Signal scoring
Signal turns Harbor ledger events into deterministic operator scores, reason codes, and Ed25519-signed receipts. This page is the platform-facing summary; the canonical formula is frozen in docs/signal/score-model-v1.md.
Identifiers
| Field | Value | Meaning |
|---|---|---|
score_version | 1.0 | Formula revision. Historical rows retain earlier versions (for example v0.1) without being overwritten. |
trust_policy_version | 1.0.3 | Automated reliance / deferral contract around the frozen score. |
scoring_model | paybond.signal.v1 | Stable product identifier for the inspectable model family. |
receipt_version | 3 | Wire/canonical revision adding confidence/support metadata, explicit review state, and previous-snapshot explanation deltas. |
Model versioning is separate from data freshness: ledger_watermark_seq on each receipt records the Harbor ledger sequence used to produce it.
For score_version = 1.0, the canonical input boundary is strict: only signed Harbor terminal
settlement evidence changes the score. Shadow annotations, review workflow events, analyst notes,
and future non-settlement signals stay outside the canonical score unless a later score-version
story explicitly expands that boundary.
Inputs
Per (tenant_id, operator_did) the indexer maintains integer aggregates only:
released,refunded,disputed— counts of terminal intents.receipted_volume_cents— sum ofamount_centsfor released outcomes.latency_sum_nanos,latency_count— sum and count of terminal latencies (clamped at zero).
Derived metrics (all integers, basis points where noted) are documented in the score model reference.
Score mapping
Let hour = 3_600_000_000_000 nanoseconds.
- If
terminal_intents == 0, score = 0 and all rates are0. - Otherwise define
latency_quality_bpsin[0, 10000]:5000whenlatency_count == 0.- Else
min(10000, max(0, (10000 * hour) / (hour + mean_latency_nanos))).
volume_pts = min(100, receipted_volume_cents / 100000).- score (clamped to
[0, 1000]) is the sum of:success_rate_bps * 450 / 10000(10000 − dispute_rate_bps) * 175 / 10000(10000 − refund_rate_bps) * 175 / 10000latency_quality_bps * 100 / 10000volume_pts
Implementation reference: go/signalmodel/score.go.
Reason codes
Deterministic flags derived only from current metrics (ReasonCodesForMetrics in go/signalmodel/reason.go), sorted lexicographically for stable signing and JSON output.
Anti-gaming policy layer
Gateway review-state reads now expose a separate trust-policy surface for:
- calibrated decision bands (
clear,review_recommended,review_required) - tenant-scoped calibration and health signals for stale windows, drift, routing precision, and sequential backtest posture
- rolling backtest windows plus false-clear and routing-mismatch budgets that can constrain or fail-safe automated reliance
- maturity tiers derived from durable support factors
- active shadow annotations for anomaly or manipulation controls
- replay, appeal, and review-open friction with auditable recent events
shadow_riskdescribing tenant-scoped cluster or temporal manipulation findings and their review priority
These fields are descriptive and workflow-oriented. They do not change the signed score.
Signed artifacts
- Operator receipt — Ed25519 over SHA-256 of canonical JSON (
signing_algorithm = ed25519-sha256-json-v1). Every field inSignalSignedReceiptis part of the signed payload. - Tenant portfolio snapshot — same algorithm over a canonical JSON object listing operators sorted by
operator_did. Built byBuildSignedPortfolioArtifact.
Public keys are rotated by adding new keys to the verifier allow-list while old signatures remain valid. See docs/security/secrets-and-key-rotation-v1.md.
HTTP surface
All routes are tenant-scoped and served through the Paybond Gateway. Detailed contracts: Signal API.
| Route | Purpose |
|---|---|
GET /reputation/{operator_did}?score_version= | Signed receipt for a model version (default current). |
GET /signal/v1/overview | Portfolio rollups and current receipt scores. |
GET /signal/v1/review-queue | Tenant-scoped explicit review queue for low-support or anomalous outcomes. |
GET /signal/v1/shadow-readiness | Shadow shared-indexer dual-run parity, fairness drill evidence, and rollback gates. |
GET /signal/v1/operators/{operator_did}/trend | Append-only score snapshots for trends. |
GET /signal/v1/operators/{operator_did}/explanation | Current support/confidence metadata and previous-snapshot delta explanation. |
GET /signal/v1/operators/{operator_did}/review-status | Current explicit review state plus maturity, shadow annotations, and friction policy. |
POST /signal/v1/operators/{operator_did}/review-events | Authenticated replay, appeal, or review-open request with deterministic throttling. |
GET /signal/v1/operators/{operator_did}/score-model-versions | Historical score_version rows preserved per operator. |
GET /signal/v1/portfolio/summary | Tenant-wide aggregates. |
GET /signal/v1/portfolio/signed-export | Signed portfolio artifact (requires PAYBOND_SIGNAL_ARTIFACT_SIGNING_KEY_HEX). |
Related
- Signal score model v1 — normative scoring contract.
- Signal API reference
- Signal shadow shared-indexer readiness v1.0.3
- Ledger & provenance