ArxMint: Sovereign Economy Specification
Abstract.
A purely peer-to-peer version of electronic cash and AI agent commerce would allow online payments and autonomous economic activities to be sent directly from one party to another without going through a financial institution or centralized API provider. This document outlines the five phases of ArxMint's development, from foundational security hardening to production-grade deployment of sovereign Bitcoin economies integrating Fedimint, Cashu, and the Model Context Protocol (MCP). Every task traces back to rigorous core research, prioritized by security impact.
Execution Timeline
0.0Fortify: Security Hardening
Most P0 controls are shipped and tested. Final remote-signer transport hardening is still in progress.
your sats and data are protected before anything else gets built
Verify your mint is who it says it is
Verify keyset IDs against mint pubkeys. Prevent NUT-13 deterministic secret collisions — critical for agent wallets.
Honest reporting of what's available on each backend
Honest per-backend SP availability. SP for Fedimint peg-outs requires a federation module (server-side).
Agents get the minimum access they need, nothing more
WATCH_ONLY → PAY_ONLY → ADMIN tiers. Agents default to WATCH_ONLY. Never give agents admin macaroons.
Agent processes never hold signing keys
Signer config and fail-closed validation are shipped. Full isolated signer transport remains to be finalized.
1.0Keystone: Core Architecture
Core architecture is largely shipped: spend routing, merchant onboarding, BCE metrics, and scoped agent controls.
merchants can accept payments, wallet auto-picks best way to pay
Pay for services with ecash, not just Lightning
Dual L402 + Cashu flows are implemented; strict production enforcement and deeper testing are still being hardened.
Auto-pick the cheapest, most private way to pay
Auto-select ecash → Lightning → Ark → on-chain based on amount and privacy score.
Real numbers showing community health
Merchant count, active spenders, spend velocity, grant-ready export.
Step-by-step setup for any local business
Multi-step form, QR codes, POS guidance, directory listings.
Generate limited-permission keys for different roles
Generate scoped credentials: pay-only, invoice-only, read-only, agent-commerce.
Temporary wallets that clean up after themselves
In-memory, auto-expire, scoped. No persistent secrets.
Guided federation setup, no DevOps required
Fedimint G-Bot API for guided federation bootstrap with Docker fallback.
2.0Spire: Full Privacy + Commerce
Mixed maturity phase: some capabilities are production-ready, others are partial integrations or prototype scaffolding.
ecash across multiple mints, tap-to-pay, real-time monitoring
Latest security and performance improvements
Generator paths target "Lighthouse" v0.10.0; root local compose still needs full parity.
High-privacy off-chain spending layer
SovereignArkClient interface exists with stub-mode behavior pending full upstream integration.
Production-grade mint with real database and monitoring
CDK generation path exists; default local stack still uses Nutshell for quick start.
Spread trust across multiple ecash providers
Manager and swap scaffolding are in place; operational hardening and broader coverage continue.
Scan or tap to pay, just like a credit card
cashu:// URI format for merchant QR codes and payment requests.
Receive Bitcoin without reusing addresses
Scanner/indexer/key-delegation scaffolding is implemented with remaining protocol-level hardening.
Real-time health dashboards for community operators
Prometheus/Grafana generation is implemented; deployment parity across all compose paths is ongoing.
Ecash automatically converts to Lightning when needed
Bridge flow is implemented with placeholder preimage handling pending final production wiring.
3.0Aether: Advanced Features
Advanced capabilities are in experimental groundwork mode and depend on upstream protocol maturity for production use.
programmable payments, hardware wallet support, tap-to-pay
Rules for who runs the shared vault and how
Selection criteria, rotation policy, incident response, quorum management.
Smart contracts for ecash — escrow, subscriptions, automated payments
Conditional tokens: escrow, subscriptions, proof-of-service.
Cryptographic proof that agent wallets are honest
Audit-log + ZK reissuance for stateless agent wallets.
Sign transactions with your hardware device
SP descriptor support and PSBT spending for hardware signing devices.
Multi-mint atomic swaps and proof verification
P2BK, background proof state verification, multi-mint atomic swaps.
Tap your card to pay at any merchant
Tap-to-pay for merchants using Numo NFC cards.
4.0Citadel: Production + Grants
Production rollout phase: pilot deployment, grant execution, and replication at community scale.
pilot deployment plus grant-backed expansion
Real businesses, real customers, real sats changing hands
Deploy pilot with merchant and user KPIs, uptime targets, and monitored operations.
Funding to scale from pilot to production
FBCE, OpenSats, and Fedi application templates and workflow support.
Transparent progress tracking for funders
Export monthly/quarterly KPI snapshots and reporting artifacts.
Step-by-step guide for any community to copy this
Open-source "BCE in a box" playbook generated from pilot configuration.
Connect Longmont to other cities on the same rails
Expand pilot model into multi-city commerce via multi-mint and Lightning bridge routes.
Appendix A: Contribute
ArxMint is open source infrastructure. Review the specification, audit the code, or submit proposals for the active phase.