The Record Got Fixed. The Old Payout Didn’t.
The bad feeling started because both screens were telling the truth.
On the left, Sign Protocol showed the updated credential. Clean now. Correct issuer. Correct status. The user had the thing they were supposed to have all along. You could open the record, check the fields, follow the update trail, and feel that small bureaucratic relief people mistake for closure.
On the right, the old TokenTable output still had them at zero.
Not missing. Worse. Decided.
That was the part that stuck in my throat a little.
The program had already run one distribution round off an earlier state of that same person’s record. Back then the credential was incomplete, or pending, or attached to the wrong judgment, whatever the right word is for a record that had not fully become itself yet. So TokenTable did what it was supposed to do with the state it was given. It built the set. Included some people. Excluded others. Amounts hardened. Finance exported the file. Somebody signed off. Value moved.
Then the issuer corrected the record in Sign.
Not a new person. Not a forged claim suddenly passing. The same person, but the verification layer got better after the money had already listened to the worse version.
That is such a Sign problem.
Because Sign lets the record improve. That is part of the point. Credentials can be updated, corrected, reissued, clarified. The verification surface stays alive instead of pretending the first pass was holy. Fine. Good, even.
But TokenTable does not behave like a living surface once a round is done. It behaves like history. Cold rows. Frozen decisions. Wallet beside amount. Or wallet beside nothing. Which is its own amount, really.
So now you get this ugly split across time.
Open Sign today and the user looks eligible.
Open the historical payout file and the same user looks like they were correctly excluded.
And nobody in the room gets the easy version of the story anymore.
Support sees the updated credential and asks why the user was denied.
Treasury sees the historical export and asks whether anyone is proposing to reopen a finalized distribution.
Ops tries to explain that both are tied to the same person, just not the same moment of that person’s record, and you can feel the explanation getting thinner while you say it.
My fingers were actually hovering over the backfill sheet at that point. Not touching anything. Just there. Because every option starts sounding bad once the correction arrives after the financial history has already become official.
Do you rerun the old round for one user?
Do you create a make-good payment outside the original TokenTable output?
Do you leave the old exclusion untouched and say the updated Sign record only applies going forward?
All of those choices preserve something and break something.
That is the mean little operational truth hiding under “living verification.” The infrastructure can get more accurate in the present without giving you a clean way to unmake what the earlier version already caused. Sign can repair the record. It cannot quietly pull the old judgment back out of the distribution history that listened to it.
So the credential improves. The user finally looks like themselves. And the older payout round just sits there, carrying a decision made about a version of that person that Sign no longer shows, but TokenTable absolutely did.