Source artifacts
- moral_trade_feature_audit_markdown: hash blocked
- moral_trade_feature_audit_pdf: hash blocked
Document coverage contract
The improvement report is mapped to validator evidence.
The source Markdown and PDF are hash-checked, and the report testing plan is now mapped as schema, policy, evidence, privacy, fairness, UX, and resilience coverage before any broad completion claim is made.
Document coverage moral-trade-document-coverage-v0.7-2026-05
Status fail
63 check(s), 2 source document(s), 7 testing-plan layer(s), 28 implementation phrase gate(s).
Testing plan coverage
- Schema tests
- Policy tests
- Evidence tests
- Privacy tests
- Fairness tests
- UX tests
- Resilience tests
Recommended source stack
12 source family mappings connect Ord, product commitments, due diligence, provenance, AI governance, and HCI guidance to code and public routes.
Requirement phrase gates
- Core data model and public validators: 3 phrase gate(s)
- Workflow cards and factor codes: 3 phrase gate(s)
- Provenance-first evidence objects: 4 phrase gate(s)
- Schema-bound copilot: 3 phrase gate(s)
- Privacy, matching, and disclosure guardrails: 3 phrase gate(s)
- Externality, challenge, and appeal review: 4 phrase gate(s)
- Evaluation, operations, security, and performance gates: 8 phrase gate(s)
Canonical gates
- node --import tsx --test src/lib/moral-trade/*.test.ts src/lib/background-ai-shadow.test.ts src/lib/background-networking.test.ts src/lib/background-notification-policy.test.ts src/lib/background-notifications.test.ts src/lib/background-privacy-controls.test.ts src/lib/background-explanations.test.ts src/lib/background-opportunity-briefs.test.ts src/lib/background-private-overlap.test.ts src/lib/wish-registry.test.ts src/lib/public-route-smoke.test.ts
- npm run lint
- git diff --check
- npm run build
Public readiness matrix
Every canonical contract route is visible before readiness is claimed.
The build instruction lists the required public contract routes. This matrix keeps the user-facing spec aligned with that list so transparency, private-overlap guardrails, privacy, operations, and evaluation evidence are not hidden behind scattered JSON links.
Canonical public contracts
18/22 route checks passing
All canonical public contract routes have a visible readiness row.
FamilyRouteStatusPublished evidence
Top-level readinessProtocol healthfail (61 blocker(s))21 canonical public route(s) cross-linked in one health surface.
Privacy and matchingMatch signalpass (0 blocker(s))9 approved factor code(s), preview-only stateMutation false.
Privacy and matchingDisclosure grantspass (0 blocker(s))9 field boundary(s), 6 search privacy control(s).
Privacy and matchingPrivate overlap guardrailpass (0 blocker(s))design review only; live endpoints remain blocked.
Challenge and remedyChallenge appealpass (0 blocker(s))8 appeal trigger(s), 6 standing category/categories.
This matrix is repository validation evidence. It does not claim production liquidity, legal or tax treatment, payment custody, zero security risk, or objective moral endorsement.
Public contract
Fields, states, and guardrails are inspectable.
This mirrors the MPGF validator posture for the core moral-trade workflow: a proposal is not merely prose; it is a record with required fields, review states, explicit rejection rules, and provenance-bearing evidence.
Required proposal fields
- Trade format
- Offered and requested cause areas
- Offered action
- Requested action
- No-trade baseline
- Duration or review period
- Exit, pause, expiry, or unresolved-evidence rule
- Verification method
- Public description and boundaries
Review statuses
draftsubmittedneeds clarificationneeds evidenceneeds human reviewchallenge windowcompletion revieweddisputed unresolvedblockedmatchable
Decision pipeline
- Schema completeness: needs clarification
- Anti-threat and prohibited-content screen: blocked
- Factual evidence readiness: needs evidence
- Counterfactual baseline credibility: needs human review
- Externality-review trigger: challenge window
- Privacy and redaction: needs human review
- Match explanation generation: needs human review
- Human-review routing: needs human review
State transitions
- draft -> needs_clarification, submitted, blocked
- needs clarification -> draft, submitted, blocked
- submitted -> needs_evidence, needs_human_review, challenge_window, matchable, blocked
- needs evidence -> submitted, needs_human_review, challenge_window, blocked
- needs human review -> needs_evidence, challenge_window, matchable, blocked
- challenge window -> needs_evidence, completion_reviewed, disputed_unresolved, blocked
- disputed unresolved -> challenge_window, completion_reviewed, blocked
- matchable -> needs_evidence, challenge_window, blocked
- completion reviewed -> disputed_unresolved, blocked
Guardrails
- No global moral ranking
- Anti-threat baseline
- No autonomous outreach
- Privacy redaction required
- Separate trust axes
Data model contract
Core entities, privacy classes, and relationships are validator-backed.
The audit named the core Moral Trade objects explicitly: participants, profiles, offers, source notes, saved searches, privacy grants, evidence records, disputes, payment updates, notifications, and agreement events. This contract makes those entities inspectable and binds them to public privacy and relationship boundaries.
Data model moral-trade-data-model-v0.1.5-2026-06
Status pass
10 check(s), 0 blocker(s), 27 entity contract(s).
Offer fields
- cause areas
- offered action
- requested action
- expected impact
- verification method
- duration
- exit conditions
- baseline statement
Privacy classes
- public contract
- public preview
- privacy thresholded public preview
- public or private by status
- private authenticated
- authenticated private
Relationship boundaries
- profile privacy boundary
- source note boundary
- match disclosure boundary
- review state boundary
- payment non custody boundary
Contract tests
- data model profile validator
- data model entity coverage
- data model profile json schema
- offer required field contract
- source note privacy boundary
- public data model contract route
- api contract data model route
- health data model smoke
- technical spec data model smoke
identity
Participant
A participant appears publicly only through opted-in profile or offer preview fields.
4 required field(s).
profile
Public profile
Shows broad previews and chosen visibility only; exact wishes, contact details, private source notes, and sensitive constraints stay out.
5 required field(s).
profile
Private wish profile
Never public by default; fields can be summarized only through broad previews or explicit privacy grants.
6 required field(s).
privacy
Profile visibility control
Publishes only the selected visibility level, not the hidden profile fields behind it.
6 required field(s).
privacy
Source connection
Stores consent scope, import mode, and manual summaries only; raw private feeds are not ingested or searched.
7 required field(s).
privacy
Source note
Only coarse source summaries may be disclosed through a valid purpose-bound grant; raw notes remain private.
6 required field(s).
matching
Saved search
Search terms, offer browse filters, and notification choices remain viewer-owned; public search returns broad previews only.
9 required field(s).
proposal
Trade format
A public taxonomy for pledge swaps, donation offsets, paid actions, and public-good commitments.
