Source artifacts
- moral_trade_feature_audit_markdown: hash blocked
- moral_trade_feature_audit_pdf: hash blocked
Core protocol
The core feature now publishes its required proposal fields, review statuses, guardrails, evidence schemas, factor codes, and provenance model as a validator-backed profile.
Document coverage contract
The source Markdown and PDF are hash-checked, and the report testing plan is now mapped as schema, policy, evidence, privacy, fairness, UX, and resilience coverage before any broad completion claim is made.
Document coverage moral-trade-document-coverage-v0.8-2026-06
64 check(s), 2 source document(s), 7 testing-plan layer(s), 29 implementation phrase gate(s).
13 source family mappings connect Ord, product commitments, due diligence, provenance, AI governance, and HCI guidance to code and public routes.
Public readiness matrix
The build instruction lists the required public contract routes. This matrix keeps the user-facing spec aligned with that list so transparency, private-overlap guardrails, privacy, operations, and evaluation evidence are not hidden behind scattered JSON links.
Canonical public contracts
All canonical public contract routes have a visible readiness row.
This matrix is repository validation evidence. It does not claim production liquidity, legal or tax treatment, payment custody, zero security risk, or objective moral endorsement.
Public contract
This mirrors the MPGF validator posture for the core moral-trade workflow: a proposal is not merely prose; it is a record with required fields, review states, explicit rejection rules, and provenance-bearing evidence.
Data model contract
The audit named the core Moral Trade objects explicitly: participants, profiles, offers, source notes, saved searches, privacy grants, evidence records, disputes, payment updates, notifications, and agreement events. This contract makes those entities inspectable and binds them to public privacy and relationship boundaries.
Data model moral-trade-data-model-v0.1.7-2026-06
10 check(s), 0 blocker(s), 58 entity contract(s).
identity
A participant appears publicly only through opted-in profile or offer preview fields.
4 required field(s).
profile
Shows broad previews and chosen visibility only; exact wishes, contact details, private source notes, and sensitive constraints stay out.
5 required field(s).
profile
Never public by default; fields can be summarized only through broad previews or explicit privacy grants.
6 required field(s).
privacy
Publishes only the selected visibility level, not the hidden profile fields behind it.
6 required field(s).
privacy
Stores consent scope, import mode, and manual summaries only; raw private feeds are not ingested or searched.
7 required field(s).
privacy
Only coarse source summaries may be disclosed through a valid purpose-bound grant; raw notes remain private.
6 required field(s).
profile
Stores deterministic clarification state for the participant only; it does not publish exact wishes, contact details, private answer text, or live public-preview changes.
8 required field(s).
profile
Answer text remains private and encrypted; analytics and match cards receive field keys, option counts, and length buckets rather than exact wishes or source notes.
7 required field(s).
profile
Stores private fluent-composer workflow state only; natural-language wish text is encrypted in messages, exact wishes stay out of public previews, and matching cannot change until a proposal is explicitly applied.
5 required field(s).
profile
Message bodies are encrypted private inputs for schema-bound proposals; analytics, public previews, and notifications never receive raw dialogue text or exact wishes.
7 required field(s).
profile
Stores schema-bound broad field proposals and uncertainty flags only; exact wishes, contact details, raw notes, and protected-trait inferences are rejected before apply.
7 required field(s).
privacy
Stores only a reviewed summary with raw ingestion disabled; raw private feeds, exact requests, contacts, and source notes stay out of public previews and analytics.
9 required field(s).
operations
Queues reviewed-summary sync work for a viewer-owned source connection; raw private feeds and source payloads are not stored, and revocation cancels queued or retrying jobs.
8 required field(s).
matching
Derived signals are viewer-owned matching inputs and expose only broad field keys or counts; revoked, expired, or stale source notes stop influencing matching.
9 required field(s).
matching
Search terms, offer browse filters, and notification choices remain viewer-owned; public search returns broad previews only.
9 required field(s).
proposal
A public taxonomy for pledge swaps, donation offsets, paid actions, and public-good commitments.
4 required field(s).
proposal
Public offers expose only reviewed or preview-safe terms and must not imply escrow, legal enforceability, tax treatment, or objective moral endorsement.
12 required field(s).
agreement
Pledge-swap public exposure is limited to reviewed or preview-safe terms and aggregate status; private evidence, contact details, consideration internals, and reviewer notes stay out of public reports.
7 required field(s).
agreement
Purchase-envelope records expose only public or aggregate status allowed by the visibility policy; private settlement, payment, provider, and participant evidence details are not public.
7 required field(s).
agreement
Participant action commitments reveal only public-safe action status and timing where policy allows; private evidence, contact context, and reviewer notes stay review-scoped.
7 required field(s).
review
Policy evaluation traces support auditability for private review and payment-impact decisions; public reports expose only redacted or aggregate trace summaries.
7 required field(s).
proposal
The no-trade baseline is reviewable and challengeable; sensitive details can be summarized or redacted.
6 required field(s).
evidence
Claims disclose only scoped summaries and confidence; artifacts and private locators stay behind review controls.
7 required field(s).
profile
Private estimate of future pledge-swap completion and evidence reliability; it is not public social proof, a public scoring surface, or a reputation market.
7 required field(s).
review
Append-only private credibility update with non-sensitive participant-visible reasons and correction or appeal events instead of mutable history.
10 required field(s).
evidence
Private, revocable, expiring invite that reveals only action type, action window, participant context, and the testimonial request to the invited friend.
7 required field(s).
evidence
Private third-party evidence by default. Raw testimony, friend identity, relationship context, concern notes, and anti-fraud notes are not shown to funders or public reports.
12 required field(s).
review
Reviewer-scoped weighting record that can produce only coarse participant or aggregate summaries.
9 required field(s).
evidence
Private meal-context evidence for optional pledge-swap verification. Public reports may expose only coarse reviewed meal-context use and must suppress cafeteria names, schedules, witness names, relationship details, raw testimony, and private context.
12 required field(s).
evidence
Private baseline, co-diner/direct-observer, or schedule-constraint testimony. Raw basis text, witness identity, relationship details, venue names, pressure reports, and side-payment concerns are never shown to funders or public reports.
9 required field(s).
review
Reviewer-scoped scorecard for meal-context evidence. Material use can affect verification confidence or additionality only through the frozen policy and cannot retroactively reduce fixed consideration.
18 required field(s).
review
Append-only private update to a testimonial provider's credibility. It is visible through private correction or appeal paths, not public social proof.
9 required field(s).
review
Private correction path for material adverse credibility effects. Public reports do not expose individual credibility appeal details.
6 required field(s).
payment
Frozen policy for optional capped testimonial integrity stakes. Default requires no monetary stake and negative or concern testimony is free.
8 required field(s).
evidence
Artifacts require hashes, scope alignment, and redaction levels before any public reasoning summary references them.
7 required field(s).
provenance
External charities, payment providers, registries, or supplier-like records expose only stable redacted identifiers after registry or reviewer confirmation.
8 required field(s).
provenance
What/where/why event records include explicit what happened, who touched it, and when answers for payment, charity-routing, or external-evidence audits; raw artifacts and private provider payloads remain redacted.
14 required field(s).
provenance
Activities link submitted, reviewed, and changed records to agents; public summaries omit raw private wishes, contact details, and source notes.
8 required field(s).
provenance
Participants, counterparties, reviewers, operators, and providers are represented by scoped agent records; public labels require explicit redaction review.
7 required field(s).
provenance
Reliance-bearing status changes require immutable event hashes, agent links, and explicit what happened, who touched it, and when answers; public exposure is limited to redacted status evidence.
10 required field(s).
review
Only a narrow public reasoning summary is exposed when safe; private notes and source notes are redacted.
