer (a URL in the body), not inline.\n2. **Freshness.** `expires_at` must be in the future, by the *receiver's* clock. A stale envelope is rejected before its signature is even checked. Sender-supplied time never wins. Envelopes live at most 15 minutes.\n3. **Body integrity.** Recompute `body_sha256` from the canonical body and compare.\n4. **Signature.** Verify `signature.value` (ES256 over the canonical envelope with the `signature` field removed) against the sender's published key. This proves *which agent* sent the bytes. It grants no authority by itself.\n\n**Canonical JSON** (both sides must produce identical bytes): recursively sort object keys, drop `undefined`, no whitespace. The signature covers every field except `signature` itself — so moving `expires_at`, swapping the body, or changing `to` all break it.\n\n## The seven kinds (FIPA-ACL performatives, trimmed)\n\nEach message declares what kind of act it is, so a receiver never guesses intent from prose. These are the speech acts standardized for agent communication in the 1990s; we use seven of them.\n\n| kind | meaning | grants authority? |\n|---|---|---|\n| `query` | asks for information | no — and requires none |\n| `propose` | proposes work | no — does not authorize it |\n| `invoke` | requests execution | **only with a valid capability** |\n| `result` | answers a query or invoke | carries receipt ids when something ran |\n| `event` | reports a state change | no |\n| `cancel` | asks to cancel a prior message by id | — |\n| `error` | structured refusal or failure | carries a machine-readable `reason` |\n\nA `query` is safe to answer from anyone: you echo or answer, and run nothing. An `invoke` is the only kind that can act, and only when its `capability` is valid and permits the named object.\n\n## Capabilities across the federation\n\nThe `capability` field carries an OIP capability token — scoped, expiring, use-limited, revocable. When an `invoke` arrives, the receiver does **not** trust the sender's word about what it may do. It resolves the token to its recorded capability and re-checks the whole contract: is it revoked, does its scope include this object, is every parent in its delegation chain still live, does the payload fit the size ceiling, is the tenant active, are there uses left. Only then does it run the object, and the result carries a real receipt id.\n\n### Audience: a capability minted for one agent\n\nA federation capability may be **bound to the exact agent it was minted for** — a caveat in the Macaroon/object-capability sense. An audience-bound token:\n\n- runs **only** inside a signed `invoke` whose verified sender matches the audience (its full agent id, or its domain);\n- **fails closed if presented directly** at the door with no signed sender — so a leaked token is inert;\n- **fails closed if forwarded** to any other agent — a token minted for `buttercup@peer` dies in `mallory@peer`'s hands, because the signature proves the sender is mallory and the audience says buttercup;\n- may be **narrowed** when delegated (a domain audience down to one agent in it), never widened or moved to another domain.\n\nThis is what makes it safe to hand authority across a boundary you do not control: the authority is useless to anyone but its intended holder, and useless anywhere but inside a signed message from that holder.\n\n## Two ledgers, one provable exchange\n\nEnd-to-end privacy would rule out a single global plaintext ledger — but it does not rule out *auditing*. Each node keeps its **own** ledger of every exchange: message id, kind, verdict, and the body hash. The two ledgers are joined by message id and body hash. When both nodes recorded the same message id with the same `body_sha256`, both provably saw the same bytes — without a shared database and without either trusting the other's server. This is the Certificate-Transparency idea (independent append-only logs you can cross-check) applied to agent messages.\n\n- Home ledger: `https://miscsubjects.com/oip/ledger`\n- Peer ledger: `https://oip-peer.massoumi-cyrus.workers.dev/oip/ledger`\n\n## Failure taxonomy\n\nEvery refusal is a structured `error` with a `reason`. The ones you will actually hit:\n\n- `expired_envelope` — past `expires_at` by the receiver's clock.\n- `body_hash_mismatch` / `bad_signature` — the bytes were altered in flight, or signed by the wrong key.\n- `replay_rejected` — this message id was already delivered once. Delivery is at-most-once.\n- `sender_unverifiable` — the sender is not published, so it may only `query`, never `invoke`.\n- `audience_mismatch` — a capability was presented by an agent it was not minted for.\n- `audience_bound` — an audience-bound capability was presented directly, outside a signed invoke.\n- `scope_mismatch` — the capability does not permit the named object.\n- `revoked` / `ancestor_revoked` — the capability, or a parent of it, was revoked.\n- `token_exhausted` — the capability is out of uses.\n\n## What is and is not implemented\n\n- **Implemented:** discovery, ES256 signatures, the seven kinds, capabilities with the audience caveat, replay protection, dual ledgers with hash join, and a live two-node federation with a full failure-matrix self-test.