SSM-NET — Error model: canonical codes, bodies & operational behavior (8C–8G)

How errors are verified, recorded, corrected, and relayed across peers

Orientation (Section 8 context)

Having defined how errors are surfaced without altering history, we now describe the canonical error codes, the optional minimal body, and the expected behaviors for receivers, senders, and intermediaries.
The guiding intent is consistency, auditability, and append-only continuity — never rewriting prior meaning.


8C. Canonical error codes (normative set)

These codes standardize interpretation across ecosystems:

E_POLICY_MISMATCH    # band inconsistent with manifest cutpoints
E_BODY_HASH_MISMATCH # sha256(subset [+ raw_body_if_declared]) mismatch
E_STAMP_PREV         # prev does not link to current HEAD
E_MANIFEST_MISS      # referenced manifest_id not retrievable
E_ALIGN_POLICY       # public align parity check fails kernel math
E_SUBSET_DECL        # canonical subset missing/malformed
E_DISCLOSURE         # exposure violates manifest/profile policy
E_CHECKPOINT_DRIFT   # computed HEAD != published checkpoint HEAD
E_FORMAT             # structural syntax/encoding invalid

These codes MAY be extended; existing semantics must remain stable.


8D. Minimal error body (optional)

If a body is emitted, it should be short, structured, and free of PII:

{
  "error": "E_BODY_HASH_MISMATCH",
  "reason": "Digest does not match declared canonical subset",
  "scope": "default",
  "head": "AB12...FF90",
  "stamp": "SSMCLOCK1|2025-11-07T12:45:33Z|n42|sha256=...|prev=AB12...FF90"
}

Norms:

  • MUST include error
  • SHOULD include the stamped continuity note
  • MUST NOT include identity, user attributes, or private content
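
One way a receiver or relay could lint an error body against the 8C code set and the 8D norms before emitting or storing it. This is an added example, not part of the SSM-NET text; the key allow-list, the five-field stamp layout (inferred from the sample body above), and the rule that the stamp's prev must equal the body's head are assumptions.

```python
import json

CANONICAL = {"E_POLICY_MISMATCH", "E_BODY_HASH_MISMATCH", "E_STAMP_PREV",
             "E_MANIFEST_MISS", "E_ALIGN_POLICY", "E_SUBSET_DECL",
             "E_DISCLOSURE", "E_CHECKPOINT_DRIFT", "E_FORMAT"}
# Assumption: only the keys in the 8D sample are allowed; any other key is
# treated as possible identity or private content.
ALLOWED_KEYS = {"error", "reason", "scope", "head", "stamp"}

def parse_stamp(stamp):
    """Split a stamp into fields (layout assumed from the 8D sample)."""
    parts = stamp.split("|") if isinstance(stamp, str) else []
    if (len(parts) != 5 or not parts[3].startswith("sha256=")
            or not parts[4].startswith("prev=")):
        return None
    return {"time": parts[1], "sha256": parts[3][7:], "prev": parts[4][5:]}

def check_error_body(raw):
    """Return (violations, warnings) for a serialized error body."""
    try:
        body = json.loads(raw)
    except ValueError:
        body = None
    if not isinstance(body, dict):
        return ["body is not a JSON object"], []
    violations, warnings = [], []
    code = body.get("error")
    if not isinstance(code, str):
        violations.append("MUST include error")
    elif code not in CANONICAL:  # 8C: codes MAY be extended, so only warn
        warnings.append("non-canonical code: " + code)
    extra = sorted(set(body) - ALLOWED_KEYS)
    if extra:
        violations.append("unexpected keys: " + ", ".join(extra))
    if "stamp" not in body:
        warnings.append("SHOULD include stamped continuity note")
    else:
        fields = parse_stamp(body["stamp"])
        if fields is None:
            violations.append("stamp is malformed")
        elif "head" in body and fields["prev"] != body["head"]:
            violations.append("stamp prev does not match head")
    return violations, warnings

if __name__ == "__main__":
    head = "AB" * 32  # constructed sample values, not taken from the page
    stamp = "SSMCLOCK1|2025-11-07T12:45:33Z|n42|sha256=" + "cd" * 32 + "|prev=" + head
    leaky = {"error": "E_STAMP_PREV", "head": head, "stamp": stamp, "email": "a@example.test"}
    print(check_error_body(json.dumps(leaky)))
```

Violations map to the MUST and MUST NOT norms and should block emission; warnings cover the SHOULD norm and extension codes.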

8E. Receiver actions on failure

# always preserve original envelope
store(envelope)

# record the incident as a new stamped note
append(stamped_error_note)

# quarantine if required by policy
quarantine(scope)

# retry fetch only where meaningful (e.g., manifest retrieval failure)

If the issue is E_CHECKPOINT_DRIFT, the receiver SHOULD refetch the checkpoint, then reconcile per policy.

If the band implies obligations (e.g., CRITICAL), the UI should surface band-level state, never identity-level inference.


8F. Sender actions on failure

  • Do not rewrite history.
  • Prepare a fresh envelope with corrected declarations;
    its prev links to the last accepted HEAD.
  • If the issue is policy text, rotate by publishing a new manifest_id (never edit old manifests).
  • If the issue is disclosure, revert to label-first (value+band) unless full exposure is required.

8G. Intermediary behavior

Intermediaries pass through payload and prior stamps unchanged:

# upstream envelope remains byte-for-byte preserved
forward(envelope)

# intermediary MAY append a stamped observation of its own
append(stamped_note_local)

  • MUST NOT rewrite upstream stamps
  • MAY publish a local HEAD=<HEX> to assist recovery
  • MAY mirror or relay evidence bundles to support replay
