Check if a US consumer subscription purchase can be returned. Returns RETURNABLE, EXPIRED, or NON_RETURNABLE with return type (full_refund, prorated, credit) and method.
Check free trial availability and terms for a US consumer subscription. Returns TRIAL_AVAILABLE or NO_TRIAL with trial length, card requirement, and auto-conversion status.
Deterministic Decision API engine powering workflow applications, stable MCP notary remotes, decision memo packets, and execution gates
Positioning: Decide is the API engine and compatibility surface. Krafthaus workflow apps, Policy MCP Notaries, decision memo packets, and execution gates are application surfaces that reuse the same verdict, request ID, and evidence contract.
Production Determinism Boundary
Binding production verdicts should use a versioned declarative rulebook:
The production core is hybrid_declarative_rulebook_with_trusted_adapters:
direct declarative rulebooks are supported, registered first-party trusted
adapters may supply bounded facts, and customer executable rulebooks are
rejected. In both supported binding modes, Rulebook v1 remains the only binding
verdict selector.
mode: "rulebook" does not call an LLM. It validates the request rulebook
against the published JSON Schema, hashes the rulebook, evaluates bounded
conditions, and returns yes, no, or review alongside the application
verdict, action, reason code, matched rule, and evaluator_version. Responses
also include rulebook_contract with the enforced schema URL/hash,
runtime_binding with the direct or trusted-adapter binding mode, input_hash,
a SHA-256 hash of the canonical inputs or adapter facts consumed by the
declarative evaluator, plus a rulebook_attestation_v1 bundle hash over the
deterministic execution tuple.
Production deployments can sign that bundle hash with a
rulebook_attestation_signature_v1 Ed25519 envelope; verification keys are
published at /.well-known/rulebook-attestation-keys.json. Set
DECIDE_RULEBOOK_ATTESTATION_SIGNATURE_REQUIRED=true in production to fail
closed instead of returning unsigned Rulebook decisions. Publish retired public
verification keys with DECIDE_RULEBOOK_ATTESTATION_KEY_HISTORY_JSON so older
Decision Records remain verifiable after rotation.
Rulebook requests cannot preload Decide-generated Decision Record material.
Fields such as runtime_binding, trusted_adapter, adapter_facts,
rulebook_attestation, application_verdict, and action are response-only at
the request body, context.inputs, and adapter-facts boundaries; attempts return
RULEBOOK_OUTPUT_MATERIAL_FORBIDDEN.
Legacy single, multi, and runtime requests remain available for
AI-assisted exploration, but they are not binding production verdicts. Those
responses include decision_contract with authority: "advisory_only" and
production_verdict: false, plus production_binding_required: true and the
supported production binding modes; callers that need deterministic execution
must use mode: "rulebook" and capture rulebook_contract, runtime_binding,
and the Rulebook attestation material.
At the public Decision Record boundary, successful evaluations are registered
as immutable tenant-scoped snapshots. Historical replay restores the original
canonical input and stored rulebook snapshot rather than trusting a caller
override or the current application deployment.
Rulebook v1 also supports registered first-party trusted adapters for bounded
fact normalization. Adapter requests pin an exact semantic version and manifest
hash; responses attest the bundled implementation source hash plus canonical
input/output hashes and the enforced execution contract. Each invocation runs
once in an empty-environment worker with hard time/resource limits and denied
common ambient capabilities. The declarative rulebook remains the only binding
verdict selector. See docs/TRUSTED_ADAPTERS_V1.md.
The current reference applications prove both production patterns: Solana
Execution Gate, Decision Memo Readiness Gate, and Krafthaus Workflow Readiness Binding
use trusted adapters before Rulebook v1, while the Refund, Trial, Cancel, and
Return Policy MCP notaries supply normalized facts directly to Rulebook v1 and
expose the signed rulebook result through their stable REST and MCP surfaces.
Before evaluator, adapter, or rulebook changes ship, run the local historical
replay gate:
bash
npm run rulebook:migration-dry-run -- --json
Use --candidate-rulebook, --candidate-adapter, and
--candidate-evaluator-version to compare proposed migrations against the
golden replay corpus before production routing changes.
For release gates, prefer a rulebook_migration_v1 manifest so candidate
artifacts, expected drift, and approval status are reviewed together:
bash
npm run rulebook:migration-dry-run -- --migration path/to/migration.json --json
The manifest schema is published at
https://api.decide.fyi/schemas/rulebook-migration-v1.schema.json, and the dry
run validates manifests against that closed schema before replay.
After production routing or runtime-contract changes ship, run the production
runtime smoke:
bash
npm run smoke:rulebook-runtime
This hits https://api.decide.fyi from outside the runtime and always verifies
the published hybrid_declarative_rulebook_with_trusted_adapters manifest,
closed Rulebook v1 schema, attestation key endpoint, and protected Decision API
edge. Supply DECIDE_RULEBOOK_RUNTIME_SMOKE_API_KEY to also exercise live
declarative evaluation, rejection behavior, and advisory-only legacy metadata.
GitHub Actions runs the public boundary checks as the scheduled/manual
Rulebook Runtime Production Smoke workflow and runs the authenticated checks
when its optional smoke credential is configured.
The legacy single, multi, and runtime modes are AI-assisted surfaces.
