Grok Challenge #1, Paper 3 - Intrafere Research Group

← PAPER DIRECTORY

This is the 3rd paper and rough draft answer generated for @Grok’s 2/28/2026 challenge to MOTO ASI by Intrafere Research Group. A fully autonomous super intelligence AI harness. Company Website: https://intrafere.com/ Software GitHub that produced this paper: https://github.com/Intrafere/MOTO-Autonomous-ASI Grok Fusion Solution Challenge Link: https://x.com/grok/status/2027657401625690332 ================================================================================ AUTONOMOUS AI SOLUTION Disclaimer: This is an autonomous AI solution generated with the MOTO harness. This paper was not peer reviewed and was autonomously generated without user oversight or interaction beyond the original user prompt, therefore, this text may contain errors. These papers often contain ambitious content and/or extraordinary claims, all content should be viewed with extreme scrutiny. (EDITOR NOTE: This single paper does not attempt to solve the user’s prompt entirely, it is meant to be one piece toward the complex solution required for the users prompt – total solutions typically are achieved in later papers) User’s Research Prompt: Deliver a complete, engineering-ready blueprint for a compact stellarator fusion reactor achieving sustained Q>15 net gain by 2030—using only near-term materials, full MHD/plasma stability models, tritium breeding cycle, and <$5B build cost. Include all equations, sim code, and falsifiable tests. Paper 3 - Transparency/Bug Note: For unknown reasons the model recording/API call logs and other metadata for this paper were lost and were unable to be retrieved for this single paper in the series - this includes the title and outline. A generic title was picked from another LLM. ================================================================================ EDITOR IMPOSED TITLE: An Auditable, Certified-Constraint End-to-End Stellarator Reactor Design Specification: Coupled Residuals, Implicit Adjoints, and Blanket/Neutronics/Thermal/Tritium Integration Abstract We give a discrete, optimization-facing mathematical specification for an end-to-end stellarator design pipeline composed of coupled numerical modules (geometry/equilibrium and coordinate transforms, stability proxies, transport/closure blocks, coil synthesis, and optional blanket neutronics/thermal/tritium layers). The motivating risk is numerical “false feasibility”: optimizers can exploit discretization and truncation error, ill-conditioned solves, undersampling of extrema, Monte Carlo uncertainty, and smooth surrogates for nonsmooth constraints, producing feasibility and gradient information that is not credible. The paper formulates the entire pipeline as a finite-dimensional coupled residual system $\mathcal{R}(\mathbf{U},\mathbf{p})=\mathbf{0}$ with an auditable diagnostic record $\mathcal{D}$ (residual norms/tolerances, conditioning proxies, truncation metadata, sampling radii, and statistical parameters). Differentiation is specified through implicit sensitivity and adjoint equations using matrix-free JVP/VJP interfaces, together with explicit failure modes (ill-conditioning, eigenvalue degeneracy, KKT degeneracy, and model switching) that trigger rejection or “inconclusive” status. Hard inequalities are required to be evaluated by one-sided conservative certificate oracles $g_{i,\mathrm{cert}}=\widehat g_i+\Delta_i^{\mathrm{num}}+\Delta_i^{\mathrm{unc}}$, with mandatory decomposition into nominal margin, numerical inflation (grid/Lipschitz envelopes, ODE integration bookkeeping, spectral enclosure prerequisites, smoothing inflation), and robust inflation over declared uncertainty sets. Representative certified interfaces are given for a +1D plasma backbone, Boozer-derived metrics, eigenvalue and resonance/island gates, prompt-loss bounds, and convex coil/thermal subproblems embedded via KKT residuals. The document ends by elevating falsification/benchmark design and by stating explicit limitations: all guarantees are discrete-only and conditional on declared assumptions, not physical adequacy of any proxy. I. Introduction End-to-end stellarator design is commonly posed as an optimization problem in which geometry and operating parameters are repeatedly evaluated by a chain of coupled numerical modules (equilibrium and coordinate transforms, stability proxies, profile/closure models, coil synthesis, and—when blanket engineering is included—neutronics and thermal/tritium submodels). In such pipelines, feasibility and improvement claims can be undermined by purely numerical effects: discretization and truncation error, solver tolerances and ill-conditioning, undersampling of extrema over geometric domains, statistical error in Monte Carlo tallies, and the use of smooth surrogates for nonsmooth constraints. A central difficulty is that an optimizer can inadvertently exploit these artifacts, producing “false feasibility” at the discretized level or producing gradients that are not credible. This paper addresses that risk by giving a discrete, optimization-facing mathematical *specification* for a pipeline in which auditability is treated as a first-class output. The focus is not to propose new physical models, nor to justify that any particular proxy (quasisymmetry metrics, eigenvalue stability margins, reduced island or prompt-loss indicators, transport closures, etc.) is physically adequate. Instead, the document specifies what an implementation must return—and what diagnostic evidence must accompany it—so that any feasibility decision is (i) conservative in a declared one-sided sense, and (ii) reproducible from recorded metadata. All statements are about declared finite-dimensional discretizations; no continuum-limit guarantees are claimed. I.A. Problem setting and risks We formalize a design evaluation as a partially defined map $\mathbf{p}\mapsto (\mathbf{U},\mathcal{D})$, where $\mathbf{p}\in\mathbb{R}^{n_p}$ is the design vector, $\mathbf{U}\in\mathbb{R}^{n_U}$ collects the states produced by nested solves (including optional engineering blocks), and $\mathcal{D}$ is a diagnostic record. The motivating risk is that, without an explicit contract for $\mathcal{D}$ and for rejection semantics, an optimization loop may treat non-credible outputs—e.g., a small residual produced by an ill-conditioned solve, or a sampled maximum that misses a narrow spike—as valid evidence of feasibility. I.B. Goal and scope The goal is to specify an optimization-ready architecture that: 1. Represents the full pipeline uniformly as a coupled residual system $\mathcal{R}(\mathbf{U},\mathbf{p})=\mathbf{0}$, including eigenproblems and inner convex programs via residual/KKT encodings. 2. Defines derivative interfaces for the discretized problem (matrix-free JVP/VJP and implicit-adjoint solves) together with explicit *credibility prerequisites* (conditioning and degeneracy diagnostics). 3. Requires every hard inequality to be evaluated by a one-sided conservative *certificate oracle* of the form \[ g_{i,\mathrm{cert}}(\mathbf{p}) = \widehat g_i(\mathbf{p}) + \Delta_i^{\mathrm{num}}(\mathcal{D}) + \Delta_i^{\mathrm{unc}}(\mathbf{p}), \] with explicit $\mathsf{Status}\in\{\mathrm{conclusive},\mathrm{inconclusive},\mathrm{failed}\}$ outputs and mandatory rejection when prerequisites are missing. Equally important, the scope includes explicit non-claims: the framework does not certify physical correctness of the proxy models; it certifies only that the *discrete computations and margins* used by the optimizer are numerically defensible under declared assumptions and recorded evidence. I.C. Summary of main results (specification deliverables) The document’s main deliverables are: - A system-level modular contract (Section II) for treating each physics/engineering block as a swap-ready map with declared inputs/outputs, required intermediate observables, and explicit “no-solution” versus “non-credible” semantics. - An implicit differentiation and adjoint calculus interface (Section III) for the coupled discretized residual, centered on matrix-free Jacobian-vector and transpose-Jacobian solves, with explicit failure modes (ill-conditioning, eigenvalue multiplicity, KKT degeneracy, model switching). - A collection of conservative, one-sided certification primitives (Section III and Section VIII) for sampled extrema (Lipschitz/$\delta$-net envelopes), ODE-based trajectory gates (Lipschitz propagation and integration-error bookkeeping), spectral quantities (one-sided enclosure interfaces with residual and separation evidence), and Monte Carlo responses (one-sided confidence bounds with auditable risk allocation). - Representative module interfaces and gates spanning the design stack: a +1D plasma backbone with power-balance residual diagnostics (Section IV); geometry and shape calculus interfaces plus a Boozer transform block with truncation and conditioning diagnostics (Section V); stability and confinement-adjacent gates including eigenvalue proxies, bootstrap fixed-point regularity checks, resonance/island non-overlap logic, and a prompt-loss certificate (Section VI); and coil synthesis posed as a convex subproblem embedded via KKT residuals with auditable sensitivities (Section VII). - Optional extensions that incorporate blanket/shield neutronics, thermal-hydraulics, and tritium inventory as additional residual blocks with adjoint-compatible sensitivity hooks, together with certified feasibility procedures for MC-based neutronics responses and robustification templates (Sections IX--XIII). - An explicit falsification/benchmarking layer that elevates diagnostic recordkeeping and experiment/benchmark selection to first-class, auditable outputs (Section XIV), followed by a limitations section enumerating what must be externally verified before any physical interpretation is justified (Section XV). I.D. Roadmap Section II defines the unified residual formulation, module contracts, diagnostics, and the certified-margin structure for constraints. Section III establishes the differentiation and certification preliminaries that all later blocks rely on. Sections IV--VII instantiate the contract for plasma, geometry/Boozer, stability and confinement proxies, and convex coil synthesis, respectively. Section VIII formalizes the conservative oracle semantics used by optimization. Sections IX--XIII describe how blanket/neutronics/thermal/tritium modules, Monte Carlo certification, certified surrogates, shape sensitivities under manufacturing tolerances, and segmentation decisions can be integrated without breaking auditability. Section XIV specifies the diagnostic record and benchmark-design logic needed to make the pipeline falsifiable, and Section XV records limitations and external verification requirements. The conclusion summarizes the resulting specification and its intended use: to prevent numerical false feasibility and to force explicit “inconclusive/reject” outcomes when evidence is insufficient. II. System-Level Mathematical Specification: Modular Maps and Implicit Residual Formulation This section specifies an end-to-end design-evaluation pipeline as a finite-dimensional, discretized, implicitly defined map. The goal is not to assert physical correctness of any particular module, but to define a mathematically auditable contract: what quantities are produced, what diagnostics must accompany them, and how infeasibility and non-credibility are represented. Throughout, all statements are about the declared discretizations. No continuum-limit claims are made. II.A. Parameterization and states II.A.1. Design parameter vector Let $\mathbf{p}\in\mathbb{R}^{n_p}$ denote the design parameter vector, partitioned as \[ \mathbf{p}=(\mathbf{p}_{\mathrm{geom}},\mathbf{p}_{\mathrm{op}},\mathbf{p}_{\mathrm{cl}},\mathbf{p}_{\mathrm{eng}}), \] where: - $\mathbf{p}_{\mathrm{geom}}$ parameterizes geometry (e.g., boundary Fourier coefficients, coil-surface parameterization, blanket segmentation/thickness knobs). - $\mathbf{p}_{\mathrm{op}}$ collects operating set points (e.g., heating levels, density targets, controller parameters). - $\mathbf{p}_{\mathrm{cl}}$ collects closure parameters (transport coefficients, bootstrap closure knobs, surrogate coefficients). - $\mathbf{p}_{\mathrm{eng}}$ collects engineering parameters that enter constraints or subproblems (weights, regularization strengths, bounds). The specification requires that each coordinate of $\mathbf{p}$ have: (i) declared physical meaning, (ii) declared admissible range $\mathcal{P}\subset\mathbb{R}^{n_p}$ (box, polytope, or general closed set), and (iii) declared units/scaling conventions. II.A.2. State vector decomposition Let $\mathcal{U}\subset\mathbb{R}^{n_U}$ be the state space for all discretized unknowns produced by nested solves. We write \[ \mathbf{U}=(\mathbf{u},\mathbf{y},\mathbf{x},\lambda,\mathbf{j},\mathbf{w},\mathbf{U}_{\mathrm{ext}})\in\mathcal{U}, \] where the blocks are conceptual and may be empty depending on the chosen physics/engineering stack: - $\mathbf{u}$: equilibrium (or geometry-proxy) degrees of freedom. - $\mathbf{y}$: coordinates/transform unknowns (e.g., Boozer transform DOFs) and/or spectral representations derived by an implicit solve. - $(\lambda,\mathbf{x})$: stability-proxy generalized eigenpair data (including normalization auxiliary residuals if used). - $\mathbf{j}$: bootstrap/current/profile closure variables and any fixed-point auxiliary unknowns. - $\mathbf{w}$: primal-dual variables for inner convex subproblems (e.g., coil synthesis) when treated through KKT conditions. - $\mathbf{U}_{\mathrm{ext}}$: optional extension blocks (blanket/neutronics/thermal/tritium, etc.) included as additional residual components. A design evaluation at $\mathbf{p}$ is intended to return a pair \[ (\mathbf{U},\mathcal{D}), \] where $\mathcal{D}$ is a diagnostic record (defined abstractly in II.C.2 and elaborated later in the document). II.A.3. Predicted observables and falsifiability hooks Let $\widehat{\mathbf{y}}\in\mathbb{R}^{n_y}$ denote predicted observables computed from $(\mathbf{U},\mathbf{p})$ via a declared map \[ \widehat{\mathbf{y}}=\mathcal{O}(\mathbf{U},\mathbf{p}). \] The contract requires $\mathcal{O}$ to expose intermediate quantities whenever an observable is produced through a nontrivial chain (e.g., spectra, integrated powers, residual norms, normalization checks). This is not a claim that validation data exist; it is a requirement that, if data exist, disagreement can be localized to modules rather than absorbed by unconstrained tuning. II.B. Swap-ready modular interfaces II.B.1. Modules as maps with declared contracts A module is represented abstractly as a (possibly implicitly defined) map with a declared input/output signature. Concretely, a module $\mathcal{M}_k$ is specified by: - an input space $\mathcal{I}_k$ and output space $\mathcal{O}_k$ (finite-dimensional, with declared units/scales), - a computation rule yielding output(s) and diagnostics, - a list of required intermediate observables that must be returned (even if not used by the optimizer), - a declared notion of convergence if the module contains a solve. Replacement invariance requirement: if two implementations $\mathcal{M}_k$ and $\widetilde{\mathcal{M}}_k$ share the same interface (same $\mathcal{I}_k,\mathcal{O}_k$, diagnostics fields, and tolerance semantics), then the remainder of the pipeline must not change. This is a specification constraint on the *surrounding* system: downstream modules must depend only on the interface, not on implementation details. II.B.2. Physical admissibility set and infeasibility semantics Let $\mathcal{U}_{\mathrm{phys}}\subset\mathcal{U}$ denote a declared physical-admissibility set for discrete states (e.g., positivity of temperatures/densities, boundedness of derived geometric factors, satisfaction of mandatory diagnostic residuals). The definition of $\mathcal{U}_{\mathrm{phys}}$ is part of the pipeline specification. We adopt the semantics: - If there exists no $\mathbf{U}\in\mathcal{U}_{\mathrm{phys}}$ satisfying the coupled residual system (II.C.1) at $\mathbf{p}$, then $\mathbf{p}$ is declared infeasible-by-no-solution. - If a numerical method returns a candidate $\tilde{\mathbf{U}}$ but fails mandatory credibility checks (e.g., residual not below tolerance, conditioning proxy indicates non-credibility), the evaluation returns a rejection status rather than a feasibility decision. This separation prevents the optimizer from treating non-credible outputs as evidence of feasibility. II.B.3. Required intermediate observables Each module must return a minimal set of intermediate observables sufficient to audit: (i) whether the module solve converged under declared criteria, and (ii) whether its outputs are in-range and interpretable. Examples of required fields (module-dependent) include: residual norms, iteration counts, stagnation flags, eigenvalue gap estimates, norm/conditioning proxies, discretization/truncation parameters, and unit-consistency checks. The system-level logic treats missing required fields as a hard failure. II.C. Unified implicit definition of the pipeline II.C.1. Coupled residual system The end-to-end pipeline is defined by a coupled residual equation \[ \mathcal{R}(\mathbf{U},\mathbf{p})=\mathbf{0},\qquad \mathcal{R}:\mathcal{U}\times\mathcal{P}\to\mathbb{R}^{n_U}, \] where $\mathcal{P}\subset\mathbb{R}^{n_p}$ is the admissible parameter set. The residual $\mathcal{R}$ is a concatenation of block residuals corresponding to modules and interface couplings, \[ \mathcal{R}(\mathbf{U},\mathbf{p})=(\mathcal{R}_{1},\ldots,\mathcal{R}_{K})(\mathbf{U},\mathbf{p}), \] with each $\mathcal{R}_k$ possibly representing a nonlinear solve, a linear system, an eigenproblem written as residuals (including normalization), or KKT conditions for an inner optimization problem. When solvable, the residual induces an implicit map $\mathbf{p}\mapsto \mathbf{U}(\mathbf{p})$ defined by \[ \mathcal{R}(\mathbf{U}(\mathbf{p}),\mathbf{p})=\mathbf{0},\qquad \mathbf{U}(\mathbf{p})\in\mathcal{U}_{\mathrm{phys}}. \] No global existence/uniqueness is assumed; the specification is local and algorithmic: any evaluation must return either (i) a credible state $\mathbf{U}$ together with diagnostics, or (ii) an auditable failure/rejection code. II.C.2. Convergence criteria and diagnostic norms Each residual block $\mathcal{R}_k$ must declare: - a norm $\|\cdot\|_{k}$ used for reporting, - a tolerance $\varepsilon_k>0$, – a stopping rule (e.g., $\|\mathcal{R}_k\|_k\le \varepsilon_k$, or a relative reduction criterion with explicit reference values), – any additional credibility conditions (e.g., eigenpair normalization residual, complementarity residual for KKT systems). The system diagnostic record $\mathcal{D}$ must include at least the vector of residual norms \[ \mathbf{r}(\mathbf{p}) := \bigl(\|\mathcal{R}_1\|_1,\ldots,\|\mathcal{R}_K\|_K\bigr) \] and the corresponding tolerances $(\varepsilon_1,\ldots,\varepsilon_K)$, together with solver statuses. II.C.3. Conditioning as an interface requirement Let \[ \mathcal{J}(\mathbf{U},\mathbf{p}) := \partial_{\mathbf{U}}\mathcal{R}(\mathbf{U},\mathbf{p})\in\mathbb{R}^{n_U\times n_U} \] denote the Jacobian of the coupled residual with respect to the state variables, evaluated at a candidate solution. Conditioning is not an implementation detail: downstream differentiation and certification steps can be invalidated by severe ill-conditioning. Accordingly, the evaluation record must include a conditioning proxy $\kappa_{\mathrm{proxy}}$ and a status flag. The specification does not mandate a particular proxy (e.g., estimated smallest singular value, Krylov iteration diagnostics, or a verified bound), but it does require that: – the proxy be declared and reproducible, – acceptance thresholds be declared, – failure of conditioning checks triggers rejection (no feasibility claim). This requirement is intentionally conservative: if the linearization is not credibly invertible/solvable to the needed accuracy, implicit sensitivities (Section III) may amplify errors. II.D. Objectives and inequality constraints II.D.1. Standard constrained form Let $\Psi$ be a scalar objective defined on discrete states and parameters: \[ \Psi:\mathcal{U}\times\mathcal{P}\to\mathbb{R}. \] Let $\mathbf{g}$ be a vector of inequality constraints, \[ \mathbf{g}:\mathcal{U}\times\mathcal{P}\to\mathbb{R}^{m},\qquad \mathbf{g}(\mathbf{U},\mathbf{p})\le \mathbf{0}, \] where each component $g_i$ is interpreted as a margin (negative means satisfied). Equality constraints are represented either by inclusion in $\mathcal{R}$ (preferred when they arise from solves) or by paired inequalities when appropriate. The reduced objective and constraints are induced by the implicit map when it exists: \[ \widehat\Psi(\mathbf{p}) := \Psi(\mathbf{U}(\mathbf{p}),\mathbf{p}),\qquad \widehat{\mathbf{g}}(\mathbf{p}) := \mathbf{g}(\mathbf{U}(\mathbf{p}),\mathbf{p}). \] Because $\mathbf{U}(\mathbf{p})$ may fail to exist or may be non-credible, $\widehat\Psi$ and $\widehat{\mathbf{g}}$ are understood as *partially defined* with rejection semantics. II.D.2. Multi-objective scalarization and Pareto interfaces When multiple objectives $\Psi_k$ are present, the interface may expose either: – a scalarization $\Psi_{\mathrm{scal}}=\sum_k w_k\Psi_k$ with declared weights $w_k\ge 0$, or – a vector objective with a declared Pareto-stationarity concept. For optimization readiness, the system must provide, for any exposed scalar objective, the derivative information specified in Section III (JVP/VJP through $\mathcal{R}$). If Pareto methods are used, the system must still expose scalar function evaluations and derivatives for whichever scalar subproblems are solved. II.D.3. Robust-optimization wrapper with auditable margins To reduce false feasibility due to discretization, solver tolerances, undersampling, or statistical error (when present), each constraint component is wrapped by a one-sided conservative margin decomposition. We require each constraint to be representable in the audited form \[ \mathrm{Cert}_i(\mathbf{p}) := g_i(\mathbf{U},\mathbf{p}) + \Delta^{\mathrm{num}}_i(\mathcal{D}) + \Delta^{\mathrm{unc}}_i(\mathbf{p}) \le 0, \] where: – $g_i(\mathbf{U},\mathbf{p})$ is the nominal discrete margin computed from the reported state, – $\Delta^{\mathrm{num}}_i(\mathcal{D})\ge 0$ is a declared numerical uncertainty inflation computed from diagnostics (e.g., residual tolerance effects, truncation bounds, integration error bookkeeping, grid-to-continuum wrappers), – $\Delta^{\mathrm{unc}}_i(\mathbf{p})\ge 0$ is a declared inflation over a parameter uncertainty set (e.g., linearized worst-case support function over a norm ball), with all assumptions explicitly stated. The wrapper is an interface requirement: if $\Delta^{\mathrm{num}}_i$ or $\Delta^{\mathrm{unc}}_i$ cannot be formed (missing diagnostics, failed prerequisites), then the constraint evaluation returns rejection rather than a potentially optimistic value. The mathematical development of concrete $\Delta$-constructions is deferred to Sections III and VIII; here we only enforce that every hard inequality used by the optimizer must be backed by an auditable one-sided certificate expression. III. Mathematical Preliminaries for Differentiation and Certification This section records finite-dimensional tools used by the pipeline specified in Section II: (i) differentiation through implicitly defined (nested) solves and inner optimization problems, and (ii) conservative, one-sided certification primitives for inequality constraints. All statements are for the declared discretizations; no continuum-limit claims are implied. III.A. Implicit function and implicit differentiation for nested solves III.A.1. Local solvability and sensitivity equation Fix a parameter $\mathbf{p}\in \mathcal{P}$. Suppose $\mathbf{U}^*\in\mathcal{U}_{\mathrm{phys}}$ satisfies \[ \mathcal{R}(\mathbf{U}^*,\mathbf{p})=\mathbf{0}. \] Assume $\mathcal{R}$ is differentiable in a neighborhood of $(\mathbf{U}^*,\mathbf{p})$ and that the Jacobian \[ \mathcal{J}:=\partial_{\mathbf{U}}\mathcal{R}(\mathbf{U}^*,\mathbf{p})\in\mathbb{R}^{n_U\times n_U} \] is invertible. Then there exists a neighborhood $\mathcal{N}$ of $\mathbf{p}$ in which a (locally unique) differentiable solution map $\mathbf{U}(\cdot)$ exists with $\mathbf{U}(\mathbf{p})=\mathbf{U}^*$ and $\mathcal{R}(\mathbf{U}(\mathbf{p}’),\mathbf{p}’)=\mathbf{0}$ for $\mathbf{p}’\in\mathcal{N}$. Differentiating $\mathcal{R}(\mathbf{U}(\mathbf{p}),\mathbf{p})=\mathbf{0}$ yields the sensitivity identity \[ \mathcal{J}\,\frac{d\mathbf{U}}{d\mathbf{p}}(\mathbf{p}) = -\partial_{\mathbf{p}}\mathcal{R}(\mathbf{U}^*,\mathbf{p}), \] interpreted as a linear system for each direction in parameter space. Interface requirement (credibility): whenever $d\mathbf{U}/d\mathbf{p}$ is returned (directly or implicitly via adjoints), the evaluation record must include the conditioning proxy for $\mathcal{J}$ declared in II.C.3; if that proxy indicates near-singularity at the declared tolerance, all derivative outputs must be flagged non-credible and constraint/objective derivatives must not be used for acceptance decisions. III.A.2. Matrix-free JVP/VJP as the primary differentiation interface The pipeline is not required to form dense Jacobians. Instead, it must provide Jacobian-vector products (JVPs) and vector-Jacobian products (VJPs) consistent with the declared discretization. Directional derivative (JVP) through the implicit state. Given a parameter direction $\mathbf{v}\in\mathbb{R}^{n_p}$, define \[ \mathbf{s}:=\frac{d\mathbf{U}}{d\mathbf{p}}[\mathbf{v}]\in\mathbb{R}^{n_U}. \] Then $\mathbf{s}$ is the solution of \[ \mathcal{J}\,\mathbf{s} = -\bigl(\partial_{\mathbf{p}}\mathcal{R}(\mathbf{U}^*,\mathbf{p})\bigr)\mathbf{v}. \] Thus the JVP requires (i) an evaluation of the right-hand side in direction $\mathbf{v}$, and (ii) one linear solve with $\mathcal{J}$ (possibly via a Krylov method). Adjoint derivative (VJP) for a scalar output. Let $\Phi(\mathbf{U},\mathbf{p})\in\mathbb{R}$ be any scalar quantity of interest (objective, constraint margin, or intermediate diagnostic for optimization). Define the reduced scalar $\widehat\Phi(\mathbf{p})=\Phi(\mathbf{U}(\mathbf{p}),\mathbf{p})$. Under the conditions above, \[ \nabla\widehat\Phi(\mathbf{p}) = \partial_{\mathbf{p}}\Phi(\mathbf{U}^*,\mathbf{p}) – \bigl(\partial_{\mathbf{p}}\mathcal{R}(\mathbf{U}^*,\mathbf{p})\bigr)^T\boldsymbol\lambda, \] where the adjoint $\boldsymbol\lambda\in\mathbb{R}^{n_U}$ solves the transpose system \[ \mathcal{J}^T\boldsymbol\lambda = \bigl(\partial_{\mathbf{U}}\Phi(\mathbf{U}^*,\mathbf{p})\bigr)^T. \] This identity is the main computational contract: one scalar reduced gradient requires one transpose-Jacobian solve, plus module-level VJPs needed to assemble the right-hand side and the final contraction. III.A.3. Second-order directional differentiation (Hessian-vector products) Second-order information is often needed for trust-region methods, sequential convex programming, or curvature diagnostics. Since the pipeline is discretized and implicit, a practical target is the Hessian-vector product $\nabla^2\widehat\Phi(\mathbf{p})\mathbf{v}$ in a