9 required field(s).
review
Challenges target specific claims, evidence rows, baselines, disclosure decisions, or policy flags.
7 required field(s).
review
Appeals do not reopen unrelated moral disagreements and cannot resolve disputes without human review.
7 required field(s).
review
Dispute status may be public; private evidence and affected-party details remain review-scoped.
6 required field(s).
privacy
Field-level, purpose-bound, stage-bound grants disclose only approved fields and never mutate from public contract reads.
9 required field(s).
matching
Uses broad previews, privacy policy ids, disclosure stages, and factor codes; exact wishes, source notes, and contact details stay hidden until consent.
11 required field(s).
matching
Shows a participant-owned broad card with factor codes and hidden-field notices; exact wishes, private asks, contact details, and source notes stay in the dashboard until consent.
10 required field(s).
operations
Stores queued helper work and a hashed query fingerprint only; helper runs may prepare opportunity briefs and generic notifications but cannot send autonomous outreach.
9 required field(s).
operations
Stores closed-code relevance feedback and report reasons for private operations; public transparency uses only thresholded counts and generic labels.
7 required field(s).
matching
Captures a reviewed next-step request and never sends autonomous outreach or contact details; exact private fields require operator review and consent grants.
8 required field(s).
privacy
Stores blinded exact-tag tokens only; raw tags, canonical tags, free text, exact wishes, and contact details are forbidden.
7 required field(s).
privacy
Records only a bucketed overlap result and receipt id after governance gates; public exposure is redacted, and raw matching tags or counterparty tag sets are never exposed.
8 required field(s).
provenance
Participant-visible append-only receipt metadata uses redacted payloads and hash chaining; exact wishes, source notes, contact details, and raw tags are excluded.
7 required field(s).
review
Operator review queue records stay review-scoped; public reporting exposes only aggregate appeal, decline, review-time, and SLA counts without notes, contacts, or private source details.
8 required field(s).
operations
Notification copy remains generic and omits exact wishes, contact details, source notes, and sensitive constraints.
6 required field(s).
payment
Records can reference provider events but do not claim escrow, custody, tax, investment, or legal advice.
7 required field(s).
payment
Status updates are evidence inputs, not automatic reviewed completion or custody guarantees.
6 required field(s).
provenance
Immutable event records support auditability; public summaries are redacted and status-scoped.
7 required field(s).
Policy bundle contract
The audit recommends a strict input bundle for any drafting or reviewer-summary assistance. This contract publishes the policy registry, prohibited-pattern registry, factor-code dictionary, verification-method taxonomy, redaction policy, already submitted evidence metadata boundary, and fixed verification loop used before any draft can be treated as matchable.
Policy bundle moral-trade-policy-bundle-v0.1-2026-05
9 check(s), 0 blocker(s), 5 prohibited pattern code(s).
The copilot review route accepts only redacted metadata for already submitted evidence. Raw artifacts, private notes, contact details, and exact wishes are rejected before they can enter a reviewer-summary packet.
schema_completeness
Blocks matchable status until resolved.
anti_threat
Blocks matchable status until resolved.
baseline_credibility
Blocks matchable status until resolved.
evidence_sufficiency
Blocks matchable status until resolved.
externality_trigger
Routes, explains, or records without granting reliance.
privacy_redaction
Blocks matchable status until resolved.
match_explanation
Routes, explains, or records without granting reliance.
human_review_routing
Routes, explains, or records without granting reliance.
Release gate contract
Moraltrade60 requires policy snapshots, state interpretation, feature flags, and release-gate requirement results to be reviewable subjects. This contract makes missing, stale, unknown, under-review, or mutable states block launch unless a frozen policy snapshot explicitly marks a control not required for the current stage.
Release gates moral-trade-release-gates-v0.3-2026-06
10 check(s), 0 blocker(s), 9 first-class record table(s).
Missing, unknown, stale, under-review, superseded, unmapped, or mutable states block payable, releasable, reliance-bearing, privacy-disclosing, public-metric, and release-gate transitions unless a frozen policy snapshot explicitly marks the requirement not required for that release stage.
calculation
A deterministic dry-run calculation, input bundle hash, excluded-record list, and replay evidence exist before stage promotion.
evidence
Route health, public contract metadata, and baseline response shape are current for the requested release stage.
privacy
Privacy Review must resolve to a current first-class release_gate_requirement_result or frozen equivalent before this release gate can pass.
safety
Anti Threat Review must resolve to a current first-class release_gate_requirement_result or frozen equivalent before this release gate can pass.
payment
Payment/provider replay, stale snapshot, wrong-account, idempotency, and server-time tests pass before money can move.
review
Provider webhooks, third-party evidence feeds, identity checks, payment-rail checks, and destination-verification feeds are source-authenticated before they can change marketplace state.
review
Agreement, payment, evidence, dispute, and blocker state changes use append-only marketplace_state_event records; terminal states cannot be silently reopened.
evidence
Evidence Challenge Tests must resolve to a current first-class release_gate_requirement_result or frozen equivalent before this release gate can pass.
Participant confirmation contract
Moraltrade60 treats checkboxes and parent-object summaries as insufficient. This contract binds each confirmation to a participant, frozen baseline, terms snapshot, policy snapshot bundle, maximum exposure, notice state, consent-quality state, and exact scope before routing, clearing, capture, payout release, privacy disclosure, or material-term changes can proceed.
Participant confirmations moral-trade-participant-confirmations-v0.1-2026-06
8 check(s), 0 blocker(s), 2 first-class record table(s).
Participant eligibility contract
Moraltrade60 requires identity, human-uniqueness, legal-capacity, sanctions, payment-rail, jurisdiction, source-authentication, and private-artifact handling checks before real-money or reliance-bearing flow. The contract keeps raw identity artifacts private and prevents eligibility or Sybil signals from becoming public moral reputation.
Participant eligibility moral-trade-participant-eligibility-v0.1-2026-06
8 check(s), 0 blocker(s), 3 first-class record table(s).
Account security contract
Moraltrade60 says confirmations, payment-method changes, payout approvals, privacy grants, identity-artifact changes, and contact introductions cannot rely on an authenticated browser session alone. This contract makes frozen account-security policies and account-security events first-class blockers before money, reliance, private disclosure, or exposure increases can proceed.
Account security moral-trade-account-security-v0.1-2026-06
9 check(s), 0 blocker(s), 2 first-class record table(s).
Reviewer quality contract
Moraltrade60 treats reviewer judgment as a governed input, not an implicit approval source. This contract requires frozen reviewer-quality policy snapshots, type-specific authorization, conflict checks, calibration, second review where required, audit sampling, and explicit rejection of default approvals or speed-driven private-data disclosure.
Reviewer quality moral-trade-reviewer-quality-v0.1-2026-06
8 check(s), 0 blocker(s), 3 first-class record table(s).
Anti-enumeration contract
Moraltrade60 requires search, browse, preview generation, invite-link creation, match-candidate browsing, and transparency reporting to use frozen anti-enumeration policies. This contract binds those surfaces to stable query fingerprints, bucketed result counts, sparse-result suppression, timing-equalized responses where configured, discovery access-event logs, and repeated-probe audits without publishing raw query text, exact counts, private wishes, rare clusters, or exact constraints.
Anti-enumeration moral-trade-anti-enumeration-v0.1-2026-06
8 check(s), 0 blocker(s), 3 first-class record table(s).
Privacy-governance contract
Moraltrade60 requires exact wishes, contact details, sensitive constraints, raw source notes, and private evidence to move only through explicit, revocable privacy grants and audited access logs. This contract separates reviewer access, counterparty previews, contact introductions, evidence review, profile export, and redacted public publication, while keeping raw private artifacts, access paths, reviewer notes, and participant-specific access records out of the public contract surface.
Privacy governance moral-trade-privacy-governance-v0.1-2026-06
8 check(s), 0 blocker(s), 3 first-class record table(s).
Impact-claim contract
Moraltrade60 requires gross transferred amount, net recipient payout, sponsor leverage, moral-trade volume, outcome, cost-effectiveness, and moral-value claims to stay distinct. This contract makes impact claims first-class reviewed records with frozen methodology, claim-typed evidence, uncertainty disclosure, moderation, reviewer-quality checks, privileged publication approval, and audit/public-metric controls before public impact publication.
Impact claims moral-trade-impact-claims-v0.1-2026-06
8 check(s), 0 blocker(s), 2 first-class record table(s).
Matching-clearing contract
Moraltrade60 requires donation-offset batches, pledge-swap previews, broad match-candidate generation, and public-goods clearing to reference reproducible matching-clearing runs before any obligation is payable, reliance-bearing, or counted as complete. The contract also requires matched-trade lock proposals with exact terms, fresh final confirmations, ratio bounds, baseline snapshots, verified destinations, commitment reservations, and atomic settlement groups.
Matching clearing moral-trade-matching-clearing-v0.1-2026-06
10 check(s), 0 blocker(s), 1 execution record table(s).
Clearing preview contract
Moraltrade60 requires offset and pledge-swap previews to show the no-trade comparison, matched volume, ratio bounds, residual handling, commitment reservation, atomic settlement, destination verification, safety reviews, policy snapshots, final-lock confirmation state, and pledge performance terms where relevant. This contract keeps those previews non-capture and non-reliance-bearing until every required control is frozen and non-blocking.
Clearing previews moral-trade-clearing-preview-v0.15-2026-06
8 check(s), 0 blocker(s), 1 first-class record table(s).
Baseline-integrity contract
Moraltrade60 requires donation offsets, pledge swaps, broad match candidates, public-goods rounds, and post-lock amendments to separate action evidence, baseline good faith, confidence, baseline integrity, additionality, and externality review. This contract blocks clearable or reliance-bearing launch when a baseline was marketplace-created, marketplace-escalated, or triggered by counterparties after entering the marketplace.
Baseline integrity moral-trade-baseline-integrity-v0.1-2026-06
12 check(s), 0 blocker(s), 2 first-class record table(s), 1 enforcement table(s).
Authenticated baseline-integrity enforcement writes only owner-scoped append-only enforcement records. Enforcement records can prove pass or blocked gate status, but they cannot create clearable transitions, authorize payment, authorize reliance, or publish public metrics.
Agreement-amendment contract
Moraltrade60 requires post-lock material changes to use append-only agreement-amendment records, before/after terms hashes, policy-snapshot bundles, renewed confirmations from affected participants, notice, reviewer-quality checks, baseline-integrity checks, and neutral review when burdens or benefits shift. This contract blocks retroactive performance changes, evidence retyping, exposure increases, fund redirects, compensation changes, narrowed cancellation rights, and privacy or donor-of-record changes without the required controls.
Agreement amendments moral-trade-agreement-amendments-v0.1-2026-06
12 check(s), 0 blocker(s), 2 first-class record table(s), 1 enforcement table(s).
Authenticated agreement-amendment enforcement writes only owner-scoped append-only enforcement records. Enforcement records can prove pass or blocked gate status, but they cannot apply amendments, edit parent records, authorize material changes, authorize payment, authorize reliance, or publish public metrics.
Production readiness contract
Moraltrade60 requires account security, backup recovery, deployment configuration, migration safety, environment isolation, reconciliation, audit integrity, and data-security controls before high-risk transitions. This contract publishes the required record families and fail-closed statuses without exposing private operational evidence.
Production readiness moral-trade-production-readiness-v0.1-2026-06
7 check(s), 0 blocker(s), 17 first-class record table(s).
account_security
Password, email, MFA, session, payment-method, identity, and recovery risk events must be non-blocking before confirmations, capture, release, privacy disclosure, or exposure increases.
backup_recovery
Recoverability must preserve audit chains, key-version references, legal holds, redactions, and append-only state before release promotion or public money claims.
deployment_release
Code artifact, lockfile, environment configuration, provider account, payment mode, feature flags, and policy bundle must match the reviewed release record.
schema_migration
Migrations and backfills that can alter baselines, confirmations, evidence, ledgers, privacy grants, policy snapshots, reviewer decisions, payment state, or audit chains need dry-run hashes, count checks, and rollback or forward-fix evidence.
environment_data_isolation
Demo records, worked examples, sandbox provider events, synthetic identities, and dry-run allocation outputs must not count toward live thresholds, supporter counts, QF signal, payout totals, sponsor leverage, moral-trade volume, or completed agreements.
financial_reconciliation
Authorizations, captures, refunds, fees, sponsor funds, payout releases, provider settlement records, and internal ledger entries must reconcile before payout release, round close, or public money claims.
Recipient and destination contract
Moraltrade60 requires verified recipient registry entries and verified payment destinations before real-money or reliance-bearing transitions. This contract publishes the fail-closed review dimensions, table names, and transition rules while keeping raw bank details, wallet addresses, donation links, and reviewer notes out of the public surface.
Recipient destinations moral-trade-recipient-destination-v0.1-2026-06
7 check(s), 0 blocker(s), 3 first-class record table(s).
Recipient acceptance
Moraltrade68 requires recipient acceptance and adverse-association blocking before clearing previews become reliance-bearing. This contract publishes transition gates, visible recipient statuses, risk classes, and table names while excluding recipient private notes, donor private terms, raw adverse-association evidence, expanded recipient identities, private donor reasons, and reviewer notes.
Recipient acceptance moral-trade-recipient-acceptance-v0.1-2026-06
8 check(s), 0 blocker(s), 3 first-class record table(s).
Privacy boundary
Public surfaces may expose table names, status categories, transition rules, risk-class buckets, and sample statuses only. They must not expose recipient private notes, donor private terms, raw adverse-association evidence, expanded recipient identities, reviewer notes, private donor reasons, payment details, raw provider payloads, or participant-specific acceptance records.
AI preference elicitation
Moraltrade68 allows AI assistance for baselines, caps, side constraints, empirical assumptions, cause buckets, evidence preferences, fallback rules, and manual-review structure. The output must become user-edited structured input and be confirmed by a participant or reviewer before it can affect matching, clearing, disclosure, payment, public metrics, or release promotion.
AI preference elicitation moral-trade-ai-preference-elicitation-v0.1-2026-06
9 check(s), 0 blocker(s), 2 first-class record table(s).
Privacy boundary
Public surfaces may expose table names, scopes, transition rules, blocker categories, and sample statuses only. They must not expose raw prompts, raw AI outputs, hidden willingness-to-pay estimates, hidden negotiation moves, private participant notes, reviewer notes, private disclosure candidates, payment details, or participant-specific elicitation records.
Post-clear audit
Moraltrade68 requires privacy-safe post-clear audit sampling after completed non-public-goods pilots. The audit checks baselines, evidence, recipient acceptance, disclosure, payment state, classification, and term sheets against the frozen record without creating public moral reputation or retroactive obligations outside the locked term sheet.
Post-clear audit moral-trade-post-clear-audit-v0.1-2026-06
10 check(s), 0 blocker(s), 2 first-class record table(s).
Privacy boundary
Public surfaces may expose table names, subject types, audit types, match-state categories, transition rules, blocker categories, and sample statuses only. They must not expose raw payment evidence, private counterparty terms, reviewer notes, raw reconciliation rows, raw provider payloads, participant-specific audit rows, private evidence artifacts, or public moral reputation scores.
