← Back to blog
June 12, 2026Colm Byrne

Shadow Simulation: How a Robot Reasons About What It Would Do Without Actually Doing It

A robot in a primary school classroom has been working with the same group of children for three weeks. It knows the room. It knows the routine. It has earned enough trust through daily interaction that it can initiate simple activities -- reading exercises, counting games, structured play. Its effective coherence in this classroom context is 0.67, well into Phase II.

A new child joins the class. The teacher asks the robot: "Can you work with the new group arrangement?"

The robot needs to answer this question before acting. Not by guessing. Not by extrapolating from language model training data. By actually simulating what its trust state would look like with the new configuration -- and doing so without contaminating the trust state it has spent three weeks building.

This is counterfactual reasoning. And in most autonomous systems, it does not exist. The system either acts and sees what happens, or it does not act and learns nothing. CCF introduces a third option: the shadow-state simulator, described in [E3-0010] through [E3-0011] and Claim AE of US Provisional 64/039,655.

The Problem: Thinking About Trust Must Not Create Trust

The core constraint of the CCF architecture is that trust is earned through interaction, never created from nothing. The doubly stochastic mixing matrix (Claims 19-23) guarantees that trust cannot be amplified through transfer. The floor mechanism (Claims 2-5) ensures that trust accumulates slowly and resists disruption. The minimum gate C_eff = min(C_inst, C_ctx) ensures that momentary stability cannot substitute for accumulated context trust.

For a detailed treatment of why trust transfer cannot amplify trust, see the Sinkhorn-Knopp for trust post.

These guarantees hold for real interactions. But what about imagined interactions? If the robot simulates "what would happen if I approached the new child" and the simulation updates the accumulator, the robot has just earned trust by thinking about earning trust. The simulation becomes a trust-laundering mechanism. Imagine more interactions, accumulate more simulated trust, report higher entitlement.

This is not an edge case. Any system that uses internal simulation for planning faces this problem. Reinforcement learning systems with model-based planning explicitly update value functions from imagined trajectories -- that is the point of Dyna-Q, MuZero, and similar architectures. In those systems, imagined experience and real experience are treated identically. The value function cannot distinguish between "I did this" and "I imagined doing this."

CCF cannot afford this ambiguity. Trust that was not earned through real environmental interaction is not trust. It is confabulation.

The Shadow-State Architecture

The shadow-state simulator works by creating a disposable copy of the CCF state and running hypothetical scenarios against it.

shadow_state = deep_copy(live_coherence_field)
shadow_state.simulate(hypothetical_events)
result = shadow_state.evaluate()
discard(shadow_state)

The critical properties:

Deep copy, not reference. The shadow state is a complete, independent copy of every accumulator, every floor, every context key, every partition, every mixing-matrix entry. It shares no memory with the live state. Changes to the shadow state cannot propagate to the live state through aliased references, shared pointers, or mutable borrows. In Rust, the borrow checker enforces this statically -- you cannot hold a mutable reference to the shadow state and the live state simultaneously. In C or C++, this is a discipline problem. In CCF, it is a type-system guarantee.

Simulation runs against the copy. The robot can inject hypothetical events into the shadow state: "What if the new child triggered a high-tension event?" The shadow state updates its accumulators, recalculates phases, reruns the minimum gate. The shadow state now reflects a counterfactual world where the tension event occurred.

Results are extracted, then the copy is destroyed. The robot reads the shadow state's self-model vector, phase classifications, entitlement levels, and uncertainty values. These readings inform the robot's decision. Then the shadow state is deallocated. Nothing persists.

No trust earned in imagination. The live coherence field is unchanged. The robot's real accumulators, real floors, real familiarity values are exactly what they were before the simulation. The simulation informed a decision. It did not modify the trust state.

