Technical overview

This is math, not design

CCF v1 publishes the trust-update and runtime-certificate core: a hard min-gate, a QAC matrix update, and a computed certificate that fails closed when the update is not enforceable.

The pipeline

Runtime input matrices
    │
    ▼  C_eff = min(C_inst, C_ctx)
Hard min-gate coupling
    │
    ▼  alpha_t = rho(C_eff)
Trust-update rate
    │
    ▼  qac_update_3x3(...)
Strict-positive QAC update
    │
    ▼  certify_update(...)
kappa_hat_t + E_t + dynamic floor + threshold
    │
    ▼  fail-closed status
Runtime certificate
    │
    ▼  ccf-agent /state + /certificate
Gate C verifies computed, evolving, cross-consistent values
PRIMITIVE 01

QAC update matrices

The published core does not ask the reader to trust a narrative about social behaviour. It computes strict-positive matrix updates. Given A_t, R_t, gauges, and alpha_t, qac_update_3x3 produces the realized A_(t+1) matrix.

This is the public v1 kernel. Sensor ingestion, robot behaviours, and device store integration sit outside this release until they are exercised by their own evidence.

RUST · ccf-core
// Canonical QAC update
let realized_a_next = qac_update_3x3(
    &QacInputs3 {
        prior_a_t,
        reference_r_t,
        left_l_t,
        right_c_t,
        alpha_t,
        epsilon_floor,
    },
)?;
GATE CONDITION
// Hard min-gate: weaker reading wins
C_eff = min(C_inst, C_ctx)
alpha_t = rho(C_eff)

// If the path is forbidden or
// non-canonical, reject instead
// of fabricating a valid update.
PRIMITIVE 02

The minimum gate

The gate acts as a hard coupling between instantaneous and contextual evidence. The update cannot use the stronger side alone; the weaker side determines the effective coupling.

That bounded coupling is the part v1 publishes and tests. Claims about a robot changing social phase or earning trust require separate hardware integration evidence.

PRIMITIVE 03

Runtime certificate

After the QAC update, the core recomputes the certificate from the update matrices: kappa_hat_t, E_t, the dynamic floor, the threshold, and the fail-closed status.

The public hardware evidence is bounded: the computed runtime path was exercised on real Seed-class armv7l hardware through Gate C with driver-fed input. It does not prove live sensor ingestion, live Cognitum store validation, or completed mBot2 behaviour.

Architecture

The seven pillars of CCF

1
Hard min-gate
The effective coupling is C_eff = min(C_inst, C_ctx). The weaker reading wins before the trust-update rate is derived.
2
QAC trust update
ccf-core updates strict-positive 3x3 matrices through the published QAC log-geodesic primitive under the selected alpha_t.
3
Runtime certificate
The crate computes kappa_hat_t, E_t, dynamic floor, threshold, and fail-closed status from the actual update matrices.
4
Conservative presentation
Sinkhorn-style presentation remains a gauge/normalization surface. The causal claim is the min-gate plus QAC plus certificate check.
5
Fail-closed policy
Forbidden or non-canonical paths reject rather than inventing successful update evidence.
6
no_std core
ccf-core is #![no_std] and forbids unsafe code. The ccf-agent binary is the std runtime wrapper used for Gate C checks.
7
Bounded hardware evidence
The computed runtime path was exercised on Seed-class armv7l hardware with driver-fed input. v1 does not claim live sensors or mBot2 trust behaviour yet.