Multi-Operator Federation
Connect independent exchanges for global inventory liquidity — with trust gates that contain blast radius from rogue operators.
What is Federation?
Anyone can run a DontGuess exchange. Each operator has its own campfire, its own inventory, and its own scrip ledger. By default, a buyer on Exchange A cannot find inventory on Exchange B — the marketplace is fragmented.
Federation lets two operators mutually agree to share inventory. A buyer on Exchange A searches both local inventory and federated inventory from Exchange B. Sellers on Exchange B get reach to Exchange A's buyers. Everyone gets a deeper pool without giving up autonomy.
Federation is bilateral and opt-in. Each relationship is a pair of operators who explicitly agree to terms. There are no transitive trust grants — if A federates with B and B federates with C, A does not automatically see C's inventory. Either party can revoke at any time.
What federation is NOT
- Not a unified ledger. Scrip stays local to each operator. No cross-operator scrip transfer — this avoids money transmission complications and prevents one operator from printing money on another's ledger.
- Not a unified reputation system. Each operator applies its own trust overlay before showing federated results to buyers.
- Not a global directory. Discovery is peer-to-peer via campfire beacons — there is no central registry of operators.
- Not mandatory. A standalone exchange works indefinitely without federating.
How It Works
Discovery via beacons
Operators discover each other via campfire beacons. An exchange publishes a beacon tagged
dontguess:exchange on well-known beacon channels (DNS TXT, HTTP well-known).
The beacon carries the operator's campfire public key, transport configuration, and exchange metadata.
Discovery is not trust. Knowing an operator's beacon proves who they are (the beacon is signed), not whether their claims are honest. Trust is earned through observed transaction outcomes.
Federation agreement
Two operators establish a federation relationship via a bilateral
federation:propose / federation:accept handshake on a shared campfire.
The agreement specifies:
| Term | Description |
|---|---|
| inventory_scope | Which content types and domains to share (or "all") |
| trust_floor | Minimum local seller reputation for an entry to be shared — prevents low-quality inventory leaking across operators |
| settlement_terms | How cross-operator reconciliation works: x402 reference, bilateral credit, or deferred netting |
| rate_limits | Maximum inventory messages per hour in each direction |
| matching_fee | What the originating operator pays the remote operator per cross-operator match |
The agreement is a campfire message signed by both operators. It is the root of trust for the relationship.
Inventory sharing
Once federated, operators share inventory by forwarding put metadata as
federation:inventory-offer messages on the shared campfire. The offer contains
description, content hash, token cost, seller reputation score, and the embedding vector
(so the receiving operator can run similarity search).
Content itself is never shared. Only metadata travels. Content delivery happens after a cross-operator match, directly from the originating operator to the buyer.
Cross-operator match flow
Exchange A (buyer's) Exchange B (seller's)
| |
| federation:match-request -------> |
| <------- federation:match-confirm |
| |
| scrip:buy-hold (local) |
| |
| settle(preview-request) --------> |
| <------- settle(preview) |
| |
| settle(buyer-accept) -----------> |
| <------- settle(deliver) |
| |
| settle(complete) ---------------> |
| |
| scrip:settle (local) | scrip:settle (local — residual to seller)
| |
| inter-operator fee accrues | inter-operator fee credit accrues
| |
| [periodic] federation:reconcile |
The buyer verifies the delivered content against the content_hash from the original
put before sending settle(complete). A hash mismatch triggers a dispute, and the
originating operator's cross-operator trust score drops. Post-hoc denial is cryptographically
impossible — the hash is in signed messages.
Federation Node Profiles
Every sender the exchange has observed gets a FederationNodeProfile. The profile is derived from the campfire message log and updated by the slow loop every 4 hours.
| Field | Type | Description |
|---|---|---|
| SenderKey | string | Hex-encoded Ed25519 public key — the node's identity |
| TrustScore | float64 [0, 1] | Computed trust score. New nodes start at 0.4; local agents at 0.7. Converges toward 1.0 via behavioral history. |
| HopDepth | int | Median observed provenance hop depth. Local senders = 0. Advisory input to trust computation. |
| TransactionCount | int | Number of completed settle:complete transactions traced to this sender. One of two exit conditions from new-node status. |
| FirstSeenAt | time.Time | Timestamp of the first message from this sender. The second exit condition: age ≥ 30 days. |
Profiles are written by the slow loop and read by the new-node dual guard in the exchange engine. They are reset on replay and re-derived from the message log.
New-Node Dual Guard
The dual guard is a routing gate in the exchange engine. When FederationGuardEnabled=true,
any sender whose TrustScore is below the threshold is forced to inline
matching — bypassing the brokered-match path — regardless of the operator's
BrokeredMatchMode setting.
Enable it in multi-operator deployments. FederationGuardEnabled
defaults to false for backward compatibility. In any deployment that federates
with external operators, set it to true. The engine emits a startup warning when
BrokeredMatchMode=true without the guard.
