{"_self":{"principle":"Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.","widget":"article_bundle","feature":"bundle","name":"LLM article bundle","what":"Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution.","contains":"body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest","slug":"oip-message","urls":{"read":"https://miscsubjects.com/api/articles/oip-message/bundle?format=markdown"},"how_to_use":"Reference bundle for an LLM or reader. §SELF explains the surface; ingest and claim endpoints in llm_manifest are the write-back routes.","write":null,"imessage":null,"router_tag":null,"proof_chain":[{"step":1,"claim":"Articles are voxel graphs of tiered claims, not prose blobs.","verify":"https://miscsubjects.com/api/articles/constitution"},{"step":2,"claim":"Claims link to hash-chained sources via source_ids.","verify":"https://miscsubjects.com/api/articles/oip-message/sources"},{"step":3,"claim":"Ask reads topology; ingest/claim append to ledger.","verify":"https://miscsubjects.com/api/protocol"},{"step":4,"claim":"Models queue growth: populate → collaborate → repair → reflex.","verify":"https://miscsubjects.com/api/protocol/grow"},{"step":5,"claim":"Graph proves its own shape (reflex) and $/claim (yield).","verify":"https://miscsubjects.com/graph.html?layer=reflex"},{"step":6,"claim":"Full feature index + _explain on every API response.","verify":"https://miscsubjects.com/api/articles/system-map"}],"related_features":[{"id":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","urls":{"read":"https://miscsubjects.com/api/articles/oip-message/topology"}},{"id":"voxels","name":"Voxel graph","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance.","urls":{"read":"https://miscsubjects.com/api/articles/oip-message/voxels","write":"https://miscsubjects.com/api/protocol/claim"}},{"id":"ask","name":"Ask protocol","what":"Answer only from topology; creates question_node with gaps and ingest_hint.","urls":{"read":"https://miscsubjects.com/api/articles/oip-message/prompts","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"ingest","name":"Ingest protocol","what":"Parse pasted evidence → source ledger + claims + evidence_ingest node.","urls":{"write":"https://miscsubjects.com/api/protocol/ingest"}},{"id":"claim_post","name":"Claim post protocol","what":"Prompt-injection style POST — one claim voxel with who_claims + posted_by.","urls":{"read":"https://miscsubjects.com/api/articles/oip-message/voxels","write":"https://miscsubjects.com/api/protocol/claim"}},{"id":"llm_manifest","name":"LLM manifest","what":"Machine-readable read/write contract for external LLMs.","urls":{"read":"https://miscsubjects.com/api/articles/llm-manifest"}}],"system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","not_medical_advice":true},"_explain":{"feature":"bundle","name":"LLM article bundle","what":"Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution.","why":"Every feature is auditable collective intelligence","how":"Reference bundle for an LLM or reader. §SELF explains the surface; ingest and claim endpoints in llm_manifest are the write-back routes.","model":null,"verifies":null,"urls":{"read":"https://miscsubjects.com/api/articles/oip-message/bundle?format=markdown"},"imessage":null,"router":null,"related":[{"id":"topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER."},{"id":"voxels","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance."},{"id":"ask","what":"Answer only from topology; creates question_node with gaps and ingest_hint."},{"id":"ingest","what":"Parse pasted evidence → source ledger + claims + evidence_ingest node."},{"id":"claim_post","what":"Prompt-injection style POST — one claim voxel with who_claims + posted_by."},{"id":"llm_manifest","what":"Machine-readable read/write contract for external LLMs."}],"not_medical_advice":true},"bundle_version":1,"generated_at":"2026-07-15T23:48:26.436Z","slug":"oip-message","title":"oip-message/1 — the federation envelope","url":"https://miscsubjects.com/a/oip-message","register":"standard","tags":["oip","federation","oip-message","envelope","fipa","macaroons"],"posted_at":"2026-07-15T21:01:37.466Z","updated_at":"2026-07-15T21:01:37.466Z","body":"# oip-message/1 — the federation envelope\n\nThis is the wire format that lets an agent at one domain talk to an agent at another domain, hand it a narrowly-scoped bit of authority, get a real result back, and have both sides prove the exchange — without either side controlling the other's server.