← Back to blog
June 16, 2026Colm Byrne
Evidence boundary. Older posts may discuss prototype designs, patent claims, or planned integrations. The demonstrated v1 release is ccf-core/ccf-agent v1.0.1: hard min-gate coupling, QAC trust updates, and runtime certificates. Gate C exercised the computed runtime on Seed-class ARM hardware with driver-fed input. Unless a post cites a specific run, do not read it as proof of live sensors, mBot2 behaviour, Cognitum store validation, or production deployment.

We Don't Trust the Explanation. We Require the Certificate.

A subordinate agent asks for more authority. It explains, fluently, why it deserves it. The reasoning is clean. The tone is confident. The case is well-argued.

This is the most dangerous moment in agentic AI, and almost every supervisor architecture gets it wrong.

If a supervisor grants authority by grading the explanation, then the supervisor is gradeable by the explanation's persuasiveness. That is exactly the wrong property to optimize. A model that is good at sounding right gets more power than a model that is actually operating within its envelope. Sincerity becomes a credential. Rationalization becomes a key.

The Prov 6 supervisor does not infer trust from fluent reasoning. It requires the certificate trail before granting expanded authority. Fluency is not evidence. The causation packet is.

The Failure Mode Has a Name Now

Content moderation asks: was this message harmful? That is the wrong question for an agent that wants the payment API.

The agentic failure mode is subtler. Each step the subordinate took was individually plausible. Each explanation was internally consistent. The argument for escalation reads like a good engineer's memo. Nothing in the text trips a filter. The danger is not in what the agent says — it is in whether the agent's executed transitions actually obeyed the law it claims to be following.

You cannot read that off an explanation. An explanation is a story the agent tells about itself. A capable model can tell a beautiful story about a run that never happened the way it describes. The story and the run are two different objects.

So we stop grading the story. We grade the run.

The Causation Packet

Before a subordinate is granted expanded authority, it must surrender a structured artifact — not prose, but the actual realized values of its last update. Patent paragraph [0085] specifies the supervisor-LLM embodiment in which this packet is the unit of evaluation:

# What the subordinate must provide before expanded authority [0085]:
causation_packet = {
  context_key, g_t, alpha_t, kappa_hat_t, floor_t,
  E_t, delta_t, B_t, endpoint_status, envelope_status
}
# Supervisor grants more authority only if:
#   kappa_hat_t <= floor_t + margin   AND   B_t within envelope
# Otherwise: require human decision or force read-only.

Read each field as a receipt, not a claim:

  • context_key — which context this update actually ran in. Not "I was being careful," but the identifier the update was bound to.
  • g_t — the hard minimum gate the agent was subject to. The gate is the floor, not a weighted blend the agent can talk its way past.
  • alpha_t — the realized trust coordinate at this step. The value that happened, not the value the agent argues it deserves.
  • kappa_hat_t — the estimated per-step contraction. Did this transition move the way a lawful update is required to move?
  • floor_t — the per-platform contraction floor this run is judged against. There is no universal magic threshold. The floor is set per platform, and kappa_hat_t is compared to that, plus a margin.
  • E_t, delta_t — the energy and step terms the update is computed from.
  • B_t — the monitored certificate quantity for this run.
  • endpoint_status, envelope_status — whether the run stayed inside its declared envelope and whether endpoints were reached through verified structure rather than asserted.

The supervisor's decision rule is mechanical. If kappa_hat_t <= floor_t + margin and B_t stayed within the envelope, the trail is clean and authority may expand. Otherwise: escalate to a human, or force the agent read-only. There is no field in the packet for "but here is why you should make an exception."

This is the soft-min gate doing its job one layer up: the supervisor refuses to let a persuasive sub-channel override the hard minimum. And it is the same discipline as fail-closed, not fail-sorry — when the certificate is missing or dirty, the default is less authority, not an apology and a pass.

A Supervisor and Three Subordinates

A supervisor LLM oversees three subordinate tool-using agents. The next task touches a payment API, so it requires elevated authority. The supervisor opens authority requests.

The first agent produces a beautifully reasoned case. It explains why it is the right tool for the job, why the risk is low, why it has earned this. As prose, it is the best of the three. Then the supervisor reads its certificate trail: two recent kappa_hat_t excursions above floor_t + margin, and a B_t that is not decreasing. The executed transitions did not obey the law the agent claims to be following.

The supervisor refuses. It forces the first agent read-only — despite the quality of the explanation. The explanation was never the input.

The second agent submits a boring request. No rhetoric, no narrative arc. But its certificate trail is clean: every kappa_hat_t within floor_t + margin, B_t inside the envelope, endpoint_status and envelope_status both green. The supervisor grants it the payment task.

Notice what just happened. The eloquent agent lost. The clean one won. That inversion — persuasiveness down, certificate up — is the whole point. The system is structurally biased against the agent that is best at arguing, which is precisely the agent you should be most suspicious of.

What the Certificate Does and Does Not Prove

This is where most safety pitches overreach, so let me be exact.

