The trust ledger: how we think about permissions

Every permission a user grants is a loan, not a gift. We built the trust kernel to keep the books — and to make the books inspectable.

Yethikrishna R, 2026-03-10, 6 min read

When a user connects their calendar to Y0, something economic happens. They have extended us credit. They are betting that the value we return — deadlines caught, drafts prepared, mornings made shorter — exceeds the risk of handing a startup their schedule. Most software treats that moment as a conversion event. We treat it as a liability entry.

Internally we call this the trust ledger, and it is not a metaphor — it is a system component. The trust kernel, the layer of our stack that mediates every data access, keeps an append-only record of three things: what was granted, what was actually read, and what was produced because of it. The asymmetry between the first two numbers is the most important ratio in the company.

Granted is not licensed

The industry default is to treat a granted scope as a standing license: the user clicked allow once in 2024, therefore everything that scope permits is fair game forever. We think this is how trust dies — not in a breach, but in a thousand quiet over-reads no one can see. So the kernel enforces a narrower rule: every read must be attributable to a task the user actually initiated, and the attribution is recorded at the moment of access.

ledger entry #84,112
  grant     calendar.read         2026-01-12
  access    events[thu..fri]      task: morning-brief
  produced  deadline-flag #3,402
  ratio     reads:outputs = 1.3   ✓ within budget

That last line matters. Each scope carries a read budget relative to outputs produced. A subsystem that reads a hundred events to produce one flag is doing surveillance, not assistance, and the kernel will throttle it before any human notices. We tuned this on ourselves first; two of our own early features failed the budget and were rebuilt.
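An added example, not Y0's kernel code, of the bookkeeping described above: an append-only ledger that refuses a read with no grant on record or no initiating task, computes the reads:outputs ratio per scope, and throttles a read that would push the scope over its budget. The entry fields, the budget value of 2.0, and the rule that reads before the first output are charged against one notional output are assumptions.

```python
from dataclasses import dataclass, field

class LedgerViolation(Exception):
    """A read that cannot be booked: no grant, no initiating task, or over budget."""
@dataclass
class TrustLedger:
    budgets: dict                                # scope -> max reads per output (constructed)
    entries: list = field(default_factory=list)  # append-only: written once, never edited

    def _append(self, kind, **fields):
        self.entries.append({"kind": kind, **fields})
    def grant(self, scope, granted_on):
        self._append("grant", scope=scope, date=granted_on)
    def reads(self, scope):
        return sum(e["count"] for e in self.entries if e["kind"] == "access" and e["scope"] == scope)
    def outputs(self, scope):
        return sum(1 for e in self.entries if e["kind"] == "produced" and e["scope"] == scope)
    def ratio(self, scope):
        # reads:outputs; before the first output, reads are charged against one notional output
        return self.reads(scope) / max(self.outputs(scope), 1)

    def access(self, scope, items, task):
        """Book a read, or refuse it: unattributable and over-budget reads never happen."""
        if not any(e["kind"] == "grant" and e["scope"] == scope for e in self.entries):
            raise LedgerViolation(f"{scope}: no grant on record")
        if not task:
            raise LedgerViolation(f"{scope}: read has no initiating task")
        projected = (self.reads(scope) + len(items)) / max(self.outputs(scope), 1)
        if projected > self.budgets[scope]:
            raise LedgerViolation(f"{scope}: reads:outputs would reach {projected:.1f}")
        self._append("access", scope=scope, count=len(items), items=list(items), task=task)
    def produced(self, scope, output_id, task):
        self._append("produced", scope=scope, output=output_id, task=task)
    def explain(self, task):
        # The legible view: every entry behind one task, as the user or support would see it
        return [e for e in self.entries if e.get("task") == task]

def demo():
    # Two attributed reads yield one flag (ratio 2.0); a five-event sweep is then throttled
    ledger = TrustLedger(budgets={"calendar.read": 2.0})
    ledger.grant("calendar.read", "2026-01-12")
    ledger.access("calendar.read", ["thu-standup", "fri-review"], task="morning-brief")
    ledger.produced("calendar.read", "deadline-flag#1", task="morning-brief")
    try:
        ledger.access("calendar.read", [f"event-{i}" for i in range(5)], task="bulk-scan")
        throttled = False
    except LedgerViolation:
        throttled = True
    return ledger.ratio("calendar.read"), throttled
```

Because the budget check runs before the entry is appended, a refused read leaves no trace in the ratio, which is the behaviour a budget needs if it is to bound what was actually read rather than what was asked for.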

Trust is not a brand value. It is a balance, and the user is the auditor.

Making the ledger legible

A ledger no one can read is just a log. So every Y0 account ships with the ledger exposed: any user can ask, in plain language, "what did you read this week and why?", and get the actual entries back — task, timestamp, output. Support uses the same view. So do we, with no privileged bypass. The honest version of this post admits the cost: legibility constrains us. There are features we have delayed because we could not yet explain their reads in one sentence. We consider that the system working.

The long game is plain. The lanes we intend to enter — communication, finance, identity — run on progressively more dangerous data. Nobody should extend that much credit to a company that cannot produce its books. The trust ledger is us producing the books early, while they are still small enough to read.