§ federation · v1.2

Guardians as principals.

OC Agent v1 binds an agent's authority to a single Bitcoin address. v1.2 generalizes the principal to a federation: a quorum of guardians issues, scopes, and revokes delegations. The agent's authority survives any individual guardian going rogue or going offline. This is the missing piece for federations running real autonomous workflows.

The shape

A federation is a set of N guardians with an M-of-N threshold. In OC Agent v1.2 terms, the principal of a delegation can be a federation descriptor — instead of a single Bitcoin address, the canonical message is signed by M of N guardians. The verifier checks:

The delegation envelope carries M valid BIP-322 signatures from addresses in the federation's declared guardian set.
The guardian set is itself a content-addressed object — adding or removing a guardian produces a new principal id, and a rotation event is OC-Stamp-anchored.
Revocation works the same way: M guardians sign a revocation envelope. Anyone below threshold cannot revoke unilaterally, preventing single-guardian sabotage.

Why this is strategically critical

Fedimint federations are the most important new sovereignty story in Bitcoin. They let communities pool custody and run their own financial primitives. But if a federation wants to deploy autonomous workflows — bots that move funds under guardian authority, agents that respond to events in the federation's name — there is no clean primitive today for “the federation itself authorized this.”

Federation sign-in for OC Agent fills that hole. A federation can operate console-managed agents whose authority is bound to the guardian quorum, with the same offline-verifiable audit posture individual operators get today.

Composes with the rest of the family

The same generalization lifts every OrangeCheck primitive a federation might want:

attest — the federation as the attesting principal (sybil resistance for services that gate on guardian-issued attestations).
stamp — federation- signed stamps for content the federation publishes (e.g., governance decisions, finality announcements).
vote — federation as tally authority for polls scoped to the guardian set.
pledge — federation- bonded pledges (M guardians stake on a delivery commitment).

What ships in v1.2

Console's v1.2 release wires:

Multi-signature delegation envelopes per the (proposed) oc-agent-protocol v2 spec change.
Wallet adapter driver for Fedimint guardian signing flows (specific to Fedi's guardian software; other federation kits via plugin).
/signin federation flow — point at a federation descriptor, collect M guardian signatures via the federation's native UX.
Federation-aware /team — guardian set is the team, roles map to threshold structure (M can revoke, M can add scope, etc.).

Spec posture

Federation principals are an additive extension to the existing OC Agent canonical-message format. The single-address case continues to work unchanged; the federation case is gated on a new envelope field (principal.alg = "federation"). Spec PR will land in the open oc-agent-protocol repo before any production federation deployment.

delegation.json · federation principal

{
  "v": 1,
  "kind": "agent-delegation",
  "id":   "fed_delegation_a40f1aa2",
  "principal": {
    "alg":            "federation",
    "descriptor_id":  "fed_acme_v3",
    "threshold":      "3-of-5",
    "guardians": [
      { "address": "bc1qg1…", "name": "alice"   },
      { "address": "bc1qg2…", "name": "bob"     },
      { "address": "bc1qg3…", "name": "carol"   },
      { "address": "bc1qg4…", "name": "dave"    },
      { "address": "bc1qg5…", "name": "erin"    }
    ]
  },
  "agent": { "name": "treasury-router.prod" },
  "scopes": [
    { "verb": "lightning.send", "limits": { "max_sats_per_h": 1000000 } },
    { "verb": "ecash.mint",     "limits": { "max_sats_per_h":  500000 } }
  ],
  "expires_at": { "block_height": 905600 },
  "stamp": {
    "id":           "8c14d702…aa9f",
    "status":       "confirmed",
    "block_height": 904122
  },
  "sig": {
    "alg":         "federation-bip322",
    "signatures": [
      { "guardian": "alice", "value": "…" },
      { "guardian": "bob",   "value": "…" },
      { "guardian": "carol", "value": "…" }
    ]
  }
}

§ quorum properties

· any single guardian going rogue cannot forge or revoke
· any single guardian going offline does not block scope edits
· guardian rotation is content-addressed, anchored, replayable
· the principal id is stable across guardian-set changes via descriptor evolution

Run a federation? Want to be a v1.2 design partner?

We're looking for a small number of federations to co-design the federation sign-in flow with us. The spec change goes through oc-agent-protocol openly; the implementation pairs an OrangeCheck engineer with your guardian software for a couple of weeks.

apply to v1.2 cohort read the protocol →