Verified controller zoo

One source → every target — proved, simulated, and (where it exists) measured.

Each card below was produced by one command (make all) from a single EML source. From that one source Forge emits every target it can — general-purpose software, GPU shaders, LLVM IR, machine-checked proofs (Lean / Coq / Isabelle), safety-critical (Ada / SPARK, AUTOSAR, AADL, ROS2), a smart contract, a zk circuit, and — for the RC filter, which is an actual circuit — a SPICE netlist, a KiCad schematic, and a JLCPCB fab bundle. Alongside the code sits a contract proof whose axiom footprint is clean of sorryAx, a simulation whose measured quantity satisfies the proved bound, and links to the raw evidence. This page is a generated view of that evidence — nothing is hand-authored; a proof that weren't clean, or a sim check that didn't hold, would show in red. (FPGA RTL — Verilog/VHDL/Chisel — is honestly absent: it needs an @target(fpga) clock annotation these scalar sources don't carry. The tool skips what it can't emit rather than fake it.)

Reproduction tiers: LOCAL one command, no heavy toolchain · TOOLCHAIN re-derive with Lean / Vivado · REPLAY captured on real hardware, replayed from evidence. 4 controllers · 119 target emissions from 4 sources · 2 with real-hardware evidence.

Saturating clamp (output bounded to [-1, 1])

examples/clamp_bounded.eml · sha256 602c87f60a2a9b9b
29 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
proof ✓ cleansim ✓ holds

sim plot

The same claim, two ways. The theorem clamp_in_unit_interval proves clamp_unit(x) is always within [-1, 1] for every input x; the sim shows 1.0 ≤ 1.0 (clamp band [-1.0, 1.0]).

PID controller (output clamped to actuator range)

examples/pid_controller.eml · sha256 4d51cd9248714388
29 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
proof ✓ cleansim ✓ holdshardware replay

sim plot

The same claim, three ways. The theorem pid_output_clamped proves the control output is always within the actuator band [OUT_MIN, OUT_MAX] = [-1, 1]; the sim shows 1.0 ≤ 1.0 (actuator band [-1.0, 1.0]); and the same behavior was measured on real hardware.

RC low-pass filter (τ = R·C, step response)

examples/rc_filter.eml · sha256 ed5acb7a4025d3f1
32 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
circuit/fabjlcpcbkicadspice
proof ✓ cleansim ✓ holdshardware replay

sim plot

The same claim, three ways. The theorem rc_time_constant_def proves the filter time constant is exactly τ = R·C; the sim shows 0.0068 ≤ 0.01 (settles to Vin within 5τ); and the same behavior was measured on real hardware.

Bounded sine oscillator (|output| ≤ amplitude)

examples/sine_oscillator.eml · sha256 73837d61bea80a15
29 targets from one source
softwareccppcsharpgdscriptgojavajavascriptkotlinluaumatlabpythonrustswiftwasm
gpu shaderglslglsl-eshlslmetalwgsl
compiler IRllvm
proofcoqisabellelean
safety-criticalaadlada/sparkautosarros2
blockchainsolidityzkproof
proof ✓ cleansim ✓ holds

sim plot

The same claim, two ways. The theorem sine_oscillator_amplitude_bound proves |A·sin(ωt)| ≤ A for A ∈ [0,1], ω ∈ [0, 1e4], t ≥ 0; the sim shows 0.8 ≤ 0.8 (amplitude bound |·| ≤ 0.8).