Freeze the rulebook in time so meaning can be replayed forever
3A. Purpose of a manifest
A manifest is the frozen rulebook that defines how the alignment lane becomes a human band. It answers, at the moment of emission: what counts as safe, amber, or critical; what tolerances apply; which obligations follow each band; and under which assumptions the policy holds. Once published, the manifest for a given manifest_id is never edited. If meaning changes, a new manifest_id is minted. This prevents silent policy drift and makes audits replayable.
3B. Manifest fields (minimum required)
Manifests should be plain, canonical text with explicit boundaries and tolerances.
# minimal manifest (illustrative) manifest_id: "TRANSPORT_POSTURE.DEMO" bands: - "A++" : [-1.00, -0.80] - "A0" : (-0.80, +0.60] - "CRITICAL" : (+0.60, +1.00] boundary_inclusivity: A++: left-inclusive, right-inclusive A0: left-open, right-inclusive CRITICAL: left-open, right-inclusive # kernel safeguards (match sender/receiver math) eps_a: 1e-6 eps_w: 1e-9 # weighting policy weight_rule: equal # or "sample_based", "trust_based:<rule>", etc. # disclosure mode disclosure: value+band # default; "full" when align must be public # numeric tolerances near cuts cmp_tolerance: 1e-9 # text normalization for hashing text_norm: "utf8_nfc" # epoch guidance (optional) epoch_policy: mode: "count" rollover_after: 5000 note: "Emit stamped rollover marker at each boundary." # assumptions (non-secret operational notes) assumptions: "Nominal sampling; no guaranteed rate enforcement." # evidence discovery (optional but helpful) evidence_links: checkpoints: "/.well-known/ssmnet/checkpoint/TRANSPORT_POSTURE.DEMO" bundles: "/.well-known/ssmnet/evidence/TRANSPORT_POSTURE.DEMO"
Why these fields matter (quick map).
bands,cutpoints,boundary_inclusivity→ ensure deterministic band decisions.eps_a,eps_w,weight_rule→ keep math parity between sender and receiver.disclosure→ defines privacy posture (label-first vs full).cmp_tolerance,text_norm→ eliminate off-by-one and encoding drift.epoch_policy→ allows(U,W)resets without ambiguity.evidence_links→ speed audit and catch-up.
3C. Rotation principle (critical invariant)
If any band meaning, threshold, inclusivity, or obligation changes, the manifest rotates:
# rotation rule
if policy_changes == true:
manifest_id := NEW_ID # mint new identifier
publish(manifest_id) # publish new immutable rulebook
start_using(manifest_id) # future envelopes reference NEW_ID
# never edit old manifest text
Why rotation is non-negotiable.
- No rewrites in place. Past envelopes keep the band meanings that applied when they were produced.
- Fair audits. Reviewers replay exactly the same rulebook the sender used.
- Policy clarity. Any change is visible as a new
manifest_id, not an undetected edit.
Practical checklist (senders & publishers).
- Treat manifest text as immutable per manifest_id. - Version by rotation (new manifest_id), not by editing. - Keep old manifests online for replay (long TTL; stable bytes). - Announce effective-from timestamps in release notes (non-normative).
Navigation
Previous: SSM-NET — Epochs & Scope Lifecycle (2H)
Next: SSM-NET — Publication & discovery (3D)