ccf-core/ccf-agent v1.0.1: hard min-gate coupling, QAC trust updates, and runtime certificates. Gate C exercised the computed runtime on Seed-class ARM hardware with driver-fed input. Unless a post cites a specific run, do not read it as proof of live sensors, mBot2 behaviour, Cognitum store validation, or production deployment.Getting Closer Isn't Going the Right Way: Why Distance Contraction Is Not Enough for Trust Updates
Here is a claim you will hear in almost every "our system is converging" story, dressed up in slightly different clothes each time:
The distance between where the system is and where it should be went down. Therefore the update was good.
It sounds airtight. The error shrank. We got closer. What else is there to check?
A lot, it turns out. There exist update maps that reduce the distance to the target while reversing the direction of travel. The scalar "we got closer" check passes -- green light, ship it -- and yet the step is not the trust update it claimed to be. It is a reflection that happens to land nearer the target, not a controlled move toward it. This is the quiet hole in every distance-only safety argument, and it is why CCF's trust certificate tests the direction and affine form of an update, not just the scalar distance after the step.
The shape of the problem
CCF represents a trust state as a positive matrix A, read up to a gauge: scaling a row or a column does not change what the state means. The meaningful object is the equivalence class [A], and the natural way to measure how far apart two classes are is a quotient distance d_Q([A], [R]) on that gauge-quotient space. The target is [R] -- the trust configuration the update is supposed to be moving toward.
If you have read why trust has to be falsifiable, you know a safety claim is only worth anything if there is a concrete way to fail it. "The distance went down" feels falsifiable -- it is one measurable number you can plot. The trouble is that it is the wrong number. What we actually care about is whether the update is a real step along the trust geometry: a log-geodesic move from [A_t] toward [R], scaled by a step size alpha_t. Distance contraction is a consequence of such a step, not an equivalent of it. Mistaking the consequence for the cause is exactly how a wrong-direction map sneaks through.
The insufficient check
In code, the tempting check looks like this:
# Insufficient: scalar distance after the step can shrink under a wrong-direction map
d_Q([A_{t+1}], [R]) < d_Q([A_t], [R]) # can hold even when direction is reversed
One number before, one number after, a < between them. If it holds, declare progress.
The reason this is not enough is geometric. The quotient distance is, near the target, essentially the norm of a centered-log residual -- the log of the trust state with its row and column means removed. A norm cannot see direction. Reflecting that residual ray through the origin, then shrinking it, gives you a smaller norm pointing the opposite way. The scalar d_Q reports the shrink and stays silent about the flip.
The sufficient check
What actually pins the update down is its affine form, expressed through the cross-ratio residuals -- the gauge-invariant coordinates that survive row/column rescaling. For a basis cross-ratio over indices i, j (with n the anchor index):
# Sufficient: the affine-form / direction test (cross-ratio residual form)
Gamma_ij(A) = log A_ij + log A_nn - log A_in - log A_nj
# QAC requires, for all basis cross-ratios:
Gamma_ij(A_{t+1}) = (1 - alpha_t) Gamma_ij(A_t) + alpha_t Gamma_ij(R_t)
Gamma_ij is the part of the trust state that the gauge cannot touch. The update law -- the Quotient Affine Combination, or QAC, which is the causal trust dynamic in CCF -- says that every cross-ratio coordinate must move as an exact affine blend of its current value and the target's, with the same alpha_t across all of them. A reflection cannot satisfy it: flip the sign of the residual and the affine identity breaks for any alpha_t in (0, 1]. The certificate residual kappa_t measures the maximum violation of that identity across all basis cross-ratios, and fires the moment the form is wrong, regardless of what the distance did. So the certificate does not ask "are we closer?" It asks "did each gauge-invariant coordinate move by exactly the affine step it was supposed to?" Direction and step size, not post-hoc distance.
A worked 3x3 counterexample
Numbers land this harder than prose, so here is the reflect-and-shrink case in full. Work in centered-log coordinates -- the residual after removing row and column means -- where the gauge is already quotiented out and the geometry is just a small vector space. Take a single representative cross-ratio coordinate g for the current state, the target, and the next state.
# Centered-log coordinate of one basis cross-ratio (gauge already removed)
g(A_t) = 1.00 # current state, residual sits at +1.00
g(R) = 0.00 # target has zero quotient coordinate on this axis
alpha_t = 0.5 # claimed half-step toward R
# A HONEST half-step toward R would land at:
g_geodesic = (1 - 0.5)*1.00 + 0.5*0.00 = 0.50 # same sign, halfway in
# The reflect-and-shrink map instead produces:
g(A_{t+1}) = -0.40 # flipped sign, smaller magnitude
Now run both checks.
Scalar distance check (norm of the residual, target at 0):
d_Q(A_t, R) = |1.00| = 1.00
d_Q(A_{t+1}, R) = |-0.40| = 0.40
0.40 < 1.00 -> PASS (green) # "we got closer!"
The distance dropped from 1.00 to 0.40. By the scalar test, this is a textbook success: a 60% reduction in error. Ship it.
Now the cross-ratio / affine-form certificate. QAC requires Gamma_ij(A_{t+1}) = (1 - alpha_t) Gamma_ij(A_t) + alpha_t Gamma_ij(R_t):
required = (1 - 0.5)*1.00 + 0.5*0.00 = 0.50
observed = -0.40
kappa_t = |observed - required| = |-0.40 - 0.50| = 0.90
kappa_t = 0.90 > floor_t -> FAIL (red) # direction reversed, form broken
The certificate fires hard. The observed coordinate is -0.40; an honest half-step demanded +0.50. The residual kappa_t = 0.90 is not a rounding wobble -- it is a reversed ray. The update walked across the target and out the other side, and only looked good because the far side happened to be closer than where it started.
