SSM-NET — Continuity stamp (2E)

One line that proves time, order, and exactly-what-you-committed

What this subsection defines (in one line).
A compact, human-checkable stamp that binds a declared canonical subset (and optional body) to a precise UTC instant and a single-link chain—so anyone can replay order and detect edits or gaps without trusting intermediaries.

Stamp format (normative shell).

# continuity stamp
SSMCLOCK1|<UTC_ISO>|nonce=<...>|sha256=<HEAD>|prev=<HEX or NONE>

Field rules.

# UTC_ISO
- Format: YYYY-MM-DDThh:mm:ss[.sss]Z
- Always UTC ("Z"), no offsets

# nonce
- CSPRNG-derived, length = manifest.profile.nonce_bytes
- Rendered in the profile-declared alphabet (e.g., fixed-length hex or base64url, no padding)

# sha256
- <HEAD> is the 64-hex digest over the declared canonical subset
  [+ raw_body_bytes_if_declared], exactly as in 2D

# prev
- 64-hex digest of the last accepted item in the same scope (or "NONE" at genesis)

Scope, genesis, HEAD, and repairs.

# scope
- The deployment declares the chain scope (e.g., endpoint/resource + manifest_id)

# genesis
- First accepted item uses prev=NONE

# HEAD
- The last accepted digest in the scope (receivers may publish HEAD to aid audits)

# repairs (append-only)
- History is immutable: corrections are new stamped notes appended later
- Prior lines MUST NOT be edited or removed

Clock tolerance & accept window.

allowed_skew_s := value from policy/manifest
accept if |now_utc - UTC_ISO| <= allowed_skew_s
else: treat the stamp as non-evidential (payload may still be processed as bytes)

Nonce quality (safety).

- Nonces MUST be generated via a cryptographically secure PRNG
- Reuse within the same scope is prohibited

Rollover markers (operational clarity).

- When epoch rollover (U,W reset) is used, emit a stamped rollover note in the same scope
- prev still links linearly across the boundary

Minimal receiver checks (copy-ready).

# inputs: envelope e, local HEAD
# outputs: accept/flag, new HEAD

assert parse_ok(e.stamp)                           # syntax & required fields
t, nonce, head, prev := parse(e.stamp)
assert within_skew(t, allowed_skew_s)              # time window check
assert head == SHA256(serialize_declared_subset(e) # integrity over declared bytes
                     [+ raw_body_bytes_if_declared])
assert prev == local_HEAD or prev == "NONE"        # continuity
# optional: if align is public, recompute lane and confirm band via manifest
accept(); local_HEAD := head
# on failure: flag(); append stamped incident; do not advance HEAD

Why a single line works (human terms).
The stamp is simple to read and cheap to replay. With sha256=<HEAD> and prev=<...>, you can:

  • Prove what bytes were declared (subset/body parity).
  • Prove when they were declared (UTC anchor within policy skew).
  • Prove where they sit in sequence (single-link chain).
    Any deletion, reordering, or mutation becomes obvious.

Operational hints (non-normative).

- Publish HEAD (per scope) at a well-known path to speed auditor catch-up
- Log rejected items with their parsed fields to support incident forensics
- Keep stamp rendering stable across versions of your software

Navigation
Previous: SSM-NET — Canonical subset & body commitment (2D)
Next: SSM-NET — Disclosure & Intermediaries (2F–2G)