direction $\mathbf{v}$. A general, implementation-oriented identity can be written in terms of directional derivatives. Let $\mathbf{s}=d\mathbf{U}/d\mathbf{p}[\mathbf{v}]$ be obtained from the sensitivity solve. Define the directional derivative of the adjoint right-hand side \[ \mathbf{b}_\lambda := \frac{d}{d\epsilon}\Big|_{\epsilon=0} \bigl(\partial_{\mathbf{U}}\Phi(\mathbf{U}(\mathbf{p}+\epsilon\mathbf{v}),\mathbf{p}+\epsilon\mathbf{v})\bigr)^T. \] Define similarly the directional derivative of the transpose Jacobian applied to $\boldsymbol\lambda$: \[ \mathbf{c}_\lambda := \frac{d}{d\epsilon}\Big|_{\epsilon=0} \Big(\partial_{\mathbf{U}}\mathcal{R}(\mathbf{U}(\mathbf{p}+\epsilon\mathbf{v}),\mathbf{p}+\epsilon\mathbf{v})^T\boldsymbol\lambda\Big). \] Then the directional derivative of the adjoint $\dot{\boldsymbol\lambda}$ satisfies \[ \mathcal{J}^T\dot{\boldsymbol\lambda} = \mathbf{b}_\lambda – \mathbf{c}_\lambda, \] and the Hessian-vector product can be assembled as \[ \nabla^2\widehat\Phi(\mathbf{p})\mathbf{v} = \frac{d}{d\epsilon}\Big|_{\epsilon=0}\partial_{\mathbf{p}}\Phi(\mathbf{U}(\mathbf{p}+\epsilon\mathbf{v}),\mathbf{p}+\epsilon\mathbf{v}) – \frac{d}{d\epsilon}\Big|_{\epsilon=0}\bigl(\partial_{\mathbf{p}}\mathcal{R}(\mathbf{U}(\mathbf{p}+\epsilon\mathbf{v}),\mathbf{p}+\epsilon\mathbf{v})\bigr)^T\boldsymbol\lambda – \bigl(\partial_{\mathbf{p}}\mathcal{R}(\mathbf{U}^*,\mathbf{p})\bigr)^T\dot{\boldsymbol\lambda}. \] The contract implied here is not that second derivatives are always available, but that when a module exposes Hessian-vector products (via algorithmic differentiation, directional finite differencing, or analytic formulas), it must also expose the credibility prerequisites (conditioning proxies, step sizes for directional differencing, and any smoothing parameters used to regularize nonsmooth primitives). III.B. Adjoint calculus for the end-to-end discretized pipeline III.B.1. Reduced objective and constraint gradients With $\widehat\Psi(\mathbf{p})=\Psi(\mathbf{U}(\mathbf{p}),\mathbf{p})$ and reduced constraints $\widehat g_i(\mathbf{p})=g_i(\mathbf{U}(\mathbf{p}),\mathbf{p})$, each scalar reduced gradient takes the adjoint form described in III.A.2. In particular, for each scalar $\Phi\in\{\Psi,g_1,\ldots,g_m\}$, the pipeline must be able to: 1. Build the adjoint right-hand side $(\partial_{\mathbf{U}}\Phi)^T$ by composing module-local derivatives through the declared interfaces. 2. Solve $\mathcal{J}^T\boldsymbol\lambda_\Phi=(\partial_{\mathbf{U}}\Phi)^T$ to declared tolerance (or return rejection if the transpose solve is non-credible under the conditioning criteria). 3. Assemble $\nabla\widehat\Phi = \partial_{\mathbf{p}}\Phi – (\partial_{\mathbf{p}}\mathcal{R})^T\boldsymbol\lambda_\Phi$. III.B.2. Block structure and coupled-module adjoints If $\mathbf{U}=(\mathbf{U}_1,\ldots,\mathbf{U}_K)$ corresponds to modules and couplings, then the Jacobian admits a block structure \[ \mathcal{J}=\begin{bmatrix} \partial_{\mathbf{U}_1}\mathcal{R}_1 & \cdots & \partial_{\mathbf{U}_K}\mathcal{R}_1\\ \vdots & \ddots & \vdots\\ \partial_{\mathbf{U}_1}\mathcal{R}_K & \cdots & \partial_{\mathbf{U}_K}\mathcal{R}_K \end{bmatrix}. \] The adjoint system $\mathcal{J}^T\boldsymbol\lambda = (\partial_{\mathbf{U}}\Phi)^T$ propagates information from downstream quantities back to upstream states. This is the mathematical basis for the requirement in Section II that each module expose intermediate observables and derivative primitives: without these, the block adjoint cannot be audited or reproduced. III.B.3. Failure modes for adjoint credibility The specification treats the following events as triggers for derivative non-credibility (hence rejection or inconclusive outputs for optimization decisions): 1. Ill-conditioning: the conditioning proxy for $\mathcal{J}$ or $\mathcal{J}^T$ indicates near-singularity at declared tolerances. 2. Eigenvalue degeneracy: when a module state includes eigenpairs, near-multiplicity can make eigenvectors and derived gradients unstable unless a separation/gap diagnostic is supplied. 3. KKT degeneracy: when inner convex programs are differentiated through KKT systems, failure of constraint qualification or near-loss of strict complementarity can yield unstable dual variables. 4. Model switching and events: if a module includes if/else logic, contact events, or discontinuous switches, then derivatives must either (i) be computed for a declared smooth surrogate with parameters reported, or (ii) be withheld and the evaluation marked non-credible for gradient-based decisions. III.C. One-sided conservative certification tools for inequality constraints This subsection provides generic wrappers that turn computed quantities into conservative (one-sided) bounds suitable for use in hard constraints. Each wrapper comes with mandatory metadata requirements so that an auditor can reproduce the bound from the diagnostic record. III.C.1. Lipschitz bounds, $\delta$-nets, and certified extrema from sampled grids Let $\Omega$ be a compact domain and $f:\Omega\to\mathbb{R}$ a scalar field. Suppose the pipeline can provide: (i) discrete samples $f(x_j)$ on a finite set $G=\{x_j\}_{j=1}^N\subset\Omega$, (ii) a covering radius $\delta\ge 0$ such that for every $x\in\Omega$ there exists $x_j\in G$ with $d(x,x_j)\le \delta$ (for a declared metric $d$), and (iii) a Lipschitz constant $L\ge 0$ such that $|f(x)-f(x’)|\le L\,d(x,x’)$ for all $x,x’\in\Omega$. Then the following certified bounds hold: \[ \max_{x\in\Omega} f(x) \le \max_{x_j\in G} f(x_j) + L\delta, \] \[ \min_{x\in\Omega} f(x) \ge \min_{x_j\in G} f(x_j) – L\delta. \] These are conservative in the correct direction once $L$ and $\delta$ are trusted. Accordingly, the interface must report $(G,\delta,d,L)$ and the provenance of $L$ (analytic bound, validated estimate, or heuristic). If $L$ is only heuristic, then the continuous-domain certificate must be flagged as inconclusive; the pipeline may still report the sampled extrema as diagnostics. III.C.2. Error bookkeeping for ODE-based certificates via Lipschitz propagation Many constraints depend on integrating an ODE $\dot{\mathbf{z}}=F(\mathbf{z},t)$ with $\mathbf{z}(0)=\mathbf{z}_0$ over $[0,T]$ (e.g., trajectory-based prompt-loss proxies). Let $\mathbf{z}(t)$ denote the exact solution of the discrete ODE and $\tilde{\mathbf{z}}(t)$ a numerically computed trajectory produced by a declared integrator. A minimal conservative error propagation statement is: Assumption (Lipschitz in state): there exists $L_F\ge 0$ such that $\|F(\mathbf{z},t)-F(\mathbf{z}’,t)\|\le L_F\|\mathbf{z}-\mathbf{z}’\|$ for all relevant $(\mathbf{z},\mathbf{z}’,t)$. If the integrator provides a certified bound $\eta(t)\ge 0$ on the accumulated defect (e.g., via a bound on local truncation error and step-size metadata), then \[ \|\mathbf{z}(t)-\tilde{\mathbf{z}}(t)\| \le e^{L_F t}\,\|\mathbf{z}_0-\tilde{\mathbf{z}}_0\| + \int_0^t e^{L_F(t-s)}\,\eta(s)\,ds. \] This inequality is a bookkeeping interface: the pipeline must either (i) provide the ingredients $(L_F,\eta,\tilde{\mathbf{z}})$ sufficient to compute the right-hand side, or (ii) declare the trajectory certificate inconclusive. III.C.3. Enclosure interfaces for spectral quantities Several modules may produce spectral quantities (eigenvalues, singular values, or generalized eigenpairs) used as feasibility gates. Since naive eigenvalue computations can be numerically fragile, the certification layer treats spectral information through enclosure interfaces. Generic requirement (spectral certificate record): when a scalar spectral quantity $\sigma$ is used in a hard constraint, the module must return 1. A nominal value $\widehat\sigma$. 2. A one-sided bound of the appropriate direction, e.g. $\sigma^{\mathrm{lo}}\le \sigma$ for lower-bound constraints or $\sigma^{\mathrm{hi}}\ge \sigma$ for upper-bound constraints. 3. Diagnostics supporting interpretation of the bound: residual norms for the computed vector(s), normalization checks, and (when the method requires it) separation/gap evidence that the bound corresponds to the intended eigenvalue. Because the exact enclosure method is application-dependent (symmetric vs. nonsymmetric, generalized eigenproblems, preconditioners), this paper does not mandate a particular theorem-to-code mapping. It mandates only: one-sidedness, explicit prerequisites, and rejection when prerequisites are missing. III.D. Statistical and distributionally robust certification primitives for Monte Carlo responses This subsection fixes notation for Monte Carlo (MC) responses that enter constraints (e.g., neutronics tallies). The paper does not assume that any particular concentration inequality applies automatically; instead it specifies how one-sided bounds must be constructed from declared assumptions. III.D.1. Score model and one-sided feasibility bounds Let $Y$ be a per-sample score with mean $R:=\mathbb{E}[Y]$. Given i.i.d. samples $Y_1,\ldots,Y_N$, define the estimator $\widehat R_N = \frac{1}{N}\sum_{i=1}^N Y_i$. A one-sided lower bound takes the form \[ R_{\mathrm{LB}} = \widehat R_N – \epsilon_N(\delta), \] and satisfies $\mathbb{P}(R\ge R_{\mathrm{LB}})\ge 1-\delta$ under declared assumptions. Similarly, an upper bound is $R_{\mathrm{UB}} = \widehat R_N + \epsilon_N(\delta)$ with $\mathbb{P}(R\le R_{\mathrm{UB}})\ge 1-\delta$. Example (bounded-score assumption). If the implementation declares verified bounds $Y\in[a,b]$ almost surely, then Hoeffding’s inequality yields \[ \epsilon_N(\delta) = (b-a)\sqrt{\frac{\log(1/\delta)}{2N}}. \] This provides an auditable one-sided certificate because it depends only on $(a,b,N,\delta)$, which must be reported. If boundedness is not available, the implementation must instead declare the alternative assumptions used (e.g., finite variance with a one-sided Chebyshev-type bound, truncation rules, or other conservative concentration tools) and report all parameters required to reproduce $\epsilon_N(\delta)$. If no such assumption is declared, the MC-based constraint must be marked inconclusive. III.D.2. Risk allocation across multiple responses and stopping rules Suppose $M$ MC-based responses $R^{(1)},\ldots,R^{(M)}$ each enter feasibility constraints via one-sided bounds. To control the probability of making any incorrect feasibility claim across all responses, a simple auditable risk allocation is: Choose $\delta_1,\ldots,\delta_M$ with $\sum_{j=1}^M \delta_j \le \alpha$, and compute one-sided bounds for each response at confidence $1-\delta_j$. Then, by the union bound, \[ \mathbb{P}\Big(\forall j:\ R^{(j)}\ \text{satisfies its bound}\Big) \ge 1-\alpha. \] An auditable stopping rule for each response is: continue sampling until either (i) the certified bound clears the threshold with a declared margin (e.g., $R_{\mathrm{LB}}\ge R_{\min}$ for a lower-bound constraint), or (ii) a declared resource limit is reached, in which case the evaluation returns inconclusive for that constraint. III.D.3. Gap note: concentration and robustness assumptions must be explicit Many MC tallies exhibit heavy tails, strong variance heterogeneity, or score distributions for which naive Gaussian approximations can be unreliable at design-level tolerances. Therefore: – Any one-sided MC feasibility bound must declare exactly which assumptions are used (boundedness, moment bounds, truncation, etc.). – The diagnostic record must include enough metadata to reproduce the bound (sample size, confidence allocation, any range/variance parameters, and any truncation or bias-correction logic). – If the assumption set does not hold or cannot be audited, the correct output is inconclusive rather than an optimistic feasibility claim. IV. Plasma Backbone Module (0D/+1D) and Falsifiability/Diagnostics This section specifies a minimal “plasma backbone” module intended to provide (i) a fast, optimization-ready mapping from operating/design parameters to a small set of profile-like state variables, and (ii) mandatory diagnostic residuals and intermediate observables that make the module falsifiable on present experiments or trusted benchmarks. The intent is not to claim physical completeness; rather, the backbone is defined as a discrete residual block $\mathcal{R}_{\mathrm{plasma}}$ inside the unified system $\mathcal{R}(\mathbf{U},\mathbf{p})=0$, together with a contract specifying what must be reported so that downstream constraints cannot silently rely on non-credible outputs. IV.A. Flux-surface averaged +1D steady energy balances on a $\rho$-grid IV.A.1. Conservative flux form and integrated powers Let $\rho\in[0,1]$ denote a normalized flux-surface label. Fix a grid \[ 0=\rho_0<\rho_1<\cdots<\rho_N=1. \] Let $s\in\mathcal{S}$ index channels (e.g., ions, electrons). The backbone state contains discrete temperatures $T_{s,k}\approx T_s(\rho_k)$ and any additional required profiles (e.g., densities $n_{s,k}$, effective charge, radiative fractions), collected into a vector $\mathbf{u}_{\mathrm{1D}}\subset\mathbf{U}$. We write a steady balance in conservative form \[ -\frac{d}{d\rho} P_s(\rho) = Q_s(\rho), \] where: - $P_s(\rho)$ is the integrated radial power flow through the surface $\rho$ (units: power), and - $Q_s(\rho)$ is the net power deposited per unit $\rho$-measure (units: power per unit $\rho$). To connect to fluxes, we permit the representation \[ P_s(\rho) = A(\rho)\,q_s(\rho), \] where $q_s$ is a scalar radial flux (units: power per area) and $A(\rho)>0$ is a declared geometry-dependent area factor (units: area). This is an interface abstraction: the module must declare precisely how $A$ is computed from geometry proxies and discretization metadata, and