Short, non-PII signals; stamped continuity; copy-ready wire shapes
8H. Privacy and safety
• Least disclosure. Error text SHOULD be short and abstract (e.g., “digest mismatch”), avoiding specifics that reveal internals.
• No lane leakage. Do NOT include align/align_ascii in errors unless already public by policy.
• No identity drag. Error surfaces describe content/system posture, not people; exclude PII from canonical subsets and bodies.
• Scoped facts only. Reference scope names and manifest IDs; omit tenant/user identifiers.
• Replay without secrets. Provide only what’s needed to independently verify the failure (code, stamp, optional HEAD).
• UI hygiene. If shown to humans, render compact chips (e.g., INCIDENT • E_BODY_HASH_MISMATCH) without exposing hidden dials.
8I. Illustrative overlay snippets (wire-shape examples; non-normative formatting)
HTTP-M style (headers):
SSMNET-Error: E_STAMP_PREV
SSMNET-Error-Reason: continuity link does not match current HEAD
SSMNET-Stamp: SSMCLOCK1|2025-11-07T12:47:02Z|n7|sha256=...|prev=1F3C...A902
SSMNET-Checkpoint: HEAD=1F3C...A902
Minimal JSON body (optional, non-PII):
{
  "error": "E_BODY_HASH_MISMATCH",
  "reason": "Digest does not match declared canonical subset",
  "scope": "default",
  "head": "AB12...FF90",
  "stamp": "SSMCLOCK1|2025-11-07T12:45:33Z|n42|sha256=...|prev=AB12...FF90"
}
Stream frame note:
type: ssmnet.error
error: E_POLICY_MISMATCH
stamp: "SSMCLOCK1|2025-11-07T12:47:55Z|n8|sha256=...|prev=..."
hint: "band not derivable from manifest cutpoints"
Notes:
• Preserve upstream envelopes byte-for-byte; error notes are append-only.
• Text used in any digest computation MUST be UTF-8 NFC.
• Prefer stable, human-readable scope names; avoid embedding secrets in any field.
• No lane leakage unless align is declared public by manifest.
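An added example (not part of the SSM-NET specification) that lints a JSON error body against the 8H rules and checks that the stamp's prev matches head, as it does in the wire shapes above. The key allowlist, the identity key names, the 80-character reason limit, the NFC check on every string field and the function names are assumptions; both sample bodies are constructed, the first copied from the minimal JSON body above.

```python
import json
import unicodedata

# Keys from the page's minimal JSON body; using them as an allowlist is an assumption.
ALLOWED_KEYS = {"error", "reason", "scope", "head", "stamp"}
LANE_KEYS = {"align", "align_ascii"}            # named on the page
IDENTITY_KEYS = {"tenant", "tenant_id", "user", "user_id", "email"}  # hypothetical names
MAX_REASON_LEN = 80                             # assumed bound for "short and abstract"

def parse_stamp(stamp):
    """Split a stamp into its five '|' fields, following the shape shown on the page."""
    parts = stamp.split("|")
    if (len(parts) != 5 or parts[0] != "SSMCLOCK1"
            or not parts[3].startswith("sha256=") or not parts[4].startswith("prev=")):
        raise ValueError("unexpected stamp shape")
    # The third field (e.g. n42) is kept as-is; its meaning is not defined on this page.
    return {"time": parts[1], "n": parts[2], "digest": parts[3][7:], "prev": parts[4][5:]}

def lint_error_body(raw, align_public=False):
    """Return a list of findings for one JSON error body (empty list means clean)."""
    body = json.loads(raw)
    findings = []
    for key in body:
        if key in LANE_KEYS and not align_public:
            findings.append(f"lane leakage: {key}")
        elif key in IDENTITY_KEYS:
            findings.append(f"identity field: {key}")
        elif key not in ALLOWED_KEYS and key not in LANE_KEYS:
            findings.append(f"unexpected field: {key}")
    for key, value in body.items():
        # Assumption: every string field may feed a digest, so all must be NFC.
        if isinstance(value, str) and not unicodedata.is_normalized("NFC", value):
            findings.append(f"not NFC: {key}")
    if len(body.get("reason", "")) > MAX_REASON_LEN:
        findings.append("reason too long")
    if "stamp" in body and "head" in body:
        if parse_stamp(body["stamp"])["prev"] != body["head"]:
            findings.append("stamp prev does not match head")
    return findings

# Constructed sample bodies: CLEAN mirrors the page's example, BAD breaks three rules.
CLEAN = ('{"error": "E_BODY_HASH_MISMATCH", "scope": "default", '
         '"reason": "Digest does not match declared canonical subset", '
         '"head": "AB12...FF90", "stamp": '
         '"SSMCLOCK1|2025-11-07T12:45:33Z|n42|sha256=...|prev=AB12...FF90"}')
BAD = ('{"error": "E_BODY_HASH_MISMATCH", "reason": "digest mismatch", '
       '"align": "0.42", "user_id": "u-1001", "head": "AAAA", '
       '"stamp": "SSMCLOCK1|2025-11-07T12:45:33Z|n42|sha256=BBBB|prev=CCCC"}')

if __name__ == "__main__":
    print(lint_error_body(CLEAN), lint_error_body(BAD))
```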