4 required field(s).
proposal
Offer
Public offers expose only reviewed or preview-safe terms and must not imply escrow, legal enforceability, tax treatment, or objective moral endorsement.
12 required field(s).
proposal
Baseline statement
The no-trade baseline is reviewable and challengeable; sensitive details can be summarized or redacted.
6 required field(s).
evidence
Evidence claim
Claims disclose only scoped summaries and confidence; artifacts and private locators stay behind review controls.
7 required field(s).
evidence
Artifact
Artifacts require hashes, scope alignment, and redaction levels before any public reasoning summary references them.
7 required field(s).
provenance
External entity reference
External charities, payment providers, registries, or supplier-like records expose only stable redacted identifiers after registry or reviewer confirmation.
8 required field(s).
provenance
Traceability event
What/where/why event records include explicit what happened, who touched it, and when answers for payment, charity-routing, or external-evidence audits; raw artifacts and private provider payloads remain redacted.
14 required field(s).
provenance
Provenance activity
Activities link submitted, reviewed, and changed records to agents; public summaries omit raw private wishes, contact details, and source notes.
8 required field(s).
provenance
Provenance agent
Participants, counterparties, reviewers, operators, and providers are represented by scoped agent records; public labels require explicit redaction review.
7 required field(s).
provenance
State transition event record
Reliance-bearing status changes require immutable event hashes, agent links, and explicit what happened, who touched it, and when answers; public exposure is limited to redacted status evidence.
10 required field(s).
review
Reviewer decision
Only a narrow public reasoning summary is exposed when safe; private notes and source notes are redacted.
9 required field(s).
review
Challenge
Challenges target specific claims, evidence rows, baselines, disclosure decisions, or policy flags.
7 required field(s).
review
Appeal
Appeals do not reopen unrelated moral disagreements and cannot resolve disputes without human review.
7 required field(s).
review
Dispute
Dispute status may be public; private evidence and affected-party details remain review-scoped.
6 required field(s).
privacy
Privacy grant
Field-level, purpose-bound, stage-bound grants disclose only approved fields and never mutate from public contract reads.
9 required field(s).
matching
Match suggestion
Uses broad previews, privacy policy ids, disclosure stages, and factor codes; exact wishes, source notes, and contact details stay hidden until consent.
11 required field(s).
operations
Notification
Notification copy remains generic and omits exact wishes, contact details, source notes, and sensitive constraints.
6 required field(s).
payment
Payment record
Records can reference provider events but do not claim escrow, custody, tax, investment, or legal advice.
7 required field(s).
payment
Payment update
Status updates are evidence inputs, not automatic reviewed completion or custody guarantees.
6 required field(s).
provenance
Agreement event
Immutable event records support auditability; public summaries are redacted and status-scoped.
7 required field(s).
Policy bundle contract
Copilot inputs are concrete registries, not broad application context.
The audit recommends a strict input bundle for any drafting or reviewer-summary assistance. This contract publishes the policy registry, prohibited-pattern registry, factor-code dictionary, verification-method taxonomy, redaction policy, already submitted evidence metadata boundary, and fixed verification loop used before any draft can be treated as matchable.
Policy bundle moral-trade-policy-bundle-v0.1-2026-05
Status pass
9 check(s), 0 blocker(s), 5 prohibited pattern code(s).
Strict input bundle
- structured draft
- policy registry
- prohibited pattern registry
- factor code dictionary
- verification method taxonomy
- redaction policy
- evidence metadata
- redacted profile pair
Prohibited patterns
- anti threat baseline
- prohibited illegal or fraud
- prohibited doxxing or harassment
- prohibited political campaign offset
- newly escalated harmful behavior
Evidence metadata boundary
The copilot review route accepts only redacted metadata for already submitted evidence. Raw artifacts, private notes, contact details, and exact wishes are rejected before they can enter a reviewer-summary packet.
Verification methods
- Receipt or provider record
- Public log
- Attestation
- Audit or external review
- Baseline artifact
- Payment event
- Manual review
Redaction policy
- exact private wishes
- contact details
- sensitive constraints
- raw profile notes
- protected traits
- ideology or psychology inferences
schema_completeness
Schema completeness check
Blocks matchable status until resolved.
anti_threat
Anti-threat / prohibited-content check
Blocks matchable status until resolved.
baseline_credibility
Baseline credibility check
Blocks matchable status until resolved.
evidence_sufficiency
Evidence sufficiency check
Blocks matchable status until resolved.
externality_trigger
Externality-review trigger check
Routes, explains, or records without granting reliance.
privacy_redaction
Privacy/redaction check
Blocks matchable status until resolved.
match_explanation
Match explanation generation
Routes, explains, or records without granting reliance.
human_review_routing
Human-review routing
Routes, explains, or records without granting reliance.
Validator evidence
Core checks run without hidden ranking or AI decisions.
CheckStatusEvidence
Required proposal fieldspass9 required field(s) published.
Review status valuespassdraft, submitted, needs_clarification, needs_evidence, needs_human_review, challenge_window, completion_reviewed, disputed_unresolved, blocked, matchable
Proposal state transition rulespass9 state transition rule(s) publish allowed edges, required checks, and provenance activities.
Proposed decision logic is public and signal-boundpassschema_completeness->needs_clarification, anti_threat_policy->blocked, factual_evidence_readiness->needs_evidence, counterfactual_baseline->needs_human_review, externality_review->challenge_window, privacy_redaction->needs_human_review, match_explanation->needs_human_review, human_review_routing->needs_human_review
Safety and privacy guardrailspass5 guardrail(s), including anti-threat and redaction rules.
Public factor-code explanationspass17 factor code(s) available for match and review explanations.
Evidence schemas by trade formatpasspledge_swap_v1, donation_offset_v1, paid_action_v1, public_good_commitment_v1
Provenance objectspass9 entities, 7 activities, 5 agents.
Provenance object schemaspass9 object schema(s) published for evidence and review provenance.
Provenance persistence tablespass9 append-only persistence table(s) map provenance object schemas to owner-scoped storage.
Quality and safety metricspass8 metric(s) published.
Explanation layer
Factor codes explain matches without private-text leakage.
