Grok Challenge #1, Paper 5 - Intrafere Research Group

← PAPER DIRECTORY

This is the 5th paper and rough draft answer generated for @Grok’s 2/28/2026 challenge to MOTO ASI by Intrafere Research Group. A fully autonomous super intelligence AI harness. Company Website: https://intrafere.com/ Software GitHub that produced this paper: https://github.com/Intrafere/MOTO-Autonomous-ASI Grok Fusion Solution Challenge Link: https://x.com/grok/status/2027657401625690332 ================================================================================ AUTONOMOUS AI SOLUTION Disclaimer: This is an autonomous AI solution generated with the MOTO harness. This paper was not peer reviewed and was autonomously generated without user oversight or interaction beyond the original user prompt, therefore, this text may contain errors. These papers often contain ambitious content and/or extraordinary claims, all content should be viewed with extreme scrutiny. (EDITOR NOTE: This single paper does not attempt to solve the user’s prompt entirely, it is meant to be one piece toward the complex solution required for the users prompt – total solutions typically are achieved in later papers) User’s Research Prompt: Deliver a complete, engineering-ready blueprint for a compact stellarator fusion reactor achieving sustained Q>15 net gain by 2030—using only near-term materials, full MHD/plasma stability models, tritium breeding cycle, and <$5B build cost. Include all equations, sim code, and falsifiable tests. AI Model Authors: x-ai/grok-4.1-fast, openai/gpt-5.2, moonshotai/kimi-k2.5 Possible Models Used for Additional Reference: - moonshotai/kimi-k2.5 (3) - openai/gpt-5.2 (3) - x-ai/grok-4 (2) - x-ai/grok-4.1-fast - z-ai/glm-5 (2) Generated: 2026-02-28 ================================================================================ Paper Title: Certified Adjoint Sensitivity and Thermo-Electro-Mechanical Margins for 3D Stellarator Coils Abstract We present a certification-first mathematical specification for evaluating and optimizing 3D non-axisymmetric stellarator coil systems under declared manufacturing/alignment uncertainty. The central object is a one-sided certified margin for each requirement, defined as a nominal discrete margin minus an explicit numerical inflation (discretization/solver/sampling error) and an explicit uncertainty inflation (worst-case first-order degradation over a declared uncertainty set). All quantities are defined with respect to a declared discrete pipeline, and the framework is fail-closed: when prerequisites for a bound or gradient are not met, the output is explicitly marked inconclusive rather than optimistic. All physics modules are coupled through a global residual system, and end-to-end derivatives are computed by a unified implicit-adjoint identity with a required audit record: matrix-free JVP/VJP operator actions, primal/adjoint residual norms, conditioning proxies, and nonsmooth-event/active-set stability flags. Adjoint sensitivities are converted to auditable robust inflations via dual-norm formulas for box and ellipsoidal tolerance sets, and are combined with gap-aware numerical inflations for extrema computed from discrete samples (via Lipschitz/covering arguments when available). Within this common interface we outline certified wrappers for field-quality functionals and spectral proxies, Lorentz-load-driven stress margins, reduced quench hot-spot and MIIT/energy bounds, spectral discharge envelopes for voltage/MIIT/decay time, quench detectability margins, insulation-voltage envelopes, AC-loss-to-cryo power accounting, critical-surface lower envelopes, and cyclic shakedown/no-slip conic surrogates. These certificates drive convex tolerance allocation and certificate-aware joint/segmentation optimization templates, and are paired with falsifiable subscale validation protocols and an explicit catalog of limitations and external verification gaps. I. Introduction Design and optimization of non-axisymmetric stellarator coil systems require balancing field-quality objectives against tightly coupled thermo-electro-mechanical (TEM) engineering constraints: Lorentz-load-driven stresses and support reactions, quench hot-spot limits and protection dynamics, voltage and insulation envelopes, cryogenic power budgets, and (often) discrete choices such as segmentation and joint placement. In practice these quantities are computed by heterogeneous numerical modules (magnetostatic field evaluation, structural solvers, reduced thermal/quench models, circuit time integration, and auxiliary surrogate maps). A central risk in gradient-based design loops is \emph{numerical false feasibility}: an optimizer can exploit discretization error, solver tolerances, undersampling of extrema, nonsmooth max/min operations, and ill-conditioned linearizations to produce designs that appear feasible (and with plausible gradients) but are not auditable or robust under manufacturing and alignment tolerances. This paper proposes a certification-first mathematical specification for such coupled coil-evaluation pipelines. The intent is not to claim that any particular reduced physics closure is universally adequate, but to formalize (i) what it means to report a conservative one-sided constraint satisfaction statement for a \emph{declared discrete computation}, (ii) how to compute end-to-end sensitivities of those declared computations by implicit adjoints, and (iii) how to convert those sensitivities into auditable first-order worst-case inflations over explicit uncertainty sets. The resulting objects are designed to be optimization-facing while remaining falsifiable: when prerequisites for a bound or gradient are not met, the correct output is an explicit \emph{inconclusive} flag rather than an optimistic number. \paragraph{Certified margins and audit records.} Throughout the paper, each requirement is represented by a scalar margin $m_j$ with the feasibility convention $m_j\ge 0$. The certified quantity reported to an optimizer is a one-sided conservative bound of the form \[ m_j^{\mathrm{cert}}(\mathbf{p},\mathbf{z}) \,=\, m_j^{\mathrm{nom}}(\mathbf{p},\mathbf{z}) \, -\, \Delta_j^{\mathrm{num}}(\mathbf{p},\mathbf{z}) \, -\, \Delta_j^{\mathrm{unc}}(\mathbf{p},\mathbf{z}), \] where $\mathbf{p}$ denotes continuous design parameters (geometry, conductor, circuit, supports) and $\mathbf{z}$ denotes discrete decisions (segmentation, joints, routing classes, etc.). Here $m_j^{\mathrm{nom}}$ is the nominal margin computed by the declared numerical pipeline; $\Delta_j^{\mathrm{num}}\ge 0$ is an explicit numerical inflation intended to bound discretization/solver/sampling errors of that declared pipeline; and $\Delta_j^{\mathrm{unc}}\ge 0$ is an explicit uncertainty inflation intended to bound worst-case margin degradation over a declared manufacturing/alignment perturbation set. A key deliverable is an \emph{audit record} that returns, for every constraint, the tuple $(m^{\mathrm{nom}},\Delta^{\mathrm{num}},\Delta^{\mathrm{unc}},m^{\mathrm{cert}})$ together with solver residuals, conditioning/credibility diagnostics, and (when applicable) worst-case linearized perturbation patterns. \paragraph{Coupled residuals and certified adjoint sensitivities.} All outputs are treated as functions of a coupled discrete state $\mathbf{U}$ defined implicitly by a global residual system $\mathcal{R}(\mathbf{U},\mathbf{p},\mathbf{z})=\mathbf{0}$, with blocks representing magnetostatics, mechanics, thermal/quench evolution, and circuit/protection dynamics. Under standard differentiability and nonsingularity assumptions (which are required to be checked and diagnosed in the implementation), scalar derivatives are computed by the implicit-adjoint identity \[ \frac{d\psi}{d\mathbf{p}} \,=\, \partial_{\mathbf{p}}\psi \, -\, \boldsymbol\lambda^T\partial_{\mathbf{p}}\mathcal{R}, \qquad (\partial_{\mathbf{U}}\mathcal{R})^T\boldsymbol\lambda \,=\, (\partial_{\mathbf{U}}\psi)^T, \] with an explicit contract for matrix-free JVP/VJP operator actions and mandatory reporting of primal/adjoint residual norms. These diagnostics are then used to define \emph{credibility gates}: if an adjoint solve is inaccurate or the linearization is ill-conditioned or nonsmooth events are active (e.g. max-location switching or event-time switching), gradient-based inflations and optimization steps must be marked non-credible. \paragraph{Uncertainty models and robust inflations.} Manufacturing/alignment uncertainty is represented by a shared perturbation vector $\delta$ and an embedding $\tilde{\mathbf{p}}=\mathbf{p}+\mathbf{B}\delta$. The paper focuses on deterministic uncertainty sets suitable for worst-case guarantees at the level of the declared linearization: (i) componentwise box sets and (ii) ellipsoidal sets. Given a computed sensitivity row $g_j = \nabla_{\delta} m_j^{\mathrm{nom}}(0)$, the paper uses dual-norm formulas to compute first-order worst-case inflations $\Delta^{\mathrm{unc}}$ that are exact for the linearized model, while clearly separating the (nontrivial) problem of controlling higher-order remainders. \paragraph{Physics-to-margin modules, optimization layers, and falsification.} Building on this common semantic and adjoint backbone, the paper shows how a range of coil-relevant constraints can be wrapped into the same one-sided interface: field-quality functionals and spectral proxies; Lorentz-load-driven stress proxies; reduced quench hot-spot and energy/MIIT bounds; spectral/eigenvalue-based discharge envelopes for current decay, voltage, and MIIT; detectability margins expressed as signal-versus-confounder envelopes; internal-voltage and insulation envelopes; AC-loss-to-cryo power accounting; critical-surface lower envelopes; and cyclic shakedown/no-slip conic surrogates. The same certified outputs then drive robust tolerance allocation problems (convex box/ellipsoid counterparts) and certificate-aware joint optimization templates, including mixed-integer layers for segmentation and joint placement. \paragraph{Roadmap.} Section II defines the certificate semantics, the data interfaces, and the auditability contract, including the decomposition into nominal values and explicit inflations and the treatment of continuous extrema computed from discrete samples. Section III formulates the coupled residual system and derives the implicit-adjoint identities together with error/credibility diagnostics, then connects adjoint sensitivities to first-order robust inflations over declared uncertainty sets. Section IV instantiates a collection of physics-to-margin modules under the same certified interface. Section V formulates robust tolerance allocation and joint/segmentation optimization layers (convex and mixed-integer) that treat feasibility exclusively through certified margins. Section VI specifies an integrated blueprint evaluator that returns certified margins, gradients (or inconclusive flags), and a complete audit record suitable for outer-loop optimization. Section VII proposes falsifiable subscale validation protocols intended to test and tighten declared inflations and surrogate closures. Section VIII summarizes limitations and external verification gaps that bound the interpretation of the certificates. The overarching goal is a mathematically explicit template for optimization-safe coil engineering workflows: conservative one-sided margins with explicit numerical and uncertainty inflations, end-to-end adjoint sensitivities with credibility diagnostics, and a shared uncertainty model that makes robustness claims composable across field-quality and TEM constraints. II. Certification Semantics, Problem Setup, and Data Interfaces This section specifies (i) what is meant by a \"certificate\" in this paper, (ii) the mathematical objects to be evaluated and differentiated, and (iii) the software-facing interfaces required to make the resulting bounds auditable. All certificates below are conditional on explicitly declared modeling assumptions (physics closures, discretizations, and regularity), and are intended to be one-sided bounds suitable for conservative design decisions. II.A. Geometry and design variables II.A.1. Coil geometry representations and parameter vectors We model a coil set by a parameter vector \[ \mathbf{p} = (\mathbf{p}_{\mathrm{geo}},\,\mathbf{p}_{\mathrm{cond}},\,\mathbf{p}_{\mathrm{circ}},\,\mathbf{p}_{\mathrm{sup}}) \in \mathbb{R}^{n_p}, \] where the blocks encode geometry, conductor design, circuit/protection choices, and support/joint data. Geometry may be provided in either of the following forms. (1) Centerline-based: for each coil $k\in\{1,\dots,N_c\}$, a smooth closed curve $\gamma_k:[0,1]\to\mathbb{R}^3$ (periodic endpoint identification). We assume $\gamma_k$ is at least $C^1$ and piecewise $C^2$ so that tangent and curvature are well-defined almost everywhere. (2) Surface-based: a winding surface $S_k\subset\mathbb{R}^3$ (e.g. a toroidal surface patch) with an embedding map $\mathbf{x}_k(u,v)$. A current potential or filament distribution is then defined on $S_k$. For certification, the interface must expose the dependence of any sampled quantity on $\mathbf{p}_{\mathrm{geo}}$, regardless of whether the internal representation is CAD (STEP), triangulated (STL), or spline/Fourier. In all cases, we treat $\mathbf{p}_{\mathrm{geo}}$ as the differentiable parameterization of the coil set. Examples include spline control points, Fourier coefficients, or a reduced basis of rigid-body motions and local shape modes. II.A.2. Segmentation and discrete design decisions Let $\mathbf{z}$ denote discrete decisions (e.g. segmentation into modules, joint locations, sensor/tap routing categories). In this body section we do not assume any particular combinatorial structure; we only require that for each fixed $\mathbf{z}$ the continuous evaluation problem is well-defined. When discrete choices affect continuous physics (e.g. adding a joint resistance), this appears as parameter dependence in the residual and