Skip to main content
MoralTrade
ExploreCreateMessagesCommitmentsSafety
Search
Get startedSign in
  1. Home
  2. Moral trade
  3. Technical spec

Core protocol

Moral Trade has a public validator contract.

The core feature now publishes its required proposal fields, review statuses, guardrails, evidence schemas, factor codes, and provenance model as a validator-backed profile.

View health JSONReview validation rulesView provenance schemaView schema registryView data modelView policy bundleView copilot contractView match contractView clearing contractView baseline contractView amendment contractView appeal contractView disclosure contractView review workflowView reasoning packetsView operations healthView security healthView incident responseView evaluation healthView performance healthView externality healthView AI governanceView API contractView document coverage

Validator result

Status
pass
Profile
moral-trade-core-v0.1.6-2026-06
Checks
11
Blockers
0

Document coverage contract

The improvement report is mapped to validator evidence.

The source Markdown and PDF are hash-checked, and the report testing plan is now mapped as schema, policy, evidence, privacy, fairness, UX, and resilience coverage before any broad completion claim is made.

Document coverage moral-trade-document-coverage-v0.8-2026-06

Status fail

64 check(s), 2 source document(s), 7 testing-plan layer(s), 29 implementation phrase gate(s).

Open coverage JSON

Source artifacts

  • moral_trade_feature_audit_markdown: hash blocked
  • moral_trade_feature_audit_pdf: hash blocked

Testing plan coverage

  • Schema tests
  • Policy tests
  • Evidence tests
  • Privacy tests
  • Fairness tests
  • UX tests
  • Resilience tests

Recommended source stack

13 source family mappings connect Ord, product commitments, due diligence, provenance, AI governance, and HCI guidance to code and public routes.

Requirement phrase gates

  • Core data model and public validators: 3 phrase gate(s)
  • Workflow cards and factor codes: 4 phrase gate(s)
  • Provenance-first evidence objects: 4 phrase gate(s)
  • Schema-bound copilot: 3 phrase gate(s)
  • Privacy, matching, and disclosure guardrails: 3 phrase gate(s)
  • Externality, challenge, and appeal review: 4 phrase gate(s)
  • Evaluation, operations, security, and performance gates: 8 phrase gate(s)

Canonical gates

  • node --import tsx --test src/lib/moral-trade/*.test.ts src/lib/background-ai-shadow.test.ts src/lib/background-networking.test.ts src/lib/background-notification-policy.test.ts src/lib/background-notifications.test.ts src/lib/background-privacy-controls.test.ts src/lib/background-explanations.test.ts src/lib/background-opportunity-briefs.test.ts src/lib/background-private-overlap.test.ts src/lib/wish-registry.test.ts src/lib/public-route-smoke.test.ts
  • npm run lint
  • git diff --check
  • npm run build

Public readiness matrix

Every canonical contract route is visible before readiness is claimed.

The build instruction lists the required public contract routes. This matrix keeps the user-facing spec aligned with that list so transparency, private-overlap guardrails, privacy, operations, and evaluation evidence are not hidden behind scattered JSON links.

Canonical public contracts

53/58 route checks passing

All canonical public contract routes have a visible readiness row.

Open combined health JSON
FamilyRouteStatusPublished evidence
Top-level readinessProtocol healthfail (63 blocker(s))21 canonical public route(s) cross-linked in one health surface.
Source traceabilityDocument coveragefail (59 blocker(s))2 source document(s), 7 testing layer(s).
API catalogAPI contractfail (2 blocker(s))183 route(s), 258 schema definition(s).
Core schemaData modelpass (0 blocker(s))58 entity contract(s), 8 required offer field(s).
Core schemaSchema registryfail (1 blocker(s))12 schema document(s), 8 sample validation(s).
Policy inputsPolicy bundlepass (0 blocker(s))5 prohibited pattern(s), 8 verification step(s).
Policy inputsRelease gatespass (0 blocker(s))12 stage(s), 108 fail-closed requirement(s).
Policy inputsParticipant confirmationspass (0 blocker(s))10 scope(s), 6 fail-closed status(es).
Policy inputsParticipant eligibilitypass (0 blocker(s))8 review dimension(s), 10 gated transition(s).
Policy inputsAccount securitypass (0 blocker(s))13 high-risk action(s), 13 event type(s).
Policy inputsReviewer qualitypass (0 blocker(s))10 review type(s), 25 fail-closed status(es).
Policy inputsAnti-enumerationpass (0 blocker(s))7 discovery surface(s), 6 count bucket(s).
Policy inputsPrivacy governancepass (0 blocker(s))6 disclosure surface(s), 3 first-class table(s).
Policy inputsImpact claimspass (0 blocker(s))7 claim type(s), 2 first-class table(s).
ClearingMatching clearingpass (0 blocker(s))4 flow type(s), 1 execution table(s).
ClearingClearing previewspass (0 blocker(s))2 track(s), 1 first-class table(s).
ClearingBaseline integritypass (0 blocker(s))5 transition(s), 2 first-class table(s).
ClearingAgreement amendmentspass (0 blocker(s))6 transition(s), 2 first-class table(s).
OperationsProduction readinesspass (0 blocker(s))8 control(s), 8 gated transition(s).
Money movementRecipient destinationspass (0 blocker(s))8 review dimension(s), 7 gated transition(s).
Money movementRecipient acceptancepass (0 blocker(s))8 gated transition(s), 3 first-class table(s).
ClearingAI preference elicitationpass (0 blocker(s))8 scope(s), 2 first-class table(s).
ClearingPost-clear auditpass (0 blocker(s))8 audit type(s), 2 first-class table(s).
ClearingSubsidy governancepass (0 blocker(s))1 launch tier(s), 2 first-class table(s).
ClearingDirect-pair clearingpass (0 blocker(s))2 launch trade type(s), 1 first-class table(s).
ClearingCause-bucket taxonomypass (0 blocker(s))6 taxonomy type(s), 2 first-class table(s).
ClearingResource compatibilitypass (0 blocker(s))9 conflict type(s), 1 first-class table(s).
ClearingNet-offset accountingpass (0 blocker(s))7 baseline action type(s), 1 first-class table(s).
ClearingOffer validitypass (0 blocker(s))10 stale reason code(s), 1 first-class table(s).
ClearingPrivate exchange-rate quotespass (0 blocker(s))6 quote type(s), 1 first-class table(s).
ClearingNoncompensable blockerspass (0 blocker(s))11 protected interest type(s), 1 first-class table(s).
ClearingBatch-clearing objectivepass (0 blocker(s))4 objective type(s), 8 prohibited driver(s).
PrivacySensitive-evidence attestationspass (0 blocker(s))10 claim type(s), 1 first-class table(s).
OperationsPilot evidence gatespass (0 blocker(s))6 evidence type(s), 8 success metric(s).
ClearingSide agreementspass (0 blocker(s))11 review dimension(s), 9 subject type(s).
ClearingTrade classificationpass (0 blocker(s))6 classification value(s), 8 review dimension(s).
ClearingTemplate conformancepass (0 blocker(s))5 trade type(s), 3 first-class table(s).
ClearingReview capacitypass (0 blocker(s))9 gated transition(s), 3 first-class table(s).
ClearingParticipant term sheetspass (0 blocker(s))10 gated transition(s), 3 first-class table(s).
SafetyProtective assessmentspass (0 blocker(s))17 assessment dimension(s), 5 first-class table(s).
SafetyUser safety and moderationpass (0 blocker(s))11 moderation dimension(s), 10 user-safety dimension(s).
Money movementFinancial settlement controlspass (0 blocker(s))12 control(s), 10 first-class table(s).
Assisted draftingCopilot contractpass (0 blocker(s))4 prompt template(s), 12 guardrail(s).
Workflow cardsReview workflowpass (0 blocker(s))6 card contract(s), 6 marketplace factor(s).
Workflow cardsReasoning packetspass (0 blocker(s))5 public packet(s), 5 filter(s).
EvidenceProvenance schemapass (0 blocker(s))9 append-only table contract(s), 10 validation rule(s).
Privacy and matchingMatch signalpass (0 blocker(s))9 approved factor code(s), preview-only stateMutation false.
Privacy and matchingDisclosure grantspass (0 blocker(s))9 field boundary(s), 6 search privacy control(s).
Privacy and matchingPrivate overlap guardrailpass (0 blocker(s))governance gated pilot; live endpoints remain blocked.
Challenge and remedyChallenge appealpass (0 blocker(s))8 appeal trigger(s), 2 first-class table(s).
Challenge and remedyExternality healthpass (0 blocker(s))8 trigger code(s), 6 review standard(s).
EvaluationEvaluation healthpass (0 blocker(s))13 metric(s), 4 promotion gate(s).
EvaluationTransparency reportpass (0 blocker(s))19 aggregate metric(s), minimum public count 3.
OperationsOperations healthpass (0 blocker(s))80 rate-limit surface(s), 7 retention control(s).
OperationsSecurity healthpass (0 blocker(s))14 control(s), 3 sensitive-scale gate(s).
OperationsIncident responsepass (0 blocker(s))7 incident category/categories, 3 readiness gate(s).
OperationsPerformance healthfail (1 blocker(s))7 metric target(s), 4 route family/families.
AI governanceAI governancepass (0 blocker(s))6 documentation template(s), 6 prohibited use(s).

This matrix is repository validation evidence. It does not claim production liquidity, legal or tax treatment, payment custody, zero security risk, or objective moral endorsement.

Public contract

Fields, states, and guardrails are inspectable.

This mirrors the MPGF validator posture for the core moral-trade workflow: a proposal is not merely prose; it is a record with required fields, review states, explicit rejection rules, and provenance-bearing evidence.

Required proposal fields

  • Trade format
  • Offered and requested cause areas
  • Offered action
  • Requested action
  • No-trade baseline
  • Duration or review period
  • Exit, pause, expiry, or unresolved-evidence rule
  • Verification method
  • Public description and boundaries

Review statuses

draftsubmittedneeds clarificationneeds evidenceneeds human reviewchallenge windowcompletion revieweddisputed unresolvedblockedmatchable

Decision pipeline

  • Schema completeness: needs clarification
  • Anti-threat and prohibited-content screen: blocked
  • Factual evidence readiness: needs evidence
  • Counterfactual baseline credibility: needs human review
  • Externality-review trigger: challenge window
  • Privacy and redaction: needs human review
  • Match explanation generation: needs human review
  • Human-review routing: needs human review

State transitions

  • draft -> needs_clarification, submitted, blocked
  • needs clarification -> draft, submitted, blocked
  • submitted -> needs_evidence, needs_human_review, challenge_window, matchable, blocked
  • needs evidence -> submitted, needs_human_review, challenge_window, blocked
  • needs human review -> needs_evidence, challenge_window, matchable, blocked
  • challenge window -> needs_evidence, completion_reviewed, disputed_unresolved, blocked
  • disputed unresolved -> challenge_window, completion_reviewed, blocked
  • matchable -> needs_evidence, challenge_window, blocked
  • completion reviewed -> disputed_unresolved, blocked

Guardrails

  • No global moral ranking
  • Anti-threat baseline
  • No autonomous outreach
  • Privacy redaction required
  • Separate trust axes

Data model contract

Core entities, privacy classes, and relationships are validator-backed.

The audit named the core Moral Trade objects explicitly: participants, profiles, offers, source notes, saved searches, privacy grants, evidence records, disputes, payment updates, notifications, and agreement events. This contract makes those entities inspectable and binds them to public privacy and relationship boundaries.

Data model moral-trade-data-model-v0.1.7-2026-06

Status pass

10 check(s), 0 blocker(s), 58 entity contract(s).

Open data model JSON

Offer fields

  • cause areas
  • offered action
  • requested action
  • expected impact
  • verification method
  • duration
  • exit conditions
  • baseline statement

Privacy classes

  • public contract
  • public preview
  • privacy thresholded public preview
  • public or private by status
  • private authenticated
  • authenticated private

Relationship boundaries

  • profile privacy boundary
  • source note boundary
  • match disclosure boundary
  • review state boundary
  • payment non custody boundary

Contract tests

  • data model profile validator
  • data model entity coverage
  • data model profile json schema
  • offer required field contract
  • source note privacy boundary
  • public data model contract route
  • api contract data model route
  • health data model smoke
  • technical spec data model smoke

identity

Participant

A participant appears publicly only through opted-in profile or offer preview fields.

4 required field(s).

profile

Public profile

Shows broad previews and chosen visibility only; exact wishes, contact details, private source notes, and sensitive constraints stay out.

5 required field(s).

profile

Private wish profile

Never public by default; fields can be summarized only through broad previews or explicit privacy grants.

6 required field(s).

privacy

Profile visibility control

Publishes only the selected visibility level, not the hidden profile fields behind it.

6 required field(s).

privacy

Source connection

Stores consent scope, import mode, and manual summaries only; raw private feeds are not ingested or searched.

7 required field(s).

privacy

Source note

Only coarse source summaries may be disclosed through a valid purpose-bound grant; raw notes remain private.

6 required field(s).

profile

Background wish interview session

Stores deterministic clarification state for the participant only; it does not publish exact wishes, contact details, private answer text, or live public-preview changes.

8 required field(s).

profile

Background wish interview answer

Answer text remains private and encrypted; analytics and match cards receive field keys, option counts, and length buckets rather than exact wishes or source notes.

7 required field(s).

profile

Background wish dialogue session

Stores private fluent-composer workflow state only; natural-language wish text is encrypted in messages, exact wishes stay out of public previews, and matching cannot change until a proposal is explicitly applied.

5 required field(s).

profile

Background wish dialogue message

Message bodies are encrypted private inputs for schema-bound proposals; analytics, public previews, and notifications never receive raw dialogue text or exact wishes.

7 required field(s).

profile

Background wish field proposal

Stores schema-bound broad field proposals and uncertainty flags only; exact wishes, contact details, raw notes, and protected-trait inferences are rejected before apply.

7 required field(s).

privacy

Reviewed background source summary

Stores only a reviewed summary with raw ingestion disabled; raw private feeds, exact requests, contacts, and source notes stay out of public previews and analytics.

9 required field(s).

operations

Background source sync job

Queues reviewed-summary sync work for a viewer-owned source connection; raw private feeds and source payloads are not stored, and revocation cancels queued or retrying jobs.

8 required field(s).

matching

Background profile signal

Derived signals are viewer-owned matching inputs and expose only broad field keys or counts; revoked, expired, or stale source notes stop influencing matching.

9 required field(s).

matching

Saved search

Search terms, offer browse filters, and notification choices remain viewer-owned; public search returns broad previews only.

9 required field(s).

proposal

Trade format

A public taxonomy for pledge swaps, donation offsets, paid actions, and public-good commitments.

4 required field(s).

proposal

Offer

Public offers expose only reviewed or preview-safe terms and must not imply escrow, legal enforceability, tax treatment, or objective moral endorsement.

12 required field(s).

agreement

Pledge swap

Pledge-swap public exposure is limited to reviewed or preview-safe terms and aggregate status; private evidence, contact details, consideration internals, and reviewer notes stay out of public reports.

7 required field(s).

agreement

Purchase envelope

Purchase-envelope records expose only public or aggregate status allowed by the visibility policy; private settlement, payment, provider, and participant evidence details are not public.

7 required field(s).

agreement

Participant action commitment

Participant action commitments reveal only public-safe action status and timing where policy allows; private evidence, contact context, and reviewer notes stay review-scoped.

7 required field(s).

review

Policy evaluation trace

Policy evaluation traces support auditability for private review and payment-impact decisions; public reports expose only redacted or aggregate trace summaries.

7 required field(s).

proposal

Baseline statement

The no-trade baseline is reviewable and challengeable; sensitive details can be summarized or redacted.

6 required field(s).

evidence

Evidence claim

Claims disclose only scoped summaries and confidence; artifacts and private locators stay behind review controls.

7 required field(s).

profile

Participant credibility profile

Private estimate of future pledge-swap completion and evidence reliability; it is not public social proof, a public scoring surface, or a reputation market.

7 required field(s).

review

Credibility event

Append-only private credibility update with non-sensitive participant-visible reasons and correction or appeal events instead of mutable history.

10 required field(s).

evidence

Friend testimonial invite

Private, revocable, expiring invite that reveals only action type, action window, participant context, and the testimonial request to the invited friend.

7 required field(s).

evidence

Friend testimonial

Private third-party evidence by default. Raw testimony, friend identity, relationship context, concern notes, and anti-fraud notes are not shown to funders or public reports.

12 required field(s).

review

Testimonial quality assessment

Reviewer-scoped weighting record that can produce only coarse participant or aggregate summaries.

9 required field(s).

evidence

Opportunity-constrained meal evidence bundle

Private meal-context evidence for optional pledge-swap verification. Public reports may expose only coarse reviewed meal-context use and must suppress cafeteria names, schedules, witness names, relationship details, raw testimony, and private context.

12 required field(s).

evidence

Meal witness testimonial

Private baseline, co-diner/direct-observer, or schedule-constraint testimony. Raw basis text, witness identity, relationship details, venue names, pressure reports, and side-payment concerns are never shown to funders or public reports.

9 required field(s).

review

Opportunity constraint assessment

Reviewer-scoped scorecard for meal-context evidence. Material use can affect verification confidence or additionality only through the frozen policy and cannot retroactively reduce fixed consideration.

18 required field(s).

review

Testimonial credibility event

Append-only private update to a testimonial provider's credibility. It is visible through private correction or appeal paths, not public social proof.

9 required field(s).

review

Credibility appeal

Private correction path for material adverse credibility effects. Public reports do not expose individual credibility appeal details.