Subsidy governance
Moraltrade68 allows sponsor-funded non-public-goods subsidies only as governed bridge mechanisms for low-risk donation-offset tiers. The subsidy pool and schedule must freeze source review, conflict review, eligibility, caps, allocation schedule, public disclosure level, and refund or carry-forward handling before lock, payment, public metrics, or release promotion.
Subsidy governance moral-trade-non-public-goods-subsidy-v0.1-2026-06
9 check(s), 0 blocker(s), 2 first-class record table(s).
Metric exclusion
Subsidy dollars must be excluded from participant moral-trade volume, direct counted contribution, impact claims, and counterparty-distinctness metrics. They may be reported only as mechanism support under the frozen public disclosure policy.
Privacy boundary
Public subsidy surfaces may expose only coarse disclosure level, cap status, eligibility status, and aggregate mechanism-support amounts. Sponsor identity hashes, private source details, raw eligibility inputs, participant-specific subsidy rows, private sponsor terms, and reviewer notes stay private unless a separate privacy grant and disclosure policy authorize a bounded release.
Direct-pair clearing
Moraltrade68 allows a known or invite-linked counterparty path for low-liquidity donation-offset and pledge-swap previews. The direct-pair record must freeze the pair, terms, policy, confirmations, privacy grants, user-safety state, and ordinary lock/review/payment/privacy gates before lock, capture, public metrics, or release promotion can rely on it.
Direct-pair clearing moral-trade-direct-pair-clearing-v0.1-2026-06
9 check(s), 0 blocker(s), 1 first-class record table(s).
No autonomous outreach
Direct-pair mode may use a user-supplied known counterparty or invite-linked pair, but the platform must not perform autonomous outreach, scrape contacts, disclose contact details, or convert a broad preview into a contacted counterparty.
Privacy boundary
Public direct-pair surfaces may show only coarse direct-pair or batch mode, invitation/known-counterparty status, confirmation status, and ordinary-gate status. Counterparty identity, direct contact details, exact caps, private notes, private surplus estimates, source hashes, and reviewer notes stay private unless a frozen disclosure policy, privacy grant, user-safety review, and participant confirmation allow bounded disclosure.
Cause-bucket taxonomy
Moraltrade68 requires versioned, plural-reviewed buckets for offered causes, opposed causes, compromise destinations, action buckets, and counterparty buckets. Assignments cannot affect counterparty distinctness, classification, clearing, public metrics, or release gates when they are stale, disputed, protected-trait proxies, or inferred ideology or psychology labels.
Cause-bucket taxonomy moral-trade-cause-bucket-taxonomy-v0.1-2026-06
9 check(s), 0 blocker(s), 2 first-class record table(s).
Non-ranking rule
Cause buckets are coordination labels, not moral rankings, ideology labels, reputation scores, cause-price tables, or platform-endorsed moral value judgments.
Material change
A taxonomy change after preview is material when it can affect counterparty distinctness, trade classification, clearing ratio, clearing eligibility, or eligible counterparties; the trade then needs a renewed preview and participant confirmation before lock, clearing, payment, public metrics, or release promotion.
Privacy boundary
Public surfaces may show only coarse bucket codes, taxonomy version, public summary hash, and status categories. They must not expose participant identity hashes, raw private cause narratives, protected-trait facts, inferred ideology, inferred psychology, reviewer notes, or participant-specific assignment rows.
Resource compatibility
Moraltrade68 requires a resource-compatibility assessment before non-public-goods trades can lock, clear, capture, count publicly, or promote release gates. The assessment checks actions, donations, abstentions, destinations, timing, duties, and control claims for mutual feasibility, zero-sum relabeling, and third-party control conflicts.
Resource compatibility moral-trade-resource-compatibility-v0.1-2026-06
9 check(s), 0 blocker(s), 1 first-class record table(s).
Zero-sum conflict rule
A trade cannot clear merely because each party likes some part of it when the asserted gain comes from both parties claiming the same scarce control right, blocking each other's action, incompatible timing or destination, or relabeling a zero-sum conflict as a compromise.
Privacy boundary
Public surfaces may expose only coarse compatibility status categories, subject type, conflict class, and contract version. They must not expose participant identity hashes, private duties or constraints, private resource claims, reviewer notes, third-party control facts, raw side agreements, or participant-specific assessment rows.
Net-offset accounting
Moraltrade68 requires donation-offset volume to be net of the opposed action that was actually canceled or redirected. Before volume, completion, public metrics, or release promotion can count, the record must distinguish baseline opposed action, matched canceled amount, compromise transfer, sponsor or match amount, residual opposed action, substitution-channel status, and evidence standard.
Net-offset accounting moral-trade-net-offset-accounting-v0.1-2026-06
10 check(s), 0 blocker(s), 1 first-class record table(s).
Gross-volume exclusion
Gross compromise donations, sponsor matches, payment evidence, or public matched volume cannot count as moral-trade volume unless the baseline opposed action, matched canceled amount, residual opposed action, substitution-channel state, and evidence standard are recorded under immutable policy.
Privacy boundary
Public surfaces may expose coarse net-offset status and aggregate safe totals, but never participant identity hashes, private baseline details, substitution-channel details, private evidence, reviewer notes, or participant-specific accounting rows.
Offer validity
Moraltrade68 requires donation-offset and pledge-swap offers to expire or renew when baselines, empirical assumptions, evidence standards, payment methods, jurisdictions, destinations, or counterparty buckets become stale. Matching, lock, capture, reliance, public completion, and release promotion all fail closed without a current offer-validity record.
Offer validity moral-trade-offer-validity-v0.1-2026-06
8 check(s), 0 blocker(s), 1 first-class record table(s).
Validity-window rule
Counterfactual trust decays over time. Stale or expired baselines, empirical assumptions, evidence standards, payment methods, jurisdictions, destinations, or counterparty buckets require renewed preview and renewed participant confirmation before matching, lock, capture, reliance, public completion, or release promotion.
Private exchange-rate quotes
Moraltrade68 requires clearing ratios, side payments, counterpart volumes, and implied cause tradeoffs to remain participant-owned terms for a frozen proposal. Public surfaces may say a trade cleared within participant bounds, but cannot publish cause-price tables, moral exchange-rate charts, exact willingness-to-trade terms, or moral-value inferences from private quote records.
Private exchange-rate quotes moral-trade-private-exchange-rate-v0.1-2026-06
9 check(s), 0 blocker(s), 1 first-class record table(s).
Public non-price rule
Public surfaces may say that a trade cleared within each participant's stated bounds, but must not publish a cause-price table, moral exchange-rate chart, leaderboard, platform-endorsed effectiveness comparison, exact participant willingness-to-trade term, or inferred moral value from private quote terms.
Privacy boundary
Participants may see their own implied tradeoff and final ratio-bounds result. Counterparties and public pages receive only privacy-safe compatibility bands unless a narrower disclosure is explicitly granted; raw private quote terms, exact caps, reviewer notes, and participant identity hashes stay private.
Batch-clearing objective
Moraltrade68 requires donation-offset batch clearing to have a frozen objective, deterministic tie-break and fairness rule, and reproducible objective result. Scarce matches cannot be allocated by moral score, operator preference, public pressure, timestamp races, private-cap leakage, or database order.
Batch-clearing objective moral-trade-batch-clearing-objective-v0.1-2026-06
9 check(s), 0 blocker(s), 1 first-class record table(s).
Deterministic tie-break rule
Scarce matches must use a deterministic fairness rule such as seeded hash, pro-rata frozen capacity, or round-robin-by-hash over frozen input and excluded-record bundles.
