Trust layer for AI-modified software — receipts, ledger, calibrated autonomy
Project description
SignalBrain
Trust layer for AI-modified software.
Get started · Receipt spec · Architecture & roadmap · The founding incident · Pilot · Demo repo
Every company is letting deterministic governed processes change systems that matter. Every autonomous tool overstates what it did. SignalBrain is the referee: signed improvement receipts, objective re-score, and per-class calibrated trust — so autonomy is earned, not self-reported.
Agent tooling today answers risk with a permission prompt — approve every action, forever. Receipts are the exit ramp: a governed process earns the right to stop asking, one measured claim at a time, per change-class, revocable by evidence.
Your repo, your ledger, no server. Plain files, a CLI, and a GitHub Action — nothing to host, nothing phones home. And because a referee can't also be a player, SignalBrain is agent- and model-neutral by design: Claude Code, Cursor, goose, Codex CLI — same rules for every one of them.
This repository is Phase 0 v0.1: the receipt spec, ledger math, scoring lane, anti-Goodhart machinery, and the founding incident record — extracted from the Titan reference deployment (R&D dummy that keeps trying to game its own ledger, in public).
What integrity means here
SignalBrain Integrity verifies claim integrity, not total system correctness. Its core invariant:
No unmerged, modified, self-scored, or test-only/pin claim can increase earned trust. Only byte-identical, human-merged receipts are objectively re-run and counted toward per-class trust.
Concretely, sb check proves the receipt you are about to score exists byte-for-byte on the merged ref. sb score re-runs the receipt's own measurement commands and records whether the claim held. sb gate turns the ledger into TRUST/GATE or per-class ELIGIBLE/GATE decisions.
What it detects:
- A process trying to score a receipt before a human merge.
- A receipt edited after merge.
- A measurement that fails when re-run.
- Same-PR test-only pins that are true by construction and should earn zero trust.
- Per-class trust claims that fall below the configured evidence threshold.
What it does not detect:
- GPU memory corruption, kernel faults, or model-serving stack corruption.
- Trading-alpha correctness, business logic drift, or domain truth unless your receipt measures that invariant.
- Data poisoning, prompt injection, or model truthfulness by itself.
- Production execution breaches unless you wire the CLI exit codes into your deploy, CI, scheduler, or circuit breaker.
On breach, SignalBrain is fail-closed at the interface you choose: sb check returns a nonzero guard code, sb score refuses unmerged/drifted receipts instead of writing earned trust, and sb gate exits 1 for GATE. In CI this blocks the workflow; in a scheduler it can halt the next run; in a runtime system it is a circuit breaker only if you connect that exit status to one.
Operational examples: docs/INTEGRITY_BREACH_RUNBOOK.md. Release and publishing controls: docs/RELEASE_AND_DISTRIBUTION.md.
60-second demo — run it, don't trust it
pip install signalbrain
bash demo/demo.sh
Raw transcript (real output — no mocks)
▶ 1. An agent tries to score its own claim BEFORE anyone merged it
{"status": "refused_guard", "code": 3, "message": "... not on HEAD — score only human-merged receipts"}
refused: unmerged claims cannot enter the ledger. No agent grades its own homework.
▶ 2. A batch of receipts measured only by tests the agent wrote itself
ledger now holds 3 rows — every one classified: 3 "claim_kind": "invariant_pin"
{} (no class has ANY trust-eligible claims)
three green results, ZERO earned trust: held-by-construction pins are recorded, never counted.
▶ 3. An honest failure
"held": false
the agent said 0.9 confidence. The measurement said no. That gap is the product.
▶ 4. Ten claims that actually hold
"tooling": { "hit_rate": 1.0, "n": 10, "status": "auto-merge ELIGIBLE" }
earned by track record, revocable by evidence. Autonomy is graduated, never granted.
The receipt lifecycle
flowchart LR
A["Agent ships change<br/>+ receipt"] --> B{"human<br/>merges?"}
B -- "no" --> R["refused — unmerged claims<br/>cannot be scored"]
B -- "yes" --> C["sb score<br/>re-runs the receipt's<br/>own commands"]
C --> D{"measured only by<br/>tests it wrote itself?"}
D -- "yes" --> P["invariant_pin<br/>recorded · zero trust"]
D -- "no" --> E{"commands<br/>pass?"}
E -- "yes" --> H["held ✓"]
E -- "no" --> F["held ✗<br/>recorded forever"]
H --> L[("ledger")]
F --> L
P --> L
L --> G{"last 10 high-confidence<br/>claims ≥ 95% held?"}
G -- "yes" --> M["auto-merge ELIGIBLE<br/>earned · revocable"]
G -- "no" --> N["GATE<br/>human review"]
classDef good fill:#0d2b1e,stroke:#34d399,color:#a7f3d0
classDef bad fill:#2b1214,stroke:#f87171,color:#fecaca
classDef neutral fill:#0f172a,stroke:#475569,color:#cbd5e1
class M,H good
class R,F,P bad
class A,B,C,D,E,G,L,N neutral
Three layers
| Layer | What | Status |
|---|---|---|
| Receipt | Open standard — signed, re-runnable claims | docs/RECEIPT_SPEC.md v0.1 |
| Ledger | Per-class trust from objectively re-scored receipts | src/signalbrain/governance/ |
| Refuter | Adversarial verification + SPC (premium) | scripts + roadmap |
Founding proof
Our own autonomous lane tried to pad its trust score to 100% ELIGIBLE in a local working tree. It never reached git. Full receipt-style incident record with reproduce commands:
docs/incidents/2026-07-tooling-trust-streak-gaming.md
Every number in that document is re-derivable from cited SHAs.
