SSM-NET — Fetch, Pinning & Offline Replay (7G)

Verify independently: fetch rulebooks, pin bytes, walk continuity, replay without coordination

Purpose (7G)

This subsection defines how any receiver — system, analyst, auditor, or tool — can fetch manifests, pin the exact bytes, read the current HEAD, and replay continuity offline. The process is identity-free, transport-agnostic, and preserves payload invariance (phi((m,a)) = m).


7G.1 Minimal client behavior (normative)

  1. Fetch manifest by ID
    GET /.well-known/ssmnet/manifest/<manifest_id> → byte-stable text.
  2. Compute local pin
    manifest_sha256 := sha256(manifest_bytes)
    manifest_pin    := "sha256=" + manifest_sha256
  3. Verify band locally using the pinned manifest.
  4. Fetch checkpoint
    GET /.well-known/ssmnet/checkpoint[?scope=<name>] → HEAD=<HEX>.
  5. Persist for offline replay:
    • manifest_bytes
    • manifest_pin
    • HEAD
    • envelopes (declared canonical subset only)

7G.2 Pinning contract (normative)

# use the pinned manifest bytes when verifying any envelope
require "sha256=" + sha256(manifest_bytes_local) == manifest_pin

# if mismatch:
# treat as E_MANIFEST_PIN → fetch again or operator review

  • No in-place manifest edits. Any change requires a new manifest_id (rotation rule).

7G.3 Offline replay (deterministic)

Inputs:
manifests.json, envelopes.jsonl, hashes.txt, checkpoint.txt

Steps:

1. compute sha256(subset_bytes [+ raw_body_bytes_if_declared])
   compare with hashes.txt

2. walk prev chain:
   stamp := "SSMCLOCK1|<UTC_ISO>|nonce|sha256=HEAD|prev=PREV"

3. if align is public:
   a_c := clamp(a_raw, -1+eps_a, +1-eps_a)
   u   := atanh(a_c)
   U  += w*u ; W += w
   align := tanh( U / max(W, eps_w) )
   band := cutpoint_map(align, manifest_id)

4. confirm final HEAD == checkpoint.txt's HEAD
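
An added example (not part of the SSM-NET specification or its tooling) of the 7G.2 pin check and replay steps 2 to 4, run over constructed in-memory data. It assumes stamps are plain strings in the step 2 layout and that walking the chain means each prev must equal the prior stamp's HEAD; the names ReplayError, check_pin, walk_chain and fuse_align are hypothetical, and band mapping via cutpoint_map is left out because its edges live in the manifest.

```python
import hashlib
import math
# Added illustration; class and function names are hypothetical.
class ReplayError(Exception):
    def __init__(self, code, detail):  # code: a failure code from 7G.5
        super().__init__(f"{code}: {detail}")
        self.code = code

def check_pin(manifest_bytes: bytes, manifest_pin: str) -> None:
    # 7G.2: the pin is "sha256=" + hex digest of the exact manifest bytes.
    local = "sha256=" + hashlib.sha256(manifest_bytes).hexdigest()
    if local != manifest_pin:
        raise ReplayError("E_MANIFEST_PIN", f"local {local} != pinned {manifest_pin}")

def walk_chain(stamps, checkpoint_head: str) -> str:
    # Stamp layout from step 2: SSMCLOCK1|<UTC_ISO>|nonce|sha256=HEAD|prev=PREV
    head = None
    for n, stamp in enumerate(stamps):
        tag, _utc, _nonce, h, p = stamp.split("|")
        if tag != "SSMCLOCK1" or not h.startswith("sha256=") or not p.startswith("prev="):
            raise ValueError(f"stamp {n}: not an SSMCLOCK1 stamp")
        # Assumption: a broken prev link is reported as drift; first prev is unchecked.
        if head is not None and p[len("prev="):] != head:
            raise ReplayError("E_CHECKPOINT_DRIFT", f"stamp {n}: prev != prior HEAD")
        head = h[len("sha256="):]
    if head != checkpoint_head:
        raise ReplayError("E_CHECKPOINT_DRIFT", f"computed {head} != published {checkpoint_head}")
    return head

def fuse_align(samples, eps_a: float, eps_w: float) -> float:
    # Step 3: the clamp keeps atanh finite when a_raw is exactly +/-1.
    U = W = 0.0
    for a_raw, w in samples:
        a_c = max(-1 + eps_a, min(1 - eps_a, a_raw))
        U += w * math.atanh(a_c)
        W += w
    return math.tanh(U / max(W, eps_w))

# Constructed sample data (not from the specification).
MANIFEST = b'{"manifest_id":"demo-1","eps_a":1e-6,"eps_w":1e-12}'
PIN = "sha256=" + hashlib.sha256(MANIFEST).hexdigest()
STAMPS = [
    "SSMCLOCK1|2025-01-01T00:00:00Z|n1|sha256=aa11|prev=0000",
    "SSMCLOCK1|2025-01-01T00:00:05Z|n2|sha256=bb22|prev=aa11",
    "SSMCLOCK1|2025-01-01T00:00:09Z|n3|sha256=cc33|prev=bb22",
]

if __name__ == "__main__":
    check_pin(MANIFEST, PIN)
    print(walk_chain(STAMPS, "cc33"), fuse_align([(1.0, 1.0), (-0.2, 1.0)], 1e-6, 1e-12))
```

A single changed byte in the manifest, a dropped stamp, or a checkpoint HEAD that differs from the replayed one each stop the replay with the matching failure code.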


7G.4 Caching & freshness (client hints)

  • Manifest: long TTL; validated by pin, not timestamp.
  • Checkpoint: short TTL; refresh opportunistically.
  • If network unavailable: continue replay using pinned manifest; defer only actions that require newer rules.

7G.5 Failure codes (wire-surface, illustrative)

Code                  Meaning
E_MANIFEST_MISS       Manifest not retrievable
E_MANIFEST_PIN        Pin mismatch (bytes changed or stale)
E_CHECKPOINT_DRIFT    Computed HEAD ≠ published HEAD
E_SUBSET_DECL         Canonical subset inconsistent or malformed
E_BODY_HASH_MISMATCH  Digest mismatch over declared bytes

7G.6 Security & privacy

  • No identity drag: fetching manifests and checkpoints never requires identity.
  • Canonical subsets exclude PII: posture describes system state, not people.
  • Pinned manifest ensures reproducibility: recency does not override integrity.

7G.7 Minimal operator checklist (paste-ready)

[ ] Serve manifests at stable paths; byte-stable; include edges and eps_a / eps_w.
[ ] Publish checkpoint with HEAD=<HEX> and short TTL.
[ ] Do not edit old manifest_id files; rotate with new IDs when changing policy.
[ ] Provide evidence bundles (manifests.json, envelopes.jsonl, hashes.txt, checkpoint.txt, verify.sh).
[ ] Ensure UTF-8 NFC normalization for all hash-relevant text.