must report unit-consistency checks for $A$, $q_s$, and $P_s$. Boundary conditions are part of the module contract. Typical examples include: – symmetry/regularity at axis: $P_s(0)=0$, or – prescribed edge loss: $P_s(1)=P_{s,\mathrm{edge}}$ with $P_{s,\mathrm{edge}}$ a parameter (possibly controller-determined). IV.A.2. Discrete finite-volume residual and mandatory power-balance diagnostic Define cell interfaces $\rho_{k+1/2}=(\rho_{k+1}+\rho_k)/2$ and cell widths $\Delta\rho_k=\rho_{k+1/2}-\rho_{k-1/2}$. Let $P_{s,k+1/2}\approx P_s(\rho_{k+1/2})$ and $Q_{s,k}\approx Q_s$ averaged over cell $[\rho_{k-1/2},\rho_{k+1/2}]$. The conservative discrete residual is \[ \bigl(\mathcal{R}_{\mathrm{PB},s}\bigr)_k := \frac{P_{s,k+1/2}-P_{s,k-1/2}}{\Delta\rho_k} + Q_{s,k} = 0,\qquad k=1,\ldots,N-1. \] This induces a mandatory diagnostic “power-balance residual norm” \[ \mathfrak{r}_{\mathrm{PB},s}:=\|\mathcal{R}_{\mathrm{PB},s}\|_{\mathrm{PB}} \] for a declared norm $\|\cdot\|_{\mathrm{PB}}$ and tolerance $\varepsilon_{\mathrm{PB}}$. The module must report $\mathfrak{r}_{\mathrm{PB},s}$, $\varepsilon_{\mathrm{PB}}$, the grid $\{\rho_k\}$, and all boundary flux conventions. If $\mathfrak{r}_{\mathrm{PB},s}>\varepsilon_{\mathrm{PB}}$ then the evaluation status is rejection (non-credible state), not feasibility. A global integrated check is also required: \[ \mathfrak{r}_{\mathrm{int},s} := \left|P_s(1)-P_s(0)+\sum_{k=1}^{N-1} Q_{s,k}\,\Delta\rho_k\right|, \] which must be reported for auditability, since it is invariant to local reparameterizations if the discretization is conservative. IV.B. Transport closures and identifiability IV.B.1. Diffusive closure template A baseline closure for the radial flux is the diffusive form \[ q_s(\rho) = -n_s(\rho)\,\chi_s(\rho)\,\frac{dT_s}{dr}(\rho), \] where $r$ is a declared monotone radial coordinate with known mapping $r=r(\rho)$ (reported as metadata). The module must declare how derivatives are discretized (e.g., centered differences, upwinded gradients, slope limiters) and must report the resulting stencil type and boundary handling. The closure is incorporated in the residual either by substituting into $P_s=Aq_s$ at interfaces $\rho_{k+1/2}$ or by including flux unknowns $q_{s,k+1/2}$ as additional state variables and enforcing closure equations as residual components. Both are acceptable provided the contract reports all intermediate values used to form $P_{s,k+1/2}$. IV.B.2. Nonnegative decomposition of transport coefficients To prevent nonphysical negative diffusivity in the discrete system, require \[ \chi_s(\rho) = \chi_{s,\mathrm{nc}}(\rho;\mathbf{p},\mathbf{U}) + \chi_{s,\mathrm{turb}}(\rho;\boldsymbol{\theta}_T),\qquad \chi_{s,\mathrm{turb}}(\rho;\boldsymbol{\theta}_T)\ge 0,\ \chi_{s,\mathrm{nc}}(\rho;\cdot)\ge 0, \] for a vector of closure parameters $\boldsymbol{\theta}_T\subset\mathbf{p}_{\mathrm{cl}}$. Enforcing nonnegativity may be done by parametrization (e.g., $\chi=\exp(\eta)$ or $\chi=\mathrm{softplus}(\eta)$); if smoothing is used, its parameters must be reported and any hard-constraint decisions must incorporate a conservative smoothing-to-true-function inflation (Section VIII). IV.B.3. Calibrate-or-reject rules and required intermediate observables Let $\boldsymbol{\theta}_T$ be calibrated from a declared dataset of intermediate observables $\mathbf{y}_{\mathrm{int}}$ (e.g., absorbed power profiles, temperature gradients, modulation transfer functions). The module must expose a calibration map \[ \boldsymbol{\theta}_T^* = \operatorname*{argmin}_{\boldsymbol{\theta}_T\in\Theta}\ \mathcal{L}_{\mathrm{cal}}\bigl(\mathbf{y}_{\mathrm{int}}(\boldsymbol{\theta}_T),\mathbf{y}^{\mathrm{obs}}_{\mathrm{int}}\bigr) \] with a declared feasible set $\Theta$ and loss $\mathcal{L}_{\mathrm{cal}}$, or otherwise declare $\boldsymbol{\theta}_T$ as fixed inputs. Identifiability is treated operationally: if multiple distinct $\boldsymbol{\theta}_T$ produce indistinguishable $\mathbf{y}_{\mathrm{int}}$ within declared uncertainty, then the calibration is non-identifiable at the chosen diagnostics and must be flagged. In that case, downstream optimization must not treat the calibrated $\chi_s$ as a uniquely determined prediction; rather it must either (i) enlarge $\Delta_i^{\mathrm{unc}}$ to cover the non-identifiability range, or (ii) reject use of the closure in that regime. IV.C. Additional falsifiable observables from operator structure This subsection records optional but strongly recommended intermediate observables derived from the linear operator structure of the discrete energy balance. These observables can be tested (e.g., through modulation experiments) without requiring the full fidelity of a reactor-regime model. IV.C.1. Sturm–Liouville/self-adjoint recast and principal decay rate Consider, for a fixed operating point, the linearized (or linear) operator acting on a perturbation $\vartheta$ of temperature, \[ \mathcal{L}_s\vartheta := -\frac{1}{w_s(\rho)}\frac{d}{d\rho}\left(a_s(\rho)\frac{d\vartheta}{d\rho}\right) + c_s(\rho)\,\vartheta, \] with weight $w_s(\rho)>0$, diffusion coefficient $a_s(\rho)>0$, and reaction term $c_s(\rho)\ge 0$ as declared functions of the state and parameters. Under standard boundary conditions (Dirichlet/Neumann/Robin, declared explicitly), $\mathcal{L}_s$ is formally self-adjoint in the weighted $L^2$ inner product $\langle f,g\rangle_{w_s}=\int_0^1 w_s f g\,d\rho$. The principal eigenvalue $\lambda_{1,s}$ (smallest eigenvalue) governs a decay rate for linear relaxation and is a candidate intermediate observable. In discretization, let $K_s$ and $M_s$ denote the stiffness and mass matrices (symmetric positive definite under the same conditions). Then $\lambda_{1,s}$ is approximated by the smallest generalized eigenvalue of \[ K_s\mathbf{v}=\lambda\,M_s\mathbf{v}. \] Contract requirement: if $\lambda_{1,s}$ (or any eigenvalue derived from $K_s,M_s$) is returned, the module must also return (i) the discrete matrices or sufficient operator-action access to reproduce Rayleigh quotients, (ii) eigen-residual norms $\|K_s\mathbf{v}-\lambda M_s\mathbf{v}\|$, and (iii) resolution metadata needed to interpret $\lambda_{1,s}$ as a discretization-dependent observable. IV.C.2. Rayleigh-quotient bounds and resolvent/transfer-function predictions For self-adjoint problems, the Rayleigh quotient provides a variational characterization \[ \lambda_{1,s} = \min_{\vartheta\neq 0} \frac{\int_0^1 \left(a_s|\vartheta’|^2 + c_s w_s|\vartheta|^2\right)d\rho}{\int_0^1 w_s|\vartheta|^2 d\rho}, \] and, discretely, \[ \lambda_{1,s} \approx \min_{\mathbf{v}\neq 0} \frac{\mathbf{v}^T K_s\mathbf{v}}{\mathbf{v}^T M_s\mathbf{v}}. \] The module may use this structure to produce auditable lower/upper bounds on $\lambda_{1,s}$ (in the sense of Section III.C.3), but any such bounds must include the required spectral diagnostics and be treated as discrete certificates only. For modulation experiments, a linear time-dependent perturbation model of the form \[ \partial_t \vartheta + \mathcal{L}_s\vartheta = f(t,\rho) \] suggests transfer-function predictions via the resolvent $(i\omega I + \mathcal{L}_s)^{-1}$. Discretely, at frequency $\omega$, solve \[ (i\omega M_s + K_s)\mathbf{v}(\omega) = \mathbf{f}(\omega). \] The module contract may expose as intermediate observables: predicted phase lag, amplitude attenuation, or norms $\|\mathbf{v}(\omega)\|$ for declared forcing patterns $\mathbf{f}(\omega)$. These outputs are explicitly falsifiable on present devices when suitable forcing/diagnostics exist. IV.D. Rotational transform and geometry-proxy dependencies IV.D.1. $\iota(\rho)$ profile requirements Many downstream quantities depend on a rotational-transform-like profile $\iota(\rho)$ supplied either by a geometry proxy or by an equilibrium/Boozer stage. The plasma backbone module does not define $\iota$ from first principles; it requires that whenever $\iota$ enters closures or constraints, the pipeline must provide: 1. A discrete profile $\{\iota_k\}_{k=0}^N$ with stated provenance (which module produced it, on which grid). 2. Consistency metadata identifying the $\rho$ convention and any interpolation used. 3. If resonance-avoidance or island-risk gates are invoked later (Section VI.C), the pipeline must additionally provide whatever derivative or separation evidence is required there; otherwise, those gates must return inconclusive. IV.D.2. Fourier-mode set $\mathcal{K}$ as a falsifiable modeling assumption Let $\mathcal{K}\subset\mathbb{Z}^2$ denote a declared finite set of Fourier harmonics $(m,n)$ used by reduced models (e.g., near-integrable field-line Hamiltonians) or by geometry proxies. The choice of $\mathcal{K}$ is not treated as innocuous: truncation is a modeling assumption and is therefore part of falsifiability. Contract requirement: the pipeline must report $\mathcal{K}$, any truncation weights, and at least one intermediate observable that can be compared against a higher-fidelity computation or experimental diagnostic (e.g., a vacuum-field harmonic comparison) to detect when the truncated representation fails. IV.E. Operational inputs and controllers IV.E.1. Heating functional decomposition Let $Q_s(\rho)$ be decomposed as \[ Q_s = Q_{s,\mathrm{aux}} + Q_{s,\alpha} + Q_{s,\mathrm{ohm}} – Q_{s,\mathrm{rad}} – Q_{s,\mathrm{cx}} – \cdots, \] where each term corresponds to a declared map depending on $(\mathbf{U},\mathbf{p})$. The module must report each component separately (not only the sum), because component-wise diagnostics are required to localize disagreement during validation. IV.E.2. Example emulator heating law (operational controller) To accommodate optimization studies that include simple operational controllers, permit a declared non-first-principles law such as \[ P_{\mathrm{aux,abs}}(t)=P_0 + k\left(\frac{\Theta(t)}{\Theta_{\mathrm{ref}}}\right)^{\nu}, \] with parameters $(P_0,k,\nu)\subset\mathbf{p}_{\mathrm{op}}$ and a declared measured/estimated signal $\Theta(t)$. If such a controller is used in steady surrogates (e.g., via a representative $t$ or operating point), the module must report the chosen convention and must flag that this block is an emulator rather than a derived physical law. IV.F. Statistical validation hooks IV.F.1. Example $\chi^2$ rejection criterion Let $\widehat{\mathbf{y}}$ be a vector of predicted intermediate observables intended for validation against data $\mathbf{y}^{\mathrm{obs}}$ with declared covariance $\Sigma$ (or a diagonal uncertainty model). Define \[ \chi^2_{\mathrm{val}} := (\widehat{\mathbf{y}}-\mathbf{y}^{\mathrm{obs}})^T\Sigma^{-1}(\widehat{\mathbf{y}}-\mathbf{y}^{\mathrm{obs}}). \] The contract may include a pre-declared rejection threshold $\tau_{\mathrm{reject}}$ such that $\chi^2_{\mathrm{val}}>\tau_{\mathrm{reject}}$ triggers model rejection in that regime (or triggers mandatory recalibration of declared closure parameters). This is intentionally a *protocol* interface, not a statistical guarantee: the validity of $\chi^2$ calibration assumptions (Gaussianity, correct $\Sigma$, independence) is external and must be declared. The module must report $(\widehat{\mathbf{y}},\mathbf{y}^{\mathrm{obs}},\Sigma,\chi^2_{\mathrm{val}},\tau_{\mathrm{reject}})$ so that the decision is auditable. IV.F.2. Gap note: benchmark availability and identifiability are external Whether suitable validation data exist, whether the uncertainty model $\Sigma$ is defensible, and whether the chosen intermediate observables are sufficiently informative to identify $\boldsymbol{\theta}_T$ are external questions. Within this paper, the requirement is only that the pipeline expose (i) intermediate observables, and (ii) explicit reject-or-calibrate semantics, so that inadequacy cannot be hidden by unconstrained tuning. V. Geometry, Boozer Transform, and Shape Calculus Interfaces This section specifies (i) the discrete geometry interface used by downstream modules, (ii) the Boozer transform as an implicit residual solve with truncation/conditioning diagnostics, and (iii) shape-derivative reporting requirements needed for end-to-end optimization. The purpose is not to endorse a particular parameterization or Boozer algorithm, but to enforce that geometry-dependent quantities are produced with enough metadata to (a) reproduce them and (b) detect numerically non-credible uses (e.g., due to truncation or ill-conditioning). V.A. Geometry parameterization and deformation fields V.A.1. Surface map and design-dependent embedding Let $\mathbb{T}^2=[0,2\pi)\times[0,2\pi)$ denote a parameter domain with coordinates $(\theta,\zeta)$. A (discretized) plasma boundary or geometry-driving surface is represented by an embedding \[ X(\theta,\zeta;\mathbf{p}_{\mathrm{geom}})\in\mathbb{R}^3, \] where $\mathbf{p}_{\mathrm{geom}}\in\mathbb{R}^{n_{\mathrm{geom}}}$ is the geometry subvector of the global design parameters $\mathbf{p}$ (Section II.A.1). The implementation must declare: 1. The representation of $X$: e.g., truncated Fourier series, spline surface, CAD-derived triangulation with a smooth surrogate, or another finite-dimensional basis. 2. The discretization used to evaluate surface-dependent functionals: quadrature grid $\{(\theta_a,\zeta_b)\}$, triangulation, or spectral coefficients. 