{
  "controller": "safety",
  "name": "Closed-loop safety envelope under an injected fault",
  "kind": "theorem",
  "label": "The envelope is a conservative worst-case SAFETY bound \u2014 real trajectories sit well inside it (here the fault peak is ~40% of the envelope). That margin IS the safety, not a defect: the bound rests on the actuator clamp, not on good control. Measured on real hardware (ESP32 RC + a nonlinear diode-RC plant) it held under an injected fault while the breadboard limit-cycled.",
  "source": {
    "lean": "MachLib.ClosedLoopSafety",
    "theorem": "MachLib.Real.first_order_clamp_envelope"
  },
  "emitted": [],
  "proof": {
    "theorem": "MachLib.Real.first_order_clamp_envelope",
    "claim": "for a first-order plant x+ = a x + u + w with a saturating actuator clamp (|u|\u2264U) and bounded disturbance (|w|\u2264W), the state stays within the envelope X=(U+W)/(1\u2212|a|) for ALL time and ANY controller upstream of the clamp (the envelope is only finite and positive for |a|<1); NOTE(review): the Lean statement presumably also requires the initial state to lie inside the envelope, since the bound is an invariance result \u2014 confirm against first_order_clamp_envelope",
    "trail_file": "proof/first_order_clamp_envelope.axioms.txt",
    "clean": true,
    "forbidden_axioms_found": [],
    "rederived": "2026-07-02T04:37:24Z",
    "source_artifact": "MachLib.ClosedLoopSafety (machlib module; the theorem's own #print axioms output). NOTE(review): 'clean' means no forbidden axiom appeared in that output, but the forbidden list itself is not recorded here \u2014 confirm it covers sorryAx and any project-local axiom",
    "reverify": "make verify-proof",
    "tier": "REPLAY (re-derive: TOOLCHAIN \u2014 Lean)"
  },
  "sim": {
    "plant": "x+ = 0.5x + u + w, |u|<=0.3 (a=0.5, U=0.3), clamp guard, K=3.0; the disturbance bound W is not recorded here \u2014 with X=(U+W)/(1\u2212a), envelope_nominal 0.8 implies W=0.1 and envelope_fault 2.0 implies W=0.7 under fault (confirm against the sim config)",
    "envelope_nominal": 0.8,
    "envelope_fault": 2.0,
    "fault_injected_at": 200,
    "samples": 400,
    "trace_csv": "trace.csv",
    "plot_png": "safety_envelope.png",
    "check": {
      "quantity": "max|x| over the whole run (fault injected at sample 200 of 400); NOTE(review): compared against the fault envelope only \u2014 the pre-fault segment is not separately checked against envelope_nominal 0.8, and the recorded max equals that nominal envelope exactly, so a split pre-/post-fault check would be stronger evidence",
      "value": 0.8,
      "relation": "\u2264",
      "bound": 2.0,
      "holds": true,
      "context": "state stays inside the proved envelope X*=(U+W)/(1\u2212|a|) even after the injected fault \u2014 safety rides on the clamp, not on good control"
    },
    "tier": "LOCAL"
  },
  "hardware": {
    "tier": "replay",
    "note": "the same clamp-guarded envelope was measured on real silicon under an INJECTED fault: ESP32 DAC\u2192R\u2192C plant (nominal 0.806\u22641.0, +1.0 fault 1.546\u22642.0) and a genuinely nonlinear diode-RC plant (785/806 sample reversals = real noise) \u2014 the loop limit-cycled, nothing like the sim, yet the envelope held. Replayed from capture.",
    "evidence_ref": "monogate-research/electronics_intake (closed-loop safety, RC + nonlinear diode-RC) \u2014 no commit hash or capture digest is recorded; pin one so the replay tier can be checked against the exact capture"
  }
}