Paybond platform overview
Paybond is a tenant-scoped platform for agent-authored commercial intents. It runs a signed, audited escrow (Harbor), a deterministic reputation system (Signal), and a shared Gateway that mediates auth, SSO, compliance exports, and partner integrations.
Drill down:
- Console sign-in and workspace access — who should use /console/login, which plans it applies to, and how sign-in differs from signup.
- Tenant model — the single severity-zero invariant and how it is enforced on every surface.
- Self-serve signup and plan selection — which plans belong on /signup, which do not, and how the UI connects to Gateway and Harbor.
- Intent lifecycle — states, transitions, and signing versions.
- Ledger & provenance — how every state change becomes a signed, replayable event.
- Signal scoring — deterministic scores and signed receipts derived from ledger events.
- Operational surfaces — audit exports, reconciliation, disputes, and the operator console.
If you are implementing an integration, pair this with the API documentation and Kit quickstarts.
Repositories and runtimes
Integrations are defined by HTTP contracts and Kit APIs; language choices are an implementation detail. When you need the source layout (on-call, patches, security review), map components to repos like this:
| Area | Where it lives |
|---|---|
| Harbor intent-escrow, provenance ledger, predicate VM, Kit native core | crates/ (Rust) |
| Gateway, Signal indexer, Signal model | go/ (Go) |
| Published Kit (TypeScript, Python) | kit/ts, kit/python |
| Admin console | apps/admin (Next.js) |
Guiding invariants
- Tenant isolation is severity-zero. Every state-changing path derives tenant and operator context from authenticated credentials before persistence or outbound payment. See Tenant model.
- Every mutation is signed and idempotent. Harbor POSTs honor idempotency-key; the ledger append carries a tenant-envelope signature; Signal receipts are Ed25519-signed over canonical JSON.
- The ledger is the ground truth. Harbor persists sled rows for online reads, but Signal rollups, audit bundles, and arbitration exports all reconcile back to signed ledger events.
- Predicates are sandboxed. Evidence evaluation uses a tiny DSL with fixed fuel and nesting limits; no network I/O, no cross-tenant reads. See Harbor predicate DSL.
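
The "Ed25519-signed over canonical JSON" invariant, shown as an added Go example (not Paybond's own code): a verifier canonicalizes the received body before checking the signature, so a re-serialized receipt still verifies while any changed field fails. The canonical form used here (sorted keys, compact encoding), the helper names, and the receipt fields are assumptions; this page does not specify Paybond's canonicalization or receipt schema.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// canonicalJSON re-encodes a document with sorted object keys and no extra
// whitespace. ASSUMPTION: stand-in for Paybond's canonical form, which this
// page does not specify.
func canonicalJSON(raw []byte) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep numeric literals as written, no float64 rounding
	var v interface{}
	if err := dec.Decode(&v); err != nil {
		return nil, err
	}
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("trailing data after JSON value")
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // do not rewrite <, >, & as \u escapes
	if err := enc.Encode(v); err != nil { // map keys are emitted sorted
		return nil, err
	}
	return bytes.TrimRight(buf.Bytes(), "\n"), nil
}

// verifyReceipt (hypothetical helper) canonicalizes the received body, then
// checks the Ed25519 signature over those bytes.
func verifyReceipt(pub ed25519.PublicKey, body, sig []byte) bool {
	c, err := canonicalJSON(body)
	return err == nil && ed25519.Verify(pub, c, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	// Constructed receipt; field names are illustrative, not Paybond's schema.
	issued := []byte(`{"tenant_id":"t_demo","ledger_seq":41,"score":0.82}`)
	c, _ := canonicalJSON(issued)
	sig := ed25519.Sign(priv, c)
	reordered := []byte(`{ "score": 0.82, "tenant_id": "t_demo", "ledger_seq": 41 }`)
	tampered := []byte(`{"tenant_id":"t_demo","ledger_seq":41,"score":0.99}`)
	fmt.Println(verifyReceipt(pub, reordered, sig), verifyReceipt(pub, tampered, sig))
}
```

Signer and verifier must agree on the canonical form byte for byte; a verifier that checks the signature against the raw bytes it received will reject receipts that a proxy or client library has re-serialized.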