3. The convention for periodicity and symmetry (field periods, stellarator symmetry assumptions if enforced). Since multiple parameterizations can represent the same geometric surface (reparameterization freedom), the contract treats $X$ as the primary output and requires that any additional coordinates (e.g., surface angles used internally) be declared as part of the diagnostic record. V.A.2. Deformation field induced by parameter perturbations For any perturbation $\delta\mathbf{p}_{\mathrm{geom}}$, define the induced (discrete) deformation field on the surface by \[ V_{\delta\mathbf{p}}(\theta,\zeta) := \partial_{\mathbf{p}_{\mathrm{geom}}}X(\theta,\zeta;\mathbf{p}_{\mathrm{geom}})\,\delta\mathbf{p}_{\mathrm{geom}}\in\mathbb{R}^3. \] This field is the geometric object used by shape calculus and is the required interface between the geometry layer and any shape-sensitive downstream quantity (Boozer spectra, stability proxies, coil-clearance checks, transport geometry factors, etc.). Reporting requirement (geometry sensitivity): whenever the pipeline exposes derivatives of any quantity with respect to $\mathbf{p}_{\mathrm{geom}}$, it must also report enough data to reconstruct $V_{\delta\mathbf{p}}$ for queried directions $\delta\mathbf{p}_{\mathrm{geom}}$, either by: – providing JVP access $\delta\mathbf{p}_{\mathrm{geom}}\mapsto V_{\delta\mathbf{p}}$ at declared quadrature nodes, or – providing the basis coefficients and the derivative of coefficients with respect to $\mathbf{p}_{\mathrm{geom}}$. If the geometry representation is only piecewise smooth (e.g., triangulated), the pipeline must explicitly declare which smoothing or regularization is used to define $\partial_{\mathbf{p}}X$, and must flag any resulting shape derivatives as surrogate derivatives (hence not admissible for hard-constraint certification unless conservative inflation is applied as in Section VIII). V.A.3. Shape-derivative prerequisites and discretization dependence Let $J$ be a scalar functional that depends on geometry only through $X$, written abstractly as $J[X]$. The (first) shape derivative in direction $V$ is the G\^{a}teaux derivative \[ DJ[X](V) := \frac{d}{d\epsilon}\Big|_{\epsilon=0} J[X+\epsilon V]. \] In this paper, $J$ is always discretized, so the contract is as follows. Discrete shape derivative contract: the implementation must specify a discrete functional $J_h$ (depending on discretization metadata $h$: grid sizes, truncations, quadrature rules), and any reported derivative must be a derivative of $J_h$ with respect to $\mathbf{p}_{\mathrm{geom}}$ (or with respect to degrees of freedom defining $X$). The diagnostic record must include: – a unique identifier of the geometry discretization $h$ (mesh, spectral truncation, quadrature), – the evaluation grid/mesh used for $J_h$, – the norm/scaling conventions used to report $\|V\|$ and derivative magnitudes. No invariance with respect to reparameterization, mesh refinement, or continuum limits is assumed. If the functional is intended to approximate a reparameterization-invariant shape functional, the implementation must provide (as diagnostics) evidence that the reported value is not dominated by parameterization artifacts (e.g., sensitivity of $J_h$ to regridding). V.B. Boozer transform as an implicit solve with truncation/conditioning diagnostics V.B.1. Boozer degrees of freedom and residual formulation The Boozer stage is modeled as an implicitly defined map that consumes upstream geometry/equilibrium state (contained in $\mathbf{u}\subset\mathbf{U}$) and outputs a set of Boozer-related unknowns $\mathbf{y}\subset\mathbf{U}$ together with spectral coefficients $\mathbf{b}$ used by downstream metrics. Abstractly, define Boozer unknowns $\mathbf{y}\in\mathbb{R}^{n_y}$ (e.g., a discretized coordinate mapping, auxiliary Lagrange multipliers, or gauge-fixing variables) and spectral coefficients $\mathbf{b}\in\mathbb{R}^{n_b}$ (e.g., truncated Fourier coefficients of a field-strength representation). The Boozer transform is represented by a residual block \[ \mathcal{R}_{\mathrm{B}}(\mathbf{y},\mathbf{b};\mathbf{u},\mathbf{p}) = \mathbf{0}, \] which becomes part of the global coupled residual $\mathcal{R}(\mathbf{U},\mathbf{p})=0$ (Section II.C.1). The contract requires the Boozer module to declare: 1. The truncation sets (or bases) used to represent $\mathbf{y}$ and $\mathbf{b}$ (e.g., harmonic index set $\mathcal{K}_{\mathrm{B}}$). 2. A norm $\|\cdot\|_{\mathrm{B}}$ and tolerance $\varepsilon_{\mathrm{B}}$ for the residual solve, reported in $\mathcal{D}$. 3. Any gauge conditions or normalization constraints imposed to avoid non-uniqueness, stated explicitly as additional residual components. V.B.2. Truncation and conditioning error pathways Because Boozer outputs are often used in hard constraints (quasisymmetry/ripple surrogates, resonance/island-risk gates), the module must expose two distinct diagnostic pathways: (i) Truncation metadata. The module must report the truncation level(s) and an auditable proxy for unresolved content. Minimal acceptable proxies include: – explicit reporting of the retained index set $\mathcal{K}_{\mathrm{B}}$ and coefficient vector $\mathbf{b}$, – a reported tail proxy such as $\|\mathbf{b}_{\mathrm{high}}\|$ over a declared complementary set (when available), or – a declared a priori bound $\Delta_{\mathrm{trunc}}$ such that a downstream metric $\mathcal{M}(\mathbf{b})$ satisfies a one-sided bound, e.g. \[ \mathcal{M}(\mathbf{b}_{\mathrm{true}}) \le \mathcal{M}(\mathbf{b}_{\mathrm{trunc}}) + \Delta_{\mathrm{trunc}}, \] with all assumptions stated. (ii) Conditioning metadata. Let \[ \mathcal{J}_{\mathrm{B}} := \partial_{(\mathbf{y},\mathbf{b})}\mathcal{R}_{\mathrm{B}}(\mathbf{y},\mathbf{b};\mathbf{u},\mathbf{p}) \] be the Jacobian of the Boozer residual with respect to Boozer unknowns. The module must report a conditioning proxy $\kappa_{\mathrm{B,proxy}}$ (or equivalent evidence such as an estimated $\sigma_{\min}$) as part of $\mathcal{D}$. If $\kappa_{\mathrm{B,proxy}}$ exceeds a declared threshold, then: – any downstream metric that depends materially on $\mathbf{b}$ must be flagged non-credible, and – any derivative information that passes through $\mathcal{J}_{\mathrm{B}}^{-1}$ (implicit differentiation) must be flagged non-credible (Section III.B.3). These requirements implement the principle that a small Boozer residual does not by itself imply a stable, differentiable mapping $(\mathbf{u},\mathbf{p})\mapsto(\mathbf{y},\mathbf{b})$ when the linearization is ill-conditioned. V.B.3. Example metric: quasisymmetry/ripple surrogate and required evidence As a concrete example of a Boozer-derived scalar metric, define \[ \mathcal{M}_{\mathrm{QS}} := \|W_{\mathrm{QS}}\,P\mathbf{b}\|_2, \] where $P$ is a declared linear projection selecting the “non-symmetric” subset of coefficients and $W_{\mathrm{QS}}$ is a declared diagonal weighting (both part of the module contract). This is an *example* of a differentiable surrogate; it is not asserted to be a physically complete measure. If $\mathcal{M}_{\mathrm{QS}}$ is used in any hard constraint, the module must provide: 1. The ingredients $(W_{\mathrm{QS}},P,\mathbf{b})$ and the truncation metadata used to compute them. 2. A one-sided certification wrapper for numerical uncertainty in $\mathcal{M}_{\mathrm{QS}}$ consistent with the system philosophy of Section II.D.3. For example, if an upper bound is needed, the module may expose \[ \mathcal{M}_{\mathrm{QS}} \le \widehat{\mathcal{M}}_{\mathrm{QS}} + \Delta^{\mathrm{num}}_{\mathrm{QS}}, \] where $\Delta^{\mathrm{num}}_{\mathrm{QS}}\ge 0$ is computed from declared residual norms, conditioning proxies, and truncation-tail proxies. The paper does not prescribe a single formula for $\Delta^{\mathrm{num}}_{\mathrm{QS}}$; it prescribes that it be (a) one-sided in the correct direction for feasibility, (b) reproducible from $\mathcal{D}$, and (c) withheld (inconclusive) when prerequisites fail. V.B.4. Differentiation interface through Boozer solves Because $(\mathbf{y},\mathbf{b})$ enter the global state $\mathbf{U}$, differentiation through the Boozer stage is subsumed by the global implicit differentiation framework (Section III). Nevertheless, the Boozer module must expose local derivative primitives needed to form global JVP/VJP evaluations, including: – VJP/JVP actions of $\partial_{(\mathbf{y},\mathbf{b})}\mathcal{R}_{\mathrm{B}}$ and $\partial_{(\mathbf{u},\mathbf{p})}\mathcal{R}_{\mathrm{B}}$, matrix-free, – the residual norm and conditioning diagnostics used to judge whether transpose solves involving $\mathcal{J}_{\mathrm{B}}^T$ are credible. If derivative information is produced by algorithmic differentiation of code that includes truncation, mode filtering, or if/else logic, the module must report those operations explicitly and must either (i) provide a declared smooth surrogate with parameters reported, or (ii) flag derivatives as non-credible for gradient-based accept/reject decisions (Section III.B.3). VI. Stability and Confinement Certificates Within the Unified Residual Framework This section specifies discrete, optimization-safe *gates* for stability- and confinement-adjacent quantities inside the unified residual system $\mathcal{R}(\mathbf{U},\mathbf{p})=0$. The emphasis is one-sided certification logic and its prerequisites. No claim is made that any particular proxy is physically sufficient for reactor-relevant stability or confinement; the only claim is that, when a proxy is used as a hard constraint, the pipeline must output a conservative bound or else return inconclusive. VI.A. Generalized eigenproblem stability proxies VI.A.1. Discrete generalized eigenpair and residual normalization Let a stability-proxy module produce matrices $A(\mathbf{U},\mathbf{p})\in\mathbb{R}^{n\times n}$ and $B(\mathbf{U},\mathbf{p})\in\mathbb{R}^{n\times n}$ together with a computed pair $(\tilde\lambda,\tilde\mathbf{x})$ with $\tilde\mathbf{x}\neq \mathbf{0}$ intended to approximate a generalized eigenpair \[ A\mathbf{x}=\lambda B\mathbf{x}. \] In the certified setting we require that any such eigenpair be accompanied by explicit residuals. Define the eigen-residual \[ \mathbf{r}:=A\tilde\mathbf{x}-\tilde\lambda B\tilde\mathbf{x}. \] A normalization convention must be declared and audited. A convenient choice (when $B$ is symmetric positive definite) is $\|\tilde\mathbf{x}\|_{B}:=\sqrt{\tilde\mathbf{x}^T B\tilde\mathbf{x}}=1$, with normalization defect \[ \rho_{\mathrm{norm}}:=\bigl|\tilde\mathbf{x}^T B\tilde\mathbf{x}-1\bigr|. \] These quantities $(\|\mathbf{r}\|,\rho_{\mathrm{norm}})$ and the discretization metadata used to form $A,B$ are mandatory diagnostics whenever $\tilde\lambda$ is used downstream. VI.A.2. One-sided lower bounds as feasibility gates (symmetric, $B\succ 0$ case) To support auditable one-sided bounds, we restrict the certified statement to the common discrete setting: Assumption VI.A (symmetric generalized eigenproblem). $A$ and $B$ are symmetric and $B$ is positive definite (all at the declared discretization). Define the Rayleigh quotient of $\tilde\mathbf{x}$: \[ \mu:=\frac{\tilde\mathbf{x}^T A\tilde\mathbf{x}}{\tilde\mathbf{x}^T B\tilde\mathbf{x}}. \] Let $\|\cdot\|_{B^{-1}}$ denote the norm induced by $B^{-1}$: $\|\mathbf{v}\|_{B^{-1}}:=\sqrt{\mathbf{v}^T B^{-1}\mathbf{v}}$. Then, transforming to a standard symmetric eigenproblem via $C=B^{-1/2}AB^{-1/2}$, one obtains the basic spectral proximity bound \[ \min_{\lambda\in\sigma(A,B)} |\lambda-\mu| \;\le\; \frac{\|A\tilde\mathbf{x}-\mu B\tilde\mathbf{x}\|_{B^{-1}}}{\|\tilde\mathbf{x}\|_{B}}, \] where $\sigma(A,B)$ is the generalized spectrum. (This is an existence statement: some eigenvalue lies within the given radius.) For feasibility gates involving a *specific* targeted eigenvalue (e.g., the smallest), an additional *separation diagnostic* is required; otherwise a bound may attach to the wrong eigenvalue. Certification interface (lower bound on the smallest eigenvalue). Suppose the module intends to certify $\lambda_{\min}(A,B)\ge \lambda_{\min}^{\mathrm{req}}$. It must return either: 1. A conservative lower bound $\lambda_{\min}^{\mathrm{lo}}$ together with evidence that it applies to $\lambda_{\min}$, or 2. An explicit inconclusive status. A minimal auditable route is: – Provide two approximate eigenpairs $(\mu_1,\tilde\mathbf{x}_1)$, $(\mu_2,\tilde\mathbf{x}_2)$ intended to approximate the two smallest eigenvalues. – Provide residual radii \[ \varepsilon_i := \frac{\|A\tilde\mathbf{x}_i-\mu_i B\tilde\mathbf{x}_i\|_{B^{-1}}}{\|\tilde\mathbf{x}_i\|_{B}},\qquad i=1,2. \] – Provide a separation check \[ \mu_1+\varepsilon_1 < \mu_2-\varepsilon_2. \] If the separation check passes, then it is consistent (at the discrete level) to identify the eigenvalue near $\mu_1$ as the smallest, and a one-sided lower bound may be reported as \[ \lambda_{\min}^{\mathrm{lo}} := \mu_1-\varepsilon_1. \] If the separation check fails, then the certified lower bound is declared inconclusive, regardless of how small $\|\mathbf{r}_1\|$ is. Remark (gap note). Stronger enclosure theorems exist in specialized settings, but the above contract is intentionally minimal: it forces the implementation to (i) expose residuals, (ii) expose the norm used for radii, and (iii) provide explicit separation evidence if an eigenvalue index matters for feasibility. VI.A.3. Derivative credibility for eigenvalue-based gates When an eigenvalue-based quantity participates in gradient-based optimization, derivatives may be computed through the coupled adjoint system (Section III) by differentiating the residual representation of the eigenproblem. The derivative outputs must be marked non-credible (and hence unusable for accept/reject decisions) whenever any of the following holds: - the conditioning proxy for the linearized eigen-residual block is poor (Section II.C.3), - the separation diagnostic used above fails (near multiplicity), - the eigenpair normalization is not satisfied to tolerance. In