Paybond Signal turns signed Harbor settlement history into a deterministic, tenant-scoped standing score for each operator. The result is a score, supporting metrics, reason codes, and a signed receipt that can be used in dashboards, audit workflows, partner reviews, and portfolio exports.
What Signal scoring is for
Signal is designed to answer a narrow question: based on completed Paybond intents, how reliably has this operator performed for this tenant?
The current scoring contract is intentionally conservative:
- It uses only signed Harbor terminal settlement evidence.
- It produces the same result from the same ledger history every time.
- It preserves historical results through explicit model versioning.
- It keeps review and risk controls separate from the canonical score.
That makes Signal suitable for customer-facing explanations, partner trust workflows, and long-lived audit records.
What goes into a score
For each (tenant_id, operator_did), Signal evaluates ingested Harbor outcome history and derives a score from a small set of outcome-driven inputs:
| Input | What it represents |
|---|---|
| Released intents | Completed intents that ended in release to the payee. |
| Refunded intents | Completed intents that ended in refund to the principal. |
| Disputed intents | Intents that Harbor froze into dispute review. In Signal v1, the first ingested Harbor outcome row for an intent is counted once. |
| Released volume | Confirmed released value associated with successful outcomes. |
| Settlement latency | Time from intent creation to terminal settlement. |
From those inputs, Signal derives rates such as success, refund, and dispute frequency. The current model then maps those metrics to a score from 0 to 1000.
If an operator has no terminal history yet, Signal returns a score of 0. In that case, the score means "not yet established in this model," not "known bad actor."
How to interpret the score
Higher scores generally reflect stronger settlement performance: more released outcomes, fewer refunds and disputes, faster time to terminal resolution, and more confirmed released volume.
Lower scores usually mean one or more of the following:
- terminal history is still sparse
- refund or dispute rates are elevated
- terminal outcomes are taking longer to complete
- released volume is still limited
Every signed receipt also carries supporting metrics and deterministic reason codes so an operator, reviewer, or partner can understand why a score looks the way it does or why it changed. Gateway dispute-case statuses such as split resolution or external escalation can appear in review workflows, but they do not silently rewrite the signed score.
What does not change the score
The current model (score_version = 1.0) is intentionally narrow. The following may influence review posture, support decisions, or workflow routing, but they do not silently rewrite the signed score:
- analyst notes
- review-open, replay, or appeal events
- shadow annotations or anomaly flags
- future non-settlement signals introduced outside the current score contract
This separation is deliberate. Teams can tighten operational controls without changing the historical scoring record.
Signed receipts and exports
Signal produces two portable artifacts:
- Operator receipt: a signed snapshot for one operator, including score, metrics, reason codes, model version, and
ledger_watermark_seq, which identifies the Harbor ledger position used to build the receipt. - Tenant portfolio export: a signed snapshot of the tenant's current operator scores and receipt digests.
These artifacts are designed to be verifiable and stable over time. Paybond signs them with the active Signal signing keys and keeps historical signatures verifiable during the normal key-rotation window.
Signal artifacts are private to the tenant. Paybond does not expose a public cross-tenant reputation feed or public leaderboard from this scoring surface.
Review posture and trust policy
Signal keeps the signed score separate from operational trust policy. Through Gateway, Paybond can expose additional decision-support surfaces such as:
- review state and decision bands
- support and confidence indicators
- explanation deltas between score snapshots
- maturity and assurance posture
- shadow-risk annotations
- first-class fraud signals with
affects_score=false - tenant-configurable critical-signal release gating after fraud metrics are reliable
- replay, appeal, and review-open controls
These surfaces help teams decide when to clear, defer, or manually review an operator. They do not reweight the signed score for score_version = 1.0.
Current contract versions
| Contract | Current value | Purpose |
|---|---|---|
score_version | 1.0 | Version of the scoring formula. |
scoring_model | paybond.signal.v1 | Stable identifier for the Signal scoring family. |
receipt_version | 3 | Current signed receipt format. |
trust_policy_version | 1.0.3 | Version of the review and automated-reliance policy layered around the score. |
fraud_signal_version | 1.0.7 | Version of score-neutral settlement-abuse indicators and optional release-gate metadata surfaced for review. |
Model versioning is separate from freshness. ledger_watermark_seq on each receipt tells you which Harbor ledger position was used when the receipt was generated.
API surface
All Signal routes are served through the Paybond Gateway and scoped to the authenticated tenant. For full request and response contracts, see the Signal API reference.
| Route | Purpose |
|---|---|
GET /reputation/{operator_did}?score_version= | Retrieve the signed receipt for one operator. |
GET /signal/v1/overview | View tenant-wide portfolio rollups and current operator scores. |
GET /signal/v1/operators/{operator_did}/trend | Inspect append-only score history for one operator. |
GET /signal/v1/operators/{operator_did}/explanation | See current support, confidence, and score-change explanation data. |
GET /signal/v1/operators/{operator_did}/review-status | Inspect the current review and trust-policy posture for one operator. |
GET /signal/v1/review-queue | List operators that need explicit tenant-scoped review. |
GET /signal/v1/fraud-signals | List active score-neutral settlement-abuse indicators. |
GET /signal/v1/fraud/metrics | Inspect tenant fraud backtesting, monitoring metrics, and release-gate reliability. |
GET/PUT /signal/v1/fraud/release-gate | Read or update the tenant release-gate mode. Default is review_only; critical_hold waits for fresh tenant metrics plus signal-family labels before holding release. |
POST /signal/v1/operators/{operator_did}/review-events | Request replay, appeal, or review-open actions. |
GET /signal/v1/operators/{operator_did}/score-model-versions | View preserved historical score versions for one operator. |
GET /signal/v1/fairness | Inspect tenant-scoped processing and fairness posture for the current assignment slice. |
GET /signal/v1/shadow-readiness | Inspect advanced shadow-readiness evidence for operational review. |
GET /signal/v1/portfolio/summary | Retrieve tenant-wide score and volume aggregates. |
GET /signal/v1/portfolio/signed-export | Export a signed tenant portfolio artifact. |
GET /audit | Trace tenant-scoped Signal provenance back to Harbor intent records. |