A Protocol for Sovereign Work

Peer-to-peer freelance settlement · keypair identity · Bitcoin + Lightning · 2-of-3 multisig escrow · web-of-trust reputation · AGPL-3.0

Abstract

FORGE is an open protocol for a freelance marketplace that no one owns. It combines four existing, battle-tested primitives, Bitcoin for money, Nostr for identity and transport, PGP for long-lived keys, and Bitcoin Script for escrow, into a thin coordination layer for sovereign labor. There is no company holding accounts, no custodian holding funds, and no gatekeeper granting permission. Identity is a keypair, payment is Bitcoin and Lightning, reputation is a graph of signed mutual attestations, and escrow is a 2-of-3 multisig contract between client, freelancer, and a freely chosen arbiter. The reference implementation is free and open source under AGPL-3.0. This document describes the philosophy, the protocol, and, most importantly, how a censorship-resistant labor market can remain free without collapsing into a market for harm.

1. The problem with platforms

A modern freelancer does not own their business. They rent it. The platform owns the account, the client relationship, the payment rails, the reputation score, and the dispute process. It can change the rules overnight, raise its fee to a quarter of every invoice, freeze a balance, or delete a decade of five-star history with a single automated decision and no appeal.

This is the same flaw Bitcoin identified in money: a trusted third party is a single point of failure and control. The freelancer is asked to trust a corporation to be a fair custodian of their identity, their income, and their reputation, simultaneously. History shows this trust is routinely abused, not always maliciously, but inevitably, because the incentives point that way.

If the trusted third party can take it from you, it was never yours. FORGE removes the third party from the parts that matter: your name, your money, and your reputation.

2. First principles

• Self-sovereignty. You hold your own keys, your own funds, and your own reputation. Nothing critical lives in a database we control.
• No permission. No KYC, no nationality, no approval to work or to hire. Participation is open to any keypair.
• Radical transparency. Profiles, reviews, and arbitration rulings are signed and public. Sunlight is the security model.
• Verifiability. Every component is open source. If you cannot read and run it, you should not trust it.
• Exit over voice. If you dislike a relay, a front-end, or a fee, you can leave or fork without losing your identity or your trust graph. The right to exit is what keeps the protocol honest.
• Protocol before product, community before business model. We build the open standard and the people first; monetization comes last and in the open.

3. Identity: pubkeys, not emails

An account on FORGE is not a row in our database. It is a keypair that you generate and control. Authentication is a signed challenge: the client asks you to sign a nonce, and your signature proves control of the key. We support two schemes:

• Nostr (npub / nsec) as the primary identity and transport. Nostr already gives us decentralized, relay-based messaging and a portable public identity.
• Bitcoin message signing for users who prefer to anchor identity directly to a Bitcoin key.

On top of the root key sits human-friendly metadata: a nickname, an avatar, a bio, a skill list. These are public and pleasant to use, but they are only labels bound to the key. Your cryptographic identity is the root of trust; the pretty parts are decoration. Users may additionally bind a long-lived PGP key for encrypted project briefs and for reputation that outlives any single relay.

Because identity is a keypair, it is portable by construction. You can move between front-ends, leave FORGE entirely, and carry your name and history with you, because they were never ours.

4. Payment: Bitcoin and Lightning

FORGE settles exclusively in Bitcoin. There is no fiat on-ramp, no card processor, no chargeback, and no intermediary that can be pressured into freezing a payment.

• Lightning for fast, low-value work, tips, and micro-bounties. Near-instant, near-free, ideal for the long tail of small jobs.
• On-chain Bitcoin for any contract large enough to justify escrow.

Critically, the platform never custodies a single sat. Money moves directly between the participants and the multisig escrow address. There is no FORGE wallet for an attacker to drain, a regulator to seize, or an operator to abscond with.

5. Escrow: 2-of-3 multisig

Trust between strangers is bootstrapped with a native Bitcoin 2-of-3 multisig contract. Three parties each hold one key:

1. The client, who funds the contract.
2. The freelancer, who performs the work.
3. An arbiter, freely chosen and agreed by both sides before funding.

Funds lock into the multisig address. Any two of the three signatures can release them:

• Happy path: on delivery, client and freelancer co-sign. The arbiter is never involved and never sees a key used.
• Dispute: the arbiter reviews evidence and co-signs with whichever party they judge to be in the right. Two signatures move the money; the arbiter alone cannot.

No single party, including FORGE, can ever move the funds unilaterally. The escrow is enforced by Bitcoin, not by a company's promise.

6. Reputation: a web of trust

FORGE deliberately avoids a single global five-star average, which is trivial to game and owned by whoever runs the database. Instead, reputation is a web of trust built from signed, mutual attestations.