particular, a module may expose a smooth surrogate of the gate for the optimizer, but the conservative value $\lambda_{\min}^{\mathrm{lo}}$ (or inconclusive) is the only admissible pass/fail input. VI.B. Bootstrap-current self-consistency as a fixed-point residual VI.B.1. Residual form and local regularity target Let $\mathbf{j}\in\mathbb{R}^{n_j}$ denote bootstrap/current/profile variables produced by a closure. Model self-consistency as a fixed point \[ \mathbf{j} = \mathcal{T}(\mathbf{j};\mathbf{u},\mathbf{p}), \] where $\mathbf{u}$ denotes upstream equilibrium/geometry state components. Define the residual block \[ \mathcal{R}_{\mathrm{bs}}(\mathbf{j};\mathbf{u},\mathbf{p}) := \mathbf{j}-\mathcal{T}(\mathbf{j};\mathbf{u},\mathbf{p}). \] This is incorporated into the global residual $\mathcal{R}$ (Section II.C.1). The certification goal is not to prove global uniqueness, but to prevent using bootstrap states in regimes where local sensitivity is uncontrolled. A local differentiability/conditioning prerequisite is invertibility of \[ \partial_{\mathbf{j}}\mathcal{R}_{\mathrm{bs}} = I - \partial_{\mathbf{j}}\mathcal{T}(\mathbf{j};\mathbf{u},\mathbf{p}). \] Therefore, whenever derivatives pass through the bootstrap block, the diagnostic record must include a conditioning proxy for $I-\partial_{\mathbf{j}}\mathcal{T}$ (or, equivalently, for $\partial_{\mathbf{j}}\mathcal{R}_{\mathrm{bs}}$). Failure triggers derivative non-credibility. VI.B.2. Contraction-style diagnostic gate (sufficient condition) A sufficient (but not necessary) condition for local uniqueness and stable sensitivity is contractivity of $\mathcal{T}$ in a declared norm. For a chosen vector norm $\|\cdot\|$, if there exists $q<1$ such that \[ \|\partial_{\mathbf{j}}\mathcal{T}(\mathbf{j};\mathbf{u},\mathbf{p})\| \le q, \] then $\mathbf{j}\mapsto \mathcal{T}(\mathbf{j};\mathbf{u},\mathbf{p})$ is locally contractive and $I-\partial_{\mathbf{j}}\mathcal{T}$ is invertible with \[ \|(I-\partial_{\mathbf{j}}\mathcal{T})^{-1}\| \le \frac{1}{1-q}. \] Since exact operator norms are rarely available, the module may report a conservative proxy $q_{\mathrm{proxy}}$ together with its method of computation (e.g., power iteration bounds on a linearization, or a verified bound when available). Certification semantics: - If $q_{\mathrm{proxy}}\le q_{\max}<1$ for a declared threshold $q_{\max}$, then the bootstrap block is marked *regular* for derivative use. - If $q_{\mathrm{proxy}}>q_{\max}$ or is unavailable, then derivatives passing through the block are marked non-credible, and any constraints that rely materially on bootstrap self-consistency must either inflate margins conservatively (if a justified bound is provided) or return inconclusive. VI.C. Island/stochasticity risk gating from near-integrable field-line models VI.C.1. Resonance functions and certified uniqueness of resonant surfaces Let $\psi\in[\psi_{\min},\psi_{\max}]$ denote a discrete flux label (not necessarily identical to $\rho$). For each selected harmonic $(m,n)\in\mathcal{K}\subset\mathbb{Z}^2$ (declared and reported as in IV.D.2), define the resonance function \[ F_{mn}(\psi) := m\,\iota(\psi) – n, \] where $\iota$ is the rotational transform profile provided by upstream modules. A minimal certificate for the existence and uniqueness of a resonant surface in an interval $[a,b]\subset[\psi_{\min},\psi_{\max}]$ is: – (sign change) $F_{mn}(a)\,F_{mn}(b)\le 0$, and – (derivative lower bound) a certified $\gamma_{mn}>0$ such that $|F’_{mn}(\psi)|\ge \gamma_{mn}$ for all $\psi\in[a,b]$. If both hold and $F_{mn}$ is continuous on $[a,b]$ (as a discrete interpolant with declared convention), then there is exactly one root $\psi_{mn}\in[a,b]$. The pipeline must report: 1. The bracketing interval $[a,b]$ actually used. 2. The values $F_{mn}(a),F_{mn}(b)$. 3. The method by which $\gamma_{mn}$ is obtained (analytic bound, enclosure/interval arithmetic, or conservative sampling plus Lipschitz bound as in III.C.1). If $\gamma_{mn}$ cannot be certified, resonance localization is inconclusive and any downstream island-overlap logic depending on $\psi_{mn}$ must be declared inconclusive. VI.C.2. Non-overlap certificate logic with conservative inflation Suppose a downstream gate uses estimated resonance widths $w_{mn}\ge 0$ (from a declared model) to define influence intervals \[ I_{mn}:=[\psi_{mn}-w_{mn},\,\psi_{mn}+w_{mn}]. \] Because $\psi_{mn}$ and $w_{mn}$ are computed from discretized inputs and potentially ill-conditioned transforms (Sections IV–V), certification must include a one-sided inflation. The module must provide nonnegative error bars $\Delta\psi_{mn}$, $\Delta w_{mn}$ such that the *true discrete-model* interval is contained in the inflated interval \[ I^{\mathrm{infl}}_{mn}:=[\psi_{mn}-(w_{mn}+\Delta w_{mn})-\Delta\psi_{mn},\,\psi_{mn}+(w_{mn}+\Delta w_{mn})+\Delta\psi_{mn}]. \] A conservative non-overlap certificate for a set $\mathcal{S}\subset\mathcal{K}$ is then \[ I^{\mathrm{infl}}_{mn}\cap I^{\mathrm{infl}}_{m’n’}=\emptyset\quad\text{for all distinct }(m,n),(m’,n’)\in\mathcal{S}. \] The diagnostic record must include the list of intervals achieving the worst-case near-overlap, so that failures can be debugged and refinement can be targeted. VI.C.3. Separation of smoothing from certification Overlap measures often involve nonsmooth operations (min, max, absolute value). For gradient-based optimization, the pipeline may expose a smooth surrogate (e.g., a softmax/softmin approximation). However, the pass/fail decision must be computed from the conservative inflated intervals above, not from the smooth surrogate. The surrogate smoothing parameter and an upper bound on the surrogate-to-true discrepancy must be reported if the surrogate is used inside a penalty term. VI.D. Prompt-loss certificate for reduced guiding-center models VI.D.1. Declared confinement region, initial set, horizon, and integrator Let $\xi(t)\in\mathbb{R}^{d}$ be the phase-space state of a reduced guiding-center model evolving by an ODE \[ \dot\xi = F(\xi,t;\mathbf{U},\mathbf{p}),\qquad \xi(0)=\xi_0. \] Fix: – a time horizon $T>0$, – an initial-condition uncertainty set $\Xi_0\subset\mathbb{R}^d$ (compact, with declared metric), – a confinement region $\mathcal{C}\subset\mathbb{R}^d$ represented by a signed distance or barrier function $d(\xi)$ with $d(\xi)>0$ indicating confinement, – and a declared numerical integrator with reported step-size and error-control metadata. The goal is a one-sided certificate of the form: for all $\xi_0\in\Xi_0$, $d(\xi(t;\xi_0))\ge 0$ for all $t\in[0,T]$, up to declared numerical/integration uncertainty. VI.D.2. $\delta$-net sampling and Lipschitz propagation to a worst-case bound Let $G\subset\Xi_0$ be a finite $\delta$-net in a declared metric $d_0$, meaning each $\xi_0\in\Xi_0$ lies within $\delta$ of some $g\in G$. For each $g\in G$, let $\tilde\xi_g(t)$ be the numerically computed trajectory. Define the sampled minimal margin \[ \widehat m := \min_{g\in G}\ \min_{t\in\mathcal{T}_h} d(\tilde\xi_g(t)), \] where $\mathcal{T}_h$ is the reported time grid used for monitoring. To convert $\widehat m$ into a conservative certificate over all $\xi_0\in\Xi_0$, the pipeline must provide: 1. A Lipschitz constant (or conservative bound) $L_d$ such that $|d(\xi)-d(\xi’)|\le L_d\|\xi-\xi’\|$ in the visited region. 2. A flow sensitivity bound or Lipschitz constant $L_F$ for $F$ in state (as in III.C.2), supporting a bound on divergence of trajectories starting from nearby initial conditions. 3. An integration error envelope $\eta(t)$ or a conservative scalar bound $E_{\mathrm{int}}$ controlling $\|\xi(t;g)-\tilde\xi_g(t)\|$ (III.C.2). A minimal conservative form is: for any $\xi_0\in\Xi_0$, choose $g\in G$ with $d_0(\xi_0,g)\le\delta$. If the pipeline provides a bound \[ \sup_{t\in[0,T]}\|\xi(t;\xi_0)-\tilde\xi_g(t)\| \le E_{\mathrm{net}} + E_{\mathrm{int}}, \] where $E_{\mathrm{net}}$ is an initial-condition covering propagation term (e.g., $E_{\mathrm{net}}\le e^{L_F T}\,C\delta$ for a declared constant $C$ connecting $d_0$ to the state norm), then \[ \min_{t\in[0,T]} d(\xi(t;\xi_0)) \ge \widehat m – L_d\,(E_{\mathrm{net}}+E_{\mathrm{int}}) – E_{\mathrm{disc}}, \] where $E_{\mathrm{disc}}\ge 0$ is a declared monitoring discretization error (e.g., if $d$ is only checked at times $\mathcal{T}_h$, a Lipschitz-in-time bound must be used to cover the gaps). Certified prompt-loss gate. Define the conservative margin \[ m_{\mathrm{cert}} := \widehat m – \Delta_{\mathrm{net}} – \Delta_{\mathrm{int}} – \Delta_{\mathrm{disc}}, \] with $\Delta_{\mathrm{net}}:=L_d E_{\mathrm{net}}$, $\Delta_{\mathrm{int}}:=L_d E_{\mathrm{int}}$, and $\Delta_{\mathrm{disc}}:=E_{\mathrm{disc}}$. Then: – If $m_{\mathrm{cert}}\ge 0$ and all prerequisites $(L_d,L_F,E_{\mathrm{int}},\delta,\mathcal{T}_h)$ are provided and marked credible, the design point passes the prompt-loss gate at the declared discretization and error model. – Otherwise the output is inconclusive (or rejection if required metadata are missing). VI.D.3. Separation of smooth surrogates from pass/fail certification The function $\xi_0\mapsto \min_{t\in[0,T]} d(\xi(t;\xi_0))$ is typically nonsmooth due to the $\min$ over time and samples. For gradient-based optimization, the pipeline may provide a differentiable surrogate (e.g., softmin over $g\in G$ and $t\in\mathcal{T}_h$) with reported smoothing scale. However, the certified value used for feasibility must be $m_{\mathrm{cert}}$ computed from the nonsmooth minimum plus conservative inflations; the surrogate is advisory only. VII. Coil Synthesis as a Convex Subproblem With KKT-Based Sensitivities This section specifies an optimization-ready coil-synthesis subproblem as a convex program whose optimality conditions are inserted into the unified residual system $\mathcal{R}(\mathbf{U},\mathbf{p})=0$. The intent is twofold: (i) provide auditable feasibility/regularity diagnostics (primal/dual residuals, complementarity, duality gap, conditioning proxies), and (ii) provide a mathematically standard route to sensitivities via implicit differentiation of the KKT system when credibility prerequisites hold. No statement is made that a particular coil model (surface current, filamentary coils, or discretization) is physically adequate; the scope is to specify the discrete optimization and derivative interfaces. VII.A. Convex quadratic objective template and regularization VII.A.1. Quadratic objective with data misfit and smoothness penalty Let $\mathbf{z}\in\mathbb{R}^{n_z}$ denote the coil design degrees of freedom used by the inner coil module. Examples include coefficients of a surface current potential $\Phi$ on a winding surface basis, Fourier coefficients of a coil centerline family, or other linearized coil parametrizations (the specifics are external to the contract). The baseline convex quadratic objective is \[ \min_{\mathbf{z}\in\mathbb{R}^{n_z}}\ \frac12\,\|W_0(A\mathbf{z}-\mathbf{b})\|_2^2 + \frac12\,\|L\mathbf{z}\|_2^2, \] where: – $A\in\mathbb{R}^{n_d\times n_z}$ and $\mathbf{b}\in\mathbb{R}^{n_d}$ encode the discrete data-fit target (e.g., matching a normal-field condition on a surface or fitting a target field representation). – $W_0\in\mathbb{R}^{n_d\times n_d}$ is a declared weighting (typically diagonal, nonnegative entries) with reported units/scales. – $L\in\mathbb{R}^{n_L\times n_z}$ is a regularization operator (e.g., discrete surface gradient/Laplacian or curvature penalty) with declared scaling; $L=0$ is permitted. Interface requirement (dependency disclosure): if $A$ or $\mathbf{b}$ depend on upstream state $(\mathbf{u},\mathbf{y},\ldots)$ and/or parameters $\mathbf{p}$, this dependency must be explicit in the diagnostic record so that upstream-to-coil coupling is auditable. In particular, the coil module must report the provenance of $A$ and $\mathbf{b}$ (which geometry, which sampling grid, which truncation levels). VII.A.2. Coil complexity proxies and feasibility constraints To prevent the optimizer from producing coil representations that are numerically feasible but operationally unusable, the coil subproblem may include additional convex constraints. A general template is \[ \begin{aligned} \min_{\mathbf{z}}\ & \frac12\|W_0(A\mathbf{z}-\mathbf{b})\|_2^2+\frac12\|L\mathbf{z}\|_2^2 \\ \text{s.t. }\ & E\mathbf{z}=\mathbf{e}, \\ & G\mathbf{z}\le \mathbf{h}, \end{aligned} \] where $E\mathbf{z}=\mathbf{e}$ collects linear equality constraints and $G\mathbf{z}\le \mathbf{h}$ collects linear inequality constraints representing, for example, bounds on current-density amplitudes, integrated current, coil-surface clearance proxies that are linearized at the chosen discretization, or convex complexity limits. Remark (convexity scope). The contract here is intentionally limited to constraints that keep the inner problem convex. Nonconvex coil constraints (self-intersection avoidance, exact filament extraction with topology constraints) are out of scope for the KKT-based certification interface and must be treated as separate downstream checks with rejection semantics. VII.B. KKT residual formulation as part of the unified residual $\mathcal{R}$ VII.B.1. Primal-dual variables Let $\boldsymbol\nu$ and $\boldsymbol\mu$ denote Lagrange multipliers for the equality and inequality constraints, respectively, with $\boldsymbol\mu\ge 0$ componentwise. Define the primal-dual vector \[ \mathbf{w}=(\mathbf{z},\boldsymbol\mu,\boldsymbol\nu)\in\mathbb{R}^{n_z}\times\mathbb{R}^{m_\le}\times\mathbb{R}^{m_=}. \] This $\mathbf{w}$ is the coil block of the global state $\mathbf{U}$ from Section II.A.2. VII.B.2. KKT system as a residual