That is the whole point in two lines of arithmetic:
- Scalar distance: PASS. Got closer.
- Affine-form certificate: FAIL. Went the wrong way.
The system that trusts the first line ships a reversed update. The system that trusts the second line catches it. CCF runs the second.
What the certificate does and does not prove
This is a limitation-disclosure post, so let me be precise about the boundary, because it is easy to over-read in the other direction.
The cross-ratio test certifies the form of a single step, per patent paragraph [0054a]: it confirms that the update at tick t was an affine blend toward [R_t] with the stated alpha_t, and nothing else. It does not prove that the trajectory converges. A sequence of perfectly-formed affine steps can still walk a moving target, stall, or oscillate, depending on how R_t and alpha_t evolve. The certificate is a per-step structural guarantee, not a convergence proof.
Nor does a small kappa_t by itself certify endpoint values. Confirming that alpha_t was exactly 0 or 1 -- a frozen step or a full snap to target -- requires structural and path verification, not the residual alone. And floor_t is a per-platform numerical threshold, not a universal constant: what counts as "close enough to zero" depends on the arithmetic precision of the deployment.
One more clarification on what Gamma is. The cross-ratio coordinates are the gauge-invariant part of the trust state. The doubly-stochastic normalization in the companion post on why the normalization is not the trust is a gauge presentation: it makes the state bounded and tidy, but it vanishes under the gauge action H(.)H and carries no causal information. The causal update is QAC, acting on these cross-ratios. Distance-only and contraction-only views fail precisely because they read the presentation, or the norm of the residual, and miss the affine structure underneath. A distance-only safety story and CCF are, at most, structurally equivalent under a common abstract schema -- both talk about "moving toward a target" -- but they are not the same test, and the counterexample above is where they part ways.
Why this matters outside the math
If you are evaluating any system that justifies itself with "we reduce error, therefore we are safe," this is the question to put to it: can your update reduce the distance while pointing the wrong way, and would you catch it? For a system that checks only the scalar, the honest answer is no. The reflect-and-shrink map is not exotic -- it is the generic failure of any contraction-only criterion, and it shows up the moment an optimizer is allowed to overshoot.
The fix is not a bigger model or a better classifier. It is a cheaper, stricter test: verify the affine form of each step, not the distance after it. That test is a handful of logarithms and subtractions per cross-ratio, and it runs every tick in CCF with no measurable cost. The full algebra is implemented in ccf-core on crates.io, the claim structure is at /patent, and the broader case for failable trust gates is in trust you can falsify.
— Colm Byrne, Founder — Flout Labs, Galway, Ireland
Patent pending — US Provisional 64/092,485 (filed June 17, 2026).
FAQ
So reducing error is enough, right? If the distance to the target goes down, the update was good?
No -- this is exactly the misreading the post exists to correct. Distance contraction is necessary-ish but not sufficient. The 3x3 counterexample above reduces d_Q from 1.00 to 0.40 while the underlying cross-ratio coordinate flips from +1.00 to -0.40: the update reversed direction and overshot the target, and the scalar distance happily reported "60% closer." A wrong-direction map can shrink the norm because a norm cannot see direction. The affine-form certificate (kappa_t = 0.90 in the example) catches it; the distance check does not.
What is kappa_t actually measuring, then?
kappa_t is the maximum violation, across all basis cross-ratios, of the QAC affine identity Gamma_ij(A_{t+1}) = (1 - alpha_t) Gamma_ij(A_t) + alpha_t Gamma_ij(R_t). In plain terms: it measures how far each gauge-invariant coordinate is from the exact affine blend it was supposed to land on. Zero (within a per-platform floor_t) means the step had the correct form. Large means the form is broken -- wrong direction, wrong step size, or both. It tests the step, not the trajectory.
Does a passing certificate prove the system converges?
No, and the post is explicit about this per paragraph [0054a]. The certificate proves the form of one step: it was an affine move toward [R_t] with the stated alpha_t. It says nothing about whether a sequence of such steps reaches and stays at the target -- that depends on how R_t and alpha_t evolve, and requires separate analysis. Treating a per-step form certificate as a convergence proof would be the same overreach, in the opposite direction, as treating distance contraction as a correctness proof.
Why not just check the sign of the change as well as the magnitude?
A sign check is a partial fix for the 1-D toy case, but trust states are not 1-D. The real object is a matrix read up to a row/column gauge, and the meaningful coordinates are the cross-ratios. A naive sign-and-magnitude check on the raw entries would be fooled by gauge rescaling, which changes the entries without changing the trust state. The cross-ratio residual Gamma_ij is built to be gauge-invariant, so the affine-form test is the gauge-correct generalization of "did it move the right way by the right amount."
Is the doubly-stochastic normalization where the trust lives?
No. The normalization (the Sinkhorn / doubly-stochastic layer) is a gauge presentation -- it makes the state bounded and tidy, but it vanishes under the gauge action and carries no causal trust information. The causal update is QAC, acting on the cross-ratio coordinates. The companion post covers this in full. Conflating the presentation with the trust is its own category of error, separate from the distance-contraction mistake described here.