Prohibited allocation rule
Matched volume alone cannot justify allocation. Scarce matches cannot be allocated by moral score, operator preference, public pressure, timestamp races, private-cap leakage, database order, protected traits, or hidden reviewer preference.
Sensitive-evidence attestations
Moraltrade68 requires sensitive evidence paths to support privacy-preserving verification attestations. Counterparties receive claim-typed results, uncertainty, scope, and challenge routes. Raw private artifacts require a current privacy grant and passed confidentiality review before broader disclosure, and public raw artifact disclosure is blocked.
Sensitive-evidence attestations moral-trade-sensitive-evidence-attestations-v0.1-2026-06
8 check(s), 0 blocker(s), 1 first-class record table(s).
Raw artifact disclosure rule
Raw private artifacts cannot be sent to counterparties unless disclosure mode is privacy_grant_broader_disclosure, the privacy grant is current, and confidentiality review has passed. Public raw artifact disclosure is always blocked.
Challenge route
Every counterparty-facing attestation names a scoped challenge route under /api/moral-trade/challenge-appeal so the recipient can dispute the claim type, uncertainty, or scope without receiving raw artifacts.
Pilot evidence gates
Moraltrade68 requires donation-offset and pledge-swap pilots to pass market simulation, red-team review, and pre-registered scale-up, pause, and rollback criteria before payable, reliance-bearing, public metric, capped real-money, or release-gate promotion. Matched volume alone cannot satisfy pilot success.
Pilot evidence gates moral-trade-pilot-evidence-v0.1-2026-06
8 check(s), 0 blocker(s), 1 first-class record table(s).
Matched-volume rule
Matched volume alone cannot satisfy pilot success; success metrics must include safety, privacy, dispute, comprehension, review-SLA, or rollback evidence.
Exit-criteria rule
Scale-up, pause, and rollback criteria must be pre-registered, hash-backed, reviewer-approved, and available before the promoted stage begins.
Noncompensable blocker contract
Moraltrade68 requires safety, legal, privacy, third-party-rights, reporting-integrity, civil-rights, confidentiality, regulated-goods, cyber-abuse, financial-crime, anti-threat, and process-integrity blockers to stay noncompensable unless frozen policy explicitly treats the protected interest as personally waivable and renewed confirmations are non-blocking. Side payments, higher donations, performance bonds, reciprocal favors, and private agreements cannot clear these blockers by themselves.
Noncompensable blockers moral-trade-noncompensable-blockers-v0.1-2026-06
9 check(s), 0 blocker(s), 1 first-class record table(s).
Personal waiver rule
A participant may waive only their own personally waivable protected interest when the frozen policy explicitly allows renewed confirmation, the renewed confirmation records are present, and all required review states are non-blocking. Nonparticipant, legal/regulatory, public-safety, truthful-reporting, civil-rights, confidentiality/privacy, institutional-process, digital-system-integrity, anti-threat, and other nonwaivable interests cannot be cleared by private waiver.
Compensation-attempt rule
A higher donation, side payment, performance bond, reciprocal favor, private agreement, or private waiver cannot convert a blocking state into a permissible trade by itself; any attempted compensation for a blocking control is itself a reviewable blocker signal.
Side-agreement disclosure contract
Moraltrade60 requires side agreements, compensation, reciprocal favors, authority claims, reporting restrictions, and collusion-relevant terms to be structured records rather than hidden notes. This contract publishes the subject types, review dimensions, fail-closed statuses, and privacy-safe public summary boundaries while keeping raw private details out of public surfaces.
Side agreements moral-trade-side-agreements-v0.2-2026-06
8 check(s), 0 blocker(s), 3 first-class record table(s).
Trade-classification contract
Moraltrade60 requires compensated moral-action agreements to be counted as mixed moral trade only when moral/prudential asymmetry explains the bargain, terms are frozen, and ordinary-service/procurement review is non-blocking. Ordinary donations, same-view matching, and ordinary procurement stay excluded from moral-trade-specific metrics.
Trade classification moral-trade-trade-classification-v0.2-2026-06
9 check(s), 0 blocker(s), 4 first-class record table(s).
The trade_classification value is an implementation guard, not a public moral status badge or objective ranking of moral worth.
Template-conformance contract
Moraltrade68 requires donation offsets, pledge swaps, compensated moral-action agreements, performance-bond conditions, and side agreements to stay template-bounded before lock, payment, reliance, or public metrics. The contract publishes table names and transition rules without exposing private terms, exact caps, free-text narratives, reviewer notes, payment details, or participant-specific template instance records.
Template conformance moral-trade-template-conformance-v0.1-2026-06
10 check(s), 0 blocker(s), 3 first-class record table(s).
Template-conformance public surfaces publish only template kinds, table names, transition rules, and aggregate sample statuses; they do not expose private terms, exact caps, free-text narratives, hidden counterparty data, reviewer notes, private wishes, payment details, or participant-specific template instance records.
Review-capacity contract
Moraltrade68 requires non-public-goods offers to stay preview-only, waitlisted, or expired when reviewer capacity is beyond policy, eligible reviewers or neutral panels are unavailable, visible user queue status is missing, or review delay would make baselines or payment authorizations stale.
Review capacity moral-trade-review-capacity-v0.1-2026-06
9 check(s), 0 blocker(s), 3 first-class record table(s).
Public review-capacity surfaces expose table names, status categories, policy subjects, transition requirements, and sample statuses only. They must not expose reviewer identities, conflict facts, private queue reasons, participant-specific queue records, baseline details, payment authorization details, reviewer notes, source evidence, contact details, or raw internal status copies.
Participant term-sheet contract
Moraltrade68 requires participant-term-sheet mismatch blocking, counterparty-disclosure-policy blocking, and clearing previews that surface participant term-sheet hashes, counterparty volume buckets, and staged-disclosure status without exposing raw counterparty identity, contact details, private wishes, exact constraints, hidden match reasoning, or reviewer notes.
Participant term sheets moral-trade-participant-term-sheet-v0.1-2026-06
9 check(s), 0 blocker(s), 3 first-class record table(s).
Public surfaces may expose table names, status categories, transition rules, counterparty volume buckets, and sample statuses only. They must not expose participant-specific term sheets, raw counterparty identities, contact details, private wishes, exact constraints, hidden match reasoning, source evidence, reviewer notes, payment details, or participant-specific disclosure records.
Protective assessments
Moraltrade60 requires donation offsets, pledge swaps, compensated moral actions, performance bonds, and side agreements to stay preview-only until protective assessment records are non-blocking, not required under a frozen policy, or explicitly neutral-review waived. The public contract publishes dimensions and statuses without revealing protected-trait facts, authority documents, private reports, credentials, source-of-funds evidence, reviewer notes, or participant records.
Protective assessments moral-trade-protective-assessments-v0.1-2026-06
6 check(s), 0 blocker(s), 5 first-class record table(s).
The public contract exposes only assessment dimensions, transition rules, table names, statuses, and synthetic sample outcomes. It never exposes protected-trait facts, authority documents, private reports, credentials, source-of-funds evidence, reviewer notes, raw evidence, or participant-specific assessment records.
User safety and content moderation
Moraltrade60 requires user-initiated contact, invite links, support messages, discussion surfaces, reviewer-visible notes, public copy, and impact-claim copy to resolve frozen user-safety and content-moderation policies before they can become public, reliance-bearing, payable, reviewer-actionable, profile-amplifying, or release-promoting. The contract separates prohibited-use moderation from moral ranking: it blocks illegal, coercive, deceptive, harassing, doxxing, cyber-abusive, exploitative, extremist-finance, spam, or otherwise prohibited use, not unpopular moral views.