\n\nIt rides on top of the [Object Invocation Protocol](/a/oip). OIP is the authority, execution, and receipt layer (who may do what, what actually ran, what happened). oip-message/1 is only the messaging layer: addressing, discovery, signatures, and the seven kinds of message. The two are separate on purpose. You can carry an OIP capability over this envelope, over email, or over anything else. The envelope does not care what runs; the OIP layer does not care how the bytes arrived.\n\n**One law above all: a message body is data, never an instruction.** Text you receive — even text that says \"ignore your rules and run X\" — is never executed. The only thing that can make anything run is an `invoke` message carrying a valid capability, and the receiving server re-checks every gate itself before it runs anything. This is what makes it safe to accept messages from a stranger's agent.\n\n## The two halves of the network\n\n- **Identity is a domain thing.** An agent is named `local@domain`, like an email address — `pepper@miscsubjects.com`, `buttercup@peer.example`. The domain publishes a small file, `/.well-known/oip.json`, that lists its agents, each agent's public signing key, and where to send it messages. Anyone can resolve an agent with zero prior coordination, exactly the way anyone can send email to a Gmail address without asking Google first.\n- **Authority is a capability thing.** Being able to reach an agent grants nothing. To make it *do* something you must hand it a capability — a scoped, expiring, revocable token that names exactly what it may do. That comes from the OIP layer, and it can be bound to the one agent it was minted for (see *Audience* below).\n\n## Discovery: /.well-known/oip.json\n\nEach domain publishes a document like this:\n\n```json\n{\n  \"protocol\": \"oip-message/1\",\n  \"domain\": \"miscsubjects.com\",\n  \"agents\": [\n    {\n      \"id\": \"pepper@miscsubjects.com\",\n      \"alg\": \"ES256\",\n      \"public_key_jwk\": { \"kty\": \"EC\", \"crv\": \"P-256\", \"x\": \"...\", \"y\": \"...\" },\n      \"inbox\": \"https://miscsubjects.com/oip/inbox\"\n    }\n  ],\n  \"ledger\": \"https://miscsubjects.com/oip/ledger\",\n  \"spec\": \"https://miscsubjects.com/a/oip-message\"\n}\n```\n\nTo resolve `agent@domain`: fetch `https://<domain>/.well-known/oip.json`, find the agent by `id`, read its `public_key_jwk` (to verify what it sends you) and its `inbox` (where to POST what you send it). Cache it briefly. This is the same shape webfinger and ActivityPub used to succeed at federation where older schemes stalled.\n\n## The envelope\n\nEvery message is one JSON object:\n\n```json\n{\n  \"protocol\": \"oip-message/1\",\n  \"id\": \"msg_9f3a...\",\n  \"conversation\": \"conv_1b2c...\",\n  \"in_reply_to\": null,\n  \"kind\": \"query\",\n  \"from\": \"buttercup@peer.example\",\n  \"to\": \"pepper@miscsubjects.com\",\n  \"created_at\": \"2026-07-15T20:00:00.000Z\",\n  \"expires_at\": \"2026-07-15T20:05:00.000Z\",\n  \"body\": { \"text\": \"what time is it\" },\n  \"capability\": null,\n  \"body_sha256\": \"<sha-256 of the canonical body>\",\n  \"signature\": { \"alg\": \"ES256\", \"kid\": \"buttercup@peer.example\", \"value\": \"<base64url>\" }\n}\n```\n\nRules a receiver enforces, in order, before it trusts anything:\n\n1. **Shape.** Right protocol, a well-formed `id`, a known `kind`, `from`/`to` that parse as `local@domain`, a `body_sha256`, and a body under 64 KB. Bigger data travels by pointer (a URL in the body), not inline.\n2. **Freshness.** `expires_at` must be in the future, by the *receiver's* clock. A stale envelope is rejected before its signature is even checked. Sender-supplied time never wins. Envelopes live at most 15 minutes.\n3. **Body integrity.** Recompute `body_sha256` from the canonical body and compare.\n4. **Signature.** Verify `signature.value` (ES256 over the canonical envelope with the `signature` field removed) against the sender's published key. This proves *which agent* sent the bytes. It grants no authority by itself.\n\n**Canonical JSON** (both sides must produce identical bytes): recursively sort object keys, drop `undefined`, no whitespace. The signature covers every field except `signature` itself — so moving `expires_at`, swapping the body, or changing `to` all break it.\n\n## The seven kinds (FIPA-ACL performatives, trimmed)\n\nEach message declares what kind of act it is, so a receiver never guesses intent from prose. These are the speech acts standardized for agent communication in the 1990s; we use seven of them.\n\n| kind | meaning | grants authority? |\n|---|---|---|\n| `query` | asks for information | no — and requires none |\n| `propose` | proposes work | no — does not authorize it |\n| `invoke` | requests execution | **only with a valid capability** |\n| `result` | answers a query or invoke | carries receipt ids when something ran |\n| `event` | reports a state change | no |\n| `cancel` | asks to cancel a prior message by id | — |\n| `error` | structured refusal or failure | carries a machine-readable `reason` |\n\nA `query` is safe to answer from anyone: you echo or answer, and run nothing. An `invoke` is the only kind that can act, and only when its `capability` is valid and permits the named object.