Specification · Section 5 of 13
Tables, variables, and referenced artifacts
Specifies how contracts reference external variables and lookup tables as hash-addressed, versioned artifacts that carry their own governed update rules and trust anchors.
This generalizes something already in the design: the fixings block WAS this pattern’s special case. An SCB index series is just an externally published lookup table with a trusted publisher. Promote the mechanism:
5.1 The artifact model
- Variable: a named, typed value (
hourly rate,index cap,payment-days). Lives inline or resolves from a table. - Lookup table: a keyed artifact - rate table (role -> rate), price list (article -> price), tier table (volume -> discount), calendar (working days -
cadenceanddue withinsilently depend on one!), attest table (attestordning), index series (SCB). One mechanism for all of them. - Reference, don’t inline: the contract binds
art:kb-it-rates-2027by content hash (git/IPFS-style addressing). Artifact versions are append-only, effective-dated, and resolve exactly like contract versions: every event evaluates against the artifact version in force at its effective date. Replay stays sacred. - Binding modes:
pin v2(updates reach THIS contract only via amendment) ortrack latest-approved(updates flow automatically IF they passed the artifact’s own update rules AND the referencing contract’s declared bounds).
5.2 Self-governing updates (the “self-referencing thing”)
The refinement that makes it sound: an artifact carries its own update contract. Its header declares who may propose, who approves, the cadence (at-most 1 per year, window January), and the bounds (within index-clause cap). Which means an artifact IS a minimal mechanical contract whose single port is update.publish - same signatures, same receipts, same cadence machinery, same replay. Self-referencing, but bounded: artifact headers do not reference further artifacts’ governance (one level of turtles; boring wins).
The payoff of governed updates: an update that violates cadence or bounds cannot become a version - it is rejected with a receipt like any other malformed event. “The supplier quietly raised the rate table in March” stops being a forensics finding (the drift thesis: an update-time rejection instead of an invoice-time one) and becomes a door that does not open.
5.3 Shared artifacts - the network effect in data form
One rate table referenced by MANY contracts is the Adda reality: a national ramavtal’s prisbilaga as ONE artifact, referenced by hundreds of kommuners’ call-off contracts. The center updates it once, under its declared governance; every referencing contract picks up the version per its own binding mode and bounds. The Adda-corpus moat becomes literal shared infrastructure - and whoever hosts the artifact registry sits at the middle of it.
5.4 Prior art (grounded against existing sources)
- Legal: incorporation by reference is ancient practice - standardavtal (AB 04), the ISDA Definitions booklets (versioned external artifacts entire markets reference), every prisbilaga ever attached. Contracts have always referenced external tables; none carry a hash, none govern their own updates at runtime.
- Swedish e-commerce: SFTI’s original- och ersättningsprislista + Peppol Catalogue - electronic price-list updates are already standardized here. The gap is exact: catalogues update the buyer’s ERP, not the agreement - nothing machine-checks an incoming price update against what the contract permits (cadence, window, bounds, approval). We close that loop.
- Finance: rate fixings publication (SCB series, the LIBOR->SOFR apparatus) - trusted-publisher tables with governance, the strongest cultural precedent for “a table whose updates follow declared rules”.
- Tech: content-addressed storage (git, IPFS) and reference-data/master-data management. Solved plumbing, consumed as-is.
The novel bit, once more, is the closing of the loop: the table is governed BY the contract that consumes it - update cadence, bounds, and approval as signed, executable terms.
5.5 Trust anchors: how a referenced artifact is believed
A signature on the data itself is better still - the two are not alternatives, they are a hierarchy, and only one of them survives replay:
- Data-level signature (the goal). The publisher signs the artifact ITSELF - an eIDAS qualified seal on the price list, the index series, the register (XAdES for XML, JAdES for JSON payloads). The signature travels with the data: it survives mirroring, caching, re-hosting, and decades of archival, and verification is offline and deterministic. This is the only trust model compatible with the replay covenant - a TLS session cannot be re-verified in 2035; a sealed document can.
- Transport-level + ingest attestation (the fallback, today’s reality). Where the publisher does not seal (SCB does not seal its series downloads), the platform fetches over HTTPS with certificate pinning and appends a signed ingest attestation event: fetched series X from URL Y at time T, TLS certificate Z, content hash H - trust shifts to the platform’s ingest process, explicitly and auditably. Weaker, named as weaker.
- Unsigned, unpinned = a declared risk. A contract MAY reference an unattested source, but the linter flags it and the reference carries
trust: nonevisibly. No silent trust.
Rule of the log: store artifacts + their signatures, never URLs alone. A URL is a place; an artifact is a hash. And the ecosystem push follows: the artifact registry should require publisher seals for public publications - “the publisher-signed price list” is to tables what Peppol was to invoices, and the sealing burden is one signature at publish time.
5.6 Artifact classes (public list vs contract bilaga - both, distinctly)
| Class | Example | Signed by | Governance |
|---|---|---|---|
| Public publication | SCB index series, F-skatt register, sanction lists | the publisher (seal) - or ingest-attested (5.5) | publisher’s own; contracts consume as fact-source (the fixings case) |
| Contract appendix (bilaga) | prisbilaga, SLA annex, rate table | the CONTRACT’s parties - part of the Ricardian bundle, hashed with the prose | the update contract of §5.2 (cadence, bounds, approval) |
| Shared framework artifact | Adda ramavtal price appendix | the framework holder (central purchasing body) | framework’s governance; hundreds of call-off contracts pin/track it (§5.3) |
| Party-maintained register | attestordning (buyer’s), approved-subcontractor list (supplier’s) | the maintaining party | declared in its header; counterparty gets a receipt on every change |
Same reference mechanics for all four (hash, versions, effective dates); what differs is who signs and whose rules govern updates. A contract’s artifacts: block states the class of each reference, so trust is readable off the manifest - just like capabilities are readable off the ports.