GDS Rate Verification

Loaded is not verified

How Rate Verification works, end to end. The platform proves a negotiated rate is actually loaded, in the right field, under the right identity, and bookable, instead of trusting that it was.

The core idea

Loaded is not verified.

Loaded is the loader claim: a code was entered into the chain. Verified is the engine proof: the negotiated rate actually returns to an agent, in the correct field, under an authorized identity, at the negotiated value, and is bookable on the dates it should be.

Most loading errors are silent. The code looks entered, but it returns under the wrong field, or a different value, or a squatter property answers, or it is closed on a peak night it was supposed to protect. Each of those is lost revenue or a corporate-audit failure. This platform turns every one into a named, evidenced catch.

The dashboard leads with the gap: rates at risk, loaded but broken, verified, and the negotiated value at risk per night.
The verification dashboard: rates at risk and the value at risk, not assumed loaded.

The lifecycle of an instruction

Every RLI moves through these stages.

  1. 1

    RLI received RECEIVED

    A Rate Loading Instruction arrives in any format: a branded table, a GBTA master form, an email, or a paste. It enters the queue as the raw record.

  2. 2

    Normalized NORMALIZED

    The AI extractor turns the RLI into structured rows, one per property, GDS, and room type. It maps any terminology to canonical fields and never invents codes. Low confidence routes to review.

  3. 3

    Screened SCREENED

    Deterministic checks run against the client registry before anyone loads anything. Bad or incomplete instructions are caught here, not after the load.

  4. 4

    Loading LOADING

    The instruction is assigned to a loader and loaded into the chain. The platform tracks the assignment but does not auto-commit: loading stays a human, credential-gated step.

  5. 5

    Verifying VERIFYING

    A loader pastes the live agent-view screen for a property and GDS. The engine reconciles what actually returned against what was expected and records every discrepancy.

  6. 6

    Complete or Flagged COMPLETE

    When every task verifies, the RLI completes. Anything unresolved keeps it open. A screening blocker flags it for human review before it can move.

Type and how it arrives

One type today; two ways an instruction reaches verification.

Every instruction today is Type: Rate Load: a negotiated rate to load and prove. The type field is built to grow, but Rate Load is the only one for now.

It reaches the platform one of two ways. A received instruction is an RLI a client or program sent in, normalized from whatever format it arrived in. An Audit is a self-initiated sweep: a manager runs it, and the engine generates the expected states straight from the client registry to check what is already loaded against the program on file. Audits carry a distinct AUDIT badge wherever they appear.

The registry is the source of truth

Every check compares against the client on file.

Each client carries the authoritative program: its GDS profiles (which code goes in which field for each GDS), authorized booking identities, in-scope properties, canonical room types and their aliases, and the contracted blackout dates. Screening and verification both read from it, so the two always agree. The platform verifies against this profile; it never claims contract authority of its own.

Screening (before the load)

Deterministic checks that catch a bad instruction before anyone loads it.

WRONG_GDS_FOR_CLIENTA GDS appears that is not configured for this client.
WRONG_CODE_FOR_CLIENTThe code does not match the registry slot for that GDS, or sits in the wrong field, or targets the wrong return field.
MISSING_FIELDA field the registry expects (code, pseudo city, office ID) is absent on the row.
ROOM_TYPE_MISMATCHA loaded room type did not resolve to a canonical type for this program.
LRA_REQUIREDThe program requires Last Room Availability but the row is not marked LRA.
DUPLICATEThe same GDS and room type appears twice, with or without a conflicting code.
BLACKOUT_DATESBlackout dates are declared. They are applied as close-outs in the reservation system, separately from the rate-code load.
BLACKOUT_MISMATCHThe blackout dates on the instruction differ from the program on file.
EFFECTIVE_DATESNo effective date range is stated. The directive is treated as ongoing.
INCOMPLETELow extraction confidence, or nothing loadable could be extracted.

Verification (after the load)

Paste the live agent-view screen; the engine reconciles what returned against what was expected.

A loader opens the verify panel, picks a property and GDS, and pastes the real screen an agent would see. The engine canonicalizes each returned row, matches it against the expected state, and records a discrepancy for anything that does not line up. It checks the code, the field it sits in, the value, the room type, the identity (name, pseudo city, office ID, chain code), and whether anything is bookable. Re-running recomputes the whole RLI, so the result is always current.