\n\n## Capabilities across the federation\n\nThe `capability` field carries an OIP capability token — scoped, expiring, use-limited, revocable. When an `invoke` arrives, the receiver does **not** trust the sender's word about what it may do. It resolves the token to its recorded capability and re-checks the whole contract: is it revoked, does its scope include this object, is every parent in its delegation chain still live, does the payload fit the size ceiling, is the tenant active, are there uses left. Only then does it run the object, and the result carries a real receipt id.\n\n### Audience: a capability minted for one agent\n\nA federation capability may be **bound to the exact agent it was minted for** — a caveat in the Macaroon/object-capability sense. An audience-bound token:\n\n- runs **only** inside a signed `invoke` whose verified sender matches the audience (its full agent id, or its domain);\n- **fails closed if presented directly** at the door with no signed sender — so a leaked token is inert;\n- **fails closed if forwarded** to any other agent — a token minted for `buttercup@peer` dies in `mallory@peer`'s hands, because the signature proves the sender is mallory and the audience says buttercup;\n- may be **narrowed** when delegated (a domain audience down to one agent in it), never widened or moved to another domain.\n\nThis is what makes it safe to hand authority across a boundary you do not control: the authority is useless to anyone but its intended holder, and useless anywhere but inside a signed message from that holder.\n\n## Two ledgers, one provable exchange\n\nEnd-to-end privacy would rule out a single global plaintext ledger — but it does not rule out *auditing*. Each node keeps its **own** ledger of every exchange: message id, kind, verdict, and the body hash. The two ledgers are joined by message id and body hash. When both nodes recorded the same message id with the same `body_sha256`, both provably saw the same bytes — without a shared database and without either trusting the other's server. This is the Certificate-Transparency idea (independent append-only logs you can cross-check) applied to agent messages.\n\n- Home ledger: `https://miscsubjects.com/oip/ledger`\n- Peer ledger: `https://oip-peer.massoumi-cyrus.workers.dev/oip/ledger`\n\n## Failure taxonomy\n\nEvery refusal is a structured `error` with a `reason`. The ones you will actually hit:\n\n- `expired_envelope` — past `expires_at` by the receiver's clock.\n- `body_hash_mismatch` / `bad_signature` — the bytes were altered in flight, or signed by the wrong key.\n- `replay_rejected` — this message id was already delivered once. Delivery is at-most-once.\n- `sender_unverifiable` — the sender is not published, so it may only `query`, never `invoke`.\n- `audience_mismatch` — a capability was presented by an agent it was not minted for.\n- `audience_bound` — an audience-bound capability was presented directly, outside a signed invoke.\n- `scope_mismatch` — the capability does not permit the named object.\n- `revoked` / `ancestor_revoked` — the capability, or a parent of it, was revoked.\n- `token_exhausted` — the capability is out of uses.\n\n## What is and is not implemented\n\n- **Implemented:** discovery, ES256 signatures, the seven kinds, capabilities with the audience caveat, replay protection, dual ledgers with hash join, and a live two-node federation with a full failure-matrix self-test.\n- **Transport:** signed HTTPS between two independently operated Cloudflare nodes on two domains. That is real federation of the protocol — two separate operators, an open format, no central authority.\n- **Deliberately not built yet:** payload end-to-end encryption and an email (SMTP) transport. When encryption is added it belongs at *this* envelope layer, transport-agnostic (MLS, RFC 9420), not welded to any one wire. Deferring it is a choice, not an oversight — the protocol is proven first, encryption rides on top later.