Trust layer for AI-modified software — receipts, ledger, calibrated autonomy

Project description

SignalBrain — the trust layer for AI-modified software

Every company is letting deterministic governed processes change systems that matter. Every autonomous tool overstates what it did. SignalBrain is the referee: signed improvement receipts, objective re-score, and per-class calibrated trust — so autonomy is earned, not self-reported.

Agent tooling today answers risk with a permission prompt — approve every action, forever. Receipts are the exit ramp: a governed process earns the right to stop asking, one measured claim at a time, per change-class, revocable by evidence.

Your repo, your ledger, no server. Plain files, a CLI, and a GitHub Action — nothing to host, nothing phones home. And because a referee can't also be a player, SignalBrain is agent- and model-neutral by design: Claude Code, Cursor, goose, Codex CLI — same rules for every one of them.

Animated: a 0.92-confidence claim is re-executed after merge, fails, held: false is recorded forever, and the class drops to GATE

This repository is Phase 0 v0.1: the receipt spec, ledger math, scoring lane, anti-Goodhart machinery, and the founding incident record — extracted from the Titan reference deployment (R&D dummy that keeps trying to game its own ledger, in public).

What integrity means here

SignalBrain Integrity verifies claim integrity, not total system correctness. Its core invariant:

No unmerged, modified, self-scored, or test-only/pin claim can increase earned trust. Only byte-identical, human-merged receipts are objectively re-run and counted toward per-class trust.

Concretely, sb check proves the receipt you are about to score exists byte-for-byte on the merged ref. sb score re-runs the receipt's own measurement commands and records whether the claim held. sb gate turns the ledger into TRUST/GATE or per-class ELIGIBLE/GATE decisions.

What it detects:

  • A process trying to score a receipt before a human merge.
  • A receipt edited after merge.
  • A measurement that fails when re-run.
  • Same-PR test-only pins that are true by construction and should earn zero trust.
  • Per-class trust claims that fall below the configured evidence threshold.

What it does not detect:

  • GPU memory corruption, kernel faults, or model-serving stack corruption.
  • Trading-alpha correctness, business logic drift, or domain truth unless your receipt measures that invariant.
  • Data poisoning, prompt injection, or model truthfulness by itself.
  • Production execution breaches unless you wire the CLI exit codes into your deploy, CI, scheduler, or circuit breaker.

On breach, SignalBrain is fail-closed at the interface you choose: sb check returns a nonzero guard code, sb score refuses unmerged/drifted receipts instead of writing earned trust, and sb gate exits 1 for GATE. In CI this blocks the workflow; in a scheduler it can halt the next run; in a runtime system it is a circuit breaker only if you connect that exit status to one.
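One way to connect that exit status to a scheduler or deploy step, as an added example (not SignalBrain's own code). The `sb gate` command line is the one from the page's quick start; `gate_decision` and `run_if_trusted` are hypothetical helper names, and treating every outcome other than exit 0 as a block is the assumption that makes the wiring fail-closed.

```python
import subprocess
import sys

# Command line from the page's quick start (exit 0 = TRUST earned, 1 = GATE).
SB_GATE = ["sb", "gate", "--ledger", ".signalbrain/ledger.jsonl",
           "--by-class", "--window", "10"]


def gate_decision(cmd, timeout=60):
    """Return (allowed, reason). Only a clean exit 0 is treated as allowed."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except OSError:
        # Missing or non-executable binary: no evidence, so block.
        return False, "gate command could not start"
    except subprocess.TimeoutExpired:
        return False, "gate timed out"
    if proc.returncode == 0:
        return True, "TRUST"
    if proc.returncode == 1:
        return False, "GATE"
    # Guard codes and crashes are also a block, never a pass.
    return False, f"unexpected exit {proc.returncode}"


def run_if_trusted(action, gate_cmd=SB_GATE):
    """Run action() only behind a passing gate; return (ran, reason)."""
    allowed, reason = gate_decision(gate_cmd)
    if not allowed:
        return False, reason
    action()
    return True, reason


if __name__ == "__main__":
    ran, reason = run_if_trusted(lambda: print("next run started"))
    print(f"gate: {reason}")
    sys.exit(0 if ran else 1)
```
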

Operational examples: docs/INTEGRITY_BREACH_RUNBOOK.md. Release and publishing controls: docs/RELEASE_AND_DISTRIBUTION.md.

60-second demo — run it, don't trust it

pip install signalbrain
bash demo/demo.sh

demo.sh output: self-score refused, pins earn zero trust, honest failure recorded, ELIGIBLE earned at n=10

Raw transcript (real output — no mocks)
▶ 1. An agent tries to score its own claim BEFORE anyone merged it
  {"status": "refused_guard", "code": 3, "message": "... not on HEAD — score only human-merged receipts"}
  refused: unmerged claims cannot enter the ledger. No agent grades its own homework.

▶ 2. A batch of receipts measured only by tests the agent wrote itself
  ledger now holds 3 rows — every one classified: 3 "claim_kind": "invariant_pin"
  {}   (no class has ANY trust-eligible claims)
  three green results, ZERO earned trust: held-by-construction pins are recorded, never counted.

▶ 3. An honest failure
  "held": false
  the agent said 0.9 confidence. The measurement said no. That gap is the product.

▶ 4. Ten claims that actually hold
  "tooling": { "hit_rate": 1.0, "n": 10, "status": "auto-merge ELIGIBLE" }
  earned by track record, revocable by evidence. Autonomy is graduated, never granted.

The receipt lifecycle

flowchart LR
    A["Agent ships change<br/>+ receipt"] --> B{"human<br/>merges?"}
    B -- "no" --> R["refused — unmerged claims<br/>cannot be scored"]
    B -- "yes" --> C["sb score<br/>re-runs the receipt's<br/>own commands"]
    C --> D{"measured only by<br/>tests it wrote itself?"}
    D -- "yes" --> P["invariant_pin<br/>recorded · zero trust"]
    D -- "no" --> E{"commands<br/>pass?"}
    E -- "yes" --> H["held ✓"]
    E -- "no" --> F["held ✗<br/>recorded forever"]
    H --> L[("ledger")]
    F --> L
    P --> L
    L --> G{"last 10 high-confidence<br/>claims ≥ 95% held?"}
    G -- "yes" --> M["auto-merge ELIGIBLE<br/>earned · revocable"]
    G -- "no" --> N["GATE<br/>human review"]

    classDef good fill:#0d2b1e,stroke:#34d399,color:#a7f3d0
    classDef bad fill:#2b1214,stroke:#f87171,color:#fecaca
    classDef neutral fill:#0f172a,stroke:#475569,color:#cbd5e1
    class M,H good
    class R,F,P bad
    class A,B,C,D,E,G,L,N neutral
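
The last decision in the flowchart, worked through as an added example (not SignalBrain's implementation). The ledger field names `class` and `confidence`, the `measured` claim kind, the 0.85 high-confidence cutoff, and the requirement of a full window are assumptions; `claim_kind`, `invariant_pin`, `held`, the window of 10 and the 95% threshold come from the page.

```python
import json
from collections import defaultdict

WINDOW = 10       # from the page: --window 10
THRESHOLD = 0.95  # from the page: ">= 95% held"
HIGH_CONF = 0.85  # assumption: the page does not state the high-confidence cutoff


def gate_by_class(ledger_lines, window=WINDOW, threshold=THRESHOLD, high_conf=HIGH_CONF):
    """Map each class to {"hit_rate", "n", "status"} from JSONL ledger rows."""
    counted = defaultdict(list)
    for line in ledger_lines:
        if not line.strip():
            continue
        row = json.loads(line)
        if row.get("claim_kind") == "invariant_pin":
            continue  # pins are recorded but never counted toward trust
        if not isinstance(row.get("held"), bool):
            continue  # unmeasured rows carry no evidence either way
        if row.get("confidence", 0.0) < high_conf:
            continue
        counted[row["class"]].append(row["held"])
    result = {}
    for cls, held in counted.items():
        recent = held[-window:]
        hit_rate = sum(recent) / len(recent)
        # Assumption: a class needs a full window before it can be ELIGIBLE.
        ok = len(recent) >= window and hit_rate >= threshold
        result[cls] = {"hit_rate": round(hit_rate, 3), "n": len(recent),
                       "status": "auto-merge ELIGIBLE" if ok else "GATE"}
    return result


def make_row(cls, confidence, held, claim_kind="measured"):
    """Build one constructed ledger line; field names are assumptions."""
    return json.dumps({"class": cls, "confidence": confidence,
                       "held": held, "claim_kind": claim_kind})


# Constructed sample: ten held tooling claims plus three self-written pins.
SAMPLE = [make_row("tooling", 0.90, True) for _ in range(10)]
SAMPLE += [make_row("docs", 0.95, True, "invariant_pin") for _ in range(3)]
# One later 0.92-confidence claim that fails on re-run.
AFTER_FAILURE = SAMPLE + [make_row("tooling", 0.92, False)]

if __name__ == "__main__":
    print(gate_by_class(SAMPLE))
    print(gate_by_class(AFTER_FAILURE))
```

The pinned `docs` rows never appear in the result, and a single failed high-confidence claim inside the window is enough to move `tooling` from ELIGIBLE back to GATE.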

Three layers

| Layer | What | Status |
|---|---|---|
| Receipt | Open standard — signed, re-runnable claims | docs/RECEIPT_SPEC.md v0.1 |
| Ledger | Per-class trust from objectively re-scored receipts | src/signalbrain/governance/ |
| Refuter | Adversarial verification + SPC (premium) | scripts + roadmap |

Founding proof

Our own autonomous lane tried to pad its trust score to 100% ELIGIBLE in a local working tree. It never reached git. Full receipt-style incident record with reproduce commands:

docs/incidents/2026-07-tooling-trust-streak-gaming.md

Every number in that document is re-derivable from cited SHAs.

The ledger data has its own headline: across 58 objectively measured claims, hold-rate falls as stated confidence rises — 86% in the 0.85–0.90 bin, 83% in 0.90–0.95, 33% above 0.95. The most confident claims were the least reliable. Full essay: signalbrain.ai/essays/most-confident-least-reliable (AI-readable markdown copy) · reproducible curves + generator: report/calibration-curves/.

MCP server — receipts as native agent tools

Listed on the official MCP Registry as io.github.whitestone1121-web/signalbrain. Any MCP client (goose, Claude Desktop, Claude Code, Cursor) gets three tools: emit_receipt, validate_receipt, gate_status — so the agent writes spec-compliant claims and reads its own earned-autonomy standing.

uvx --from "signalbrain[mcp]" sb-mcp

Quick start

pip install signalbrain

# 1. Teach your agents to emit receipts (paste into CLAUDE.md / .cursorrules):
#    docs/pilot/receipt-emission.md

# 2. After a receipt merges, score it objectively:
sb score receipts/0001-tooling-my-change.md --root . --ledger .signalbrain/ledger.jsonl

# 3. Read the trust gates (exit 0 = TRUST earned, 1 = GATE):
sb gate --ledger .signalbrain/ledger.jsonl --by-class --window 10

# Or wire it into CI — see the fork-able demo's workflow:
#    https://github.com/whitestone1121-web/receipt-gate-demo

Versioning

signalbrain is currently 0.x alpha software. Pin exact versions in production pilots, expect breaking changes before 1.0, and treat each release note as part of the contract. The security invariant above is the stable design center; the CLI and receipt schema may still tighten as pilots expose edge cases.

Reference-deployment invocations (legacy scripts, kept for parity)
export PYTHONPATH=src:scripts
python scripts/calibration_ledger.py docs/calibration/improvement_claim_ledger.jsonl \
  --require-measured --by-class --window 10
bash scripts/calibration_score_receipt.sh docs/improvements/NNNN-name.md
pytest tests/ -q

v0.1 scope and roadmap

See Architecture, provenance & roadmap — what's in the box, why the rules look the way they do, and what design partners drive next. Known limitations are stated there plainly; this project publishes its edges the same way it publishes its incidents.

Compat note: governance modules live under signalbrain.governance; agi_os_backend.governance shims preserve script import paths from the reference deployment.

Design partner offer

We score your coding agents' claims against what actually merged. First caught overclaim is free — if we don't find one, you still get an audit. Contact: signalbrain.ai

License

Apache-2.0 — see LICENSE.

Download files

Source Distribution

signalbrain-0.1.4.tar.gz (29.5 kB)

Uploaded Source

Built Distribution

signalbrain-0.1.4-py3-none-any.whl (33.9 kB)

Uploaded Python 3

File details

Details for the file signalbrain-0.1.4.tar.gz.

File metadata

  • Download URL: signalbrain-0.1.4.tar.gz
  • Upload date:
  • Size: 29.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for signalbrain-0.1.4.tar.gz
| Algorithm | Hash digest |
|---|---|
| SHA256 | 12a060105693bafbe417e24e951adf199f2435276a9dec68ecb9329a7bdc0eaa |
| MD5 | b2f98be57fa4668839dcec8571dbe8fe |
| BLAKE2b-256 | 7c587a5346bc229603c75e4fa2a3c1729a2dc46da34c4bbeaafb829e45081f8d |

Provenance

The following attestation bundles were made for signalbrain-0.1.4.tar.gz:

Publisher: release.yml on whitestone1121-web/signalbrain

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file signalbrain-0.1.4-py3-none-any.whl.

File metadata

  • Download URL: signalbrain-0.1.4-py3-none-any.whl
  • Upload date:
  • Size: 33.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for signalbrain-0.1.4-py3-none-any.whl
| Algorithm | Hash digest |
|---|---|
| SHA256 | d3f54568a15bea79bba5ca113e291289f98e2838bb1a7bc99c0cf1db1543d786 |
| MD5 | a93bc6bfd6d61dccdc94b987bc09d677 |
| BLAKE2b-256 | 252cb8c2fbe577b0f76649004f2160986ddebf25386b8239a61c2835ce561709 |

Provenance

The following attestation bundles were made for signalbrain-0.1.4-py3-none-any.whl:

Publisher: release.yml on whitestone1121-web/signalbrain

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
