Saturating clamp (output bounded to [-1, 1])

clamp_in_unit_interval proves clamp_unit(x) is always within [-1, 1] for every input x; the sim shows 1.0 ≤ 1.0 (clamp band [-1.0, 1.0]).One source → every target — proved, simulated, and (where it exists) measured.
Each card below was produced by one command (make all) from a single EML
source. From that one source Forge emits every target it can — general-purpose software,
GPU shaders, LLVM IR, machine-checked proofs (Lean / Coq / Isabelle), safety-critical
(Ada / SPARK, AUTOSAR, AADL, ROS2), a smart contract, a zk circuit, and — for the RC
filter, which is an actual circuit — a SPICE netlist, a KiCad schematic, and a JLCPCB fab bundle.
Alongside the code sits a contract proof whose axiom footprint is clean of sorryAx, a
simulation whose measured quantity satisfies the proved bound, and links to the raw evidence.
This page is a generated view of that evidence — nothing is hand-authored; a proof that
weren't clean, or a sim check that didn't hold, would show in red. (FPGA RTL — Verilog/VHDL/Chisel —
is honestly absent: it needs an @target(fpga) clock annotation these scalar
sources don't carry. The tool skips what it can't emit rather than fake it.)
Reproduction tiers: LOCAL one command, no heavy toolchain · TOOLCHAIN re-derive with Lean / Vivado · REPLAY captured on real hardware, replayed from evidence. 4 controllers + 2 theorems · 119 target emissions · 3 with real-hardware evidence.

clamp_in_unit_interval proves clamp_unit(x) is always within [-1, 1] for every input x; the sim shows 1.0 ≤ 1.0 (clamp band [-1.0, 1.0]).MachLib.ChainExp2NoZeros.chain2_khovanskii_bound_unconditional
MachLib.ChainExp2NoZeros.chain2_khovanskii_bound_unconditional proves a polynomial in the tower (x, eˣ, e^{eˣ}) that is nonzero at even one interior point has only FINITELY many zeros on (a,b) — the count derived from Rolle's theorem, not cited from Khovanskii; the sim shows 3 = 3 (count stable under 100× grid refinement ⇒ finite; e^(e^x) never vanishes so adds no zeros — consistent with the machine-checked bound).
pid_output_clamped proves the control output is always within the actuator band [OUT_MIN, OUT_MAX] = [-1, 1]; the sim shows 1.0 ≤ 1.0 (actuator band [-1.0, 1.0]); and the same behavior was measured on real hardware.
rc_time_constant_def proves the filter time constant is exactly τ = R·C; the sim shows 0.0068 ≤ 0.01 (settles to Vin within 5τ); and the same behavior was measured on real hardware.MachLib.Real.first_order_clamp_envelope
MachLib.Real.first_order_clamp_envelope proves for a first-order plant with a saturating actuator clamp (|u|≤U) and bounded disturbance (|w|≤W), the state stays within the envelope X=(U+W)/(1−a) for ALL time and ANY controller; the sim shows 0.8 ≤ 2.0 (state stays inside the proved envelope X*=(U+W)/(1−|a|) even after the injected fault — safety rides on the clamp, not on good control); and the same behavior was measured on real hardware.
sine_oscillator_amplitude_bound proves |A·sin(ωt)| ≤ A for A ∈ [0,1], ω ∈ [0, 1e4], t ≥ 0; the sim shows 0.8 ≤ 0.8 (amplitude bound |·| ≤ 0.8).