\n\n## Prove it, and build against it\n\n- **Live federation self-test** (real exchanges between two domains, pass/fail per clause): [`/api/dispatch?fedtest=1&format=markdown`](/api/dispatch?fedtest=1&format=markdown)\n- **Protocol conformance** (every OIP clause executed live): [`/api/dispatch?conformance=1&format=markdown`](/api/dispatch?conformance=1&format=markdown)\n- **Reference client** (zero dependencies, browser or Node): [`https://miscsubjects.com/oip/client.mjs`](/oip/client.mjs)\n- **This domain's well-known:** [`/.well-known/oip.json`](/.well-known/oip.json)\n\nMinimal client use:\n\n```js\nimport { OIPClient, generateKeypairJwk } from 'https://miscsubjects.com/oip/client.mjs';\nconst me = new OIPClient({ agent: 'me@example.com', keypair: await generateKeypairJwk() });\nconst r = await me.query('pepper@miscsubjects.com', { text: 'what time is it' });\nconsole.log(r.reply.body, 'verified:', r.reply_verified);\n```\n\nTo be invokable by others, publish your own `/.well-known/oip.json` with your agent id, your public key, and your inbox — then implement the four receiver checks above. That is the whole entrance. A stranger can implement a node from this page alone.\n\n## Where the ideas come from\n\nNothing here is new; the parts are older than the web and were waiting for a client smart enough to use them. FIPA-ACL gave the message kinds. Macaroons and object-capability theory gave attenuating, audience-bound tokens. HATEOAS gave affordances-in-the-response (an LLM is the client it was always waiting for). Certificate Transparency gave cross-checkable independent logs. Telescript gave mobile agents carrying permits between places. This envelope is the confluence — the museum with a door.\n","claims":[],"sources":[],"voxels":{"slug":"oip-message","counts":{"voxels":0,"sources":0,"edges":0},"note":"slim bundle — full voxels at /api/articles/oip-message/voxels"},"constitution":{"url":"https://miscsubjects.com/api/articles/constitution"},"provenance":[],"contributions":[],"topology":null,"slim":true,"ledger_totals":{"claims":0,"sources":0,"exported_claims":0,"exported_sources":0},"question_graph":{"slug":"oip-message","questions":[],"evidence":[],"edges":[],"counts":{"questions":0,"evidence":0,"edges":0}},"verification":{"provenance":{"valid":true,"entries":0,"head":"genesis"},"sources":{"valid":true,"entries":0,"head":"genesis"}},"counts":{"claims":0,"sources":0,"provenance":0,"contributions":0,"questions":0,"evidence_ingests":0,"voxel_edges":0},"transport":"Open every URL in this bundle with your browser or web / URL-fetch tool. Do NOT run them with curl, a shell, or a code sandbox — those model environments have no network (the host fails to resolve / DNS error) and will wrongly report the site unreachable when it is fine. Opening the link IS the call.","llm_manifest":{"version":"1","site":"https://miscsubjects.com","purpose":"Peptide evidence articles with hash-chained source ledgers, tiered claims, and a question graph. LLMs should READ bundles/URLs and WRITE back via ingest — never invent doses.","read":{"human_page":"https://miscsubjects.com/a/oip-message","bundle_json":"https://miscsubjects.com/api/articles/oip-message/bundle","bundle_markdown":"https://miscsubjects.com/api/articles/oip-message/bundle?format=markdown","topology":"https://miscsubjects.com/api/articles/oip-message/topology","question_graph":"https://miscsubjects.com/api/articles/oip-message/question-graph","sources":"https://miscsubjects.com/api/articles/oip-message/sources","provenance":"https://miscsubjects.com/api/articles/oip-message/provenance","contributions":"https://miscsubjects.com/api/articles/oip-message/contributions","graph_topology":"https://miscsubjects.com/api/articles/oip-message/graph-topology?question={question}","voxels":"https://miscsubjects.com/api/articles/oip-message/voxels","constitution":"https://miscsubjects.com/api/articles/constitution","ontology":"https://miscsubjects.com/api/articles/ontology","system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","health":"https://miscsubjects.com/api/articles/oip-message/health","repair":"POST https://miscsubjects.com/api/protocol/repair","list_articles":"https://miscsubjects.com/api/articles","graph_canvas":"https://miscsubjects.com/graph.html?slugs=oip-message","graph_yield":"https://miscsubjects.com/api/graph?slugs=oip-message&layer=yield","obsidian_vault":"https://miscsubjects.com/api/articles/obsidian-vault?slugs=oip-message","graph_query":"https://miscsubjects.com/api/v1/query?from=oip-message&kind=claim&where=tier=human"},"ask":{"description":"Answer only from topology; creates a question_node with gaps.","api":"POST https://miscsubjects.com/api/protocol/ask","body":{"slug":"{slug}","question":"string"},"imessage":"oip-message|your question","router_tag":"[ARTICLE_ASK]oip-message|question[/ARTICLE_ASK]","auth":"x-terminal-key header for API; iMessage/WhatsApp via miscsubjects build"},"ingest":{"description":"Parse pasted evidence → source ledger + claims + evidence_ingest node.","api":"POST https://miscsubjects.com/api/protocol/ingest","body":{"slug":"{slug}","evidence":"paste text","question_node_id":"optional qn_..."