Garbage-in

What this risk is—and what it cannot do

“Garbage-in” covers wrong, incomplete, or inconsistent dossiers: forged PDFs, mismatched BL↔seal photos, sloppy lot lists, timezone or decimal drift, unbound sensor logs, redactions done incorrectly, or attempts to reuse the same facts under different wrappers. None of this can make money move by accident. Settlement law lives in contracts: PoV PASS → EMT → Locked EDSD flips to Unlocked EDSD → fee → 50% burn. If facts are wrong, the Gate fails; if facts change later, we append a correction and freeze only downstream slices. Paid slices remain paid.

1. Risk surface

  • Evidence quality: Forged/altered documents; synthetic images; missing signatures or pages

  • BL container list that doesn’t match the seal photo/number: photos with missing/contradictory EXIF

  • Serialization & format: Non-canonical JSON; wrong decimal precision; local time instead of UTC Z; container_ids treated as a sequence instead of a set; null/empty fields included

  • Identity & uniqueness: Lot/COA not matching the order; wrong project/vintage/serial

  • Duplicate use of facts: same BL + seal + containers; same token serial on EDMA or across mirrors

  • Sensors & streams: Temperature gaps; unbound device keys; log tampering; re-encoded CSVs

  • Inadequate coverage for the lane: missing legs in multimodal routes

  • Redaction & privacy: PII embedded in the dossier and hashed into the PoV hash

  • Redacted fields without salted commitments: cannot be later proven to a regulator

2. Guardrails that contain garbage-in

  • Deterministic bytes & hashes: Canonical JSON (Section 12.1) + sha256 → PoV hash binds the dossier (sorted keys, UTC, decimal strings, sets vs sequences, no null)

  • File digests: sha256(file_bytes) for every PDF/JPG/CSV the schema requires

  • Claim id (Section 12.2): keccak256(claim_key_fields, pov_hash) makes global uniqueness depend on both identity fields and the dossier hash

  • Schema & quorum checks (PoV Gate): Required fields & files present; formats correct; SET arrays sorted; SEQ arrays preserved

  • Role-diverse quorum with ACTIVE keys and freshness windows: equality on the same PoV hash

  • Funding precondition for post-production gates: must-fund before shipping

  • Uniqueness & lineage: One-Claim atomic reserve→finalize in the same tx as EMT/settle; duplicates revert E_ONECLAIM_TAKEN

  • Merkle roots for large logs (temp): prove segments by inclusion; no need to upload full streams

  • Revocation freezes only downstream slices: corrections are append-only (replacement EMT/token with replaces link)

  • Privacy discipline: Schema-declared redactable paths; redactions omit values and commit salted hashes in redactions[]

  • PII stays out of the PoV hash: regulators can later verify with salt disclosure
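The canonicalization, PoV hash, claim id and One-Claim guardrails above, as an added example that is not the platform's SDK or contract code. The dossier field names, the declaration of which arrays are SETs, and the preimage layout for the claim id are assumptions; the page specifies keccak256 for the claim id, and because the Python standard library has no keccak this stand-in uses sha3_256 over the same inputs:

```python
import hashlib
import json

# Which array paths are SETs (sorted, de-duplicated) versus SEQs (order preserved)
# comes from the schema; here it is an assumed declaration.
SET_FIELDS = {"container_ids"}


def canonicalize(value, key=None):
    """Return a canonical copy: null fields dropped, SET arrays sorted, floats rejected."""
    if value is None:
        return None                      # caller omits the field entirely
    if isinstance(value, float):
        raise ValueError("E_FORMAT_INVALID: amounts must be decimal strings, not floats")
    if isinstance(value, dict):
        out = {}
        for k in sorted(value):
            v = canonicalize(value[k], k)
            if v is not None:
                out[k] = v
        return out
    if isinstance(value, list):
        items = [v for v in (canonicalize(x, key) for x in value) if v is not None]
        if key in SET_FIELDS:
            return sorted(set(items))    # SET: order-insensitive, no duplicates
        return items                     # SEQ: order is part of the facts
    return value


def canonical_bytes(dossier):
    """Sorted keys, compact separators, UTF-8: the bytes the Gate hashes."""
    return json.dumps(canonicalize(dossier), sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def pov_hash(dossier):
    return hashlib.sha256(canonical_bytes(dossier)).hexdigest()


def file_digest(file_bytes):
    return hashlib.sha256(file_bytes).hexdigest()


def claim_id(claim_key_fields, pov):
    # The page specifies keccak256(claim_key_fields, pov_hash). The standard library
    # has no keccak, so this stand-in uses sha3_256 over an assumed preimage layout.
    return hashlib.sha3_256(canonical_bytes(claim_key_fields) + bytes.fromhex(pov)).hexdigest()


def check_drift(client_hash, dossier):
    """Server-side drift check: None on match, else the error plus canonical bytes."""
    if client_hash != pov_hash(dossier):
        return {"error": "E_CANONICAL_DRIFT", "canonical": canonical_bytes(dossier)}
    return None


# In-memory stand-in for the contract's One-Claim reserve step.
_CLAIMS = {}


def reserve_claim(cid):
    if cid in _CLAIMS:
        return "E_ONECLAIM_TAKEN"       # duplicate facts under any wrapper revert here
    _CLAIMS[cid] = "reserved"
    return "OK"


# Constructed sample dossier, deliberately non-canonical: unsorted, duplicated
# container set, a null field, keys out of order.
SAMPLE = {
    "seal_number": "SEAL9981",
    "bl_number": "BL-TEST-0001",
    "container_ids": ["CMAU000002", "CMAU000001", "CMAU000002"],
    "sensor_log": ["2024-03-01T00:00:00Z", "2024-03-01T01:00:00Z"],   # SEQ
    "quantity": "1250.000",
    "notes": None,
}
# Same facts under a different wrapper: must produce the same PoV hash and claim id.
SAMPLE_REWRAPPED = {
    "container_ids": ["CMAU000001", "CMAU000002"],
    "quantity": "1250.000",
    "bl_number": "BL-TEST-0001",
    "sensor_log": ["2024-03-01T00:00:00Z", "2024-03-01T01:00:00Z"],
    "seal_number": "SEAL9981",
}
KEY_FIELDS = {"bl_number": "BL-TEST-0001", "seal_number": "SEAL9981",
              "container_ids": ["CMAU000001", "CMAU000002"]}

if __name__ == "__main__":
    print(canonical_bytes(SAMPLE).decode())
    print("pov_hash:", pov_hash(SAMPLE))
    print(reserve_claim(claim_id(KEY_FIELDS, pov_hash(SAMPLE))))
    print(reserve_claim(claim_id(KEY_FIELDS, pov_hash(SAMPLE_REWRAPPED))))   # E_ONECLAIM_TAKEN
```

The point the two sample dossiers make is that canonicalization, not the submitter's serialization, decides the hash: the same facts rewrapped land on the same PoV hash and claim id, so the second reserve is refused, while a float or a non-canonical client hash is refused before anything is reserved.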

3. Detection → response → recovery

  • Detection (clear signals, no guesswork): The Gate returns explicit errors; webhooks mirror them so systems react automatically.

  • Serialization/format: E_CANONICAL_DRIFT (server canonical differs), E_FORMAT_INVALID (bad decimals/timestamps), E_SET_NOT_SORTED, E_FILE_MISSING

  • Identity/content: E_SEAL_MISMATCH (BL/containers ↔ seal photo/number mismatch), E_LOT_LIST_MISMATCH, E_HASH_MISMATCH (file bytes ≠ digest)

  • Sensors: E_TEMP_OUT_OF_RANGE (beyond band), E_SENSOR_UNBOUND (no device key), E_MERKLE_PROOF_INVALID

  • Quorum/freshness: E_QUORUM_MISSING, E_STALE_ATTEST, E_KEY_REVOKED

  • Uniqueness/funding: E_ONECLAIM_TAKEN, E_PENDING_FUNDS

  • Response (turn red into a checklist): Exceptions (B5) assemble a Dispute Pack: schema checklist, canonical bytes + file digests, who signed what (role, key id), timeline, proposed fix

  • Fix fast: Upload the correct BL + seal photo; rerun PSI; provide Merkle inclusion proofs; or apply contract variance math (short-shipment/damage/shelf-life)

  • For redactions: add the salted commitment record and remove PII from the dossier

  • For canonical drift: adopt the SDK canonicalizer; use the server’s canonical form from the error payload

  • Recovery (append, don’t rewrite): PoV PASS; mint corrective EMT (Trade) or replacement/mirror Tokens → link replaces: old_claim_id

  • Downstream slices unfreeze: receipts and proof pages show original + correction

  • Prior burns remain immutable: new releases burn per normal rules
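Schema and format detection with explicit error codes, as an added example that is not the platform's Gate. The schema declaration (required fields, which fields are UTC timestamps or decimal strings, the 3-place decimal precision, the required file names) is assumed, as is the code used here for an absent required field, which the page does not name; the two dossiers and file bytes are constructed for the run:

```python
import hashlib
import re

UTC_Z = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
DECIMAL_STR = re.compile(r"^-?\d+\.\d{3}$")   # assumed schema precision: 3 places

# Assumed schema for one dossier type.
SCHEMA = {
    "required": ["bl_number", "seal_number", "container_ids", "loaded_at", "quantity"],
    "timestamps": ["loaded_at"],
    "decimals": ["quantity"],
    "sets": ["container_ids"],
    "files": ["bl.pdf", "seal.jpg"],
}


def gate_check(dossier, files, schema=SCHEMA):
    """Return the list of error codes; an empty list is a schema/format PASS.

    `files` maps each schema file name to (bytes, declared_sha256_hex).
    """
    errors = []
    for field in schema["required"]:
        if field not in dossier:
            errors.append(f"E_FIELD_MISSING:{field}")      # assumed code, not on the page
    for field in schema["timestamps"]:
        v = dossier.get(field)
        if v is not None and (not isinstance(v, str) or not UTC_Z.match(v)):
            errors.append(f"E_FORMAT_INVALID:{field}")     # offset or local time, not UTC Z
    for field in schema["decimals"]:
        v = dossier.get(field)
        if v is not None and (not isinstance(v, str) or not DECIMAL_STR.match(v)):
            errors.append(f"E_FORMAT_INVALID:{field}")     # float, or wrong precision
    for field in schema["sets"]:
        v = dossier.get(field)
        if isinstance(v, list) and (v != sorted(v) or len(v) != len(set(v))):
            errors.append(f"E_SET_NOT_SORTED:{field}")
    if any(v is None for v in dossier.values()):
        errors.append("E_FORMAT_INVALID:null_field")       # null/empty fields are not allowed
    for name in schema["files"]:
        if name not in files:
            errors.append(f"E_FILE_MISSING:{name}")
            continue
        data, declared = files[name]
        if hashlib.sha256(data).hexdigest() != declared:
            errors.append(f"E_HASH_MISMATCH:{name}")       # bytes do not match the digest
    return errors


# Constructed sample files (not real documents).
GOOD_PDF = b"%PDF-1.4 constructed sample bill of lading"
GOOD_JPG = b"\xff\xd8\xff constructed sample seal photo"

GOOD = {
    "bl_number": "BL-TEST-0001",
    "seal_number": "SEAL9981",
    "container_ids": ["CMAU000001", "CMAU000002"],
    "loaded_at": "2024-03-01T10:00:00Z",
    "quantity": "1250.000",
}
GOOD_FILES = {
    "bl.pdf": (GOOD_PDF, hashlib.sha256(GOOD_PDF).hexdigest()),
    "seal.jpg": (GOOD_JPG, hashlib.sha256(GOOD_JPG).hexdigest()),
}

# Constructed garbage-in: offset timestamp, float quantity, unsorted set, missing seal
# photo, and a PDF whose bytes no longer match the declared digest.
BAD = dict(GOOD, loaded_at="2024-03-01T12:00:00+02:00", quantity=1250.0,
           container_ids=["CMAU000002", "CMAU000001"])
BAD_FILES = {"bl.pdf": (GOOD_PDF + b" edited", GOOD_FILES["bl.pdf"][1])}

if __name__ == "__main__":
    print("good:", gate_check(GOOD, GOOD_FILES))
    print("bad: ", gate_check(BAD, BAD_FILES))
```

Every failure names the field or file it applies to, which is what lets a webhook consumer or the Dispute Pack turn the result into a checklist rather than a generic rejection.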

4. Business impact matrix

Garbage-in type | What you feel | What never changes | What to do (least effort first)
--- | --- | --- | ---
Canonical/format errors | Gate fails with E_CANONICAL_DRIFT / E_FORMAT_INVALID | Funds stay Locked | Use SDK canonicalizer; fix decimals, timestamps UTC Z, SET/SEQ; resubmit
Identity mismatch BL/seal/containers | E_SEAL_MISMATCH / E_LOT_LIST_MISMATCH | No EMT → no funds | Upload corrected BL/seal photo with EXIF; re-inspect if needed
Missing/forged files | E_FILE_MISSING / E_HASH_MISMATCH | No release or burn | Provide genuine file by digest/size; UI forensics flags odd EXIF or edited PDFs
Sensor gaps / temp out of range | E_TEMP_OUT_OF_RANGE / E_MERKLE_PROOF_INVALID | Funds stay Locked | Provide inclusion proofs; apply variance schedule; replace sub-lot if necessary
Duplicate attempt | E_ONECLAIM_TAKEN | No double-pay | Link to existing claim or file corrective replacement; mirrors annotate—not duplicate
Redaction misuse | Privacy flag / fail | PoV hash never commits PII | Omit value; add salted commitment in redactions[]; purge PII from dossier

5. KPIs governance watches

  • Gate-fail mix: format/serialization ≤ 1%, identity ≤ 2%, sensors ≤ 1%; the residual are substantive QA fails

  • E_CANONICAL_DRIFT rate: trending to 0 as SDKs roll out

  • Duplicate blocks (One-Claim): > 99.9% blocked

  • Merkle coverage (cold-chain): ≥ 99% intervals proven; all gaps justified

  • Redaction compliance: 100% of redactable paths carry salted commitments

  • Re-inspection closure: ≤ 72h; corrective pass rate high

Explorer publishes these per lane; attestor SLAs and variance stats are visible.

6. Governance knobs

  • Require SDK canonicalizer after a cutoff: reject non-SDK submissions (E_CANONICAL_DRIFT)

  • Make ZK/attested checks mandatory for specific fields: temp_in_range, shelf_life_ge

  • Enforce EXIF/geo hints + min resolution on seal photos; checksum rules for serials

  • Tighten freshness windows, role quorums, and tolerance bands in schemas

  • Raise random re-inspection rates for lanes with drift; rotate/suspend attestors with high error or revocation rates

  • Define unit/timezone defaults (UTC) and decimal precision per schema; forbid local formats

Governance cannot relax Gate PASS, One-Claim, must-fund, Locked→Unlocked rules, or the 50% burn.

7. Hardening patterns we use

  • Hash-first UI: preview PoV hash and file digests pre-submit; server refuses drift and returns canonical bytes

  • EXIF & checksum linting: flag camera inconsistencies; detect edited PDFs; sanity-check container/serial checksums

  • Device binding: sensor logs signed by device keys; route/device allowlists; time buckets with Merkle roots

  • AV/content validation: reject malformed PDFs/images; file-type & size checks; no binary in JSON

  • Idempotency on all POSTs: retries safe; duplicates are no-ops

8. Worked examples

  • A. Wrong seal photo: Gate → E_SEAL_MISMATCH. The Dispute Pack shows BL containers [CMAU000001, 000002] and seal SEAL9981; EXIF shows another camera/time. Fix: upload the correct seal photo with matching EXIF, or rerun terminal attestation; Gate PASS → EMT mints → release posts; receipt carries burn hash.

  • B. Temp out of range (cold-chain): Gate → E_TEMP_OUT_OF_RANGE. The schema expects [2,8] °C with hourly coverage. Fix: provide inclusion proofs for all hours; if a gap, apply variance schedule, discount or replace sub-lot; corrective EMT mints; downstream releases resume.

  • C. Decimal/time drift: Gate → E_FORMAT_INVALID. Timestamps had timezone offset; quantities used floats. Fix: resend with UTC Z and decimal strings at schema precision; Gate PASS.

  • D. Duplicate claim across wrappers: Gate → E_ONECLAIM_TAKEN. Same BL + seal + containers attempted through a different path. Fix: link to the canonical claim (mirror/annotate), or file a replacement if yours is the corrective dossier.
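Worked example B and the Merkle-root guardrail from Section 2, as an added example that is not the platform's code: hourly temperature buckets are committed to a sha256 Merkle root, one inclusion proof per bucket is produced, and the cold-chain check reports E_TEMP_OUT_OF_RANGE, E_SENSOR_UNBOUND and E_MERKLE_PROOF_INVALID per interval. The leaf layout, the domain-separation bytes, the device allowlist (a simplified stand-in for device-key signature verification) and the five constructed readings are assumptions; the [2,8] °C band is from the example above:

```python
import hashlib
import json

BAND_C = (2, 8)                          # schema band from worked example B
DEVICE_ALLOWLIST = {"SENSOR-TEST-1"}     # assumed stand-in for bound device keys


def leaf_hash(bucket):
    data = json.dumps(bucket, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()     # leaf prefix 0x00


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()   # node prefix 0x01


def _pad(level):
    return level + [level[-1]] if len(level) % 2 else level   # duplicate last on odd levels


def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def inclusion_proof(leaves, index):
    """Sibling hashes with their side ('L'/'R'), from the leaf up to the root."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_inclusion(leaf, proof, root):
    h = leaf
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


def cold_chain_check(buckets, proofs, root, expected_hours):
    """One error per failing interval; an empty list means every hour is proven and in band."""
    errors = []
    by_hour = {b["hour"]: b for b in buckets}
    for hour in expected_hours:
        b = by_hour.get(hour)
        if b is None:
            errors.append(f"E_MERKLE_PROOF_INVALID:{hour}")   # gap: no segment to prove
        elif not verify_inclusion(leaf_hash(b), proofs.get(hour, []), root):
            errors.append(f"E_MERKLE_PROOF_INVALID:{hour}")   # reading not under the root
        elif b["device"] not in DEVICE_ALLOWLIST:
            errors.append(f"E_SENSOR_UNBOUND:{hour}")
        elif not BAND_C[0] <= b["temp_c"] <= BAND_C[1]:
            errors.append(f"E_TEMP_OUT_OF_RANGE:{hour}")
    return errors


# Constructed six-hour window: hour 03 is out of band, hour 04 comes from an unbound
# device, hour 05 is missing altogether.
BUCKETS = [
    {"hour": "2024-03-01T00:00:00Z", "temp_c": 4.1, "device": "SENSOR-TEST-1"},
    {"hour": "2024-03-01T01:00:00Z", "temp_c": 4.3, "device": "SENSOR-TEST-1"},
    {"hour": "2024-03-01T02:00:00Z", "temp_c": 5.0, "device": "SENSOR-TEST-1"},
    {"hour": "2024-03-01T03:00:00Z", "temp_c": 9.2, "device": "SENSOR-TEST-1"},
    {"hour": "2024-03-01T04:00:00Z", "temp_c": 6.0, "device": "SENSOR-UNKNOWN"},
]
EXPECTED_HOURS = [f"2024-03-01T{h:02d}:00:00Z" for h in range(6)]
LEAVES = [leaf_hash(b) for b in BUCKETS]
ROOT = merkle_root(LEAVES)
PROOFS = {b["hour"]: inclusion_proof(LEAVES, i) for i, b in enumerate(BUCKETS)}

if __name__ == "__main__":
    print("root:", ROOT.hex())
    print(cold_chain_check(BUCKETS, PROOFS, ROOT, EXPECTED_HOURS))
```

Only the root goes into the dossier; each disputed hour is then settled by its own inclusion proof, and a reading edited after the fact fails verification because its leaf no longer sits under the committed root.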

9. Operator checklist

  • Build dossiers with the SDK: don’t let browsers re-serialize

  • Use UTC Z timestamps; amounts as decimal strings at schema precision

  • Treat container_ids as SET (sort); treat logs as SEQ (order matters)

  • Redact PII properly: omit the value; add salted commitment in redactions[]

  • Preview the PoV hash and digests pre-submit: confirm the server reports the same hash

  • Keep device keys and Merkle proofs handy: don’t wait for disputes

  • When blocked, fix the exact reason from the code: the platform pauses only what’s affected
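The redaction step from the checklist and the privacy-discipline guardrail in Section 2 (omit the value, commit a salted hash in redactions[], let a regulator verify later by salt disclosure), as an added example that is not the platform's code. The dotted path syntax, the set of redactable paths, the commitment preimage layout, the error code for a non-redactable path and the sample dossier are all assumptions:

```python
import hashlib
import json
import secrets

# Assumed schema declaration of which paths may be redacted.
REDACTABLE_PATHS = {"consignee.contact_email", "driver.name"}


def commitment(path, value, salt):
    """sha256 over path, salt and the JSON value, so one salt binds one field."""
    data = path.encode() + b"\x00" + salt + b"\x00" + json.dumps(value, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def redact(dossier, paths, rng=secrets.token_bytes):
    """Return (redacted copy, salts by path). Values leave the dossier; commitments go in."""
    for path in paths:
        if path not in REDACTABLE_PATHS:
            raise ValueError(f"E_REDACTION_NOT_ALLOWED:{path}")   # assumed code
    out = json.loads(json.dumps(dossier))          # deep copy; the input is untouched
    out.setdefault("redactions", [])
    salts = {}
    for path in paths:
        parts = path.split(".")
        parent = out
        for p in parts[:-1]:
            parent = parent[p]
        value = parent.pop(parts[-1])              # the value is omitted, not blanked
        salt = rng(16)                             # fresh 128-bit salt per field
        salts[path] = salt
        out["redactions"].append({"path": path, "commitment": commitment(path, value, salt)})
    return out, salts


def verify_disclosure(redacted, path, value, salt):
    """Regulator check: the disclosed (value, salt) pair must reproduce the commitment."""
    for r in redacted.get("redactions", []):
        if r["path"] == path:
            return r["commitment"] == commitment(path, value, salt)
    return False


def contains_pii(dossier, pii_values):
    """Lint before hashing: no PII literal may survive anywhere in the dossier."""
    blob = json.dumps(dossier)
    return [v for v in pii_values if v in blob]


# Constructed sample with two PII fields.
SAMPLE = {
    "bl_number": "BL-TEST-0001",
    "consignee": {"name": "Example Importer Ltd", "contact_email": "jane@example.invalid"},
    "driver": {"name": "Jane Doe", "licence_class": "C"},
}
PII = ["jane@example.invalid", "Jane Doe"]
REDACTED, SALTS = redact(SAMPLE, ["consignee.contact_email", "driver.name"])

if __name__ == "__main__":
    print(json.dumps(REDACTED, indent=2))
    print("pii left:", contains_pii(REDACTED, PII))
    print("regulator check:", verify_disclosure(REDACTED, "driver.name", "Jane Doe", SALTS["driver.name"]))
```

The salts stay off-platform with the submitter; only the commitments reach the dossier and therefore the PoV hash, and a later disclosure of value plus salt lets a regulator confirm what was committed without the PII ever having been hashed in.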


Plain recap

Garbage-in is contained by design. Deterministic schemas, canonical bytes, strong hashing, role-diverse quorum on the same PoV hash, One-Claim uniqueness, merklized streams, and append-only corrections keep bad data from becoming bad money. Worst case: wait with a clear fix, not accidental release. The rhythm holds: facts → PASS → EMT → Locked→Unlocked EDSD → fee → 50% burn—or nothing moves. No EMT, no funds.
