program security.
What this portal can and can't do. What OC sees and doesn't. Where the cryptographic gates are. How a portal compromise plays out. Companion to /security (consumer side) — this page is operator-side.
what this portal cannot do
- push updates to a running guardian on its own. Updates require an operator-signed envelope; the guardian only applies updates whose envelope verifies against the registered operator pubkey.
- shut down a running guardian. Same gate — operator signature required.
- sign on the operator's behalf for any action: charter ratification, ceremony participation, payouts claim, exit handoff. The operator's hardware key is the only key that produces those signatures.
- hold infrastructure credentials — cloud API keys, SSH keys, fedimintd database access. All of those stay on the operator's hardware.
- prevent operator exit from the program. Operators run
oc-guardian portal forget(or just stop using the portal); their guardian keeps running.
what this portal can do
- Render lifecycle UX: applications, dashboards, ceremony progress.
- Request operator-signed actions (the portal sends a request; the operator's hardware key signs; the signed envelope is what actually applies).
- Mirror operator-published status payloads (signed by operator).
- Coordinate ceremony message-passing between guardians (relay, not authority).
- Surface federation-published payouts ledgers + alerts feeds.
The constraint is not "no control plane." It's who signs the authorization, not who clicks the button. The portal can offer rich UX for control-plane operations as long as the signing step happens on the operator's hardware.
what OC sees
- your operator pubkey + identity application materials
- your federation memberships (federations are public)
- signed status payloads you publish
- signed charters you ratify
- audit log entries you choose to publish
what OC does NOT see
- your operator private key (it's in your hardware token)
- your fedimintd config, key shares, database
- your infrastructure credentials
- unpublished audit log entries
- anything about your guardian unless you publish it
what happens if the portal is compromised
Hostile portal operator can present requests, fake UI, lie about state. They cannot produce operator signatures, so the guardian rejects every action that lacks a valid signature. Operators detect compromise via the signed audit log (Bitcoin-anchored via OC Stamp envelopes) and via the kit's independent peer-to-peer view of federation state.
Recovery: operator runs oc-guardian bridge disable and the portal is fully out of the loop. Federation memberships are unaffected — federations track operators by pubkey, not by portal account.
reporting vulnerabilities
Email security@ochk.io. PGP key fingerprint at ochk.io/.well-known/security.txt. We respond within 72 hours, fix high/critical within 30 days, publish post-mortems with credit, and backport to the previous minor release line for 90 days after a major bump.
see also
- oc-guardian-kit/SECURITY.md — kit-side threat model
- /operator/bypass — every portal feature's kit-only equivalent
- /security — consumer-side security posture (different audience, different threat model)
- oc-me-web/NON_CUSTODIAL_AUDIT.md — the consumer-side audit that explains why the program exists