Trust Score

/[locale]/trust-score shows a single number plus the per-category breakdown. The algorithm processes every signal_streams row that arrived in the last 30 days.

Algorithm

  1. Collect every signal from the last 30 days for the tenant whose severity is set and is not 'info' (severity IS NOT NULL AND severity <> 'info'; a literal NOT IN (NULL, 'info') matches no rows in SQL, because a comparison with NULL is never true).
  2. Severity → numeric weight:
    info = 0, low = 1, medium = 4, high = 15, critical = 40
  3. Per category: category_score = max(0, 100 - sum(weights) * scaling_factor) with scaling_factor = 1.0. A single critical on its own costs 40 points (100 → 60); three criticals (120) clamp the category to 0.
  4. score_total = weighted average across the eight categories, using trust_score_weights.config as the weights.
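Steps 1 to 4, together with the weights API rule further down (exactly the eight keys, sum > 0), as an added Go example. This is not the project's calculator.go: the Signal struct and its field names, the modelling of a NULL severity as an empty string, and the sample rows are constructed for the example; the severity weights and the default category weights are the ones on this page.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Signal is one signal_streams row reduced to what the score needs.
// Field names are assumptions; the page does not show the table's columns.
type Signal struct {
	ID         string
	Severity   string // a NULL severity is modelled as the empty string
	Category   string
	ObservedAt time.Time
}

// severityWeight is the severity -> weight table from the page.
var severityWeight = map[string]float64{
	"info": 0, "low": 1, "medium": 4, "high": 15, "critical": 40,
}

const scalingFactor = 1.0 // scaling_factor on the page
const windowDays = 30     // look-back window on the page

// DefaultWeights mirrors the default weights of the page's category table (they sum to 100).
var DefaultWeights = map[string]float64{
	"cves": 15, "compliance": 20, "identity": 15, "ai_risk": 10,
	"process_dna": 10, "cert_dns": 10, "backup": 10, "incident_response": 10,
}

// Result is the part of a trust_score_snapshots row the calculator produces.
type Result struct {
	ScoreTotal     float64
	CategoryScores map[string]float64
}

// ValidateWeights enforces the weights API rule: exactly the eight known keys and sum > 0.
func ValidateWeights(weights map[string]float64) error {
	if len(weights) != len(DefaultWeights) {
		return fmt.Errorf("expected %d category weights, got %d", len(DefaultWeights), len(weights))
	}
	var sum float64
	for k, v := range weights {
		if _, known := DefaultWeights[k]; !known {
			return fmt.Errorf("unknown category %q", k)
		}
		sum += v
	}
	if sum <= 0 {
		return fmt.Errorf("weights must sum to more than 0, got %v", sum)
	}
	return nil
}

// Calculate runs steps 1-4 for one tenant's signals as of time now.
func Calculate(signals []Signal, weights map[string]float64, now time.Time) (Result, error) {
	if err := ValidateWeights(weights); err != nil {
		return Result{}, err
	}
	windowStart := now.AddDate(0, 0, -windowDays)

	// Steps 1 and 2: keep in-window signals with a weighted severity, sum weights per category.
	sums := make(map[string]float64)
	for _, s := range signals {
		if s.ObservedAt.Before(windowStart) || s.ObservedAt.After(now) {
			continue
		}
		w, ok := severityWeight[s.Severity]
		if !ok || w == 0 { // NULL/unknown severity and 'info' contribute nothing
			continue
		}
		sums[s.Category] += w
	}

	// Step 3: per-category score clamped at 0. Step 4: weighted average over all eight categories.
	res := Result{CategoryScores: make(map[string]float64, len(weights))}
	var weighted, total float64
	for cat, wt := range weights {
		cs := math.Max(0, 100-sums[cat]*scalingFactor)
		res.CategoryScores[cat] = cs
		weighted += cs * wt
		total += wt
	}
	res.ScoreTotal = weighted / total
	return res, nil
}

// SampleSignals is a constructed input set covering the cases the page calls out.
func SampleSignals(now time.Time) []Signal {
	day := 24 * time.Hour
	return []Signal{
		{"s1", "critical", "cves", now.Add(-2 * day)},     // one critical: 100 -> 60
		{"s2", "critical", "identity", now.Add(-3 * day)}, // three criticals: 120 > 100, clamps to 0
		{"s3", "critical", "identity", now.Add(-4 * day)},
		{"s4", "critical", "identity", now.Add(-5 * day)},
		{"s5", "medium", "compliance", now.Add(-1 * day)}, // two mediums: 100 -> 92
		{"s6", "medium", "compliance", now.Add(-6 * day)},
		{"s7", "info", "backup", now.Add(-1 * day)},   // info: weight 0, ignored
		{"s8", "high", "backup", now.Add(-45 * day)},  // outside the 30-day window, ignored
		{"s9", "", "backup", now.Add(-1 * day)},       // NULL severity, ignored
	}
}

func main() {
	now := time.Now()
	res, err := Calculate(SampleSignals(now), DefaultWeights, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("score_total=%.1f category_scores=%v\n", res.ScoreTotal, res.CategoryScores)
}
```

With the sample rows the per-category scores are cves 60, identity 0, compliance 92 and 100 for the other five, which the default weights average to 77.4. The window filter also shows why the "info" exclusion in step 1 matters less than it looks: an info row carries weight 0, so including or excluding it changes no score, whereas an unknown severity string would silently drop a finding and is worth alerting on.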

Eight categories

Key                Default weight   Sources that feed in
cves               15               supply_chain (Phase 4.2)
compliance         20               license_check (1.8)
identity           15               secrets_scan, endpoint_posture, identity_audit, auth_geo
ai_risk            10               (ai_traces.pii_hits via separate path)
process_dna        10               clock_check, container_posture
cert_dns           10               cert_scan(_internal), ct_monitor, dns_check
backup             10               backup_check
incident_response  10               (alert lifecycle, Phase 5.1)

Per-tenant override via POST /api/v1/trust-score/weights (admin/owner + TOTP in production).

Reproducibility

inputs_hash = sha256(window_start.Unix || window_end.Unix || sorted [signal_id|severity|category]), where || denotes concatenation and the signal triples are sorted before hashing so that the order in which rows come out of the database does not change the result.

The worker only writes a new snapshot when inputs_hash differs from the previous row — no empty time-series between findings.
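The inputs_hash and the write-skip decision above, as an added Go example that is not the project's worker code. The exact byte layout is an assumption: the page gives the formula, not the encoding, so this block uses decimal Unix seconds, one "signal_id|severity|category" entry per signal, and a newline between fields so that boundaries are unambiguous. The sample triples are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// HashInput is the (signal_id, severity, category) triple the page hashes per signal.
type HashInput struct {
	SignalID string
	Severity string
	Category string
}

// InputsHash computes sha256(window_start.Unix || window_end.Unix || sorted [signal_id|severity|category]).
// Encoding is an assumption: decimal Unix seconds, then the sorted entries, all joined with '\n'.
func InputsHash(windowStart, windowEnd time.Time, signals []HashInput) string {
	entries := make([]string, 0, len(signals))
	for _, s := range signals {
		entries = append(entries, s.SignalID+"|"+s.Severity+"|"+s.Category)
	}
	sort.Strings(entries) // row order from the database must not change the hash

	var b strings.Builder
	b.WriteString(strconv.FormatInt(windowStart.Unix(), 10))
	b.WriteByte('\n')
	b.WriteString(strconv.FormatInt(windowEnd.Unix(), 10))
	b.WriteByte('\n')
	b.WriteString(strings.Join(entries, "\n"))

	sum := sha256.Sum256([]byte(b.String()))
	return hex.EncodeToString(sum[:])
}

// ShouldWriteSnapshot is the worker's rule: write a row only when the inputs changed.
func ShouldWriteSnapshot(previousHash, currentHash string) bool {
	return previousHash != currentHash
}

func main() {
	start := time.Date(2024, 5, 2, 0, 0, 0, 0, time.UTC)
	end := start.AddDate(0, 0, 30)
	a := []HashInput{{"s1", "critical", "cves"}, {"s2", "medium", "compliance"}}
	b := []HashInput{{"s2", "medium", "compliance"}, {"s1", "critical", "cves"}} // same rows, other order
	c := []HashInput{{"s1", "high", "cves"}, {"s2", "medium", "compliance"}}     // s1 re-rated
	ha, hb, hc := InputsHash(start, end, a), InputsHash(start, end, b), InputsHash(start, end, c)
	fmt.Println("same set, reordered -> write?", ShouldWriteSnapshot(ha, hb)) // false
	fmt.Println("severity changed    -> write?", ShouldWriteSnapshot(ha, hc)) // true
}
```

Both window bounds enter the hash, so the worker has to derive them from a fixed grid (the page does not say how it aligns them): with a bound equal to the wall-clock time of each run, every run would produce a fresh hash and the write-skip would never fire.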

Endpoints

GET  /api/v1/trust-score/current
GET  /api/v1/trust-score/history?window=90d             window 1h..365d
GET  /api/v1/trust-score/category/:cat/contributors     top 20 per category
GET  /api/v1/trust-score/explain                        top 10 across all categories
POST /api/v1/trust-score/weights                        admin/owner + TOTP in production

History default window is 90 days; the weights API accepts exactly the 8 keys above, sum > 0.

Under the hood

  • Table: trust_score_snapshots(computed_at, tenant_id, score_total, category_scores JSONB, weights_version, inputs_hash)
  • Weights: trust_score_weights(id PK, tenant_id NULLABLE, weights_version, config JSONB) — a NULL tenant_id marks the global default (default-v1)
  • Calculator: hub/api/trust_score/calculator.go — testable via Calculator.CalculateAt(ctx, tenant, now)