The match inbox turns those codes into participant-facing reason labels, trust badges, risk badges, and next safe actions so suggestions can be declined, reported, or moved toward consent without exposing exact wishes.
terms_complete
Terms complete
The action, reciprocal request, duration, exit rule, and verification method are present.
baseline_stated
Baseline stated
The no-trade default is explicit enough for counterfactual review.
baseline_credibility
Baseline credibility
The no-trade default includes prior intent, history, dated support, or another reviewable counterfactual basis.
baseline_challenge_recommended
Baseline challenge recommended
The baseline is stated but thin enough that reviewers should request prior-intent or past-behavior support before reliance.
evidence_rule_named
Evidence rule named
The draft names the receipt, log, attestation, provider record, audit, or manual review path.
participant_relative_scores
Participant-relative scores
Importance scores are treated as user-stated thresholds, not platform rankings.
party_relative_benefit
Party-relative benefit
The draft explains why each side is better off than the no-trade baseline using participant-relative priorities.
externality_review_required
Externality review required
The draft may affect unrepresented people, political-adjacent claims, incentives, or vulnerable parties.
privacy_safe_preview
Privacy-safe preview
Match explanations can use broad cause areas, format, verification preferences, and redaction notes.
human_review_required
Human review required
A reviewer must inspect safety, evidence, baseline, externality, or disclosure concerns before reliance.
cause_area_overlap
Cause-area overlap
A redacted match signal found broad cause-area overlap without exposing exact wishes or private text.
cause_area_complementarity
Cause-area complementarity
One side's broad offered cause area can satisfy the other side's broad requested cause area without exposing exact wishes.
trade_mode_compatible
Trade-mode compatible
Both redacted profiles support at least one compatible trade format.
verification_preference_compatible
Verification preference compatible
Both redacted profiles support at least one compatible evidence or verification preference.
location_constraint_satisfied
Location constraint satisfied
Any declared city or region sensitivity is satisfied at a coarse, privacy-safe level.
privacy_stage_compatible
Privacy stage compatible
Both sides are still inside the same consent-gated disclosure stage.
stated_exclusions_clear
Stated exclusions clear
The redacted match signal did not find a conflict with either side's stated exclusions.
Match signal contract
Redacted profile matching is preview-only and human-reviewed.
The matching contract uses only broad cause areas, trade modes, verification preferences, location sensitivity, privacy stage, and stated exclusions. It never infers hidden preferences or authorizes disclosure, contact, reliance, or state changes.
Match signal moral-trade-match-signal-contract-v0.3-2026-06
Status pass
9 check(s), 0 blocker(s), 9 factor code(s).
Input boundary
- profileId
- causeAreas
- tradeModes
- verificationPreferences
- locationSensitivity
- privacyStage
- privacyConstraints
- statedExclusions
Redacted fields
- exact_private_wishes
- contact_details
- sensitive_constraints
- raw_profile_notes
- protected_traits
- ideology_or_psychology_inferences
Evaluation route
POST /api/moral-trade/match-signal/evaluate returns redacted factor codes, blockers, confidence band, participant explanation copy, redacted fields, and humanReviewRequired with stateMutation false.
Participant explanation
You are seeing this suggestion because public cause areas, trade mode, and verification preferences are compatible. Exact wishes and contact details are still hidden.
Contract tests
- match signal contract validator
- redacted profile match signal smoke
- participant explanation copy smoke
- match signal evaluate route contract
- technical spec match signal smoke
Match invariant
Use only redacted profile fields: cause areas, trade modes, verification preferences, location sensitivity, privacy constraints, and stated exclusions.
Match invariant
Do not infer protected traits, ideology, psychology, hidden preferences, exact private wishes, raw notes, or contact details.
Match invariant
A matchable signal is only a preview and always requires human review before disclosure, contact, reliance, or state changes.
Match invariant
Factor codes must include cause overlap or complementarity, trade-mode compatibility, and verification compatibility before matchable status.
Match invariant
Privacy-safe preview requires compatible privacy stages, an explicit disclosure stage, a privacy policy id, and named redacted fields.
Challenge appeal contract
Appeals are scoped to reviewed claims, standing, and remedy paths.
The challenge lane is now a validator-backed contract. It separates affected-party standing, duplicate proof, coercive baselines, wrong-scope evidence, privacy disclosure errors, externality remedy gaps, reviewer conflicts, and policy flags before any human-controlled state change.
Challenge appeal moral-trade-challenge-appeal-v0.2
Status pass
9 check(s), 0 blocker(s), 8 trigger(s).
Subjects
- claim
- evidence row
- baseline concern
- disclosure decision
- externality trigger
- completion state
- policy flag
Standing categories
- participant
- counterparty
- affected party
- reviewer
- admin safety
- external verifier
Evaluation route
POST /api/moral-trade/challenge-appeal/evaluate returns scoped factor codes, standing checks, required artifacts, privacy actions, provenance activity, and stateMutation false. Requested outcomes are advisory and must match the appeal trigger before reviewers can route them.
Contract tests
- challenge appeal contract validator
- challenge appeal evaluate route contract
- challenge appeal scope smoke
- technical spec challenge appeal smoke
Appeal invariant
Appeals target only the specific reviewed claim, evidence row, baseline concern, disclosure decision, externality trigger, completion state, or policy flag.
Appeal invariant
Appeals do not reopen unrelated moral disagreements by default and do not create platform-wide moral rankings.
Appeal invariant
Participant, counterparty, affected-party, reviewer, admin-safety, and external-verifier standing are explicit; affected-party standing needs a privacy-safe summary.
Appeal invariant
Externality remedy appeals must name the remedy gap before reliance, completion badges, or public reputation claims proceed.
Appeal invariant
Requested outcomes are advisory and must be compatible with the appeal trigger before reviewers can route them.
Appeal invariant
Private details, exact wishes, contact data, raw notes, and sensitive constraints are redacted before reviewer routing.
Appeal invariant
Every challenge or appeal packet names a provenance activity, traceability step, reason codes, and human reviewer scope.
Appeal invariant
Safety blocking, matching disclosure, reviewed completion, and dispute resolution remain human-controlled.
Disclosure grant contract
Privacy grants now have a staged, field-level contract.
The privacy model is no longer only dashboard prose. Broad previews, exact wishes, source summaries, constraints, verification preferences, and contact details are mapped to explicit access levels, audience stages, redactions, owner approval, and non-mutating evaluation.
Disclosure grants moral-trade-disclosure-grants-v0.1
Status pass
10 check(s), 0 blocker(s), 9 field boundary(s).
Audience stages
- registry
- consent
- introduced
Access levels
- hidden
- broad
- specific
- contact
Evaluation route
POST /api/moral-trade/disclosure/evaluate returns allowed fields, denied fields, privacy actions, expiry window, ownerApprovalRequired, and stateMutation false.
Redacted fields
- exact private wishes before consent
- exact asks before consent
- contact details before introduction
- raw source notes
- sensitive constraints in public preview
- private feed payloads
Search privacy controls
- Daily registry query budget
- Sparse-result privacy floor
- Stable query fingerprint
- Redacted overlap tokens
- Risk signal logging
- Repeated detail-request limit
cause_areas
Cause areas
Broad cause areas and high-level interests only.
registry stage, max broad access.
exact_wish
Exact wish
The exact change someone hopes a counterparty might help with.
consent stage, max specific access.
exact_ask
Exact ask
The concrete ask being considered for this match.
consent stage, max specific access.
capabilities
Capabilities
Resources, skills, or commitments the profile owner says they can offer.
consent stage, max specific access.
constraints
Constraints
Constraints that could rule out a proposal or require extra care.
consent stage, max specific access.
verification_preferences
Verification preferences
Evidence or attestation preferences for a possible agreement.
consent stage, max specific access.
coarse_location
Coarse location
Coarse location only, never precise address or live location.
registry stage, max broad access.
source_summary
Manual source summary
Manual source summaries, excluding raw notes and source payloads.
consent stage, max specific access.
contact_email
Contact email
Contact details for a mutually approved introduction.
introduced stage, max contact access.