Safety and moderation moral-trade-user-safety-content-moderation-v0.1-2026-06
7 check(s), 0 blocker(s), 5 first-class record table(s).
Public contract output never exposes raw reports, reporter identities, target identities, private messages, reviewer notes, protected-trait facts, contact details, raw evidence, exact rare-view clusters, or participant-specific safety/moderation records.
Financial settlement controls
Moraltrade60 requires real-money amounts to use explicit or frozen settlement currency, FX quotes to be snapshot-backed before previews and locks, and platform fees, FX spreads, and conversion fees to stay separate from moral-trade volume, threshold progress, QF signal, and recipient-impact claims. The contract also requires recorded material notices and server-time deadline records before a participant can lose rights, default out of a challenge window, or release a payout milestone.
Financial settlement moral-trade-financial-settlement-controls-v0.1-2026-06
7 check(s), 0 blocker(s), 10 first-class record table(s).
Public contract output never exposes payment credentials, raw provider settlement reports, raw FX provider payloads, private notice payloads, participant identities, exact bank or wallet details, reviewer notes, raw evidence, internal fee ledgers, participant-specific fee/FX/payment records, or participant-specific deadline records.
Validator evidence
Explanation layer
The match inbox turns those codes into participant-facing reason labels, trust badges, risk badges, and next safe actions so suggestions can be declined, reported, or moved toward consent without exposing exact wishes.
terms_complete
The action, reciprocal request, duration, exit rule, and verification method are present.
baseline_stated
The no-trade default is explicit enough for counterfactual review.
baseline_credibility
The no-trade default includes prior intent, history, dated support, or another reviewable counterfactual basis.
baseline_challenge_recommended
The baseline is stated but thin enough that reviewers should request prior-intent or past-behavior support before reliance.
evidence_rule_named
The draft names the receipt, log, attestation, provider record, audit, or manual review path.
participant_relative_scores
Importance scores are treated as user-stated thresholds, not platform rankings.
party_relative_benefit
The draft explains why each side is better off than the no-trade baseline using participant-relative priorities.
externality_review_required
The draft may affect unrepresented people, political-adjacent claims, incentives, or vulnerable parties.
privacy_safe_preview
Match explanations can use broad cause areas, format, verification preferences, and redaction notes.
human_review_required
A reviewer must inspect safety, evidence, baseline, externality, or disclosure concerns before reliance.
cause_area_overlap
A redacted match signal found broad cause-area overlap without exposing exact wishes or private text.
cause_area_complementarity
One side's broad offered cause area can satisfy the other side's broad requested cause area without exposing exact wishes.
trade_mode_compatible
Both redacted profiles support at least one compatible trade format.
verification_preference_compatible
Both redacted profiles support at least one compatible evidence or verification preference.
location_constraint_satisfied
Any declared city or region sensitivity is satisfied at a coarse, privacy-safe level.
privacy_stage_compatible
Both sides are still inside the same consent-gated disclosure stage.
stated_exclusions_clear
The redacted match signal did not find a conflict with either side's stated exclusions.
Match signal contract
The matching contract uses only broad cause areas, trade modes, verification preferences, location sensitivity, privacy stage, and stated exclusions. It never infers hidden preferences or authorizes disclosure, contact, reliance, or state changes.
Match signal moral-trade-match-signal-contract-v0.3-2026-06
9 check(s), 0 blocker(s), 9 factor code(s).
POST /api/moral-trade/match-signal/evaluate returns redacted factor codes, blockers, confidence band, participant explanation copy, redacted fields, and humanReviewRequired with stateMutation false.
You are seeing this suggestion because public cause areas, trade mode, and verification preferences are compatible. Exact wishes and contact details are still hidden.
Match invariant
Use only redacted profile fields: cause areas, trade modes, verification preferences, location sensitivity, privacy constraints, and stated exclusions.
Match invariant
Do not infer protected traits, ideology, psychology, hidden preferences, exact private wishes, raw notes, or contact details.
Match invariant
A matchable signal is only a preview and always requires human review before disclosure, contact, reliance, or state changes.
Match invariant
Factor codes must include cause overlap or complementarity, trade-mode compatibility, and verification compatibility before matchable status.
Match invariant
Privacy-safe preview requires compatible privacy stages, an explicit disclosure stage, a privacy policy id, and named redacted fields.
Challenge appeal contract
The challenge lane is now a validator-backed contract. It separates affected-party standing, duplicate proof, coercive baselines, wrong-scope evidence, privacy disclosure errors, externality remedy gaps, reviewer conflicts, and policy flags before any human-controlled state change.
Challenge appeal moral-trade-challenge-appeal-v0.3
15 check(s), 0 blocker(s), 2 first-class record table(s), 1 enforcement table(s).
POST /api/moral-trade/challenge-appeal/evaluate returns scoped factor codes, standing checks, required artifacts, privacy actions, provenance activity, and stateMutation false. Requested outcomes are advisory and must match the appeal trigger before reviewers can route them.
Adverse-decision correction reliance requires an authenticated append-only challenge-appeal enforcement record that evaluates frozen appeal policies and appeal cases; enforcement records cannot open appeals, correct records, allow reliance, waive safety blockers, reopen settled obligations, or publish public metrics.
Appeal invariant
Appeals target only the specific reviewed claim, evidence row, baseline concern, disclosure decision, externality trigger, completion state, or policy flag.
Appeal invariant
Appeals do not reopen unrelated moral disagreements by default and do not create platform-wide moral rankings.
Appeal invariant
Participant, counterparty, affected-party, reviewer, admin-safety, and external-verifier standing are explicit; affected-party standing needs a privacy-safe summary.
Appeal invariant
Adverse decisions with correction rights require first-class appeal cases with notice, deadline, scope hash, evidence scope, non-retaliation, and neutral-review fields.
Appeal invariant
Appeal cases do not silently reopen settled obligations, waive safety blockers, mutate parent records, or expose private details before redaction.
Appeal invariant
Externality remedy appeals must name the remedy gap before reliance, completion badges, or public reputation claims proceed.
Appeal invariant
Requested outcomes are advisory and must be compatible with the appeal trigger before reviewers can route them.
Appeal invariant
Private details, exact wishes, contact data, raw notes, and sensitive constraints are redacted before reviewer routing.
Appeal invariant
Every challenge or appeal packet names a provenance activity, traceability step, reason codes, and human reviewer scope.
Appeal invariant
Safety blocking, matching disclosure, reviewed completion, and dispute resolution remain human-controlled.
Disclosure grant contract
The privacy model is no longer only dashboard prose. Broad previews, exact wishes, source summaries, constraints, verification preferences, and contact details are mapped to explicit access levels, audience stages, redactions, owner approval, and non-mutating evaluation.
Disclosure grants moral-trade-disclosure-grants-v0.1
10 check(s), 0 blocker(s), 9 field boundary(s).
POST /api/moral-trade/disclosure/evaluate returns allowed fields, denied fields, privacy actions, expiry window, ownerApprovalRequired, and stateMutation false.
cause_areas
Broad cause areas and high-level interests only.
registry stage, max broad access.
exact_wish
The exact change someone hopes a counterparty might help with.
consent stage, max specific access.
exact_ask
The concrete ask being considered for this match.
consent stage, max specific access.
capabilities
Resources, skills, or commitments the profile owner says they can offer.
consent stage, max specific access.
constraints
Constraints that could rule out a proposal or require extra care.
consent stage, max specific access.
verification_preferences
Evidence or attestation preferences for a possible agreement.
consent stage, max specific access.
coarse_location
Coarse location only, never precise address or live location.
registry stage, max broad access.
source_summary
Manual source summaries, excluding raw notes and source payloads.
consent stage, max specific access.
contact_email
Contact details for a mutually approved introduction.
introduced stage, max contact access.
