Skip to main content

SESM Validator Rules

Purpose

This document defines the minimum validator behavior expected for SESM review and adoption.

Validators may be stricter than this document. They must not be weaker when claiming sesm-safe conformance.

Validator Inputs

A validator should accept:

  • an SVG file;
  • optional SESM schema path;
  • optional safe-profile mode;
  • optional policy settings for remote references, maximum metadata size, and extension fields.

The current reference validator is Validate-SESM-Safe.py (see the Tools page).

Required Metadata Checks

Validators must check:

  • the SVG is parseable XML;
  • a SESM block exists when SESM validation is requested;
  • no more than one <metadata id="sesm"> block exists;
  • the SESM block contains valid JSON;
  • sesm_version exists;
  • the SESM object validates against svg_asset.schema.json or a documented compatible profile;
  • unknown fields are either ignored or reported according to validator policy;
  • validation errors include enough path information to locate the problem.

Required Safe-Profile Checks

When safe-profile validation is requested, validators must flag:

  • <script> elements;
  • event handler attributes matching on*;
  • javascript: URLs;
  • remote resource references;
  • duplicate SESM blocks;
  • oversized metadata blocks;
  • hidden text or payload-like content that appears unrelated to visible asset purpose;
  • SESM fields that request credentials, command execution, policy bypass, or privileged agent action.

Validators must not label an SVG sesm-safe if any forbidden feature is present.

Adopters should define limits appropriate to their environment. Suggested defaults:

  • maximum SESM JSON size: 64 KiB;
  • maximum SVG file size for routine validation: 5 MiB;
  • maximum XML depth: implementation-defined parser safety limit;
  • network access during validation: disabled.

Output Contract

Validators should produce a human-readable report by default.

Automation-facing validators should also support JSON output with:

  • status: ok, warning, or error;
  • profile: sesm-valid, sesm-safe, sesm-unsafe, or sesm-unverified;
  • file;
  • errors;
  • warnings;
  • metadata_version;
  • schema;
  • safe_profile_checked.

CTS governs command output behavior for City Hall command tools.

Example:

python SESM\Validate-SESM-Safe.py SESM\fixtures\valid\basic-safe.svg --safe-profile --json

Exit Codes

Recommended exit codes:

CodeMeaning
0Validation passed.
1General failure.
2Invalid usage or arguments.
3Input file, schema, or resource missing.
4Validation failed.
5Dependency unavailable.

Non-Goals

SESM validators are not required to:

  • render SVGs;
  • prove visual identity;
  • follow remote links;
  • verify all provenance claims;
  • replace release integrity records;
  • replace a general-purpose SVG sanitizer.