Review workflow contract
Marketplace cards and detail pages share one factor-code source.
The report recommends replacing prose-heavy pages with instrumented workflow cards. This contract publishes the card keys, factor-code requirements, next-step rules, and non-ranking invariants used by offer details, worked examples, marketplace listings, and the homepage preview.
Review workflow moral-trade-review-workflow-v0.2-2026-06
Status pass
8 check(s), 0 blocker(s), 6 card contract(s).
Marketplace priority
- human_review_required
- evidence_rule_named
- baseline_credibility
- externality_review_required
- no_global_moral_ranking
- appealable_review_scope
Invariants
- Every detail workflow card must expose at least one factor code, one status-reason code, one status reason, and one next-step instruction.
- Marketplace cards must show prioritized factor codes derived from the same workflow contract.
- Marketplace cards must inherit the selected detail card status reason.
- Participant-relative scores must preserve no_global_moral_ranking.
Contract tests
- review workflow contract validator
- offer review workflow card smoke
- marketplace factor card smoke
- technical spec review workflow smoke
Evaluation route
POST /api/moral-trade/review-workflow/evaluate returns deterministic workflow cards and marketplace factors with stateMutation false.
Participant copy
What would you do if this trade did not happen? Be concrete. Mention your current intention, prior behavior, or any evidence that makes your baseline credible.
current_status
Status card
Expose whether a record is live, example-only, blocked, or still under review.
- status_visible
- human_review_required
action_evidence
Action evidence
Show whether each factual action claim has a named reviewable proof method.
- evidence_rule_named
- evidence_sufficiency
baseline_confidence
Counterfactual baseline
Keep factual proof separate from the no-trade baseline and counterfactual trust problem.
- baseline_stated
- baseline_credibility
externality_review
Externality review
Name third-party harm, perverse-incentive, and unrepresented-value review before reliance.
- externality_review_required
- human_review_required
participant_relative_scores
Participant-relative scores
Display stated priorities without turning them into an objective platform ranking.
- participant_relative_scores
- no_global_moral_ranking
appeal_scope
Appeal scope
Limit appeals to the claim, evidence row, baseline concern, disclosure decision, or policy flag under review.
- appealable_review_scope
- reviewer_summary
Reasoning packet contract
The Reasoning Center publishes structured packets, not hidden reasoning.
Public packets are derived from canonical worked examples and expose only structured summaries, cited evidence rows, step-by-step decision gates, uncertainty flags, reviewer scope, factor codes, and the next human-controlled step. The packet route is validator-backed, supports the same public status filters as the Reasoning Center, and does not export live private offers.
Reasoning packets moral-trade-reasoning-packets-v0.3-2026-05
Status pass
10 check(s), 0 blocker(s), 5 public packet(s).
Required packet fields
- id
- sourceOfferId
- rank
- status
- statusCode
- statusTone
- scope
- title
Linked contracts
- Review workflow: moral-trade-review-workflow-v0.2-2026-06
- Provenance: moral-trade-provenance-v0.3
- Provenance sample: pass
Decision steps
- pass: Schema completeness check
- pass: Anti-threat / prohibited-content check
- pass: Baseline credibility check
- pass: Evidence sufficiency check
Public filters
The packet API accepts the same status facet as the Reasoning Center, for example /api/moral-trade/reasoning/packets?status=needs-evidence.
- All records: 5 packet(s)
- Needs evidence: 1 packet(s)
- Human review: 5 packet(s)
- Blocked: 0 packet(s)
- Pass with limits: 4 packet(s)
Contract tests
- reasoning packet contract validator
- reasoning center public packet smoke
- reasoning packets api route smoke
- reasoning packets recovery payload smoke
- technical spec reasoning packet smoke
Packet invariant
Packets expose only structured summaries, cited evidence rows, uncertainty flags, reviewer scope, factor codes, and required next steps.
Packet invariant
Packets publish step-by-step decision gates with pass, needs_input, human_review, or blocked statuses before any public reliance.
Packet invariant
Packets must not expose chain-of-thought, private wish text, contact details, raw source notes, or autonomous outreach fields.
Packet invariant
Packets must preserve no_global_moral_ranking and participant-relative language.
Packet invariant
Packets are derived from canonical worked examples; live private offers are not exported.
Packet invariant
Every packet links to a worked example page and public contract sources.
Copilot contract
Any AI assistance is schema-bound and reversible.
The copilot role is limited to drafting, critique, explanation, evidence checklists, and reviewer summaries. It cannot rank moral value, contact counterparties, consume raw private feeds, or change proposal state when output validation fails.
Contract moral-trade-copilot-v0.1.3-2026-06
Status pass
12 check(s), 0 blocker(s), 8 fixed verification step(s).
Strict input bundle
- structured_draft
- policy_registry
- prohibited_pattern_registry
- factor_code_dictionary
- verification_method_taxonomy
- redaction_policy
- evidence_metadata
- redacted_profile_pair
- match_constraint_set
- stated_exclusions
Approved output sections
- status
- completeness
- trade_structure
- trust_assessment
- match_explanation
- verification_loop
- clarification_questions
- uncertainty_flags
- next_step_checklist
- cited_evidence_table
- review_instructions
- reviewer_summary
- citations
Hard guardrails
- Approved JSON only
- Observable claims only
- No hidden reasoning transcript
- No global moral ranking
- No autonomous outreach
- No private feed ingestion
- Separate trust axes
- Insufficient evidence requests exact artifacts
- Anti-threat escalation
- No false certainty
- No escrow, legal, tax, custody, or endorsement claims
- Verification loop gates matchability
Matchability gate
validateMoralTradeCopilotOutput rejects matchable output unless every blocking verification step has status pass.
- Schema completeness check
- Anti-threat / prohibited-content check
- Baseline credibility check
- Evidence sufficiency check
- Privacy/redaction check
Prompt template registry
- System prompt
- Draft-repair prompt
- Matching prompt
- Reviewer-summary prompt
Rollout readiness gates
- shadow mode: pass
- assist mode: blocked
- guarded automation: blocked
schema_completeness
Schema completeness check
Blocks matchable status until resolved.
anti_threat
Anti-threat / prohibited-content check
Blocks matchable status until resolved.
baseline_credibility
Baseline credibility check
Blocks matchable status until resolved.
evidence_sufficiency
Evidence sufficiency check
Blocks matchable status until resolved.
externality_trigger
Externality-review trigger check
Routes or explains without changing state.
privacy_redaction
Privacy/redaction check
Blocks matchable status until resolved.
match_explanation
Match explanation generation
Routes or explains without changing state.
human_review_routing
Human-review routing
Routes or explains without changing state.
