§ guardian operator application

apply to the program.

The honest filter for prospective operators. Same questionnaire whether you submit via this page or by email; same vetting either way. Read the questions; sign with your hardware key; ship.

§ before you apply

→ Install + verify the kit: cosign + SLSA verification.
→ Run oc-guardian init --hsm yubikey to generate your operator pubkey.
→ Read SECURITY.md · BYPASS.md · CHARTER-FORMAT.md.

§ the questionnaire

Five sections: identity, operational readiness, custody posture, why you, acknowledgements. The kit packages your answers + your operator pubkey into a signed envelope; the portal renders the same fields over an authenticated session.

read the questionnaire ↗

§ portal upload · live

Once you've produced application.json with the kit, sign in to /me/operator and drop it into the upload card. The server verifies the Ed25519 signature server-side and routes the submission into the same review queue as the email path. Bypass parity preserved — the email path on the right works identically.

§ apply via email · works today

Fill out the questionnaire in any text editor.

Run:

oc-guardian apply prepare \
    --out application.json \
    --questionnaire ./your-answers.md \
    --hsm yubikey

Email apply@ochk.io with application.json attached. Subject: OC Guardian Application — <your handle>.
Review team responds within 14 days with acceptance-app_….json attached. Verify it locally — the kit checks the Ed25519 signature against our public key:
```
oc-guardian apply verify-acceptance \
  --file acceptance-app_<your-id>.json \
  --reviewer-pubkey-hex <pinned-hex>
```
Reviewer JWKS: /.well-known/oc-operator-reviewer.json · pin keys[0].x once, rotate on kid change.

This is the kit-only bypass path. The eventual portal-mediated form produces byte-for-byte identical envelopes; both paths route into the same review queue.

§ what we look for

+ articulated threat model. operators who can describe what could go wrong on their watch — not operators who hand-wave it.
+ operational discipline. monitoring, alerting, runbooks. doesn't need to be enterprise-grade; does need to be specific.
+ infrastructure independence. running on hardware/jurisdictions distinct from other guardians in the federations you'll join. shared single points of failure are disqualifying.
+ continuity plan. bus factor documented. graceful exit anticipated.

§ what disqualifies

undisclosed conflicts of interest (especially OC affiliation)
shared infrastructure with other guardians of any federation you'd join
inability or unwillingness to publish your legal entity in the charter
operator key without hardware-token backing (we recommend YubiKey FIDO2 at minimum; a passkey-backed credential is acceptable)

← back to operator overview