The School Scenario: Working Through It

Back to the classroom. The robot has three weeks of accumulated trust. The teacher asks if it can handle the new group arrangement. The robot runs three shadow simulations:

Shadow 1: New child, no sponsor present. The shadow state introduces a context key for the new child's presence. Since the new child has never been encountered, the shadow accumulator starts at zero. The shadow self-model reports: l_t = 0.0 for new-child contexts, u_t spikes from 0.12 to 0.41 due to partition ambiguity (the new child creates a context key that does not fit cleanly into existing groups). Phase classification drops from Phase II to Phase I for contexts involving the new child. Entitlement drops from 0.67 to 0.28.

Shadow 2: New child, teacher as sponsor. Same setup, but the shadow state includes a sponsor bridge from the teacher. The bridge temporarily elevates entitlement in the new-child context: b_t rises from 0.0 to 0.35, which partially compensates for the low l_t. Phase classification for new-child contexts: Phase I with bridge-assisted action space. Entitlement: 0.48. Not as high as the established classroom, but workable for structured activities.

Shadow 3: Group rearranged, old children redistributed. The robot checks whether rearranging existing children into new groupings disrupts its established trust. Shadow state shows: l_t for individual children remains unchanged (the robot knows them), but l_t for the group-context composite keys shifts because the specific combination of children + seating + time-of-day produces new context keys. Some routines (h_t) remain available. Others drop below confidence threshold because they were compiled for the old arrangement.

The robot synthesises the results:

"I can work with the new arrangement if you stay in the room for the first few sessions. I know the returning children but the groupings are new to me. The new child is completely unfamiliar -- I would stay cautious with them until I have at least a week of direct interaction."

Every clause is grounded in a shadow simulation result. The recommendation is not a guess. It is a consequence of measured state run through hypothetical scenarios.

For how uncertainty drives disclosure in these situations, see the uncertainty disclosure post.

Why Deep Copy Matters: The Trust Laundering Attack

Consider what happens without the shadow-state architecture. A system that simulates hypotheticals against its live state -- even temporarily -- risks trust contamination.

Suppose the robot "temporarily" updates its live accumulators during simulation, planning to roll them back afterward. During the simulation, the accumulator for the new-child context gets 100 simulated interactions. The floor mechanism kicks in: after enough interactions, a permanent floor is established. The rollback undoes the accumulator value but the floor calculation has already fired. The robot now has a non-zero floor for a context it has never actually experienced.

Or: the simulation runs for 500 ticks. During tick 247, the operating system interrupts the robot for a real event. The interrupt handler reads the live accumulator, which is mid-simulation. The robot makes a real decision based on simulated state.

Or: the simulation triggers a phase transition in the live state. Phase transitions have hysteresis (the Schmitt trigger described in Claims 14-18 and the observable hesitation post). The rollback undoes the accumulator value but the phase boundary has shifted by the hysteresis deadband. The robot's real phase classification is now different from what it was before the simulation.

Each of these failure modes -- floor contamination, interrupt aliasing, hysteresis drift -- is avoided by the deep copy architecture. The live state is never modified. Not temporarily. Not "with rollback." Not at all.

Implementation in ccf-core

The ccf-core on crates.io crate provides the CoherenceField structure that the shadow simulator copies. The Clone trait implementation performs a full deep copy of all accumulators, context keys, and mixing-matrix entries. In no_std mode (for embedded deployment on ARM Cortex-M), the deep copy uses stack allocation up to MAX_CONTEXTS (64 by default), avoiding heap allocation entirely.

The shadow simulation is an integration pattern, not a crate feature. The crate provides the data structures; the deployment system provides the simulation loop. This is deliberate: the simulation scenarios are deployment-specific (school robot vs. hospital robot vs. eldercare robot), but the trust-conservation guarantee is universal.

// Pseudocode for shadow simulation
let live_field: CoherenceField = robot.get_field();
let mut shadow: CoherenceField = live_field.clone();

// Inject hypothetical events
shadow.positive_interaction(&new_child_key, &personality, tick, false);
shadow.report_context_with_key(&new_child_key, &all_keys);

// Read shadow self-model
let shadow_entitlement = shadow.effective_coherence(0.9, &new_child_key);
let shadow_phase = shadow.social_phase(&new_child_key);

// Decision: shadow_entitlement is 0.28, Phase I
// Recommendation: wait for sponsor

// shadow goes out of scope, memory freed
// live_field unchanged

Scenario: The Hospital Ward at Night

A hospital robot is stationed in the ICU. During the day shift, it operates with sponsor bridges from three nurses. At 23:00, the night shift begins. Only one nurse is on duty, and she is unfamiliar -- she has been covering from another ward for two nights.