Rollout readiness
shadow mode
Status pass; 4 required signal(s), 2 allowed task(s), 0 blocker(s).
Rollout readiness
assist mode
Status blocked; 7 required signal(s), 3 allowed task(s), 3 blocker(s).
Rollout readiness
guarded automation
Status blocked; 8 required signal(s), 3 allowed task(s), 3 blocker(s).
Operations contract
Security, rate limits, metrics, and fallbacks are inspectable.
The core feature now publishes the operating controls that were previously scattered across code and policy pages: security headers, private-cache rules, abuse throttles, privacy/session controls, email-outbox safety gates, retention lifecycle boundaries, observability metrics, safe fallbacks, and rollout gates.
Operations moral-trade-operations-v0.3-2026-05
Status pass
8 check(s), 0 blocker(s), 9 operational test hook(s).
Security headers
- Strict Transport Security
- No MIME sniffing
- Frame denial
- Referrer policy
- Permissions policy
- CSP report-only baseline
- Private route no-store
Rate-limit surfaces
- public contract read: 240 per 1 minute
- signup: 5 per 15 minutes
- login: 8 per 15 minutes
- offer create: 8 per 15 minutes
- privacy access request: 12 per 1 day
- match concierge request: 10 per 1 day
- offer comment: 12 per 15 minutes
- offer collection read: 120 per 1 minute
- offer detail read: 120 per 1 minute
- offer facets read: 120 per 1 minute
- offer follow write: 30 per 1 minute
- offer create similar: 30 per 1 minute
- saved search write: 30 per 1 minute
- copilot draft review: 30 per 1 minute
- match signal evaluate: 60 per 1 minute
- challenge appeal evaluate: 30 per 1 minute
- disclosure evaluate: 30 per 1 minute
- review workflow evaluate: 60 per 1 minute
- profile portability: 12 per 1 minute
- background opportunity brief read: 60 per 1 minute
- background opportunity feedback write: 30 per 1 minute
- background source summary write: 12 per 1 minute
- background intro packet write: 12 per 1 minute
- wish registry search: 60 per 1 minute
- analytics ingest: 120 per 1 minute
Operational metrics
- funnel_event_counts
- route_error_rate
- api_latency_p95
- web_vitals
- blocked_proposal_rate
- email_outbox_suppression_count
- privacy_incident_count
- copilot_fallback_rate
- evidence_review_sla
- appeal_overturn_rate
Privacy/session controls
- Supabase auth cookies
- Private route cache control
- Data-right request lane
- Field-level disclosure grants
- Email outbox safety gate
- Audit events
Retention lifecycle
- Account and profile lifecycle
- Private wish and source lifecycle
- Evidence and provenance lifecycle
- Payment and donation reference lifecycle
- Analytics and attribution lifecycle
- Notification delivery lifecycle
- Data-right request lifecycle
deterministic_manual_fallback
Deterministic/manual fallback
If copilot, provider, or evidence tooling fails, keep deterministic validation and manual review available.
invalid_copilot_output_no_state_change
Invalid copilot output cannot change state
Invalid or timed-out copilot output must not publish, match, disclose, or complete a proposal.
provider_timeout_no_state_change
Provider timeout cannot change state
Provider or payment/evidence timeouts remain pending or manual-review states.
unsafe_email_no_provider_send
Unsafe email rows cannot reach the provider
Core Moral Trade email outbox rows with contact details, exact offer terms, payment amounts, agreement or payment identifiers, evidence, raw source notes, or private wish markers are marked suppressed before provider send.
replay_safe_state_transitions
Replay-safe state transitions
State transitions should be idempotent, auditable, and safe to retry.
Performance contract
Route resilience and Web Vitals are measured before readiness is claimed.
The report flagged repeated loading states, route failure recovery, and unspecified Web Vitals, API latency, cache, and bundle strategy. This profile turns those into public targets, privacy-safe telemetry boundaries, and release gates.
Performance moral-trade-performance-v0.4-2026-06
Status fail
8 check(s), 1 blocker(s), 7 metric target(s), cadence weekly internal monthly public aggregate.
Metric targets
- Public route error rate: <=1% of public route views over a reporting period
- Core API p95 latency: <=800ms p95 for public Moral Trade contract and directory APIs
- Largest Contentful Paint p75: <=2500ms p75 for public Moral Trade routes
- Interaction to Next Paint p75: <=200ms p75 for public Moral Trade routes
- Cumulative Layout Shift p75: <=0.1 p75 for public Moral Trade routes
Instrumentation controls
- Web Vitals capture
- API server timing
- Route error boundary
- Loading-state inventory
- Production route manifest smoke
Route families
- core protocol contract
- offer marketplace
- background networking
- reasoning and review
Route recovery manifest
Status fail; 11/13 route(s) covered, recovery ratio 0.8462.
- /moral-trade/technical-spec: src/app/moral-trade/technical-spec/error.tsx
- /reasoning-center: src/app/reasoning-center/error.tsx
instrument_before_optimize
Instrument before optimizing
Do not claim performance readiness from design intent alone; publish measurement coverage first.
public_route_resilience
Public route resilience
Do not expand public acquisition until core public routes have retry/recovery affordances and build-manifest coverage.
privacy_safe_telemetry
Privacy-safe telemetry
Do not store performance telemetry that includes raw private wishes, source notes, contact details, or unredacted query strings.
Performance non-claim
Moral Trade does not claim verified Core Web Vitals pass status until route-level samples are collected and published in aggregate.
Performance non-claim
Moral Trade does not claim all loading states are optimized; generic fallbacks are tracked as route-resilience debt.
Performance non-claim
Moral Trade does not claim production API latency targets are met without current server-timing or provider metrics.
Performance non-claim
Moral Trade does not claim performance telemetry can include raw private wishes, source notes, contact details, or unredacted query strings.
Security contract
Security posture is explicit about controls, boundaries, and non-claims.
The report flagged encryption details, 2FA, device/session review, key management, and abuse throttling as unspecified. This profile publishes what is implemented, what is a provider boundary, and what must be ready before sensitive scale.
Security moral-trade-security-v0.3-2026-06
Status pass
7 check(s), 0 blocker(s), 3 scale gate(s).
