Runtime-Certified Trust Transfer
The certificate layer. Every trust update emits a per-step residual, kappa_t, that is zero (within a calibrated floor) only if the executed update obeyed the canonical trust-transfer law—and positive when it departed. A system that can be proven wrong every tick, and that an external authority can compel to do less but not quietly more.
What it is
Prov 6 is the mathematical spine under the rest of the portfolio. It specifies the actual update path of CCF as a runtime-verifiable sequence: a hard minimum gate over a set of ceilings sets the effective coherence C_eff = min(C_inst, C_ctx, …); an admissible step map produces the update step size alpha_t = rho(C_eff); and a strict-positive, ε-floored log-geodesic update (the quotient-affine contraction, QAC) moves the trust state.
The novel instrument is the per-step certificate. After each update, a single scalar residual—kappa_t—measures whether the executed step actually conformed to the canonical law or whether it silently interpolated, averaged, soft-min-smoothed, or otherwise increased effective authority. When it sits within a per-platform calibrated floor, the step is certified; when it exceeds the floor, the action envelope reduces or closes. A dynamic finite-precision floor, explicit endpoint structural checks, and a runtime envelope monitor B_t complete the loop.
Two boundaries are stated in the filing and matter here. Sinkhorn-Knopp / doubly-stochastic normalization is a gauge presentation that vanishes under the certificate operator—it is conservative bookkeeping, not the causal trust-transfer law. And the envelope monitor does not assert unconditional convergence: it certifies whether a run is currently satisfying the conditions being monitored, not that trust settles to a fixed point. Any numeric tolerance is a calibrated per-platform floor, not a universal constant.
Problems it solves
Wholesale shutdown over a narrow restriction
A directive restricts a specific class of user, but the provider cannot verify that attribute per request, so it disables the model for everyone. With a ceiling set that includes a legal ceiling, the restriction pulls one ceiling to zero for the unverified context—the action envelope closes there specifically, emits a reason, and reopens when eligibility evidence arrives. Surgical containment instead of a global outage.
The silent regression
A faulty build swaps the canonical multiplicative update for arithmetic interpolation. The trust score still moves smoothly; nothing in the logs looks wrong. But kappa_t goes positive above the floor on the first interior step, and the high-risk action classes close. The certificate catches what monitoring of the score alone cannot.
Unearned authority increase
An external instruction (or an injection) tries to make the system do more than it has earned—to expand the action envelope outside the canonical law. Because an unearned expansion produces a certificate excursion, it fails closed. The system can be compelled to do less; it cannot be quietly compelled to do more.
Compliance you can check without the weights
A regulator does not need the model's weights or training data to verify a restriction was applied. The joined causation record—context key, eligibility state, ceiling values, gate value, step size, certificate value, floor, action envelope, and fail-closed reason—shows, per step, what was refused and why.
What it covers
A 28-page specification with claim-supporting statements for a subsequent non-provisional filing.
Hard minimum gate over a ceiling set
Effective coherence is the minimum over a set of ceilings—including policy, operator, fleet, legal, sensor-integrity, and supervisor ceilings. A single ceiling at zero closes the gate; authority cannot be averaged or traded across axes.
QAC update + per-step certificate
A strict-positive, epsilon-floored log-geodesic update up to positive diagonal gauge, with a scalar residual certificate kappa_t computed for the executed update. Zero within floor iff the step obeyed the canonical law; refusal of unearned authority increase.
Finite-precision floor + endpoint posture
A dynamic, platform-calibrated finite-precision floor (no universal numeric tolerance), plus explicit structural checks at the endpoints where a value residual alone is uninformative.
Runtime envelope monitor + embodiments
An online envelope monitor B_t that certifies whether a run is inside its monitored conditions (not that it converges), and a causation record per step. Embodiments span robot action gating, LLM tool/action gating, fleet supervision, and higher-order coordination.
Applications
Licensing enquiries
CCF is released under BSL-1.1 — free for evaluation and non-commercial use. Commercial licensing is available from Flout Labs.
cbyrne@floutlabs.com