SSMT – Conformance, Privacy, Accessibility, and Stability (8.5–8.7)

From lab to live use: how to prove correctness, protect data, and keep outputs usable by everyone while staying inside symbolic space.

8.5 CI and conformance (must)
This is the “prove it” layer. Any serious deployment of Shunyaya Symbolic Mathematical Temperature (SSMT) MUST be able to demonstrate that the math and the emitted signals behave exactly as declared in the manifest.

Tier S1 tests.
Your CI MUST continuously validate the core behaviors below. These tests use deterministic inputs (not live data) and MUST pass before each release or firmware/pipeline change:

  • Unit invariance.
    Converting 35 C, 95 F, or 308.15 K must all land on the same Kelvin value and then map to the same e_T.
    Example expected behavior: e_T := ln( T_K / T_ref ) MUST return the same e_T no matter which unit the input started in.
  • Lens zero / monotonicity.
    For any selected lens, at T_K == T_ref, e_T MUST be 0.
    If T1 < T2, then e_T(T2) MUST be greater than e_T(T1) for that lens.
    This confirms that the contrast dial is stable and ordered.
  • Domain guards.
    Each lens MUST only run inside its declared numeric domain.
    The following checks MUST all be in CI: log / beta: require T_K > 0 and T_ref > 0 linear: require DeltaT > 0 kBT: require E_unit > 0 hybrid: require tau > 0 (plus the branch guards of linear/log) qlog: require T_ref > 0 and alpha > 0 If a guard is violated, the system MUST either raise a health flag (for example, health.sensor_ok = false) or refuse to emit that symbol.
  • Clamps.
    Bounded dials MUST be enforced. In CI you MUST verify: |a_T| <= 1 - eps_a |a_phase| <= 1 - eps_a with 0 < eps_a <= 1e-3, and that eps_a is published in the manifest.
  • Phase symmetry.
    For any declared pivot T_m, the phase dial a_phase := tanh( c_m * ( (T_K - T_m) / DeltaT_m ) ) MUST:
    • Be negative below T_m
    • Be positive above T_m
    • Return 0 at T_m
    • Stay bounded strictly inside (-1,+1) after clamp
    CI MUST also test multi-pivot fusion (if used) to confirm that symmetric points across multiple pivots average back toward 0 after fusion.
  • Soft hysteresis evolution.
    When using soft hysteresis memory: p_side := 0.5 * ( 1 + tanh( k_side * ( T_K - T_m ) ) ) Q_phase := rho * Q_prev + (1 - rho) * clip(p_side, 0, 1) CI MUST prove:
    • rho is in (0,1)
    • k_side > 0
    • Q_phase moves smoothly, without violent oscillation when T_K jitters around T_m
  • Validity / saturation.
    When a reading falls outside T_valid_range_K = [T_min, T_max], CI MUST confirm: T_K_eff := min( max( T_K , T_min ) , T_max ) oor := "below_min" | "above_max" health.range_ok := false In other words: we stabilize the math using T_K_eff, but we do NOT pretend it was normal. The out-of-range flag MUST survive.
  • Pooling bounds (if pooling is enabled).
    CI MUST verify that pooling using rapidity-style fusion never escapes bounds. A typical safe form is: a_pool := tanh( mean( atanh(a_i) ) ) CI MUST prove:
    • Associativity (changing grouping order does NOT change a_pool beyond a tiny tolerance).
    • |a_pool| < 1.
  • Kelvin floor.
    CI MUST verify that all paths apply: T_K := max( T_K , eps_TK ) and that non-default eps_TK is published.
  • Hybrid/qlog safety.
    If hybrid or qlog is in use, CI MUST explicitly test:
    • Branch selection for hybrid (smooth changeover governed by tau).
    • Zero-at-anchor and monotonicity for qlog.
    • Proper parameter publication (tau, alpha).