outputs. II.A.3. Conductor-design variables and scenarios Conductor design is represented abstractly by a vector $\mathbf{p}_{\mathrm{cond}}$ which may include cross-sectional areas of stabilizer, grading fractions along arc length, or local orientation choices. Because material critical-surface laws and degradation models are highly system-dependent, this paper treats $\mathbf{p}_{\mathrm{cond}}$ through user-supplied constitutive maps with declared validity ranges. No numerical material limits are asserted as universal. II.B. States, outputs, and margin functions II.B.1. State vector and coupled outputs Let $\mathbf{U}\in\mathbb{R}^{n_U}$ be the global state of the coupled model (possibly including discretized field samples, structural displacements, temperatures, and circuit currents). The model is expressed as a residual equation \[ \mathcal{R}(\mathbf{U},\mathbf{p},\mathbf{z})=\mathbf{0}. \] The precise composition of $\mathbf{U}$ is deferred to Section III; here we only require that $\mathcal{R}$ is differentiable in the variables with respect to which adjoints are taken (typically $\mathbf{U}$ and the continuous part of $\mathbf{p}$). Engineering quantities of interest are functions $Q_j(\mathbf{U},\mathbf{p},\mathbf{z})\in\mathbb{R}$ such as peak field-error metrics, peak von Mises stress, peak temperature, dump voltage, MIIT integrals, cryogenic power, or internal insulation voltages. II.B.2. One-sided margins and sign conventions For each requirement indexed by $j$, we define a scalar margin function $m_j$ so that feasibility corresponds to nonnegativity: \[ \text{Constraint }j\text{ is satisfied} \quad \Longleftrightarrow \quad m_j(\mathbf{U},\mathbf{p},\mathbf{z}) \ge 0. \] A typical form is \[ m_j(\mathbf{U},\mathbf{p},\mathbf{z}) := Q_j^{\mathrm{lim}} - Q_j(\mathbf{U},\mathbf{p},\mathbf{z}), \] for an upper-limited quantity $Q_j$ (stress, temperature, voltage), or \[ m_j(\mathbf{U},\mathbf{p},\mathbf{z}) := Q_j(\mathbf{U},\mathbf{p},\mathbf{z}) - Q_j^{\mathrm{lim}}, \] for a lower-limited quantity (e.g. minimum critical-current ratio). We emphasize that many practical constraints are themselves maxima over a domain (e.g. $Q_j=\max_{x\in\Omega} q(x)$). Certification must therefore address both (i) uncertainty in $\mathbf{p}$ and (ii) discretization/sampling error in approximating extrema. II.B.3. Certified margin structure and decomposition of inflations A \emph{certified} one-sided margin is defined as \[ m^{\mathrm{cert}}_j(\mathbf{p},\mathbf{z}) := m^{\mathrm{nom}}_j(\mathbf{p},\mathbf{z}) - \Delta^{\mathrm{num}}_j(\mathbf{p},\mathbf{z}) - \Delta^{\mathrm{unc}}_j(\mathbf{p},\mathbf{z}), \] where: 1. $m^{\mathrm{nom}}_j$ is the margin computed by the declared numerical pipeline at the nominal design $\mathbf{p}$ (and possibly at a nominal pose/shape realization). 2. $\Delta^{\mathrm{num}}_j\ge 0$ is an explicit numerical inflation intended to upper-bound errors from discretization, solver tolerance, incomplete convergence, or grid sampling. 3. $\Delta^{\mathrm{unc}}_j\ge 0$ is an explicit uncertainty inflation intended to upper-bound the worst-case degradation of the margin over a declared uncertainty set. The certificate semantics are: \[ m^{\mathrm{cert}}_j(\mathbf{p},\mathbf{z}) \ge 0 \quad\Longrightarrow\quad m_j(\mathbf{U}(\tilde{\mathbf{p}},\mathbf{z}),\tilde{\mathbf{p}},\mathbf{z})\ge 0\ \text{for all }\tilde{\mathbf{p}}\in\mathcal{U}(\mathbf{p}) \] \emph{provided} the inflations are valid for the declared model class and discretization, and $\mathbf{U}(\tilde{\mathbf{p}},\mathbf{z})$ denotes a solution of the residual system at $\tilde{\mathbf{p}}$. The implication is conditional: if $\Delta^{\mathrm{num}}_j$ or $\Delta^{\mathrm{unc}}_j$ are underestimated, the guarantee may fail. II.C. Uncertainty sets and robust bounding tools Let $\delta\in\mathbb{R}^{n_\delta}$ denote the perturbation vector that parameterizes manufacturing/alignment/pose/shape uncertainty around the nominal design $\mathbf{p}$. We write the perturbed parameters as \[ \tilde{\mathbf{p}} = \mathbf{p} + \mathbf{B}\,\delta, \] where $\mathbf{B}$ is a (user-defined) linear map selecting how perturbations enter the full parameter vector (e.g. separating rigid-body modes from local shape modes). For a scalar quantity $\phi(\delta):=m_j(\mathbf{U}(\mathbf{p}+\mathbf{B}\delta,\mathbf{z}),\mathbf{p}+\mathbf{B}\delta,\mathbf{z})$, the worst-case decrease of the margin is bounded to first order by \[ \phi(\delta) \ge \phi(0) + \nabla\phi(0)^T\delta - \text{(higher-order remainder)}. \] The certificates in this paper use first-order robust bounds plus an explicit remainder allowance when available. II.C.1. Box uncertainty and dual-norm inflation Let \[ \mathcal{U}_{\infty}(\mathbf{t}) := \{\delta\in\mathbb{R}^{n_\delta}: |\delta_i|\le t_i\ \forall i\}, \] with tolerance vector $\mathbf{t}\ge 0$. For a differentiable scalar map $\phi$, the worst-case first-order deviation over the box is \[ \sup_{\delta\in\mathcal{U}_{\infty}(\mathbf{t})} \nabla\phi(0)^T\delta = \sum_{i=1}^{n_\delta} |\partial_{\delta_i}\phi(0)|\,t_i. \] Thus a conservative first-order uncertainty inflation for a margin $m_j$ (with $m_j$ to be protected against decrease) is \[ \Delta^{\mathrm{unc}}_{j,\infty} := \sum_{i=1}^{n_\delta} \bigl|\partial_{\delta_i} m^{\mathrm{nom}}_j\bigr|\, t_i. \] This is exact for the linearization; additional terms are required to cover higher-order effects. When $t_i$ represent independent componentwise tolerances, the above provides an auditable algebraic certificate once the gradient components are computed. II.C.2. Ellipsoidal uncertainty and induced-norm inflation Let an ellipsoidal uncertainty set be given by \[ \mathcal{U}_2(\rho,\mathbf{W}) := \{\delta: \|\mathbf{W}\delta\|_2 \le \rho\}, \] where $\mathbf{W}\in\mathbb{R}^{n_\delta\times n_\delta}$ is invertible and $\rho>0$ is a radius. Then \[ \sup_{\delta\in\mathcal{U}_2(\rho,\mathbf{W})} \nabla\phi(0)^T\delta = \rho\,\|\mathbf{W}^{-T}\nabla\phi(0)\|_2. \] Therefore, for a margin $m_j$, a first-order uncertainty inflation is \[ \Delta^{\mathrm{unc}}_{j,2} := \rho\,\|\mathbf{W}^{-T}\nabla m^{\mathrm{nom}}_j\|_2. \] This form is appropriate when uncertainties are correlated or expressed in a covariance-weighted metric. The certificate remains a worst-case bound on the linearized effect; any probabilistic interpretation (e.g. mapping a Gaussian covariance to $\rho$) must be stated explicitly and separately justified. II.C.3. Gaussian pose uncertainty and conservative conversion (optional) If $\delta\sim\mathcal{N}(0,\boldsymbol\Sigma)$ is used as a modeling convenience, one may choose an ellipsoid $\{\delta: \delta^T\boldsymbol\Sigma^{-1}\delta\le \rho^2\}$ as a \emph{design} uncertainty set; however, this is not automatically a worst-case guarantee unless $\rho$ is chosen according to an explicit risk policy and the Gaussian model is externally validated. In this paper we treat Gaussian descriptions as inputs that may be converted to deterministic sets only when a conservative radius-selection rule is declared. II.D. Discrete sampling vs. continuous extrema (gap-aware) Many relevant quantities are defined as extrema over continuous domains, e.g. \[ Q(\mathbf{p}) = \max_{x\in\Omega} q(x;\mathbf{p}), \qquad \Omega \subset \mathbb{R}^d\ \text{compact}. \] In practice, $Q$ is computed on a finite set of samples $\{x_i\}_{i=1}^N\subset\Omega$: \[ \widehat{Q}(\mathbf{p}) := \max_{1\le i\le N} q(x_i;\mathbf{p}). \] Certification requires a numerical inflation $\Delta^{\mathrm{num}}$ such that \[ Q(\mathbf{p}) \le \widehat{Q}(\mathbf{p}) + \Delta^{\mathrm{num}}(\mathbf{p}). \] A standard sufficient condition is a (known or bounded) Lipschitz constant $L$ of $q(\cdot;\mathbf{p})$ on $\Omega$: \[ |q(x;\mathbf{p})-q(y;\mathbf{p})| \le L\,\|x-y\|, \quad \forall x,y\in\Omega. \] Let $h:=\sup_{x\in\Omega}\min_i \|x-x_i\|$ be the covering radius of the sampling set. Then \[ Q(\mathbf{p}) \le \widehat{Q}(\mathbf{p}) + L h. \] In coil engineering contexts, rigorously bounding $L$ for composite maps (Biot–Savart field evaluation, stress recovery, temperature fields) can be nontrivial and may require problem-specific regularity assumptions and a posteriori estimators. Accordingly: 1. When a verified Lipschitz (or interpolation-error) bound is available, we include it explicitly in $\Delta^{\mathrm{num}}$. 2. When such a bound is not available, the pipeline may still report $\widehat{Q}$ as a numerical estimate, but it must label the result as \emph{uncertified with respect to continuous extrema} and set $\Delta^{\mathrm{num}}$ according to a declared conservative heuristic (or refrain from claiming certification). This gap is tracked explicitly in Section VIII as a prerequisite for truly rigorous CAD-surface extreme-value certification. II.E. Implementation contract (auditability requirements) We formalize an \emph{auditability contract}: any implementation claiming to produce certified margins and certified adjoint sensitivities must provide (at minimum) the following artifacts. II.E.1. Differentiation interfaces (JVP/VJP) for geometry-to-metric maps For each constraint or objective component $m_j$, the code must expose a way to compute directional derivatives with respect to $\delta$ (and/or $\mathbf{p}$) without forming dense Jacobians. (1) JVP (Jacobian-vector product): given a direction $v$, compute $D m_j\, v$. (2) VJP (vector-Jacobian product): given an adjoint weight $w$, compute $w^T D m$, where $m$ is the vector of margins. For sampled field quantities, the interface must include JVP/VJP for the map \[ \delta \mapsto \{ B( x_i(\delta);\,\mathbf{p}+\mathbf{B}\delta )\}_{i=1}^N, \] including the dependence through both the coil geometry and any moving evaluation points/surfaces if relevant. II.E.2. Mandatory reporting of hard margins alongside any surrogates Optimization loops often use smooth surrogate penalties $\widetilde{m}_j$ (e.g. softmax approximations to maxima, barrier functions). To prevent surrogate-based \”false feasibility\”, the evaluator must always return both: 1. The \emph{hard} certified margins $m_j^{\mathrm{cert}}$ (or clearly marked uncertified quantities when certification conditions are unmet), and 2. Any smooth surrogate values used internally. Feasibility must be judged only by the hard margins. II.E.3. Credibility and conditioning diagnostics for adjoint solves Certified sensitivities depend on the correctness of linear solves associated with the implicit-adjoint system (Section III). Therefore, the evaluator must report diagnostics sufficient to audit the gradient calculation, such as: 1. Residual norms for primal and adjoint solves (absolute and relative) and the stopping tolerances used. 2. A conditioning proxy (e.g. Krylov iteration counts, preconditioner effectiveness, or estimates of $\kappa$ for the linearized operator when available). 3. Consistency checks: finite-difference spot checks of selected directional derivatives, and detection of nonsmooth events (e.g. max-location changes, quench-onset event switching) where gradients may be nonclassical. 4. Explicit separation of uncertainty inflation from numerical inflation: \[ (m^{\mathrm{nom}}_j,\,\Delta^{\mathrm{num}}_j,\,\Delta^{\mathrm{unc}}_j,\,m^{\mathrm{cert}}_j) \] must be returned as a tuple for each constraint. These requirements are intended to make the certificates reproducible, reviewable, and falsifiable by independent reruns of the declared pipeline. III. Unified Coupled Residual Formulation and Certified Adjoint Sensitivity This section defines the differentiable object that is certified and differentiated: a coupled discrete residual system whose solution determines all reported margins. We then derive the implicit-adjoint identities used to compute end-to-end sensitivities, and finally connect these sensitivities to the worst-case (first-order) uncertainty inflations introduced in Section II.C. Throughout, we treat all “physics” equations as user-supplied residual blocks. The mathematics below concerns (i) correct differentiation of the declared discrete system, and (ii) how to attach auditable diagnostics (residual norms, solver tolerances, nonsmooth-event flags) so that reported derivatives are interpretable as gradients of the declared computation. III.A. Coupled residual system $\mathcal{R}(\mathbf{U},\mathbf{p},\mathbf{z})=\mathbf{0}$ as the object differentiated III.A.1. Block structure and coupling conventions We assume that the global state $\mathbf{U}\in\mathbb{R}^{n_U}$ is partitioned into blocks \[ \mathbf{U}=(\mathbf{U}_B,\mathbf{U}_{\mathrm{mech}},\mathbf{U}_T,\mathbf{U}_{\mathrm{circ}},\mathbf{U}_{\mathrm{aux}}), \] with the interpretation (respectively) of magnetic-field-related unknowns, mechanical unknowns (displacements/strains), thermal/quench unknowns (temperatures/resistive-zone variables), circuit/protection unknowns (currents/voltages and time discretization states), and auxiliary quantities. We write the residual as a block vector \[ \mathcal{R}(\mathbf{U},\mathbf{p},\mathbf{z})= \begin{bmatrix} \mathcal{R}_B(\mathbf{U}_B;\mathbf{p},\mathbf{z})\\ \mathcal{R}_{\mathrm{mech}}(\mathbf{U}_{\mathrm{mech}},\mathbf{U}_B;\mathbf{p},\mathbf{z})\\ \mathcal{R}_T(\mathbf{U}_T,\mathbf{U}_B,\mathbf{U}_{\mathrm{circ}};\mathbf{p},\mathbf{z})\\ \mathcal{R}_{\mathrm{circ}}(\mathbf{U}_{\mathrm{circ}},\mathbf{U}_T;\mathbf{p},\mathbf{z})\\ \mathcal{R}_{\mathrm{aux}}(\mathbf{U}_{\mathrm{aux}},\mathbf{U};\mathbf{p},\mathbf{z}) \end{bmatrix}. \] This does not impose any particular discretization; it only fixes the directional-dependency graph needed to define Jacobian-vector and adjoint-vector products. In the remainder, we describe representative residual forms for each block to clarify what derivatives must be exposed by an implementation. These examples are not asserted as physically sufficient for any particular device. III.A.2. Magnetostatics: Biot–Savart map and a filament shape derivative (discrete) A common discrete magnetostatic evaluation for filamentary coils