Clear pass-through rules, disclosure posture per level, and safe fallbacks when parity isn’t possible
10F. Intermediaries across levels
- Pass-through. An L1 mirror MUST NOT strip L2/L3 fields. It may hide fields from its own consumers, but upstream bytes and stamps must be preserved byte-for-byte.
- Append-only notes. Intermediaries may add their own stamped observation; they MUST NOT rewrite upstream stamps or subsets.
# upstream envelope remains byte-for-byte preserved
forward(envelope)
# intermediary MAY append a stamped observation of its own
append(stamped_note_local) # SSMCLOCK1|UTC_ISO|nonce|sha256=...|prev=...
- Checkpoint relay. At L3, intermediaries SHOULD expose HEAD=<HEX> to aid fast replay and fork detection.
- Transparency. When adding a local observation, an intermediary SHOULD cite the local manifest_id used for any remap in that stamped note.
10G. Privacy posture by level
- L1 — Label-first (minimum). Strongest default privacy; communicates band and manifest_id with verifiable continuity. Numeric lane (align) stays private.
- L2 — Parity transparency. Reveals align / align_ascii for independent math checks across vendors; same bands/manifest_id travel.
- L3 — Audit transparency. Adds downloadable evidence bundle for offline reproduction without private coordination.
Level Public fields Private by default
----- ------------------------------------------ -------------------
L1 value(bytes), band, manifest_id, stamp align
L2 L1 + align/align_ascii —
L3 L2 + evidence bundle —
10H. Failure and fallback
- Lane parity unavailable (L2 → L1). If a receiver at L2 cannot parity-check align, it MUST treat the session as L1 (label-first) and signal a non-fatal notice.
- Evidence fetch failure (L3 → L2/L1). If evidence cannot be fetched at L3, continue at L2 or L1 according to available fields; payload bytes remain valid under collapse parity.
# collapse parity (payload invariance)
phi((m,a)) = m
- Hash-normalization issues. If canonical subset text cannot be normalized to UTF-8 NFC for hashing, the receiver MUST refuse parity checks and fall back to continuity verification only.
- Broken linkage (chain gap). If prev does not connect to current HEAD, accept payload bytes unchanged (phi((m,a)) = m), mark the declaration non-evidential, and continue from the last valid HEAD (or require a documented repair).
# continuity stamp (single link)
SSMCLOCK1|<UTC_ISO>|nonce=<...>|sha256=<HEAD>|prev=<HEX or NONE>
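The chain-gap fallback above, as an added Python sketch (not part of the SSM-NET text or any reference implementation). The names `parse_stamp`, `receive` and `demo` are hypothetical, the sample stamps are constructed, and treating an unparseable stamp like a chain gap is an assumption; only `prev`-to-`HEAD` linkage is checked, not how `sha256=` is computed.

```python
import re

# Stamp layout from the page:
# SSMCLOCK1|<UTC_ISO>|nonce=<...>|sha256=<HEAD>|prev=<HEX or NONE>
STAMP_RE = re.compile(
    r"SSMCLOCK1\|(?P<utc>[^|]+)\|nonce=(?P<nonce>[^|]+)"
    r"\|sha256=(?P<head>[0-9a-fA-F]{64})\|prev=(?P<prev>[0-9a-fA-F]{64}|NONE)"
)

def parse_stamp(line):
    """Return the stamp's head/prev fields, or None if the layout does not match."""
    m = STAMP_RE.fullmatch(line.strip())
    if m is None:
        return None
    prev = m["prev"]
    return {"head": m["head"].lower(),
            "prev": None if prev == "NONE" else prev.lower()}

def receive(declarations, head=None):
    """Apply the chain-gap fallback to (payload, stamp_line) pairs.

    Only linkage is checked; how sha256= is computed is out of scope here.
    Returns ([(payload, evidential), ...], last_valid_head).
    """
    results = []
    for payload, stamp_line in declarations:
        stamp = parse_stamp(stamp_line)
        # Assumption: an unparseable stamp is handled like a chain gap.
        linked = stamp is not None and stamp["prev"] == head
        if linked:
            head = stamp["head"]  # chain advances only on a valid link
        # phi((m,a)) = m: payload bytes pass through unchanged either way.
        results.append((payload, linked))
    return results, head

def demo():
    # Constructed sample: four declarations; the third cites an unknown prev.
    h1, h2, hx, h3, h4 = ("aa" * 32, "bb" * 32, "cc" * 32, "dd" * 32, "ee" * 32)
    mk = lambda n, h, p: f"SSMCLOCK1|2025-01-01T00:00:0{n}Z|nonce=n{n}|sha256={h}|prev={p}"
    feed = [(b"21.4", mk(1, h1, "NONE")), (b"21.9", mk(2, h2, h1)),
            (b"35.0", mk(3, h3, hx)), (b"22.1", mk(4, h4, h2))]
    return receive(feed)

if __name__ == "__main__":
    for payload, evidential in demo()[0]:
        print(payload, "evidential" if evidential else "non-evidential")
```

The third declaration is kept but flagged non-evidential, and the fourth links again because the receiver continued from the last valid HEAD rather than adopting the unlinked one.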
One-line takeaway for Section 10
Declare your maximum, meet at the minimum: posture travels at L1, numeric parity at L2, full offline replay at L3 — always append-only, never coercive.