ccf-core/ccf-agent v1.0.1: hard min-gate coupling, QAC trust updates, and runtime certificates. Gate C exercised the computed runtime on Seed-class ARM hardware with driver-fed input. Unless a post cites a specific run, do not read it as proof of live sensors, mBot2 behaviour, Cognitum store validation, or production deployment.The Normalization Is Not the Trust: Why Sinkhorn-Knopp Is Gauge, Not the Causal Law
I owe a correction to an earlier post on this site.
In Sinkhorn-Knopp for Trust, I framed the doubly stochastic projection onto the Birkhoff polytope as the trust mechanism -- the algebraic object that makes trust transfer safe. That post is still useful for understanding conservation and the spectral bound. But the framing was wrong in one precise way, and the way it was wrong turns out to be the most defensible idea in the whole CCF portfolio.
Sinkhorn-Knopp is not the trust dynamic. It is a choice of presentation. It is gauge.
The causal trust-transfer content -- the thing that actually moves, the thing a certificate can falsify -- is what survives when you strip the presentation away. That invariant is the quotient state, and the law that acts on it is the quotient-affine contraction (QAC). This is the cleanest line separating CCF from the entire matrix-homeostatic-control (mHC) family, and patent US 64/092,485 is built around it [0007], [0099]-[0101].
What the mHC Family Optimizes -- and Why It Is the Wrong Object
The mHC family (DeepSeek mHC, sHC, go-mHC, mhc-lite) treats the Sinkhorn projection onto the Birkhoff polytope as the object being optimized. The doubly stochastic matrix is the target. You measure how close you are to it, and you iterate until you are close enough.
Prov 6 makes the opposite move. Positive diagonal normalization -- row-normalize, column-normalize, Sinkhorn-scale -- is a rescaling of the same underlying trust content. It changes how the matrix looks. It does not change what the matrix means. And the certificate that governs CCF behavior, the contraction factor kappa_t, is computed after the normalization is removed.
So the doubly stochastic matrix is not the answer. It is one of infinitely many equivalent presentations of the answer.
The Equation That Removes the Gauge
Here is the formal statement [0040]-[0042], [0100]:
# Gauge equivalence: B = L A C for positive diagonal L, C => same trust content
# (left/right positive-diagonal rescaling is the gauge group)
#
# Quotient coordinate removes the gauge:
Theta([A]) = H (log A) H, H = I - (1/n) 11^T (the centering projector)
#
# Why H kills the gauge: log(L A C) = log A + log L (rows) + log C (cols)
# The diagonal-gauge terms are constant along rows / along columns.
# H removes the row-mean and the column-mean, so:
# H (log L + log A + log C) H = H (log A) H
#
# Therefore: row-norm, column-norm, Sinkhorn-Knopp, identity gauge
# ALL give the SAME Theta([A])
# => kappa_t is INVARIANT to the normalization chosen [0100]
#
# The causal step is the quotient-affine contraction (QAC) on [A],
# NOT the normalization. [0099]-[0101]
The mechanism is the projector H = I - (1/n)11^T. Take the elementwise logarithm of the trust matrix. A positive diagonal gauge L A C adds a term that is constant along each row (from L) and a term constant along each column (from C). The double centering H(·)H subtracts the row means and the column means. Those gauge contributions are exactly row-constant and column-constant, so they vanish. What remains, H(log A)H, is the same regardless of which normalization you applied first. That is the gauge-invariance point, and it is the load-bearing line of this post.
The state CCF reasons about is [A], the equivalence class of A under positive diagonal rescaling. The causal update is a contraction on that class -- quotient-affine because it is affine in the quotient coordinate Theta([A]). The contraction factor kappa_t is read off the quotient, never off the raw matrix. This is why no normalization choice can change it.
Four Gauges, One Trust Content
Stating gauge invariance is not the same as showing it. So take one trust matrix and present it four ways.
# Raw affinity matrix A (3 contexts):
A = [ 0.60 0.30 0.10 ]
[ 0.20 0.50 0.30 ]
[ 0.10 0.40 0.50 ]
# Gauge 1 -- identity (raw): A
# Gauge 2 -- row-normalized: L A (L = diag(1/rowsum))
# Gauge 3 -- column-normalized: A C (C = diag(1/colsum))
# Gauge 4 -- Sinkhorn-Knopp scaled: L* A C* (alternating row/col, 20 iters)
# Compute Theta([·]) = H (log ·) H for each:
Theta(Gauge 1) = Theta(Gauge 2) = Theta(Gauge 3) = Theta(Gauge 4) # IDENTICAL
# Read the certificate off the quotient:
kappa_t(Gauge 1) = kappa_t(Gauge 2) = kappa_t(Gauge 3) = kappa_t(Gauge 4) # IDENTICAL
All four presentations collapse to the same Theta([A]), because each gauge differs from the others only by a positive diagonal left/right factor, and H(·)H annihilates exactly those factors. The certificate kappa_t is therefore identical across all four. Sinkhorn-Knopp is one row in this table. It is not privileged. It is not the dynamic. It is presentation.
Now change the trust content for real:
# Non-diagonal substitution -- a genuine change to who-trusts-whom:
A' = A but with A'[1][3] : 0.10 -> 0.45 (context 1 now trusts context 3 far more)
# This is NOT a positive-diagonal rescaling. It cannot be written as L A C.
Theta([A']) != Theta([A]) # the quotient coordinate moves
kappa_t(A') != kappa_t(A) # the certificate moves
A non-diagonal edit -- a real change in the trust relationships -- is not a gauge transformation. It cannot be absorbed into L or C. So it moves Theta and it moves kappa_t. The reader sees the distinction directly: rescalings are invisible to the certificate, substantive changes are not. That is precisely what you want from a trust law, and precisely what an object that optimizes toward the Birkhoff polytope cannot give you, because it has already discarded the distinction by treating one presentation as the goal.