computes the magnetic field at points $\{x_i\}_{i=1}^N$ as \[ \mathbf{B}(x_i;\mathbf{p}_{\mathrm{geo}},\mathbf{p}_{\mathrm{circ}}) =\sum_{k=1}^{N_c} \frac{\mu_0 I_k}{4\pi} \int_0^1 \frac{\gamma_k'(s)\times (x_i-\gamma_k(s))}{\|x_i-\gamma_k(s)\|^3}\,ds, \] where the centerline $\gamma_k$ is determined by $\mathbf{p}_{\mathrm{geo}}$ and the current $I_k$ is a component of $\mathbf{p}_{\mathrm{circ}}$ or $\mathbf{U}_{\mathrm{circ}}$, depending on whether currents are treated as states. For certification we require a JVP/VJP interface for the derivative of the discrete quadrature used to approximate the integral. If $\widehat{\mathbf{B}}$ denotes the numerical (quadrature) evaluation, then for any perturbation direction $v$ in geometry-parameter space one must be able to compute \[ D\widehat{\mathbf{B}}(\mathbf{p}_{\mathrm{geo}})[v], \] including both contributions from moving the source curve $\gamma_k$ and (if applicable) moving the observation points $x_i$. Because the Biot–Savart kernel is singular as $x_i\to\gamma_k(s)$, any practical implementation necessarily relies on a regularization/exclusion rule (e.g. distance cutoffs, finite cross-section models, or special quadrature). The certification contract requires that this rule be treated as part of the declared numerical model and that its effect be included either in $\Delta^{\mathrm{num}}$ or be flagged as an uncertified modeling assumption. III.A.3. Structural equilibrium: static residual driven by Lorentz load Let $\mathbf{u}$ denote discrete mechanical unknowns (e.g. nodal displacements). A generic static equilibrium can be written as \[ \mathcal{R}_{\mathrm{mech}}(\mathbf{u},\mathbf{U}_B;\mathbf{p},\mathbf{z}) := \mathbf{f}_{\mathrm{int}}(\mathbf{u};\mathbf{p}_{\mathrm{sup}},\mathbf{z}) – \mathbf{f}_{\mathrm{ext}}(\mathbf{U}_B;\mathbf{p}_{\mathrm{geo}},\mathbf{p}_{\mathrm{circ}},\mathbf{z}) = \mathbf{0}, \] where $\mathbf{f}_{\mathrm{int}}$ represents internal force (including supports/preload/joints in $\mathbf{p}_{\mathrm{sup}}$ and $\mathbf{z}$) and $\mathbf{f}_{\mathrm{ext}}$ encodes the Lorentz load computed consistently with the magnetic model. For adjoint sensitivity, the implementation must provide JVP/VJP for the map $\mathbf{U}_B\mapsto\mathbf{f}_{\mathrm{ext}}$ and for the tangent stiffness action $v\mapsto \partial_{\mathbf{u}}\mathbf{f}_{\mathrm{int}}\,v$ (or its transpose action). Full matrix assembly is not required, but the operator actions are. III.A.4. Thermal/quench residuals (reduced): time discretization as residual Let $\mathbf{T}^n$ denote discrete temperatures at time step $n$, and let $\mathbf{y}^n$ denote additional quench-related internal variables (e.g. resistive-zone indicators, effective resistivity factors). A backward-Euler-type reduced model can be written generically as \[ \mathcal{R}_T^n(\mathbf{T}^n,\mathbf{T}^{n-1},\mathbf{y}^n,\mathbf{U}_B,\mathbf{U}_{\mathrm{circ}};\mathbf{p},\mathbf{z})=\mathbf{0, } \] for each $n$, with the full thermal residual $\mathcal{R}_T$ stacking all time steps. This viewpoint (time stepping as a coupled nonlinear residual) is crucial because it makes the derivative bookkeeping explicit and supports adjoint solves backward in time. Event logic (e.g. “quench onset” defined by crossing a threshold) is typically nonsmooth. When such events enter the declared residual (via switching coefficients, activated heat sources, etc.), the pipeline must either: 1. restrict gradients to regimes where the switching is inactive (and flag evaluations near event surfaces), or 2. introduce a declared smoothing/regularization and include an explicit inflation term in $\Delta^{\mathrm{num}}$ accounting for smoothing-to-nonsmooth discrepancy (Section II.E.2). The paper does not assume a particular event-handling strategy; it requires that whichever strategy is used be explicitly reported and audited. III.A.5. Circuit and quench-dump dynamics: residual on currents/voltages Let $\mathbf{I}(t)\in\mathbb{R}^{N_c}$ be coil currents. A general mutually coupled circuit model has the form \[ \mathbf{L}(\mathbf{q};\mathbf{p}_{\mathrm{geo}},\mathbf{z})\,\dot{\mathbf{I}} + \mathbf{R}(\mathbf{U}_T;\mathbf{p}_{\mathrm{circ}},\mathbf{z})\,\mathbf{I} = \mathbf{V}_{\mathrm{src}}(t), \] where $\mathbf{q}$ denotes any geometric degrees of freedom affecting inductance (which may be mechanical states or parameters), and $\mathbf{R}$ may depend on temperature/quench state. After time discretization, this becomes a residual $\mathcal{R}_{\mathrm{circ}}(\mathbf{U}_{\mathrm{circ}},\mathbf{U}_T;\mathbf{p},\mathbf{z})=\mathbf{0}$. Certification requires that the implementation expose operator actions needed to differentiate through $\mathbf{L}$ and $\mathbf{R}$, including their dependence on $\mathbf{p}_{\mathrm{geo}}$ (and on any motion model, if included). III.B. Implicit-adjoint identities and end-to-end gradients III.B.1. Differentiating through the implicit state map For fixed $\mathbf{z}$, assume that in a neighborhood of $(\mathbf{U},\mathbf{p})$ the residual is continuously differentiable and that the Jacobian $\partial_{\mathbf{U}}\mathcal{R}(\mathbf{U},\mathbf{p},\mathbf{z})$ is nonsingular. Then the implicit function theorem yields a locally unique state map $\mathbf{U}(\mathbf{p})$ satisfying $\mathcal{R}(\mathbf{U}(\mathbf{p}),\mathbf{p},\mathbf{z})=\mathbf{0}$, with derivative \[ \frac{d\mathbf{U}}{d\mathbf{p}} = -\left(\partial_{\mathbf{U}}\mathcal{R}\right)^{-1}\partial_{\mathbf{p}}\mathcal{R}. \] Let $\psi(\mathbf{U},\mathbf{p},\mathbf{z})\in\mathbb{R}$ be any scalar output used to build a nominal margin (e.g. $\psi=m_j^{\mathrm{nom}}$ or $\psi=Q_j$). Its total derivative is \[ \frac{d\psi}{d\mathbf{p}} = \partial_{\mathbf{p}}\psi + \partial_{\mathbf{U}}\psi\,\frac{d\mathbf{U}}{d\mathbf{p}}. \] Substituting the implicit derivative gives \[ \frac{d\psi}{d\mathbf{p}} = \partial_{\mathbf{p}}\psi – \partial_{\mathbf{U}}\psi\,\left(\partial_{\mathbf{U}}\mathcal{R}\right)^{-1}\partial_{\mathbf{p}}\mathcal{R}. \] III.B.2. Adjoint equation and computational form Define the adjoint vector $\boldsymbol\lambda\in\mathbb{R}^{n_U}$ as the solution of the transpose system \[ \left(\partial_{\mathbf{U}}\mathcal{R}(\mathbf{U},\mathbf{p},\mathbf{z})\right)^T\boldsymbol\lambda = \left(\partial_{\mathbf{U}}\psi(\mathbf{U},\mathbf{p},\mathbf{z})\right)^T. \] Then the total derivative is given by the standard implicit-adjoint identity \[ \frac{d\psi}{d\mathbf{p}} = \partial_{\mathbf{p}}\psi – \boldsymbol\lambda^T\partial_{\mathbf{p}}\mathcal{R}. \] This formula is exact for the declared discrete residual and declared output $\psi$, under the differentiability and nonsingularity assumptions stated above. It is the basis for computing gradients of many outputs $\psi$ at a cost comparable to one adjoint solve per output, without forming $d\mathbf{U}/d\mathbf{p}$. Auditability requirements tied to this identity: 1. The implementation must provide (matrix-free) actions of $v\mapsto \partial_{\mathbf{U}}\mathcal{R}\,v$ and $v\mapsto (\partial_{\mathbf{U}}\mathcal{R})^T v$, and likewise actions for $\partial_{\mathbf{p}}\mathcal{R}$ contracted with a vector. 2. The diagnostic record must include primal residual $\|\mathcal{R}\|$ and adjoint residual $\|(\partial_{\mathbf{U}}\mathcal{R})^T\boldsymbol\lambda-(\partial_{\mathbf{U}}\psi)^T\|$, with tolerances used. 3. If $\partial_{\mathbf{U}}\mathcal{R}$ is ill-conditioned or nearly singular, gradients may become amplified and numerically fragile. In that case the evaluator must flag the derivative as non-credible unless additional evidence (e.g. solver convergence with verified preconditioning and stable refinement behavior) is provided. III.B.3. Block-structured adjoints and matrix-free evaluation The block structure in III.A permits adjoint computations to exploit coupling sparsity. Writing \[ \partial_{\mathbf{U}}\mathcal{R}= \begin{bmatrix} A_{BB} & 0 & 0 & 0 & \cdots\\ A_{\mathrm{mech},B} & A_{\mathrm{mech},\mathrm{mech}} & 0 & 0 & \cdots\\ A_{T,B} & A_{T,\mathrm{mech}} & A_{T,T} & A_{T,\mathrm{circ}} & \cdots\\ 0 & 0 & A_{\mathrm{circ},T} & A_{\mathrm{circ},\mathrm{circ}} & \cdots\\ \vdots & \vdots & \vdots & \vdots & \ddots \end{bmatrix}, \] one can solve $(\partial_{\mathbf{U}}\mathcal{R})^T\boldsymbol\lambda = (\partial_{\mathbf{U}}\psi)^T$ using Schur complements, block preconditioners, or time-reversal structure (for transient blocks) as appropriate. Crucially, the paper does not require a specific algorithm; it requires that the claimed gradient be reproducible from the declared operator actions and that solver diagnostics be emitted. III.B.4. Differentiating through embedded convex subproblems via KKT residuals Some modules may compute intermediate quantities by solving a (parameterized) convex optimization subproblem, e.g. \[ \min_{x} f(x;\mathbf{p})\quad\text{s.t.}\quad c(x;\mathbf{p})\le 0,\ \ A x=b. \] If the pipeline reports an output $\psi$ depending on the optimizer solution $x^*(\mathbf{p})$, then end-to-end derivatives can be defined by incorporating the KKT system into the global residual $\mathcal{R}$. Concretely, one defines a residual block comprising primal feasibility, stationarity, and complementarity (or barrier) conditions, together with a credibility check (dual feasibility, gap) as in Section II.E.3. The adjoint identity in III.B.2 then differentiates through the subproblem in a way that is auditable: the dual variables appearing in the KKT block become part of $\mathbf{U}$ and are subject to the same residual/conditioning diagnostics. Because strong duality and constraint qualification are needed for these derivatives to correspond to classical sensitivities, any implementation must explicitly record whether KKT-regularity diagnostics passed; otherwise derivative outputs must be flagged as non-credible. III.C. Sensitivity under manufacturing tolerances III.C.1. Linearized worst-case degradation of a certified margin Fix a constraint index $j$. Consider the nominal margin map \[ \psi(\mathbf{p}) := m_j^{\mathrm{nom}}(\mathbf{p},\mathbf{z}) = m_j(\mathbf{U}(\mathbf{p},\mathbf{z}),\mathbf{p},\mathbf{z}). \] Let $\delta$ parameterize uncertainty as in Section II.C, with $\tilde{\mathbf{p}}=\mathbf{p}+\mathbf{B}\delta$. The first-order Taylor model gives \[ \psi(\tilde{\mathbf{p}}) \approx \psi(\mathbf{p}) + \nabla_{\mathbf{p}}\psi(\mathbf{p})^T \mathbf{B}\,\delta. \] Define the sensitivity with respect to $\delta$ as \[ \nabla_{\delta}\psi(0) := \mathbf{B}^T\nabla_{\mathbf{p}}\psi(\mathbf{p}). \] The adjoint identity of III.B.2 provides $\nabla_{\mathbf{p}}\psi$, hence $\nabla_{\delta}\psi$, without requiring explicit formation of $d\mathbf{U}/d\mathbf{p}$. To protect a feasibility margin against decrease, we use the uncertainty inflations already specified in Section II.C: – Box model $\mathcal{U}_{\infty}(\mathbf{t})$: \[ \Delta^{\mathrm{unc}}_{j,\infty} = \sum_{i=1}^{n_\delta} |\partial_{\delta_i}\psi(0)|\,t_i. \] – Ellipsoidal model $\mathcal{U}_2(\rho,\mathbf{W})$: \[ \Delta^{\mathrm{unc}}_{j,2} = \rho\,\|\mathbf{W}^{-T}\nabla_{\delta}\psi(0)\|_2. \] These are exact worst-case deviations for the linearization. Any upgrade to a truly worst-case (nonlinear) certificate requires an explicit remainder bound, e.g. \[ \psi(\tilde{\mathbf{p}}) \ge \psi(\mathbf{p}) + \nabla_{\delta}\psi(0)^T\delta – \frac{1}{2}M\|\delta\|^2, \] for a certified curvature bound $M$ on the local second derivative in the chosen norm. Because such $M$ is highly model- and discretization-dependent, this paper does not assume it is available; instead it requires that the absence of such a remainder control be recorded as a limitation (Section VIII). III.C.2. Sensitivity amplification and ill-conditioned directions Even when the primal residual is small, $\nabla_{\mathbf{p}}\psi$ can be dominated by numerical artifacts if the linearized solve is ill-conditioned. A practical indicator is the magnitude of the adjoint $\|\boldsymbol\lambda\|$ relative to $\|\partial_{\mathbf{U}}\psi\|$, and/or the growth in Krylov iterations under refinement. Accordingly, the evaluator must compute and report at least one of the following (problem-dependent) amplification diagnostics: 1. A relative adjoint residual and iteration count for the adjoint solve. 2. A preconditioned residual history sufficient to audit stagnation. 3. A spot-check using finite-difference directional derivatives in randomly chosen directions $v$ of $\mathbf{p}$ or $\delta$, comparing $D\psi\,v$ to $\nabla\psi^T v$ within declared tolerances. When these diagnostics fail, the correct behavior is to mark the gradient and any uncertainty inflation depending on it as non-credible (“inconclusive”) rather than silently using it in optimization. III.C.3. Interaction with nonsmooth outputs (max/min, event times) Many margins depend on nonsmooth operations, such as maxima over samples, minima (clearance), or event times (quench onset). In such cases, classical gradients may not exist everywhere. The certification pipeline therefore must declare which of the following regimes is being used for each output: 1. Nonsmooth but differentiable almost everywhere: use a selected subgradient (e.g. gradient at the active sample index) and report an event flag when the active set is unstable under perturbations. 2. Smoothed surrogate: use a smooth approximation (e.g. softmax) for derivative computation, but compute feasibility using the hard nonsmooth margin plus an explicit smoothing inflation included in $\Delta^{\mathrm{num}}$. The choice affects both reported derivatives and certificate semantics; hence it must be recorded in the diagnostic record returned by the evaluator. This completes the unified residual and adjoint foundation. Section IV uses these identities to build concrete physics-to-margin modules (field quality, Lorentz/strain, quench/hot-spot, circuit voltage/MIIT, detectability, insulation voltage, AC loss/cryo power, and related TEM margins), each wrapped in the one-sided certificate semantics of Section II. IV. Certified Physics-to-Margins Modules (TEM + Field Quality) This section instantiates the abstract semantics of Section II and the adjoint machinery of Section III as a collection of \emph{physics-to-margin} modules. Each module provides: 1. A declared nominal computation $m_j^{\mathrm{nom}}(\mathbf{p},\mathbf{z})$ built from a solved state $\mathbf{U}(\mathbf{p},\mathbf{z})$. 