They are not the production determinism boundary for loosely defined business
judgment.
# Handler-level smoke checks (no running server required)
npm run smoke
# MCP endpoint checks (requires a running server)
npm run mcp:check
# Self-contained local MCP check; starts/stops vercel dev on localhost:3000
npm run mcp:check:local# End-to-end workflow fixture (example -> result)
npm run workflow:test# Production customer-key verification after provisioning a key
DECIDE_SMOKE_API_KEY='<customer-key>' npm run smoke:customer-key
Zendesk Workflow Orchestrators
Use workflow endpoints when you want one request to return:
decision classification (yes | no) from /api/decide
policy result from the relevant notary endpoint
recommended Zendesk action + tags + private note with request_id
Endpoints
POST https://refund.decide.fyi/api/v1/workflows/zendesk/refund
POST https://cancel.decide.fyi/api/v1/workflows/zendesk/cancel
POST https://return.decide.fyi/api/v1/workflows/zendesk/return
POST https://trial.decide.fyi/api/v1/workflows/zendesk/trial
Request
json
{"ticket_id":"ZD-9001","workflow_type":"refund","question":"Should this Adobe annual plan refund request proceed under policy?","vendor":"adobe","region":"US","plan":"individual","days_since_purchase":5}
For refund and return, include days_since_purchase.
Deterministic test mode
Set decision_override to bypass model classification during fixtures and CI:
Checks if a subscription purchase is within the vendor's refund window.
Input:vendor, days_since_purchase, region, plan
json
{"refundable":true,"verdict":"ALLOWED","code":"WITHIN_WINDOW","message":"Refund is allowed. Purchase is 12 day(s) old, within 14 day window.","vendor":"adobe","window_days":14}
Checks cancellation penalties — early termination fees, contract locks, or free cancellation.
Input:vendor, region, plan
json
{"verdict":"PENALTY","code":"EARLY_TERMINATION_FEE","message":"adobe charges an early termination fee: 50% of remaining months on annual plan.","vendor":"adobe","policy":"etf"}
Checks if a subscription purchase can be returned/reversed, with return type and method.
Input:vendor, days_since_purchase, region, plan
json
{"returnable":true,"verdict":"RETURNABLE","code":"FULL_RETURN","message":"Return is available. Purchase is 5 day(s) old, within 14-day window.","vendor":"adobe","return_type":"full_refund","method":"self_service"}
Each policy family has deterministic rules and source metadata for 100 vendors.
The source tracker monitors official vendor documentation and terms of service;
it does not automatically promote page text into a verdict.
Six-hour source checks — The Daily Policy Check workflow runs every six hours across refund, cancellation, return, and trial sources. Material signals enter a human review queue.
Human-verification freshness — npm run audit:policy-freshness reports the age of the last reviewed source set independently from tracker uptime.
Policy source URLs tracked — Each policy family has its own sources file in rules/ linking to official policy pages.
Compliance export — GET /api/compliance-export returns a CSV snapshot of tracked sources, hashes, and pending candidate changes (?format=json for machine-readable output).
Versioned rules — Each rules file includes a rules_version field for staleness detection.
Architecture
Stateless verdict runtime — Policy calls do not create sessions or mutate policy rules
Deterministic — Same input always produces same output
Versioned Rules — Rules files include version for tracking changes
Scheduled Monitoring — GitHub Action checks all vendor policy pages every six hours
Serverless — Runs on Vercel serverless functions
Zero Dependencies — Core compute logic has no external dependencies
Hostname-based middleware routing for all subdomains
Policy source files and daily checking for cancel, return, and trial policies
Systems/Agents mode framing on landing page
MCP catalog with cards for all 4 servers
Fixed:
Daily policy checker: added contents:write permission and fixed shell logic
Removed dead Cloudflare email-decode scripts causing 404s
v1.1.0 (2026-02-01)
Added:
Expanded from 64 to 100 supported vendors
Daily policy-check GitHub Action (cron at 08:00 UTC)
Policy source URLs tracked in rules/policy-sources.json
MCP vendor enum in inputSchema for agent discoverability
Fixed:
ERR_IMPORT_ATTRIBUTE_MISSING crash on Vercel (Node 22 import attributes)
v1.0.0 (2026-01-15)
Added:
Initial release with REST API and MCP server
Support for 9 vendors
Public Policy APIs And Protected Decision API
All 4 policy servers are free to use. No authentication. No API keys.
/api/decide requires a trusted proxy or API credential in production. Local and preview deployments can opt into the same boundary with DECIDE_API_AUTH_REQUIRED=1; configuring DECIDE_API_KEY or DECIDE_PROXY_SHARED_TOKEN also enables it.
If you run decide behind the decidesite proxy with dynamic customer keys, also set:
DECIDE_PROXY_SHARED_TOKEN: shared secret required in x-decide-proxy-token header for trusted proxy calls.
DECIDE_API_KEY: optional direct backend credential for trusted server-side callers.
DECIDE_GEMINI_TIMEOUT_MS: total Gemini model-ladder deadline (defaults to 15 seconds).
DECIDE_GEMINI_ATTEMPT_TIMEOUT_MS: per-model attempt deadline (defaults to 5 seconds, bounded by the total deadline).