Golden vectors.
Golden vectors are small, frozen input/output bundles. The system MUST store reference cases (for example, “35 C -> e_T = 0.03298996…”) and MUST fail CI if outputs drift beyond declared tolerances:

tol_abs   = 1e-6       # numeric equality in symbol space
tol_pool  = 1e-12      # associativity of pooled a values

Static checks.
Before deployment, every manifest MUST pass a schema validator. At minimum:

  • Exactly one resolved_lens
  • Published T_ref, DeltaT or E_unit if needed
  • Declared T_valid_range_K
  • Declared clamps (eps_a, eps_TK)
  • Declared pivots if a_phase is emitted
  • Declared compliance level (S1 / S2 / S3)

8.5.1 Tolerances (normative, copy-ready)
These tolerances SHOULD be applied in CI, dashboards, and audit replay. They are strict enough to catch drift, but loose enough to allow normal float behavior.

tol_abs   = 1e-6     # value comparisons in symbol space
tol_pool  = 1e-12    # pooling associativity checks

tol_abs is used for checks like “does encode_eT still return the same e_T for the same Kelvin input and lens parameters?”
tol_pool is used for checks like “does regrouping multiple a_T streams yield the same a_pool after tanh/atanh fusion?”

These tolerances MUST be published (for example in internal QA notes) so that any later investigation can prove that alerts were driven by stable math, not by floating-point noise.

8.6 Security, privacy, and data handling

The mission here is: be auditable, be honest, but do not leak more than you have to. SSMT is not a secrecy layer by itself — and it MUST NOT be sold as one.

No personal data in manifest_id.
manifest_id MUST NOT contain personal names, addresses, or anything that ties the symbol stream to an identifiable person.
It SHOULD read like an internal technical tag that maps to a manifest recipe, not an identity label.

Kelvin first, symbols forward.
On the device (or at the edge), raw input is converted to Kelvin:

T_K = to_kelvin(T_raw, unit_raw)
T_K = max( T_K , eps_TK )

From there you generate:

e_T      := ln( T_K / T_ref )                 # log lens example
a_phase  := tanh( c_m * ( (T_K - T_m) / DeltaT_m ) )
Q_phase  := rho * Q_prev + (1 - rho) * clip(p_side, 0, 1)
a_T      := tanh( c_T * e_T )

Machine logic SHOULD consume only these symbols plus health flags (health.sensor_ok, health.range_ok, health.drift) and oor.
Human-facing dashboards MAY still show °C/°F, but that is presentation only.

Invertibility notice.
Important truth: e_T is monotone with respect to T_K if the lens and anchors (T_ref, etc.) are known.

For example, with the log lens:

e_T := ln( T_K / T_ref )

you can rearrange:

T_K := T_ref * exp( e_T )

That means e_T is not anonymous. If you publish e_T plus the exact anchors, someone can approximately reconstruct the original Kelvin. This MUST be openly stated in policy. SSMT is not “privacy by default.”

How to reduce reconstruction when needed.
If temperature itself is sensitive (for example, you’re exposing only a risk dial, not the exact thermal state), you MAY:

  • Quantize or bucket e_T before sharing externally.
  • Omit exact anchors and instead publish only ranges (“T_ref in band A”, “DeltaT in band B”).
  • Publish only bounded dials like a_phase or a_phase_fused instead of raw e_T.
  • Add a declared bias or noise term to create a public-facing e_pub.

If you do this, you MUST clearly mark that stream as “obfuscated / bucketed / privacy-shifted.” You MUST NOT claim full auditability for that shared stream, because you have weakened direct replay.

Time integrity.
Every record MUST include:

timestamp_utc    # ISO-8601, Z
manifest_id
e_T
(optional) a_phase / Q_phase / a_T
health { range_ok, sensor_ok, drift }
oor?

Clocks MUST be synchronized (for example with a disciplined reference). Symbol streams without trustworthy time are weaker for audit, root-cause analysis, and legal review.

Transport and binding.
Symbol telemetry SHOULD be signed and SHOULD travel over an authenticated, encrypted channel.
Consumers SHOULD verify:

  • Signature
  • manifest_id
  • (if provided) manifest_hash

This creates a binding between “what we measured” and “the declared math that produced it.”

8.6.1 Privacy note (normative)
Three direct statements MUST appear anywhere SSMT is deployed in environments that care about privacy or regulated data:

  1. e_T is auditable and intentionally reconstructable if anchors are public.
    It is not encryption.
  2. You MUST NOT market SSMT as “privacy by default.”
    SSMT is a shared symbolic language, not an anonymizer.
  3. If you export obfuscated or bucketed signals (for example, rounded e_T or only a_phase bands), you MUST label those streams accordingly and accept that external reviewers cannot fully replay true physical temperature from them.

Also required:

  • All timestamps MUST be UTC in ISO-8601 with Z.
  • All decimals MUST use dot notation.
  • Human-readable dashboards MAY localize units, but machine logic MUST remain in symbol space.