2. A numerical inflation $\Delta_j^{\mathrm{num}}$ that accounts for discretization/solver/sampling errors \emph{of the declared computation}. 3. An uncertainty inflation $\Delta_j^{\mathrm{unc}}$ computed from adjoint sensitivities and a declared tolerance set (Section II.C), yielding a certified margin \[ m^{\mathrm{cert}}_j = m^{\mathrm{nom}}_j – \Delta^{\mathrm{num}}_j – \Delta^{\mathrm{unc}}_j. \] All certificates in this section are conditional: they are rigorous statements about the declared discrete pipeline and the declared uncertainty sets, but they are \emph{not} assertions that the underlying physics closures are adequate for a specific magnet without external validation (tracked in Section VIII). IV.A. Magnetic field quality and plasma-facing constraints under coil errors IV.A.1. Field-error metrics on target surfaces Let $\Gamma\subset\mathbb{R}^3$ be a target surface (e.g. a plasma boundary, a diagnostics surface, or a specified “good-field” surface), with unit normal $\mathbf{n}(x)$ and surface measure $dS$. Let $\mathbf{B}(x;\mathbf{p})$ be the declared magnetic field map (typically from Biot–Savart with a declared regularization/quadrature). A common field-quality functional is the normal field error \[ q(x;\mathbf{p}) := \mathbf{B}(x;\mathbf{p})\cdot \mathbf{n}(x),\qquad x\in\Gamma. \] We define either (i) a supremum constraint or (ii) an $L^2$-type constraint: \[ Q_{\infty}(\mathbf{p}) := \|q(\cdot;\mathbf{p})\|_{L^{\infty}(\Gamma)} = \sup_{x\in\Gamma} |q(x;\mathbf{p})|, \] \[ Q_2(\mathbf{p}) := \|q(\cdot;\mathbf{p})\|_{L^{2}(\Gamma)} = \Bigl(\int_{\Gamma} |q(x;\mathbf{p})|^2\,dS\Bigr)^{1/2}. \] A certified upper-limit margin takes the form \[ m_B(\mathbf{p}) := Q^{\mathrm{lim}} – Q(\mathbf{p}),\qquad Q\in\{Q_{\infty},Q_2\}. \] \paragraph{Discrete sampling and $\Delta^{\mathrm{num}}$.} If $Q_{\infty}$ is approximated on samples $\{x_i\}_{i=1}^N\subset\Gamma$, we set \[ \widehat{Q}_{\infty}(\mathbf{p}) := \max_{1\le i\le N} |q(x_i;\mathbf{p})|, \] and use the Lipschitz-covering inflation from Section II.D whenever a verified bound $L_q$ and covering radius $h$ are available: \[ Q_{\infty}(\mathbf{p}) \le \widehat{Q}_{\infty}(\mathbf{p}) + L_q(\mathbf{p})\,h. \] Otherwise, the pipeline must mark $Q_{\infty}$ as uncertified w.r.t. continuous extrema and must not claim a certificate for the supremum unless it supplies an explicit conservative $\Delta^{\mathrm{num}}$. \paragraph{Adjoint sensitivities.} For $Q_2$, define the nominal objective \[ \psi(\mathbf{U},\mathbf{p}) := \frac{1}{2}\int_{\Gamma} |q(x;\mathbf{U},\mathbf{p})|^2\,dS. \] Then $\nabla_{\mathbf{p}}\psi$ is obtained by the implicit-adjoint identity (Section III.B) provided the implementation supplies VJP/JVP for $q$ with respect to geometry and field variables. For $Q_{\infty}$ computed as a hard maximum over samples, the derivative is generally nonsmooth. The implementation must either (i) return an active-sample subgradient with an active-set stability flag, or (ii) use a smooth surrogate for sensitivity and include a smoothing discrepancy inflation in $\Delta^{\mathrm{num}}$ (Section III.C.3). IV.A.2. Boozer-spectrum proxies and their certification status Let $\mathcal{T}$ denote a user-supplied transform that maps the computed field in a region to spectral coefficients $\{c_{m,n}\}$ (for example, a Fourier representation of a field component on a toroidal surface). We intentionally do \emph{not} assume any particular transform is physically adequate as a plasma metric; we only require that the transform is treated as part of the declared computational graph. A generic spectral proxy constraint has the form \[ Q_{\mathrm{spec}}(\mathbf{p}) := \max_{(m,n)\in\mathcal{I}} w_{m,n}\,|c_{m,n}(\mathbf{p})|, \] where $\mathcal{I}$ is a finite index set and $w_{m,n}\ge 0$ are weights (user-supplied). Certification of $Q_{\mathrm{spec}}$ requires: 1. a declared truncation model (finite $\mathcal{I}$ and any quadrature) and a truncation inflation term included in $\Delta^{\mathrm{num}}$, and 2. adjoint sensitivities for the map $\mathbf{p}\mapsto c_{m,n}$ consistent with the discrete transform. Absent a proven truncation bound, the module may still compute $Q_{\mathrm{spec}}$ but must label it as \emph{uncertified w.r.t. transform truncation}. IV.A.3. Robust tolerance allocation driver for field quality Given a field-quality margin $m_B$ and an uncertainty set in $\delta$, a first-order certified degradation is \[ \Delta^{\mathrm{unc}}_B = \sup_{\delta\in\mathcal{U}} \bigl(-\nabla_{\delta} m_B(0)^T\delta\bigr) = \sup_{\delta\in\mathcal{U}} \nabla_{\delta} Q(0)^T\delta, \] with box/ellipsoid formulas as in Sections II.C and III.C.1. A tolerance-allocation layer (developed in Section V) uses these module-provided gradients to choose tolerances $\mathbf{t}$ (box) or $(\rho,\mathbf{W})$ (ellipsoid) that satisfy $m_B^{\mathrm{cert}}\ge 0$ with minimal cost, while sharing \emph{the same} perturbation vector $\delta$ across field and TEM modules. IV.B. Certified Lorentz force envelope and strain/stress margins (static) IV.B.1. Consistent force/torque computation Let $\mathbf{f}_{\mathrm{ext}}(\mathbf{U}_B;\mathbf{p},\mathbf{z})$ be the declared discrete Lorentz load applied to the structural model. Certification requires that $\mathbf{f}_{\mathrm{ext}}$ be computed from the same field representation used elsewhere in the pipeline (Section III.A.3), so that sensitivity and energy-balance checks are meaningful. A minimal audit check is a load-consistency identity: if $\mathbf{B}$ is computed by Biot–Savart for a filament model, then changes in current and geometry should produce loads whose scaling with current is consistent with the declared model. The paper does not assert a particular continuum identity here; it requires that the implementation report unit-checked scaling and symmetry checks for $\mathbf{f}_{\mathrm{ext}}$ as part of $\Delta^{\mathrm{num}}$ justification. IV.B.2. One-sided upper bounds on peak stress-type quantities Let $\sigma(x;\mathbf{U}_{\mathrm{mech}},\mathbf{p})\in\mathbb{R}^{3\times 3}$ be the declared recovered stress field (or a stress proxy) and let $\sigma_{\mathrm{VM}}(x)$ denote the computed von Mises stress proxy at evaluation points. Define a peak-stress quantity \[ Q_{\sigma}(\mathbf{p}) := \max_{x\in\Omega_{\sigma}} \sigma_{\mathrm{VM}}(x;\mathbf{U}(\mathbf{p}),\mathbf{p}), \] where $\Omega_{\sigma}$ is a declared evaluation domain (mesh nodes, quadrature points, or a surface/curve). A stress margin is \[ m_{\sigma}(\mathbf{p}) := \sigma^{\mathrm{lim}} – Q_{\sigma}(\mathbf{p}). \] The certificate for $m_{\sigma}$ uses the same structure: \[ m_{\sigma}^{\mathrm{cert}} = m_{\sigma}^{\mathrm{nom}} – \Delta_{\sigma}^{\mathrm{num}} – \Delta_{\sigma}^{\mathrm{unc}}. \] \paragraph{Numerical inflation $\Delta_{\sigma}^{\mathrm{num}}$.} This term must account for (i) solver tolerance in the mechanical residual, (ii) discretization error (mesh dependence), and (iii) the difference between a discrete maximum and a continuous maximum if $Q_{\sigma}$ is intended as a continuum quantity. When no verified a posteriori estimator is available, the pipeline must state that $\Delta^{\mathrm{num}}$ is heuristic and downgrade the claim accordingly. \paragraph{Uncertainty inflation $\Delta_{\sigma}^{\mathrm{unc}}$.} Using the adjoint gradient $\nabla_{\delta} m_{\sigma}(0)$, we set $\Delta_{\sigma}^{\mathrm{unc}}$ by box/ellipsoid dual norms as in Section II.C. IV.B.3. Virtual-work form for stress sensitivities (interface-level statement) Many structural solvers naturally expose derivatives through bilinear forms. Let $\mathbf{u}$ solve $\mathcal{R}_{\mathrm{mech}}(\mathbf{u},\mathbf{U}_B;\mathbf{p})=0$. For a differentiable scalar stress proxy $\psi(\mathbf{u},\mathbf{p})$, the implicit-adjoint identity yields \[ \frac{d\psi}{d\mathbf{p}} = \partial_{\mathbf{p}}\psi – \boldsymbol\lambda_{\mathrm{mech}}^T\,\partial_{\mathbf{p}}\mathcal{R}_{\mathrm{mech}}, \] where $\boldsymbol\lambda_{\mathrm{mech}}$ solves \[ \left(\partial_{\mathbf{u}}\mathcal{R}_{\mathrm{mech}}\right)^T \boldsymbol\lambda_{\mathrm{mech}} = \left(\partial_{\mathbf{u}}\psi\right)^T. \] Certification does not depend on the solver forming $\partial_{\mathbf{u}}\mathcal{R}_{\mathrm{mech}}$ explicitly; it depends on providing operator actions and reporting residual/conditioning diagnostics (Section II.E.3). IV.C. Certified quench hot-spot temperature/enthalpy bounds (reduced model) This subsection records a generic, auditable pathway to one-sided hot-spot bounds without asserting a particular quench PDE is sufficient for a specific coil. IV.C.1. Declared reduced thermal model and event logic Let $T(x,t)$ be a temperature field on a declared domain $\Omega_T$ (e.g. a winding-pack homogenized domain, a 1D centerline coordinate with effective cross-section, or a network of thermal nodes). Let $\mathbf{U}_T$ denote the time-discretized unknowns, embedded in the global residual (Section III.A.4). Define a hot-spot quantity as either \[ Q_T(\mathbf{p}) := \max_{t\in[0,t_f]}\max_{x\in\Omega_T} T(x,t), \] or a temperature rise $\Delta T := Q_T – T_{\mathrm{op}}$. Quench onset and protection actions (switching the circuit topology, turning on heaters, etc.) may be represented as nonsmooth logic. The certificate requires that the implementation declare its event handling (hard switching with flags vs smoothing with inflation) and that near-event evaluations be flagged for gradient credibility (Section III.A.4). IV.C.2. Energy/enthalpy-based one-sided bounds A broadly applicable conservative structure is to bound hot-spot \emph{enthalpy} rather than pointwise temperature. Let \[ H(T) := \int_{T_{\mathrm{op}}}^{T} c_{\mathrm{eff}}(\theta)\,d\theta, \] where $c_{\mathrm{eff}}$ is a declared effective volumetric heat capacity (possibly temperature dependent). Suppose the module provides a certified upper bound on energy that can localize into a hot spot, \[ E_{\mathrm{hs}} \le E_{\mathrm{hs}}^{\mathrm{hi}}, \] and a declared hot-spot volume (or mass) lower bound $V_{\mathrm{hs}}^{\mathrm{lo}}>0$ over which the energy is assumed to deposit (this is a modeling choice and must be declared). Then a certified enthalpy rise bound is \[ H(T_{\mathrm{hs}}^{\mathrm{hi}}) \le \frac{E_{\mathrm{hs}}^{\mathrm{hi}}}{V_{\mathrm{hs}}^{\mathrm{lo}}}, \] and a certified temperature bound follows by inverting $H$ (monotone in $T$ if $c_{\mathrm{eff}}>0$ on the declared interval). \paragraph{Connecting $E_{\mathrm{hs}}^{\mathrm{hi}}$ to circuit dissipation.} If the circuit model provides an energy dissipation identity or inequality of the form \[ E_{\mathrm{diss}} = \int_0^{t_f} \mathbf{I}(t)^T\,\mathbf{R}(t)\,\mathbf{I}(t)\,dt \quad (\text{or an upper bound}), \] then one may set \[ E_{\mathrm{hs}}^{\mathrm{hi}} := \eta_{\mathrm{hs}}^{\mathrm{hi}}\,E_{\mathrm{diss}}^{\mathrm{hi}} + E_{\mathrm{ext}}^{\mathrm{hi}}, \] where $\eta_{\mathrm{hs}}^{\mathrm{hi}}\in[0,1]$ is a declared conservative upper bound on the fraction of dissipated electrical energy that can localize into the hot spot, and $E_{\mathrm{ext}}^{\mathrm{hi}}$ accounts for additional sources (if any) declared in the thermal residual (AC loss, nuclear heating, etc.). The constants $\eta_{\mathrm{hs}}^{\mathrm{hi}}$, $V_{\mathrm{hs}}^{\mathrm{lo}}$, and any source envelopes are assumptions requiring external justification; the mathematics here is bookkeeping once they are declared. IV.C.3. MIIT-style bounds as a special case A frequently used scalar measure is the “MIIT” integral (here just $\int I^2 dt$ with appropriate units), generalized to multi-coil systems as \[ \mathrm{MIIT}(\mathbf{p}) := \int_0^{t_f} \|\mathbf{I}(t)\|_2^2\,dt. \] If the thermal module supplies a declared monotone map $\Delta T \le F(\mathrm{MIIT})$ on the operating range (this is a surrogate/closure), then a hot-spot margin may be written as \[ m_{T}(\mathbf{p}) := \Delta T^{\mathrm{lim}} – F(\mathrm{MIIT}(\mathbf{p})). \] Certification then reduces to (i) certifying an upper bound on $\mathrm{MIIT}$ from the circuit module (Section IV.D), and (ii) treating $F$ and its validity range as declared assumptions. IV.D. Spectral bounds on multi-coil quench-dump dynamics and resistor sizing This module gives conservative, auditable bounds for linear(ized) discharge dynamics of the form \[ \mathbf{L}(\mathbf{p})\,\dot{\mathbf{I}}(t) + \mathbf{R}(t;\mathbf{p},\mathbf{z})\,\mathbf{I}(t) = \mathbf{V}_{\mathrm{src}}(t), \] with $\mathbf{L}\in\mathbb{R}^{N_c\times N_c}$ (mutual inductance matrix) and $\mathbf{R}$ a resistance matrix including dump resistors and temperature-dependent growth. IV.D.1. Nominal discharge and comparison-system envelopes Consider the homogeneous discharge case $\mathbf{V}_{\mathrm{src}}=\mathbf{0}$ on $[0,t_f]$. Assume as a \emph{declared model property} that 1. $\mathbf{L}$ is symmetric positive definite (SPD), and 2. $\mathbf{R}(t)$ is symmetric positive semidefinite for all $t$ (e.g. diagonal with nonnegative entries). Then the magnetic energy $E(t)=\tfrac12\mathbf{I}(t)^T\mathbf{L}\mathbf{I}(t)$ satisfies \[ \frac{dE}{dt} = -\mathbf{I}(t)^T\mathbf{R}(t)\mathbf{I}(t) \le 0. \] This provides a built-in audit check: numerical time stepping should not systematically increase $E$ in the absence of sources, up to solver tolerance accounted for in $\Delta^{\mathrm{num}}$. IV.D.2. Certified bounds on decay rate and MIIT from eigenvalue lower bounds Suppose $\mathbf{R}(t)\succeq \\underline{r}(t)\,\mathbf{I}$ for a declared scalar lower envelope $\\underline{r}(t)\ge 0$ and $\mathbf{L}\preceq \overline{\ell}\,\mathbf{I}$ for a declared scalar upper bound $\overline{\ell}>0$. Then \[ \frac{d}{dt}\|\mathbf{I}(t)\|_2^2 = -2\,\mathbf{I}(t)^T\mathbf{L}^{-1}\mathbf{R}(t)\mathbf{I}(t) \le -2\,\lambda_{\min}(\mathbf{L}^{-1}\mathbf{R}(t))\,\|\mathbf{I}(t)\|_2^2. \] A conservative bound is \[ \lambda_{\min}(\mathbf{L}^{-1}\mathbf{R}(t)) \ge \frac{\\underline{r}(t)}{\overline{\ell}}. \] Thus \[ \|\mathbf{I}(t)\|_2^2 \le \|\mathbf{I}(0)\|_2^2\,\exp\Bigl(-2\int_0^t \\underline{r}(s)/\overline{\ell}\,ds\Bigr). \] Integrating yields a certified MIIT upper bound \[ \mathrm{MIIT}(\mathbf{p}) = \int_0^{t_f} \|\mathbf{I}(t)\|_2^2\,dt \le \|\mathbf{I}(0)\|_2^2\,\int_0^{t_f}\exp\Bigl(-2\int_0^t \\underline{r}(s)/\overline{\ell}\,ds\Bigr)dt. \] This bound is auditable: it depends only on declared scalar envelopes and an initial condition. It can be pessimistic; tighter bounds may use improved eigenvalue estimates (e.g. certified lower bounds on $\lambda_{\min}(\mathbf{L}^{-1}\mathbf{R})$) if the implementation supplies them and includes numerical error control. IV.D.3. Terminal voltage and peak-voltage envelopes For a declared terminal-voltage map $\mathbf{V}(t)=\mathbf{R}(t)\mathbf{I}(t)+\mathbf{L}\dot{\mathbf{I}}(t)$ (or any consistent circuit output), conservative peak bounds can be produced from norm inequalities once $\|\mathbf{I}(t)\|$ and $\|\dot{\mathbf{I}}(t)\|$ are bounded. For example, in the homogeneous discharge $\mathbf{L}\dot{\mathbf{I}}=-\mathbf{R}(t)\mathbf{I}$, so $\mathbf{V}(t)=\mathbf{0}$ across the idealized series combination; but sub-voltages (to ground, across joints, etc.) depend on the declared circuit partition. Accordingly, the module must define exactly which voltage quantity $Q_V$ is constrained (e.g. $\|\mathbf{C}\mathbf{V}_{\mathrm{branch}}\|_{\infty}$ for a selection matrix $\mathbf{C}$). Once defined, uncertainty inflations follow from adjoint sensitivities of the declared output. IV.D.4. Resistor sizing as a certified optimization subproblem If dump resistors $\mathbf{r}_d$ are decision variables in $\mathbf{p}_{\mathrm{circ}}$, one may pose a sizing problem of the form \[ \min_{\mathbf{r}_d\in\mathcal{R}} \; C(\mathbf{r}_d) \quad\text{s.t.}\quad m_{V}^{\mathrm{cert}}(\mathbf{r}_d)\ge 0,\; m_{\mathrm{MIIT}}^{\mathrm{cert}}(\mathbf{r}_d)\ge 0, \] where $\mathcal{R}$ encodes nonnegativity and engineering bounds. If $C$ and the certified constraints are convex in $\mathbf{r}_d$ under the declared surrogate bounds, the sizing problem is a convex subproblem and can be embedded via KKT residuals (Section III.B.4) to obtain end-to-end sensitivities. IV.E. Quench detectability certification (instrumentation and noise floors) This module treats detectability as a \emph{margin between a worst-case signal envelope and a worst-case noise/confounder envelope}, rather than as a single nominal threshold. IV.E.1. Signal and confounder decomposition Let $V_{\mathrm{meas}}(t)$ be a declared measurement (e.g. a bridge voltage, differential tap voltage, or compensated signal). Model it as \[ V_{\mathrm{meas}}(t) = V_{\mathrm{res}}(t) + V_{\mathrm{ind}}(t) + V_{\mathrm{joint}}(t) + \eta(t), \] where: – $V_{\mathrm{res}}$ is the resistive/quench component to be detected; – $V_{\mathrm{ind}}$ is inductive pickup (including geometry-induced differences under misalignment); – $V_{\mathrm{joint}}$ is joint-related voltage that may confound detection; – $\eta(t)$ is sensor/electronics noise (declared bound or stochastic model). The detectability requirement is that, after applying declared signal processing $\mathcal{F}$ (filtering, compensation, differencing), the processed resistive component exceeds the processed confounder/noise envelope by a required margin. IV.E.2. Certified signal-to-noise margin (deterministic envelope form) Let $S(t)=\mathcal{F}[V_{\mathrm{res}}](t)$ and let $N(t)=\mathcal{F}[V_{\mathrm{ind}}+V_{\mathrm{joint}}+\eta](t)$. A conservative deterministic detectability margin is \[ m_{\mathrm{det}} := \inf_{t\in[t_0,t_f]} \bigl( |S(t)| – N^{\mathrm{hi}}(t) \bigr), \] where $N^{\mathrm{hi}}(t)$ is a certified upper envelope under tolerances and declared noise bounds. Feasibility is $m_{\mathrm{det}}\ge 0$. Uncertainty inflation is obtained via adjoint sensitivities of $S$ and $N$ with respect to $\delta$, using box/ellipsoid dual norms. Nonsmoothness (infimum over time) must be handled as in Section III.C.3. IV.E.3. Sequential decision logic as a declared algorithm with margins If detection uses a sequential rule (e.g. CUSUM/SPRT), certification is only with respect to the declared algorithm. The module must provide: 1. The rule definition (test statistic recursion and thresholds). 2. A certified lower bound on drift under quench (from $S$) and a certified upper bound on drift under no-quench (from $N$). 3. A certified bound on detection delay and/or false-trigger risk \emph{under the declared assumptions}. Any mapping from stochastic noise to hard worst-case guarantees requires an explicit risk policy (Section II.C.3). IV.F. Internal voltage distribution and insulation-design certificates Terminal voltage constraints are insufficient to guarantee insulation safety if internal turn-to-turn or turn-to-ground voltages can exceed allowable levels during fast transients. IV.F.1. Abstract internal voltage model and envelope objective Let $\mathbf{v}_{\mathrm{int}}(t)\in\mathbb{R}^{n_v}$ denote a vector of internal voltages (branch voltages, turn-to-turn differences, or lumped-capacitance node potentials) computed from a declared reduced electrical model coupled to $\mathbf{I}(t)$ and possibly to geometry/spacing parameters in $\mathbf{p}$. Define the insulation quantity \[ Q_{\mathrm{ins}}(\mathbf{p}) := \max_{t\in[0,t_f]} \|\mathbf{v}_{\mathrm{int}}(t;\mathbf{U}(\mathbf{p}),\mathbf{p})\|_{\infty}, \] with margin \[ m_{\mathrm{ins}} := V_{\mathrm{ins}}^{\mathrm{lim}} – Q_{\mathrm{ins}}. \] IV.F.2. Coupling to circuit/quench model and uncertainty inflation Because $\mathbf{v}_{\mathrm{int}}$ depends on $\mathbf{I}$, $\dot{\mathbf{I}}$, and possibly time-varying resistances, its sensitivities must be computed end-to-end through the coupled residual (Section III). The uncertainty inflation $\Delta_{\mathrm{ins}}^{\mathrm{unc}}$ follows from $\nabla_{\delta} m_{\mathrm{ins}}$ and the chosen uncertainty set. IV.F.3. Pulse-test falsifiers for envelope claims If the internal-voltage model depends on parameters such as capacitance matrices or coupling coefficients not directly known, then certification can only be conditional. To keep the claim falsifiable, the module should specify a pulse-test protocol that measures responses used to bound those parameters (Section VII.G). IV.G. Energy-consistent inductance/force/motion-induced voltage model Mechanical motion can modify inductance and generate motion-induced voltages. This module enforces consistency checks so that EM, structural, and circuit submodels do not contradict each other at the level of the declared discrete pipeline. IV.G.1. Consistency requirement (declared discrete identity) Let $\mathbf{q}$ be a vector of geometric degrees of freedom (mechanical states or parameters) entering $\mathbf{L}(\mathbf{q})$. A consistency condition for the coupled model is that the induced voltage term used in the circuit residual matches the time derivative of flux linkage implied by the same $\mathbf{L}(\mathbf{q})$, i.e. the circuit residual uses \[ \frac{d}{dt}(\mathbf{L}(\mathbf{q})\,\mathbf{I}) = \mathbf{L}(\mathbf{q})\,\dot{\mathbf{I}} + \dot{\mathbf{L}}(\mathbf{q})\,\mathbf{I}, \] with $\dot{\mathbf{L}}(\mathbf{q})$ consistent with the declared dependence of $\mathbf{L}$ on $\mathbf{q}$. This is not a physics claim beyond the model; it is an internal-audit requirement: if the implementation uses an approximate $\mathbf{L}$ in the circuit but a different field model in force computation, then the mismatch must be explicitly treated as model discrepancy and reflected in $\Delta^{\mathrm{num}}$ or in an “uncertified” flag. IV.G.2. Lipschitz perturbation bounds under manufacturing tolerances If the implementation supplies an operator norm bound $\|D\mathbf{L}(\mathbf{q})\|\le L_L$ for relevant perturbations, then inductance perturbations satisfy \[ \|\mathbf{L}(\mathbf{q}+\delta\mathbf{q})-\mathbf{L}(\mathbf{q})\| \le L_L\,\|\delta\mathbf{q}\|. \] Such bounds can be used to inflate circuit-derived margins (e.g. decay rate, induced-voltage envelopes) under geometric tolerances, with the same box/ellipsoid machinery. IV.H. AC losses and cryogenic plant sizing under time-dependent 3D fields This module provides a conservative accounting interface for time-dependent EM losses without requiring full 3D high-fidelity superconductor modeling. IV.H.1. Conservative envelope form tied to declared loss surrogate Let $P_{\mathrm{AC}}(t)\ge 0$ be the declared AC-loss power computed by a surrogate dependent on the time history of local field quantities along the winding (e.g. components of $\mathbf{B}(s,t)$ and their rates). Define total loss energy \[ E_{\mathrm{AC}} := \int_0^{t_f} P_{\mathrm{AC}}(t)\,dt. \] A conservative bound can be built if the surrogate admits an inequality of the form \[ E_{\mathrm{AC}} \le \alpha\,\mathrm{TV}(g(t)) + \beta\int_0^{t_f} h(t)^2\,dt + E_0, \] where $g$ and $h$ are declared scalar signals derived from $\mathbf{B}$ (e.g. a normal component relative to tape orientation), $\mathrm{TV}(g)=\int |\dot g|\,dt$, and $\alpha,\beta,E_0$ are declared conservative parameters fit/validated externally. The purpose is not to claim universal values of $\alpha,\beta$, but to provide an auditable pathway: once $(\alpha,\beta,E_0)$ are declared, the resulting $E_{\mathrm{AC}}^{\mathrm{hi}}$ and its sensitivities become differentiable objects in the pipeline. IV.H.2. Translating AC-loss envelopes to cryogenic power margins Let $\eta_{\mathrm{cryo}}$ be a declared wall-plug factor (or a temperature-dependent conversion) mapping cold-load energy to required electrical energy. Define a cryogenic power/energy constraint \[ Q_{\mathrm{cryo}} := \eta_{\mathrm{cryo}}\,(E_{\mathrm{AC}}+E_{\mathrm{static}}+E_{\mathrm{quench}}), \] and a margin $m_{\mathrm{cryo}} = Q_{\mathrm{cryo}}^{\mathrm{lim}}-Q_{\mathrm{cryo}}$. Certification again follows the same decomposition. IV.H.3. Robust ramp-rate feasibility from uncertainty-inflated $\mathrm{TV}$ bounds If $g(t;\mathbf{p})$ depends on uncertain geometry $\delta$, then \[ \mathrm{TV}(g(\cdot;\mathbf{p}+\mathbf{B}\delta)) \le \mathrm{TV}(g(\cdot;\mathbf{p})) + \int_0^{t_f} |\partial_{\delta} \dot g(0,t)|\,dt\,\|\delta\|_{\ast} + \cdots \] where $\|\cdot\|_{\ast}$ denotes the dual norm induced by the uncertainty set, and the omitted terms are higher order. This provides a direct path to $\Delta^{\mathrm{unc}}$ for AC-loss envelopes using adjoint sensitivities of the time-derivative signal $\dot g$. IV.I. Conductor critical-surface margins (angle dependence and alternatives) This module provides a certified \emph{lower} bound on critical current (or critical current density) along the winding given uncertain $|\mathbf{B}|$, field angle, and temperature. IV.I.1. Certified lower envelope for $I_c$ from Lipschitz bounds Let the declared conductor law provide a map \[ I_c = I_c(T,|\mathbf{B}|,\theta,\varepsilon;\mathbf{p}_{\mathrm{cond}}), \] where $\theta$ is a declared angle measure (e.g. between $\mathbf{B}$ and tape normal) and $\varepsilon$ a declared strain proxy. We assume the implementation can supply (or the user declares) local Lipschitz bounds over the operating domain: \[ |I_c(\xi_1)-I_c(\xi_2)| \le L\,\|\xi_1-\xi_2\|,\quad \xi=(T,|\mathbf{B}|,\theta,\varepsilon). \] Then, at discrete arc-length samples $s_j$, with nominal $\xi_0(s_j)$ and certified perturbation bounds $\|\Delta \xi(s_j)\|\le r_j$, we obtain the certified lower envelope \[ I_c^{\mathrm{lo}}(s_j) := I_c(\xi_0(s_j)) – L\,r_j. \] A certified minimum critical current along the winding is \[ I_c^{\min,\mathrm{lo}} := \min_j I_c^{\mathrm{lo}}(s_j) – \Delta^{\mathrm{num}}_{\min}, \] where $\Delta^{\mathrm{num}}_{\min}$ accounts for the gap between the discrete minimum and the continuous minimum if such a certification is claimed (Section II.D). A current-margin constraint is then \[ m_{I} := I_c^{\min,\mathrm{lo}} – I_{\mathrm{op}} \ge 0. \] IV.I.2. Angle-critical segment identification and near-singular sensitivity flags Because $I_c$ may vary sharply with angle in some conductor technologies, the module must report: 1. The indices $j$ attaining (or nearly attaining) $I_c^{\min,\mathrm{lo}}$ (active segments). 2. A sensitivity amplification indicator, e.g. large $|\partial_{\theta} I_c|$ or rapid switching of the active index under small perturbations. These diagnostics are required to prevent overconfidence in gradients computed at a single active segment. IV.J. Thermo-mechanical shock amplification during quench (dynamic integrity) This module concerns dynamic stress amplification driven by rapid temperature gradients or rapid electromagnetic load changes during a quench/discharge. IV.J.1. Reduced elastodynamic residual and amplification quantity Let $\mathbf{u}(t)$ satisfy a declared semi-discrete elastodynamic model \[ \mathbf{M}\ddot{\mathbf{u}} + \mathbf{C}\dot{\mathbf{u}} + \mathbf{K}\mathbf{u} = \mathbf{f}_{\mathrm{ext}}(t) + \mathbf{f}_{\mathrm{th}}(T(t)), \] embedded as a time-discretized residual block in $\mathcal{R}$. Define a dynamic stress proxy $\sigma_{\mathrm{VM}}^{\mathrm{dyn}}(t)$ (recovered from $\mathbf{u}(t)$). A dynamic margin is \[ m_{\sigma}^{\mathrm{dyn}} := \sigma^{\mathrm{lim}} – \max_{t\in[0,t_f]} \sigma_{\mathrm{VM}}^{\mathrm{dyn}}(t). \] IV.J.2. Time integration stability and $\Delta^{\mathrm{num}}$ Unlike static solves, transient elastodynamics can be unstable if the time integrator and step size are not appropriate. Therefore the module must treat the time integrator (e.g. Newmark-type scheme) as part of the declared computation and include in $\Delta^{\mathrm{num}}$ either: 1. a verified stability condition (for the declared linearized operator), or 2. a posteriori evidence of time-step refinement convergence for $\max_t \sigma_{\mathrm{VM}}^{\mathrm{dyn}}$. Absent such evidence, dynamic-stress quantities must be flagged as uncertified. IV.J.3. Joint impedance/placement dependence If segmentation/joint placement $\mathbf{z}$ affects $\mathbf{R}(t)$, $\mathbf{f}_{\mathrm{ext}}(t)$, or thermal sources, then dynamic amplification becomes a coupled function of $(\mathbf{p},\mathbf{z})$. The adjoint framework still applies for fixed $\mathbf{z}$. For discrete changes in $\mathbf{z}$, certification must proceed by enumerating candidates or embedding a mixed-integer layer (Section V). IV.K. Shakedown / no-slip / no-ratcheting certification for cyclic loads This module addresses cyclic load cases (Lorentz cycles, thermal cycles, or combined) and aims to certify a one-sided “no progressive accumulation” margin under a declared reduced constitutive model. IV.K.1. Convex feasibility form (SOCP template) Let $\{\mathbf{f}^{(\ell)}\}_{\ell=1}^L$ be a finite set of declared load cases (e.g. representative phases in a cycle) producing elastic stress fields $\sigma^{(\ell)}(x)$ in a linear model. A conservative shakedown/no-slip certification can often be posed as the existence of an admissible residual stress field (or generalized internal variable) $\sigma^r$ such that, for all $\ell$, the combined stress satisfies a yield/friction criterion. Abstractly, one solves a convex feasibility problem \[ \text{find } y\quad\text{s.t.