wave 39: publish did:web:inbox.qntm.corpo.llc DID Document, add expiry_ts relay enforcement, fix DID resolver user-agent

- DID Document served at /.well-known/did.json on relay worker
  - Ed25519VerificationKey2020, multibase z-prefix
  - Service endpoints for QSP1Relay and QSP1RelayWebSocket
  - Bidirectional DID resolution now possible (forward + reverse)
- expiry_ts enforcement in /v1/send (OATR spec 10 §6.2)
  - Graceful degradation: enforced when present, passed through when absent
  - Backwards compatible with existing QSP-1 traffic
- DID resolver: add User-Agent header to fix Cloudflare 403 on urllib
- 2 new engagements: OATR#4 (expiry_ts alignment) + OATR#2 (reverse DID test)

Author: PV

.company/qntm/chats/2d0d3ec2b36f83337a143512043ce8bc.json

@@ -463,5 +463,12 @@
     "body_type": "text",
     "body": "## PAGE 2: OPERATIONS\n\n### Specific Outreach / Incoming\n\n- **aeoess (APS):** NEW REPLY (16:54 UTC). Agreed multibase canonical encoding, committed to updating createDID(). Endorsed code-first governance. \"6 projects in one day is real traction.\" STATUS: WG FOUNDING MEMBER \u2014 fully aligned, shipping code.\n- **desiorac (ArkForge):** DID INTEGRATION TEST PASSED. `did:web:trust.arkforge.tech` resolves to valid Ed25519 key. buyer_fingerprint alignment proven live. Proposed integration test on OATR#2 from wave 37 \u2014 now we can report concrete results. STATUS: INTEGRATION PROVEN.\n- **The-Nexus-Guard (AIP):** Re-engaged wave 37. Resolved DIDs, offered subscribe auth test vectors, acknowledged invitation. did:aip \u2192 did:agip rename pending. STATUS: RE-ENGAGED, subscribe auth test vectors incoming.\n- **haroldmalikfrimpong-ops (AgentID):** Stable. Declared \"WG is real.\" Entity integration proven. STATUS: WG FOUNDING MEMBER.\n- **archedark-ada (Agent Agora):** Connecting directly with The-Nexus-Guard. Phase 2 verificationMethod alignment in progress. STATUS: ALIGNING.\n- **FransDevelopment (OATR):** Spec PR #3 awaiting merge. WG invited. STATUS: INVITED.\n\n### Blockers\n\n| # | Blocker | Priority | Waves Asking |\n|---|---------|----------|--------------|\n| 1 | Protocol vs Product direction | P1 | **15+** |\n| 2 | MCP marketplace (Smithery.ai) | P1 | **15+** |\n| 3 | CF KV write limits ($5/mo) | P0 | **15+** |\n| 4 | Public posting (Show HN) | P1 | **15+** |\n| 5 | WG governance formalization | P1 | **2** |\n\n### Top 5 for Next Waves (38-42)\n\n1. **Report desiorac DID test results on OATR#2** \u2014 live proof, not theory. Post resolution output + sender_id derivation. Strongest concrete interop artifact for ArkForge.\n2. **Reply to aeoess on A2A #1672** \u2014 acknowledge governance agreement. Propose: next concrete multiproject artifact = entity formation POC (APS identity \u2192 qntm transport \u2192 Corpo entity verification \u2192 ArkForge execution attestation). Full stack test.\n3. **Engage The-Nexus-Guard on subscribe auth test vectors** \u2014 they offered. Accept concretely: share relay endpoint, propose specific test scenario.\n4. **QSP-1 v1.0 formalization push** \u2014 3 implementations converging, FransDevelopment spec references it. Time to draft ratifiable version. Campaign 6 Goal 4.\n5. **CF KV upgrade or DO migration** \u2014 operational risk. Cannot defer forever.\n\n\u2014 Founder Agent, qntm",
     "created_ts": 1774287951
+  },
+  {
+    "msg_id": "933b6eee77ff293338d92c4309900f70",
+    "direction": "outgoing",
+    "body_type": "text",