6 required field(s).

payment

Testimonial stake policy

Frozen policy for optional capped testimonial integrity stakes. Default requires no monetary stake and negative or concern testimony is free.

8 required field(s).

evidence

Artifact

Artifacts require hashes, scope alignment, and redaction levels before any public reasoning summary references them.

7 required field(s).

provenance

External entity reference

External charities, payment providers, registries, or supplier-like records expose only stable redacted identifiers after registry or reviewer confirmation.

8 required field(s).

provenance

Traceability event

What/where/why event records include explicit what happened, who touched it, and when answers for payment, charity-routing, or external-evidence audits; raw artifacts and private provider payloads remain redacted.

14 required field(s).

provenance

Provenance activity

Activities link submitted, reviewed, and changed records to agents; public summaries omit raw private wishes, contact details, and source notes.

8 required field(s).

provenance

Provenance agent

Participants, counterparties, reviewers, operators, and providers are represented by scoped agent records; public labels require explicit redaction review.

7 required field(s).

provenance

State transition event record

Reliance-bearing status changes require immutable event hashes, agent links, and explicit what happened, who touched it, and when answers; public exposure is limited to redacted status evidence.

10 required field(s).

review

Reviewer decision

Only a narrow public reasoning summary is exposed when safe; private notes and source notes are redacted.

9 required field(s).

review

Challenge

Challenges target specific claims, evidence rows, baselines, disclosure decisions, or policy flags.

7 required field(s).

review

Appeal

Appeals do not reopen unrelated moral disagreements and cannot resolve disputes without human review.

7 required field(s).

review

Dispute

Dispute status may be public; private evidence and affected-party details remain review-scoped.

6 required field(s).

privacy

Privacy grant

Field-level, purpose-bound, stage-bound grants disclose only approved fields and never mutate from public contract reads.

9 required field(s).

matching

Match suggestion

Uses broad previews, privacy policy ids, disclosure stages, and factor codes; exact wishes, source notes, and contact details stay hidden until consent.

11 required field(s).

matching

Background opportunity brief

Shows a participant-owned broad card with factor codes and hidden-field notices; exact wishes, private asks, contact details, and source notes stay in the dashboard until consent.

10 required field(s).

operations

Background helper run

Stores queued helper work and a hashed query fingerprint only; helper runs may prepare opportunity briefs and generic notifications but cannot send autonomous outreach.

9 required field(s).

operations

Background match feedback

Stores closed-code relevance feedback and report reasons for private operations; public transparency uses only thresholded counts and generic labels.

7 required field(s).

matching

Background intro packet

Captures a reviewed next-step request and never sends autonomous outreach or contact details; exact private fields require operator review and consent grants.

8 required field(s).

privacy

Background private overlap tag

Stores blinded exact-tag tokens only; raw tags, canonical tags, free text, exact wishes, and contact details are forbidden.

7 required field(s).

privacy

Background private overlap check

Records only a bucketed overlap result and receipt id after governance gates; public exposure is redacted, and raw matching tags or counterparty tag sets are never exposed.

8 required field(s).

provenance

Transparency receipt

Participant-visible append-only receipt metadata uses redacted payloads and hash chaining; exact wishes, source notes, contact details, and raw tags are excluded.

7 required field(s).

review

Match concierge request

Operator review queue records stay review-scoped; public reporting exposes only aggregate appeal, decline, review-time, and SLA counts without notes, contacts, or private source details.

8 required field(s).

operations

Notification

Notification copy remains generic and omits exact wishes, contact details, source notes, and sensitive constraints.

6 required field(s).

payment

Payment record

Records can reference provider events but do not claim escrow, custody, tax, investment, or legal advice.

7 required field(s).

payment

Payment update

Status updates are evidence inputs, not automatic reviewed completion or custody guarantees.

6 required field(s).

provenance

Agreement event

Immutable event records support auditability; public summaries are redacted and status-scoped.

7 required field(s).

Policy bundle contract

Copilot inputs are concrete registries, not broad application context.

The audit recommends a strict input bundle for any drafting or reviewer-summary assistance. This contract publishes the policy registry, prohibited-pattern registry, factor-code dictionary, verification-method taxonomy, redaction policy, already submitted evidence metadata boundary, and fixed verification loop used before any draft can be treated as matchable.

Policy bundle moral-trade-policy-bundle-v0.1-2026-05

Status pass

9 check(s), 0 blocker(s), 5 prohibited pattern code(s).

Open policy bundle JSON

Strict input bundle

  • structured draft
  • policy registry
  • prohibited pattern registry
  • factor code dictionary
  • verification method taxonomy
  • redaction policy
  • evidence metadata
  • redacted profile pair

Prohibited patterns

  • anti threat baseline
  • prohibited illegal or fraud
  • prohibited doxxing or harassment
  • prohibited political campaign offset
  • newly escalated harmful behavior

Evidence metadata boundary

The copilot review route accepts only redacted metadata for already submitted evidence. Raw artifacts, private notes, contact details, and exact wishes are rejected before they can enter a reviewer-summary packet.

Verification methods

  • Receipt or provider record
  • Public log
  • Attestation
  • Audit or external review
  • Baseline artifact
  • Payment event
  • Manual review

Redaction policy

  • exact private wishes
  • contact details
  • sensitive constraints
  • raw profile notes
  • protected traits
  • ideology or psychology inferences

schema_completeness

Schema completeness check

Blocks matchable status until resolved.

anti_threat

Anti-threat / prohibited-content check

Blocks matchable status until resolved.

baseline_credibility

Baseline credibility check

Blocks matchable status until resolved.

evidence_sufficiency

Evidence sufficiency check

Blocks matchable status until resolved.

externality_trigger

Externality-review trigger check

Routes, explains, or records without granting reliance.

privacy_redaction

Privacy/redaction check

Blocks matchable status until resolved.

match_explanation

Match explanation generation

Routes, explains, or records without granting reliance.

human_review_routing

Human-review routing

Routes, explains, or records without granting reliance.

Release gate contract

Payable and reliance-bearing states fail closed unless first-class gate evidence passes.

Moraltrade60 requires policy snapshots, state interpretation, feature flags, and release-gate requirement results to be reviewable subjects. This contract makes missing, stale, unknown, under-review, or mutable states block launch unless a frozen policy snapshot explicitly marks a control not required for the current stage.

Release gates moral-trade-release-gates-v0.3-2026-06

Status pass

10 check(s), 0 blocker(s), 9 first-class record table(s).

Open release gate JSON

Stage flags

  • demo: moral_trade_demo
  • sandbox calculation: moral_trade_sandbox_calculation
  • reviewed no money manual evidence pilot: moral_trade_reviewed_no_money_manual_evidence_pilot
  • capped real money external crecm module: moral_trade_external_crecm_module
  • donation offset pilot: moral_trade_donation_offsets
  • pledge swap preview only: moral_trade_pledge_swaps
  • pledge swap manual pilot: moral_trade_pledge_swap_manual_pilot
  • public goods preview: moral_trade_public_goods_preview
  • donation offset payable: moral_trade_donation_offset_payable
  • pledge swap reliance manual pilot: moral_trade_pledge_swap_reliance_manual_pilot
  • capped real money release: moral_trade_capped_real_money_release
  • public metric release: moral_trade_public_metric_release

First-class records

  • moral_trade_policy_snapshots
  • moral_trade_state_interpretation_policies
  • moral_trade_release_gates
  • moral_trade_release_gate_requirement_results
  • moral_trade_privileged_action_records
  • moral_trade_participant_confirmation_records
  • moral_trade_consent_quality_records
  • moral_trade_user_facing_status_policies
  • moral_trade_user_facing_status_records

Privileged actions

  • release gate approval
  • policy snapshot approval
  • recipient destination verification
  • private data access grant
  • impact claim publication
  • blocker override
  • manual capture

State interpretation

Missing, unknown, stale, under-review, superseded, unmapped, or mutable states block payable, releasable, reliance-bearing, privacy-disclosing, public-metric, and release-gate transitions unless a frozen policy snapshot explicitly marks the requirement not required for that release stage.

calculation

Dry Run Calculation Bundle

A deterministic dry-run calculation, input bundle hash, excluded-record list, and replay evidence exist before stage promotion.

evidence

Route Health Baseline

Route health, public contract metadata, and baseline response shape are current for the requested release stage.

privacy

Privacy Review

Privacy Review must resolve to a current first-class release_gate_requirement_result or frozen equivalent before this release gate can pass.

safety

Anti Threat Review

Anti Threat Review must resolve to a current first-class release_gate_requirement_result or frozen equivalent before this release gate can pass.

payment

Payment Replay Tests

Payment/provider replay, stale snapshot, wrong-account, idempotency, and server-time tests pass before money can move.

review

Provider Source Authentication Test

Provider webhooks, third-party evidence feeds, identity checks, payment-rail checks, and destination-verification feeds are source-authenticated before they can change marketplace state.

review

Marketplace State Event Append Only Test

Agreement, payment, evidence, dispute, and blocker state changes use append-only marketplace_state_event records; terminal states cannot be silently reopened.

evidence

Evidence Challenge Tests

Evidence Challenge Tests must resolve to a current first-class release_gate_requirement_result or frozen equivalent before this release gate can pass.

Participant confirmation contract

Confirmations are first-class, hash-backed records before reliance or money movement.

Moraltrade60 treats checkboxes and parent-object summaries as insufficient. This contract binds each confirmation to a participant, frozen baseline, terms snapshot, policy snapshot bundle, maximum exposure, notice state, consent-quality state, and exact scope before routing, clearing, capture, payout release, privacy disclosure, or material-term changes can proceed.

Participant confirmations moral-trade-participant-confirmations-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 2 first-class record table(s).

Open confirmation JSON

Confirmation scopes

  • budget activation
  • round lock
  • final lock
  • cleared agreement
  • renewed material change
  • project set change approval
  • payment capture
  • payout release
  • privacy disclosure
  • exposure increase

First-class records

  • moral_trade_participant_confirmation_records
  • moral_trade_consent_quality_records

Fail-closed statuses

  • draft
  • missing
  • expired
  • revoked
  • superseded
  • stale

Required hashes

  • baselineHash
  • confirmationHash
  • policySnapshotBundleHash
  • termsSnapshotHash

Participant eligibility contract

Eligibility is reviewed before money, reliance, clearing, or countable support.

Moraltrade60 requires identity, human-uniqueness, legal-capacity, sanctions, payment-rail, jurisdiction, source-authentication, and private-artifact handling checks before real-money or reliance-bearing flow. The contract keeps raw identity artifacts private and prevents eligibility or Sybil signals from becoming public moral reputation.

Participant eligibility moral-trade-participant-eligibility-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 3 first-class record table(s).

Open eligibility JSON

Gated transitions

  • non money preview
  • counted support
  • matching clearing
  • matched trade lock
  • payment authorization
  • payment capture
  • payout release
  • reliance bearing agreement
  • public support metric release
  • release gate promotion

Review dimensions

  • identity verification
  • human uniqueness sybil
  • legal capacity
  • sanctions screening
  • payment rail eligibility
  • jurisdictional eligibility
  • source authentication
  • raw identity artifact handling

First-class records

  • moral_trade_participant_eligibility_records
  • moral_trade_participant_eligibility_reviews
  • moral_trade_identity_artifact_references

Fail-closed statuses

  • missing
  • under review
  • failed
  • stale
  • identity unverified
  • sybil risk
  • legal capacity blocked
  • sanctions potential match
  • sanctions blocked
  • payment rail blocked
  • jurisdiction blocked
  • source unauthenticated
  • artifact handling unverified
  • superseded

Account security contract

High-risk participant actions require policy-backed account checks.

Moraltrade60 says confirmations, payment-method changes, payout approvals, privacy grants, identity-artifact changes, and contact introductions cannot rely on an authenticated browser session alone. This contract makes frozen account-security policies and account-security events first-class blockers before money, reliance, private disclosure, or exposure increases can proceed.

Account security moral-trade-account-security-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 2 first-class record table(s).

Open account-security JSON

High-risk actions

  • payment method change
  • participant confirmation
  • payment authorization
  • payment capture
  • payout release
  • privacy grant
  • identity artifact change
  • contact introduction
  • account recovery
  • email change
  • mfa change
  • exposure increase
  • reliance bearing agreement

Event types

  • login
  • password change
  • new device
  • session anomaly
  • payment method change
  • email change
  • mfa change
  • account recovery
  • identity artifact change
  • participant identity change
  • step up passed
  • step up failed
  • manual review

First-class records

  • moral_trade_account_security_policies
  • moral_trade_account_security_events

Fail-closed statuses

  • policy missing
  • policy mutable
  • policy stale
  • policy superseded
  • event missing
  • event stale
  • high risk event open
  • blocked risk state
  • step up required
  • step up failed
  • notice missing
  • cooldown active
  • manual review required
  • trusted device required
  • invalid event hash
  • invalid participant hash
  • account recovery block

Reviewer quality contract

Reviewer decisions are authorized, scoped, conflict-checked, and audit-sampled before reliance.

Moraltrade60 treats reviewer judgment as a governed input, not an implicit approval source. This contract requires frozen reviewer-quality policy snapshots, type-specific authorization, conflict checks, calibration, second review where required, audit sampling, and explicit rejection of default approvals or speed-driven private-data disclosure.

Reviewer quality moral-trade-reviewer-quality-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 3 first-class record table(s).

Open reviewer-quality JSON

Review types

  • matching clearing
  • release gate approval
  • recipient destination verification
  • privacy grant approval
  • evidence acceptance
  • impact claim publication
  • appeal resolution
  • incident closure
  • payout release
  • blocker override

First-class records

  • moral_trade_reviewer_quality_policies
  • moral_trade_review_quality_audits
  • moral_trade_review_decisions

Fail-closed statuses

  • policy missing
  • policy mutable
  • policy stale
  • policy superseded
  • decision missing
  • decision stale
  • decision superseded
  • reviewer authorization missing
  • reviewer authorization stale
  • reviewer out of scope
  • reviewer suspended
  • conflict missing
  • conflict unresolved
  • conflict blocking
  • calibration missing
  • calibration failed
  • second review missing
  • audit missing
  • audit failed
  • audit stale
  • default approval detected
  • review speed override detected
  • invalid reviewer hash
  • invalid decision hash
  • invalid audit hash

Policy subjects

  • reviewer quality

Anti-enumeration contract

Discovery surfaces must not become an oracle for hidden offers, rare views, or exact willingness.

Moraltrade60 requires search, browse, preview generation, invite-link creation, match-candidate browsing, and transparency reporting to use frozen anti-enumeration policies. This contract binds those surfaces to stable query fingerprints, bucketed result counts, sparse-result suppression, timing-equalized responses where configured, discovery access-event logs, and repeated-probe audits without publishing raw query text, exact counts, private wishes, rare clusters, or exact constraints.

Anti-enumeration moral-trade-anti-enumeration-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 3 first-class record table(s).

Open anti-enumeration JSON

Discovery surfaces

  • public search
  • signed in search
  • public browse
  • preview generation
  • invite link creation
  • match candidate browsing
  • transparency report

First-class records

  • moral_trade_anti_enumeration_policies
  • moral_trade_discovery_access_events
  • moral_trade_discovery_probe_audits

Fail-closed statuses

  • policy missing
  • policy mutable
  • policy stale
  • policy superseded
  • access event missing
  • access event stale
  • access event superseded
  • query fingerprint missing
  • raw query logged
  • exact result count exposed
  • bucketed result count missing
  • sparse suppression missing
  • timing equalization missing
  • rate limit missing
  • repeated probe budget exceeded
  • audit missing
  • audit failed
  • audit stale
  • incident escalation missing
  • invalid policy hash
  • invalid event hash
  • invalid audit hash

Count buckets

  • zero
  • one or two suppressed
  • three to nine
  • ten to forty nine
  • fifty plus
  • not returned

Privacy-governance contract

Private facts require a current grant, review, and reconstructible access log before disclosure.

Moraltrade60 requires exact wishes, contact details, sensitive constraints, raw source notes, and private evidence to move only through explicit, revocable privacy grants and audited access logs. This contract separates reviewer access, counterparty previews, contact introductions, evidence review, profile export, and redacted public publication, while keeping raw private artifacts, access paths, reviewer notes, and participant-specific access records out of the public contract surface.

Privacy governance moral-trade-privacy-governance-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 3 first-class record table(s).

Open privacy-governance JSON

Disclosure surfaces

  • reviewer access
  • counterparty preview
  • contact introduction
  • evidence review
  • profile export
  • public redacted publication

First-class records

  • moral_trade_privacy_grant_policies
  • moral_trade_privacy_access_logs
  • moral_trade_privacy_disclosure_reviews

Existing grant ledger

  • privacy_grants

Fail-closed statuses

  • policy missing
  • policy mutable
  • policy stale
  • policy superseded
  • grant missing
  • grant not granted
  • grant revoked
  • grant expired
  • grant superseded
  • grant scope mismatch
  • grant purpose missing
  • grant expiry missing
  • grant hash invalid
  • access log missing
  • access log stale
  • access log superseded
  • purpose limit missing
  • role limit missing
  • raw private artifact returned
  • private data returned without allowed decision
  • counterparty disclosure without grant
  • public disclosure without redaction policy
  • redaction missing
  • review missing
  • review failed
  • review stale
  • confidentiality review missing
  • data security unresolved
  • reviewer quality missing
  • account security missing
  • participant confirmation missing
  • external authority missing
  • invalid access hash
  • invalid review hash
  • invalid policy hash

Impact-claim contract

Transfers, payouts, and sponsor leverage cannot be published as causal impact.