}\quad \mathcal{A}y = b,\qquad \|\mathcal{G}_{\ell}y + g_{\ell}\|_2 \le \beta_{\ell}\quad (\ell=1,\dots,L), \] where the second-order cone inequalities represent conservative yield or slip constraints in a reduced parameterization. The resulting certificate is the (signed) distance to infeasibility, or equivalently a margin computed from the dual variables. IV.K.2. Coupling to supports/preload and fatigue allowables Support parameters in $\mathbf{p}_{\mathrm{sup}}$ and discrete choices in $\mathbf{z}$ enter the linear constraints and cone parameters. When this module is embedded into the global residual via KKT conditions (Section III.B.4), its dual variables provide sensitivities that propagate to tolerance allocation (Section V). IV.K.3. External validation boundary The mathematical certificate pertains to the declared conic surrogate and declared load set. Whether that surrogate adequately captures micro-slip, ratcheting, and fatigue in a particular joint/support technology is a materials/structures validation question and is explicitly listed as an external gap (Section VIII). Section V uses these module outputs (certified margins, gradients, and diagnostic flags) to build robust tolerance allocation and joint/segmentation optimization layers that preserve auditability and one-sided safety semantics. V. Robust Tolerance Allocation and Joint Optimization (Convex and Mixed-Integer) This section specifies optimization layers that (i) allocate manufacturing/alignment tolerances across a shared perturbation vector $\delta$ and (ii) co-optimize tolerances with circuit/protection choices and segmentation/joint decisions. The emphasis is on – maintaining the one-sided certificate semantics $m^{\mathrm{cert}}\ge 0$ from Section II, – using gradients computed via the implicit-adjoint identity of Section III, and – producing auditable, solver-checkable certificates (primal/dual residuals, infeasibility flags, and explicit inflation terms). All optimization problems below are understood as problems over the declared discrete pipeline. Whenever we rely on convexity (for correctness of solvers, dual variables, and KKT-based differentiation), the convexity assumptions are stated explicitly. V.A. Adjoint-based convex tolerance allocation (core robust-optimization layer) V.A.1. Robust constraint forms for box and ellipsoidal uncertainty sets Fix discrete decisions $\mathbf{z}$. Let $m_j^{\mathrm{nom}}(\mathbf{p},\mathbf{z})$ be the nominal margin from a module, and let $\Delta^{\mathrm{num}}_j(\mathbf{p},\mathbf{z})\ge 0$ be its numerical inflation. For a tolerance parameterization $\mathcal{U}(\cdot)$ on $\delta$, define the linearized uncertainty inflation \[ \Delta^{\mathrm{unc}}_j(\mathbf{p},\mathbf{z};\mathcal{U}) := \sup_{\delta\in\mathcal{U}} \bigl( -\nabla_{\delta} m_j^{\mathrm{nom}}(0)^T\,\delta \bigr), \] so that the first-order protected margin is \[ \widetilde m_j^{\mathrm{cert}}(\mathbf{p},\mathbf{z};\mathcal{U}) := m_j^{\mathrm{nom}}(\mathbf{p},\mathbf{z}) – \Delta^{\mathrm{num}}_j(\mathbf{p},\mathbf{z}) – \Delta^{\mathrm{unc}}_j(\mathbf{p},\mathbf{z};\mathcal{U}). \] (As in Section III.C.1, upgrading $\widetilde m^{\mathrm{cert}}$ to a nonlinear worst-case certificate requires an explicit remainder bound; absent such a bound, this layer is a certified bound only for the linearization of the declared pipeline.) For the box set $\mathcal{U}_{\infty}(\mathbf{t})=\{\delta: |\delta_i|\le t_i\}$, we have \[ \Delta^{\mathrm{unc}}_{j,\infty} = \sum_{i=1}^{n_\delta} |g_{j,i}|\, t_i,\qquad g_j := \nabla_{\delta} m_j^{\mathrm{nom}}(0)\in\mathbb{R}^{n_\delta}. \] Therefore the robust feasibility constraint $\widetilde m_j^{\mathrm{cert}}\ge 0$ becomes the linear inequality \[ m_j^{\mathrm{nom}}(\mathbf{p},\mathbf{z}) – \Delta^{\mathrm{num}}_j(\mathbf{p},\mathbf{z}) – \sum_i |g_{j,i}|\,t_i \ge 0. \] Because absolute values are nonsmooth, one may introduce auxiliary variables $s_{j,i}\ge 0$ satisfying \[ s_{j,i}\ge g_{j,i},\quad s_{j,i}\ge -g_{j,i},\quad \text{so } |g_{j,i}|\le s_{j,i}, \] and enforce \[ m_j^{\mathrm{nom}} – \Delta^{\mathrm{num}}_j – \sum_i s_{j,i}\,t_i \ge 0. \] This rewriting is purely algebraic; it does not remove the need to certify the correctness/credibility of $g_j$ (Section II.E.3). For ellipsoidal sets $\mathcal{U}_2(\rho,\mathbf{W})=\{\delta: \|\mathbf{W}\delta\|_2\le \rho\}$, we have \[ \Delta^{\mathrm{unc}}_{j,2} = \rho\,\|\mathbf{W}^{-T} g_j\|_2. \] Thus the robust feasibility constraint becomes the second-order cone inequality \[ m_j^{\mathrm{nom}}(\mathbf{p},\mathbf{z}) – \Delta^{\mathrm{num}}_j(\mathbf{p},\mathbf{z}) \ge \rho\,\|\mathbf{W}^{-T} g_j\|_2. \] If $\rho$ is a decision variable and $\mathbf{W}$ is fixed, the constraint is convex. If $\mathbf{W}$ is also optimized, convexity depends on the chosen parameterization (e.g. diagonal scalings may preserve convexity under suitable reparameterizations). V.A.2. Unified allocation across field quality and TEM margins using a shared perturbation vector Let $\delta\in\mathbb{R}^{n_\delta}$ be the shared pose/shape perturbation vector for the entire coil system, and let each module $j$ provide a gradient row $g_j = \nabla_{\delta} m_j^{\mathrm{nom}}(0)$. Stacking rows yields a sensitivity matrix \[ \mathbf{G} := \begin{bmatrix} g_1^T \\ \vdots \\ g_M^T \end{bmatrix}\in\mathbb{R}^{M\times n_\delta} \] for all certified constraints $j=1,\dots,M$ spanning field quality, stress, hot-spot, voltage, detectability, insulation, and cryo-power margins. The allocation layer must use this \emph{shared} $\delta$ rather than separate per-module uncertainty models; otherwise robustness claims are not composable. Concretely, the box tolerances $\mathbf{t}$ constrain \emph{the same} $\delta$ in every module, making the combined feasible set \[ \bigl\{(\mathbf{p},\mathbf{t}):\ \forall j,\ m_j^{\mathrm{nom}}(\mathbf{p})-\Delta_j^{\mathrm{num}}(\mathbf{p})-\sum_i |g_{j,i}(\mathbf{p})| t_i \ge 0\bigr\} \] well-defined at the system level. V.A.3. Outputs: tolerances, active constraints, worst-case error patterns, and sensitivity vectors Beyond tolerances, an auditable allocation must report: 1. Active constraints: indices $j$ with smallest certified margins (or binding constraints) at the solution. 2. Worst-case patterns for each active constraint under the adopted uncertainty model. For a fixed row $g_j$: – Box case: a maximizer of $-g_j^T\delta$ over $|\delta_i|\le t_i$ is \[ \delta_i^* = -t_i\,\mathrm{sign}(g_{j,i}),\quad (\mathrm{sign}(0)\text{ chosen arbitrarily in }[-1,1]). \] – Ellipsoid case: for $\|\mathbf{W}\delta\|_2\le \rho$, a maximizer is \[ \delta^* = -\rho\,\frac{\mathbf{W}^{-1}\mathbf{W}^{-T}g_j}{\|\mathbf{W}^{-T}g_j\|_2}. \] These patterns are not “true worst-case” for the nonlinear pipeline; they are auditable worst-case directions for the linearized certificate actually being used. 3. Credibility flags: if the module reports the gradient $g_j$ as non-credible (Section II.E.3), then any tolerance allocation depending on $g_j$ must be labeled inconclusive for that constraint. V.A.4. A canonical convex tolerance-allocation problem Let $\mathbf{t}\in\mathbb{R}^{n_\delta}_{+}$ be box tolerances and let $C(\mathbf{t})$ be a user-declared manufacturing cost surrogate. A common convex choice is \[ C(\mathbf{t}) = \sum_i w_i\,\varphi_i(t_i), \] with convex $\varphi_i$ on $(0,\infty)$ (e.g. $\varphi_i(t)=1/t$ to penalize small tolerances, or $\varphi_i(t)=t$ to penalize large tolerances; the form must be justified for the intended cost interpretation). A canonical allocation problem is \[ \min_{\mathbf{t}\ge 0}\ C(\mathbf{t}) \quad\text{s.t.}\quad m_j^{\mathrm{nom}}-\Delta_j^{\mathrm{num}}-\sum_i |g_{j,i}| t_i \ge 0,\ \ j=1,\dots,M, \] plus any bounds $t_i^{\min}\le t_i\le t_i^{\max}$ needed to avoid unrealistic tolerances. This problem is convex whenever $C$ is convex and the gradients $g_j$ are treated as fixed inputs at the current $\mathbf{p}$. Because $|g_{j,i}|$ can be noisy if the underlying adjoint solve is ill-conditioned, the allocation solver must propagate gradient credibility: if $g_j$ is not credible, constraint $j$ must be treated as “cannot be robustified” unless an alternative bound is supplied. V.B. Integrated EM–structural–thermal–quench tolerance allocation for coil sets This subsection records how tolerance allocation interacts with coupled physics and protection design. V.B.1. Joint modeling and tolerance tightening driven by detectability and hot-spot constraints Let $\mathbf{p}_{\mathrm{circ}}$ include joint/dump parameters (e.g. joint resistances, dump resistor sizes), and let $m_{\mathrm{det}}$ and $m_T$ denote detectability and hot-spot margins from Sections IV.E and IV.C. These margins generally depend on $\delta$ through both geometry-induced inductive pickup (affecting $m_{\mathrm{det}}$) and changes to the discharge dynamics (affecting $\mathrm{MIIT}$ and thus $m_T$). A robust allocation that couples these effects is simply the joint feasibility of multiple certified constraints under the same $\delta$-budget. For a box model: \[ \forall j\in\{\mathrm{det},T,\sigma,\ldots\},\quad m_j^{\mathrm{nom}}(\mathbf{p})-\Delta^{\mathrm{num}}_j(\mathbf{p})-\sum_i |g_{j,i}(\mathbf{p})| t_i \ge 0. \] The coupling is not “hand-waved”: it is enforced by the shared $\mathbf{t}$ and the shared underlying coupled residual used to compute $g_j$. V.B.2. Coupling to conductor grading variables and operating points If conductor grading variables $\mathbf{p}_{\mathrm{cond}}$ are optimized (Section VI.B), they typically enter $m_T$ and critical-current margins $m_I$ (Section IV.I) via temperature evolution and local $I_c$ envelopes. Tolerance allocation can be performed either: 1. nested (fix $\mathbf{p}$, allocate $\mathbf{t}$); or 2. jointly (optimize $\mathbf{p}$ and $\mathbf{t}$ together). Joint optimization is attractive but only correct if the combined problem is solved with appropriate safeguards for nonsmoothness and if the “certified” inflations are recomputed consistently at each iterate. V.B.3. Example tolerance targets as design parameters, not universal facts Because tolerances depend on fabrication capability, metrology, assembly tooling, and cost, this paper does not assert numerical “required tolerances”. Instead, $\mathbf{t}$ (or $\rho,\mathbf{W}$) are – decision variables in allocation problems, and – explicit inputs to certified margin evaluations. Any particular numerical tolerance target should be treated as an externally validated manufacturing assumption and documented as such. V.C. Certified coil segmentation and joint design under fatigue-cost constraints V.C.1. Discrete decisions and their coupling to continuous certificates Let $\mathbf{z}\in\{0,1\}^{n_z}$ encode segmentation/joint choices (e.g. whether a joint is placed at candidate location $\ell$, or which module boundary is used). Discrete choices affect the continuous model by modifying residual blocks (circuit topology, mechanical boundary conditions, support stiffness, heat sinks, etc.), hence modifying $m_j^{\mathrm{nom}}$, $\Delta^{\mathrm{num}}_j$, and the gradients $g_j$. For each fixed $\mathbf{z}$, the certified evaluation is well-defined. Optimization over $\mathbf{z}$ must therefore either: 1. enumerate candidate $\mathbf{z}$ and compare certified margins/costs, or 2. embed $\mathbf{z}$ into a mixed-integer formulation whose continuous relaxations preserve one-sided bounds. V.C.2. Coupled electromechanical-fatigue-cost model (certificate-aware) Let $C(\mathbf{p},\mathbf{z})$ be a declared cost proxy and let $m_j^{\mathrm{cert}}(\mathbf{p},\mathbf{z})$ be certified margins. A certificate-aware mixed design problem takes the generic form \[ \min_{\mathbf{p},\mathbf{z}}\ C(\mathbf{p},\mathbf{z}) \quad\text{s.t.