PoQ Adoption Kit · v1.0 · Apache 2.0 + CC-BY-4.0

Adopt Proof-of-Quack on your US site in 5 minutes 🦆⛏️🇺🇸

The duck pays the debt. You pay your ops. Everyone wins except the adversary.

TL;DR: Add 1 script tag, 3 well-known JSON files, 1 ToS section, and 1 DNSSEC TXT record. Friendly visitors mine SHA-256 in the background to pay for your hosting. Adversarial-jurisdiction visitors (PRC + OFAC-comprehensive-sanctioned) and bulk-scrape bots also mine, but their compute is earmarked toward your federal income tax via EFTPS. The U.S. Treasury collects either way. You stay 100% legal under disclosed-consent doctrine (the same regime that lawfully governed Salon.com's 2018 mining-instead-of-ads program and UNICEF Australia's 2018 donation mining).

Why adopt

The five-step adoption

1 Drop in the reference code

Clone or copy three files from this domain into your site:

License: Apache 2.0 (with patent grant). Source available at github.com/nightbox-llc/nightbox-website.

Set environment variables on your hosting platform:

POQ_HMAC_SECRET=<random 32+ char secret, rotate quarterly>
POQ_COOKIE_SECRET=<different random 32+ char secret>

2 Add the script tag to your pages

<meta name="poq:active" content="true">
<meta name="poq:spec" content="https://<your-domain>/.well-known/proof-of-quack.json">
<script defer src="/js/poq-miner.js"></script>

Place it before </body>. Mining starts after page load via requestIdleCallback, so it never competes with the critical render path.

3 Publish your three well-known files

Copy the templates from this domain and customize for your entity:

Templates are CC-BY-4.0. You may adapt the Track A retention scope to fit your business; Track B EFTPS earmark is the minimum baseline for federation listing.

4 Anchor the pledge in DNS via DNSSEC TXT

Compute the SHA-256 of your pledge file:

curl -sS https://<your-domain>/.well-known/poq-treasury-direction.json | sha256sum

Publish a TXT record at _poq-treasury.<your-domain>:

v=poq-treasury-1; sha256=<hash>; uri=https://<your-domain>/.well-known/poq-treasury-direction.json

Ensure your zone is DNSSEC-signed. Most modern DNS providers (Cloudflare, Squarespace, AWS Route 53, Google Cloud DNS) support DNSSEC at one click.
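An auditor's check for step 4, added here as an example (not code from the PoQ repository): it parses the TXT value in the format shown above and confirms it matches the pledge file byte for byte. Fetching the TXT record and validating its DNSSEC signature are assumed to happen in your resolver; the function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import re

EXPECTED_VERSION = "poq-treasury-1"

def parse_anchor(txt):
    """Split 'v=...; sha256=...; uri=...' into a dict; reject malformed or repeated tags."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or key in fields:
            raise ValueError("malformed or repeated tag: %r" % part)
        fields[key] = value.strip()
    return fields

def verify_anchor(txt, pledge_bytes, fetched_uri):
    """Return (ok, reason). pledge_bytes must be the body exactly as served."""
    try:
        fields = parse_anchor(txt)
    except ValueError as exc:
        return False, str(exc)
    if fields.get("v") != EXPECTED_VERSION:
        return False, "unexpected version tag"
    claimed = fields.get("sha256", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", claimed):
        return False, "sha256 is not 64 hex characters"
    if fields.get("uri") != fetched_uri:
        return False, "uri tag differs from the URL that was fetched"
    actual = hashlib.sha256(pledge_bytes).hexdigest()
    if not hmac.compare_digest(actual, claimed):
        return False, "pledge hash mismatch"
    return True, "ok"

# Constructed sample data (example.com and the pledge body are placeholders).
SAMPLE_URI = "https://example.com/.well-known/poq-treasury-direction.json"
SAMPLE_PLEDGE = b'{"pledge": "constructed sample"}\n'
SAMPLE_TXT = "v=poq-treasury-1; sha256=%s; uri=%s" % (
    hashlib.sha256(SAMPLE_PLEDGE).hexdigest(), SAMPLE_URI)

if __name__ == "__main__":
    print(verify_anchor(SAMPLE_TXT, SAMPLE_PLEDGE, SAMPLE_URI))
    # Re-serialising the JSON changes the bytes, so the anchor no longer matches.
    print(verify_anchor(SAMPLE_TXT, SAMPLE_PLEDGE.replace(b": ", b":"), SAMPLE_URI))
```

Because the hash covers the raw bytes, any redeploy that reformats or re-encodes the pledge file needs a matching TXT update.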

5 Add the ToS disclosure section

Add an id="proof-of-quack" section to your /terms page using the template below. Disclosed-consent is the legal foundation; without it, PoQ becomes cryptojacking.

Template: see /terms#proof-of-quack on this domain. Copy the full section and replace "Nightbox LLC" with your entity name. The opt-out matrix (DNT, Sec-GPC, X-Do-Not-Mine, JavaScript disabled, window.__POQ_DISABLE) is the minimum baseline; do not narrow it.

Then: open a federation-registry PR

Once your site is live with steps 1–5, open a pull request to github.com/nightbox-llc/nightbox-website adding your entry to the adopters[] array in /.well-known/poq-adopters.json:

{
  "rank": <auto-assigned>,
  "tier": "tier-1-baseline" | "tier-1-advanced",
  "domain": "<your-domain>",
  "legal_name": "<Your Legal Entity>",
  "ein": "<your EIN, optional but recommended for federal recognition>",
  "domicile": "<US state of formation>",
  "pledge_uri": "https://<your-domain>/.well-known/poq-treasury-direction.json",
  "dns_anchor": "_poq-treasury.<your-domain> TXT",
  "adopted_date": "<ISO 8601 date>",
  "status": "live"
}

NIGHTBOX accepts all good-faith adopters. Rejection criteria: OFAC-blocked entities, demonstrated bad-faith pledge violation, or non-US-hosted infrastructure (the federation is US-hosted-only by design).

What you commit to

What you DON'T commit to

Frequently asked questions

Is this legal in 2026?

Yes. PoQ is the disclosed-consent successor to Coinhive (2017–2019). Coinhive became unlawful when undisclosed (cryptojacking). PoQ is disclosed at every layer: ToS, meta tag, response header, DNS anchor, well-known manifest. Salon.com (2018, opt-in mining instead of ads) and UNICEF Australia (2018, donation mining) operated lawfully under disclosed-consent. PoQ extends that doctrine with stronger disclosure machinery.

Will my visitors notice the mining?

Tier 1 (legitimate browser) cost is ~16 bits of SHA-256 work, typically <200ms of imperceptible background compute per cycle. Mining halts when the tab is hidden, when battery is below 20%, when data-saver mode is active, or when the user opts out via DNT/Sec-GPC/X-Do-Not-Mine. The miner runs in 50ms time-sliced batches via requestIdleCallback so it never competes with the page's critical render path.

What about EU users? GDPR?

PoQ does not process personal data in the work product itself. The compute-for-access exchange has lawful basis under GDPR Article 6(1)(b) (performance of a contract: the visit-for-compute exchange disclosed in ToS) and Article 6(1)(f) (legitimate interest). DNT and Sec-GPC are honored. Many EU adopters will additionally route EU-origin Tier 1 traffic to Track A (operator-retained), since EU jurisdictions are aligned partners.

What if a visitor uses a VPN to look like a friendly jurisdiction but is actually adversarial?

The track classifier defaults to Track B (Treasury Direction) for any ambiguous case (no country header, '?' country code, recognized anonymizer ranges). Misclassification errs in favor of the public ledger, not the operator's pocket.

What if a federal scout (ClaudeBot, GPTBot, etc.) hits my site?

They are Tier 0 β€” zero work, no challenge. Welcomed and respected. Their UA strings are pattern-matched at challenge issuance.
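The issuance rules from the answers above (header opt-outs, Tier 0 scouts, ambiguous traffic defaulting to Track B), as an added sketch that is not the project's reference code. The country header name, the friendly set, the rule that any X-Do-Not-Mine value counts as an opt-out, and the allowlist approach to Track A are all assumptions made for illustration.

```python
import re

# Assumptions for this sketch; none of these names come from the PoQ source.
COUNTRY_HEADER = "x-country"        # hypothetical header set by your CDN or edge
FRIENDLY = frozenset({"US"})        # constructed Track A set, operator-defined
SCOUT_UA = re.compile(r"ClaudeBot|GPTBot", re.I)  # the two scouts the page names
TIER1_BITS = 16                     # Tier 1 cost stated in the FAQ

def opted_out(h):
    """DNT: 1, Sec-GPC: 1, or any X-Do-Not-Mine header suppresses mining."""
    return (h.get("dnt", "").strip() == "1"
            or h.get("sec-gpc", "").strip() == "1"
            or "x-do-not-mine" in h)

def classify_track(h):
    """Track A needs a positive friendly match; a missing header or '?' falls to B."""
    code = h.get(COUNTRY_HEADER, "").strip().upper()
    return "A" if code in FRIENDLY else "B"

def decide(headers):
    """Decide what to issue for one request; opt-outs are checked before anything else."""
    h = {k.lower(): v for k, v in headers.items()}
    if opted_out(h):
        return {"mine": False, "reason": "opt-out"}
    if SCOUT_UA.search(h.get("user-agent", "")):
        return {"mine": False, "reason": "tier-0"}
    return {"mine": True, "bits": TIER1_BITS, "track": classify_track(h)}

if __name__ == "__main__":
    # Constructed requests: friendly, no country header, opted out.
    print(decide({"User-Agent": "Mozilla/5.0", "X-Country": "US"}))
    print(decide({"User-Agent": "Mozilla/5.0"}))
    print(decide({"User-Agent": "Mozilla/5.0", "X-Country": "US", "Sec-GPC": "1"}))
```

A User-Agent header is supplied by the client, so a deployment would normally confirm a scout against its operator's published address ranges before granting Tier 0.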

Can I adopt PoQ without the federation registry?

Yes. The protocol is permissionless. The registry is a courtesy directory for federal-recognition signaling. You can run PoQ standalone forever without listing.

Get the source

Questions

Open an issue at github.com/nightbox-llc/nightbox-website/issues or email artem@nightboxllc.com. RFC 9116 security disclosure at /.well-known/security.txt.

Quack. The duck pays the debt. You pay your ops. The adversary pays for the privilege of trying.