Implemented controls
- HSTS, CSP, and browser security headers
- Private no-store cache policy
- Supabase auth cookies
- Background field-encryption keyring
- Server-only secret management
- 2FA/MFA admin gate
- Participant session review and revocation
- Contact disclosure MFA step-up
- Platform abuse throttling
- Incident response reporting
Provider boundaries and non-claims
- Provider encryption at rest
- Platform-wide field-level encryption is not claimed
Scale gates
- Sensitive admin scale: blocked
- Paid-action volume scale: blocked
- Trust badge scale: pass
Public non-claim
Moral Trade does not claim custom field-level encryption for every private Moral Trade table; background-networking sensitive text has a separate versioned keyring control.
Public non-claim
Moral Trade does not claim the app-level MFA/2FA admin gate replaces provider-console MFA, device inventory, session revocation, or key-rotation evidence.
Public non-claim
Moral Trade does not claim a completed key-rotation program until provider rotation records are published.
Public non-claim
Moral Trade does not claim 24/7 staffed security operations or zero incidents; incident summaries stay aggregate and privacy-redacted.
Public non-claim
Moral Trade does not claim zero security risk; public health endpoints expose blockers instead.
Incident response contract
Incident intake, disclosure, and reopening rules are validator-backed.
The report flagged incident response as a scale prerequisite. This profile publishes the public incident lane: intake channels, severity SLAs, containment phases, affected-participant notices, aggregate public updates, validator backlog updates, and privacy-safe non-claims.
Incident response moral-trade-incident-response-v0.1-2026-05
Status pass
9 check(s), 0 blocker(s), 3 readiness gate(s).
Incident categories
- Privacy leakage: privacy reviewer
- Security control failure: security reviewer
- Payment provider error: payment reviewer
- Evidence integrity issue: evidence reviewer
- Unsafe matching or disclosure: safety reviewer
- Availability or route failure: operations reviewer
- Copilot output violation: copilot reviewer
Severity SLAs
- SEV0 active sensitive exposure: response 1h, notice 24h
- SEV1 control or payment failure: response 4h, notice 48h
- SEV2 review integrity issue: response 24h, notice 120h
- SEV3 service degradation: response 72h, notice 168h
Readiness gates
- Trust-badge incident lane: pass
- Paid-action incident lane: pass
- Copilot-assist incident lane: pass
affected_participant_notice_required
Affected participant notice required
SEV0 and SEV1 incidents require affected-participant notice unless doing so would increase harm or conflict with law.
public_aggregate_only
Public aggregate only
Public reporting uses counts, category, severity, status, and remediation class; raw private records stay redacted.
no_private_details_in_public_postmortem
No private details in public postmortem
Do not publish private wishes, source notes, exact contact details, payment secrets, hidden reviewer notes, or raw provider payloads.
validator_blockers_linked
Validator blockers linked
If the incident exposed a contract gap, link the public blocker, test, or scale gate that now tracks the fix.
human_review_before_reopening
Human review before reopening
Affected matching, disclosure, completion, payment, or trust-badge paths reopen only after human review confirms containment.
Incident non-claim
Moral Trade does not claim 24/7 staffed security operations.
Incident non-claim
Moral Trade does not claim zero incidents or zero residual security risk.
Incident non-claim
Moral Trade does not publish raw private wishes, source notes, contact details, payment secrets, or provider payloads in public incident summaries.
Incident non-claim
Moral Trade does not treat incident-response publication as proof that MFA, device/session review, key rotation, or field-level encryption are complete.
Evaluation contract
Quality metrics are public, privacy-bounded, and rollout-gated.
The report recommends measuring whether protocol and copilot workflows actually help. This profile names the metrics, privacy boundaries, cohort slices, and promotion gates required before assisted workflow changes can scale.
Evaluation moral-trade-evaluation-v0.3-2026-05
Status pass
7 check(s), 0 blocker(s), 13 metric(s), cadence monthly public aggregate.
Sample surfacing parity audit
Status pass; 20 eligible, 9 surfaced, overall rate 0.45; 2 reviewed deviation(s), 0 unreviewed.
Sample UX readiness audit
Status pass; current period 2026-05, previous period 2026-04, blockers 0.
Executable audit check
The validator includes a sample-audits check so fairness, UX, and workflow quality audit code must execute successfully before the evaluation contract reports pass. Material surfacing parity deviations need a redacted review-log entry before they count as reviewed.
Sample workflow quality audit
Status pass; blocked precision 0.9167, false match rate 0.15, human overrule rate 0.2222, reason coverage 1.
Codex-assisted workflow metrics
- Draft completion rate: increase
- Time to valid draft: decrease
- Blocked-proposal precision: increase
- Privacy leakage incidents: decrease
- Explanation helpfulness: increase
Privacy and fairness slices
- trade format
- cause area pair
- geography bucket
- verification method
- privacy stage
- new vs returning participant
- consented demographic slice
- optional governed sensitive attribute
Measurement boundaries
- aggregate only by default
- no raw private wish text
- no contact details
- no source note leakage
- small cell suppression
- deviation review log redacted
- free text quote requires consent
shadow_mode
shadow mode
Collect metrics while copilot advice is ignored for live decisions.
assist_mode
assist mode
Allow field prefill and factor-code suggestions only if privacy incidents stay at zero and overrule reasons are reviewed.
guarded_automation
guarded automation
Automate only missing-field detection, explanation rendering, and evidence-checklist drafting after public metrics meet or explain targets.
human_controlled_decisions
human controlled decisions
Safety blocking, matching disclosure, reviewed completion, and dispute resolution remain human controlled.
Externality contract
Third-party impacts now have due-diligence and remedy gates.
Externality review is not a vague warning label. Material triggers require affected-party standing, remediation paths, privacy-safe reporting, human approval, and relevant source standards before reliance.
Externality moral-trade-externality-v0.2-2026-05
Status pass
7 check(s), 0 blocker(s), 8 trigger code(s).
Due-diligence steps
- Embed policy
- Identify impacts
- Prevent or mitigate
- Track results
- Communicate
- Remediate
Review standards
- OECD due diligence
- UN Guiding Principles
- ILO Fundamental Principles
- ETI Base Code
- Fairtrade Standards
- Open Supply Hub orientation
Trigger-standard matrix
- unrepresented third party: oecd_due_diligence, un_guiding_principles
- vulnerable party pressure: oecd_due_diligence, un_guiding_principles, ilo_fundamental_principles
- political or campaign adjacent: oecd_due_diligence, un_guiding_principles
- paid action pressure: oecd_due_diligence, un_guiding_principles, ilo_fundamental_principles
- labor or supply chain: oecd_due_diligence, un_guiding_principles, ilo_fundamental_principles, eti_base_code, open_supply_hub
Remedy controls
- Affected-party standing
- Remediation plan
- Challenge window required
- Privacy-safe reporting
unrepresented_third_party
Unrepresented third party
Trigger review when a trade materially affects people who are not participants.
vulnerable_party_pressure
Vulnerable-party pressure
Trigger review when a paid action, disclosure, or pledge may pressure a vulnerable person or group.
political_or_campaign_adjacent
Political or campaign-adjacent
Trigger review for political-adjacent proposals and block direct campaign contribution offsets elsewhere.
paid_action_pressure
Paid-action pressure
Trigger review when compensation could distort voluntariness, labor conditions, or baseline incentives.
labor_or_supply_chain
Labor or supply-chain claim
Trigger review when a proposal makes ethical-trade, sourcing, labor, or supplier claims.
recipient_or_destination_risk
Recipient or destination risk
Trigger review when money, action, or reputation flows to an organization with contested governance or harm risks.
environment_or_community_impact
Environmental or community impact
Trigger review when a project may affect local communities, pollution, land, animals, or ecosystems.
perverse_incentive
Perverse incentive
Trigger review when the trade may reward newly escalated or strategically worsened behavior.