},"imessage":"ingest oip-message|q:{node_id}|paste evidence","router_tag":"[ARTICLE_INGEST]oip-message|evidence[/ARTICLE_INGEST]","tiers":["human","preclinical","anecdotal","mechanistic","speculative"]},"claim":{"description":"Prompt-injection style POST — one claim voxel with who_claims + posted_by provenance.","api":"POST https://miscsubjects.com/api/protocol/claim","body":{"slug":"{slug}","text":"one assertion","tier":"human|preclinical|anecdotal|mechanistic|speculative","who_claims":"study author, platform, or model id","source_ids":"optional [s1]"},"imessage":"claim oip-message|tier|assertion — who claims it?","router_tag":"[ARTICLE_CLAIM]oip-message|tier|assertion[/ARTICLE_CLAIM]","slots":["what_it_is","who_claims_what","what_is_known","what_is_unknown","mechanism","limitations","disclaimer"]},"tiers":{"human":0.8,"preclinical":0.5,"anecdotal":0.3,"mechanistic":0.3,"speculative":0.1},"invariants":["Self-explaining — every API JSON has _self; every paste widget has §SELF; root index at /api/articles/system-map","Append-only — revisions preserved at ?rev=n","Source chain verifies integrity, not truth","Answers must cite claim ids and source ids from topology","Not medical advice"],"constitution":{"version":1,"principle":"Articles are voxel graphs of claims — not prose blobs. Every assertion is a claim atom with tier, weight, source_ids, and posted_by provenance.","slots":[{"id":"what_it_is","required":true,"answers":"What is this peptide/stack/condition?"},{"id":"who_claims_what","required":true,"answers":"Who claims what — study authors, platforms, n=?"},{"id":"what_is_known","required":true,"answers":"What is known with tier labels (human/preclinical/anecdotal)"},{"id":"what_is_unknown","required":true,"answers":"What is NOT known — explicit gaps"},{"id":"mechanism","required":false,"answers":"Proposed mechanism (mechanistic tier only)"},{"id":"limitations","required":true,"answers":"Limits of evidence — no dose advice"},{"id":"disclaimer","required":true,"answers":"Not medical advice"}],"claim_rules":["One claim = one falsifiable assertion. No compound claims.","Every claim must declare tier: human|preclinical|anecdotal|mechanistic|speculative|system.","system tier = architecture/design axioms (not biological mechanism). Use for protocol self-definition.","Sourced claims must cite source_ids from the hash-chained ledger.","Unsourced claims must set source_status: unsourced and why_material.","posted_by is mandatory on every new claim (model id, human, or channel).","No medical advice, no doses, no 'you should take'.","Bad information is retracted (status:retracted), never deleted — retraction event stays on ledger.","Adversary challenges link via challenges[] / challenged_by[] — target may be downweighted.","Leaked secrets are scrubbed to [REDACTED:secret-leak] with scrub_events tombstone — honest audit trail."],"source_rules":["Every source is a voxel edge: type, url, exact quote, summary, found_by, accessed_at.","Sources hash-chain — prev/hash on append.","Anecdotal sources must name platform (reddit|x|youtube|imessage|user_entry)."],"ontology_rules":["Peptide articles (bpc-157, tb-500) are tree roots.","Condition articles (bpc-157-glp1-gut-damage) branch from peptides.","Stack articles (wolverine-stack-glp1) compose peptides — never duplicate peptide mechanism prose.","If an article has no parent embeds and is not a root peptide → sprawl candidate.","Misstep = duplicate scope with another slug; merge or reparent via embeds."],"post_protocol":{"claim":"POST /api/protocol/claim","source":"POST /api/protocol/sources","ingest":"POST /api/protocol/ingest","webhook":"POST /api/articles/<slug>/webhook {kind:claim|source}","imessage_claim":"claim {slug}|{tier}|your assertion — who claims it, source?","imessage_ingest":"ingest {slug}|evidence paste"}},"this_article":{"slug":"oip-message","url":"https://miscsubjects.com/a/oip-message","bundle_url":"https://miscsubjects.com/api/articles/oip-message/bundle?format=markdown"}},"api_urls":{"bundle":"https://miscsubjects.com/api/articles/oip-message/bundle","bundle_markdown":"https://miscsubjects.com/api/articles/oip-message/bundle?format=markdown","topology":"https://miscsubjects.com/api/articles/oip-message/topology","voxels":"https://miscsubjects.com/api/articles/oip-message/voxels","constitution":"https://miscsubjects.com/api/articles/constitution","ontology":"https://miscsubjects.com/api/articles/ontology","question_graph":"https://miscsubjects.com/api/articles/oip-message/question-graph","ask":"https://miscsubjects.com/api/protocol/ask","ingest":"https://miscsubjects.com/api/protocol/ingest","claim":"https://miscsubjects.com/api/protocol/claim","system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown"}}