docs/convergence-io/CCF.md

CCF — Capability Claim Format

Module: src/convergence_io/ccf.py · Principle: P4 (Capability Constraints) · Consumed by: P5 (Boundary), P8 (Vendor Chain), P10 (Supply Chain) · Tests: tests/test_pcsf_ccf.py Status: Implemented + unit-tested. Python reference contract; not on the live JS path (see README).

What it is

An agent must prove at action time that it has the capability it claims — capability is not assumed from identity or config. A CapabilityClaim is the runtime record of what an agent can actually do right now; a CapabilityGate checks claims before letting an action proceed. This is the enforcement of "no overclaiming" (the Σ₀ External Reality Rule) at the action boundary.

Core types / API

  • CapabilityClaim — what an agent asserts it can do:
    • verify() — validate the claim (returns the verified claim).
    • is_expired() — claims are time-boxed; a stale claim is not a live capability.
    • has_capability(cap) — does this claim cover a specific capability?
    • to_dict().
  • HonestyTracker — measures claim-vs-reality drift per agent:
    • record_result(agent_id, expected_caps, actual_caps) — log what was claimed vs what actually happened.
    • score(agent_id, window=20) — rolling honesty score over the last N actions.
    • snapshot().
  • CapabilityGate — the checkpoint:
    • CapabilityGate(honesty_floor=0.5, pcsf_registry=None) — wires to PCSF so capability

can depend on a live provider, and refuses agents below the honesty floor.

  • register_claim(claim) · check(agent_id, required, boundary=None, ...) → GateResult.
  • snapshot().
  • GateResult{allowed, reason, ...}.

How it composes

CCF sits after DCF and NAP, with PCSF: DCF classifies the data, NAP can hard-deny, then CCF asks "does this agent provably hold the required capability for this data class — and is it honest enough (≥ honesty_floor) and is its provider live (via pcsf_registry)?" P5/P8/P10 (boundary, vendor chain, supply chain) read these claims to reason about who and what is in the loop.

Status & gaps

  • Implemented with time-boxed claims, an honesty floor, a PCSF link, and a gate result contract;

directly unit-tested in tests/test_pcsf_ccf.py.

  • The honesty signal is only as good as what callers feed record_result — it's a runtime

feedback contract, not an oracle; nothing auto-populates it on the live path yet.