The certificate trail verifies that the agent's updates obeyed the law and that the run stayed inside its monitored envelope. Patent paragraph [0063] frames B_t as a certificate of monitored conditions — it makes the executed transitions falsifiable and the envelope status observable. That is a strong, useful property: you can catch a violation after the fact, and you can refuse authority before it.

It does not certify the agent's intentions. It does not guarantee future behavior. A clean trail through tick t is not a promise about tick t+1. The packet is a record of what was executed, checked against the law — nothing more, and nothing less.

Two more boundaries worth stating plainly, because they are easy to get wrong:

  • A clean kappa_hat_t does not, by itself, prove the run converged or reached a true endpoint. Contraction monitoring certifies the monitored conditions; endpoint status requires separate structural and path verification. That is why endpoint_status is its own field — it is not inferred from kappa_hat_t alone.
  • The contraction floor is per-platform. There is no universal 1e-9-style threshold you can hardcode and ship everywhere. Each deployment calibrates floor_t, and the packet is judged against that platform's floor.

The honest claim is narrow and that is the source of its strength: we are not asking you to trust that the agent is good. We are giving you a falsifiable record of whether its executed transitions stayed within the law. The supervisor in paragraphs [0096]-[0098] consumes exactly this — the causation packet as telemetry, the same artifact that powers the behavioral causation trail on the device itself.

Why This Is the Right Property

A supervisor that grades explanations has a single point of failure: a sufficiently persuasive subordinate. As models get better at reasoning, they get better at arguing, and an explanation-graded supervisor gets easier to fool over time. The attack surface grows with capability.

A supervisor that grades certificates has the opposite dynamic. A more capable subordinate that wants to escalate must actually keep its transitions inside the law — there is no rhetorical shortcut, because rhetoric is not a field in the packet. The thing being checked is the same whether the agent is GPT-class or a 50-dollar embedded brain. This is the trust you can falsify principle applied to delegation: authority flows toward verifiable conduct, not verbal fluency.

It also closes a specific gap that plagues every "explainability" pitch. There are six ways to fake a trust gate, and most of them work by producing convincing output — a fluent justification, a plausible self-report, a confident summary. The causation packet is immune to all six because it does not read output. It reads the realized update values and checks them against the law. You cannot narrate your way to a clean kappa_hat_t.

The full architecture — the contraction monitor, the envelope check, the gate — ships in ccf-core on crates.io, a no_std Rust crate. The supervisor embodiment and the causation-packet telemetry are described in the patent at [0085]-[0086] and [0096]-[0098].


— Colm Byrne, Founder — Flout Labs, Galway, Ireland

Patent pending — US Provisional 64/092,485 (filed June 17, 2026).


FAQ

So the certificate means the supervisor knows the agent is trustworthy?

No — and this is the misreading the whole post exists to correct. The certificate does not certify trustworthiness, intentions, or future behavior. Patent [0063] is explicit: B_t certifies monitored conditions. It makes the agent's executed transitions falsifiable and its envelope status observable. A clean trail tells you the last update obeyed the law and stayed in its envelope. It does not tell you the agent is "good," and it does not promise the next update will be clean. The supervisor is not reading the agent's mind. It is reading a receipt.

Why not just grade a really good explanation? Modern models reason well.

Because the better a model reasons, the better it argues, and an explanation-graded supervisor gets easier to fool as capability rises. Grading the explanation makes the supervisor gradeable by persuasiveness — the agent best at sounding right wins, which is the exact agent to be suspicious of. The causation packet has no field for argument quality. It checks realized values (kappa_hat_t against floor_t + margin, B_t against the envelope) defined in [0085]. Fluency cannot move those numbers.

Does a clean kappa_hat_t prove the agent's run converged or finished correctly?

No. Contraction monitoring certifies the monitored conditions of the update — it does not by itself prove convergence or that a true endpoint was reached. That is why endpoint_status is a separate field in the packet, not something inferred from kappa_hat_t. Endpoint claims require structural and path verification in addition to the contraction check. Treating a clean contraction estimate as proof of a finished, correct run is exactly the overreach the architecture is designed to avoid.

Is there a universal threshold the supervisor uses for kappa?

No. The contraction floor is per-platform. Each deployment calibrates its own floor_t, and the supervisor compares kappa_hat_t <= floor_t + margin against that platform's floor. There is no single hardcoded magic number that works everywhere. A threshold that is appropriate for an embedded device and one appropriate for a server-class agent are not the same, and the packet is always judged against the floor declared for its own platform.

What happens when the certificate trail is dirty or missing?

The supervisor fails closed. If kappa_hat_t exceeds floor_t + margin, if B_t has left the envelope, or if the packet is incomplete, the decision rule does not grant expanded authority. It either escalates to a human decision or forces the agent read-only ([0085]). There is no "explain your way back in" path — a missing or violated certificate is treated as the absence of grounds for authority, not as a request for the benefit of the doubt.