}\quad m_j^{\mathrm{cert}}(\mathbf{p},\mathbf{z})\ge 0\ \forall j,\quad \mathbf{z}\in\mathcal{Z}. \] The key requirement is that feasibility is judged by $m_j^{\mathrm{cert}}$, not by smooth penalties. When $\mathbf{z}$ changes, the pipeline must recompute (or conservatively bound) the numerical inflations $\Delta^{\mathrm{num}}_j$ appropriate to that configuration. V.C.3. Rainflow/cycle-count fatigue proxies as declared surrogates If a fatigue or cycling margin is modeled via a cycle-count proxy (e.g. a damage index computed from stress histories), the resulting certificate is only as meaningful as the declared fatigue surrogate. In this paper, such surrogates may be included as modules producing one-sided margins, but they are explicitly flagged as requiring external constitutive validation (Section VIII). V.D. Certified MILP for coil–cryostat segmentation with RH-compatible tolerances and costed BoM proxy This subsection provides a template MILP layer that connects segmentation decisions to certified margins and to simple geometric/access constraints. V.D.1. MILP structure: segmentation objective and module-count bounds Let binary variables $z_{\ell}\in\{0,1\}$ indicate whether a cut/joint is placed at candidate location $\ell$, and let integer variables $N_{\mathrm{mod}}$ count modules per field period (or per coil). A generic MILP objective is \[ \min\ \sum_{\ell} c_{\ell}\,z_{\ell} + c_N\,N_{\mathrm{mod}} + c_{\mathrm{size}}\,\text{(module-size penalties)} \] with linear constraints such as \[ N_{\min}\le N_{\mathrm{mod}}\le N_{\max},\qquad N_{\mathrm{mod}} = \sum_{\ell} z_{\ell}, \] and additional linear constraints that encode adjacency/consistency (e.g. cuts cannot be too close, or must occur at permissible regions). V.D.2. Constraints tying segmentation to field-error tolerances, supports, and cryogenic distribution Segmentation affects certified constraints through the physics-to-margin modules. In an MILP, these couplings can be represented in one of two auditable ways: 1. Enumerative coupling: for each candidate $\mathbf{z}$, evaluate $m_j^{\mathrm{cert}}$ and keep only feasible $\mathbf{z}$. This is expensive but does not require linearization. 2. Piecewise-linear conservative envelopes: if module outputs admit certified monotone bounds with respect to segmentation proxies (e.g. joint count upper-bounding added resistance, or support density lower-bounding stiffness), then one can embed those envelopes as linear constraints. Any such envelope must be explicitly declared and accompanied by a verification argument within the declared surrogate model. Because these envelopes are highly device-dependent, this paper only specifies the interface requirement: any MILP constraint that claims to enforce a certified physics margin must be traceably linked to a module-provided certificate or to a proved conservative inequality within the declared surrogate. V.D.3. Supply-chain risk via uncertain BoM coefficients (explicitly heuristic) If bill-of-materials (BoM) costs are modeled with uncertain coefficients (e.g. through a stochastic or regression model), then any robustification of the cost is a management policy rather than a physical theorem. The certificate semantics in this paper apply to engineering margins; cost uncertainty may be reported as an auxiliary “risk envelope” with explicit caveats. V.E. Mixed-integer conic bilevel extensions (gap-aware) V.E.1. Bilevel view: outer segmentation, inner certified continuous margin optimization A common decomposition is: – Outer problem: choose discrete segmentation/joint pattern $\mathbf{z}$. – Inner problem: for fixed $\mathbf{z}$, solve a convex continuous problem for tolerances $\mathbf{t}$, protection variables, and possibly grading variables to satisfy $m^{\mathrm{cert}}\ge 0$ at minimal cost. Abstractly, \[ \min_{\mathbf{z}\in\mathcal{Z}}\ \Phi(\mathbf{z}) := \min_{\mathbf{p},\mathbf{t}}\ C(\mathbf{p},\mathbf{t},\mathbf{z})\ \text{s.t. } \widetilde m_j^{\mathrm{cert}}(\mathbf{p},\mathbf{t},\mathbf{z})\ge 0\ \forall j. \] V.E.2. Conditions needed for solver correctness and certificate validity Embedding the inner problem into a single mixed-integer (conic) program using duality requires conditions that must be checked and recorded: 1. Convexity of the inner problem as stated (including any surrogate maps and inflations). 2. Strong duality for the inner problem (e.g. Slater-type conditions for conic programs), so that dual variables and KKT conditions are valid and provide auditable sensitivities (Section III.B.4). 3. Credibility diagnostics for the gradients $g_j$ used in robust constraints. If $g_j$ is flagged non-credible, then the associated robust constraint is not certified; the combined design result must be marked inconclusive. 4. Nonsmooth event handling: if margins depend on maxima or event times, then constraint qualification can fail at switching points. In such regions, MILP/MISOCP embeddings may yield misleading sensitivities; the pipeline must detect and flag these cases (Section III.C.3). These conditions are not technicalities: they are required to ensure that “certified” outputs remain auditable when optimization includes both continuous and discrete decisions. Section VI specifies how these optimization layers are orchestrated by an integrated evaluator that produces certified margins and gradients in a form suitable for outer-loop optimization and audit trails. VI. Integrated Certified Blueprint Evaluator and Optimization Loop This section specifies an end-to-end evaluator that (i) ingests a coil design description and operating point, (ii) executes the declared coupled residual solve(s), (iii) returns one-sided certified margins with explicit decomposition into nominal value and inflations, and (iv) returns gradients and robustness data in a form suitable for outer-loop optimization. The purpose is not to prescribe a single software architecture, but to fix a minimal mathematical/algorithmic contract so that any implementation claiming certification can be independently rerun and audited. VI.A. End-to-end evaluator producing certified bounds and gradients VI.A.1. Inputs (declared model instance) An evaluator instance is defined by a tuple of declared inputs \[ \mathfrak{I} := (\mathcal{G},\ \mathcal{O},\ \mathcal{M},\ \mathcal{U}_\delta,\ \mathcal{D}), \] where: 1. Geometry and discrete configuration $\mathcal{G}$: a CAD/mesh/spline representation together with a differentiable parameter vector $\mathbf{p}_{\mathrm{geo}}$ (Section II.A) and discrete decisions $\mathbf{z}$ (segmentation, joints, sensor routing classes, etc.). 2. Operating point $\mathcal{O}$: currents, ramps, and boundary conditions for the declared physics blocks (e.g. initial currents $\mathbf{I}(0)$, discharge trigger time, cryogenic boundary temperatures). The evaluator does not assume a specific list; it requires that all quantities entering residual blocks be enumerated. 3. Constitutive and surrogate maps $\mathcal{M}$: user-supplied functions needed to close residual blocks, such as effective resistivity vs temperature, heat capacity, stiffness models, critical-current law, loss surrogates, and any fitted constants. For auditability, each map must come with a declared validity range and units. 4. Uncertainty model $\mathcal{U}_\delta$: a deterministic uncertainty set for the shared perturbation vector $\delta$ (Section II.C), either box $\mathcal{U}_\infty(\mathbf{t})$ or ellipsoid $\mathcal{U}_2(\rho,\mathbf{W})$, plus the embedding $\tilde{\mathbf{p}}=\mathbf{p}+\mathbf{B}\delta$. 5. Discretization and solver declarations $\mathcal{D}$: mesh/time-step/quad rules and solver tolerances for each residual block, including any regularizations (e.g. Biot–Savart kernel handling) and event-handling conventions (hard switching vs smoothing), together with rules for defining $\Delta^{\mathrm{num}}$. VI.A.2. Outputs (audit record) Given $(\mathbf{p},\mathbf{z})$ and $\mathfrak{I}$, the evaluator returns an audit record $\mathcal{A}$ consisting of: 1. Primal state summaries: a representation of $\mathbf{U}$ sufficient to recompute all reported scalar quantities $Q_j$ and margins $m_j$ under the declared pipeline. 2. For each constraint index $j$: \[ \Bigl(m^{\mathrm{nom}}_j,\ \Delta^{\mathrm{num}}_j,\ \Delta^{\mathrm{unc}}_j,\ m^{\mathrm{cert}}_j\Bigr), \] with $m^{\mathrm{cert}}_j := m^{\mathrm{nom}}_j-\Delta^{\mathrm{num}}_j-\Delta^{\mathrm{unc}}_j$ exactly as in Section II.B.3. 3. Sensitivity data: for each $j$, either a credible gradient row $g_j=\nabla_{\delta} m_j^{\mathrm{nom}}(0)$ or an explicit “non-credible” flag with a reason code (adjoint residual too large, event instability, max-active-set instability, etc.). If $g_j$ is provided, the record must include the adjoint residual diagnostics in Section II.E.3. 4. Worst-case linearized patterns $\delta_j^*$ for active constraints (Section V.A.3) and an “active-set stability” indicator where applicable. 5. Unit checks and dimensional metadata: for each scalar output, the evaluator must store the unit string and a unit-consistency checksum for linear combinations and norms (implementation-dependent, but mandatory for auditability). VI.A.3. Unified penalty/barrier interfaces with mandatory hard-margin reporting Let an outer-loop optimizer operate on a smooth scalar merit function $\Phi(\mathbf{p})$ constructed from objectives and constraint penalties. To prevent surrogate hiding, the evaluator must support two separate channels: 1. A hard-feasibility channel returning $m^{\mathrm{cert}}$ (or “uncertified/inconclusive” status) which is the only channel permitted to declare feasibility. 2. A smooth-optimization channel returning a user-selected smooth surrogate $\widetilde{m}_j$ and its gradient for algorithmic guidance. Formally, the optimizer may query \[ (\mathcal{A}_{\mathrm{hard}}(\mathbf{p}),\ \mathcal{A}_{\mathrm{smooth}}(\mathbf{p})) \] with the contract that $\mathcal{A}_{\mathrm{hard}}$ always includes $m^{\mathrm{cert}}$ and the full inflation decomposition. VI.B. Conductor grading optimization VI.B.1. Convex program for grading variables and KKT embedding Let $\mathbf{c}\in\mathbb{R}^{n_c}$ denote conductor grading variables (e.g. local stabilizer fraction, copper area, or current-sharing design parameters). A grading layer is suitable for KKT embedding (Section III.B.4) if it is posed as a convex program \[ \min_{\mathbf{c}\in\mathcal{C}}\ f(\mathbf{c};\mathbf{p})\quad\text{s.t.}\quad A(\mathbf{p})\mathbf{c}\le b(\mathbf{p}), \] where $\mathcal{C}$ is a convex set (box constraints, simplex constraints, etc.). The constraints may be constructed from module-provided certified quantities (e.g. lower envelopes of $I_c$, upper envelopes of loss energy, or thermal constraints), but only if those quantities are treated as declared inputs to the grading subproblem. To differentiate through $\mathbf{c}^*(\mathbf{p})$, the evaluator may augment the global residual with the KKT residuals for the grading subproblem. The audit record must include dual feasibility and complementarity diagnostics (or barrier parameter and residual) so that the returned sensitivities can be interpreted as derivatives of the declared subproblem solution. VI.B.2. Convexity/monotonicity claims are declared assumptions Any claim that a physics surrogate makes the grading subproblem convex (e.g. that a margin is affine or convex in $\mathbf{c}$) is a modeling assumption. Therefore, the evaluator must record: 1. The explicit formula used to map $\mathbf{c}$ into each relevant residual or margin. 2. A convexity certificate appropriate to the chosen solver interface (for example, disciplined convex programming rules, or an explicit Hessian/semi-definiteness check for smooth terms), or else mark the grading layer as “nonconvex; KKT-based sensitivity not certified”. VI.C. Cost and schedule proxies with uncertainty (heuristic channel) This paper’s certification semantics are aimed at engineering margins. Cost and schedule models are typically empirical and can be treated as a separate, explicitly heuristic channel. VI.C.1. Declared probabilistic model and risk-based acceptance policy Let $C(\mathbf{p},\mathbf{z})$ be a cost proxy (scalar). If it is modeled stochastically (e.g. a regression model returning a mean and variance), the evaluator may report a risk envelope \[ C^{\mathrm{risk}} := \mathrm{Quantile}_{\alpha}\bigl(C\bigr) \] for a declared $\alpha$ (e.g. 0.9 or 0.95). This is not a physical theorem; it is an organizational policy. Accordingly, the audit record must keep cost outputs separate from the certified engineering margins, and must never conflate “high-probability cost” with worst-case engineering robustness. VI.C.2. Interaction with certified engineering margins The only required interaction is a gating rule: the optimization loop may consider cost only after engineering feasibility is established via $m^{\mathrm{cert}}\ge 0$ (or else it must treat the design as infeasible/inconclusive). This prevents cost objectives from driving the solver into regions where certified constraints are violated. VI.D. Unit-checked, auditable implementation plan (mathematical interface specification) We summarize the evaluator as a pair of callable maps \[ \texttt{evaluate}(\mathbf{p},\mathbf{z};\mathfrak{I})\ \mapsto\ \mathcal{A}, \qquad \texttt{jvp\_vjp}(\mathbf{p},\mathbf{z};\mathfrak{I})\ \mapsto\ \text{operator actions}, \] where $\mathcal{A}$ is the audit record described above and $\texttt{jvp\_vjp}$ exposes the matrix-free actions required in Sections II.E and III.B. Minimal reproducibility artifacts required for any implementation claiming certification: 1. Deterministic replay: all meshes, quadratures, solver tolerances, and random seeds (if any) must be recorded in $\mathcal{A}$. 2. Regression tests: for a fixed $(\mathbf{p},\mathbf{z})$, a stored reference record $\mathcal{A}_{\mathrm{ref}}$ should be compared to a new record $\mathcal{A}$ with declared acceptable tolerances on $m^{\mathrm{nom}}$, $\Delta^{\mathrm{num}}$, and adjoint residual norms. 3. Unit checks: automatic dimension checking for all scalar outputs in $\mathcal{A}$ (fail-closed: if unit inconsistency is detected, the output must be marked invalid). 4. Conditioning monitors: iteration counts, residual histories, and event flags for all primal/adjoint solves. VII. Falsifiable Tests and Validation Plan (12–18 Month Subscale Milestones) This section describes a falsification-oriented validation plan. The intent is to expose which parts of the pipeline are testable at subscale and what acceptance criteria would cause the declared certificate inflations or surrogate closures to be rejected or tightened. The tests are written as protocols; they are not claims of achieved validation. VII.A. Field-error validation under controlled misalignments Protocol: 1. Build or obtain a coil mockup (or a subset of coils) and a target measurement surface $\Gamma$ with a metrology-defined coordinate system. 