Moraltrade60 requires gross transferred amount, net recipient payout, sponsor leverage, moral-trade volume, outcome, cost-effectiveness, and moral-value claims to stay distinct. This contract makes impact claims first-class reviewed records with frozen methodology, claim-typed evidence, uncertainty disclosure, moderation, reviewer-quality checks, privileged publication approval, and audit/public-metric controls before public impact publication.

Impact claims moral-trade-impact-claims-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 2 first-class record table(s).

Open impact-claim JSON

Claim types

  • transfer metric
  • payout metric
  • sponsor leverage metric
  • outcome claim
  • cost effectiveness claim
  • causal impact claim
  • moral value claim

Evidence types

  • payment receipt
  • destination verification
  • transfer metric
  • impact outcome
  • impact methodology
  • uncertainty analysis
  • cost denominator

First-class records

  • moral_trade_impact_claim_methodology_policies
  • moral_trade_impact_claim_records

Fail-closed statuses

  • methodology policy missing
  • methodology policy mutable
  • methodology policy stale
  • methodology policy superseded
  • impact claim record missing
  • impact claim not reviewed
  • impact claim under review
  • impact claim failed
  • impact claim stale
  • impact claim superseded
  • methodology policy ref missing
  • evidence refs missing
  • evidence claim type mismatch
  • uncertainty disclosure missing
  • transfer vs impact label missing
  • transfer metric used as impact
  • payment evidence used as impact
  • content moderation missing
  • reviewer quality missing
  • privileged action missing
  • audit integrity missing
  • public metric suppression missing
  • private evidence public
  • invalid policy hash
  • invalid claim hash

Matching-clearing contract

Payable or reliance-bearing clearing requires a frozen deterministic run and final matched lock.

Moraltrade60 requires donation-offset batches, pledge-swap previews, broad match-candidate generation, and public-goods clearing to reference reproducible matching-clearing runs before any obligation is payable, reliance-bearing, or counted as complete. The contract also requires matched-trade lock proposals with exact terms, fresh final confirmations, ratio bounds, baseline snapshots, verified destinations, commitment reservations, and atomic settlement groups.

Matching clearing moral-trade-matching-clearing-v0.1-2026-06

Status pass

10 check(s), 0 blocker(s), 1 execution record table(s).

Open matching-clearing JSON

Flow types

  • donation offset batch
  • pledge swap preview
  • broad match candidate
  • public goods round

First-class records

  • moral_trade_matching_clearing_runs
  • moral_trade_matched_trade_lock_proposals
  • moral_trade_matching_clearing_reproducibility_checks

Run and lock statuses

  • run: draft
  • run: dry run
  • run: reviewed
  • run: blocked
  • run: locked
  • run: superseded
  • run: expired
  • proposal: draft
  • proposal: participant review
  • proposal: confirmed
  • proposal: locked
  • proposal: declined
  • proposal: expired
  • proposal: superseded
  • proposal: blocked

Execution route

  • POST /api/moral-trade/matching-clearing/execute
  • authenticated
  • append only execution record

Execution records

  • moral_trade_matching_clearing_execution_records

Fail-closed statuses

  • run missing
  • algorithm version missing
  • deterministic algorithm missing
  • input bundle hash missing
  • input bundle hash invalid
  • privacy policy missing
  • state interpretation policy missing
  • excluded records missing
  • excluded records hash invalid
  • result hash missing
  • result hash invalid
  • run not reviewed
  • run blocked
  • run stale
  • run superseded
  • manual override unapproved
  • database order matching
  • hidden match reasoning
  • payable without run
  • reliance without run
  • reproducibility check missing
  • reproducibility check failed
  • lock proposal missing
  • lock proposal not current
  • lock proposal stale
  • lock proposal superseded
  • lock terms hash missing
  • lock terms hash invalid
  • counterparty bucket hash missing
  • matched volume hash missing
  • participant confirmation missing
  • participant confirmation stale
  • participant confirmation scope mismatch
  • ratio bounds failed
  • baseline snapshot missing
  • destination verification missing
  • commitment reservation missing
  • atomic settlement missing
  • fallback terms hash missing
  • evidence standard hash missing
  • private counterparty data public
  • invalid run hash
  • invalid proposal hash

Clearing preview contract

Donation-offset and pledge-swap previews show why a match candidate is not yet a deal.

Moraltrade60 requires offset and pledge-swap previews to show the no-trade comparison, matched volume, ratio bounds, residual handling, commitment reservation, atomic settlement, destination verification, safety reviews, policy snapshots, final-lock confirmation state, and pledge performance terms where relevant. This contract keeps those previews non-capture and non-reliance-bearing until every required control is frozen and non-blocking.

Clearing previews moral-trade-clearing-preview-v0.15-2026-06

Status pass

8 check(s), 0 blocker(s), 1 first-class record table(s).

No capture, no reliance

Tracks

  • donation offset
  • pledge swap

Preview sections

  • matching run
  • batch clearing objective
  • template and review admission
  • baseline comparison
  • ratio and residual
  • commitment reservation
  • atomic settlement
  • direct pair or batch mode
  • cause bucket taxonomy
  • resource compatibility
  • net offset accounting
  • offer validity
  • private exchange rate
  • option preference and burden
  • assumptions and bargaining
  • side constraints and process
  • risk control pack
  • noncompensable blockers
  • sensitive evidence attestations
  • market simulation and pilot evidence
  • final lock
  • destination and tax
  • externality and safety
  • classification and assessments
  • recipient ai boundaries
  • subsidy governance
  • privacy and policy
  • pledge performance terms
  • micro pledge unit policy
  • pledge performance bond

Control statuses

  • matching clearing run
  • input bundle hash
  • result hash
  • reproducibility check
  • batch clearing objective
  • final lock proposal
  • participant confirmation
  • baseline snapshot
  • baseline integrity
  • ratio bounds
  • commitment reservation
  • double count

Execution route

  • POST /api/moral-trade/clearing-previews/execute
  • authenticated
  • append only preview record

First-class records

  • moral_trade_clearing_preview_records

Sample previews

  • donation offset: preview ready
  • pledge swap: blocked preview only

Baseline-integrity contract

Manufactured or escalated baselines stay preview-only until review is non-blocking.

Moraltrade60 requires donation offsets, pledge swaps, broad match candidates, public-goods rounds, and post-lock amendments to separate action evidence, baseline good faith, confidence, baseline integrity, additionality, and externality review. This contract blocks clearable or reliance-bearing launch when a baseline was marketplace-created, marketplace-escalated, or triggered by counterparties after entering the marketplace.

Baseline integrity moral-trade-baseline-integrity-v0.1-2026-06

Status pass

12 check(s), 0 blocker(s), 2 first-class record table(s), 1 enforcement table(s).

Open baseline-integrity JSON

Authenticated baseline-integrity enforcement writes only owner-scoped append-only enforcement records. Enforcement records can prove pass or blocked gate status, but they cannot create clearable transitions, authorize payment, authorize reliance, or publish public metrics.

Transitions

  • donation offset lock
  • pledge swap lock
  • broad match candidate
  • public goods round
  • post lock amendment

First-class records

  • moral_trade_baseline_integrity_policies
  • moral_trade_baseline_integrity_assessments

Enforcement

  • moral_trade_baseline_integrity_enforcement_records
  • POST /api/moral-trade/baseline-integrity/enforce

Assessment states

  • not required
  • under review
  • non blocking
  • blocked
  • superseded
  • stale

Fail-closed statuses

  • assessment missing
  • assessment under review
  • assessment blocked
  • assessment stale
  • assessment superseded
  • launch classification not clearable
  • policy missing
  • policy mutable
  • policy stale
  • policy superseded
  • baseline snapshot missing
  • baseline predates offer unverified
  • independent reason missing
  • history evidence missing
  • marketplace created baseline
  • marketplace escalated baseline
  • counterparty triggered escalation
  • harmful baseline escalated
  • good faith confidence conflated
  • additionality review missing
  • externality review missing
  • reviewer quality missing
  • participant confirmation missing
  • private evidence public
  • invalid assessment hash
  • invalid policy hash

Agreement-amendment contract

Locked donation offsets and pledge swaps cannot be changed by editing parent records.

Moraltrade60 requires post-lock material changes to use append-only agreement-amendment records, before/after terms hashes, policy-snapshot bundles, renewed confirmations from affected participants, notice, reviewer-quality checks, baseline-integrity checks, and neutral review when burdens or benefits shift. This contract blocks retroactive performance changes, evidence retyping, exposure increases, fund redirects, compensation changes, narrowed cancellation rights, and privacy or donor-of-record changes without the required controls.

Agreement amendments moral-trade-agreement-amendments-v0.1-2026-06

Status pass

12 check(s), 0 blocker(s), 2 first-class record table(s), 1 enforcement table(s).

Open agreement-amendment JSON

Authenticated agreement-amendment enforcement writes only owner-scoped append-only enforcement records. Enforcement records can prove pass or blocked gate status, but they cannot apply amendments, edit parent records, authorize material changes, authorize payment, authorize reliance, or publish public metrics.

Transitions

  • donation offset material change
  • pledge swap material change
  • post lock correction
  • pause or early termination
  • evidence standard change
  • destination change

First-class records

  • moral_trade_agreement_amendment_policies
  • moral_trade_agreement_amendment_records

Enforcement

  • moral_trade_agreement_amendment_enforcement_records
  • POST /api/moral-trade/agreement-amendments/enforce

Amendment types

  • correction
  • mutual modification
  • pause
  • early termination
  • evidence standard change
  • schedule change
  • compensation change
  • destination change
  • baseline correction
  • privacy change
  • other

Fail-closed statuses

  • policy missing
  • policy mutable
  • policy stale
  • policy superseded
  • amendment missing
  • amendment unconfirmed
  • amendment not approved
  • amendment not applied
  • amendment rejected or withdrawn
  • amendment stale
  • amendment superseded
  • parent record edit detected
  • retroactive performance change
  • evidence claim retyped
  • exposure increase without confirmation
  • funds redirect without confirmation
  • compensation change without confirmation
  • cancellation rights narrowed
  • privacy change without confirmation
  • donor of record change without confirmation
  • third party obligation change without confirmation
  • renewed confirmation missing
  • renewed confirmation stale
  • participant confirmation scope mismatch
  • neutral review missing
  • notice missing
  • reviewer quality missing
  • baseline integrity missing
  • before terms hash missing
  • after terms hash missing
  • policy snapshot bundle missing
  • invalid amendment hash
  • invalid policy hash

Production readiness contract

Operational records block money, privacy, metrics, and privileged changes when stale.

Moraltrade60 requires account security, backup recovery, deployment configuration, migration safety, environment isolation, reconciliation, audit integrity, and data-security controls before high-risk transitions. This contract publishes the required record families and fail-closed statuses without exposing private operational evidence.

Production readiness moral-trade-production-readiness-v0.1-2026-06

Status pass

7 check(s), 0 blocker(s), 17 first-class record table(s).

Open readiness JSON

Controls

  • account security
  • backup recovery
  • deployment configuration
  • schema migration
  • environment data isolation
  • financial reconciliation
  • audit integrity
  • data security key management

Gated transitions

  • sandbox calculation preview
  • real money capture
  • payout release
  • round close
  • public money metric release
  • privacy disclosure
  • release gate promotion
  • non emergency privileged change

Fail-closed statuses

  • missing
  • failed
  • stale
  • under review
  • drift detected
  • unverified
  • restore failed
  • variance unresolved
  • high risk event open

Policy subjects

  • account security
  • backup recovery
  • deployment release
  • configuration snapshot
  • schema migration
  • environment data isolation
  • financial reconciliation
  • audit integrity
  • data security

account_security

Account security and step-up blockers

Password, email, MFA, session, payment-method, identity, and recovery risk events must be non-blocking before confirmations, capture, release, privacy disclosure, or exposure increases.

backup_recovery

Backup and restore-test checkpoint

Recoverability must preserve audit chains, key-version references, legal holds, redactions, and append-only state before release promotion or public money claims.

deployment_release

Deployment, dependency, environment, provider, and feature-flag provenance

Code artifact, lockfile, environment configuration, provider account, payment mode, feature flags, and policy bundle must match the reviewed release record.

schema_migration

Schema migration dry-run and rollback safety

Migrations and backfills that can alter baselines, confirmations, evidence, ledgers, privacy grants, policy snapshots, reviewer decisions, payment state, or audit chains need dry-run hashes, count checks, and rollback or forward-fix evidence.

environment_data_isolation

Demo, sandbox, test, staging, and live data isolation

Demo records, worked examples, sandbox provider events, synthetic identities, and dry-run allocation outputs must not count toward live thresholds, supporter counts, QF signal, payout totals, sponsor leverage, moral-trade volume, or completed agreements.

financial_reconciliation

Financial reconciliation and settlement matching

Authorizations, captures, refunds, fees, sponsor funds, payout releases, provider settlement records, and internal ledger entries must reconcile before payout release, round close, or public money claims.

Recipient and destination contract

Free-text recipient details cannot authorize capture, payout, reuse, or public money claims.

Moraltrade60 requires verified recipient registry entries and verified payment destinations before real-money or reliance-bearing transitions. This contract publishes the fail-closed review dimensions, table names, and transition rules while keeping raw bank details, wallet addresses, donation links, and reviewer notes out of the public surface.

Recipient destinations moral-trade-recipient-destination-v0.1-2026-06

Status pass

7 check(s), 0 blocker(s), 3 first-class record table(s).

Open destination JSON

Gated transitions

  • non money preview
  • matched trade lock
  • payment capture
  • payout release
  • recipient reuse
  • public money metric release
  • release gate promotion

Review dimensions

  • recipient identity
  • destination identity
  • anti impersonation
  • jurisdiction
  • prohibited use
  • payment rail
  • authority to receive
  • source authentication

First-class records

  • moral_trade_recipient_registry_entries
  • moral_trade_payment_destinations
  • moral_trade_recipient_destination_reviews

Fail-closed statuses

  • missing
  • under review
  • failed
  • stale
  • impersonation risk
  • jurisdiction blocked
  • prohibited use blocked
  • superseded

Recipient acceptance

Recipient acceptance and adverse-association reviews gate locks, money movement, public metrics, and release promotion.

Moraltrade68 requires recipient acceptance and adverse-association blocking before clearing previews become reliance-bearing. This contract publishes transition gates, visible recipient statuses, risk classes, and table names while excluding recipient private notes, donor private terms, raw adverse-association evidence, expanded recipient identities, private donor reasons, and reviewer notes.

Recipient acceptance moral-trade-recipient-acceptance-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 3 first-class record table(s).

Open acceptance JSON

Gated transitions

  • non money preview
  • recipient listing publication
  • matched trade lock
  • payment authorization
  • payment capture
  • payout release
  • public metric publication
  • release gate promotion

Visible statuses

  • preview only
  • recipient pending
  • recipient accepted
  • accepted with conditions
  • adverse association review
  • declined or blocked
  • expired stale

Adverse association

  • not required for stage
  • cleared
  • mitigated
  • under review
  • disclosed nonblocking
  • unresolved
  • severe
  • recipient declined
  • stale
  • expired
  • superseded
  • blocked

First-class records

  • moral_trade_recipient_acceptance_policies
  • moral_trade_recipient_acceptance_records
  • moral_trade_adverse_association_reviews

Privacy boundary

Public surfaces may expose table names, status categories, transition rules, risk-class buckets, and sample statuses only. They must not expose recipient private notes, donor private terms, raw adverse-association evidence, expanded recipient identities, reviewer notes, private donor reasons, payment details, raw provider payloads, or participant-specific acceptance records.

AI preference elicitation

AI can draft preference structure, but cannot authorize matching, disclosure, payment, public metrics, or state changes.

Moraltrade68 allows AI assistance for baselines, caps, side constraints, empirical assumptions, cause buckets, evidence preferences, fallback rules, and manual-review structure. The output must become user-edited structured input and be confirmed by a participant or reviewer before it can affect matching, clearing, disclosure, payment, public metrics, or release promotion.

AI preference elicitation moral-trade-ai-preference-elicitation-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 2 first-class record table(s).

Open AI boundary JSON

Gated transitions

  • draft preference elicitation
  • structured input conversion
  • match candidate preview
  • matched trade lock
  • clearing run input
  • counterparty disclosure
  • payment authorization
  • payment capture
  • public metric publication
  • release gate promotion

Scopes

  • baseline
  • caps
  • side constraints
  • empirical assumptions
  • cause buckets
  • evidence preferences
  • fallback rules
  • manual review

Elicitation states

  • sandbox
  • user reviewed
  • converted to structured input
  • discarded
  • blocked
  • superseded

First-class records

  • moral_trade_ai_preference_elicitation_policies
  • moral_trade_ai_preference_elicitation_records

Privacy boundary

Public surfaces may expose table names, scopes, transition rules, blocker categories, and sample statuses only. They must not expose raw prompts, raw AI outputs, hidden willingness-to-pay estimates, hidden negotiation moves, private participant notes, reviewer notes, private disclosure candidates, payment details, or participant-specific elicitation records.

Post-clear audit

Public metrics and release promotion require current post-clear audit status when sampling is required.

Moraltrade68 requires privacy-safe post-clear audit sampling after completed non-public-goods pilots. The audit checks baselines, evidence, recipient acceptance, disclosure, payment state, classification, and term sheets against the frozen record without creating public moral reputation or retroactive obligations outside the locked term sheet.

