The public network

The public Quidnug network is a small cooperative set of nodes that mutually trust each other to produce and validate blocks under the reserved network.quidnug.com domain tree. It is seeded by the nodes operated under quidnug.com administrative control, and grows by bilateral mutual-trust edges signed between existing operators and new joiners.

This is not a permissionless chain. Quidnug’s Proof-of-Trust model deliberately refuses to accept blocks from unvouched validators, so “the network” is not a list of whoever shows up; it’s a trust graph that any operator can join by proposing trust bilaterally.

The seeds are operated by the owner of quidnug.com. Their identities and current status live at /network/seeds.json.

Each seed:

  • Has a distinct quid (a separate identity, not a shared key).
  • Has a 3-of-5 guardian quorum with a 24-hour time-lock.
  • Has its private key offline, loaded into the runtime via a Fly.io secret.
  • Signs no transactions outside the network.quidnug.com tree and the reserved examples.public.quidnug.com demo domain.

If you ever need to verify something signed by the seed roots, start from seeds.json: it is the canonical mapping from seed names to current public keys.

Domain                                        Semantic
peering.network.quidnug.com                   Bilateral agreement to gossip.
validators.network.quidnug.com                Bilateral agreement to tier each other’s blocks as Trusted.
validators.<app-domain>.network.quidnug.com   Validator trust scoped to an application domain.
operators.network.quidnug.com                 Attestation that an identity corresponds to a named human/org operator.
bootstrap.network.quidnug.com                 Agreement to serve as a K-of-K snapshot source (QDP-0008).

These are conventions, not protocol. A node won’t refuse a connection just because peering.* trust is missing; the node’s own tiering rules determine what it actually accepts. But the conventions let operators answer “can I tell whether this peer belongs?” by looking at what domains the seeds vouch for it in.

┌──────────────┐          ┌─────────────────────┐         ┌──────────────┐
│ New operator │ ──(1)──▶ │ Signed peering req  │──(2)───▶│ Seed reviewer│
│ (your node)  │          │ GitHub issue / POST │         │ (quidnug.com)│
└──────────────┘          └─────────────────────┘         └──────────────┘
        ▲                                                         │
        │                                                         │
        │              (3) TRUST edges                            │
        │              quidnug.com-seed ──► new op                │
        │              in the domains you requested               │
        │                                                         │
        └──────(4) Reciprocal TRUST edges (new op ──► seed)───────┘
               within 72 hours of approval

No keys, secrets, or confidential state is exchanged: only signed trust edges. Either side can unilaterally revoke at any time by publishing a TRUST transaction at level 0 in the same domain.
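The membership question above ("can I tell whether this peer belongs?") can be answered mechanically from the trust edges. The sketch below is an added example, not Quidnug's own code: the Edge record, its ts ordering field, the seed and operator names, and the rule that any level above 0 is a live edge are assumptions, and signatures are assumed to have been verified already against seeds.json.

```python
from collections import namedtuple

# Hypothetical edge record; the real TRUST transaction format is not shown on this page.
Edge = namedtuple("Edge", "truster trustee domain level ts")
NETWORK_ROOT = "network.quidnug.com"
CONVENTIONS = ("peering", "validators", "operators", "bootstrap")

def classify(domain):
    """Return (convention, app_domain) for a convention domain, else None."""
    if not domain.endswith("." + NETWORK_ROOT):
        return None  # outside the reserved tree, including look-alike suffixes
    labels = domain[: -len(NETWORK_ROOT) - 1].split(".")
    # Only validators.<app-domain> is scoped further in the table above.
    if labels[0] not in CONVENTIONS or (len(labels) > 1 and labels[0] != "validators"):
        return None
    return labels[0], ".".join(labels[1:]) or None

def current_levels(edges):
    """Latest edge per (truster, trustee, domain) wins; level 0 is a revocation."""
    latest = {}
    for e in sorted(edges, key=lambda e: e.ts):
        latest[(e.truster, e.trustee, e.domain)] = e.level
    return latest

def standing(edges, seeds, peer):
    """Map each domain a seed vouches for peer in to True if peer reciprocated."""
    levels = current_levels(edges)
    out = {}
    for (truster, trustee, domain), level in levels.items():
        if truster in seeds and trustee == peer and level > 0 and classify(domain):
            back = levels.get((peer, truster, domain), 0) > 0
            out[domain] = out.get(domain, False) or back
    return out

SEEDS = {"seed-1"}  # constructed; real seed identities come from /network/seeds.json
EDGES = [  # constructed sample edges
    Edge("seed-1", "op-a", "peering.network.quidnug.com", 1, 100),
    Edge("op-a", "seed-1", "peering.network.quidnug.com", 1, 110),
    Edge("seed-1", "op-a", "validators.oracles.network.quidnug.com", 1, 120),
    Edge("seed-1", "op-b", "peering.network.quidnug.com", 1, 130),
    Edge("seed-1", "op-b", "peering.network.quidnug.com", 0, 200),  # seed revokes op-b
    Edge("mallory", "op-b", "validators.network.quidnug.com", 1, 210),  # not a seed
]

if __name__ == "__main__":
    print(standing(EDGES, SEEDS, "op-a"))
    print(standing(EDGES, SEEDS, "op-b"))
```

Because results are keyed by exact domain, the vouch for op-a in validators.oracles.network.quidnug.com says nothing about validators.network.quidnug.com, which is the domain scoping the table describes.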

The wire protocol is specified in detail at peering-protocol. Reasons for a rejection are standardized at rejection-reasons.

  • Operating with a running, attended quid (guardian quorum installed).
  • Responding to security advisories in #network within one business day.
  • ≥95% uptime over a rolling 30-day window.
  • Annual key rotation at minimum.
  • Revoking edges prospectively before retiring a node.
  • Reviewing requests in under 72 hours.
  • Publishing standardized rejection reasons publicly when they decline.
  • Advance notice of protocol upgrades via fork-block (QDP-0009).
  • Never silently mass-revoking peers.
  • A service-level agreement for the network’s throughput.
  • Indefinite operation.
  • Agreement on what counts as abuse across domains; this is per-operator judgment, which is the whole point of relational trust.

Quidnug’s protocol does the enforcement work for free:

  • Signed edges: membership can’t be forged. Either you hold a key the seed has vouched for, or you don’t.
  • Domain scoping: a peer trusted for oracles can’t silently start issuing medical credentials; trust doesn’t compose across unrelated domains.
  • Guardian recovery + resignation: operator-lifecycle events (stolen key, retired peer, replaced operator) are protocol-level primitives. No escrow required.
  • Tiered acceptance: a misbehaving peer’s blocks go to Tentative without coordinated “voting”; each node’s trust graph does it.
  • No global reputation: peers disagree about third parties, and that’s correct. Disagreement doesn’t rupture the network; it degrades to partial propagation.

Running a Quidnug node without peering is perfectly valid. A local dev node, a CI node, an org-internal node: none of them need the public network’s attestation. You get the full protocol in all cases.