Required
id
Private: Stable Buttondown subscriber key for dedupe and ledger reconciliation.
Public: Never displayed.
MY-2571 wiring contract
Buttondown export fields before a live leaderboard.
Define the minimum Buttondown subscriber export shape needed to build a private Winchester referral ledger and a redacted public leaderboard.
Do not publish live rankings, email subscribers, contact referrers, fulfil rewards or expose raw Buttondown exports until attribution, abuse review and editor approval have passed.
Export inputs
Fields required from Buttondown
Required
Private: Hash immediately with a per-market salt before storage.
Public: Never displayed or written to public JSON.
Required
creation_date
Private: Used to order referral credit and detect burst abuse.
Public: Never displayed.
Required
metadata.referral_source
Private: Maps a confirmed subscriber to the inviting reader token.
Public: Used only after aggregation into confirmed referral counts.
Required
metadata.reader_token
Private: Maps the subscriber to their own invite link.
Public: Never displayed raw.
Required
metadata.signup_market
Private: Filters exports to Winchester only.
Public: Can only appear as broad market label.
Required
tags
Private: Confirms website-subscribe origin and excludes imports/test rows.
Public: Never displayed.
Required
is_confirmed
Private: Only confirmed subscribers increment referral totals.
Public: Never displayed.
Private ledger schema
These fields stay outside public website output
Private field
buttondown_subscriber_id
Private field
confirmed_email_hash
Private field
reader_token_hash
Private field
referral_source_hash
Private field
signup_market
Private field
created_at
Private field
confirmed_at
Private field
source_tag
Private field
fraud_review_status
Private field
manual_reward_status
Public JSON schema
Safe public fields only
Public field
rank
Public field
display_name
Public field
area
Public field
confirmed_referrals
Public field
reward_tier
Public field
reviewed_at
Transform checks
Assertions before any live export
Transform check
Reject rows where signup_market is not good-morning-winchester.
Transform check
Reject rows without website-subscribe tag unless they are manually whitelisted.
Transform check
Reject rows where is_confirmed is false.
Transform check
Hash email, reader_token and referral_source before writing any private ledger file.
Transform check
Exclude self-referrals where subscriber hash and referrer-owned hash match.
Transform check
Exclude duplicate confirmed_email_hash rows from public counts.
Transform check
Emit only publicLeaderboardSchema fields to website/public/leaderboard/leaderboard.json.
Dry-run proof
Evidence to attach before enabling live attribution
Dry-run proof
Run export transform against a fixture with confirmed, unconfirmed, duplicate and self-referral rows.
Dry-run proof
Assert no email, Buttondown id, raw reader token or raw referral source appears in public JSON.
Dry-run proof
Assert the public leaderboard stays hidden if any top-ten row has fraud_review_status other than cleared.
Dry-run proof
Record fixture result in Linear MY-2571 before enabling a live Buttondown export.
Next actions
Internal prep only
Next action
Create a local fixture for the export shape above.
Next action
Add a transform script that writes private and public outputs separately.
Next action
Wire the public page to leaderboard.json only after the privacy assertions pass.
Next action
Request explicit approval before any live Buttondown API export or reward publication.