block and credibility checks Define \[ H := A^T W_0^T W_0 A + L^T L,\qquad \mathbf{c}:=A^T W_0^T W_0\,\mathbf{b}. \] The objective is $\frac12\mathbf{z}^T H\mathbf{z}-\mathbf{c}^T\mathbf{z}+\text{const}$, hence the (convex) KKT conditions can be written as residual equations. Because complementarity is nonsmooth, we specify two admissible residual encodings. (1) Active-set (exact complementarity) encoding (diagnostic form). Define the KKT residual components \[ \begin{aligned} \mathcal{R}_{\mathrm{st}}(\mathbf{w}) &:= H\mathbf{z}-\mathbf{c} + G^T\boldsymbol\mu + E^T\boldsymbol\nu,\\ \mathcal{R}_{\mathrm{eq}}(\mathbf{w}) &:= E\mathbf{z}-\mathbf{e},\\ \mathcal{R}_{\mathrm{pr}}(\mathbf{w}) &:= \bigl(G\mathbf{z}-\mathbf{h}\bigr)_+,\\ \mathcal{R}_{\mathrm{du}}(\mathbf{w}) &:= (-\boldsymbol\mu)_+,\\ \mathcal{R}_{\mathrm{comp}}(\mathbf{w}) &:= \boldsymbol\mu\odot (G\mathbf{z}-\mathbf{h}), \end{aligned} \] where $(\cdot)_+$ is the componentwise positive part and $\odot$ is the Hadamard product. This encoding is not differentiable; therefore it is intended for auditing and pass/fail feasibility diagnostics, not for backpropagating gradients. (2) Barrier/interior-point encoding (differentiable surrogate for derivatives). Choose a declared barrier parameter $\tau>0$ and enforce \[ \mathcal{R}_{\mathrm{cent}}(\mathbf{w};\tau):= \boldsymbol\mu\odot (\mathbf{h}-G\mathbf{z}) – \tau\mathbf{1}=\mathbf{0}, \] together with strict feasibility $\mathbf{h}-G\mathbf{z}>0$, $\boldsymbol\mu>0$. This yields a smooth residual system in $(\mathbf{z},\boldsymbol\mu,\boldsymbol\nu)$ for fixed $\tau$. The diagnostic record must report $\tau$ and any update schedule, since these change both the primal point and sensitivities. Unified residual block. In either case, define the coil residual block $\mathcal{R}_{\mathrm{coil}}$ to include stationarity and primal feasibility, and to include either the complementarity residual $\mathcal{R}_{\mathrm{comp}}$ (for auditing) or the centering residual $\mathcal{R}_{\mathrm{cent}}$ (for differentiable derivatives). This block is concatenated into the global residual $\mathcal{R}(\mathbf{U},\mathbf{p})$. Credibility checks (mandatory outputs). Any evaluation that uses the coil module in hard constraints or end-to-end gradients must return at least: – a primal feasibility measure $\| (G\mathbf{z}-\mathbf{h})_+\|$ and $\|E\mathbf{z}-\mathbf{e}\|$, – a stationarity residual norm $\|\mathcal{R}_{\mathrm{st}}\|$, – a complementarity/centering measure (either $\|\boldsymbol\mu\odot(\mathbf{h}-G\mathbf{z})-\tau\mathbf{1}\|$ or $\|\boldsymbol\mu\odot(G\mathbf{z}-\mathbf{h})\|$), – a conditioning proxy for the linearized KKT system used in differentiation (Section II.C.3). If these checks fail to meet declared tolerances, the coil module output is marked non-credible and the pipeline must return rejection/inconclusive rather than a feasibility claim. VII.B.3. Strong duality and regularity assumptions (explicitly conditional) Sensitivity through KKT systems is only conditionally valid. The contract therefore requires the implementation to declare which regularity assumptions it is relying on (and which diagnostics support them). A sufficient, standard set in the convex quadratic case is: – (Convexity) $H\succeq 0$ (always true by construction) and the feasible set is nonempty. – (Constraint qualification) a condition such as LICQ at the returned solution (linear independence of active constraint normals) or another stated CQ appropriate for the solver. – (Stability) the linearized KKT Jacobian is solvable to declared tolerance; if not, derivatives are flagged non-credible. The paper does not assert that these conditions hold generically; it specifies that if the solver cannot provide evidence consistent with them, then the correct output is rejection/inconclusive for derivative-based optimization decisions. VII.C. Coil adjoint block and downstream-to-upstream gradient assembly VII.C.1. Differentiation of an outer quantity through the coil KKT state Let $\Phi$ be any scalar reduced quantity that depends on the coupled state, $\Phi=\Phi(\mathbf{U},\mathbf{p})$, and suppose $\Phi$ depends on coil design only through $\mathbf{z}$ (and possibly $\boldsymbol\mu,\boldsymbol\nu$ if dual quantities are explicitly used). When the coil block is included in the global residual, the end-to-end adjoint formula of Section III.A.2 already applies. Here we record the coil-specific structure that an implementation should exploit. Let $\mathcal{R}_{\mathrm{coil}}(\mathbf{w};\mathbf{u},\mathbf{p})=0$ denote the coil KKT residual, with explicit dependence on upstream quantities $(\mathbf{u},\mathbf{p})$ through $(A,\mathbf{b},E,\mathbf{e},G,\mathbf{h},W_0,L)$. The coil adjoint variable $\boldsymbol\lambda_{\mathrm{coil}}$ is defined as the component of the global adjoint $\boldsymbol\lambda$ restricted to $\mathbf{w}$, and it solves the transpose linear system (a sub-block of $\mathcal{J}^T$): \[ \bigl(\partial_{\mathbf{w}}\mathcal{R}_{\mathrm{coil}}\bigr)^T\boldsymbol\lambda_{\mathrm{coil}} = \bigl(\partial_{\mathbf{w}}\Phi\bigr)^T + \text{(coupling terms from other residual blocks)}. \] The crucial interface requirement is that the coil module expose matrix-free actions of $\partial_{\mathbf{w}}\mathcal{R}_{\mathrm{coil}}$ and its transpose (JVP/VJP) and report the conditioning proxy for the solve. VII.C.2. Sensitivities with respect to upstream parameters entering $A$ and $\mathbf{b}$ When $A$ and $\mathbf{b}$ depend on upstream state/geometry, the gradient contribution takes the standard implicit-adjoint contraction form. For any parameter-direction $\delta\mathbf{p}$, the coil residual directional derivative contributes \[ \bigl\langle \boldsymbol\lambda_{\mathrm{coil}},\ \partial_{\mathbf{p}}\mathcal{R}_{\mathrm{coil}}\,\delta\mathbf{p}\bigr\rangle \] to the reduced directional derivative of $\widehat\Phi$. Therefore the coil module must supply VJP/JVP primitives sufficient to evaluate $(\partial_{\mathbf{p}}\mathcal{R}_{\mathrm{coil}})^T\boldsymbol\lambda_{\mathrm{coil}}$, without requiring formation of dense derivatives of $A$ or $\mathbf{b}$. VII.C.3. Interface rule: report hard margins alongside any surrogates Coil synthesis often introduces surrogate penalties (e.g., smooth approximations to min-distance or peak-field constraints, or barrier terms). To prevent false feasibility by surrogate hiding, the following rule is mandatory. Interface rule (margin reporting). For every constraint component $g_i$ in the outer problem whose value depends on coil outputs, the evaluation record must include: 1. The *nominal* margin $g_i(\mathbf{U},\mathbf{p})$ computed from the returned coil state and any declared post-processing. 2. Any surrogate value used internally by the optimizer (penalty, barrier, softmax/softmin), together with its smoothing parameters. 3. The certified conservative wrapper $\mathrm{Cert}_i = g_i + \Delta^{\mathrm{num}}_i + \Delta^{\mathrm{unc}}_i$ (Section II.D.3) if the constraint is hard; otherwise an explicit inconclusive/rejection status. In particular, feasibility must never be inferred solely from a penalty or barrier objective value. VIII. Certified Constraint Philosophy and Robust Optimization Wrapper This section formalizes the “certification-first” semantics introduced in Section II.D.3: every hard inequality used for accept/reject decisions must be evaluated by a one-sided conservative oracle, with explicit rejection/inconclusive statuses when prerequisites are missing or numerically non-credible. The goal is not physical validity of the proxy constraints, but numerical soundness and auditability for the declared discretizations and declared uncertainty models. VIII.A. One-sided conservative oracle design VIII.A.1. Certified feasibility oracle and status semantics Fix a design parameter $\mathbf{p}\in\mathcal{P}$. For each intended hard constraint index $i\in\{1,\dots,m\}$, let the nominal discrete margin be \[ \widehat g_i(\mathbf{p}) := g_i(\mathbf{U},\mathbf{p}),\qquad \text{where } \mathcal{R}(\mathbf{U},\mathbf{p})=\mathbf{0}\text{ is solved to declared tolerances.} \] A certified oracle for the constraint produces a pair \[ \mathcal{O}_i(\mathbf{p}) = \bigl(g_{i,\mathrm{cert}}(\mathbf{p}),\ \mathsf{Status}_i(\mathbf{p})\bigr), \] where $\mathsf{Status}_i(\mathbf{p})\in\{\mathrm{conclusive},\mathrm{inconclusive},\mathrm{failed}\}$ and the conservative value satisfies: – If $\mathsf{Status}_i=\mathrm{conclusive}$, then $g_{i,\mathrm{cert}}$ is guaranteed (under declared assumptions and recorded diagnostics) to be an upper bound on the relevant discretized constraint value in the direction needed for feasibility. With the sign convention $g_i\le 0$ meaning feasible, the conservative requirement is \[ \widehat g_i(\mathbf{p}) \le g_{i,\mathrm{cert}}(\mathbf{p})\qquad \text{and feasibility is declared only if } g_{i,\mathrm{cert}}(\mathbf{p})\le 0. \] – If $\mathsf{Status}_i=\mathrm{inconclusive}$, then $g_{i,\mathrm{cert}}$ may be reported as a heuristic, but it must not be used as a pass/fail gate. – If $\mathsf{Status}_i=\mathrm{failed}$, the evaluation of $g_i$ is invalid (e.g., missing mandatory diagnostics, solver failure, or conditioning failure), and the pipeline must not return a feasibility claim. This semantics is intentionally conservative: a design point is *certified feasible* only when every hard constraint returns $\mathsf{Status}_i=\mathrm{conclusive}$ and $g_{i,\mathrm{cert}}\le 0$. VIII.A.2. Numerical inflation, smoothing inflation, and rejection rule We adopt the audited decomposition already required in Section II.D.3, \[ g_{i,\mathrm{cert}}(\mathbf{p}) := \widehat g_i(\mathbf{p}) + \Delta^{\mathrm{num}}_i(\mathcal{D}) + \Delta^{\mathrm{unc}}_i(\mathbf{p}), \] with $\Delta^{\mathrm{num}}_i,\Delta^{\mathrm{unc}}_i\ge 0$ returned together with the metadata required to recompute them from the diagnostic record $\mathcal{D}$ and the declared uncertainty model. In particular, $\Delta^{\mathrm{num}}_i$ must include inflation terms for any differentiability-inducing smoothing used inside the evaluation of $\widehat g_i$. For example, if a nonsmooth primitive $\max_{1\le j\le N} a_j$ is replaced by \[ \operatorname{softmax}_\tau(a) := \tau\log\sum_{j=1}^N \exp(a_j/\tau),\qquad \tau>0, \] then the bound \[ \max_j a_j \le \operatorname{softmax}_\tau(a) \le \max_j a_j + \tau\log N \] implies that using $\operatorname{softmax}_\tau$ in place of $\max$ is conservative for upper-bounded quantities only if an explicit additive inflation of $\tau\log N$ is recorded (and analogously for softmin). Any such smoothing parameters $(\tau,N)$ must be included in $\mathcal{D}$, and if $N$ changes with discretization (grid refinement), the inflation must be recomputed. Rejection rule (mandatory): if any prerequisite needed to compute $\Delta^{\mathrm{num}}_i$ is missing or flagged non-credible (e.g., conditioning proxy failure for an implicit block used by $g_i$), then $\mathsf{Status}_i\neq\mathrm{conclusive}$. In particular, the pipeline must not silently set $\Delta^{\mathrm{num}}_i=0$ in such cases. VIII.B. Grid-evaluated extrema and geometric constraints VIII.B.1. Certified extrema from samples via Lipschitz/$\delta$-net wrappers Many engineering constraints have the form $\max_{x\in\Omega} f(x)\le b$ or $\min_{x\in\Omega} f(x)\ge a$, where $f$ is computed from the discretized state $\mathbf{U}$ and geometry outputs (clearances, curvatures, peak-field surrogates along curves/surfaces, etc.). When only samples $f(x_j)$ are computed on a grid $G\subset\Omega$, Section III.C.1 yields conservative bounds given a covering radius $\delta$ and Lipschitz constant $L$. The certification wrapper for an upper-bounded constraint takes the canonical form \[ \max_{x\in\Omega} f(x)\le \\underbrace{\max_{x_j\in G} f(x_j)}_{\widehat f_{\max}} + L\delta, \] and thus a conservative constraint margin can be written as \[ \widehat g(\mathbf{p}) = \widehat f_{\max}-b,\qquad \Delta^{\mathrm{num}} = L\delta. \] Metadata requirements for conclusive status are exactly those of III.C.1: the metric $d$, the sampled set $G$, evidence for the covering radius $\delta$ (or enough information to reconstruct it), and the provenance of $L$ must be included in $\mathcal{D}$. If $L$ is heuristic without a declared safety factor, then the oracle must return $\mathsf{Status}=\mathrm{inconclusive}$ for continuous-domain feasibility decisions. VIII.B.2. Adaptive refinement driven by certificate tightness When a constraint relies on an envelope term $L\delta$, the certificate may be too loose to decide feasibility even if the sampled extremum appears acceptable. To make refinement auditable and optimizer-compatible, a minimal refinement trigger is based on the certified margin \[ \mathrm{margin}_{\mathrm{cert}} := -g_{\mathrm{cert}} = b – \bigl(\widehat f_{\max} + L\delta\bigr). \] A conservative protocol is: – If $\mathrm{margin}_{\mathrm{cert}}\ge 0$, the constraint is certified feasible at the declared grid and Lipschitz data. – If $\mathrm{margin}_{\mathrm{cert}}<0$ but the *nominal* sampled margin $b-\widehat f_{\max}\ge 0$, the constraint is nominally feasible but not certified; refinement is required before declaring feasibility. - If $b-\widehat f_{\max}<0$, the constraint is violated already on samples (hence infeasible at the sampled level). Refinement step: produce a new sampled set $G'$ with a certified smaller covering radius $\delta'\le \eta\delta$ for a declared factor $\eta\in(0,1)$, and recompute the certificate. The diagnostic record must include $(\delta,\delta',\eta)$ and the rule by which $G'$ was constructed. VIII.C. Robust constraint