The Truthfulness Boundary, Stated Plainly
This is the post where the claim discipline matters most, so let me state it without hedging.
Sinkhorn-Knopp is gauge presentation. It is not the causal trust dynamic [0099]-[0101]. Doubly stochasticity is a convenient normal form. It makes conservation easy to see and the spectral bound easy to state. It is genuinely useful for exposition. But it vanishes under H(·)H, and anything that vanishes under the quotient cannot be the thing that causes trust to move. The causal law is the quotient-affine contraction on [A].
Any earlier CCF copy -- including my own Sinkhorn-Knopp for Trust post -- that implied the doubly stochastic projection is the trust mechanism is superseded by this framing. Use that post for the conservation and spectral intuitions. Use this one for what is actually causal.
A few guardrails I hold myself to, so the math stays honest:
- The minimum gate certifies monitored conditions (the certificate
B_tattests to what was checked), not convergence. Min-gating alone does not prove the system converges. kappa_tis a per-platform floor, not a universal magic number. There is no universalkappa_t < 1e-9; each platform has its ownfloor_t.- Endpoint values (an
alpha_tpinned to 0 or 1) are not certified bykappa_talone. Pinned-zero and support-strata behavior is open work, not solved math. - The cleanest defensible claim is that these presentations are structurally equivalent under a common abstract schema -- not "formally isomorphic." The quotient gives equivalence of trust content; it does not claim every property of every presentation lines up.
Why This Is the Differentiator
Two architectures can run the identical Sinkhorn iteration and arrive at the identical matrix, and still differ at the level that matters. The mHC family says: the doubly stochastic matrix is the trust object. CCF says: the doubly stochastic matrix is one presentation of a trust object that lives in the quotient, and the law -- the contraction that produces the falsifiable kappa_t -- acts there.
That distinction is not cosmetic. It is the difference between a certificate you can falsify and a normalization you can only inspect. A certificate is not an explanation, and trust you can falsify is the whole point of the architecture. It is also why distance contraction is not enough on its own: contraction in the wrong coordinate -- the raw, gauge-dependent one -- tells you nothing stable, because a rescaling could have produced it. Contraction in the quotient coordinate is invariant, and that is what H(log A)H buys you. For the deeper reading of what H(log A)H actually computes, see what H log A H actually does.
The implementation lives in ccf-core on crates.io, a no_std Rust crate. The Sinkhorn projector is still in there -- because a normal form is useful -- but it is plumbing, not the law. The full claim structure, including the quotient and the gauge-invariance argument, is in the patent [0028], [0040]-[0042], [0099]-[0101].
-- Colm Byrne, Founder -- Flout Labs, Galway, Ireland
Patent pending -- US Provisional 64/092,485 (filed June 17, 2026).
FAQ
Isn't the doubly stochastic projection the whole point? Doesn't Sinkhorn-Knopp prove the trust is safe?
No -- and this is the misreading I want to correct directly, including from my own earlier writing. The doubly stochastic projection is a presentation: a convenient normal form that makes conservation and the spectral bound easy to state. But it is a positive-diagonal rescaling of the underlying matrix, and every such rescaling vanishes under the quotient coordinate Theta([A]) = H(log A)H. The certificate kappa_t is computed on the quotient, so it does not depend on whether you Sinkhorn-scaled, row-normalized, column-normalized, or did nothing. Anything that disappears when you remove the gauge cannot be the causal mechanism. Sinkhorn-Knopp does not prove the trust is safe; the quotient-affine contraction is what produces the falsifiable certificate [0099]-[0101].
If the normalization does not matter, why compute it at all?
Because a normal form is genuinely useful for exposition, debugging, and intuition. Doubly stochasticity makes "trust is conserved, not amplified" easy to see and easy to check by eye. It is the difference between a tidy coordinate system and a messy one -- both describe the same physics. CCF still ships a Sinkhorn projector in ccf-core for exactly this reason. But it is plumbing. The law that moves trust is the contraction on the quotient state, and the certificate is read there.
What is the difference between "gauge" and "content" in concrete terms?
Gauge is anything you can change by a positive-diagonal left/right rescaling B = L A C -- it leaves the trust content untouched and is invisible to kappa_t. Content is anything you cannot write that way -- a non-diagonal change to who-trusts-whom. In the worked example above, switching between raw, row-normalized, column-normalized, and Sinkhorn presentations leaves Theta([A]) and kappa_t identical (gauge). Bumping a single off-diagonal entry from 0.10 to 0.45 moves both (content). The certificate is engineered to be blind to the first and sensitive to the second.
Does this mean the conservation and spectral arguments from the earlier post were wrong?
The arguments were correct; the framing around them was not. Conservation holds and the spectral norm bound holds for the doubly stochastic presentation -- those are real properties of that normal form. What was wrong was treating that presentation as the trust mechanism itself. It is one gauge among many. The causal content is the quotient state, and the safety story is the contraction on it, not the normalization that produced any one presentation [0040]-[0042].
Is the claim that all these presentations are "the same"?
Carefully: they are structurally equivalent under a common abstract schema -- they share the same quotient state Theta([A]) and therefore the same certificate kappa_t. That is a precise, bounded claim. It is not a claim that the presentations are formally isomorphic in every respect, and it is not a claim that kappa_t is a universal constant -- kappa_t is a per-platform floor, not a single magic threshold. The equivalence is at the level of trust content, which is exactly the level the certificate operates on.