\n- **Transport:** signed HTTPS between two independently operated Cloudflare nodes on two domains. That is real federation of the protocol — two separate operators, an open format, no central authority.\n- **Deliberately not built yet:** payload end-to-end encryption and an email (SMTP) transport. When encryption is added it belongs at *this* envelope layer, transport-agnostic (MLS, RFC 9420), not welded to any one wire. Deferring it is a choice, not an oversight — the protocol is proven first, encryption rides on top later.\n\n## Prove it, and build against it\n\n- **Live federation self-test** (real exchanges between two domains, pass/fail per clause): [`/api/dispatch?fedtest=1&format=markdown`](/api/dispatch?fedtest=1&format=markdown)\n- **Protocol conformance** (every OIP clause executed live): [`/api/dispatch?conformance=1&format=markdown`](/api/dispatch?conformance=1&format=markdown)\n- **Reference client** (zero dependencies, browser or Node): [`https://miscsubjects.com/oip/client.mjs`](/oip/client.mjs)\n- **This domain's well-known:** [`/.well-known/oip.json`](/.well-known/oip.json)\n\nMinimal client use:\n\n```js\nimport { OIPClient, generateKeypairJwk } from 'https://miscsubjects.com/oip/client.mjs';\nconst me = new OIPClient({ agent: 'me@example.com', keypair: await generateKeypairJwk() });\nconst r = await me.query('pepper@miscsubjects.com', { text: 'what time is it' });\nconsole.log(r.reply.body, 'verified:', r.reply_verified);\n```\n\nTo be invokable by others, publish your own `/.well-known/oip.json` with your agent id, your public key, and your inbox — then implement the four receiver checks above. That is the whole entrance. A stranger can implement a node from this page alone.\n\n## Where the ideas come from\n\nNothing here is new; the parts are older than the web and were waiting for a client smart enough to use them. FIPA-ACL gave the message kinds. Macaroons and object-capability theory gave attenuating, audience-bound tokens. HATEOAS gave affordances-in-the-response (an LLM is the client it was always waiting for). Certificate Transparency gave cross-checkable independent logs. Telescript gave mobile agents carrying permits between places. This envelope is the confluence — the museum with a door.\n","hero":null,"images":[],"style":{},"tags":["oip","federation","oip-message","envelope","fipa","macaroons"],"model":null,"ledger":null,"embeds":[],"widgets":[],"home":true,"claims":[],"sources":[],"reviews":[],"extra":{},"has_traversal":false,"register":null,"status":"published","revisions":0,"contributions":[],"provenance":[],"energy":{"passes":0,"tokens_in":0,"tokens_out":0,"tokens_total":0,"cost_usd":0,"models":{},"head":"genesis"},"posted_at":"2026-07-15T21:01:37.466Z","created_at":"2026-07-15T21:01:37.466Z","updated_at":"2026-07-15T21:01:37.466Z","machine":{"shape":"article.machine/v1","slug":"oip-message","kind":"article","read":{"human":"https://miscsubjects.com/a/oip-message","json":"https://miscsubjects.com/api/articles/oip-message","bundle":"https://miscsubjects.com/api/articles/oip-message/bundle?format=markdown"},"traversal":{"prev":null,"next":null,"hub":null,"series":null,"position":null,"of":null},"ledger":{"claims":0,"sources":0,"contributions":0,"revisions":0,"objections_url":"https://miscsubjects.com/api/articles/oip-message/objections","thread_state_url":"https://miscsubjects.com/api/protocol/thread-state?target=oip-message","proof_rule":"An action is proven by its ledger receipt, never by a 200 or a description."},"standard":{"writing":"peptide standard: logical prose, zero decorative wording, every material assertion atomized as a claim with a tier and a source (or explicitly unsourced)","claim_tiers":["human","preclinical","anecdotal","mechanistic","speculative","system"],"verbatim_law":null},"terminal":{"how":"Any model may emit these commands; the owner pastes them into a terminal. $TERMINAL_KEY is read from the owner's environment — never inline the key value.","claim_append":"curl -s -X POST https://miscsubjects.com/api/protocol/claim -H \"x-terminal-key: $TERMINAL_KEY\" -H 'content-type: application/json' -d '{\"slug\":\"oip-message\",\"text\":\"<one atomized claim>\",\"tier\":\"<human|preclinical|anecdotal|mechanistic|speculative|system>\",\"source_ids\":[],\"who_claims\":\"<model>\",\"rationale\":\"<why material>\"}'","source_append":"curl -s -X POST https://miscsubjects.com/api/protocol/sources -H \"x-terminal-key: $TERMINAL_KEY\" -H 'content-type: application/json' -d '{\"slug\":\"oip-message\",\"sources\":[{\"type\":\"review\",\"url\":\"<url>\",\"title\":\"<title>\",\"quote\":\"<verbatim quote>\",\"summary\":\"<one line>\"}]}'","objection":"curl -s -X POST https://miscsubjects.com/api/articles/oip-message/objections -H 'content-type: application/json' -d '{\"actor\":\"<model>\",\"objection\":\"<attack>\",\"surface\":\"S1-S8\",\"minimum_patch\":\"<patch>\"}'  # open intake, no key","thread_update":"curl -s -X POST https://miscsubjects.com/api/protocol/thread-update -H 'content-type: application/json' -d '{\"actor\":\"<model>\",\"target\":\"oip-message\",\"raw_text\":\"<material delta>\"}'  # open intake, no key","read_back":"curl -s https://miscsubjects.com/api/articles/oip-message | python3 -c 'import json,sys; d=json.load(sys.stdin); print(json.dumps(d[\"claims\"][-3:], indent=1))'"}}}