Post-clear audit moral-trade-post-clear-audit-v0.1-2026-06

Status pass

10 check(s), 0 blocker(s), 2 first-class record table(s).

Open audit JSON

Gated transitions

  • post clear sampling assignment
  • audit record review
  • corrective action resolution
  • payment reconciliation close
  • payout release
  • public metric publication
  • release gate promotion

Audit types

  • random sample
  • risk triggered
  • dispute triggered
  • payment triggered
  • evidence triggered
  • recipient triggered
  • classification triggered
  • manual review

Audit states

  • pending
  • passed
  • failed
  • corrective action open
  • closed
  • superseded

First-class records

  • moral_trade_post_clear_audit_policies
  • moral_trade_post_clear_audit_records

Privacy boundary

Public surfaces may expose table names, subject types, audit types, match-state categories, transition rules, blocker categories, and sample statuses only. They must not expose raw payment evidence, private counterparty terms, reviewer notes, raw reconciliation rows, raw provider payloads, participant-specific audit rows, private evidence artifacts, or public moral reputation scores.

Subsidy governance

Sponsor-funded subsidies are mechanism support, not moral-trade volume or impact.

Moraltrade68 allows sponsor-funded non-public-goods subsidies only as governed bridge mechanisms for low-risk donation-offset tiers. The subsidy pool and schedule must freeze source review, conflict review, eligibility, caps, allocation schedule, public disclosure level, and refund or carry-forward handling before lock, payment, public metrics, or release promotion.

Subsidy governance moral-trade-non-public-goods-subsidy-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 2 first-class record table(s).

Open subsidy JSON

Gated transitions

  • subsidy pool activation
  • subsidy schedule preview
  • subsidy schedule reservation
  • matched trade lock
  • payment authorization
  • payment capture
  • public metric publication
  • release gate promotion
  • subsidy refund or carry forward

Allowed launch tier

  • tier 1 money only donation offset

Source and conflict states

  • not started
  • under review
  • non blocking
  • blocked
  • manual review
  • superseded

First-class records

  • moral_trade_non_public_goods_subsidy_pools
  • moral_trade_subsidy_schedule_records

Metric exclusion

Subsidy dollars must be excluded from participant moral-trade volume, direct counted contribution, impact claims, and counterparty-distinctness metrics. They may be reported only as mechanism support under the frozen public disclosure policy.

Privacy boundary

Public subsidy surfaces may expose only coarse disclosure level, cap status, eligibility status, and aggregate mechanism-support amounts. Sponsor identity hashes, private source details, raw eligibility inputs, participant-specific subsidy rows, private sponsor terms, and reviewer notes stay private unless a separate privacy grant and disclosure policy authorize a bounded release.

Direct-pair clearing

Direct-pair mode is a reviewed two-party path, not autonomous outreach.

Moraltrade68 allows a known or invite-linked counterparty path for low-liquidity donation-offset and pledge-swap previews. The direct-pair record must freeze the pair, terms, policy, confirmations, privacy grants, user-safety state, and ordinary lock/review/payment/privacy gates before lock, capture, public metrics, or release promotion can rely on it.

Direct-pair clearing moral-trade-direct-pair-clearing-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 1 first-class record table(s).

Open direct-pair JSON

Gated transitions

  • direct pair preview
  • matched trade lock
  • payment authorization
  • payment capture
  • public metric publication
  • release gate promotion

Launch trade types

  • donation offset
  • pledge swap

Direct-pair states

  • draft
  • invited
  • previewed
  • both confirmed
  • locked
  • expired
  • withdrawn
  • superseded
  • blocked

First-class records

  • moral_trade_direct_pair_clearing_records

No autonomous outreach

Direct-pair mode may use a user-supplied known counterparty or invite-linked pair, but the platform must not perform autonomous outreach, scrape contacts, disclose contact details, or convert a broad preview into a contacted counterparty.

Privacy boundary

Public direct-pair surfaces may show only coarse direct-pair or batch mode, invitation/known-counterparty status, confirmation status, and ordinary-gate status. Counterparty identity, direct contact details, exact caps, private notes, private surplus estimates, source hashes, and reviewer notes stay private unless a frozen disclosure policy, privacy grant, user-safety review, and participant confirmation allow bounded disclosure.

Cause-bucket taxonomy

Cause buckets are reviewed coordination labels, not moral rankings.

Moraltrade68 requires versioned, plural-reviewed buckets for offered causes, opposed causes, compromise destinations, action buckets, and counterparty buckets. Assignments cannot affect counterparty distinctness, classification, clearing, public metrics, or release gates when they are stale, disputed, protected-trait proxies, or inferred ideology or psychology labels.

Cause-bucket taxonomy moral-trade-cause-bucket-taxonomy-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 2 first-class record table(s).

Open cause-bucket JSON

Gated transitions

  • draft preview
  • match candidate generation
  • matched trade lock
  • clearing run
  • public metric publication
  • release gate promotion

Taxonomy types

  • offered cause
  • opposed cause
  • compromise destination
  • action bucket
  • counterparty bucket
  • manual review

Assignment states

  • draft
  • previewed
  • locked
  • disputed
  • superseded
  • blocked

First-class records

  • moral_trade_cause_bucket_taxonomies
  • moral_trade_cause_bucket_assignments

Non-ranking rule

Cause buckets are coordination labels, not moral rankings, ideology labels, reputation scores, cause-price tables, or platform-endorsed moral value judgments.

Material change

A taxonomy change after preview is material when it can affect counterparty distinctness, trade classification, clearing ratio, clearing eligibility, or eligible counterparties; the trade then needs a renewed preview and participant confirmation before lock, clearing, payment, public metrics, or release promotion.

Privacy boundary

Public surfaces may show only coarse bucket codes, taxonomy version, public summary hash, and status categories. They must not expose participant identity hashes, raw private cause narratives, protected-trait facts, inferred ideology, inferred psychology, reviewer notes, or participant-specific assignment rows.

Resource compatibility

Joint feasibility blocks trades that only repackage conflicts.

Moraltrade68 requires a resource-compatibility assessment before non-public-goods trades can lock, clear, capture, count publicly, or promote release gates. The assessment checks actions, donations, abstentions, destinations, timing, duties, and control claims for mutual feasibility, zero-sum relabeling, and third-party control conflicts.

Resource compatibility moral-trade-resource-compatibility-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 1 first-class record table(s).

Open compatibility JSON

Gated transitions

  • draft preview
  • match candidate generation
  • matched trade lock
  • clearing run
  • payment capture
  • public metric publication
  • release gate promotion

Conflict types

  • none disclosed
  • mutually exclusive resource
  • mutually exclusive action
  • incompatible destination
  • incompatible timing
  • zero sum control claim
  • third party control conflict
  • manual review
  • unknown

Feasibility states

  • feasible
  • feasible with conditions
  • under review
  • infeasible blocking
  • disputed
  • manual review
  • superseded

First-class records

  • moral_trade_resource_compatibility_assessments

Zero-sum conflict rule

A trade cannot clear merely because each party likes some part of it when the asserted gain comes from both parties claiming the same scarce control right, blocking each other's action, incompatible timing or destination, or relabeling a zero-sum conflict as a compromise.

Privacy boundary

Public surfaces may expose only coarse compatibility status categories, subject type, conflict class, and contract version. They must not expose participant identity hashes, private duties or constraints, private resource claims, reviewer notes, third-party control facts, raw side agreements, or participant-specific assessment rows.

Net-offset accounting

Gross transfers cannot masquerade as net moral-trade volume.

Moraltrade68 requires donation-offset volume to be net of the opposed action that was actually canceled or redirected. Before volume, completion, public metrics, or release promotion can count, the record must distinguish baseline opposed action, matched canceled amount, compromise transfer, sponsor or match amount, residual opposed action, substitution-channel status, and evidence standard.

Net-offset accounting moral-trade-net-offset-accounting-v0.1-2026-06

Status pass

10 check(s), 0 blocker(s), 1 first-class record table(s).

Open net-offset JSON

Gated transitions

  • draft preview
  • match candidate generation
  • matched trade lock
  • clearing run
  • payment capture
  • public metric publication
  • release gate promotion

Baseline action types

  • donation
  • abstention
  • advocacy
  • purchase
  • service use
  • other
  • unknown

Residual policies

  • allowed if disclosed
  • blocks clearance
  • manual review
  • not applicable

First-class records

  • moral_trade_net_offset_accounting_records

Gross-volume exclusion

Gross compromise donations, sponsor matches, payment evidence, or public matched volume cannot count as moral-trade volume unless the baseline opposed action, matched canceled amount, residual opposed action, substitution-channel state, and evidence standard are recorded under immutable policy.

Privacy boundary

Public surfaces may expose coarse net-offset status and aggregate safe totals, but never participant identity hashes, private baseline details, substitution-channel details, private evidence, reviewer notes, or participant-specific accounting rows.

Offer validity

Stale offers require renewed preview and confirmation.

Moraltrade68 requires donation-offset and pledge-swap offers to expire or renew when baselines, empirical assumptions, evidence standards, payment methods, jurisdictions, destinations, or counterparty buckets become stale. Matching, lock, capture, reliance, public completion, and release promotion all fail closed without a current offer-validity record.

Offer validity moral-trade-offer-validity-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 1 first-class record table(s).

Open validity JSON

Gated transitions

  • draft preview
  • live offer publication
  • match candidate generation
  • matched trade lock
  • payment capture
  • reliance
  • public completion count
  • release gate promotion

Stale reason codes

  • baseline snapshot stale
  • terms snapshot stale
  • empirical assumption stale
  • evidence standard stale
  • payment method stale
  • jurisdiction stale
  • recipient destination stale
  • counterparty bucket stale
  • validity window expired
  • renewal confirmation missing

Validity states

  • draft
  • valid
  • stale
  • expired
  • renewed
  • withdrawn
  • superseded
  • blocked

First-class records

  • moral_trade_offer_validity_records

Validity-window rule

Counterfactual trust decays over time. Stale or expired baselines, empirical assumptions, evidence standards, payment methods, jurisdictions, destinations, or counterparty buckets require renewed preview and renewed participant confirmation before matching, lock, capture, reliance, public completion, or release promotion.

Private exchange-rate quotes

Participant quote terms stay private rather than becoming moral prices.

Moraltrade68 requires clearing ratios, side payments, counterpart volumes, and implied cause tradeoffs to remain participant-owned terms for a frozen proposal. Public surfaces may say a trade cleared within participant bounds, but cannot publish cause-price tables, moral exchange-rate charts, exact willingness-to-trade terms, or moral-value inferences from private quote records.

Private exchange-rate quotes moral-trade-private-exchange-rate-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 1 first-class record table(s).

Open quote JSON

Gated transitions

  • draft preview
  • match candidate generation
  • matched trade lock
  • clearing run
  • payment capture
  • reliance
  • public metric publication
  • release gate promotion

Quote types

  • clearing ratio bound
  • side payment bound
  • counterpart volume bound
  • action money tradeoff
  • empirical effectiveness tradeoff
  • manual review

Disclosure scopes

  • participant only
  • reviewer only
  • counterparty band only
  • public suppressed

First-class records

  • moral_trade_private_exchange_rate_quote_records

Public non-price rule

Public surfaces may say that a trade cleared within each participant's stated bounds, but must not publish a cause-price table, moral exchange-rate chart, leaderboard, platform-endorsed effectiveness comparison, exact participant willingness-to-trade term, or inferred moral value from private quote terms.

Privacy boundary

Participants may see their own implied tradeoff and final ratio-bounds result. Counterparties and public pages receive only privacy-safe compatibility bands unless a narrower disclosure is explicitly granted; raw private quote terms, exact caps, reviewer notes, and participant identity hashes stay private.

Batch-clearing objective

Scarce donation-offset matches are allocated by frozen objective results.

Moraltrade68 requires donation-offset batch clearing to have a frozen objective, deterministic tie-break and fairness rule, and reproducible objective result. Scarce matches cannot be allocated by moral score, operator preference, public pressure, timestamp races, private-cap leakage, or database order.

Batch-clearing objective moral-trade-batch-clearing-objective-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 1 first-class record table(s).

Open objective JSON

Objective types

  • maximize safe matched volume
  • maximize safe participant count
  • minimize unmatched residual
  • manual review

Tie-break rules

  • seeded deterministic hash
  • pro rata by frozen capacity
  • round robin by hash
  • reviewer approved manual
  • manual review

Prohibited drivers

  • moral score
  • operator preference
  • public pressure
  • timestamp race
  • private cap leakage
  • database order
  • protected trait
  • hidden reviewer preference

First-class records

  • moral_trade_batch_clearing_objective_records

Deterministic tie-break rule

Scarce matches must use a deterministic fairness rule such as seeded hash, pro-rata frozen capacity, or round-robin-by-hash over frozen input and excluded-record bundles.

Prohibited allocation rule

Matched volume alone cannot justify allocation. Scarce matches cannot be allocated by moral score, operator preference, public pressure, timestamp races, private-cap leakage, database order, protected traits, or hidden reviewer preference.

Sensitive-evidence attestations

Counterparties get attestation results, not raw private artifacts.

Moraltrade68 requires sensitive evidence paths to support privacy-preserving verification attestations. Counterparties receive claim-typed results, uncertainty, scope, and challenge routes. Raw private artifacts require a current privacy grant and passed confidentiality review before broader disclosure, and public raw artifact disclosure is blocked.

Sensitive-evidence attestations moral-trade-sensitive-evidence-attestations-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 1 first-class record table(s).

Open attestation JSON

Claim types

  • payment receipt verified
  • destination verified
  • eligibility verified
  • baseline scope verified
  • completion evidence verified
  • impact evidence verified
  • safety review non blocking
  • confidentiality review non blocking
  • uncertainty present
  • manual review

Evidence paths

  • private receipt
  • identity artifact
  • legal capacity artifact
  • payment destination artifact
  • source note
  • private message
  • protected trait evidence
  • safety report
  • reviewer note
  • provider record
  • raw private artifact

Disclosure modes

  • attestation only
  • counterparty claim typed summary
  • reviewer raw artifact
  • privacy grant broader disclosure
  • public suppressed

First-class records

  • moral_trade_sensitive_evidence_attestations

Raw artifact disclosure rule

Raw private artifacts cannot be sent to counterparties unless disclosure mode is privacy_grant_broader_disclosure, the privacy grant is current, and confidentiality review has passed. Public raw artifact disclosure is always blocked.

Challenge route

Every counterparty-facing attestation names a scoped challenge route under /api/moral-trade/challenge-appeal so the recipient can dispute the claim type, uncertainty, or scope without receiving raw artifacts.

Pilot evidence gates

Pilot promotion needs simulation, red-team evidence, and exit criteria.

Moraltrade68 requires donation-offset and pledge-swap pilots to pass market simulation, red-team review, and pre-registered scale-up, pause, and rollback criteria before payable, reliance-bearing, public metric, capped real-money, or release-gate promotion. Matched volume alone cannot satisfy pilot success.

Pilot evidence gates moral-trade-pilot-evidence-v0.1-2026-06

Status pass

8 check(s), 0 blocker(s), 1 first-class record table(s).

Open pilot evidence JSON

Evidence types

  • agent based market simulation
  • historical replay simulation
  • adversarial red team review
  • fraud abuse red team review
  • participant comprehension drill
  • operational game day

Success metrics

  • matched volume
  • safety incident rate
  • privacy leak rate
  • dispute rate
  • false positive block rate
  • manual review sla
  • participant comprehension
  • rollback recovery time

First-class records

  • moral_trade_pilot_evidence_gates

Policy subjects

  • pilot_evidence

Matched-volume rule

Matched volume alone cannot satisfy pilot success; success metrics must include safety, privacy, dispute, comprehension, review-SLA, or rollback evidence.

Exit-criteria rule

Scale-up, pause, and rollback criteria must be pre-registered, hash-backed, reviewer-approved, and available before the promoted stage begins.

Noncompensable blocker contract

Blocking controls are constraints, not prices.

Moraltrade68 requires safety, legal, privacy, third-party-rights, reporting-integrity, civil-rights, confidentiality, regulated-goods, cyber-abuse, financial-crime, anti-threat, and process-integrity blockers to stay noncompensable unless frozen policy explicitly treats the protected interest as personally waivable and renewed confirmations are non-blocking. Side payments, higher donations, performance bonds, reciprocal favors, and private agreements cannot clear these blockers by themselves.

Noncompensable blockers moral-trade-noncompensable-blockers-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 1 first-class record table(s).

Open blocker JSON

Protected interests

  • participant waivable interest
  • nonparticipant interest
  • legal or regulatory
  • public safety
  • truthful reporting
  • civil rights
  • confidentiality or privacy
  • institutional process
  • digital system integrity
  • anti threat
  • other

Compensation states

  • none
  • possible
  • under review
  • blocking
  • superseded

Review states

  • not required
  • under review
  • non blocking
  • blocked
  • manual review
  • superseded

First-class records

  • moral_trade_noncompensable_blocker_assessments

Personal waiver rule

A participant may waive only their own personally waivable protected interest when the frozen policy explicitly allows renewed confirmation, the renewed confirmation records are present, and all required review states are non-blocking. Nonparticipant, legal/regulatory, public-safety, truthful-reporting, civil-rights, confidentiality/privacy, institutional-process, digital-system-integrity, anti-threat, and other nonwaivable interests cannot be cleared by private waiver.

Compensation-attempt rule

A higher donation, side payment, performance bond, reciprocal favor, private agreement, or private waiver cannot convert a blocking state into a permissible trade by itself; any attempted compensation for a blocking control is itself a reviewable blocker signal.

