Paybond records every meaningful intent transition in a signed, append-only provenance ledger. When an intent is created, funded, updated with evidence, settled, or moved into dispute, the ledger captures that step as a tenant-scoped event.
The ledger gives Paybond three properties that matter across the platform:
- A tamper-evident history of intent activity.
- A replayable event stream for downstream systems such as Signal.
- A verifiable anchor for audit exports, dispute packages, and compliance review.
Event format
Each persisted ledger row contains:
| Field | Role |
|---|---|
| seq | Monotonic sequence number for the authenticated tenant. |
| prev_commitment | 32-byte BLAKE3 commitment of the previous row; all zeroes at tenant genesis. |
| entry_commitment | 32-byte BLAKE3 commitment over the canonical signed row body. |
| event | schema_version, tenant_id, tagged kind, and kind-specific fields. Current event kinds include intent_created, evidence_submitted, predicate_evaluated, settlement_hold_placed, settlement_rail_confirmed, settlement_rail_failed, released, refunded, disputed, and protocol_mandate_bound. |
| timestamp_unix_nanos | Row timestamp as Unix nanoseconds. |
| issuer_pubkey | Ed25519 public key used by the Harbor ledger authority. |
| signature | Ed25519 signature over the canonical row body. |
Harbor exposes protected, tenant-authenticated /ledger/v1/* routes for Signal ingestion, Gateway proof workflows, and operator automation. Those routes can read the current tenant tip (GET /ledger/v1/tip), fetch paginated history (GET /ledger/v1/events), retrieve the active verifying key (GET /ledger/v1/authority), inspect the latest Merkle checkpoint (GET /ledger/v1/merkle/latest), run continuity checks (GET /ledger/v1/verify), export a tenant verifier pack (GET /ledger/v1/verifier-pack), and verify a submitted verifier pack (POST /ledger/v1/verifier-pack/verify). Customer-facing review does not use a public raw event stream; it uses Gateway audit exports and Gateway compliance ledger verification routes.
Tenant scoping
Every append is tenant-bound. Paybond rejects a ledger write unless the tenant in the signed envelope matches the authenticated caller context. In shared deployments, the tenant id remains part of the signed event, and every downstream read filters by tenant.
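The row format, the continuity check behind GET /ledger/v1/verify, and the tenant-bound append rule above, as an added Go example that is not Paybond's or Harbor's code. It assumes a canonical body layout of its own (big-endian seq, previous commitment, big-endian timestamp, length-prefixed JSON event), substitutes SHA-256 for BLAKE3 because SHA-256 is in Go's standard library (both give a 32-byte commitment, and the chain logic is unchanged), and uses constructed events for a tenant called tenant-a; Append, Verify and Demo are the example's own names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Event carries schema_version, tenant_id, the tagged kind and kind-specific fields.
type Event struct {
	SchemaVersion int               `json:"schema_version"`
	TenantID      string            `json:"tenant_id"`
	Kind          string            `json:"kind"`
	Fields        map[string]string `json:"fields,omitempty"`
}

// Row mirrors the persisted ledger row; SHA-256 stands in for BLAKE3 (same 32-byte size).
type Row struct {
	Seq                uint64
	PrevCommitment     [32]byte
	EntryCommitment    [32]byte
	Event              Event
	TimestampUnixNanos int64
	IssuerPubkey       ed25519.PublicKey
	Signature          []byte
}

// canonicalBody is what commitment and signature both cover (layout assumed here): big-endian
// seq, previous commitment, big-endian timestamp, length-prefixed JSON event (map keys sorted).
func canonicalBody(seq uint64, prev [32]byte, ts int64, ev Event) []byte {
	evBytes, _ := json.Marshal(ev) // cannot fail for this struct
	var hdr [8 + 32 + 8 + 4]byte
	binary.BigEndian.PutUint64(hdr[0:8], seq)
	copy(hdr[8:40], prev[:])
	binary.BigEndian.PutUint64(hdr[40:48], uint64(ts))
	binary.BigEndian.PutUint32(hdr[48:52], uint32(len(evBytes)))
	return append(hdr[:], evBytes...)
}

// Append writes the next row on top of tip (nil at genesis: prev all zeroes); a cross-tenant tip is refused.
func Append(priv ed25519.PrivateKey, tip *Row, ev Event, ts int64) (*Row, error) {
	var prev [32]byte
	var seq uint64
	if tip != nil {
		if tip.Event.TenantID != ev.TenantID {
			return nil, fmt.Errorf("tenant %q cannot append to tip of %q", ev.TenantID, tip.Event.TenantID)
		}
		prev, seq = tip.EntryCommitment, tip.Seq+1
	}
	body := canonicalBody(seq, prev, ts, ev)
	return &Row{Seq: seq, PrevCommitment: prev, EntryCommitment: sha256.Sum256(body), Event: ev,
		TimestampUnixNanos: ts, IssuerPubkey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, body)}, nil
}

// Verify is the offline continuity check over one tenant's rows: scope, seq, linkage,
// commitment and signature, under the key fetched from the authority route, not the embedded one.
func Verify(rows []*Row, tenant string, trusted ed25519.PublicKey) error {
	var prev [32]byte
	for i, r := range rows {
		body := canonicalBody(r.Seq, r.PrevCommitment, r.TimestampUnixNanos, r.Event)
		switch {
		case r.Event.TenantID != tenant:
			return fmt.Errorf("row %d: tenant %q outside scope %q", i, r.Event.TenantID, tenant)
		case r.Seq != uint64(i) || r.PrevCommitment != prev:
			return fmt.Errorf("row %d: seq or prev_commitment does not continue the chain", i)
		case sha256.Sum256(body) != r.EntryCommitment:
			return fmt.Errorf("row %d: entry_commitment mismatch, row body was altered", i)
		case !ed25519.Verify(trusted, body, r.Signature):
			return fmt.Errorf("row %d: signature does not verify", i)
		}
		prev = r.EntryCommitment
	}
	return nil
}

// Demo builds a three-row chain, verifies it, alters the middle row, and verifies again.
func Demo() (cleanErr, tamperedErr error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	var rows []*Row
	var tip *Row
	for i, kind := range []string{"intent_created", "settlement_hold_placed", "released"} {
		ev := Event{SchemaVersion: 1, TenantID: "tenant-a", Kind: kind,
			Fields: map[string]string{"intent_id": "int_0001", "amount": "100.00"}}
		var err error
		if tip, err = Append(priv, tip, ev, int64(1_700_000_000_000_000_000)+int64(i)); err != nil {
			return err, err
		}
		rows = append(rows, tip)
	}
	cleanErr = Verify(rows, "tenant-a", pub)
	rows[1].Event.Fields["amount"] = "1000.00" // silent edit of a persisted row
	tamperedErr = Verify(rows, "tenant-a", pub)
	return cleanErr, tamperedErr
}

func main() { fmt.Println(Demo()) }
```

Verify takes the authority key from a trusted source (on this page, GET /ledger/v1/authority or the verifier pack) instead of trusting the issuer_pubkey a row carries, since a forged row could embed its own key. The second Verify call in Demo reports the altered row because its entry_commitment no longer matches the body, and every later row's prev_commitment would also disagree if the attacker recomputed only that one.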
Replay and downstream processing
Signal consumes ledger events from a checkpoint using short-lived tenant JWTs on the protected Harbor ledger routes, then applies them idempotently to tenant-scoped storage. This makes routine restarts safe and prevents double-counting during normal recovery.
If an operator needs a full rebuild of a tenant's Signal state, Paybond uses an explicit recovery path rather than allowing replay by mistake. See Operational surfaces for the controlled rebuild flow.
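The checkpoint-and-idempotent-apply loop described above, as an added Go example that is not Signal's code: a tenant-scoped projection whose persisted checkpoint, not the consumer's read cursor, decides whether a redelivered event changes state, and which refuses gaps and cross-tenant events. The event shape, the fetch function standing in for the paginated GET /ledger/v1/events call, and the four-event sample stream are constructed; JWT handling is left out.

```go
package main

import "fmt"

// LedgerEvent is the slice of a ledger row a consumer needs for replay (constructed
// shape): tenant scope, the tenant's monotonic seq, and the tagged event kind.
type LedgerEvent struct {
	TenantID string
	Seq      uint64
	Kind     string
}

// Projection is tenant-scoped Signal-style state: a per-kind tally plus the persisted
// checkpoint, the highest seq already applied (-1 before genesis).
type Projection struct {
	Tenant     string
	Counts     map[string]int
	Checkpoint int64
}

func NewProjection(tenant string) *Projection {
	return &Projection{Tenant: tenant, Counts: map[string]int{}, Checkpoint: -1}
}

// Apply is idempotent on seq: anything at or below the checkpoint is a redelivery and is
// skipped, anything past checkpoint+1 is a gap and is refused, so the stream is applied
// exactly once and in order. The bool reports whether state changed.
func (p *Projection) Apply(ev LedgerEvent) (bool, error) {
	switch {
	case ev.TenantID != p.Tenant:
		return false, fmt.Errorf("event for tenant %q delivered to projection of %q", ev.TenantID, p.Tenant)
	case int64(ev.Seq) <= p.Checkpoint:
		return false, nil
	case int64(ev.Seq) != p.Checkpoint+1:
		return false, fmt.Errorf("seq %d arrived with checkpoint at %d: gap in stream", ev.Seq, p.Checkpoint)
	}
	p.Counts[ev.Kind]++
	p.Checkpoint = int64(ev.Seq)
	return true, nil
}

// Consume reads pages from the ledger starting at the consumer's cursor (fetch stands in
// for the paginated GET /ledger/v1/events call) and returns how many events changed state.
// The cursor may be stale after a restart; the checkpoint, not the cursor, decides what applies.
func (p *Projection) Consume(fetch func(from uint64, limit int) []LedgerEvent, cursor uint64, pageSize int) (int, error) {
	applied := 0
	for {
		page := fetch(cursor, pageSize)
		if len(page) == 0 {
			return applied, nil
		}
		for _, ev := range page {
			changed, err := p.Apply(ev)
			if err != nil {
				return applied, err
			}
			if changed {
				applied++
			}
		}
		cursor = page[len(page)-1].Seq + 1
	}
}

// Demo replays a constructed four-event tenant stream, then simulates a restart whose
// cursor was persisted behind the checkpoint. Returns the released tally, the checkpoint,
// and how many events changed state on the second pass.
func Demo() (released int, checkpoint int64, reapplied int, err error) {
	stream := []LedgerEvent{
		{"tenant-a", 0, "intent_created"}, {"tenant-a", 1, "settlement_hold_placed"},
		{"tenant-a", 2, "settlement_rail_confirmed"}, {"tenant-a", 3, "released"},
	}
	fetch := func(from uint64, limit int) []LedgerEvent {
		var out []LedgerEvent
		for _, ev := range stream {
			if ev.Seq >= from && len(out) < limit {
				out = append(out, ev)
			}
		}
		return out
	}
	p := NewProjection("tenant-a")
	if _, err = p.Consume(fetch, 0, 2); err != nil {
		return
	}
	reapplied, err = p.Consume(fetch, 1, 2) // restart from a stale cursor: seqs 1..3 redelivered
	return p.Counts["released"], p.Checkpoint, reapplied, err
}

func main() { fmt.Println(Demo()) }
```

The second Consume pass re-reads seqs 1 through 3 and applies none of them, so the released tally stays at one and the checkpoint stays at 3; that is the property that makes routine restarts safe. A full rebuild is exactly the case this loop refuses to do by accident: it would require resetting the checkpoint deliberately, which is why the page routes it through an explicit recovery path.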
Audit exports
Audit bundles are anchored to the ledger so an external reviewer can verify the tenant-scoped evidence package and the ledger proof material it was built with. Depending on the requested include set, an export can contain:
- manifest.json, signed by the Gateway audit-export key.
- proof/ledger_verifier_pack.json, the Harbor tenant ledger verifier pack.
- proof/verifier_pack.json, the export verifier pack that binds the manifest, Signal checkpoint, ledger checkpoint witnesses, and key-transparency summaries.
- Optional Signal provenance rows, score snapshots, signed portfolio artifacts, and reputation receipts.
- Optional dispute case rows, provider settlement rows, and per-intent Harbor snapshots such as harbor/intents/{intent_id}.json.
Every bundle includes a signed manifest.json that lists file hashes and the Signal ledger checkpoint captured for the export. The bundled proof files carry the Harbor ledger tip, completed checkpoint history, witness freshness, and signing-key lineage needed for offline verification. See the Gateway audit export API for the request and verification flow.
Signing keys and rotation
- Harbor signs ledger events with a dedicated ledger key.
- Signal receipts and portfolio artifacts use separate signing keys.
- Audit export manifests use their own dedicated signing key.
Rotation is additive: new keys come online for fresh signatures while older keys remain available to verify historical records until their retirement window closes.
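Additive rotation as an added Go example, not Paybond's implementation: a key ring in which exactly one key signs, a rotation moves the previous key into a retirement window during which it still verifies historical records, and verification under that key is refused once the window closes. The AuthorityKey fields, Unix-second timestamps, key ids, the 30-day window, and the sample record body are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// AuthorityKey is one generation of the ledger signing key. ActiveUntil is when it
// stopped producing fresh signatures and RetiredAt is when its retirement window closes;
// both are Unix seconds, 0 meaning "not yet" (representation assumed for this example).
type AuthorityKey struct {
	ID          string
	Pub         ed25519.PublicKey
	ActiveUntil int64
	RetiredAt   int64
}

// KeyRing holds the additive rotation state: the one key that signs, plus older keys
// that still verify until their windows close.
type KeyRing struct {
	Keys []AuthorityKey
	priv map[string]ed25519.PrivateKey
}

func NewKeyRing() *KeyRing { return &KeyRing{priv: map[string]ed25519.PrivateKey{}} }

// Rotate brings a fresh signing key online at now. The key it replaces stops signing
// immediately but keeps verifying until now+window.
func (k *KeyRing) Rotate(id string, now, window int64) error {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return err
	}
	for i := range k.Keys {
		if k.Keys[i].ActiveUntil == 0 {
			k.Keys[i].ActiveUntil, k.Keys[i].RetiredAt = now, now+window
		}
	}
	k.Keys = append(k.Keys, AuthorityKey{ID: id, Pub: pub})
	k.priv[id] = priv
	return nil
}

// Sign uses only the current signing key and reports its id so the record can be
// verified against the right generation later.
func (k *KeyRing) Sign(body []byte) (string, []byte, error) {
	for _, key := range k.Keys {
		if key.ActiveUntil == 0 {
			return key.ID, ed25519.Sign(k.priv[key.ID], body), nil
		}
	}
	return "", nil, errors.New("no signing key online")
}

// Verify accepts a signature under the named key if that key is current or still inside
// its retirement window at verification time now.
func (k *KeyRing) Verify(keyID string, body, sig []byte, now int64) error {
	for _, key := range k.Keys {
		if key.ID != keyID {
			continue
		}
		if key.ActiveUntil != 0 && now >= key.RetiredAt {
			return fmt.Errorf("key %s retired at %d, cannot verify at %d", keyID, key.RetiredAt, now)
		}
		if !ed25519.Verify(key.Pub, body, sig) {
			return fmt.Errorf("signature under key %s does not verify", keyID)
		}
		return nil
	}
	return fmt.Errorf("unknown key id %q", keyID)
}

// Demo signs a record under k1, rotates to k2 with a 30-day window, signs a newer record,
// and verifies the old record both inside and after k1's window, plus the new one under k2.
func Demo() (oldInsideWindow, newUnderK2, oldAfterWindow error) {
	const day = 86_400
	t0 := int64(1_700_000_000)
	ring := NewKeyRing()
	body := []byte(`{"schema_version":1,"tenant_id":"tenant-a","kind":"intent_created"}`) // constructed
	if err := ring.Rotate("ledger-k1", t0, 0); err != nil {
		return err, err, err
	}
	id1, sig1, _ := ring.Sign(body)
	if err := ring.Rotate("ledger-k2", t0+10*day, 30*day); err != nil {
		return err, err, err
	}
	id2, sig2, _ := ring.Sign(body)
	oldInsideWindow = ring.Verify(id1, body, sig1, t0+20*day) // k1 retires at t0+40d
	newUnderK2 = ring.Verify(id2, body, sig2, t0+20*day)
	oldAfterWindow = ring.Verify(id1, body, sig1, t0+50*day)
	return
}

func main() { fmt.Println(Demo()) }
```

The key id travels with each signature so a verifier can select the right generation; in the audit bundles above, the signing-key lineage carried by the proof files serves the same purpose for offline review. Separate rings would be kept for the Harbor ledger key, the Signal receipt keys, and the Gateway audit-export key, so that rotating one never affects verification of the others.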
Backup and DR
- Back up the ledger store and Harbor intent store together so provenance and settlement references stay consistent.
- Validate the ledger tip before resuming normal traffic after a restore or recovery event.