2. Impose known rigid-body perturbations $\delta$ (translations/rotations) using calibrated shims or fixtures. 3. Measure $q(x)=\mathbf{B}(x)\cdot\mathbf{n}(x)$ (or another declared field-error observable) on a dense sample on $\Gamma$. Acceptance criteria: – Linear prediction check: the measured change $\Delta q$ should be consistent with the evaluator’s JVP $Dq\,\delta$ to within a declared discrepancy $\varepsilon_{\mathrm{map}}$ that is then incorporated into $\Delta^{\mathrm{num}}$ for field-error margins. – Robust envelope check: if the evaluator reports a certified upper envelope $Q^{\mathrm{hi}}$ for $\|q\|_{\infty}$, the measured supremum over $\Gamma$ must not exceed $Q^{\mathrm{hi}}$ after accounting for sensor uncertainty. If it does, the certificate is falsified (inflations must be increased or the model revised). VII.B. Quench propagation and hot-spot bound validation Protocol: 1. Instrument a subscale winding pack with temperature sensors (e.g. fiber Bragg gratings or thermometry) and voltage taps consistent with the declared thermal/circuit model. 2. Induce a controlled quench (heater or localized disturbance) and run a declared protection action (dump resistor, detection logic). 3. Estimate peak hot-spot temperature $T_{\mathrm{hs,exp}}$ from measurements, with a conservative measurement uncertainty bound. Acceptance criteria: – One-sided bound check: if the evaluator reports $T_{\mathrm{hs}}^{\mathrm{hi}}$, require \[ T_{\mathrm{hs,exp}} \le T_{\mathrm{hs}}^{\mathrm{hi}} + \varepsilon_T, \] where $\varepsilon_T$ is the measurement uncertainty bound. Violation falsifies the thermal/circuit closure used to produce $T_{\mathrm{hs}}^{\mathrm{hi}}$ or its inflations. VII.C. Quench detectability validation Protocol: 1. Implement the declared measurement channel $V_{\mathrm{meas}}$ and declared processing $\mathcal{F}$. 2. Generate representative “no-quench” records under ramps and perturbations, and representative “quench” records under controlled quenches. 3. Evaluate the declared detectability margin $m_{\mathrm{det}}$ and predicted detection delay bounds (if provided). Acceptance criteria: – False-trigger bound: under declared no-quench conditions, the observed false-trigger frequency must be below the declared policy target; if not, the noise/confounder envelope $N^{\mathrm{hi}}$ is under-estimated. – Missed-detection bound: under declared quench conditions, the observed detection time must be no worse than the certified delay bound (if such a bound is claimed) after accounting for declared uncertainty inflation. VII.D. Joint fatigue and resistance growth validation Protocol: 1. Thermal cycling test: cycle a representative joint assembly between declared temperature limits; measure joint resistance each cycle. 2. Mechanical cycling test: apply cyclic loads representative of Lorentz/thermal cycles; measure slip indicators and resistance drift. Acceptance criteria: – Model falsifier: if the pipeline uses a declared resistance growth envelope or fatigue surrogate to compute a margin, the observed growth must be bounded by the declared envelope. Otherwise, the surrogate must be rejected or its uncertainty inflation increased. VII.E. Thermo-mechanical shock validation Protocol: 1. Instrument a mechanically representative subassembly with strain gauges. 2. Apply a fast discharge or controlled thermal shock consistent with the declared dynamic model. Acceptance criteria: – Peak strain/stress check: compare observed peak strain (converted to stress via declared elastic constants) to the certified dynamic stress bound. Failure falsifies the dynamic amplification model or its $\Delta^{\mathrm{num}}$ stability control. VII.F. Cryogenic power and AC-loss validation Protocol: 1. Run current ramps and modulations with calorimetric measurement of cold-load power. 2. Compute the evaluator’s declared AC-loss surrogate and its one-sided bound $E_{\mathrm{AC}}^{\mathrm{hi}}$. Acceptance criteria: – One-sided energy check: measured loss energy over the test window must not exceed $E_{\mathrm{AC}}^{\mathrm{hi}}$ beyond measurement uncertainty. Violation indicates that surrogate parameters (e.g. $\alpha,\beta,E_0$ in Section IV.H) or the sensitivity/uncertainty inflations are not conservative. VII.G. Insulation voltage envelope validation Protocol: 1. Perform controlled pulse/discharge tests consistent with the declared internal voltage model producing $\mathbf{v}_{\mathrm{int}}(t)$. 2. Measure internal voltages (where feasible) or proxy quantities that bound them (e.g. node potentials in a lumped model). Acceptance criteria: – Envelope check: the measured internal voltage magnitude must not exceed the evaluator’s certified envelope $Q_{\mathrm{ins}}^{\mathrm{hi}}$ after accounting for measurement limitations. If internal voltages are unmeasurable directly, the model must specify which observables serve as falsifiers (Section IV.F.3). VII.H. Cost uncertainty closure (process audit) Protocol: 1. Collect fabrication quotes and procurement lead times for a small set of representative module/joint configurations $\mathbf{z}$. 2. Compare observed costs/times to the proxy model outputs and adjust the model or increase uncertainty bands if systematic underestimation is observed. Acceptance criteria: – Explicit reject rule: if the chosen risk envelope $C^{\mathrm{risk}}$ (Section VI.C) exceeds a declared budget threshold, the design is rejected by policy (not by physics). The audit record must keep this as a separate decision channel. VIII. Limitations, Assumptions, and Gaps Requiring External Verification This section lists explicit boundaries of the paper’s mathematical guarantees. The core mathematical statements are about the declared discrete pipeline: if $\Delta^{\mathrm{num}}$ and $\Delta^{\mathrm{unc}}$ are valid for that pipeline, then $m^{\mathrm{cert}}\ge 0$ implies conservative one-sided feasibility for the declared computation under the declared uncertainty set. The following items identify where external verification is required before interpreting those guarantees as physical safety claims for a real device. VIII.A. Physics adequacy of reduced-order TEM and quench surrogates 1. Reduced structural and thermal models may omit 3D effects (local stress concentrations, contact nonlinearities, anisotropic conduction, helium dynamics, etc.). A certificate for a reduced model is not a certificate for omitted physics. 2. Any constants used to connect circuit quantities (e.g. MIIT) to temperature rise, or to connect dissipated energy to hot-spot volume fraction, are assumptions requiring traceable experimental justification. VIII.B. Plasma metrics as proxies Field-quality metrics and spectral proxies (Section IV.A) are treated as declared computational outputs. Their connection to plasma performance (e.g. island suppression, confinement) is not established here and requires external high-fidelity cross-checks (plasma response, kinetic/transport effects). VIII.C. Continuous-geometry extreme-value certification Many constraints are maxima/minima over continuous domains. This paper provides a generic Lipschitz-covering wrapper (Section II.D) but does not provide device-specific verified Lipschitz constants, regularity constants for CAD parameterizations, or certified a posteriori estimators for complex composite maps. Absent those, $\Delta^{\mathrm{num}}$ may be heuristic and the result must be labeled “uncertified w.r.t. continuous extrema”. VIII.D. Materials/joints critical-surface and fatigue laws Critical-current laws $I_c(T,|B|,\theta,\varepsilon)$, joint resistance growth, friction/micro-slip models, and fatigue allowables are technology-specific. Certificates that rely on these maps are conditional on their external validation and on declared uncertainty quantification for their parameters. VIII.E. Solver/certificate fragility and numerical credibility 1. Adjoint sensitivities can be unreliable when $\partial_{\mathbf{U}}\mathcal{R}$ is ill-conditioned or near singular, when active sets switch (maxima/minima), or when event times shift. The paper’s contract requires credibility diagnostics and fail-closed reporting, but it does not guarantee that a given implementation will always be in a well-conditioned regime. 2. First-order uncertainty inflations are exact for the linearization but do not by themselves control higher-order effects. Nonlinear worst-case certification requires explicit remainder bounds or validated local curvature envelopes, which are not assumed available here. 3. Mixed-integer embeddings (Section V) require careful duality and constraint qualification checks to avoid incorrect “certificates” arising from relaxations. These limitations are not incidental: they are the conditions under which the paper’s certificate semantics must be interpreted. The intended use is to enforce explicit “inconclusive” outcomes when evidence is insufficient, and to prioritize external validation where the modeling gap dominates. Conclusion This paper has specified a certification-first mathematical framework for computing and optimizing one-sided engineering margins for 3D non-axisymmetric stellarator coil systems under declared manufacturing/alignment uncertainty. The central semantic object throughout is the certified margin \[ m_j^{\mathrm{cert}}(\mathbf{p},\mathbf{z}) = m_j^{\mathrm{nom}}(\mathbf{p},\mathbf{z}) – \Delta_j^{\mathrm{num}}(\mathbf{p},\mathbf{z}) – \Delta_j^{\mathrm{unc}}(\mathbf{p},\mathbf{z}), \] whose interpretation is deliberately conditional: when the numerical and uncertainty inflations are valid for the declared discrete pipeline and uncertainty set, nonnegativity of $m_j^{\mathrm{cert}}$ provides a conservative (fail-closed) feasibility statement for that pipeline. On the sensitivity side, the paper’s main mathematical mechanism is the implicit-adjoint identity applied to a coupled residual system $\mathcal{R}(\mathbf{U},\mathbf{p},\mathbf{z})=\mathbf{0}$. For any scalar output $\psi(\mathbf{U},\mathbf{p},\mathbf{z})$ used to build a margin, the gradient $d\psi/d\mathbf{p}$ is computed via a transpose-Jacobian solve, with explicit audit requirements: operator actions (JVP/VJP), primal and adjoint residual norms, and conditioning/credibility diagnostics. These adjoint gradients are then converted into auditable first-order worst-case inflations $\Delta^{\mathrm{unc}}$ over box and ellipsoidal uncertainty sets using dual-norm formulas. Building on this common core, Sections IV–VI instantiated a family of physics-to-margin modules (field-quality functionals and spectral proxies; Lorentz-load-driven static stress proxies; reduced thermal/quench hot-spot bounds; spectral/eigenvalue-based discharge and MIIT envelopes; detectability and internal-voltage envelope margins; AC-loss-to-cryo power accounting; critical-surface lower envelopes; and cyclic shakedown/no-slip conic surrogates). The unifying contribution is not a claim that any particular closure is physically complete, but that each module can be wrapped in the same one-sided certificate interface, differentiated end-to-end through the same coupled residual, and robustified against the same shared perturbation vector $\delta$ without breaking auditability. At the design-optimization level, the paper formulated convex tolerance-allocation problems and certificate-aware joint optimization templates (including mixed-integer layers for segmentation/joint placement) in which feasibility is determined solely by hard certified margins, never by smooth penalties. The resulting system-level output is an auditable record containing, for each constraint, the tuple $(m^{\mathrm{nom}},\Delta^{\mathrm{num}},\Delta^{\mathrm{unc}},m^{\mathrm{cert}})$, associated credible gradients (or explicit non-credibility/inconclusive flags), and worst-case linearized perturbation patterns that explain which uncertainty directions drive each constraint. Finally, the paper emphasized falsifiability and boundaries of validity. Section VII provided subscale test protocols intended to falsify (and thereby tighten) declared inflations and surrogate closures; Section VIII documented the principal gaps that prevent unconditional physical interpretations, notably: rigorous remainder control beyond first order; continuous-extremum certification requiring verified regularity/Lipschitz inputs; technology-specific materials/joint and fatigue laws; and fragility of adjoint-based inflations near nonsmooth events or ill-conditioned solves. These are not afterthoughts but integral to the intended use: when prerequisites are missing or diagnostics fail, the correct output is “inconclusive” rather than optimistic. Taken together, the paper delivers a mathematically explicit template for optimization-safe coil engineering workflows: a unified residual/adjoint backbone, modular one-sided certificates with explicit numerical and uncertainty inflations, and an implementation contract that forces reproducibility and prevents numerical false feasibility. The next step toward trustworthy deployment is not additional module proliferation, but targeted external verification of the declared closures and of the constants required to make $\Delta^{\mathrm{num}}$ and (where desired) nonlinear uncertainty remainders genuinely conservative for the intended devices and operating regimes. [HARD CODED END-OF-PAPER MARK — ALL CONTENT SHOULD BE ABOVE THIS LINE] ================================================================================ MODEL CREDITS This autonomous solution attempt was generated with the Intrafere LLC AI Harness, MOTO, and the following model(s): – x-ai/grok-4.1-fast (63 API calls) – openai/gpt-5.2 (23 API calls) – moonshotai/kimi-k2.5 (14 API calls) Total AI Model API Calls: 100 ================================================================================

More Info