• When a job concludes, both parties sign a review of each other. A review is only valid if it references a real, settled contract, which makes fake reviews expensive rather than free.
• Attestations are published as signed events and form a directed graph keyed by pubkey.
• Your view of someone's reputation is computed relative to identities you already trust. A glowing review from a stranger means little; one from people in your own trust graph means a great deal. This is PGP's web-of-trust model applied to labor.

Because the graph is signed and public, it is portable and auditable. No central score to inflate, no algorithm to reverse-engineer, just a network of cryptographic claims you can weigh for yourself.

7. Arbitration as an open market

Arbitration is not a privileged office held by the platform. It is an open role in a competitive market. Anyone can publish an arbiter profile listing their terms, their fee, and their public history of rulings.

• Parties select an arbiter per contract, by mutual agreement, before funds are locked.
• Every ruling an arbiter makes is signed and public, forever. Their entire judicial record is open to inspection.
• An arbiter's only capital is their reputation. Make biased, lazy, or strange decisions and the market simply stops selecting you. There is no need for a central appeals board; trust flows away from bad arbiters automatically.

This turns dispute resolution into a reputation market with real skin in the game. The more questionable an arbiter's history, the lower the trust they command, and the fewer contracts they are chosen for.

8. Freedom without the dark market

This is the hardest and most important section. A no-KYC, censorship-resistant, Bitcoin-settled market for human labor could, left naive, drift toward a market for harm. We will not pretend that tension away, and we will not solve it by rebuilding the surveillance apparatus we are trying to escape. Our answer is structural: we make the open market a hostile environment for harmful work without compromising the freedom of legitimate work.

Why transparency beats darkness

Dark markets depend on opacity: hidden listings, anonymous escrow, deniable communication. FORGE inverts every one of those. Listings, reviews, and rulings are signed and public. Reputation is bound to a persistent cryptographic identity. Disputes leave a permanent signed record. A market this loud and legible is precisely where illicit trade does not want to be.

Moderation at the edge, not the core

The protocol itself is neutral and uncensorable, like SMTP or TCP/IP. But the protocol is not the storefront. The reference front-end and community relays operate under a published, community-ratified Acceptable Use Charter, refusing to surface clearly illegal categories (violence-for-hire, CSAM, weapons, and similar). This is the email model: SMTP is open, yet your inbox still filters spam and abuse. Anyone is free to run a relay or front-end with different rules, or none, but they do so outside the curated commons, and outside its trust, escrow, and arbiters.

Trust is the gate, not identity

The deepest defense is economic. Harmful work cannot accumulate the things FORGE makes valuable: no honest counterparty will sign a mutual review for it, and no reputable arbiter will hold a key for it. Without reputation and without escrow, an illicit actor is reduced to anonymous peer-to-peer dealing, which they could already do without us, and without our trust graph to lend them credibility.

Culture before scale

We deliberately seed the network with open-source bounties and legitimate sovereign freelance, establishing norms and a trust topology before growth. The earliest, most-trusted nodes in the web of trust set the cultural center of gravity for everyone who joins later.

The base layer is as free as cash. But unlike a dark market, it is loud, legible, and reputation-bound. You can always step outside the commons and transact peer-to-peer, but then you forfeit its escrow, its arbiters, and its trust, which is exactly the price that keeps the open market clean.

9. Governance and sustainability

FORGE has no token, no ICO, and no foundation collecting rent. It will never issue one. We reject the model where a protocol's success is captured by early speculators rather than its users.

• Funding begins with donations, listed transparently in a public ledger.
• Long-term sustainability may come from a small, optional, transparent fee on escrow contracts that use the commons' infrastructure, decided openly with the community and always avoidable by self-hosting. The fee funds the commons; it does not enrich an owner.
• Governance is rough consensus and running code. Disagreement is resolved by forking, the ultimate check on any maintainer.

10. Roadmap

1. Phase 0 (now): Manifesto, whitepaper, acceptable-use charter, first community.
2. Phase 1: Identity and reputation spec, signed mutual reviews, read-only reference client.
3. Phase 2: Lightning tips and small jobs; open-source bounty board as the first live use case.
4. Phase 3: 2-of-3 multisig escrow, open arbiter registry, public dispute records.
5. Phase 4: Federation across many relays and front-ends, transparent sustainability model.

11. License and ethos

The reference implementation, protocol specification, and all official tooling are released under the GNU Affero General Public License v3.0 (AGPL-3.0). The AGPL is a deliberate choice: anyone who runs a modified version of FORGE as a network service must publish their modifications. A protocol built for freedom cannot rest on code its users are forbidden to read or improve.

FORGE stands in the cypherpunk tradition: privacy through cryptography, freedom through code, trust through verification rather than authority. We build in the open, we hold no one's keys, and we ask no one's permission.

Pubkeys over emails. Self-custody over trust. Exit over voice. Freedom is the first principle.

← Back to FORGE   Read the code