SSM-NET — Security, Privacy, and Ethics (9D–9F)

Human-first obligations, reproducible time anchors, operational hardening

9D. Ethical ground rules (humans before metrics)

The overlay is not just technical; it encodes responsibility. Posture exists to inform action, not to excuse neglect or to mislabel people.

  • Clarity over cosmetics.
    Do not “soften” a band to look better. Bands are safety signals, not brand signals.
  • Escalation honesty.
    If the band implies an obligation (review, pause, human check), then:
    • the obligation must be executed, OR
    • a stamped override must be published (append-only).
    Quiet non-action is not allowed.
  • No identity drag.
    Bands describe system/content posture, not people.
    Never infer identity, intent, or character from a posture.
  • Audit equity.
    Rulebooks must be publicly discoverable:
      GET /.well-known/ssmnet/manifest/<manifest_id>
      GET /.well-known/ssmnet/checkpoint
      GET /.well-known/ssmnet/evidence
    so independent verification does not require permission or trust agreements.
  • Bounded interpretation.
    A band is a bounded operational signal. It is not a psychological, political, or personal label — and must never be presented as such.

9E. Time, clocks, and anchors

Continuity in SSM-NET does not depend on a perfect wall clock — it depends on a verifiable chain.

  • UTC only for stamps.
      YYYY-MM-DDThh:mm:ssZ
    Fractional seconds appear only if declared in the manifest (e.g., prec_ms=true) and must then appear everywhere consistently.
  • Monotonic ordering by chain, not timestamp.
      stamp := "SSMCLOCK1|<UTC_ISO>|nonce=<...>|sha256=<HEAD>|prev=<HEX or NONE>"
    The prev link defines real ordering.
  • Clock skew tolerance.
    Deployments should declare:
      allowed_skew_s = <integer_seconds>
    Receivers MAY accept stamps within that window; outside the window → quarantine without rewriting history.
  • Epoch / (U,W) boundary awareness.
    If (U,W) accumulation resets periodically:
    • Emit a stamped rollover note
    • Keep replay deterministic
    • Never overwrite previous chain segments
  • Drift recovery principle.
    When clocks diverge or repair occurs:
    • append a stamped correction note
    • do not edit past stamps
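
A receiver-side sketch of the rules above, added here as an example and not taken from the SSM-NET project: it orders stamps by prev links only, uses timestamps solely for the skew check, and quarantines instead of editing. Assumptions: prev carries the sha256 value of the preceding stamp, hashes are 64 lowercase hex characters, skew is measured against the receiver's own receive time, and the names parse_stamp and order_chain are hypothetical.

```python
import re
from datetime import datetime, timezone

# Assumption: sha256/prev are 64 lowercase hex chars; no fractional seconds
# (i.e. the manifest does not declare prec_ms=true).
STAMP_RE = re.compile(
    r"SSMCLOCK1\|(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\|nonce=([^|]+)"
    r"\|sha256=([0-9a-f]{64})\|prev=([0-9a-f]{64}|NONE)"
)

def parse_stamp(line):
    m = STAMP_RE.fullmatch(line)
    if not m:
        raise ValueError("malformed stamp")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")  # rejects e.g. month 13
    return {"raw": line, "ts": ts.replace(tzinfo=timezone.utc),
            "head": m.group(3), "prev": m.group(4)}

def order_chain(received, allowed_skew_s):
    """received: list of (stamp_line, receive_time_utc), in any arrival order.
    Returns (ordered_lines, quarantined); quarantined is [(line, reason)].
    Ordering follows prev links only; timestamps feed the skew check alone."""
    by_prev, quarantined = {}, []
    for line, seen_at in received:
        try:
            s = parse_stamp(line)
        except ValueError as exc:
            quarantined.append((line, str(exc)))
            continue
        s["skew"] = abs((seen_at - s["ts"]).total_seconds())
        by_prev.setdefault(s["prev"], []).append(s)

    ordered, tip = [], "NONE"
    while tip in by_prev:
        children = by_prev.pop(tip)
        if len(children) > 1:            # two stamps claim the same predecessor
            quarantined += [(c["raw"], "fork") for c in children]
            break
        s = children[0]
        if s["skew"] > allowed_skew_s:   # outside the declared window
            quarantined.append((s["raw"], "skew"))
            break
        ordered.append(s["raw"])
        tip = s["head"]
    # Stamps not reachable from the accepted chain are held, never dropped or edited.
    for rest in by_prev.values():
        quarantined += [(c["raw"], "unlinked") for c in rest]
    return ordered, quarantined
```

Stopping the walk at a quarantined stamp and holding its descendants as "unlinked" is a conservative choice made for this example; the page itself only requires that history is not rewritten.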

9F. Operational hardening (recommended practices)

These are not new rules — they are running posture for robust deployments.

  • Transport security.
    SSM-NET does not replace TLS or key management. Use appropriate encryption/auth per environment.
  • Checksum discipline.
    Always hash the byte-exact declared fields:
      sha256( serialize(subset_fields) [+ raw_body_bytes_if_declared] )
    Serializers must be documented to avoid ambiguity.
  • Red-team continuity.
    Periodically test:
    • Digest mismatch (flip any byte → must fail deterministically)
    • Chain fork (ensure forks are quarantined)
    • Replay parity (offline reproduce ALL CHECKS PASSED)
  • Scope hygiene.
    Keep scope names stable (e.g., default, orders, feed-alpha).
    Document rollover procedures in evidence bundles.
  • Operator surface clarity.
    UI should display posture in compact non-identity labels, e.g.:
      [ A0 • nominal ]
      [ CRITICAL • human review required ]
    Not:
    • Not user scores
    • Not personality ratings
    • Not skill classifications