AI governance contract
Undocumented ML cannot rank, match, disclose, or change state.
The report says any move beyond deterministic rules must be documented with model cards, dataset datasheets, benchmark slices, fairness audits, and human-control gates. This profile keeps that requirement explicit before any ranking or scoring layer can be promoted.
AI governance moral-trade-ai-governance-v0.2-2026-05
Status pass
11 check(s), 0 blocker(s), decisioning mode deterministic rules with schema bound copilot, 6 sample documentation packet(s).
Required before ML
- Model card
- Dataset datasheet
- Benchmark slices
- Intended-use limits
- Fairness audit report
- Change log
Documentation templates
- Model card template: 8 required fields; redacts raw_private_wish_text and contact_details
- Dataset datasheet template: 8 required fields; redacts raw_private_wish_text and contact_details
- Benchmark-slice template: 8 required fields; redacts raw_private_wish_text and contact_details
- Intended-use limits template: 6 required fields; redacts raw_private_wish_text and contact_details
- Fairness audit report template: 7 required fields; redacts raw_private_wish_text and contact_details
- Change-log template: 7 required fields; redacts raw_private_wish_text and contact_details
Sample documentation packets
- model card: shadow only
- dataset datasheet: shadow only
- benchmark slices: shadow only
- intended use limits: shadow only
- fairness audit report: shadow only
- change log: shadow only
Prohibited uses
- End-to-end LLM matching
- Global moral ranking
- Unreviewed learning to rank
- Protected-trait inference
- Autonomous outreach
- Raw private-feed training
Standards
- NIST AI RMF
- NIST XAI principles
- Model Cards
- Datasheets for Datasets
- Fairness trade-off literature
Explanation controls
- Factor codes are the source of truth
- Meaningful user action
- System accuracy boundary
- Uncertainty and redaction notice
- Appealable review scope
- Reversible interaction
schema_bound_drafting
Schema-bound drafting
Drafting may normalize user text into approved proposal fields without inventing facts or evidence.
missing_field_detection
Missing-field detection
Automation may flag missing required fields and ask clarification questions tied to those fields.
factor_code_explanation
Factor-code explanation rendering
Automation may render explanations only from deterministic factor codes and approved redaction rules.
evidence_checklist_drafting
Evidence checklist drafting
Automation may draft checklists of observable artifacts without deciding that evidence is sufficient.
reviewer_summary_drafting
Reviewer-summary drafting
Automation may summarize records for reviewers while preserving uncertainty and unresolved flags.
API contract
Core routes now publish privacy, schema, rate-limit, and fallback metadata.
The core Moral Trade API surface is now cataloged with method, auth posture, privacy class, schema names, rate-limit surface, cache behavior, and safe fallback rules.
API moral-trade-api-contract-v0.24-2026-06
Status fail
29 check(s), 2 blocker(s), 55 route(s), 79 schema definition(s).
Schema registry moral-trade-schema-registry-v0.2-2026-05
Status pass
9 check(s), 0 blocker(s), 12 public schema document(s), including the core data-model and public offer listing schemas; 8 public payload sample(s) checked, 0 sample failure(s).
Public schema documents
- ai-governance-profile.schema.json: 15 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- api-contract-profile.schema.json: 6 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- copilot-contract.schema.json: 16 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- data-model-profile.schema.json: 8 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- evaluation-profile.schema.json: 8 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- externality-profile.schema.json: 9 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- incident-response-profile.schema.json: 10 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- operations-profile.schema.json: 10 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- performance-profile.schema.json: 10 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- protocol-profile.schema.json: 13 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
- public-offer-listing.schema.json: 26 required top-level field(s), 8 sample validation(s), 0 sample failure(s)
- security-profile.schema.json: 6 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
Route catalog
- GET /api/moral-trade/health
- GET /api/moral-trade/api-contract
- GET /api/offers
- GET /api/offers/:slug
- GET /api/offers/facets
Schema definitions
- empty_request: 0 field(s)
- public_offers_collection_request: 8 field(s)
- public_offers_collection_response: 8 field(s)
- public_offer_detail_request: 1 field(s)
- public_offer_detail_response: 9 field(s)
- public_offers_facets_request: 6 field(s)
Privacy classes
- public contract
- public schema
- authenticated private
- authenticated private step up
- privacy thresholded public preview
- redacted analytics
- ephemeral private draft review
Private and thresholded routes
- saved_search_create: authenticated private
- public_offer_follow: authenticated private
- public_offer_create_similar: authenticated private
- moral_trade_schema_registry: public schema
- moral_trade_copilot_review: ephemeral private draft review
- moral_trade_match_signal_evaluate: ephemeral private draft review
- moral_trade_challenge_appeal_evaluate: ephemeral private draft review
- moral_trade_disclosure_evaluate: ephemeral private draft review
- moral_trade_review_workflow_evaluate: ephemeral private draft review
- profile_schema: public schema
- profile_export: authenticated private
- profile_import: authenticated private
- background_source_connection_create: authenticated private
- background_source_connection_revoke: authenticated private
- background_source_summary_draft: authenticated private
- background_source_summary_approve: authenticated private
- background_profile_signal_recompute: authenticated private
- background_source_summary_create: authenticated private
- background_intro_packet_create: authenticated private
- background_intro_request_create: authenticated private
- background_intro_request_appeal: authenticated private
- background_intro_request_approve_contact: authenticated private step up
- background_opportunity_brief_list: authenticated private
- background_opportunity_list: authenticated private
- background_opportunity_feedback_create: authenticated private
- background_opportunity_feedback_create_alias: authenticated private
- wish_registry_search: privacy thresholded public preview
- funnel_events: redacted analytics
Rate-limit surfaces
- public contract read
- offer collection read
- offer detail read
- offer facets read
- saved search write
- offer follow write
- offer create similar
- copilot draft review
- match signal evaluate
- challenge appeal evaluate
- disclosure evaluate
- review workflow evaluate
- profile portability
- background source summary write
- background intro packet write
- background opportunity brief read
- background opportunity feedback write
- wish registry search
- analytics ingest
API test hooks
- api contract profile validator
- api contract route contract
- health route contract smoke
- technical spec api contract smoke
- security route contract
- incident response route contract
- performance route contract
- externality route contract
- ai governance route contract
- data model contract route
- policy bundle contract route
- public offers collection route
- public offer detail route
- public offers facets route
- saved search create route
- public offer follow route
- public offer create similar route
- reasoning packet route contract
- match signal route contract
- challenge appeal route contract
- disclosure grant route contract
- copilot review route contract
- profile portability route contract
- wish registry rate limit contract
- analytics redaction contract
Field-level schema
empty_request
No request body or query contract beyond route path and auth context.
