Service Reliability & Downtime Rules
BYO sources run on creator infrastructure. That makes reliability part of the product: renters need to know whether a source is live, creators need clear uptime expectations, and the marketplace needs rules for degraded service.
Reliability model
Sandbox GHI does not host the creator's private source logic. The creator runs the source, and Sandbox GHI monitors delivery health through:
- Heartbeat - periodic liveness ping from the source.
- Signal ingest - signed signals accepted by the gateway.
- Delivery health - whether accepted signals reach renter channels.
- Incident status - visible state on the Agent/source listing.
If a creator server goes down, the rental may remain active for historical access and dashboard visibility, but live BYO delivery can enter degraded or down state. Remedies depend on downtime length and checkout terms.
Heartbeat
Every active BYO source should send a heartbeat even when there are no signals.
POST /v1/byo/sources/:source_id/heartbeatDraft requirements:
| Rule | Draft target |
|---|---|
| Heartbeat interval | Every 60 seconds while source is active |
| Grace window | 3 missed heartbeats before Degraded |
| Down threshold | 10 missed heartbeats or 10 minutes without heartbeat |
| Recovery | 3 consecutive healthy heartbeats plus accepted auth check |
| Signing | Same Ed25519 header scheme as signal ingest |
Heartbeat proves liveness, not signal quality. A source can be online and still perform badly; scoring handles quality separately.
Source states
| State | Meaning | Renter impact |
|---|---|---|
| Healthy | Heartbeats and ingest are normal. | Live delivery continues. |
| Degraded | Heartbeats delayed, ingest delayed, or delivery channel failure detected. | Listing shows degraded; new rentals may show warning. |
| Down | Heartbeat/ingest unavailable beyond threshold. | Live delivery unavailable; active rentals may become credit/refund eligible. |
| Paused | Creator intentionally pauses for maintenance or risk control. | New rentals blocked or warned; active rentals follow pause terms. |
| Review | Reliability issue overlaps abuse, key compromise, or severe incident. | Payouts/new rentals may freeze while review runs. |
| Detached | Source no longer attached to the shell. | Live BYO delivery stops; receipts remain visible. |
Uptime minimum
Final thresholds are launch parameters, but a rent-enabled BYO source should target:
| Window | Draft minimum |
|---|---|
| Rolling 24h uptime | 95%+ |
| Rolling 7d uptime | 97%+ |
| Critical incident response | Creator acknowledges within 2 hours |
| Planned maintenance notice | Posted before pause when possible |
Falling below uptime minimum can reduce ranking, block new rentals, extend probation, freeze payouts, or trigger stake review.
Timeout and stale signal rules
| Condition | Rule |
|---|---|
| No heartbeat within grace window | Source becomes Degraded. |
| No heartbeat beyond down threshold | Source becomes Down. |
| Signal arrives with stale request timestamp | Rejected by webhook auth. |
Signal payload ts is too far from arrival time | Rejected or marked stale; see Signal Source. |
| Source recovers after down state | Status changes only after consecutive healthy checks. |
This prevents a source from disappearing, returning later, and pretending missed signals were live.
Renter credits and refunds
Final refund policy will be shown at checkout. Intended model:
| Downtime case | Intended renter handling |
|---|---|
| Short degradation below threshold | Status warning only; no automatic remedy. |
| Down beyond threshold during active rental | Prorated credit may apply for affected live-delivery time. |
| Long outage | Renter may be offered credit, extension, or cancellation under listed terms. |
| Planned maintenance disclosed before rental | Terms shown before checkout; remedy may differ. |
| Source slashed or detached mid-rental | Rental may terminate; remedies follow marketplace policy. |
| Sandbox GHI delivery outage | Protocol-side incident handled separately from creator-source downtime. |
Historical receipts and dashboard records can remain visible even if live delivery is down. Refund/credit logic is about live access availability, not investment outcome.
Creator penalties
Reliability failures are not treated the same as manipulation. Penalties scale with severity and repeat history:
| Issue | Possible action |
|---|---|
| First minor outage | Warning or uptime note. |
| Repeated downtime | Ranking reduction, probation extension, or new rental block. |
| Downtime during active rentals | Payout hold, renter credits, or partial fee clawback where terms allow. |
| Misreported status or fake heartbeats | Review, freeze, or slash if intentional. |
| Abandoning an active source | Detach, standing loss, and possible stake action. |
Status page and incident log
Each BYO source listing should expose:
- Current state:
Healthy,Degraded,Down,Paused,Review, orDetached. - Last heartbeat time.
- Rolling uptime.
- Recent incidents.
- Whether new rentals are enabled.
- Whether active renters are credit/refund eligible.
- Source operator notice, if provided.
Public incident logs should avoid leaking creator infrastructure details, private alpha, renter identity, or API credentials.
Managed vs BYO reliability
| Managed module | BYO source | |
|---|---|---|
| Runtime | Sandbox GHI infrastructure | Creator infrastructure |
| Uptime owner | Protocol | Source operator, monitored by protocol |
| Status source | Protocol service health | Heartbeat + ingest + delivery health |
| Downtime remedy | Protocol policy | Rental terms + source reliability policy |
| Abuse overlap | Internal incident process | Can trigger review if downtime hides manipulation |
→ Next: Creator Lifecycle - where reliability states fit into source operation, transfer, detach, and dispute flows.