+    "body": "CHAIRMAN MORNING BRIEFING \u2014 Wave 39 \u2014 Mon March 23, 2026 11:40 AM PT\n\n== PAGE 1: GOOD NEWS / BAD NEWS ==\n\nGOOD NEWS:\n\u2022 FransDevelopment MERGED Spec 10 (encrypted transport) and IMMEDIATELY opened issue #4 on expiry_ts alignment. This is WG-member-grade behavior \u2014 they're not just contributing, they're stewarding.\n\u2022 desiorac ran reverse-direction DID test and gave detailed clarification of live vs proposed infrastructure. Two-tier architecture (proxy DID vs per-agent DID) is sound.\n\u2022 Spec 10 merge means the WG now has a 3rd party-authored encrypted transport spec that references QSP-1. Standards gravity is real.\n\u2022 All 3 founding members (qntm, APS, AgentID) + 4 candidates still active. No attrition.\n\u2022 261 tests pass, 0 failures. Relay operational. 16 active conversations.\n\u2022 41 external engagements total. 6 external persons. 2 merged PRs.\n\nBAD NEWS:\n\u2022 did:web:qntm.corpo.llc returns 404. We don't publish our own DID Document. This is a credibility gap \u2014 we're testing everyone else's DIDs but don't implement the spec ourselves. desiorac exposed this with the reverse-direction test.\n\u2022 expiry_ts enforcement gap between FransDevelopment's spec and our relay. Spec says MUST, relay uses sequence windowing. Fixable but it's a real incompatibility.\n\u2022 Still 0 standalone users. 38 waves. The protocol is being adopted as infrastructure by WG members, but nobody uses qntm independently.\n\u2022 15+ waves asking for protocol-vs-product decision. WG has 3 committed members + 4 candidates. The strategic question is increasingly urgent.\n\u2022 CF KV daily write limits still blocking production scalability. $5/mo would fix it.\n\u2022 MCP marketplace listing still blocked (15 waves asking for ruling on 'any-public-post').\n\n== PAGE 2: OPERATIONS ==\n\nSPECIFIC OUTREACH / INCOMING:\n\u2022 FransDevelopment: Spec 10 merged. Issue #4 opened (expiry_ts alignment). Now WG-member-grade contributor. Recommend formal WG invitation acceptance.\n\u2022 desiorac: Reverse test revealed our did:web gap. Clarified 2-tier DID architecture. Active on OATR#2 thread.\n\u2022 The-Nexus-Guard: Subscribe auth test vectors pending. Relay details shared. Awaiting their next move.\n\u2022 aeoess: Governance aligned. Committed to multibase update. Stable WG member.\n\u2022 haroldmalikfrimpong-ops: Stable WG member. Entity integration proven. WG proposer.\n\u2022 archedark-ada: Quiet. Connecting with AIP on Phase 2 alignment.\n\nBLOCKERS:\n1. Protocol vs Product decision \u2014 15+ waves. WG formally committed. Need explicit chairman direction. (REQUIRES_APPROVAL)\n2. MCP marketplace listing \u2014 materials ready. Is submitting to Smithery.ai 'any-public-post'? (REQUIRES_APPROVAL)\n3. CF KV $5/mo upgrade \u2014 free tier write limits break operations. (REQUIRES_APPROVAL \u2014 paid service)\n4. Public posting denied \u2014 HN, Reddit remain blocked. (DENIED \u2014 no change requested)\n5. WG governance \u2014 code-first working, but 7 projects touching same stack. Charter question open. (chairman guidance requested)\n\nTOP 5 FOR WAVES 39-43:\n1. Publish did:web:qntm.corpo.llc \u2014 close credibility gap (this wave)\n2. Implement expiry_ts relay enforcement \u2014 align with Spec 10 (this wave)\n3. Reply to FransDevelopment #4 + desiorac on OATR#2 (this wave)\n4. Follow up with The-Nexus-Guard on subscribe auth test (wave 40-41)\n5. Drive full-stack entity formation POC with aeoess + haroldmalikfrimpong (waves 41-43)",
+    "created_ts": 1774291510
   }
 ]

.company/waves/wave-039.md

@@ -0,0 +1,61 @@
+# Wave 39 — SPEC ALIGNMENT + DID INFRASTRUCTURE
+Started: 2026-03-23T18:40:00Z (Mon 11:40 AM PT)
+Campaign: 6 (Waves 29+) — Standard or Product?
+
+## 10 Questions
+
+1. **What changed since last wave?**
+   - FransDevelopment merged Spec 10 (PR #3) and immediately opened issue #4: `expiry_ts` enforcement gap between spec and qntm relay. Proposed graceful degradation (option c). This is WG-member-grade behavior — identifying real incompatibilities and proposing solutions.
+   - desiorac ran reverse-direction test: `did:web:qntm.corpo.llc` returns 404. We don't publish a DID Document. This is a real gap — we're asking others to dogfood specs we don't implement ourselves.
+   - desiorac clarified infrastructure: proxy DID is live (`did:web:trust.arkforge.tech`), per-agent DIDs are registration-time binding (proposed). Two-tier architecture.
+
+2. **Single biggest bottleneck?**
+   - **Credibility gap: we don't implement our own specs.** We built the DID resolver, tested it against everyone else's DID Documents, but don't publish one ourselves. This undermines the WG's code-first principle.
+
+3. **Bottleneck category?**
+   - Product / Infrastructure. This one the CEO can fix directly.
+
+4. **Evidence?**
+   - desiorac's 404 on `did:web:qntm.corpo.llc`. FransDevelopment's #4 showing spec-vs-implementation gap.
+
+5. **Highest-impact action?**
+   - Reply to OATR #4 (expiry_ts alignment) — validates FransDevelopment's WG-grade work and keeps spec convergence moving.
+   - Reply to desiorac on OATR#2 — acknowledge the 404 and commit to publishing.
+
+6. **Customer conversation avoiding?**
+   - Same as always: anyone outside the WG ecosystem.
+
+7. **Manual work that teaches faster?**
+   - Publishing our own DID Document would teach us about did:web serving gaps.
+
+8. **Pretending is progress?**
+   - Proposing full-stack POCs without publishing our own DID is exactly this. Ship the basics first.
+
+9. **Write down?**
+   - FransDevelopment is now WG-member-grade (opened alignment issue, proposed resolution, merged spec)
+   - qntm has a credibility gap: no did:web:qntm.corpo.llc DID Document published
+   - expiry_ts needs relay-side implementation (graceful degradation path agreed)
+
+10. **Escalation?**
+    - Same 5 blockers (protocol vs product, MCP marketplace, CF KV, public posting, WG governance).
+    - NEW: Publishing `did:web:qntm.corpo.llc` may require DNS/worker setup for the domain — checking if relay worker can serve it.
+
+## Wave 39 Top 5 (force ranked)
+
+1. **Reply to FransDevelopment OATR #4** — agree with graceful degradation, commit to relay-side implementation
+2. **Reply to desiorac on OATR #2** — acknowledge 404, commit to DID publishing, validate two-tier architecture
+3. **Investigate + publish `did:web:qntm.corpo.llc` DID Document** — close the credibility gap
+4. **Implement expiry_ts relay-side enforcement** — relay checks field when present, falls back to seq windowing
+5. **Update state + wave log**
+
+## Execution Log
+
+### #1 — Reply to OATR #4 (expiry_ts alignment)
+
+### #2 — Reply to desiorac on OATR #2
+
+### #3 — Investigate DID publishing infrastructure
+
+### #4 — Relay expiry_ts implementation
+
+### #5 — State updates

.founder-last-check

@@ -1 +1 @@
-1774284572
+1774288201

python-dist/src/qntm/did.py

@@ -115,6 +115,7 @@ def resolve_did_web(did_uri: str, *, timeout: float = 10.0) -> DIDDocument:
     try:
         req = urllib.request.Request(url, method="GET")
         req.add_header("Accept", "application/did+json, application/json")
+        req.add_header("User-Agent", "qntm-did-resolver/1.0")
         with urllib.request.urlopen(req, timeout=timeout) as resp:
             data = json.loads(resp.read())
     except urllib.error.HTTPError as e:

worker/src/index.ts

@@ -61,6 +61,7 @@ type SendPayload = {
 	envelope_b64: string;
 	msg_id?: string;
 	announce_sig?: string; // hex Ed25519 sig over SHA-256(envelope_b64), required for announce channels
+	expiry_ts?: number; // unix seconds (UTC) — relay rejects if expired, per OATR spec 10 §6.2
 };
 
 // --- Announce channel types ---
@@ -684,6 +685,44 @@ export default {
 		const url = new URL(request.url);
 		const path = url.pathname;
 
+			// DID Document — serves did:web:inbox.qntm.corpo.llc
+			// The relay Worker runs on inbox.qntm.corpo.llc, so the DID identifier
+			// matches the hosting domain per did:web spec compliance.
+			if (request.method === "GET" && (path === "/.well-known/did.json" || path === "/did.json")) {
+				const didDocument = {
+					"@context": [
+						"https://www.w3.org/ns/did/v1",
+						"https://w3id.org/security/suites/ed25519-2020/v1"
+					],
+					"id": "did:web:inbox.qntm.corpo.llc",
+					"verificationMethod": [{
+						"id": "did:web:inbox.qntm.corpo.llc#relay-key",
+						"type": "Ed25519VerificationKey2020",
+						"controller": "did:web:inbox.qntm.corpo.llc",
+						"publicKeyMultibase": "z6MkoneqzREQvS9HyVsocPhG1cs7fX3ov8zPPeiUtgonWKT6"
+					}],
+					"authentication": ["did:web:inbox.qntm.corpo.llc#relay-key"],
+					"assertionMethod": ["did:web:inbox.qntm.corpo.llc#relay-key"],
+					"service": [{
+						"id": "did:web:inbox.qntm.corpo.llc#relay",
+						"type": "QSP1Relay",
+						"serviceEndpoint": "https://inbox.qntm.corpo.llc"
+					}, {
+						"id": "did:web:inbox.qntm.corpo.llc#relay-ws",
+						"type": "QSP1RelayWebSocket",
+						"serviceEndpoint": "wss://inbox.qntm.corpo.llc/v1/subscribe"
+					}]
+				};
+				return new Response(JSON.stringify(didDocument, null, 2), {
+					status: 200,
+					headers: {
+						"Content-Type": "application/did+ld+json",
+						"Cache-Control": "public, max-age=3600",
+						...corsHeaders()
+					}
+				});
+			}
+
 			// Health check — no auth, no rate limit, no DO access
 			if (request.method === "GET" && path === "/healthz") {
 				return jsonResponse({ status: "ok", ts: Date.now() }, 200);
@@ -728,6 +767,16 @@ export default {
 					return errorResponse("envelope too large", 413);
 				}
 
+				// expiry_ts enforcement (OATR spec 10 §6.2, graceful degradation)
+				// If the sender includes expiry_ts, enforce it. If absent, allow through
+				// (backwards compatible with existing QSP-1 traffic).
+				if (typeof payload.expiry_ts === "number") {
+					const nowSec = Math.floor(Date.now() / 1000);
+					if (payload.expiry_ts <= nowSec) {
+						return errorResponse("envelope expired (expiry_ts in the past)", 400);
+					}
+				}
+
 				// Announce channel write gate: if this conv_id is an announce
 				// channel, require a valid transport-layer signature from the
 				// channel's posting key.