The robot runs a shadow simulation: "What if the unfamiliar nurse calls me to assist with a patient transfer in Room 7?"

Shadow result: b_t from the unfamiliar nurse is low (she has not been in the robot's field long enough to establish a strong sponsor bridge). Room 7 has moderate l_t (the robot has been there during day shifts). The combination -- low sponsor bridge + moderate familiarity -- produces an entitlement of 0.31. The compiled routine for patient transfer requires an entitlement of 0.55.

The robot's conclusion, from the shadow simulation: it can enter Room 7 but cannot execute the patient transfer routine autonomously. It would need to operate deliberatively, step by step, with the nurse confirming each action.

This conclusion was reached without entering Room 7. Without interacting with the unfamiliar nurse. Without disrupting its live trust state. The shadow simulation provided the information. The live state preserved its integrity.

For the broader context of how trust gates behaviour in high-stakes environments, see the Gavalas escalation loop analysis and the privacy paradox post.

The Philosophical Distinction

There is a deep distinction between systems that learn from imagined experience and systems that reason about imagined experience without learning from it.

Model-based reinforcement learning is in the first category. The agent imagines trajectories and updates its value function. The imagination is productive: it produces learning. This is powerful for optimisation but dangerous for trust, because the agent cannot distinguish earned competence from imagined competence.

CCF shadow simulation is in the second category. The robot imagines trajectories and evaluates them. The imagination is informative: it produces decisions. But it produces no learning. No trust. No earned competence. The robot that ran a thousand shadow simulations of Room 7 is exactly as untrusted in Room 7 as a robot that ran zero. The only thing that builds trust is real interaction in real environments under real conditions.

This is the architectural expression of a simple principle: you cannot think your way into trustworthiness. You have to show up. You have to do the work. And no amount of internal rehearsal substitutes for the real thing.

The emergent safe haven post illustrates the flip side -- how real, repeated interaction builds trust so deep that complex behaviours emerge without any planning at all. Shadow simulation and emergent trust accumulation are complementary mechanisms: one for reasoning about the future, the other for building the past.

FAQ

Can shadow simulations be chained to evaluate multi-step plans?

Yes. The shadow state can be advanced through multiple hypothetical events in sequence: "First the new child arrives, then the teacher leaves, then a loud noise occurs." Each event updates the shadow state, and the final self-model reflects the cumulative effect. The key constraint remains: the live state is unmodified regardless of how many steps the shadow simulation runs.

How expensive is the deep copy?

For a 64-context field (the default MAX_CONTEXTS in ccf-core), the deep copy involves copying 64 accumulators, the mixing matrix (64x64 = 4096 f32 values), and associated metadata. Total: approximately 20KB. On an ARM Cortex-M4 at 168MHz, this takes under 1ms. On more capable hardware, it is negligible. The cost is dominated by the simulation steps, not the copy.

Could a sufficiently advanced system find a way to launder trust through shadow simulation?

Not through the shadow state itself, which is destroyed after use. The potential attack vector is the decision pathway: if the robot's planning system trusts shadow simulation results as evidence of competence rather than as predictions of counterfactual state, the planner could over-credit the robot. The CCF architecture addresses this by keeping the shadow results purely informational -- they influence decisions but never update accumulators, floors, or phase classifications in the live state.

Does the shadow simulator account for other robots in the environment?

The current specification simulates single-robot counterfactuals. Multi-robot shadow simulation -- "What if Robot B were also in Room 7?" -- requires modelling the other robot's CCF state, which the current robot does not have access to (by design, for privacy). Fleet-level counterfactual reasoning is a coordination-layer concern, not a single-robot concern.

Patent pending. US Provisional 64/039,655.

-- Colm Byrne, Founder -- Flout Labs, Galway, Ireland