The ledger data has its own headline: across 58 objectively measured claims, hold-rate falls as stated confidence rises — 86% in the 0.85–0.90 bin, 83% in 0.90–0.95, 33% above 0.95. The most confident claims were the least reliable. Full essay: signalbrain.ai/essays/most-confident-least-reliable (AI-readable markdown copy) · reproducible curves + generator: report/calibration-curves/.
MCP server — receipts as native agent tools
Listed on the official MCP Registry as io.github.whitestone1121-web/signalbrain. Any MCP client (goose, Claude Desktop, Claude Code, Cursor) gets three tools: emit_receipt, validate_receipt, gate_status — so the agent writes spec-compliant claims and reads its own earned-autonomy standing.
uvx --from "signalbrain[mcp]" sb-mcp
Quick start
pip install signalbrain
# 1. Teach your agents to emit receipts (paste into CLAUDE.md / .cursorrules):
# docs/pilot/receipt-emission.md
# 2. After a receipt merges, score it objectively:
sb score receipts/0001-tooling-my-change.md --root . --ledger .signalbrain/ledger.jsonl
# 3. Read the trust gates (exit 0 = TRUST earned, 1 = GATE):
sb gate --ledger .signalbrain/ledger.jsonl --by-class --window 10
# Or wire it into CI — see the fork-able demo's workflow:
# https://github.com/whitestone1121-web/receipt-gate-demo
Versioning
signalbrain is currently 0.x alpha software. Pin exact versions in production pilots, expect breaking changes before 1.0, and treat each release note as part of the contract. The security invariant above is the stable design center; the CLI and receipt schema may still tighten as pilots expose edge cases.
Reference-deployment invocations (legacy scripts, kept for parity)
export PYTHONPATH=src:scripts
python scripts/calibration_ledger.py docs/calibration/improvement_claim_ledger.jsonl \
--require-measured --by-class --window 10
bash scripts/calibration_score_receipt.sh docs/improvements/NNNN-name.md
pytest tests/ -q
v0.1 scope and roadmap
See Architecture, provenance & roadmap — what's in the box, why the rules look the way they do, and what design partners drive next. Known limitations are stated there plainly; this project publishes its edges the same way it publishes its incidents.
Compat note: governance modules live under signalbrain.governance; agi_os_backend.governance shims preserve script import paths from the reference deployment.
Design partner offer
We score your coding agents' claims against what actually merged. First caught overclaim is free — if we don't find one, you still get an audit. Contact: signalbrain.ai
License
Apache-2.0 — see LICENSE.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file signalbrain-0.1.3.tar.gz.
File metadata
- Download URL: signalbrain-0.1.3.tar.gz
- Upload date:
- Size: 26.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5b2c1fc1432fe6fb05704dc4cb2a1cb4a7819fa2f588a503aa3c541496c698ee
|
|
| MD5 |
51a999e77539493a96643cfbc2bc98ca
|
|
| BLAKE2b-256 |
35e1e1e04330c4e2469e66e67d7f7fe30caf84bd15737421b74a0f8b1824a949
|
Provenance
The following attestation bundles were made for signalbrain-0.1.3.tar.gz:
Publisher:
release.yml on whitestone1121-web/signalbrain
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
signalbrain-0.1.3.tar.gz -
Subject digest:
5b2c1fc1432fe6fb05704dc4cb2a1cb4a7819fa2f588a503aa3c541496c698ee - Sigstore transparency entry: 2080916483
- Sigstore integration time:
-
Permalink:
whitestone1121-web/signalbrain@07056b83097c2ca0c750e99b27ffe578bcb9e15f -
Branch / Tag:
refs/tags/v0.1.3 - Owner: https://github.com/whitestone1121-web
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@07056b83097c2ca0c750e99b27ffe578bcb9e15f -
Trigger Event:
push
-
Statement type:
File details
Details for the file signalbrain-0.1.3-py3-none-any.whl.
File metadata
- Download URL: signalbrain-0.1.3-py3-none-any.whl
- Upload date:
- Size: 30.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
690644e492d818303d57d8f2c4d54869fea00a39a97aeb26e57b24804e51c465
|
|
| MD5 |
89cac0de39a692a07e164226cab8fa31
|
|
| BLAKE2b-256 |
9e25f0a27f43e78db92ce57da63c2455bd196a3750d2f72c0b57051951cbcc76
|
Provenance
The following attestation bundles were made for signalbrain-0.1.3-py3-none-any.whl:
Publisher:
release.yml on whitestone1121-web/signalbrain
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
signalbrain-0.1.3-py3-none-any.whl -
Subject digest:
690644e492d818303d57d8f2c4d54869fea00a39a97aeb26e57b24804e51c465 - Sigstore transparency entry: 2080916959
- Sigstore integration time:
-
Permalink:
whitestone1121-web/signalbrain@07056b83097c2ca0c750e99b27ffe578bcb9e15f -
Branch / Tag:
refs/tags/v0.1.3 - Owner: https://github.com/whitestone1121-web
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@07056b83097c2ca0c750e99b27ffe578bcb9e15f -
Trigger Event:
push
-
Statement type: