What does the SSTV Decoder Agent do?

Given a presented SSTV (slow-scan-television) audio recording — a base64-encoded WAV file or raw PCM samples — the agent identifies the SSTV mode from the VIS header, demodulates the audio into the encoded image, and returns a self-authenticating receipt bundle. The bundle contains the Knox anchor record (Bitcoin-rolled via OpenTimestamps), a C2PA-aligned envelope (subset of C2PA 1.4 for an image-creation event), and an FRE 902(13)/(14)-shape affidavit. The audio bytes themselves are not retained — only the SHA-256 fingerprint and the decoded image are anchored. The receipt is independently verifiable without contacting Bonis Systems.

What is SSTV and where does it come from?

SSTV is an analog amateur-radio mode that transmits still images as audio frequencies. A picture is encoded line-by-line as a frequency-modulated tone in the 1500-2300 Hz band, framed by a VIS (Vertical Interval Signaling) header that names the mode. SSTV is in active use across the amateur HF bands and is a regular mode for ARISS SSTV events from the International Space Station. WebSDR receivers across the world stream live SSTV traffic; ham operators and educators record and share captures.

Which SSTV modes are supported?

Phase 1 supports Martin M1 (VIS code 0x2C / 44 dec, 320×256 RGB). Other VIS codes — Robot 36 (0x08), Robot 72 (0x0C), Martin M2-M4 (0x28/0x24/0x20), Scottie S1/S2/DX (0x3C/0x38/0x4C), the PD family (PD50/90/120/160/180/240/290 = 0x5D/0x63/0x5F/0x62/0x60/0x61/0x5E), Wraase SC2-180 (0x37) — are detected, named where canonical, and returned as 'unsupported_mode' with their hex VIS code. The agent never falsely claims a decode it could not actually perform. Phase 2 will add Scottie S1 and Robot 36, the next two most-common public-band modes.

Where does the audio come from?

The audio must be presented by the caller. The agent never opens a microphone, never accesses any operator audio device, and never accepts authorization to capture audio on its own. The intended audio sources are (a) public WebSDR recordings any internet user can listen to, (b) customer-controlled SDR or radio captures the customer chooses to submit, or (c) audio the caller owns. The capture-context object accepts an optional source URL, capture timestamp, operator claim, and callsign claim; the source URL is hashed (SHA-256) before anchoring so the URL itself is never written to the chain.

Does the agent verify the callsign or the operator?

No. A callsign claim, when provided, is recorded as a claim only. The agent does not verify the binding between a callsign and the operator who actually transmitted; it does not query an FCC ULS or any equivalent national licensing database; it does not vouch for the truth of operator identity. The receipt records what was presented, exactly. Whether and how that record is admitted in any matter is the determination of the presiding authority.

Is the audio retained?

No. Only the SHA-256 fingerprint of the audio bytes is anchored. The audio buffer is processed in-memory during the decode and is not written to durable storage. The agent does not log, persist, or transmit the underlying audio content beyond what is required to compute the decode in the request itself.

What happens if the audio is not SSTV?

The agent looks for a sustained 1900 Hz VIS leader (≥100ms continuous tone). If no such leader is found, the result is reason = 'no_vis_header' — the audio was not recognized as SSTV. If a leader is found but the VIS bits do not satisfy the parity check, the same 'no_vis_header' verdict is returned: parity failure indicates the apparent leader was probably noise that flukily matched the template. If a leader and parity both pass but the resulting VIS code is not in the supported set, the result is 'unsupported_mode' with the detected hex code so the caller knows what was on-air. Every attempt — successful or not — is anchored, so the on-chain history reflects what was presented to the agent.

What does the agent NOT do?

It does not capture audio. It does not retain audio bytes after decode. It does not transmit any signal. It does not adjudicate authorship of the underlying transmission. It does not verify callsign-to-operator binding. It does not assert ownership in the decoded image. It does not access any third-party radio service, database, or registry without authorization. It does not undertake any disruption, sabotage, or counter-action against any party. The agent's surface is limited to: read presented audio, demodulate, anchor, return.

Is the agent defensive only?

Yes. The agent reads what the caller presents (the audio bytes; the SHA-256 fingerprint plus decoded image are anchored, and the audio bytes themselves are not retained) and produces an anchored receipt. It does not transmit, does not access third-party systems, does not generate or modify content beyond the decoded image, and does not undertake any active operation outside its own anchoring chain. The Knox primitive itself is a record-only layer — no actuation, no enforcement, no offensive function. The defensive-only doctrine binds this agent the same way it binds the rest of Bonis AAM.

Knox · SSTV decoder

Anchored image extraction from a slow-scan-television signal.

Q: What is in the C2PA-aligned envelope?

The envelope is a subset of the C2PA 1.4 specification — the parts that map cleanly onto a single image-creation event from a captured signal. It contains a claim block (title, instance ID bound to the Knox anchor, claim_generator metadata, format = image/png), a list of assertions (c2pa.created with digital_source_type 'digitalCapture'; c2pa.capture with the SSTV capture method, VIS code, decoded dimensions, and any provided capture context; c2pa.hash.data with the decoded image SHA-256; bonis.audio_source with the audio fingerprint), and a Knox binding (anchor ID, payload hash, sequence number, timestamp, verify URL). Full C2PA support — manifest store, ingredient hashes, signing-cert chain — is deferred to a follow-up build; this is honestly labeled 'subset' and is C2PA-compatible at the level a verifier can compare claim hashes to the Knox anchor.

POST a presented SSTV audio recording. Get back the decoded image, the audio fingerprint, a Knox anchor, a C2PA-aligned envelope, and an FRE 902(13)/(14)-shape affidavit. The agent does not capture audio on its own — the audio must be presented by the caller (a public WebSDR recording, a customer-controlled SDR capture, or audio the caller owns). Audio bytes are not retained; only the SHA-256 fingerprint and the decoded image are anchored. Phase 1 supports Martin M1.

SHA-256 fingerprintKnox event chainBitcoin / OpenTimestampsC2PA-aligned envelopeFRE 902(13)/(14) architectural fitMCP-callableAudio not retainedPhase 1: Martin M1

TL;DR

Closed-loop attribution for radio-band image transmissions.

Presented audio only. Bonis never opens a microphone, never accesses operator audio devices, never captures audio on its own. The audio must be presented by the caller.
Audio bytes are not retained. Only the SHA-256 fingerprint and the decoded image hash are anchored. The audio buffer is processed in-memory during the decode and never written to durable storage.
Defensive only. The agent does not transmit, does not adjudicate authorship of the underlying transmission, does not vouch for any callsign claim, and does not access any third-party radio service or registry.
Phase 1 = Martin M1. VIS code 0x2C, 320×256 RGB. Other VIS codes are detected, named where canonical (Robot 36, Robot 72, Scottie S1/S2/DX, the PD family, Wraase), and returned as unsupported_mode with the detected hex.
Honest decode-fail handling. Non-SSTV audio returns no_vis_header. A leader that fails parity is also rejected as noise. Every attempt — successful or not — is anchored, so on-chain history reflects what was presented to the agent.
C2PA-aligned, not C2PA-replacing. Output envelope is a subset of the C2PA 1.4 spec — compatible at the level a verifier can compare claim hashes to the Knox anchor. Adds Bitcoin-block-header durability on top of any C2PA signer.

Endpoints

Two ways to call. Same primitive.

HTTP REST: POST https://bonissystems.com/api/knox/agents/sstv-decoder. Body is JSON with name, audioBase64, optional audioFormat (wav default or pcm16-mono), sampleRate (required for pcm16-mono), and an optional capture object (source URL, captured-at, operator claim, callsign claim).

MCP server: POST https://bonissystems.com/api/knox/agents/sstv-decoder/mcp. JSON-RPC 2.0 over Streamable HTTP per MCP specification 2025-03-26. Tools: decode_sstv, verify_sstv_decode. Standard methods: initialize, ping, tools/list, tools/call.

Verification: GET https://bonissystems.com/api/knox/verify?hash=<payload_hash>. Public. No authentication. Returns the anchor record, predecessor hash, and the OpenTimestamps proof reference.

Authentication: an auto-seeded public-demo Knox API key is provisioned on first call. No customer account required at the demo tier. Bearer Knox keys are honored on the Authorization header for tier upgrades. Audio payload size limit: ~25 MB base64 (~18 MB raw). Audio duration limit: 180 seconds (Martin M1 full image ≈ 114 seconds).

What the bundle contains

Knox anchor + C2PA envelope + affidavit. All three from one call.

Knox anchor record

id, hash (SHA-256 payload commitment binding the audio fingerprint, decoded image hash, mode, VIS code, dimensions, and capture-context hashes), previousHash, sequence number, timestamp (UTC), and a verifyUrl at /api/knox/verify?hash=…. The payload hash is rolled into Knox's hourly Merkle aggregation and submitted to the Bitcoin blockchain via OpenTimestamps. Independently verifiable.

Decode result

On success: detected mode (e.g., Martin M1), VIS code + hex, image dimensions (320×256 for Martin M1), the decoded image as a base64 PNG plus its SHA-256, the audio fingerprint SHA-256, and the decode time in milliseconds. On failure: a structured reason (no_vis_header, unsupported_mode, audio_too_long, audio_too_short, audio_format_unsupported, invalid_input) with a human-readable detail.

C2PA-aligned envelope (subset of C2PA 1.4)

A claim block (title, instance ID bound to the Knox anchor, claim_generator metadata, format = image/png), assertions (c2pa.created with digital_source_type=digitalCapture; c2pa.capture with capture method, VIS code, decoded dimensions, and any provided capture context; c2pa.hash.data with the decoded image SHA-256; bonis.audio_source with the audio fingerprint), and a Knox binding. Full C2PA — manifest store, ingredient hashes, signing-cert chain — is deferred to a follow-up build.

FRE 902(13)/(14)-shape affidavit

Plain-English affidavit declaring the recording name, audio fingerprint, detected VIS, decoded mode, image dimensions and hash, anchor identifiers, predecessor hash, sequence, and verify URL. Includes the explicit disclaimer that Bonis Systems does not capture the underlying radio signal, does not retain audio bytes, does not adjudicate authorship, and does not vouch for any callsign claim. Architected to satisfy FRE 902(13) / 902(14) self-authentication — admissibility in any given matter remains a determination of the presiding court.

Posture

Anchor what was presented. Don't adjudicate, don't enforce, don't spy.

The agent reads audio that the caller presents and produces an anchored receipt. It does not capture audio, does not retain audio bytes, does not transmit any signal, does not access any third-party radio service or registry without authorization, and does not assign rights in the decoded image. Whether the audio represents a lawful transmission, whether the claimed callsign matches the operator, whether the decoded image represents a true creator's work — these are determinations reserved to lawful authority. Bonis Systems is the evidence layer underneath them, not in place of them.

Closed-loop attribution

The SSTV Decoder is the detection-side mirror of the Bonis Content Provenance Agent. A creator anchors their work at creation time (content-provenance); when that work appears in a radio-band transmission, the SSTV Decoder anchors the detection event and the decoded image hash. If the decoded image hash matches a prior content- provenance anchor, that match is independently verifiable: same SHA-256, two anchored timestamps, one creator-side and one detection- side. No central registry. No trusted intermediary. Both anchors live on the Bitcoin blockchain via OpenTimestamps and survive any individual operator going offline.

Defensive only

The Knox primitive itself is a record-only layer — no actuation, no enforcement, no offensive function. The defensive-only doctrine binds this agent the same way it binds the rest of Bonis AAM. The agent does not undertake any disruption, sabotage, or counter-action against any party. Its surface is limited to: read presented audio, demodulate, anchor, return.