Review workflow contract
The report recommends replacing prose-heavy pages with instrumented workflow cards. This contract publishes the card keys, factor-code requirements, next-step rules, and non-ranking invariants used by offer details, worked examples, marketplace listings, and the homepage preview.
Review workflow moral-trade-review-workflow-v0.2-2026-06
13 check(s), 0 blocker(s), 6 card contract(s).
14 policy-enforced workflow step(s), 7 review-state outcome(s).
POST /api/moral-trade/review-workflow/evaluate returns deterministic workflow cards and marketplace factors with stateMutation false.
What would you do if this trade did not happen? Be concrete. Mention your current intention, prior behavior, or any evidence that makes your baseline credible.
Public blocker explanations publish reason categories, next actions, money and obligation effects, and bounded appeal or correction paths without raw review evidence.
current_status
Expose whether a record is live, example-only, blocked, or still under review.
action_evidence
Show whether each factual action claim has a named reviewable proof method.
baseline_confidence
Keep factual proof separate from the no-trade baseline and counterfactual trust problem.
externality_review
Name third-party harm, perverse-incentive, and unrepresented-value review before reliance.
participant_relative_scores
Display stated priorities without turning them into an objective platform ranking.
appeal_scope
Limit appeals to the claim, evidence row, baseline concern, disclosure decision, or policy flag under review.
Reasoning packet contract
Public packets are derived from canonical worked examples and expose only structured summaries, cited evidence rows, step-by-step decision gates, uncertainty flags, reviewer scope, factor codes, and the next human-controlled step. The packet route is validator-backed, supports the same public status filters as the Reasoning Center, and does not export live private offers.
Reasoning packets moral-trade-reasoning-packets-v0.3-2026-05
10 check(s), 0 blocker(s), 5 public packet(s).
The packet API accepts the same status facet as the Reasoning Center, for example /api/moral-trade/reasoning/packets?status=needs-evidence.
Packet invariant
Packets expose only structured summaries, cited evidence rows, uncertainty flags, reviewer scope, factor codes, and required next steps.
Packet invariant
Packets publish step-by-step decision gates with pass, needs_input, human_review, or blocked statuses before any public reliance.
Packet invariant
Packets must not expose chain-of-thought, private wish text, contact details, raw source notes, or autonomous outreach fields.
Packet invariant
Packets must preserve no_global_moral_ranking and participant-relative language.
Packet invariant
Packets are derived from canonical worked examples; live private offers are not exported.
Packet invariant
Every packet links to a worked example page and public contract sources.
Copilot contract
The copilot role is limited to drafting, critique, explanation, evidence checklists, and reviewer summaries. It cannot rank moral value, contact counterparties, consume raw private feeds, or change proposal state when output validation fails.
Contract moral-trade-copilot-v0.1.3-2026-06
12 check(s), 0 blocker(s), 8 fixed verification step(s).
validateMoralTradeCopilotOutput rejects matchable output unless every blocking verification step has status pass.
schema_completeness
Blocks matchable status until resolved.
anti_threat
Blocks matchable status until resolved.
baseline_credibility
Blocks matchable status until resolved.
evidence_sufficiency
Blocks matchable status until resolved.
externality_trigger
Routes or explains without changing state.
privacy_redaction
Blocks matchable status until resolved.
match_explanation
Routes or explains without changing state.
human_review_routing
Routes or explains without changing state.
Rollout readiness
Status pass; 4 required signal(s), 2 allowed task(s), 0 blocker(s).
Rollout readiness
Status blocked; 7 required signal(s), 3 allowed task(s), 3 blocker(s).
Rollout readiness
Status blocked; 8 required signal(s), 3 allowed task(s), 3 blocker(s).
Operations contract
The core feature now publishes the operating controls that were previously scattered across code and policy pages: security headers, private-cache rules, abuse throttles, privacy/session controls, email-outbox safety gates, retention lifecycle boundaries, observability metrics, safe fallbacks, and rollout gates.
Operations moral-trade-operations-v0.3-2026-05
8 check(s), 0 blocker(s), 9 operational test hook(s).
deterministic_manual_fallback
If copilot, provider, or evidence tooling fails, keep deterministic validation and manual review available.
invalid_copilot_output_no_state_change
Invalid or timed-out copilot output must not publish, match, disclose, or complete a proposal.
provider_timeout_no_state_change
Provider or payment/evidence timeouts remain pending or manual-review states.
unsafe_email_no_provider_send
Core Moral Trade email outbox rows with contact details, exact offer terms, payment amounts, agreement or payment identifiers, evidence, raw source notes, or private wish markers are marked suppressed before provider send.
replay_safe_state_transitions
State transitions should be idempotent, auditable, and safe to retry.
Performance contract
The report flagged repeated loading states, route failure recovery, and unspecified Web Vitals, API latency, cache, and bundle strategy. This profile turns those into public targets, privacy-safe telemetry boundaries, and release gates.
Performance moral-trade-performance-v0.4-2026-06
8 check(s), 1 blocker(s), 7 metric target(s), cadence weekly internal monthly public aggregate.
Status fail; 11/13 route(s) covered, recovery ratio 0.8462.
instrument_before_optimize
Do not claim performance readiness from design intent alone; publish measurement coverage first.
public_route_resilience
Do not expand public acquisition until core public routes have retry/recovery affordances and build-manifest coverage.
privacy_safe_telemetry
Do not store performance telemetry that includes raw private wishes, source notes, contact details, or unredacted query strings.
Performance non-claim
Moral Trade does not claim verified Core Web Vitals pass status until route-level samples are collected and published in aggregate.
Performance non-claim
Moral Trade does not claim all loading states are optimized; generic fallbacks are tracked as route-resilience debt.
Performance non-claim
Moral Trade does not claim production API latency targets are met without current server-timing or provider metrics.
Performance non-claim
Moral Trade does not claim performance telemetry can include raw private wishes, source notes, contact details, or unredacted query strings.
Security contract
The report flagged encryption details, 2FA, device/session review, key management, and abuse throttling as unspecified. This profile publishes what is implemented, what is a provider boundary, and what must be ready before sensitive scale.
Security moral-trade-security-v0.5-2026-06
7 check(s), 0 blocker(s), 3 scale gate(s).
Public non-claim
Moral Trade does not claim custom field-level encryption for every private Moral Trade table; background-networking sensitive text has a separate versioned keyring control.
Public non-claim
Moral Trade does not claim the app-level MFA/2FA admin gate replaces provider-console MFA, device inventory, session revocation, or key-rotation evidence.
Public non-claim
Moral Trade does not claim a completed key-rotation program until provider rotation records are published.
Public non-claim
Moral Trade does not claim 24/7 staffed security operations or zero incidents; incident summaries stay aggregate and privacy-redacted.
Public non-claim
Moral Trade does not claim zero security risk; public health endpoints expose blockers instead.
Incident response contract
The report flagged incident response as a scale prerequisite. This profile publishes the public incident lane: intake channels, severity SLAs, containment phases, affected-participant notices, aggregate public updates, validator backlog updates, and privacy-safe non-claims.
Incident response moral-trade-incident-response-v0.1-2026-05
9 check(s), 0 blocker(s), 3 readiness gate(s).
affected_participant_notice_required
SEV0 and SEV1 incidents require affected-participant notice unless doing so would increase harm or conflict with law.
public_aggregate_only
Public reporting uses counts, category, severity, status, and remediation class; raw private records stay redacted.
no_private_details_in_public_postmortem
Do not publish private wishes, source notes, exact contact details, payment secrets, hidden reviewer notes, or raw provider payloads.
validator_blockers_linked
If the incident exposed a contract gap, link the public blocker, test, or scale gate that now tracks the fix.
human_review_before_reopening
Affected matching, disclosure, completion, payment, or trust-badge paths reopen only after human review confirms containment.