Verification (after the load)

Two dimensions are kept separate on purpose. Load correctness (is the right code in the right place at the right value) always fails when wrong. Bookability (is it open or closed, and why) only grades a load that is otherwise correct. A closed rate never hides a wrong code, and a correct rate that is merely yield-closed is not called a failure.

The catches

Every discrepancy the engine can record, and what it means.

WRONG_RATE_CODEThe loaded code is not the program code. Agents pull a different rate than negotiated.FAILED
WRONG_FIELDThe correct code is loaded in the wrong field, so it never returns to the agent view.FAILED
WRONG_RATE_VALUEThe nightly rate does not match the negotiated rate. The diagnosis names the dollars per night at risk.FAILED
WRONG_ROOM_TYPEA loaded room did not match any canonical room type for the program.FAILED
WRONG_NAMEThe rate is loaded under a name that is not the authorized program name.FAILED
WRONG_PSEUDO_CITYThe rate is released under a pseudo city that is not authorized.FAILED
WRONG_OFFICE_IDThe rate is released under an office ID that is not authorized.FAILED
CHAIN_CODE_MISMATCHThe chain code on the load does not match what is expected.FAILED
WRONG_CATEGORYThe rate is loaded under the wrong category (for example not Negotiated).FAILED
COMMISSION_MODEL_MISMATCHThe rate is loaded net when the program is commissionable, or commissionable when it is net. The dollars can be right while the channel economics are wrong. Only fires when the instruction stated a model and a model was read off the screen.FAILED
WRONG_EFFECTIVE_DATEThe rate returns for some stay windows but is empty for an in-contract window, so the dates it is live for do not match the negotiated period. A coverage gap, distinct from a wrong value or an expired rate.FAILED
DROPPED_RESTRICTIONA restriction the program required (Last Room Availability or rate parity) was not carried onto the load. These are not on an agent-view screen, so it is confirmed by attestation. A CRS record escalates an LRA drop to FAILED; a human attestation or any parity drop routes to review.FAILED / Review
NEVER_LOADEDNothing returned for a code, a room type, or a whole property and GDS, including a rate sitting at the chain level but not returning to the agent view. The negotiated rate is simply not there.FAILED
MISSED_PROPERTYOn an audit, an in-scope property and GDS returned nothing at all.FAILED
SQUATTERA property that is not in the program scope is loading this client rate. Surfaced, but removal is a human call.FAILED
LRA_FAILOn an LRA program, the negotiated rate is closed while other rooms or rates are still bookable.FAILED
BLACKOUT_NOT_APPLIEDThe rate is bookable on a contracted blackout date. The close-out that should protect those peak nights was not applied.FAILED
EXPIREDThe negotiated period has ended and no renewal supersedes it. The rate needs renewing or removing, but the load may otherwise be correct, so it routes to review (NEEDS_RENEWAL), not a hard fail.Review
Every flagged catch names the property, the diagnosis, and the value at risk, with a one-click fix where one exists.
Flagged catches, each named with its diagnosis and dollars per night at risk.

Blackout dates

The contractual exception to Last Room Availability, verified in both directions.

Blackout dates are the peak nights a program negotiated to exclude. They are applied as close-outs in the reservation system, separately from the rate-code load, which is exactly where revenue quietly leaks. The platform verifies them two ways:

  • Not applied: the negotiated rate is bookable on a contracted blackout date. The close-out is missing. This is a failure (BLACKOUT_NOT_APPLIED) and the Fix button can stage the close-out.
  • Correctly closed: a rate closed on a blackout date is expected. The engine never reads that as a failure.

One honest guard: if nothing returns for a window that sits entirely inside a blackout, that is consistent with the close-out, but silence cannot confirm the load was ever done correctly. The task stays PENDING (load-unconfirmed), never falsely VERIFIED and never falsely failed. Verify it from a non-blackout date.

Effective dates and renewals

Verifying the rate is live for the period it was negotiated for, not just present today.

A rate can be loaded at the right value and still be wrong on dates: live for the wrong window, or expired with no renewal behind it. The platform checks the effective period two ways.

