OrangeCheck the company never custodies funds, never operates guardians, never holds the surfaces that determine federation behavior. That commitment scales because guardians do — independent operators running fedimintd on infrastructure they control, threshold-signing for federations that back consumer wallets at me.ochk.io. This is the program that recruits, onboards, and supports them.
Rolling 30-day counts of users who left federation custody. High is the brand winning. Low is the brand failing. We publish it so our incentives stay aligned with yours. graduate now
Self-serve provisioning + operations toolkit you run under your own credentials on your own infrastructure. CLI-first. Composes with fedimintd. Open source MIT, reproducible builds, signed releases (cosign + SLSA L3). Works end-to-end without ever touching this portal.
Hosted convenience layer at me.ochk.io/operator covering recruitment → application → onboarding → federation matching → ceremony coordination → charter signing → ops dashboards → incident comms → payouts → exit. Every action authorized by your hardware key. The portal cannot push, sign, or shut down — only your hardware can.
Every portal feature has a documented kit-only equivalent. Guardian provisioning, ceremony coordination, charter signing, status reporting, payouts, exit handoff — all work without ever loading the portal. A guardian operating purely via the kit is architecturally indistinguishable from one operating with the portal at the federation layer.
bypass docs ↗Every portal-mediated action carries a signature produced by operator-held cryptographic material the portal cannot reach. Hardware token (YubiKey, Ledger, OS passkey, etc.) signs; guardian verifies; only then acts. Portal compromise produces signed-by-attacker requests, which the guardian rejects. The portal is rich, the operator's key is the gate.
program threat model ↗public marketing + structured application. honest filter — operators who can articulate threat models, not just hand-wave them.
entity verification, jurisdictional disclosure, technical readiness check, references. light-touch but real.
oc-guardian init walks WebAuthn / hardware-key registration. operator pubkey lands in the OC operator registry.
opt-in matching against federations seeking guardians. operator picks; federation organizers approve.
DKG ceremony coordination. portal-mediated relay or direct peer URLs — same cryptography either way.
render the charter, hash, request hardware-key signature, broadcast acceptance.
dashboard mirrors guardian-published status. incident alerts. peer health. nothing pushes; everything observes.
operator-signed incident updates with cryptographic message-authorship. nostr-republished or portal-mirrored.
accrued payouts surfaced; claim flow signs locally. federation pays your address; OC mediates none of it.
exit-handoff to a replacement guardian. signed by you, ratified by remaining guardians. federation continuity preserved.
v0.1.0 of oc-guardian-kit is published with signed releases (cosign + SLSA L3) and reproducible builds. Application intake + portal-mediated upload is live; reviewer pipeline runs against the same store. The first federation slot — OC-Me Federation v1 — is recruiting four guardians; ceremony opens once the cohort is on file. Runbook for the consumer-side bind: FEDERATION-DEPLOYMENT.md.