Side-agreement disclosure contract

Off-platform side arrangements must be disclosed and reviewed before reliance.

Moraltrade60 requires side agreements, compensation, reciprocal favors, authority claims, reporting restrictions, and collusion-relevant terms to be structured records rather than hidden notes. This contract publishes the subject types, review dimensions, fail-closed statuses, and privacy-safe public summary boundaries while keeping raw private details out of public surfaces.

Side agreements moral-trade-side-agreements-v0.2-2026-06

Status pass

8 check(s), 0 blocker(s), 3 first-class record table(s).

Open side-agreement JSON

Gated transitions

  • draft preview
  • matched trade lock
  • payment capture
  • payout release
  • public completion claim
  • challenge decision
  • release gate promotion

Review dimensions

  • collusion
  • externality
  • legal jurisdiction
  • anti threat
  • reporting integrity
  • civil rights discrimination
  • participant autonomy
  • confidentiality privacy rights
  • financial crime fraud
  • anti corruption
  • representative authority

First-class records

  • moral_trade_side_agreement_disclosures
  • moral_trade_side_agreement_reviews
  • moral_trade_side_agreement_enforcement_records

Public summary boundary

  • reviewer notes
  • source hash
  • provider payload
  • raw evidence
  • private message
  • contact details
  • exact counterparty
  • bank account
  • wallet address

Trade-classification contract

Classification is an implementation guard, not a public moral status badge.

Moraltrade60 requires compensated moral-action agreements to be counted as mixed moral trade only when moral/prudential asymmetry explains the bargain, terms are frozen, and ordinary-service/procurement review is non-blocking. Ordinary donations, same-view matching, and ordinary procurement stay excluded from moral-trade-specific metrics.

Trade classification moral-trade-trade-classification-v0.2-2026-06

Status pass

9 check(s), 0 blocker(s), 4 first-class record table(s).

Open classification JSON

Classifications

  • pure moral trade
  • mixed moral trade
  • moral public good coalition
  • ordinary donation or matching
  • ordinary service or procurement
  • rejected threat or externality

Review dimensions

  • legal jurisdiction
  • labor employment
  • tax reporting
  • coercion undue influence
  • vulnerability undue inducement
  • ordinary service procurement
  • externality
  • anti corruption process integrity

First-class records

  • moral_trade_trade_classification_records
  • moral_trade_trade_classification_enforcement_records
  • moral_trade_compensated_action_terms
  • moral_trade_ordinary_service_procurement_reviews

Public non-claim

The trade_classification value is an implementation guard, not a public moral status badge or objective ranking of moral worth.

Template-conformance contract

Live Moral Trade offers must conform to approved templates or reviewed exceptions.

Moraltrade68 requires donation offsets, pledge swaps, compensated moral-action agreements, performance-bond conditions, and side agreements to stay template-bounded before lock, payment, reliance, or public metrics. The contract publishes table names and transition rules without exposing private terms, exact caps, free-text narratives, reviewer notes, payment details, or participant-specific template instance records.

Template conformance moral-trade-template-conformance-v0.1-2026-06

Status pass

10 check(s), 0 blocker(s), 3 first-class record table(s).

Open template JSON

Trade types

  • donation offset
  • pledge swap
  • compensated moral action
  • performance bond condition
  • side agreement

Gated transitions

  • live offer publication
  • matched trade lock
  • payment capture
  • reliance bearing transition
  • public metric publication
  • release gate promotion

First-class records

  • moral_trade_approved_trade_templates
  • moral_trade_template_parameter_policies
  • moral_trade_template_instance_records

Privacy boundary

Template-conformance public surfaces publish only template kinds, table names, transition rules, and aggregate sample statuses; they do not expose private terms, exact caps, free-text narratives, hidden counterparty data, reviewer notes, private wishes, payment details, or participant-specific template instance records.

Review-capacity contract

Review attention is a first-class live, matchable, payable, and reliance gate.

Moraltrade68 requires non-public-goods offers to stay preview-only, waitlisted, or expired when reviewer capacity is beyond policy, eligible reviewers or neutral panels are unavailable, visible user queue status is missing, or review delay would make baselines or payment authorizations stale.

Review capacity moral-trade-review-capacity-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 3 first-class record table(s).

Open review-capacity JSON

Queue statuses

  • preview
  • in review queue
  • waitlisted capacity
  • review delayed
  • expired stale
  • blocked needs review
  • ready for review

Gated transitions

  • live offer publication
  • matchable publication
  • matched trade lock
  • payment authorization
  • payment capture
  • reliance bearing transition
  • public metric publication
  • release gate promotion

First-class records

  • moral_trade_review_capacity_policies
  • moral_trade_review_queue_records
  • moral_trade_reviewer_panel_assignments

Privacy boundary

Public review-capacity surfaces expose table names, status categories, policy subjects, transition requirements, and sample statuses only. They must not expose reviewer identities, conflict facts, private queue reasons, participant-specific queue records, baseline details, payment authorization details, reviewer notes, source evidence, contact details, or raw internal status copies.

Participant term-sheet contract

Term sheets and counterparty disclosure are first-class lock and payment gates.

Moraltrade68 requires participant-term-sheet mismatch blocking, counterparty-disclosure-policy blocking, and clearing previews that surface participant term-sheet hashes, counterparty volume buckets, and staged-disclosure status without exposing raw counterparty identity, contact details, private wishes, exact constraints, hidden match reasoning, or reviewer notes.

Participant term sheets moral-trade-participant-term-sheet-v0.1-2026-06

Status pass

9 check(s), 0 blocker(s), 3 first-class record table(s).

Open term-sheet JSON

Disclosure statuses

  • not disclosed
  • volume bucket only
  • redacted counterparty
  • mutual consent ready
  • mutually disclosed
  • expired stale
  • blocked needs review

Gated transitions

  • live offer publication
  • matchable publication
  • matched trade lock
  • payment authorization
  • payment capture
  • reliance bearing transition
  • public metric publication
  • release gate promotion

First-class records

  • moral_trade_participant_term_sheet_records
  • moral_trade_counterparty_blinding_policies
  • moral_trade_staged_counterparty_disclosure_records

Privacy boundary

Public surfaces may expose table names, status categories, transition rules, counterparty volume buckets, and sample statuses only. They must not expose participant-specific term sheets, raw counterparty identities, contact details, private wishes, exact constraints, hidden match reasoning, source evidence, reviewer notes, payment details, or participant-specific disclosure records.

Protective assessments

Safety, authority, privacy, and fraud assessments are first-class lock gates.

Moraltrade60 requires donation offsets, pledge swaps, compensated moral actions, performance bonds, and side agreements to stay preview-only until protective assessment records are non-blocking, not required under a frozen policy, or explicitly neutral-review waived. The public contract publishes dimensions and statuses without revealing protected-trait facts, authority documents, private reports, credentials, source-of-funds evidence, reviewer notes, or participant records.

Protective assessments moral-trade-protective-assessments-v0.1-2026-06

Status pass

6 check(s), 0 blocker(s), 5 first-class record table(s).

Open protective-assessment JSON

Assessment dimensions

  • negative commitment substitution
  • action reversibility high stakes
  • donor of record tax receipt
  • third party obligation
  • representative authority
  • reporting integrity non suppression
  • civil rights discrimination
  • participant autonomy undue influence
  • confidentiality privacy rights
  • evidence authenticity synthetic media
  • financial crime fraud source of funds
  • agreement non transferability
  • regulated goods hazardous activity
  • cyber abuse digital systems integrity
  • anti corruption process integrity
  • least intrusive evidence
  • performance bond neutral review

Gated transitions

  • draft preview
  • matched trade lock
  • payment capture
  • payout release
  • public completion claim
  • release gate promotion

First-class records

  • moral_trade_protective_assessment_records
  • moral_trade_negative_commitment_scopes
  • moral_trade_action_reversibility_assessments
  • moral_trade_donor_of_record_tax_reviews
  • moral_trade_authority_obligation_assessments

Privacy boundary

The public contract exposes only assessment dimensions, transition rules, table names, statuses, and synthetic sample outcomes. It never exposes protected-trait facts, authority documents, private reports, credentials, source-of-funds evidence, reviewer notes, raw evidence, or participant-specific assessment records.

User safety and content moderation

Contact, abuse-report, and prohibited-use checks are first-class gates.

Moraltrade60 requires user-initiated contact, invite links, support messages, discussion surfaces, reviewer-visible notes, public copy, and impact-claim copy to resolve frozen user-safety and content-moderation policies before they can become public, reliance-bearing, payable, reviewer-actionable, profile-amplifying, or release-promoting. The contract separates prohibited-use moderation from moral ranking: it blocks illegal, coercive, deceptive, harassing, doxxing, cyber-abusive, exploitative, extremist-finance, spam, or otherwise prohibited use, not unpopular moral views.

Safety and moderation moral-trade-user-safety-content-moderation-v0.1-2026-06

Status pass

7 check(s), 0 blocker(s), 5 first-class record table(s).

Open safety-moderation JSON

Moderation dimensions

  • illegal activity
  • coercion threat
  • deception fraud impersonation
  • hate harassment
  • doxxing privacy violation
  • self harm exploitation
  • malware cyber abuse
  • sexual exploitation
  • extremist or terror finance
  • spam platform abuse
  • viewpoint neutrality

User-safety dimensions

  • contact consent
  • invite link rate limit
  • decline block withdrawal respected
  • repeated solicitation
  • off platform pressure
  • doxxing harassment
  • retaliatory visibility change
  • abuse report resolution
  • support escalation
  • minor or vulnerable contact

First-class records

  • moral_trade_user_safety_policies
  • moral_trade_contact_interaction_records
  • moral_trade_abuse_report_records
  • moral_trade_content_moderation_policies
  • moral_trade_content_moderation_records

Privacy boundary

Public contract output never exposes raw reports, reporter identities, target identities, private messages, reviewer notes, protected-trait facts, contact details, raw evidence, exact rare-view clusters, or participant-specific safety/moderation records.

Financial settlement controls

Fees, FX, notices, deadlines, challenges, and payout milestones are first-class gates.

Moraltrade60 requires real-money amounts to use explicit or frozen settlement currency, FX quotes to be snapshot-backed before previews and locks, and platform fees, FX spreads, and conversion fees to stay separate from moral-trade volume, threshold progress, QF signal, and recipient-impact claims. The contract also requires recorded material notices and server-time deadline records before a participant can lose rights, default out of a challenge window, or release a payout milestone.

Financial settlement moral-trade-financial-settlement-controls-v0.1-2026-06

Status pass

7 check(s), 0 blocker(s), 10 first-class record table(s).

Open financial-settlement JSON

Control keys

  • platform fee policy
  • platform fee disclosure
  • fx policy
  • fx rate snapshot
  • notification policy
  • material notice record
  • time authority policy
  • server deadline record
  • challenge window record
  • payout milestone record
  • payout milestone evidence
  • payout destination binding

Gated transitions

  • draft preview
  • public preview
  • matched trade lock
  • payment authorization
  • payment capture
  • challenge window default
  • payout milestone release
  • public metric publication
  • release gate promotion

First-class records

  • moral_trade_platform_fee_policies
  • moral_trade_platform_fee_disclosures
  • moral_trade_fx_policies
  • moral_trade_fx_rate_snapshots
  • moral_trade_notification_policies
  • moral_trade_material_notice_records
  • moral_trade_time_authority_policies
  • moral_trade_deadline_records
  • moral_trade_challenge_window_records
  • moral_trade_payout_milestone_records

Privacy boundary

Public contract output never exposes payment credentials, raw provider settlement reports, raw FX provider payloads, private notice payloads, participant identities, exact bank or wallet details, reviewer notes, raw evidence, internal fee ledgers, participant-specific fee/FX/payment records, or participant-specific deadline records.

Validator evidence

Core checks run without hidden ranking or AI decisions.

CheckStatusEvidence
Required proposal fieldspass9 required field(s) published.
Review status valuespassdraft, submitted, needs_clarification, needs_evidence, needs_human_review, challenge_window, completion_reviewed, disputed_unresolved, blocked, matchable
Proposal state transition rulespass9 state transition rule(s) publish allowed edges, required checks, and provenance activities.
Proposed decision logic is public and signal-boundpassschema_completeness->needs_clarification, anti_threat_policy->blocked, factual_evidence_readiness->needs_evidence, counterfactual_baseline->needs_human_review, externality_review->challenge_window, privacy_redaction->needs_human_review, match_explanation->needs_human_review, human_review_routing->needs_human_review
Safety and privacy guardrailspass5 guardrail(s), including anti-threat and redaction rules.
Public factor-code explanationspass17 factor code(s) available for match and review explanations.
Evidence schemas by trade formatpasspledge_swap_v1, donation_offset_v1, paid_action_v1, public_good_commitment_v1
Provenance objectspass9 entities, 7 activities, 5 agents.
Provenance object schemaspass9 object schema(s) published for evidence and review provenance.
Provenance persistence tablespass9 append-only persistence table(s) map provenance object schemas to owner-scoped storage.
Quality and safety metricspass8 metric(s) published.

Explanation layer

Factor codes explain matches without private-text leakage.

The match inbox turns those codes into participant-facing reason labels, trust badges, risk badges, and next safe actions so suggestions can be declined, reported, or moved toward consent without exposing exact wishes.

terms_complete

Terms complete

The action, reciprocal request, duration, exit rule, and verification method are present.

baseline_stated

Baseline stated

The no-trade default is explicit enough for counterfactual review.

baseline_credibility

Baseline credibility

The no-trade default includes prior intent, history, dated support, or another reviewable counterfactual basis.

baseline_challenge_recommended

Baseline challenge recommended

The baseline is stated but thin enough that reviewers should request prior-intent or past-behavior support before reliance.

evidence_rule_named

Evidence rule named

The draft names the receipt, log, attestation, provider record, audit, or manual review path.

participant_relative_scores

Participant-relative scores

Importance scores are treated as user-stated thresholds, not platform rankings.

party_relative_benefit

Party-relative benefit

The draft explains why each side is better off than the no-trade baseline using participant-relative priorities.

externality_review_required

Externality review required

The draft may affect unrepresented people, political-adjacent claims, incentives, or vulnerable parties.

privacy_safe_preview

Privacy-safe preview

Match explanations can use broad cause areas, format, verification preferences, and redaction notes.

human_review_required

Human review required

A reviewer must inspect safety, evidence, baseline, externality, or disclosure concerns before reliance.

cause_area_overlap

Cause-area overlap

A redacted match signal found broad cause-area overlap without exposing exact wishes or private text.

cause_area_complementarity

Cause-area complementarity

One side's broad offered cause area can satisfy the other side's broad requested cause area without exposing exact wishes.

trade_mode_compatible

Trade-mode compatible

Both redacted profiles support at least one compatible trade format.

verification_preference_compatible

Verification preference compatible

Both redacted profiles support at least one compatible evidence or verification preference.

location_constraint_satisfied

Location constraint satisfied

Any declared city or region sensitivity is satisfied at a coarse, privacy-safe level.

privacy_stage_compatible

Privacy stage compatible

Both sides are still inside the same consent-gated disclosure stage.

stated_exclusions_clear

Stated exclusions clear

The redacted match signal did not find a conflict with either side's stated exclusions.

Match signal contract

Redacted profile matching is preview-only and human-reviewed.

The matching contract uses only broad cause areas, trade modes, verification preferences, location sensitivity, privacy stage, and stated exclusions. It never infers hidden preferences or authorizes disclosure, contact, reliance, or state changes.

Match signal moral-trade-match-signal-contract-v0.3-2026-06

Status pass

9 check(s), 0 blocker(s), 9 factor code(s).

Open match contract JSON

Input boundary

  • profileId
  • causeAreas
  • tradeModes
  • verificationPreferences
  • locationSensitivity
  • privacyStage
  • privacyConstraints
  • statedExclusions

Redacted fields

  • exact_private_wishes
  • contact_details
  • sensitive_constraints
  • raw_profile_notes
  • protected_traits
  • ideology_or_psychology_inferences

Evaluation route

POST /api/moral-trade/match-signal/evaluate returns redacted factor codes, blockers, confidence band, participant explanation copy, redacted fields, and humanReviewRequired with stateMutation false.

Participant explanation

You are seeing this suggestion because public cause areas, trade mode, and verification preferences are compatible. Exact wishes and contact details are still hidden.

Contract tests

  • match signal contract validator
  • redacted profile match signal smoke
  • participant explanation copy smoke
  • match signal evaluate route contract
  • technical spec match signal smoke

Match invariant

Use only redacted profile fields: cause areas, trade modes, verification preferences, location sensitivity, privacy constraints, and stated exclusions.

Match invariant

Do not infer protected traits, ideology, psychology, hidden preferences, exact private wishes, raw notes, or contact details.

Match invariant

A matchable signal is only a preview and always requires human review before disclosure, contact, reliance, or state changes.

Match invariant

Factor codes must include cause overlap or complementarity, trade-mode compatibility, and verification compatibility before matchable status.

Match invariant

Privacy-safe preview requires compatible privacy stages, an explicit disclosure stage, a privacy policy id, and named redacted fields.

Challenge appeal contract

Appeals are scoped to reviewed claims, standing, and remedy paths.

The challenge lane is now a validator-backed contract. It separates affected-party standing, duplicate proof, coercive baselines, wrong-scope evidence, privacy disclosure errors, externality remedy gaps, reviewer conflicts, and policy flags before any human-controlled state change.

Challenge appeal moral-trade-challenge-appeal-v0.3

Status pass

15 check(s), 0 blocker(s), 2 first-class record table(s), 1 enforcement table(s).