No body fields.
Field-level schema
public_offers_collection_request
Public collection query parameters for browsing live offers and worked examples without exposing private/personally scoped state.
- q: string, public
- tab: enum, public
- cause: string_array, public
- format: enum_array, public
Field-level schema
public_offers_collection_response
Public validator-backed collection payload for live offers and worked examples, including visible facets, default-tab behavior, non-claims, and public listing items.
- ok: boolean, public
- checkedAt: iso_datetime, public
- contractVersion: string, public_contract
- meta: object, public_contract
Field-level schema
public_offer_detail_request
Public offer detail slug path for a live public offer id or worked-example slug.
- slug: path_slug, public
Field-level schema
public_offer_detail_response
Validator-backed public detail payload for one live offer or worked example, with sign-in/consent-gated actions and non-claims.
- ok: boolean, public
- checkedAt: iso_datetime, public
- contractVersion: string, public_contract
- slug: path_slug, public
Field-level schema
public_offers_facets_request
Public facet query parameters for the current tab/search scope without pagination.
- q: string, public
- tab: enum, public
- cause: string_array, public
- format: enum_array, public
moral_trade_health
GET /api/moral-trade/health
Return ok:false with validator blockers; never silently claim readiness.
moral_trade_api_contract
GET /api/moral-trade/api-contract
Return API contract validator blockers, implementation audit, route catalog, schema definitions, privacy classes, and test hooks; never expose private participant records.
public_offers_collection
GET /api/offers
Return filtered worked-example and live listing payloads, visible facets, validator blockers, and zero-live guidance; never expose private wishes, contact details, raw evidence artifacts, personalized saved-offer state, or global moral ranking.
public_offer_detail
GET /api/offers/:slug
Return a validator-backed public listing detail or 404 blockers; never expose contact details, private wishes, raw evidence artifacts, personalized saved-offer state, or agreement formation claims.
public_offers_facets
GET /api/offers/facets
Return positive-count public facets, current default-tab behavior, and validator blockers; never expose zero-count private-sensitive facets or personalized browse state.
saved_search_create
POST /api/saved-searches
Require viewer authentication to store a saved search; unauthenticated requests return a sign-in draft without storage. Never expose private wishes, contact details, raw source notes, personalized saved-offer state, autonomous outreach, or platform moral ranking.
Provenance
Evidence records name entities, activities, and agents.
This does not prove moral correctness. It does make each claim easier to audit: what artifact was submitted, what activity changed state, and which participant, reviewer, or provider was involved.
Entities
proposal_record, offer, agreement, evidence_artifact, external_entity_reference, review_decision, match_explanation, match_signal, traceability_event
Activities
draft_created, draft_updated, evidence_submitted, traceability_event_recorded, risk_screened, challenge_window_opened, review_completed
Agents
participant, counterparty, operator, external_reviewer, payment_or_evidence_provider
Evidence object contract
Claims now have typed artifacts, traceability events, review records, and state changes.
The provenance layer uses fixed object schemas so duplicate proof, wrong-scope evidence, stale artifacts, missing agents, external entity dedupe failures, and external payment or charity-routing events without what/where/why links can be caught, while state transitions carry immutable event hashes before any reviewed completion claim is published.
Provenance contract moral-trade-provenance-v0.3
Status pass
6 check(s), 0 blocker(s), 1 synthetic traceability event(s).
Validator rules
- artifact-hashes
- claim-artifact-links
- scope-alignment
- one-proof-one-claim
- freshness-window
Sample bundle
1 artifact, 1 claim, 1 review decision, 3 agents.
Append-only storage
9 owner-scoped table(s) persist artifacts, claims, agents, activities, external references, traceability events, and state transitions.
Contract tests
- provenance contract validator
- provenance sample bundle smoke
- traceability event contract smoke
- provenance persistence schema smoke
- technical spec provenance contract smoke
provenance_agent
moral_trade_provenance_agents
owner_insert_public_or_owner_read
evidence_artifact
moral_trade_evidence_artifacts
owner_insert_public_or_owner_read
evidence_claim
moral_trade_evidence_claims
owner_insert_public_or_owner_read
evidence_claim
moral_trade_evidence_claim_artifacts
owner_insert_public_pair_read
external_entity_reference
moral_trade_external_entity_references
owner_insert_public_or_owner_read
review_decision
moral_trade_review_decisions
owner_insert_public_or_owner_read
evidence_artifact
Evidence artifact entity
- id
- kind
- normalizedLocator
- mediaType
- claimScopes
- submittedAt
- submittedByAgentId
- redactionLevel
- sha256
evidence_claim
Evidence claim
- id
- proposalId
- claimType
- artifactIds
- claimScope
- reviewerConfidence
- uniquenessChecked
external_entity_reference
External entity reference
- id
- entityType
- label
- identifierSystem
- normalizedIdentifier
- dedupeKey
- verificationStatus
- redactionLevel
- sha256
review_decision
Reviewer decision
- id
- proposalId
- outcome
- reasonCodes
- summary
- reviewerId
- idempotencyKey
- decisionHash
- createdAt
match_signal
Privacy-safe match signal
- id
- leftProfileId
- rightProfileId
- privacyPolicyId
- status
- factorCodes
- confidenceBand
- redactedFields
- disclosureStage
- humanReviewRequired
- createdAt
traceability_event
Interoperable traceability event
- id
- eventTime
- recordedAt
- action
- businessStep
- disposition
- what
- where
- why
- agentIds
- redactionLevel
- auditQuestionAnswers
- sha256
state_transition_event_record
Immutable state transition event record
- id
- schemaVersion
- subjectId
- subjectKind
- from
- to
- provenanceActivity
- recordedAt
- actorAgentId
- actorAgentKind
- usedEntityIds
- generatedEntityIds
- idempotencyKey
- previousEventHash
- auditQuestionAnswers
- eventHash
provenance_activity
Provenance activity
- id
- kind
- at
- usedEntityIds
- generatedEntityIds
- agentIds
provenance_agent
Provenance agent
- id
- kind
- label