  • Coverage gap (WRONG_EFFECTIVE_DATE): a loader probes a few stay windows. If the negotiated rate returns for one window but is empty for another window that sits inside the contracted period, the dates it is live for do not match the negotiated period. To avoid a false catch, the proof window must actually contain the negotiated code, and the proof and the empty window must come from the same pseudo city, so a rate released to one office but not another reads as a release gap, not a date gap.
  • Expired (EXPIRED): the negotiated period has ended and no renewal supersedes it (a later or open-ended window for the same program would). This is a soft review (NEEDS_RENEWAL), not a hard fail: the rate needs renewing or removing, but it may be loaded perfectly otherwise, so it never reads as a broken load and never as VERIFIED.

Restrictions: LRA and rate parity

The terms that are not printed on an agent-view screen.

Last Room Availability and rate parity are real program requirements, but neither prints on the agent-view screen a loader pastes. LRA is an inventory and sell control; parity is a cross-channel comparison. So the platform does not guess them from the paste. A named person, or a CRS record, attests whether a required restriction was carried onto the load, and only a required restriction attested as dropped produces a finding (DROPPED_RESTRICTION).

The authority of that attestation is graded honestly. A CRS record showing an LRA drop is machine-grade and fails the load. A human attestation of an LRA drop caps the task at UNVERIFIABLE_LRA until a CRS record confirms it, rather than overclaiming a failure. A parity drop always caps at UNVERIFIABLE_PARITY, because true parity can only be proven by cross-channel shopping. The engine records the attested fact; it never invents one, so an attestation can never manufacture a false failure.

Separately, when the negotiated rate is present but closed while other inventory still sells on an LRA program, that confirmed breach is its own catch (LRA_FAIL), read directly from the paste.

Fixing a catch

The platform already computed the correction.

Where a discrepancy has a concrete corrective value (a wrong code, value, field, identity, commission model, or a missing blackout close-out), a Fix button shows the exact change the connected version would stage: the correct value, for that property and GDS, replacing what is loaded. It stages nothing today. Automated write and re-verification needs the enterprise CRS credentials connected. Removals, never-loaded gaps, and attested restrictions are a human call and are not auto-fixable.

What the platform does not do yet

The boundaries, stated plainly. It proves what it can see and routes the rest to a human.

Automated write-backThe Fix button computes the exact correction but stages nothing. Writing it into the chain and re-verifying needs the enterprise CRS credentials connected. Today every load and commit stays a credential-gated human step.
Back-office and CRS readsEverything verified comes from the pasted agent-view screen, the same thing an agent sees. The platform does not pull the property CRS or rate-load record. That is why Last Room Availability and parity rely on attestation rather than a direct read.
Cross-channel parity shoppingRate parity is confirmed by attestation, never shopped. The platform does not compare the negotiated rate against public or other-channel rates across sites.
Other load-time restrictionsCancellation, deposit and guarantee, advance-purchase, and minimum-stay terms are not verified yet. They live in the rate-rules or rate-detail display and the CRS, not the agent-view screen the platform parses.
Rate-structure checksPercent-off-BAR and other dynamic rate structures (a discount off a moving Best Available Rate, a cap used as a floor) are modeled but the engine does not grade them yet. Fixed negotiated values are fully verified.
Per-booking dollar lossWithout the public BAR and booking volume, the platform never invents a realized-loss figure. The dashboard leads with rates at risk as a count and shows the negotiated nightly value at risk, clearly marked as exposure, not money already lost.
One instruction typeEvery instruction today is a Rate Load. The type field is built to grow, but Rate Load is the only one live.

The client portal

Selection-bound rate requests, matched or flagged.

Clients submit rate requests from a form where every field is chosen from their own authorized program, so an off-program request is structurally impossible. Each submission is matched against the client prior loads: an identical request is auto-eligible and enters the normal flow; a changed or new one is flagged for human review. A changed blackout set is treated as inherently suspicious, since contract terms do not normally amend mid-program. The load and commit always stay the chain job, credential and approval gated.

Clients submit rate requests from a form bound to their own authorized program, so an off-program request is structurally impossible.
The client portal: a rate request bound to the authorized program.

Every action across the vertical is recorded in the immutable audit log, including the AI decision metadata behind each normalization.