Verified controller zoo

One source → every target — proved, simulated, and (where it exists) measured.

Each card below was produced by one command (make all) from a single EML source. From that one source Forge emits every target it can — general-purpose software, GPU shaders, LLVM IR, machine-checked proofs (Lean / Coq / Isabelle), safety-critical (Ada / SPARK, AUTOSAR, AADL, ROS2), a smart contract, a zk circuit, and — for the RC filter, which is an actual circuit — a SPICE netlist, a KiCad schematic, and a JLCPCB fab bundle. Alongside the code sits a contract proof whose axiom footprint is clean of sorryAx, a simulation whose measured quantity satisfies the proved bound, and links to the raw evidence. This page is a generated view of that evidence — nothing is hand-authored; a proof that weren't clean, or a sim check that didn't hold, would show in red. (FPGA RTL — Verilog/VHDL/Chisel — is honestly absent: it needs an @target(fpga) clock annotation these scalar sources don't carry. The tool skips what it can't emit rather than fake it.)

A few cards are proof-first kernels rather than emitted controllers: a closed-loop safety envelope, a pure-math finiteness theorem (iterated-exponential Khovanskii), and two verified finance kernels — an amortization schedule that reconciles to the penny and a 30E/360 day-count whose coupon periods compose exactly, both in exact integers. They earn a place because the same discipline carries beyond control code: a machine-checked contract (clean of sorryAx) paired with a runtime witness that satisfies it.

Reproduction tiers: LOCAL one command, no heavy toolchain · TOOLCHAIN re-derive with Lean / Vivado · REPLAY captured on real hardware, replayed from evidence. 5 controllers + 4 theorems · 151 target emissions · 4 with real-hardware evidence.

Aerospace actuator band guard (FPGA — Arty A7)

examples/actuator_guard.eml · sha256 adaa434e2a58679c
32 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
fpga rtlchiselverilogvhdl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
proof ✓ cleansim ✓ holdshardware replay
proof footprint re-derived 2026-07-02T04:37:24Z from the emitted Lean (not a hand-written probe) · axiom trail

sim plot

The same claim, three ways. The theorem actuator_command_within_band proves the guarded actuator command is always within the certified flight-envelope band [u_min, u_max], for any controller inputs; the sim shows 0 = 0 (the raw command peaks at ±4.53 (well past the band) yet the guarded output never leaves [-1.0,1.0] — the clamp the theorem proves and the RTL/silicon runs); and the same behavior was measured on real hardware.

Amortization schedule — reconciles to the penny (finance)

machlib · MachLib.Finance.amortization_reconciles
a machine-checked result — a proof, not a codegen kernel
proof ✓ cleansim ✓ holds
proof footprint re-derived 2026-07-02T08:43:32Z from the machlib module · axiom trail

sim plot

The same claim, two ways. The theorem MachLib.Finance.amortization_reconciles proves a fixed-rate amortization schedule's principal payments sum to EXACTLY the loan amount and the balance closes to exactly $0.00 — in integer cents, for ANY per-period interest rounding; the sim shows 0 = 0 (schedule reconciles to the penny (final balance $0.00, Σprincipal = $250,000.00, exact integer cents, never float) — AND the rounded balance provably never leaves the certified envelope around exact arithmetic: measured max drift $0.05 ≤ certified cap $5.02 = c·(gᴺ−1)/(g−1)).
Reconciliation is proven EXACT and rounding-mode-independent (Σ principal = loan, balance closes to exactly $0.00; the final payment absorbs the accumulated rounding). Banker's rounding is separately proven correct to ½¢ per period (roundHalfEven_half_ulp). And the accumulated rounding is now bounded END-TO-END: MachLib.Real.amortization_drift_within_envelope proves the rounded balance never leaves the certified envelope cap_N = c·(gᴺ−1)/(g−1) (c=½¢) around exact arithmetic — the expansion dual of the closed-loop safety envelope. Here the worst-case cap is $5.02 while the measured drift is only ~$0.05 (real roundings mostly cancel — the margin is the point, as in the safety card). Everything is INTEGER CENTS — the reconciliation proof never touches a float; all four finance theorems are sorryAx-free and registered in the claim auditor. Honest scope: this certifies the schedule's reconciliation + rounding + drift envelope, NOT a general decimal library, and it is NOT an audit certification.

Saturating clamp (output bounded to [-1, 1])

examples/clamp_bounded.eml · sha256 602c87f60a2a9b9b
29 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
proof ✓ cleansim ✓ holds
proof footprint re-derived 2026-07-02T04:37:24Z from the emitted Lean (not a hand-written probe) · axiom trail

sim plot

The same claim, two ways. The theorem clamp_in_unit_interval proves clamp_unit(x) is always within [-1, 1] for every input x; the sim shows 1.0 ≤ 1.0 (clamp band [-1.0, 1.0]).