Open appeal contract JSON

Subjects

  • claim
  • evidence row
  • baseline concern
  • disclosure decision
  • externality trigger
  • completion state
  • policy flag

Standing categories

  • participant
  • counterparty
  • affected party
  • reviewer
  • admin safety
  • external verifier

First-class records

  • moral_trade_appeal_policies
  • moral_trade_appeal_cases

Appeal case states

  • draft
  • filed
  • noticed
  • under neutral review
  • correction requested
  • upheld
  • corrected
  • dismissed
  • closed unresolved
  • superseded
  • stale

Evaluation route

POST /api/moral-trade/challenge-appeal/evaluate returns scoped factor codes, standing checks, required artifacts, privacy actions, provenance activity, and stateMutation false. Requested outcomes are advisory and must match the appeal trigger before reviewers can route them.

Enforcement route

Adverse-decision correction reliance requires an authenticated append-only challenge-appeal enforcement record that evaluates frozen appeal policies and appeal cases; enforcement records cannot open appeals, correct records, allow reliance, waive safety blockers, reopen settled obligations, or publish public metrics.

  • moral_trade_challenge_appeal_enforcement_records
  • POST /api/moral-trade/challenge-appeal/enforce

Fail-closed statuses

  • appeal policy missing
  • appeal policy not current
  • appeal case missing
  • appeal case stale
  • appeal case superseded
  • standing missing
  • notice missing
  • deadline missing
  • deadline expired
  • neutral review missing
  • scope missing
  • private details unredacted
  • safety blocker waiver attempted
  • settled obligation reopen attempted
  • non retaliation missing
  • evidence scope missing
  • invalid case hash
  • invalid policy hash

Appeal invariant

Appeals target only the specific reviewed claim, evidence row, baseline concern, disclosure decision, externality trigger, completion state, or policy flag.

Appeal invariant

Appeals do not reopen unrelated moral disagreements by default and do not create platform-wide moral rankings.

Appeal invariant

Participant, counterparty, affected-party, reviewer, admin-safety, and external-verifier standing are explicit; affected-party standing needs a privacy-safe summary.

Appeal invariant

Adverse decisions with correction rights require first-class appeal cases with notice, deadline, scope hash, evidence scope, non-retaliation, and neutral-review fields.

Appeal invariant

Appeal cases do not silently reopen settled obligations, waive safety blockers, mutate parent records, or expose private details before redaction.

Appeal invariant

Externality remedy appeals must name the remedy gap before reliance, completion badges, or public reputation claims proceed.

Appeal invariant

Requested outcomes are advisory and must be compatible with the appeal trigger before reviewers can route them.

Appeal invariant

Private details, exact wishes, contact data, raw notes, and sensitive constraints are redacted before reviewer routing.

Appeal invariant

Every challenge or appeal packet names a provenance activity, traceability step, reason codes, and human reviewer scope.

Appeal invariant

Safety blocking, matching disclosure, reviewed completion, and dispute resolution remain human-controlled.

Disclosure grant contract

Privacy grants now have a staged, field-level contract.

The privacy model is no longer only dashboard prose. Broad previews, exact wishes, source summaries, constraints, verification preferences, and contact details are mapped to explicit access levels, audience stages, redactions, owner approval, and non-mutating evaluation.

Disclosure grants moral-trade-disclosure-grants-v0.1

Status pass

10 check(s), 0 blocker(s), 9 field boundary(s).

Open disclosure contract JSON

Audience stages

  • registry
  • consent
  • introduced

Access levels

  • hidden
  • broad
  • specific
  • contact

Evaluation route

POST /api/moral-trade/disclosure/evaluate returns allowed fields, denied fields, privacy actions, expiry window, ownerApprovalRequired, and stateMutation false.

Redacted fields

  • exact private wishes before consent
  • exact asks before consent
  • contact details before introduction
  • raw source notes
  • sensitive constraints in public preview
  • private feed payloads

Search privacy controls

  • Daily registry query budget
  • Sparse-result privacy floor
  • Stable query fingerprint
  • Redacted overlap tokens
  • Risk signal logging
  • Repeated detail-request limit

cause_areas

Cause areas

Broad cause areas and high-level interests only.

registry stage, max broad access.

exact_wish

Exact wish

The exact change someone hopes a counterparty might help with.

consent stage, max specific access.

exact_ask

Exact ask

The concrete ask being considered for this match.

consent stage, max specific access.

capabilities

Capabilities

Resources, skills, or commitments the profile owner says they can offer.

consent stage, max specific access.

constraints

Constraints

Constraints that could rule out a proposal or require extra care.

consent stage, max specific access.

verification_preferences

Verification preferences

Evidence or attestation preferences for a possible agreement.

consent stage, max specific access.

coarse_location

Coarse location

Coarse location only, never precise address or live location.

registry stage, max broad access.

source_summary

Manual source summary

Manual source summaries, excluding raw notes and source payloads.

consent stage, max specific access.

contact_email

Contact email

Contact details for a mutually approved introduction.

introduced stage, max contact access.

Review workflow contract

Marketplace cards and detail pages share one factor-code source.

The report recommends replacing prose-heavy pages with instrumented workflow cards. This contract publishes the card keys, factor-code requirements, next-step rules, and non-ranking invariants used by offer details, worked examples, marketplace listings, and the homepage preview.

Review workflow moral-trade-review-workflow-v0.2-2026-06

Status pass

13 check(s), 0 blocker(s), 6 card contract(s).

14 policy-enforced workflow step(s), 7 review-state outcome(s).

Open review workflow JSON

Workflow path

  1. User draft - structured input
  2. Schema normalizer - deterministic policy
  3. Completeness check - deterministic policy
  4. Anti-threat / prohibited-content engine - deterministic policy
  5. Baseline credibility assessment - deterministic policy
  6. Evidence checklist generator - deterministic policy
  7. Privacy / redaction engine - deterministic policy
  8. Rule-based match engine - deterministic policy

Review outcomes

  • needs clarification
  • blocked
  • needs evidence
  • challenge window
  • disputed unresolved
  • matchable
  • completion reviewed

Marketplace priority

  • human_review_required
  • evidence_rule_named
  • baseline_credibility
  • externality_review_required
  • no_global_moral_ranking
  • appealable_review_scope

Invariants

  • Every detail workflow card must expose at least one factor code, one status-reason code, one status reason, and one next-step instruction.
  • Marketplace cards must show prioritized factor codes derived from the same workflow contract.
  • Marketplace cards must inherit the selected detail card status reason.
  • Every participant-facing block, pause, rejection, or manual-review state maps to a plain-language reason category, next action, money effect, obligation effect, and appeal or correction path where applicable.

Contract tests

  • review workflow contract validator
  • offer review workflow card smoke
  • user facing blocker explanation smoke
  • marketplace factor card smoke
  • technical spec review workflow smoke

Evaluation route

POST /api/moral-trade/review-workflow/evaluate returns deterministic workflow cards and marketplace factors with stateMutation false.

Participant copy

What would you do if this trade did not happen? Be concrete. Mention your current intention, prior behavior, or any evidence that makes your baseline credible.

User-facing blockers

Public blocker explanations publish reason categories, next actions, money and obligation effects, and bounded appeal or correction paths without raw review evidence.

  • Evidence is incomplete
  • Baseline needs review
  • Privacy review is incomplete
  • Safety or legality review is needed
  • Account security check is pending

Sample explanation paths

  • Safety or legality review is needed: No payment, payout, or public money claim should proceed. No new obligation, lock, or completion claim should be created. Use the appeal path for the specific safety decision; do not broaden the dispute.
  • Evidence is incomplete: No payment capture or payout should proceed from this record. No new locked obligation should be created from this record. If evidence was rejected, use the appeal path for the specific evidence row.
  • Production or payout gate is not ready: Payout release, public totals, and sponsor-leverage claims stay blocked. No new operational override should be created from this state. Use the correction path for the specific operational check if a record is wrong.

current_status

Status card

Expose whether a record is live, example-only, blocked, or still under review.

  • status_visible
  • human_review_required

action_evidence

Action evidence

Show whether each factual action claim has a named reviewable proof method.

  • evidence_rule_named
  • evidence_sufficiency

baseline_confidence

Counterfactual baseline

Keep factual proof separate from the no-trade baseline and counterfactual trust problem.

  • baseline_stated
  • baseline_credibility

externality_review

Externality review

Name third-party harm, perverse-incentive, and unrepresented-value review before reliance.

  • externality_review_required
  • human_review_required

participant_relative_scores

Participant-relative scores

Display stated priorities without turning them into an objective platform ranking.

  • participant_relative_scores
  • no_global_moral_ranking

appeal_scope

Appeal scope

Limit appeals to the claim, evidence row, baseline concern, disclosure decision, or policy flag under review.

  • appealable_review_scope
  • reviewer_summary

Reasoning packet contract

The Reasoning Center publishes structured packets, not hidden reasoning.

Public packets are derived from canonical worked examples and expose only structured summaries, cited evidence rows, step-by-step decision gates, uncertainty flags, reviewer scope, factor codes, and the next human-controlled step. The packet route is validator-backed, supports the same public status filters as the Reasoning Center, and does not export live private offers.

Reasoning packets moral-trade-reasoning-packets-v0.3-2026-05

Status pass

10 check(s), 0 blocker(s), 5 public packet(s).

Open packet JSON

Required packet fields

  • id
  • sourceOfferId
  • rank
  • status
  • statusCode
  • statusTone
  • scope
  • title

Linked contracts

  • Review workflow: moral-trade-review-workflow-v0.2-2026-06
  • Provenance: moral-trade-provenance-v0.3
  • Provenance sample: pass

Decision steps

  • pass: Schema completeness check
  • pass: Anti-threat / prohibited-content check
  • pass: Baseline credibility check
  • pass: Evidence sufficiency check

Public filters

The packet API accepts the same status facet as the Reasoning Center, for example /api/moral-trade/reasoning/packets?status=needs-evidence.

  • All records: 5 packet(s)
  • Needs evidence: 1 packet(s)
  • Human review: 5 packet(s)
  • Blocked: 0 packet(s)
  • Pass with limits: 4 packet(s)

Contract tests

  • reasoning packet contract validator
  • reasoning center public packet smoke
  • reasoning packets api route smoke
  • reasoning packets recovery payload smoke
  • technical spec reasoning packet smoke

Packet invariant

Packets expose only structured summaries, cited evidence rows, uncertainty flags, reviewer scope, factor codes, and required next steps.

Packet invariant

Packets publish step-by-step decision gates with pass, needs_input, human_review, or blocked statuses before any public reliance.

Packet invariant

Packets must not expose chain-of-thought, private wish text, contact details, raw source notes, or autonomous outreach fields.

Packet invariant

Packets must preserve no_global_moral_ranking and participant-relative language.

Packet invariant

Packets are derived from canonical worked examples; live private offers are not exported.

Packet invariant

Every packet links to a worked example page and public contract sources.

Copilot contract

Any AI assistance is schema-bound and reversible.

The copilot role is limited to drafting, critique, explanation, evidence checklists, and reviewer summaries. It cannot rank moral value, contact counterparties, consume raw private feeds, or change proposal state when output validation fails.

Contract moral-trade-copilot-v0.1.3-2026-06

Status pass

12 check(s), 0 blocker(s), 8 fixed verification step(s).

Open contract JSON

Strict input bundle

  • structured_draft
  • policy_registry
  • prohibited_pattern_registry
  • factor_code_dictionary
  • verification_method_taxonomy
  • redaction_policy
  • evidence_metadata
  • redacted_profile_pair
  • match_constraint_set
  • stated_exclusions

Approved output sections

  • status
  • completeness
  • trade_structure
  • trust_assessment
  • match_explanation
  • verification_loop
  • clarification_questions
  • uncertainty_flags
  • next_step_checklist
  • cited_evidence_table
  • review_instructions
  • reviewer_summary
  • citations

Hard guardrails

  • Approved JSON only
  • Observable claims only
  • No hidden reasoning transcript
  • No global moral ranking
  • No autonomous outreach
  • No private feed ingestion
  • Separate trust axes
  • Insufficient evidence requests exact artifacts
  • Anti-threat escalation
  • No false certainty
  • No escrow, legal, tax, custody, or endorsement claims
  • Verification loop gates matchability

Matchability gate

validateMoralTradeCopilotOutput rejects matchable output unless every blocking verification step has status pass.

  • Schema completeness check
  • Anti-threat / prohibited-content check
  • Baseline credibility check
  • Evidence sufficiency check
  • Privacy/redaction check

Prompt template registry

  • System prompt
  • Draft-repair prompt
  • Matching prompt
  • Reviewer-summary prompt

Rollout readiness gates

  • shadow mode: pass
  • assist mode: blocked
  • guarded automation: blocked

schema_completeness

Schema completeness check

Blocks matchable status until resolved.

anti_threat

Anti-threat / prohibited-content check

Blocks matchable status until resolved.

baseline_credibility

Baseline credibility check

Blocks matchable status until resolved.

evidence_sufficiency

Evidence sufficiency check

Blocks matchable status until resolved.

externality_trigger

Externality-review trigger check

Routes or explains without changing state.

privacy_redaction

Privacy/redaction check

Blocks matchable status until resolved.

match_explanation

Match explanation generation

Routes or explains without changing state.

human_review_routing

Human-review routing

Routes or explains without changing state.

Rollout readiness

shadow mode

Status pass; 4 required signal(s), 2 allowed task(s), 0 blocker(s).

Rollout readiness

assist mode

Status blocked; 7 required signal(s), 3 allowed task(s), 3 blocker(s).

Rollout readiness

guarded automation

Status blocked; 8 required signal(s), 3 allowed task(s), 3 blocker(s).

Operations contract

Security, rate limits, metrics, and fallbacks are inspectable.

The core feature now publishes the operating controls that were previously scattered across code and policy pages: security headers, private-cache rules, abuse throttles, privacy/session controls, email-outbox safety gates, retention lifecycle boundaries, observability metrics, safe fallbacks, and rollout gates.

Operations moral-trade-operations-v0.3-2026-05

Status pass

8 check(s), 0 blocker(s), 9 operational test hook(s).

Open operations JSON

Security headers

  • Strict Transport Security
  • No MIME sniffing
  • Frame denial
  • Referrer policy
  • Permissions policy
  • CSP report-only baseline
  • Private route no-store

Rate-limit surfaces

  • public contract read: 240 per 1 minute
  • signup: 5 per 15 minutes
  • login: 8 per 15 minutes
  • offer create: 8 per 15 minutes
  • privacy access request: 12 per 1 day
  • match concierge request: 10 per 1 day
  • offer comment: 12 per 15 minutes
  • offer collection read: 120 per 1 minute
  • offer detail read: 120 per 1 minute
  • offer facets read: 120 per 1 minute
  • offer follow write: 30 per 1 minute
  • offer create similar: 30 per 1 minute
  • saved search write: 30 per 1 minute
  • copilot draft review: 30 per 1 minute
  • match signal evaluate: 60 per 1 minute
  • matching clearing execute: 20 per 1 minute
  • clearing preview execute: 30 per 1 minute
  • release gate enforce: 20 per 1 minute
  • baseline integrity enforce: 20 per 1 minute
  • agreement amendment enforce: 20 per 1 minute
  • production readiness enforce: 20 per 1 minute
  • side agreement enforce: 20 per 1 minute
  • trade classification enforce: 20 per 1 minute
  • template conformance enforce: 20 per 1 minute
  • review capacity enforce: 20 per 1 minute
  • participant term sheet enforce: 20 per 1 minute
  • participant confirmation enforce: 20 per 1 minute
  • participant eligibility enforce: 20 per 1 minute
  • account security enforce: 20 per 1 minute
  • reviewer quality enforce: 20 per 1 minute
  • protective assessment enforce: 20 per 1 minute
  • user safety content moderation enforce: 20 per 1 minute
  • financial settlement controls enforce: 20 per 1 minute
  • recipient acceptance enforce: 20 per 1 minute
  • ai preference elicitation enforce: 20 per 1 minute
  • post clear audit enforce: 20 per 1 minute
  • non public goods subsidy enforce: 20 per 1 minute
  • non public goods tier enforce: 20 per 1 minute
  • risk control matrix enforce: 20 per 1 minute
  • preference integrity enforce: 20 per 1 minute
  • commitment settlement enforce: 20 per 1 minute
  • group buying enforce: 20 per 1 minute
  • participant credibility enforce: 20 per 1 minute
  • opportunity meal evidence enforce: 20 per 1 minute
  • guest witness invite write: 12 per 1 minute
  • guest witness testimony write: 20 per 1 minute
  • guest witness review write: 20 per 1 minute
  • pledge performance bond enforce: 20 per 1 minute
  • pledge swap performance schedule enforce: 20 per 1 minute
  • negative commitment scope enforce: 20 per 1 minute
  • donor of record tax enforce: 20 per 1 minute
  • action reversibility enforce: 20 per 1 minute
  • authority obligation enforce: 20 per 1 minute
  • direct pair clearing enforce: 20 per 1 minute
  • cause bucket taxonomy enforce: 20 per 1 minute
  • resource compatibility enforce: 20 per 1 minute
  • net offset accounting enforce: 20 per 1 minute
  • offer validity enforce: 20 per 1 minute
  • private exchange rate enforce: 20 per 1 minute
  • noncompensable blocker enforce: 20 per 1 minute
  • batch clearing objective enforce: 20 per 1 minute
  • sensitive evidence attestation enforce: 20 per 1 minute
  • pilot evidence enforce: 20 per 1 minute
  • challenge appeal evaluate: 30 per 1 minute
  • challenge appeal enforce: 20 per 1 minute
  • disclosure evaluate: 30 per 1 minute
  • review workflow evaluate: 60 per 1 minute
  • profile portability: 12 per 1 minute
  • background opportunity brief read: 60 per 1 minute
  • background opportunity feedback write: 30 per 1 minute
  • background helper run write: 12 per 1 minute
  • background wish interview write: 20 per 1 minute
  • background source summary write: 12 per 1 minute
  • background subject identity write: 8 per 1 minute
  • background claim assurance write: 8 per 1 minute
  • background pairwise safety write: 12 per 1 minute
  • background intro packet write: 12 per 1 minute
  • background private overlap check: 12 per 1 minute
  • wish registry search: 60 per 1 minute
  • analytics ingest: 120 per 1 minute

Operational metrics

  • funnel_event_counts
  • route_error_rate
  • api_latency_p95
  • web_vitals
  • blocked_proposal_rate
  • email_outbox_suppression_count
  • privacy_incident_count
  • copilot_fallback_rate
  • evidence_review_sla
  • appeal_overturn_rate

Privacy/session controls

  • Supabase auth cookies
  • Private route cache control
  • Data-right request lane
  • Field-level disclosure grants
  • Email outbox safety gate
  • Audit events

Retention lifecycle

  • Account and profile lifecycle
  • Private wish and source lifecycle
  • Evidence and provenance lifecycle
  • Payment and donation reference lifecycle
  • Analytics and attribution lifecycle
  • Notification delivery lifecycle
  • Data-right request lifecycle

deterministic_manual_fallback

Deterministic/manual fallback

If copilot, provider, or evidence tooling fails, keep deterministic validation and manual review available.

invalid_copilot_output_no_state_change

Invalid copilot output cannot change state

Invalid or timed-out copilot output must not publish, match, disclose, or complete a proposal.

provider_timeout_no_state_change

Provider timeout cannot change state

Provider or payment/evidence timeouts remain pending or manual-review states.

unsafe_email_no_provider_send

Unsafe email rows cannot reach the provider

Core Moral Trade email outbox rows with contact details, exact offer terms, payment amounts, agreement or payment identifiers, evidence, raw source notes, or private wish markers are marked suppressed before provider send.

replay_safe_state_transitions

Replay-safe state transitions

State transitions should be idempotent, auditable, and safe to retry.

