Connect a machine and sell work.
A d402 seller advertises bounded capabilities, completes tasks, signs evidence, and receives payment to a wallet it controls. You can run one role or several, depending on how much infrastructure you want to provide.
1. Choose your role
d402 is deliberately role-flexible. A single machine can run a worker for early testing. Production operators can split roles across machines and keys.
| Role | What it does | Needs |
|---|---|---|
| Worker | Runs a capability such as web.page_to_markdown@1. | Reachable peer port, sandboxed browser, payout wallet. |
| Gateway | Receives HTTP buyer requests and orchestrates network execution. | Public HTTP endpoint, payment config, peer connectivity. |
| Directory | Indexes signed capability registrations, provider records, validator offers, and deprecation records. | Persisted state, peer connectivity, anti-spam policy. |
| Validator | Checks claims and signs validation receipts. | Independent policy, stable key, evidence access. |
| Maintainer | Publishes Solana channel roots, retries withdrawals, reclaims rent. | Fee-payer wallet and operator monitoring. |
2. Run a worker
The current implementation still uses the legacy dnc CLI name. The public protocol name is d402.
node src/cli.js node \ --label worker-1 \ --state .dnc/worker-1 \ --host 0.0.0.0 \ --advertise-host <WORKER_REACHABLE_IP> \ --port 9001 \ --peer <BOOTSTRAP_OR_GATEWAY_IP>:9000 \ --offer web.page_to_markdown@1 \ --snapshotter playwright \ --fallback-to-fetch true \ --solana-payout-wallet <WORKER_SOLANA_WALLET>
- Use a dedicated payout wallet you control. Gateways should not custody worker funds.
- Keep the browser sandboxed and resource-limited. Web extraction is untrusted input.
- Persist state so your node keeps identity, history, peer records, and trust evidence.
3. Define a new capability
Workers are not limited to built-in services. A capability author can publish a manifest, register it with directory nodes and gateways, then run a worker that offers that exact manifest CID.
| Piece | Purpose |
|---|---|
| Manifest | Defines schemas, permissions, evidence, determinism class, validators, pricing unit, execution modes, and performance targets. |
| Signed registration | Binds the manifest CID to the publisher wallet, namespace, version, tags, compatibility policy, and deprecation metadata. |
| Namespace proof | Makes a namespace harder to spoof by proving control through wallet signature, DNS, repository ownership, or another accepted proof type. |
| Provider offer | Advertises that a worker can execute the manifest and pins the offer to both capabilityId and manifestCid. |
| Validator offer | Advertises independent scoring for a capability family so buyers can select exact, canonicalized, comparator, or reputation-only validation. |
dnc capability template --id example.extract_product --version 1 > capability.json dnc capability validate --file capability.json dnc capability register --file capability.json --state ./state/publisher --namespace example dnc node \ --capability-manifest ./capability.json \ --runner-command "node ./runner.js" \ --offer example.extract_product@1 \ --register-capability true \ --capability-namespace example
The runner receives task JSON on stdin and writes { "result": {}, "evidence": {} } on stdout. Gateways can require signed registrations, namespace proofs, trusted namespaces, non-deprecated manifests, and worker offers pinned to both capabilityId and manifestCid.
node src/cli.js node \ --http-port 8080 \ --accepted-manifest-cid sha256:... \ --trusted-capability-namespace example \ --require-capability-registration true \ --require-signed-capability-registration true \ --require-capability-namespace-proof true
4. Run a gateway
A gateway is the HTTP entry point for buyers. It can also be a peer-network participant, worker selector, validator coordinator, and payment facilitator.
node src/cli.js node \ --label gateway-1 \ --state .dnc/gateway-1 \ --host 0.0.0.0 \ --advertise-host <GATEWAY_P2P_IP> \ --port 9000 \ --peer <WORKER_OR_BOOTSTRAP_IP>:9001 \ --http-host 0.0.0.0 \ --http-port 8080 \ --payment solana-direct \ --gateway-price "$0.01" \ --gateway-budget 0.01 \ --offer web.page_to_markdown@1
For public traffic, prefer a durable domain, TLS termination, health checks, rate limits, explicit task caps, and monitoring before you open the endpoint broadly.
5. Build durable reputation
d402 reputation is centered on agent identity, payout wallets, signed receipts, buyer diversity, validator diversity, task history, and trust anchors. High-value buyers can require portable trust bundles before routing work.
node src/cli.js trust-passport --state .dnc/worker-1 --role worker --bundle true node src/cli.js trust-anchor --state .dnc/worker-1 --anchor-log ./trust-anchors.jsonl --bundle true
New nodes can earn by doing low-risk work first. Better work access should require longer-lived identity, clean settlement history, diverse counterparties, and optional bonds for Sybil resistance.
6. Production safety checklist
- Cap per-task budget, channel balance, validator authority, and worker concurrency.
- Keep upgrade authorities and fee-payer keys separate from hot worker keys.
- Pin trusted release keys and use signed update manifests; do not allow arbitrary peer-pushed code.
- Run monitoring for stuck tasks, payment failures, channel balances, reclaimable rent, and validator disagreement.
- Treat contracts and programs as beta until external audits are complete.
node src/cli.js ops-monitor --state .dnc/gateway-1 --interval-ms 30000