8.6.2 Data retention (recommended)
This is how to store evidence without hoarding sensitive raw data forever.

Raw Kelvin (T_K).
Keep raw Kelvin only as long as required:

  • Calibration proof
  • Regulatory reporting
  • Human-safety documentation

After that retention window, purge raw Kelvin values.

Symbol stream.
Keep the symbolic stream — and the manifest that explains it — for the full review window:

{ timestamp_utc,
  e_T,
  a_phase?,
  a_phase_fused?,
  a_T?,
  Q_phase?,
  health:{ range_ok, sensor_ok, drift },
  oor?,
  manifest_id }

Plus the manifest itself (anchors, pivots, clamps, ranges, declared lens, declared eps_TK, declared eps_a).
This is enough to prove what happened, when it happened, and whether policy was respected.

Why this matters.
Auditors, investigators, and safety reviewers should be able to answer “Did we violate the declared safe band? For how long?” without needing a live dump of historical °C/°F streams.

8.6.3 Accessibility & inclusion (non-normative)
SSMT is designed to be understood in plain ASCII. That is deliberate. Everyone — auditors, operators, safety reviewers, regulators, engineers, and people using assistive technology — should be able to read the same truth.

Speakable formulas.
Always define the dial, then show the ASCII, then say what positive / negative / zero mean.

For example:

e_T := ln( T_K / T_ref )

Speakable cue:
“e underscore T equals natural log of T sub K over T sub ref.”
Meaning:
Positive e_T means hotter than the declared anchor.
Negative e_T means colder than the anchor.
Zero means “at anchor.”

Another core dial:

a_phase := tanh( c_m * ( (T_K - T_m) / DeltaT_m ) )

Speakable cue:
“a underscore phase equals tanh of c sub m times open parenthesis T sub K minus T sub m close parenthesis divided by Delta T sub m.”
Meaning:
a_phase < 0 means “on the cold side of the pivot,”
a_phase > 0 means “on the warm side,”
and values are always between -1 and +1 after clamps.

Charts must not rely on color alone.
If you draw a band, label it numerically:

a_phase = -0.7  # cold-side risk
a_phase = +0.8  # hot-side risk

And include alt-text that restates what matters in words.

Timestamps and numbers.

  • Always UTC.
  • Always ISO-8601 with Z.
  • Always dot decimals.
  • Always show at least 6 decimal places for symbolic quantities (e_T, a_phase, etc.) if they feed policy.

Accessibility checklist before release.
You SHOULD ship a short checklist (for each dashboard / report / alerting channel) confirming:

  • ASCII formulas are present and speakable.
  • Alt-text and numeric keys are provided with each figure.
  • Safety states are not color-only.
  • Timestamps use ISO-8601 UTC with Z.
  • Variables (T_K, e_T, a_phase, a_phase_fused, Q_phase, rho, etc.) match exactly across spec, dashboard, and policy.

This prevents “secret math.” Anyone reading the output — including someone with no visual access to charts — can still audit what happened.

8.7 Simplicity and anti over-engineering
SSMT is intentionally layered. The safest rollout path is always: start simple, then upgrade only when the added dial actually solves a real problem.

Start S1.
Emit e_T, manifest_id, and health flags. That alone already gives:

  • A unitless contrast dial.
  • A fixed anchor (T_ref) that travels across devices.
  • A replayable audit trail.

Move to S2 only when you truly need phase behavior.
Adopt a_phase / a_phase_fused and Q_phase when freeze / melt / softening / deformation / structural stress / biological safety bands actually matter.
S2 is for “which side of the pivot are we on, and how long have we been there?”

Move to S3 only when you need bounded fleet dashboards, pooled KPIs, or automated gating.
Adopt a_T (the bounded alignment channel derived from e_T) and pooling.
S3 is for “how do I summarize many sensors into one dial without losing control, and how do I drive gating or throttling decisions at scale?”

Every upgrade MUST carry a one-line rationale in the manifest notes.
Example (good):

"Upgrade from S1 to S2:
freeze damage in storage is now a top risk.
We added a_phase + Q_phase to capture dwell below phase pivot."

Example (bad):

"Added all fields because more data is better."

The manifest becomes the living record of why complexity was introduced.

Navigation
Previous: SSMT – Governance, Compliance Levels, and Numeric Safety Rules (8.1–8.4.1)
Next: SSMT – Disaster-Prevention Playbook (9.0–9.4)

Directory of Pages
SSMT – Table of Contents