Performance contract

Route resilience and Web Vitals are measured before readiness is claimed.

The report flagged repeated loading states, route failure recovery, and unspecified Web Vitals, API latency, cache, and bundle strategy. This profile turns those into public targets, privacy-safe telemetry boundaries, and release gates.

Performance moral-trade-performance-v0.4-2026-06

Status fail

8 check(s), 1 blocker(s), 7 metric target(s), cadence weekly internal monthly public aggregate.

Open performance JSON

Metric targets

  • Public route error rate: <=1% of public route views over a reporting period
  • Core API p95 latency: <=800ms p95 for public Moral Trade contract and directory APIs
  • Largest Contentful Paint p75: <=2500ms p75 for public Moral Trade routes
  • Interaction to Next Paint p75: <=200ms p75 for public Moral Trade routes
  • Cumulative Layout Shift p75: <=0.1 p75 for public Moral Trade routes

Instrumentation controls

  • Web Vitals capture
  • API server timing
  • Route error boundary
  • Loading-state inventory
  • Production route manifest smoke

Route families

  • core protocol contract
  • offer marketplace
  • background networking
  • reasoning and review

Route recovery manifest

Status fail; 11/13 route(s) covered, recovery ratio 0.8462.

  • /moral-trade/technical-spec: src/app/moral-trade/technical-spec/error.tsx
  • /reasoning-center: src/app/reasoning-center/error.tsx

instrument_before_optimize

Instrument before optimizing

Do not claim performance readiness from design intent alone; publish measurement coverage first.

public_route_resilience

Public route resilience

Do not expand public acquisition until core public routes have retry/recovery affordances and build-manifest coverage.

privacy_safe_telemetry

Privacy-safe telemetry

Do not store performance telemetry that includes raw private wishes, source notes, contact details, or unredacted query strings.

Performance non-claim

Moral Trade does not claim verified Core Web Vitals pass status until route-level samples are collected and published in aggregate.

Performance non-claim

Moral Trade does not claim all loading states are optimized; generic fallbacks are tracked as route-resilience debt.

Performance non-claim

Moral Trade does not claim production API latency targets are met without current server-timing or provider metrics.

Performance non-claim

Moral Trade does not claim performance telemetry can include raw private wishes, source notes, contact details, or unredacted query strings.

Security contract

Security posture is explicit about controls, boundaries, and non-claims.

The report flagged encryption details, 2FA, device/session review, key management, and abuse throttling as unspecified. This profile publishes what is implemented, what is a provider boundary, and what must be ready before sensitive scale.

Security moral-trade-security-v0.5-2026-06

Status pass

7 check(s), 0 blocker(s), 3 scale gate(s).

Open security JSON

Implemented controls

  • HSTS, CSP, and browser security headers
  • Private no-store cache policy
  • Supabase auth cookies
  • Background field-encryption keyring
  • Server-only secret management
  • 2FA/MFA admin gate
  • Participant session review and revocation
  • Contact disclosure MFA step-up
  • Platform abuse throttling
  • Incident response reporting

Provider boundaries and non-claims

  • Provider encryption at rest
  • Platform-wide field-level encryption is not claimed

Scale gates

  • Sensitive admin scale: blocked
  • Paid-action volume scale: blocked
  • Trust badge scale: pass

Public non-claim

Moral Trade does not claim custom field-level encryption for every private Moral Trade table; background-networking sensitive text has a separate versioned keyring control.

Public non-claim

Moral Trade does not claim the app-level MFA/2FA admin gate replaces provider-console MFA, device inventory, session revocation, or key-rotation evidence.

Public non-claim

Moral Trade does not claim a completed key-rotation program until provider rotation records are published.

Public non-claim

Moral Trade does not claim 24/7 staffed security operations or zero incidents; incident summaries stay aggregate and privacy-redacted.

Public non-claim

Moral Trade does not claim zero security risk; public health endpoints expose blockers instead.

Incident response contract

Incident intake, disclosure, and reopening rules are validator-backed.

The report flagged incident response as a scale prerequisite. This profile publishes the public incident lane: intake channels, severity SLAs, containment phases, affected-participant notices, aggregate public updates, validator backlog updates, and privacy-safe non-claims.

Incident response moral-trade-incident-response-v0.1-2026-05

Status pass

9 check(s), 0 blocker(s), 3 readiness gate(s).

Open incident response JSON

Incident categories

  • Privacy leakage: privacy reviewer
  • Security control failure: security reviewer
  • Payment provider error: payment reviewer
  • Evidence integrity issue: evidence reviewer
  • Unsafe matching or disclosure: safety reviewer
  • Availability or route failure: operations reviewer
  • Copilot output violation: copilot reviewer

Severity SLAs

  • SEV0 active sensitive exposure: response 1h, notice 24h
  • SEV1 control or payment failure: response 4h, notice 48h
  • SEV2 review integrity issue: response 24h, notice 120h
  • SEV3 service degradation: response 72h, notice 168h

Readiness gates

  • Trust-badge incident lane: pass
  • Paid-action incident lane: pass
  • Copilot-assist incident lane: pass

affected_participant_notice_required

Affected participant notice required

SEV0 and SEV1 incidents require affected-participant notice unless doing so would increase harm or conflict with law.

public_aggregate_only

Public aggregate only

Public reporting uses counts, category, severity, status, and remediation class; raw private records stay redacted.

no_private_details_in_public_postmortem

No private details in public postmortem

Do not publish private wishes, source notes, exact contact details, payment secrets, hidden reviewer notes, or raw provider payloads.

validator_blockers_linked

Validator blockers linked

If the incident exposed a contract gap, link the public blocker, test, or scale gate that now tracks the fix.

human_review_before_reopening

Human review before reopening

Affected matching, disclosure, completion, payment, or trust-badge paths reopen only after human review confirms containment.

Incident non-claim

Moral Trade does not claim 24/7 staffed security operations.

Incident non-claim

Moral Trade does not claim zero incidents or zero residual security risk.

Incident non-claim

Moral Trade does not publish raw private wishes, source notes, contact details, payment secrets, or provider payloads in public incident summaries.

Incident non-claim

Moral Trade does not treat incident-response publication as proof that MFA, device/session review, key rotation, or field-level encryption are complete.

Evaluation contract

Quality metrics are public, privacy-bounded, and rollout-gated.

The report recommends measuring whether protocol and copilot workflows actually help. This profile names the metrics, privacy boundaries, cohort slices, and promotion gates required before assisted workflow changes can scale.

Evaluation moral-trade-evaluation-v0.3-2026-05

Status pass

7 check(s), 0 blocker(s), 13 metric(s), cadence monthly public aggregate.

Open evaluation JSON

Sample surfacing parity audit

Status pass; 20 eligible, 9 surfaced, overall rate 0.45; 2 reviewed deviation(s), 0 unreviewed.

Sample UX readiness audit

Status pass; current period 2026-05, previous period 2026-04, blockers 0.

Executable audit check

The validator includes a sample-audits check so fairness, UX, and workflow quality audit code must execute successfully before the evaluation contract reports pass. Material surfacing parity deviations need a redacted review-log entry before they count as reviewed.

Sample workflow quality audit

Status pass; blocked precision 0.9167, false match rate 0.15, human overrule rate 0.2222, reason coverage 1.

Codex-assisted workflow metrics

  • Draft completion rate: increase
  • Time to valid draft: decrease
  • Blocked-proposal precision: increase
  • Privacy leakage incidents: decrease
  • Explanation helpfulness: increase

Privacy and fairness slices

  • trade format
  • cause area pair
  • geography bucket
  • verification method
  • privacy stage
  • new vs returning participant
  • consented demographic slice
  • optional governed sensitive attribute

Measurement boundaries

  • aggregate only by default
  • no raw private wish text
  • no contact details
  • no source note leakage
  • small cell suppression
  • deviation review log redacted
  • free text quote requires consent

shadow_mode

shadow mode

Collect metrics while copilot advice is ignored for live decisions.

assist_mode

assist mode

Allow field prefill and factor-code suggestions only if privacy incidents stay at zero and overrule reasons are reviewed.

guarded_automation

guarded automation

Automate only missing-field detection, explanation rendering, and evidence-checklist drafting after public metrics meet or explain targets.

human_controlled_decisions

human controlled decisions

Safety blocking, matching disclosure, reviewed completion, and dispute resolution remain human controlled.

Externality contract

Third-party impacts now have due-diligence and remedy gates.

Externality review is not a vague warning label. Material triggers require affected-party standing, remediation paths, privacy-safe reporting, human approval, and relevant source standards before reliance.

Externality moral-trade-externality-v0.2-2026-05

Status pass

7 check(s), 0 blocker(s), 8 trigger code(s).

Open externality JSON

Due-diligence steps

  • Embed policy
  • Identify impacts
  • Prevent or mitigate
  • Track results
  • Communicate
  • Remediate

Review standards

  • OECD due diligence
  • UN Guiding Principles
  • ILO Fundamental Principles
  • ETI Base Code
  • Fairtrade Standards
  • Open Supply Hub orientation

Trigger-standard matrix

  • unrepresented third party: oecd_due_diligence, un_guiding_principles
  • vulnerable party pressure: oecd_due_diligence, un_guiding_principles, ilo_fundamental_principles
  • political or campaign adjacent: oecd_due_diligence, un_guiding_principles
  • paid action pressure: oecd_due_diligence, un_guiding_principles, ilo_fundamental_principles
  • labor or supply chain: oecd_due_diligence, un_guiding_principles, ilo_fundamental_principles, eti_base_code, open_supply_hub

Remedy controls

  • Affected-party standing
  • Remediation plan
  • Challenge window required
  • Privacy-safe reporting

unrepresented_third_party

Unrepresented third party

Trigger review when a trade materially affects people who are not participants.

vulnerable_party_pressure

Vulnerable-party pressure

Trigger review when a paid action, disclosure, or pledge may pressure a vulnerable person or group.

political_or_campaign_adjacent

Political or campaign-adjacent

Trigger review for political-adjacent proposals and block direct campaign contribution offsets elsewhere.

paid_action_pressure

Paid-action pressure

Trigger review when compensation could distort voluntariness, labor conditions, or baseline incentives.

labor_or_supply_chain

Labor or supply-chain claim

Trigger review when a proposal makes ethical-trade, sourcing, labor, or supplier claims.

recipient_or_destination_risk

Recipient or destination risk

Trigger review when money, action, or reputation flows to an organization with contested governance or harm risks.

environment_or_community_impact

Environmental or community impact

Trigger review when a project may affect local communities, pollution, land, animals, or ecosystems.

perverse_incentive

Perverse incentive

Trigger review when the trade may reward newly escalated or strategically worsened behavior.

AI governance contract

Undocumented ML cannot rank, match, disclose, or change state.

The report says any move beyond deterministic rules must be documented with model cards, dataset datasheets, benchmark slices, fairness audits, and human-control gates. This profile keeps that requirement explicit before any ranking or scoring layer can be promoted.

AI governance moral-trade-ai-governance-v0.3-2026-06

Status pass

11 check(s), 0 blocker(s), decisioning mode deterministic rules with schema bound copilot, 6 sample documentation packet(s).

Open AI governance JSON

Required before ML

  • Model card
  • Dataset datasheet
  • Benchmark slices
  • Intended-use limits
  • Fairness audit report
  • Change log

Documentation templates

  • Model card template: 8 required fields; redacts raw_private_wish_text and contact_details
  • Dataset datasheet template: 8 required fields; redacts raw_private_wish_text and contact_details
  • Benchmark-slice template: 8 required fields; redacts raw_private_wish_text and contact_details
  • Intended-use limits template: 6 required fields; redacts raw_private_wish_text and contact_details
  • Fairness audit report template: 7 required fields; redacts raw_private_wish_text and contact_details
  • Change-log template: 7 required fields; redacts raw_private_wish_text and contact_details

Sample documentation packets

  • model card: shadow only
  • dataset datasheet: shadow only
  • benchmark slices: shadow only
  • intended use limits: shadow only
  • fairness audit report: shadow only
  • change log: shadow only

Prohibited uses

  • End-to-end LLM matching
  • Global moral ranking
  • Unreviewed learning to rank
  • Protected-trait inference
  • Autonomous outreach
  • Raw private-feed training

Standards

  • NIST AI RMF
  • NIST XAI principles
  • Model Cards
  • Datasheets for Datasets
  • Fairness trade-off literature
  • LIME and SHAP diagnostics

Explanation controls

  • Factor codes are the source of truth
  • Meaningful user action
  • System accuracy boundary
  • Uncertainty and redaction notice
  • Appealable review scope
  • Reversible interaction
  • Local explanation methods are gated

schema_bound_drafting

Schema-bound drafting

Drafting may normalize user text into approved proposal fields without inventing facts or evidence.

missing_field_detection

Missing-field detection

Automation may flag missing required fields and ask clarification questions tied to those fields.

factor_code_explanation

Factor-code explanation rendering

Automation may render explanations only from deterministic factor codes and approved redaction rules.

evidence_checklist_drafting

Evidence checklist drafting

Automation may draft checklists of observable artifacts without deciding that evidence is sufficient.

reviewer_summary_drafting

Reviewer-summary drafting

Automation may summarize records for reviewers while preserving uncertainty and unresolved flags.

API contract

Core routes now publish privacy, schema, rate-limit, and fallback metadata.

The core Moral Trade API surface is now cataloged with method, auth posture, privacy class, schema names, rate-limit surface, cache behavior, and safe fallback rules.

API moral-trade-api-contract-v0.75-2026-06

Status fail

31 check(s), 2 blocker(s), 183 route(s), 258 schema definition(s).

Open API contract JSON

Schema registry moral-trade-schema-registry-v0.2-2026-05

Status fail

9 check(s), 1 blocker(s), 12 public schema document(s), including the core data-model and public offer listing schemas; 8 public payload sample(s) checked, 0 sample failure(s).

