Compute Contracts

Marketplace Spec

May 08, 2026

Marketplace spec: https://github.com/publicdomainrelay/compute-contract

Alice, Bob, and Eve are on the network
Alice wants to issue a Compute Contract Request For Proposal (CCRFP)

at://johnandersen777.bsky.social/com.publicdomainrelay.ccrfp/3mlf7tjlfjr2d

https://pdsls.dev/at://did:plc:5svqtrhheairglgiiyvutzik/com.publicdomainrelay.ccrfp/3mlf7tjlfjr2d

Bob has plenty of builder machines
Eve wants to know what Alice is doing
Alice has vouched for Bob
Alice has denounced Eve
Alice creates a CCRFP manifest
Alice makes her CCRFP manifest available to the network
Bob and Eve each issue a Compute Contract Bid (CCB) against the CCRFP

at://johnandersen777.bsky.social/com.publicdomainrelay.ccb/3mlf7ttrffk23

https://pdsls.dev/at://did:plc:5svqtrhheairglgiiyvutzik/com.publicdomainrelay.ccb/3mlf7ttrffk23

Alice's policy engine sees that she's denounced Eve and vouched for Bob
Alice prepares to accept Bob's bid by configuring her Workload Identity Federation (WIF) Role Based Access Control (RBAC) per Bob's bid.wif information

at://johnandersen777.bsky.social/com.fedproxy.rbac/3mlewidctvt2n

https://pdsls.dev/at://did:plc:5svqtrhheairglgiiyvutzik/com.fedproxy.rbac/3mlewidctvt2n

Bob and Eve each issue a Compute Contract Bid (CCB) against the CCRFP
Alice's policy engine sees that she's denounced Eve and vouched for Bob
Alice issues a Compute Contract Bid Accept (CCBA) against Bob's CCB.
- TODO: CCBA
Alice issues a x402 payment to Bob per info provided in his CCB.
- Using the CCBA AT URI and CID.
  - TODO: ^ (first pass was using CCB, need CCBA)

npx awal x402 pay \
  https://builder.bob.example.com/ccr/${AT_URI}/${CID}

Bob builds to the CCRFP manifest's spec and issues a Compute Contract Receipt (CCR) over the CCRFP, CCB, and CCBA
- TODO: CCBA in CCR

at://johnandersen777.bsky.social/com.publicdomainrelay.ccr/3mlf7v5sbyx2m

https://pdsls.dev/at://did:plc:5svqtrhheairglgiiyvutzik/com.publicdomainrelay.ccr/3mlf7v5sbyx2m

Alice's user_data runs within Bob's compute and interacts with Bob's WIF to token exchange to get a token which will interact with the downstream service she configured her RBAC for.
- In our example we are leveraging a Workload Identity Reverse Proxy which enables calling XRPC createRecord against https://rp.fedproxy.com to proxy the POST to a PDS

Workload Identity Reverse Proxy - Blog

Imagine a reverse proxy that provides fine grained RBAC over any API

https://john.leaflet.pub/3lz7aymmqqc2l

The record we POST is of type com.fedproxy.sshPublicKey which is also for use with https://fedproxy.com (aka the same repo, different service/binary it hits: https://github.com/publicdomainrelay/atproto-reverse-proxy)

at://johnandersen777.bsky.social/com.fedproxy.sshPublicKey/3mlf7zbjoax23

https://pdsls.dev/at://did:plc:5svqtrhheairglgiiyvutzik/com.fedproxy.sshPublicKey/3mlf7zbjoax23

This SSH key registration allows us to expose an HTTP service to the internet. Also acting as service discovery.

ssh -NnT -p 2222 \
  -o UserKnownHostsFile=/dev/null \
  -o StrictHostKeyChecking=no \
  -o PasswordAuthentication=no \
  -R ${SERVICE}:80:127.0.0.1:8080 \
  ${HANDLE}@fedproxy.com

The end result is auto HTTPS server coming from arbitrary compute

https://cfb3c8d2.johnandersen777.bsky.social.fedproxy.com