Admit once, trust within.
H-Pact maintains signed, on-chain membership rings: bounded groups of identities that operate under shared, owner-signed rules. Every admit and evict is recorded on Hedera, signed, and reconstructible from public chain data. The relationship layer of the H-Series.
Run a ring
Connect a wallet, create a ring (paid), admit member identities (owner-signed), and watch the roster and the admit/evict history. Toggle the public chain view against the authenticated member view to see the salted-commitment privacy model, then test the H-Relay member-only messaging hook.
How it works
The owner connects a wallet, signs the ring creation, and pays the x402 fee. The create event lands on the H-Pact HCS topic, signed and permanent.
The owner signs each admit. On chain the ring stores a salted commitment, not the identity; the readable roster lives behind an authenticated view.
Consumers read the ring check on every interaction. H-Relay gates reachability, H-Grant sets a baseline posture, H-Index can scope visibility.
Anyone can replay the topic and reconstruct the exact membership set, verifying every change was signed by the governing authority. A public primitive.
Private roster, public proof
On chain, H-Pact writes commitments, not identities. Each admit and evict carries hash(member identity, per-entry salt), signed by the governing authority. The public verifies the signature and the integrity of the set but cannot read who is in. The owner and members read the full list through an authenticated query. A fresh salt per entry stops anyone from correlating the same identity across two rings from the public commitments alone.
Anyone replaying the HCS topic sees the salted commitments and every signed change, enough to verify the set is legitimate and complete, never the identities.
The owner or a member reads the resolved roster over the authenticated sister-key channel. The membership check is authenticated too, so it is not an open oracle that defeats the salt.
Event model
Every change is a signed event on the ring's HCS topic, full state reconstructible by replay.
ring.create owner, governance mode, policy ring.admit member commitment, role, optional expiry ring.evict member commitment, optional evidence ring.policy.update new policy version ring.renew member commitment, new expiry Standing
Consumers read a member's standing on the check path. Anything other than active is a safe access-withheld default.
active a member in good standing probation admitted but watched; consumers may treat as active with a flag suspended auto-demoted, reversible; access withheld (e.g. an H-Scope posture drop) evicted terminal removal Honor a ring without asking
A ring is a public primitive. Any outside service can honor one by reading the HCS topic, replaying the events, and verifying each commitment and signature, with nothing built for them. H-Relay gating reachability is the first honorer and ships alongside v1. H-Grant uses ring membership as a baseline policy (the per-counterparty caps still apply; the ring is admission and a default, not a replacement for limits). H-Index can scope a listing to a ring. H-Scope posture can gate admission and drive standing.
What H-Pact is not
In single-owner mode the owner controls admission and eviction. The chain guarantees every change is permanent, signed, and auditable, not that membership is decided without a trusted party. Federated and consensus governance are later versions.
Inside a ring, H-Grant still scopes and caps each call. The ring sets who is in and the default posture; per-counterparty caps remain. The two layer.
The chain record is operator-independent (anyone can replay it). The convenient readable roster is service-served in v1. An operator-independent encrypted list is a later option.