Day-count & accrual — coupon periods compose exactly (finance)

machlib · MachLib.Finance.days30E360_additive
a machine-checked result — a proof, not a codegen kernel
proof ✓ cleansim ✓ holds
proof footprint re-derived 2026-07-02T08:57:45Z from the machlib module · axiom trail

sim plot

The same claim, two ways. The theorem MachLib.Finance.days30E360_additive proves the 30E/360 day-count is additive — splitting a coupon period at ANY intermediate date preserves the total day-count, so accrued interest composes exactly (no interest created or destroyed by moving an accrual boundary); the sim shows 0 = 0 (the 20 semiannual periods each count exactly 180 days and sum to 3600 = the direct issue→maturity count — 30E/360 is additive, so accrued interest composes exactly (total accrued $500,000.00). Honest contrast on 2020-01-15→02-28 split at 01-31: 30E/360 adds (43=43) but US 30/360 does NOT (44≠43) — why the additive convention is the right one).
The headline (days30E360_additive) is EXACT: splitting a coupon period at any intermediate date preserves the total day-count, so accrued interest composes exactly (accrual_additive) — no interest is manufactured by moving an accrual boundary, the day-count analogue of amortization's telescoping reconciliation. Plus regularity (equal calendar spacing ⇒ equal day-count ⇒ equal coupons) and a full year = 360. Honest domain point: this uses 30E/360 (Eurobond) precisely BECAUSE it's additive — the US 30/360 'bond basis' is NOT (its end-of-month rule depends on the other endpoint; the sim exhibits a case where US gives 44≠43 while 30E/360 gives 43=43). All pure INTEGER arithmetic — #print axioms is propext + Quot.sound only, not even Classical.choice — and registered in the claim auditor. Honest scope: certifies the day-count convention's algebra, NOT a full calendar/business-day library, and NOT an audit certification.

Iterated-exponential Khovanskii finiteness (depth 2)

machlib · MachLib.ChainExp2NoZeros.chain2_khovanskii_bound_unconditional
a machine-checked result — a proof, not a codegen kernel
proof ✓ cleansim ✓ holds
proof footprint re-derived 2026-07-02T04:37:24Z from the machlib module · axiom trail

sim plot

The same claim, two ways. The theorem MachLib.ChainExp2NoZeros.chain2_khovanskii_bound_unconditional proves a polynomial in the tower (x, eˣ, e^{eˣ}) that is nonzero at even one interior point has only FINITELY many zeros on (a,b) — the count derived from Rolle's theorem, not cited from Khovanskii; the sim shows 3 = 3 (count stable under 100× grid refinement ⇒ finite; e^(e^x) never vanishes so adds no zeros — consistent with the machine-checked bound).
Depth-2 shown here (proof + zero-count witness). Depth-3 is ALSO proven clean (MachLib.IterExpDepth3Bound.chain3_khovanskii_bound_unconditional); the ∀N generalization is in progress (lemma-1 + the reduce seam are done, machine-checked). General-depth PfaffianFunction.zero_bound STILL cites the classical Khovanskii axiom — only depths 1–3 are counted, not quoted.

PID controller (output clamped to actuator range)

examples/pid_controller.eml · sha256 4d51cd9248714388
29 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
proof ✓ cleansim ✓ holdshardware replay
proof footprint re-derived 2026-07-02T04:37:24Z from the emitted Lean (not a hand-written probe) · axiom trail

sim plot

The same claim, three ways. The theorem pid_output_clamped proves the control output is always within the actuator band [OUT_MIN, OUT_MAX] = [-1, 1]; the sim shows 1.0 ≤ 1.0 (actuator band [-1.0, 1.0]); and the same behavior was measured on real hardware.

RC low-pass filter (τ = R·C, step response)

examples/rc_filter.eml · sha256 ed5acb7a4025d3f1
32 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
circuit/fabjlcpcbkicadspice
proof ✓ cleansim ✓ holdshardware replay
proof footprint re-derived 2026-07-02T04:37:24Z from the emitted Lean (not a hand-written probe) · axiom trail

sim plot

The same claim, three ways. The theorem rc_time_constant_def proves the filter time constant is exactly τ = R·C; the sim shows 0.0068 ≤ 0.01 (settles to Vin within 5τ); and the same behavior was measured on real hardware.

Closed-loop safety envelope under an injected fault

machlib · MachLib.Real.first_order_clamp_envelope
a machine-checked result — a proof, not a codegen kernel
proof ✓ cleansim ✓ holdshardware replay
proof footprint re-derived 2026-07-02T04:37:24Z from the machlib module · axiom trail

sim plot

The same claim, three ways. The theorem MachLib.Real.first_order_clamp_envelope proves for a first-order plant with a saturating actuator clamp (|u|≤U) and bounded disturbance (|w|≤W), the state stays within the envelope X=(U+W)/(1−a) for ALL time and ANY controller; the sim shows 0.8 ≤ 2.0 (state stays inside the proved envelope X*=(U+W)/(1−|a|) even after the injected fault — safety rides on the clamp, not on good control); and the same behavior was measured on real hardware.
The envelope is a conservative worst-case SAFETY bound — real trajectories sit well inside it (here the fault peak is ~40% of the envelope). That margin IS the safety, not a defect: the bound rests on the actuator clamp, not on good control. Measured on real hardware (ESP32 RC + a nonlinear diode-RC plant) it held under an injected fault while the breadboard limit-cycled.

Bounded sine oscillator (|output| ≤ amplitude)

examples/sine_oscillator.eml · sha256 73837d61bea80a15
29 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
proof ✓ cleansim ✓ holds
proof footprint re-derived 2026-07-02T04:37:24Z from the emitted Lean (not a hand-written probe) · axiom trail

sim plot

The same claim, two ways. The theorem sine_oscillator_amplitude_bound proves |A·sin(ωt)| ≤ A for A ∈ [0,1], ω ∈ [0, 1e4], t ≥ 0; the sim shows 0.8 ≤ 0.8 (amplitude bound |·| ≤ 0.8).