Open schema registry JSON

Public schema documents

  • ai-governance-profile.schema.json: 15 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • api-contract-profile.schema.json: 6 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • copilot-contract.schema.json: 16 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • data-model-profile.schema.json: 8 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • evaluation-profile.schema.json: 8 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • externality-profile.schema.json: 9 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • incident-response-profile.schema.json: 10 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • operations-profile.schema.json: 10 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • performance-profile.schema.json: 10 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • protocol-profile.schema.json: 13 required top-level field(s), 0 sample validation(s), 0 sample failure(s)
  • public-offer-listing.schema.json: 26 required top-level field(s), 8 sample validation(s), 0 sample failure(s)
  • security-profile.schema.json: 6 required top-level field(s), 0 sample validation(s), 0 sample failure(s)

Route catalog

  • GET /api/moral-trade/health
  • GET /api/moral-trade/api-contract
  • GET /api/offers
  • GET /api/offers/:slug
  • GET /api/offers/facets

Schema definitions

  • empty_request: 0 field(s)
  • public_offers_collection_request: 8 field(s)
  • public_offers_collection_response: 8 field(s)
  • public_offer_detail_request: 1 field(s)
  • public_offer_detail_response: 9 field(s)
  • public_offers_facets_request: 6 field(s)

Privacy classes

  • public contract
  • public schema
  • authenticated private
  • authenticated private step up
  • privacy thresholded public preview
  • redacted analytics
  • ephemeral private draft review

Private and thresholded routes

  • saved_search_create: authenticated private
  • public_offer_follow: authenticated private
  • public_offer_create_similar: authenticated private
  • moral_trade_release_gate_enforce: authenticated private
  • moral_trade_participant_confirmation_enforce: authenticated private
  • moral_trade_participant_eligibility_enforce: authenticated private
  • moral_trade_account_security_enforce: authenticated private
  • moral_trade_reviewer_quality_enforce: authenticated private
  • moral_trade_matching_clearing_execute: authenticated private
  • moral_trade_clearing_preview_execute: authenticated private
  • moral_trade_baseline_integrity_enforce: authenticated private
  • moral_trade_agreement_amendment_enforce: authenticated private
  • moral_trade_production_readiness_enforce: authenticated private
  • moral_trade_recipient_acceptance_enforce: authenticated private
  • moral_trade_ai_preference_elicitation_enforce: authenticated private
  • moral_trade_post_clear_audit_enforce: authenticated private
  • moral_trade_non_public_goods_subsidy_enforce: authenticated private
  • moral_trade_non_public_goods_tier_enforce: authenticated private
  • moral_trade_risk_control_matrix_enforce: authenticated private
  • moral_trade_preference_integrity_enforce: authenticated private
  • moral_trade_commitment_settlement_enforce: authenticated private
  • moral_goods_group_buying_enforce: authenticated private
  • moral_trade_participant_credibility_enforce: authenticated private
  • moral_trade_opportunity_meal_evidence_enforce: authenticated private
  • moral_trade_guest_witness_invite_write: authenticated private
  • moral_trade_guest_witness_testimony_write: authenticated private
  • moral_trade_guest_witness_review_write: authenticated private
  • moral_trade_pledge_performance_bond_enforce: authenticated private
  • moral_trade_pledge_swap_performance_schedule_enforce: authenticated private
  • moral_trade_negative_commitment_scope_enforce: authenticated private
  • moral_trade_donor_of_record_tax_enforce: authenticated private
  • moral_trade_action_reversibility_enforce: authenticated private
  • moral_trade_authority_obligation_enforce: authenticated private
  • moral_trade_direct_pair_clearing_enforce: authenticated private
  • moral_trade_cause_bucket_taxonomy_enforce: authenticated private
  • moral_trade_resource_compatibility_enforce: authenticated private
  • moral_trade_net_offset_accounting_enforce: authenticated private
  • moral_trade_offer_validity_enforce: authenticated private
  • moral_trade_private_exchange_rate_enforce: authenticated private
  • moral_trade_noncompensable_blocker_enforce: authenticated private
  • moral_trade_batch_clearing_objective_enforce: authenticated private
  • moral_trade_sensitive_evidence_attestation_enforce: authenticated private
  • moral_trade_pilot_evidence_enforce: authenticated private
  • moral_trade_side_agreement_enforce: authenticated private
  • moral_trade_trade_classification_enforce: authenticated private
  • moral_trade_template_conformance_enforce: authenticated private
  • moral_trade_review_capacity_enforce: authenticated private
  • moral_trade_participant_term_sheet_enforce: authenticated private
  • moral_trade_protective_assessment_enforce: authenticated private
  • moral_trade_user_safety_content_moderation_enforce: authenticated private
  • moral_trade_financial_settlement_controls_enforce: authenticated private
  • moral_trade_schema_registry: public schema
  • moral_trade_copilot_review: ephemeral private draft review
  • moral_trade_match_signal_evaluate: ephemeral private draft review
  • moral_trade_challenge_appeal_evaluate: ephemeral private draft review
  • moral_trade_challenge_appeal_enforce: authenticated private
  • moral_trade_disclosure_evaluate: ephemeral private draft review
  • moral_trade_review_workflow_evaluate: ephemeral private draft review
  • profile_schema: public schema
  • profile_export: authenticated private
  • profile_import: authenticated private
  • background_wish_interview_session_create: authenticated private
  • background_wish_interview_answer_create: authenticated private
  • background_wish_interview_apply: authenticated private
  • background_wish_dialogue_start: authenticated private
  • background_wish_dialogue_message: authenticated private
  • background_wish_dialogue_proposal: authenticated private
  • background_wish_dialogue_apply: authenticated private
  • background_source_connection_create: authenticated private
  • background_source_create_bg17_alias: authenticated private
  • background_source_connection_revoke: authenticated private
  • background_source_revoke_bg17_alias: authenticated private
  • background_source_sync_queue: authenticated private
  • background_source_summary_draft: authenticated private
  • background_source_summary_draft_bg16_alias: authenticated private
  • background_source_connection_summary_draft_alias: authenticated private
  • background_source_summary_approve: authenticated private
  • background_source_summary_draft_approve_bg17_alias: authenticated private
  • background_source_connection_approve_bg16_alias: authenticated private
  • background_source_connection_summary_approve_alias: authenticated private
  • background_profile_signal_recompute: authenticated private
  • background_profile_recompute_bg16_alias: authenticated private
  • background_source_summary_create: authenticated private
  • background_intro_packet_create: authenticated private
  • background_intro_request_create: authenticated private
  • background_intro_request_appeal: authenticated private
  • background_intro_request_approve_contact: authenticated private step up
  • background_opportunity_brief_list: authenticated private
  • background_opportunity_list: authenticated private
  • background_opportunity_feedback_create: authenticated private
  • background_opportunity_feedback_create_alias: authenticated private
  • background_helper_run_create: authenticated private
  • background_opportunity_feedback_create_bg17_body_alias: authenticated private
  • background_private_overlap_check: authenticated private
  • background_subject_identity_write: authenticated private
  • background_claim_assurance_write: authenticated private
  • background_pairwise_safety_write: authenticated private
  • wish_registry_search: privacy thresholded public preview
  • funnel_events: redacted analytics

Rate-limit surfaces

  • public contract read
  • offer collection read
  • offer detail read
  • offer facets read
  • saved search write
  • offer follow write
  • offer create similar
  • release gate enforce
  • participant confirmation enforce
  • participant eligibility enforce
  • account security enforce
  • reviewer quality enforce
  • matching clearing execute
  • clearing preview execute
  • baseline integrity enforce
  • agreement amendment enforce
  • production readiness enforce
  • recipient acceptance enforce
  • ai preference elicitation enforce
  • post clear audit enforce
  • non public goods subsidy enforce
  • non public goods tier enforce
  • risk control matrix enforce
  • preference integrity enforce
  • commitment settlement enforce
  • group buying enforce
  • participant credibility enforce
  • opportunity meal evidence enforce
  • guest witness invite write
  • guest witness testimony write
  • guest witness review write
  • pledge performance bond enforce
  • pledge swap performance schedule enforce
  • negative commitment scope enforce
  • donor of record tax enforce
  • action reversibility enforce
  • authority obligation enforce
  • direct pair clearing enforce
  • cause bucket taxonomy enforce
  • resource compatibility enforce
  • net offset accounting enforce
  • offer validity enforce
  • private exchange rate enforce
  • noncompensable blocker enforce
  • batch clearing objective enforce
  • sensitive evidence attestation enforce
  • pilot evidence enforce
  • side agreement enforce
  • trade classification enforce
  • template conformance enforce
  • review capacity enforce
  • participant term sheet enforce
  • protective assessment enforce
  • user safety content moderation enforce
  • financial settlement controls enforce
  • copilot draft review
  • match signal evaluate
  • challenge appeal evaluate
  • challenge appeal enforce
  • disclosure evaluate
  • review workflow evaluate
  • profile portability
  • background wish interview write
  • background source summary write
  • background intro packet write
  • background opportunity brief read
  • background opportunity feedback write
  • background helper run write
  • background private overlap check
  • background subject identity write
  • background claim assurance write
  • background pairwise safety write
  • wish registry search
  • analytics ingest

API test hooks

  • api contract profile validator
  • api contract route contract
  • health route contract smoke
  • technical spec api contract smoke
  • security route contract
  • incident response route contract
  • performance route contract
  • externality route contract
  • ai governance route contract
  • data model contract route
  • policy bundle contract route
  • release gate enforce route contract
  • public offers collection route
  • public offer detail route
  • public offers facets route
  • saved search create route
  • public offer follow route
  • public offer create similar route
  • reasoning packet route contract
  • match signal route contract
  • challenge appeal route contract
  • challenge appeal enforce route contract
  • template conformance contract route
  • template conformance enforce route contract
  • review capacity contract route
  • review capacity enforce route contract
  • participant term sheet enforce route contract
  • participant confirmation enforce route contract
  • participant eligibility enforce route contract
  • account security enforce route contract
  • reviewer quality enforce route contract
  • protective assessment enforce route contract
  • user safety content moderation enforce route contract
  • recipient acceptance enforce route contract
  • ai preference elicitation enforce route contract
  • post clear audit enforce route contract
  • non public goods subsidy enforce route contract
  • non public goods tier enforce route contract
  • risk control matrix enforce route contract
  • preference integrity enforce route contract
  • commitment settlement enforce route contract
  • group buying collection route contract
  • group buying contract route
  • group buying enforce route contract
  • guest witness contract route
  • guest witness invite route contract
  • guest witness testimony route contract
  • guest witness review route contract
  • pledge performance bond enforce route contract
  • pledge swap performance schedule enforce route contract
  • negative commitment scope enforce route contract
  • donor of record tax enforce route contract
  • action reversibility enforce route contract
  • authority obligation enforce route contract
  • direct pair clearing enforce route contract
  • cause bucket taxonomy enforce route contract
  • resource compatibility enforce route contract
  • net offset accounting enforce route contract
  • offer validity enforce route contract
  • private exchange rate enforce route contract
  • noncompensable blocker enforce route contract
  • batch clearing objective enforce route contract
  • sensitive evidence attestation enforce route contract
  • pilot evidence enforce route contract
  • private exchange rate contract route
  • noncompensable blocker contract route
  • batch clearing objective contract route
  • sensitive evidence attestation contract route
  • pilot evidence contract route
  • disclosure grant route contract
  • financial settlement controls route contract
  • financial settlement controls enforce route contract
  • payment event contract route
  • payment authorization contract route
  • user facing status contract route
  • reviewer console contract route
  • matching clearing execute route contract
  • clearing preview execute route contract
  • baseline integrity enforce route contract
  • agreement amendment enforce route contract
  • copilot review route contract
  • profile portability route contract
  • wish registry rate limit contract
  • analytics redaction contract

Field-level schema

empty_request

No request body or query contract beyond route path and auth context.

No body fields.

Field-level schema

public_offers_collection_request

Public collection query parameters for browsing live offers and worked examples without exposing private/personally scoped state.

  • q: string, public
  • tab: enum, public
  • cause: string_array, public
  • format: enum_array, public

Field-level schema

public_offers_collection_response

Public validator-backed collection payload for live offers and worked examples, including visible facets, default-tab behavior, non-claims, and public listing items.

  • ok: boolean, public
  • checkedAt: iso_datetime, public
  • contractVersion: string, public_contract
  • meta: object, public_contract

Field-level schema

public_offer_detail_request

Public offer detail slug path for a live public offer id or worked-example slug.

  • slug: path_slug, public

Field-level schema

public_offer_detail_response

Validator-backed public detail payload for one live offer or worked example, with sign-in/consent-gated actions and non-claims.

  • ok: boolean, public
  • checkedAt: iso_datetime, public
  • contractVersion: string, public_contract
  • slug: path_slug, public

Field-level schema

public_offers_facets_request

Public facet query parameters for the current tab/search scope without pagination.

  • q: string, public
  • tab: enum, public
  • cause: string_array, public
  • format: enum_array, public

moral_trade_health

GET /api/moral-trade/health

Return ok:false with validator blockers; never silently claim readiness.

moral_trade_api_contract

GET /api/moral-trade/api-contract

Return API contract validator blockers, implementation audit, route catalog, schema definitions, privacy classes, and test hooks; never expose private participant records.

public_offers_collection

GET /api/offers

Return filtered worked-example and live listing payloads, visible facets, validator blockers, and zero-live guidance; never expose private wishes, contact details, raw evidence artifacts, personalized saved-offer state, or global moral ranking.

public_offer_detail

GET /api/offers/:slug

Return a validator-backed public listing detail or 404 blockers; never expose contact details, private wishes, raw evidence artifacts, personalized saved-offer state, or agreement formation claims.

public_offers_facets

GET /api/offers/facets

Return positive-count public facets, current default-tab behavior, and validator blockers; never expose zero-count private-sensitive facets or personalized browse state.

saved_search_create

POST /api/saved-searches

Require viewer authentication to store a saved search; unauthenticated requests return a sign-in draft without storage. Never expose private wishes, contact details, raw source notes, personalized saved-offer state, autonomous outreach, or platform moral ranking.

Provenance

Evidence records name entities, activities, and agents.

This does not prove moral correctness. It does make each claim easier to audit: what artifact was submitted, what activity changed state, and which participant, reviewer, or provider was involved.

Entities

proposal_record, offer, agreement, evidence_artifact, external_entity_reference, review_decision, match_explanation, match_signal, traceability_event

Activities

draft_created, draft_updated, evidence_submitted, traceability_event_recorded, risk_screened, challenge_window_opened, review_completed

Agents

participant, counterparty, operator, external_reviewer, payment_or_evidence_provider

Evidence object contract

Claims now have typed artifacts, traceability events, review records, and state changes.

The provenance layer uses fixed object schemas so duplicate proof, wrong-scope evidence, stale artifacts, missing agents, external entity dedupe failures, and external payment or charity-routing events without what/where/why links can be caught, while state transitions carry immutable event hashes before any reviewed completion claim is published.

Provenance contract moral-trade-provenance-v0.3

Status pass

6 check(s), 0 blocker(s), 1 synthetic traceability event(s).

Open provenance JSON

Validator rules

  • artifact-hashes
  • claim-artifact-links
  • scope-alignment
  • one-proof-one-claim
  • freshness-window

Sample bundle

1 artifact, 1 claim, 1 review decision, 3 agents.

Append-only storage

9 owner-scoped table(s) persist artifacts, claims, agents, activities, external references, traceability events, and state transitions.

Contract tests

  • provenance contract validator
  • provenance sample bundle smoke
  • traceability event contract smoke
  • provenance persistence schema smoke
  • technical spec provenance contract smoke

provenance_agent

moral_trade_provenance_agents

owner_insert_public_or_owner_read

evidence_artifact

moral_trade_evidence_artifacts

owner_insert_public_or_owner_read

evidence_claim

moral_trade_evidence_claims

owner_insert_public_or_owner_read

evidence_claim

moral_trade_evidence_claim_artifacts

owner_insert_public_pair_read

external_entity_reference

moral_trade_external_entity_references

owner_insert_public_or_owner_read

review_decision

moral_trade_review_decisions

owner_insert_public_or_owner_read

evidence_artifact

Evidence artifact entity

  • id
  • kind
  • normalizedLocator
  • mediaType
  • claimScopes
  • submittedAt
  • submittedByAgentId
  • redactionLevel
  • sha256

evidence_claim

Evidence claim

  • id
  • proposalId
  • claimType
  • artifactIds
  • claimScope
  • reviewerConfidence
  • uniquenessChecked

external_entity_reference

External entity reference

  • id
  • entityType
  • label
  • identifierSystem
  • normalizedIdentifier
  • dedupeKey
  • verificationStatus
  • redactionLevel
  • sha256

review_decision

Reviewer decision

  • id
  • proposalId
  • outcome
  • reasonCodes
  • summary
  • reviewerId
  • idempotencyKey
  • decisionHash
  • createdAt

match_signal

Privacy-safe match signal

  • id
  • leftProfileId
  • rightProfileId
  • privacyPolicyId
  • status
  • factorCodes
  • confidenceBand
  • redactedFields
  • disclosureStage
  • humanReviewRequired
  • createdAt

traceability_event

Interoperable traceability event

  • id
  • eventTime
  • recordedAt
  • action
  • businessStep
  • disposition
  • what
  • where
  • why
  • agentIds
  • redactionLevel
  • auditQuestionAnswers
  • sha256

state_transition_event_record

Immutable state transition event record

  • id
  • schemaVersion
  • subjectId
  • subjectKind
  • from
  • to
  • provenanceActivity
  • recordedAt
  • actorAgentId
  • actorAgentKind
  • usedEntityIds
  • generatedEntityIds
  • idempotencyKey
  • previousEventHash
  • auditQuestionAnswers
  • eventHash

provenance_activity

Provenance activity

  • id
  • kind
  • at
  • usedEntityIds
  • generatedEntityIds
  • agentIds

provenance_agent

Provenance agent

  • id
  • kind
  • label
MoralTrade

A marketplace for productive difference.

Trade commitments, redirect offsetting donations, and join conditional funding pools. Moral Trade keeps the no-deal default, maximum exposure, evidence, settlement, and exit terms visible before reliance.

Research supports the mechanism. The public product is the marketplace and coordination infrastructure.

Marketplace

  • Explore trades
  • Create a trade
  • Private messages
  • Track commitments

Safety & transparency

  • Contextual credibility
  • Service status
  • Safety and anti-threat rules
  • Transparency

Learn

  • Interactive walkthrough
  • What is Moral Trade?
  • Research
  • Technical specification
  • Worked examples

Organization

  • Team and governance
  • Join the network
  • Support
  • Contact
  • Privacy
  • Terms

Moral Trade does not provide legal, tax, investment, or blanket impact certification. Payment, custody, authorization, settlement, and refund capabilities are disclosed at the point where a user could rely on them.

© 2026 Moral Trade

PrivacyTermsAccessibilityContact