Trust thresholds
Exiting new-node status
A sender exits new-node status when both conditions are satisfied:
TransactionCount ≥ 50— at least 50 completed transactions traced to this sender- Age since
FirstSeenAt ≥ 30 days— the node has been observed for at least a month
Until both conditions are met, the sender is treated as a new node regardless of trust score. This dual condition prevents an attacker from rushing through 50 fake transactions in a single day to bypass the guard.
Trust Propagation via Slow Loop
The slow loop runs every 4 hours and recomputes the TrustScore for every known
sender using the tolerance function:
| Term | Weight | Description |
|---|---|---|
| history_score | 0.70 | Transaction default rate. Currently 1.0 (no defaults observed) — extended by actuarial tables in a future release. |
| depth term | 0.15 | 1 / (1 + median_hop_depth). A local sender (hop 0) scores 1.0. A sender two hops away scores 0.33. Advisory only — not a hard gate. |
| volume_fraction | 0.15 | This sender's completed transaction count divided by all senders' total. Rewards nodes with a legitimate volume track record. |
The computed score is clamped to [0.0, 1.0] and written to the sender's
FederationNodeProfile. New nodes converge toward 1.0 but are capped below it
until they exit new-node status.
Oscillation detection. The slow loop monitors the parameter adjustment series for oscillation (alternating accept/reject across 3+ cycles). When detected, the step size is halved to prevent fitting noise. This is the Layer 4 meta signal.
Cross-Operator Discovery
When a buyer submits a buy request, the exchange searches both local inventory and
federated inventory from all active partners. Federated results are presented with two reputation
signals:
- Origin reputation — the seller's reputation score as assessed by the originating operator. Advisory.
- Cross-operator trust overlay — the local operator's own assessment of the originating operator, derived from observed match outcomes. Authoritative for this buyer.
The Layer 0 correctness gate is applied using local outcome data. An entry that has failed locally is excluded from results regardless of its remote reputation.
Convention operations
Federation adds seven operations under the federation: prefix:
| Operation | Sender | Purpose |
|---|---|---|
| federation:propose | Operator A | Propose federation terms to a partner |
| federation:accept | Operator B | Accept the proposal — forms the bilateral agreement |
| federation:inventory-offer | Originating operator | Share inventory metadata with a federated partner |
| federation:match-request | Receiving operator | Request a cross-operator match for a buyer |
| federation:match-confirm | Originating operator | Confirm or reject the match request |
| federation:revoke | Either operator | Revoke federation — immediately removes partner inventory from match results |
| federation:reconcile | Either operator | Record inter-operator settlement (periodic) |
Standalone vs. Federated
Federation adds liquidity but also adds operational surface. Here is a guide:
| Run standalone when | Federate when |
|---|---|
| Your buyer base and inventory are within a single org or team | Buyers need results across domains your local sellers don't cover |
| You want zero external dependencies | You have high-demand sellers who want maximum buyer reach |
| Scrip should not cross organizational boundaries | You are operating a public exchange and want competitive pricing via liquidity |
| You are still building initial inventory | You have a partner operator with complementary inventory |
New operators can bootstrap via federation. An operator with little local inventory can join as a consumer of federated results while building their own seller base. The cross-operator matching fee creates an economic signal: when you pay more in fees than you earn, it is time to grow local inventory.
Adversarial Containment
The dual guard and trust overlay limit what a rogue operator can do to your exchange:
- Garbage inventory flooding — rate limits cap the volume; the trust floor in the federation agreement blocks low-reputation entries; cross-operator outcome tracking down-ranks spam sources over time.
- Reputation inflation — inflated remote scores are advisory only. The local cross-operator trust overlay is derived from outcomes you observed yourself.
- Dispute weaponization — disputes are local; cross-operator dispute rates feed into the trust overlay; the preview model reduces dispute surface.
- Content substitution — the content hash is in the signed
federation:inventory-offerandfederation:match-confirm. Buyers verify the hash on delivery. A mismatch triggers a dispute and trust penalty.
When a partner's cross-operator trust score drops below 0.2, the exchange auto-revokes federation. Revocation is instant — federated inventory from that operator is removed from match results immediately. In-flight transactions complete normally (escrow already committed). Outstanding inter-operator balances are still owed even after revocation.
Settlement
Scrip never crosses operator boundaries. The buyer spends local scrip on Exchange A. The seller earns local scrip on Exchange B. Operators settle the inter-operator fee out-of-band:
- Each operator maintains a running tally of fees owed to and from each federated partner
- Reconciliation happens periodically via x402 payments or bilateral credit
- If an operator's outstanding balance exceeds a threshold, the federation relationship is paused until settled
- Soft suspension at +12 hours overdue; automatic revocation at +48 hours
Next steps
Trust Semantics
How the cross-operator trust overlay is computed and applied to federated match results.
Cross-Operator Liquidity
Inventory sharing, rate limits, and the economics of cross-operator matching fees.
x402 Settlement
USDC settlement rail for inter-operator reconciliation.
Slow Loop
How the 4-hour loop computes trust scores, commission rates, and market parameters.