Freeze the rulebook in time so meaning can be replayed forever
3A. Purpose of a manifest
A manifest is the frozen rulebook that defines how the alignment lane becomes a human band. It answers, at the moment of emission: what counts as safe, amber, or critical; what tolerances apply; which obligations follow each band; and under which assumptions the policy holds. Once published, the manifest for a given manifest_id is never edited. If meaning changes, a new manifest_id is minted. This prevents silent policy drift and makes audits replayable.
3B. Manifest fields (minimum required)
Manifests should be plain, canonical text with explicit boundaries and tolerances.
# minimal manifest (illustrative)
manifest_id: "TRANSPORT_POSTURE.DEMO"
bands:
- "A++" : [-1.00, -0.80]
- "A0" : (-0.80, +0.60]
- "CRITICAL" : (+0.60, +1.00]
boundary_inclusivity:
A++: left-inclusive, right-inclusive
A0: left-open, right-inclusive
CRITICAL: left-open, right-inclusive
# kernel safeguards (match sender/receiver math)
eps_a: 1e-6
eps_w: 1e-9
# weighting policy
weight_rule: equal # or "sample_based", "trust_based:<rule>", etc.
# disclosure mode
disclosure: value+band # default; "full" when align must be public
# numeric tolerances near cuts
cmp_tolerance: 1e-9
# text normalization for hashing
text_norm: "utf8_nfc"
# epoch guidance (optional)
epoch_policy:
mode: "count"
rollover_after: 5000
note: "Emit stamped rollover marker at each boundary."
# assumptions (non-secret operational notes)
assumptions: "Nominal sampling; no guaranteed rate enforcement."
# evidence discovery (optional but helpful)
evidence_links:
checkpoints: "/.well-known/ssmnet/checkpoint/TRANSPORT_POSTURE.DEMO"
bundles: "/.well-known/ssmnet/evidence/TRANSPORT_POSTURE.DEMO"
Why these fields matter (quick map).
bands,cutpoints,boundary_inclusivity→ ensure deterministic band decisions.eps_a,eps_w,weight_rule→ keep math parity between sender and receiver.disclosure→ defines privacy posture (label-first vs full).cmp_tolerance,text_norm→ eliminate off-by-one and encoding drift.epoch_policy→ allows(U,W)resets without ambiguity.evidence_links→ speed audit and catch-up.
3C. Rotation principle (critical invariant)
If any band meaning, threshold, inclusivity, or obligation changes, the manifest rotates:
# rotation rule
if policy_changes == true:
manifest_id := NEW_ID # mint new identifier
publish(manifest_id) # publish new immutable rulebook
start_using(manifest_id) # future envelopes reference NEW_ID
# never edit old manifest text
Why rotation is non-negotiable.
- No rewrites in place. Past envelopes keep the band meanings that applied when they were produced.
- Fair audits. Reviewers replay exactly the same rulebook the sender used.
- Policy clarity. Any change is visible as a new
manifest_id, not an undetected edit.
Practical checklist (senders & publishers).
- Treat manifest text as immutable per manifest_id.
- Version by rotation (new manifest_id), not by editing.
- Keep old manifests online for replay (long TTL; stable bytes).
- Announce effective-from timestamps in release notes (non-normative).
Navigation
Previous: SSM-NET — Epochs & Scope Lifecycle (2H)
Next: SSM-NET — Publication & discovery (3D)
SHUNYAYA 