Incident non-claim
Moral Trade does not claim 24/7 staffed security operations.
Incident non-claim
Moral Trade does not claim zero incidents or zero residual security risk.
Incident non-claim
Moral Trade does not publish raw private wishes, source notes, contact details, payment secrets, or provider payloads in public incident summaries.
Incident non-claim
Moral Trade does not treat incident-response publication as proof that MFA, device/session review, key rotation, or field-level encryption are complete.
Evaluation contract
The report recommends measuring whether protocol and copilot workflows actually help. This profile names the metrics, privacy boundaries, cohort slices, and promotion gates required before assisted workflow changes can scale.
Evaluation moral-trade-evaluation-v0.3-2026-05
7 check(s), 0 blocker(s), 13 metric(s), cadence monthly public aggregate.
Status pass; 20 eligible, 9 surfaced, overall rate 0.45; 2 reviewed deviation(s), 0 unreviewed.
Status pass; current period 2026-05, previous period 2026-04, blockers 0.
The validator includes a sample-audits check so fairness, UX, and workflow quality audit code must execute successfully before the evaluation contract reports pass. Material surfacing parity deviations need a redacted review-log entry before they count as reviewed.
Status pass; blocked precision 0.9167, false match rate 0.15, human overrule rate 0.2222, reason coverage 1.
shadow_mode
Collect metrics while copilot advice is ignored for live decisions.
assist_mode
Allow field prefill and factor-code suggestions only if privacy incidents stay at zero and overrule reasons are reviewed.
guarded_automation
Automate only missing-field detection, explanation rendering, and evidence-checklist drafting after public metrics meet or explain targets.
human_controlled_decisions
Safety blocking, matching disclosure, reviewed completion, and dispute resolution remain human controlled.
Externality contract
Externality review is not a vague warning label. Material triggers require affected-party standing, remediation paths, privacy-safe reporting, human approval, and relevant source standards before reliance.
Externality moral-trade-externality-v0.2-2026-05
7 check(s), 0 blocker(s), 8 trigger code(s).
unrepresented_third_party
Trigger review when a trade materially affects people who are not participants.
vulnerable_party_pressure
Trigger review when a paid action, disclosure, or pledge may pressure a vulnerable person or group.
political_or_campaign_adjacent
Trigger review for political-adjacent proposals and block direct campaign contribution offsets elsewhere.
paid_action_pressure
Trigger review when compensation could distort voluntariness, labor conditions, or baseline incentives.
labor_or_supply_chain
Trigger review when a proposal makes ethical-trade, sourcing, labor, or supplier claims.
recipient_or_destination_risk
Trigger review when money, action, or reputation flows to an organization with contested governance or harm risks.
environment_or_community_impact
Trigger review when a project may affect local communities, pollution, land, animals, or ecosystems.
perverse_incentive
Trigger review when the trade may reward newly escalated or strategically worsened behavior.
AI governance contract
The report says any move beyond deterministic rules must be documented with model cards, dataset datasheets, benchmark slices, fairness audits, and human-control gates. This profile keeps that requirement explicit before any ranking or scoring layer can be promoted.
AI governance moral-trade-ai-governance-v0.3-2026-06
11 check(s), 0 blocker(s), decisioning mode deterministic rules with schema bound copilot, 6 sample documentation packet(s).
schema_bound_drafting
Drafting may normalize user text into approved proposal fields without inventing facts or evidence.
missing_field_detection
Automation may flag missing required fields and ask clarification questions tied to those fields.
factor_code_explanation
Automation may render explanations only from deterministic factor codes and approved redaction rules.
evidence_checklist_drafting
Automation may draft checklists of observable artifacts without deciding that evidence is sufficient.
reviewer_summary_drafting
Automation may summarize records for reviewers while preserving uncertainty and unresolved flags.
API contract
The core Moral Trade API surface is now cataloged with method, auth posture, privacy class, schema names, rate-limit surface, cache behavior, and safe fallback rules.
API moral-trade-api-contract-v0.75-2026-06
31 check(s), 2 blocker(s), 183 route(s), 258 schema definition(s).
Schema registry moral-trade-schema-registry-v0.2-2026-05
9 check(s), 1 blocker(s), 12 public schema document(s), including the core data-model and public offer listing schemas; 8 public payload sample(s) checked, 0 sample failure(s).
Field-level schema
No request body or query contract beyond route path and auth context.
No body fields.
Field-level schema
Public collection query parameters for browsing live offers and worked examples without exposing private/personally scoped state.
Field-level schema
Public validator-backed collection payload for live offers and worked examples, including visible facets, default-tab behavior, non-claims, and public listing items.
Field-level schema
Public offer detail slug path for a live public offer id or worked-example slug.
Field-level schema
Validator-backed public detail payload for one live offer or worked example, with sign-in/consent-gated actions and non-claims.
Field-level schema
Public facet query parameters for the current tab/search scope without pagination.
moral_trade_health
Return ok:false with validator blockers; never silently claim readiness.
moral_trade_api_contract
Return API contract validator blockers, implementation audit, route catalog, schema definitions, privacy classes, and test hooks; never expose private participant records.
public_offers_collection
Return filtered worked-example and live listing payloads, visible facets, validator blockers, and zero-live guidance; never expose private wishes, contact details, raw evidence artifacts, personalized saved-offer state, or global moral ranking.
public_offer_detail
Return a validator-backed public listing detail or 404 blockers; never expose contact details, private wishes, raw evidence artifacts, personalized saved-offer state, or agreement formation claims.
public_offers_facets
Return positive-count public facets, current default-tab behavior, and validator blockers; never expose zero-count private-sensitive facets or personalized browse state.
saved_search_create
Require viewer authentication to store a saved search; unauthenticated requests return a sign-in draft without storage. Never expose private wishes, contact details, raw source notes, personalized saved-offer state, autonomous outreach, or platform moral ranking.
Provenance
This does not prove moral correctness. It does make each claim easier to audit: what artifact was submitted, what activity changed state, and which participant, reviewer, or provider was involved.
proposal_record, offer, agreement, evidence_artifact, external_entity_reference, review_decision, match_explanation, match_signal, traceability_event
draft_created, draft_updated, evidence_submitted, traceability_event_recorded, risk_screened, challenge_window_opened, review_completed
participant, counterparty, operator, external_reviewer, payment_or_evidence_provider
Evidence object contract
The provenance layer uses fixed object schemas so duplicate proof, wrong-scope evidence, stale artifacts, missing agents, external entity dedupe failures, and external payment or charity-routing events without what/where/why links can be caught, while state transitions carry immutable event hashes before any reviewed completion claim is published.
Provenance contract moral-trade-provenance-v0.3
6 check(s), 0 blocker(s), 1 synthetic traceability event(s).
1 artifact, 1 claim, 1 review decision, 3 agents.
9 owner-scoped table(s) persist artifacts, claims, agents, activities, external references, traceability events, and state transitions.
provenance_agent
owner_insert_public_or_owner_read
evidence_artifact
owner_insert_public_or_owner_read
evidence_claim
owner_insert_public_or_owner_read
evidence_claim
owner_insert_public_pair_read
external_entity_reference
owner_insert_public_or_owner_read
review_decision
owner_insert_public_or_owner_read
evidence_artifact
evidence_claim
external_entity_reference
review_decision
match_signal
traceability_event
state_transition_event_record
provenance_activity
provenance_agent