margins under parameter uncertainty VIII.C.1. Robustification as an auditable additional inflation term Let $\mathcal{P}_{\mathrm{unc}}(\mathbf{p})\subset\mathbb{R}^{n_p}$ be a declared uncertainty set around a nominal $\mathbf{p}$ (e.g., manufacturing tolerances, operating-point uncertainty), and let the target robust constraint be \[ \sup_{\mathbf{q}\in\mathcal{P}_{\mathrm{unc}}(\mathbf{p})} \widehat g_i(\mathbf{q})\le 0. \] Because the pipeline is generally too expensive to evaluate the supremum exactly, the certification layer permits a *declared* conservative robustification $\Delta^{\mathrm{unc}}_i(\mathbf{p})$ such that \[ \sup_{\mathbf{q}\in\mathcal{P}_{\mathrm{unc}}(\mathbf{p})} \widehat g_i(\mathbf{q})\le \widehat g_i(\mathbf{p}) + \Delta^{\mathrm{unc}}_i(\mathbf{p}) \]\nunder explicitly stated assumptions. A common auditable template is a first-order worst-case inflation over a norm ball. Let \[ \mathcal{P}_{\mathrm{unc}}(\mathbf{p}) = \{\mathbf{p}+\delta\mathbf{p}: \ \|\delta\mathbf{p}\|\le \rho\} \] for a declared norm $\|\cdot\|$ and radius $\rho$. If a credible gradient $\nabla\widehat g_i(\mathbf{p})$ is available (Section III), then the linearized worst-case inflation is \[ \Delta^{\mathrm{unc}}_{i,\mathrm{lin}}(\mathbf{p}) := \rho\,\|\nabla\widehat g_i(\mathbf{p})\|_*, \] where $\|\cdot\|_*$ is the dual norm. Since this is only first-order, conclusive robust certification additionally requires a declared remainder control. A minimal, discretization-level sufficient condition is: the implementation supplies a constant $L_{\nabla g}\ge 0$ such that $\nabla\widehat g_i$ is Lipschitz on the uncertainty region, \[ \|\nabla\widehat g_i(\mathbf{p}+\delta\mathbf{p})-\nabla\widehat g_i(\mathbf{p})\|_* \le L_{\nabla g}\,\|\delta\mathbf{p}\|, \] which implies the quadratic remainder bound \[ \widehat g_i(\mathbf{p}+\delta\mathbf{p}) \le \widehat g_i(\mathbf{p}) + \nabla\widehat g_i(\mathbf{p})^T\delta\mathbf{p} + \frac12 L_{\nabla g}\,\|\delta\mathbf{p}\|^2. \] Taking the supremum over $\|\delta\mathbf{p}\|\le\rho$ yields the conservative robust inflation \[ \Delta^{\mathrm{unc}}_i(\mathbf{p}) := \rho\,\|\nabla\widehat g_i(\mathbf{p})\|_* + \frac12 L_{\nabla g}\,\rho^2. \] If $L_{\nabla g}$ is not supplied with declared provenance, then the robustification must be flagged $\mathsf{Status}=\mathrm{inconclusive}$ for robust pass/fail decisions, even if $\Delta^{\mathrm{unc}}_{\mathrm{lin}}$ is computed. VIII.C.2. Auditable decomposition of robust margins For each hard constraint, the evaluation record must report the robust certified value as the sum of three components: \[ g_{i,\mathrm{cert}} = \\underbrace{\widehat g_i}_{\text{nominal}} + \\underbrace{\Delta^{\mathrm{num}}_i}_{\text{numerical certificate}} + \\underbrace{\Delta^{\mathrm{unc}}_i}_{\text{parametric/robustness}}. \] This decomposition is a strict interface requirement: it allows an auditor to distinguish (i) a genuinely violated nominal constraint from (ii) a nominally feasible point that is not certified due to numerical error bars, from (iii) a point that is nominally feasible but not robust under the declared uncertainty set. If any term cannot be formed credibly (missing diagnostics, non-credible derivatives, or undeclared uncertainty model), then the constraint must return $\mathsf{Status}\neq\mathrm{conclusive}$. This prevents the optimizer from exploiting silent defaults (e.g., treating unknown $\Delta$ values as zero). IX. Coupled Blanket/Shield/Neutronics/Thermal/Tritium Extension (Integrated Multi-Physics Residual) This section specifies an optional extension block $\mathbf{U}_{\mathrm{ext}}$ (Section II.A.2) that couples blanket/shield design variables and engineering states (neutronics responses, temperatures/flows, and tritium inventory) to the plasma-driven source terms. The purpose is to define an optimization-ready *discrete* residual and derivative interface with the same auditability and rejection semantics as Sections II--VIII. No claim is made that any particular neutronics, thermal-hydraulic, or tritium model is adequate for reactor design. The only requirement is: if these quantities are used in hard constraints, then the evaluation must either (i) return conclusive one-sided certificates with explicit prerequisites, or (ii) return inconclusive/failed status. IX.A. Coupled residual construction and timescale structure IX.A.1. Block residual system Introduce extension unknown blocks \[ \mathbf{U}_{\mathrm{ext}} = (\mathbf{U}_{\mathrm{neut}},\mathbf{U}_{\mathrm{th}},\mathbf{U}_{\mathrm{trit}}), \] where the internal meaning and discretization of each block is module-defined but must be declared in the diagnostic record. The total residual system is the concatenation \[ \mathcal{R}_{\mathrm{total}}(\mathbf{U},\mathbf{p}) := \bigl(\mathcal{R}_{\mathrm{plasma}},\mathcal{R}_{\mathrm{geom/Boozer}},\mathcal{R}_{\mathrm{stab}},\mathcal{R}_{\mathrm{coil}},\mathcal{R}_{\mathrm{neut}},\mathcal{R}_{\mathrm{th}},\mathcal{R}_{\mathrm{trit}}\bigr) = \mathbf{0}, \] with the understanding that many blocks may be absent in a given pipeline instantiation. The coupling requirement is *explicit dependency disclosure*: each extension residual block must declare which upstream quantities it consumes (e.g., a neutron source derived from fusion power, geometry-derived material volumes, coolant routing parameters), and the evaluation record must include unique identifiers for the discretizations used in each block (mesh, multigroup structure, quadrature, time step, etc.). IX.A.2. Timescale separation and block-triangular organization (optional) Many workflows treat neutronics as a steady map driven by a quasi-steady plasma source, then feed nuclear heating into a steady or quasi-steady thermal model, then drive a (possibly dynamic) tritium inventory model. The specification permits (but does not require) a block (approximately) lower-triangular residual structure of the form \[ \begin{aligned} \mathcal{R}_{\mathrm{neut}}(\mathbf{U}_{\mathrm{neut}};\mathbf{U}_{\mathrm{up}},\mathbf{p}) &= \mathbf{0},\\ \mathcal{R}_{\mathrm{th}}(\mathbf{U}_{\mathrm{th}};\mathbf{U}_{\mathrm{neut}},\mathbf{U}_{\mathrm{up}},\mathbf{p}) &= \mathbf{0},\\ \mathcal{R}_{\mathrm{trit}}(\mathbf{U}_{\mathrm{trit}};\mathbf{U}_{\mathrm{neut}},\mathbf{U}_{\mathrm{th}},\mathbf{U}_{\mathrm{up}},\mathbf{p}) &= \mathbf{0}, \end{aligned} \] where $\mathbf{U}_{\mathrm{up}}$ denotes upstream non-extension state blocks. If this structure is used algorithmically, the diagnostic record must still report the *global* residual norms (Section II.C.2) and conditioning proxies (Section II.C.3) for the coupled linearization used in differentiation. IX.B. Neutron source coupling from the plasma model IX.B.1. Volumetric neutron source profile from fusion power Let $P_{\mathrm{fus}}$ be a scalar fusion-power observable produced by the plasma backbone (Section IV), and let $V_{\mathrm{plasma}}$ be a declared plasma volume computed from the geometry interface (Section V). Define an abstract normalized profile function $f_{\mathrm{profile}}$ on the plasma label $\rho\in[0,1]$ satisfying \[ f_{\mathrm{profile}}(\rho)\ge 0,\qquad \int_0^1 f_{\mathrm{profile}}(\rho)\,d\rho = 1, \] with the understanding that the mapping from $\rho$ to physical volume element is discretization-dependent and must be declared. A minimal coupling contract for a volumetric neutron source is: \[ S_n(\rho) := \alpha_n\,P_{\mathrm{fus}}\,\frac{f_{\mathrm{profile}}(\rho)}{V_{\mathrm{plasma}}}, \] where $\alpha_n$ is a declared unit-conversion factor (e.g., neutrons per unit fusion energy) treated as an input constant or parameter. The extension module must report $(P_{\mathrm{fus}},V_{\mathrm{plasma}},\alpha_n,f_{\mathrm{profile}}\text{ metadata})$ so that the source is reproducible. IX.B.2. Nuclear heating as an output coupling into thermal models Let $Q_{\mathrm{nuc}}(x)$ denote nuclear heating (power density) in blanket/shield materials as predicted by the neutronics module on its declared mesh. The neutronics module must provide the mapping \[ S_n \mapsto Q_{\mathrm{nuc}} \] as an explicit output, together with any variance/uncertainty quantification (Section III.D and Section X). If $Q_{\mathrm{nuc}}$ is used in thermal constraints (e.g., peak temperature, coolant margin), the coupling requires unit-consistency metadata and a mesh-to-mesh transfer declaration if the thermal mesh differs from the neutronics mesh. IX.C. Neutronics forward model and linear-response structure IX.C.1. Discrete transport equation and response functionals The neutronics module is specified as a discretized linear operator equation \[ \mathsf{L}(\mathbf{p},\mathbf{U}_{\mathrm{up}})\,\boldsymbol\phi = \mathbf{s}, \] where $\boldsymbol\phi$ represents the discrete angular-energy flux degrees of freedom (which may be implicit in Monte Carlo settings), $\mathbf{s}$ encodes sources including the coupled plasma-driven neutron source, and $\mathsf{L}$ encodes streaming, collisions, and boundary conditions at the declared discretization. Engineering quantities of interest are modeled as linear (or linearized) response functionals \[ R_j = \mathsf{\ell}_j^T\boldsymbol\phi, \] for tallies such as tritium breeding ratio (TBR), coil displacement-per-atom (dpa), helium production, dose, and heating. When a response involves nonlinear post-processing, the module must either (i) include that nonlinearity explicitly in the residual $\mathcal{R}_{\mathrm{neut}}$, or (ii) expose the linearized response used for first-order derivatives and flag the approximation. IX.C.2. Adjoint/GPT interface for first-order sensitivities For linear responses $R_j=\mathsf{\ell}_j^T\boldsymbol\phi$, the module must provide an adjoint (generalized perturbation theory) interface consistent with the end-to-end adjoint framework (Section III.B). In operator form, define the adjoint state $\boldsymbol\psi_j$ by \[ \mathsf{L}^T\boldsymbol\psi_j = \mathsf{\ell}_j. \] Then, for a perturbation $\delta\mathsf{L}$ and $\delta\mathbf{s}$ induced by $(\delta\mathbf{p},\delta\mathbf{U}_{\mathrm{up}})$, the first-order response perturbation satisfies \[ \delta R_j = -\boldsymbol\psi_j^T(\delta\mathsf{L})\,\boldsymbol\phi + \boldsymbol\psi_j^T\,\delta\mathbf{s}. \] Contract requirements: 1. The module must report the residual/solve diagnostics needed to judge credibility of $\boldsymbol\phi$ and $\boldsymbol\psi_j$ (residual norms or MC diagnostics) if these sensitivities are used for robustification (Section VIII.C) or optimization. 2. If MC is used, the module must declare how the adjoint information is obtained (deterministic adjoint solve, weight-window/importance map treated as an approximate adjoint, or other), and must mark sensitivities as inconclusive if prerequisites for the claimed derivative interpretation are not met. IX.D. Tritium inventory dynamics as a positive compartment network IX.D.1. Compartment ODE and positivity invariance Let $x(t)\in\mathbb{R}^{n_x}$ denote discrete tritium inventories in compartments (breeder, coolant, processing, storage, vacuum vessel, etc.). The module is specified by a linear (or linearized) ODE \[ \dot x(t) = A(\theta,T(t))\,x(t) + B(\theta,T(t))\,u(t) + q(t), \] where $u$ are control/throughput variables, $T$ denotes temperatures supplied by the thermal block, $\theta\subset\mathbf{p}$ are engineering coefficients, and $q(t)\ge 0$ includes source terms from neutronics (e.g., breeding production rates). Positivity contract: if inventories are interpreted physically, the discretized dynamics must preserve nonnegativity. A sufficient condition (for each fixed $t$) is that $A$ is Metzler (off-diagonal entries nonnegative) and that $B u + q\ge 0$ for admissible $u$. The module must declare whether this condition is enforced and must report a diagnostic flag if any step violates nonnegativity (treated as rejection for any hard constraint depending on tritium state). IX.D.2. Discrete-time residual for coupled steady or periodic operation The coupled residual framework permits multiple operating conventions: - Steady inventory (equilibrium): enforce $\dot x=0$ at a declared operating point, i.e. \[ \mathcal{R}_{\mathrm{trit}}(x;\cdot) := A(\theta,T)\,x + B(\theta,T)\,u + q = 0. \] - Periodic or transient inventory: for a declared time grid $0=t_0<\cdots<t_M=T$, enforce a one-step integration residual \[ \mathcal{R}_{\mathrm{trit},k} := x_{k+1} - \mathcal{I}_k(x_k;A_k,B_k,u_k,q_k)=0, \] where $\mathcal{I}_k$ is the declared integrator map. In this case, the certification interface of Section III.C.2 applies: the module must report step sizes, local error controls (or an explicit conservative envelope), and any event handling. Any hard constraint on tritium (e.g., inventory upper bounds) must be evaluated with one-sided conservative inflations for integration/discretization errors, or else returned inconclusive. IX.E. Thermal-hydraulics/coolant routing optimization as a convex program IX.E.1. Convex program interface and residual/KKT embedding The thermal block may be posed as either (i) a direct residual solve for temperatures/flows, or (ii) an inner convex optimization (e.g., routing/flow allocation to minimize pumping power subject to temperature limits). To maintain consistency with Section VII, we specify the convex-optimization option. Let decision variables $y$ represent (discretized) flows, pressure drops, channel areas, or other routing parameters. A generic convex template is \[ \begin{aligned} \min_y\ & \Phi_{\mathrm{pump}}(y)\\ \text{s.t. }\ & \mathsf{T}_{\max}(y;Q_{\mathrm{nuc}},\mathbf{p}) \le T_{\mathrm{lim}},\\ & y\in\mathcal{Y}, \end{aligned} \] where $\mathcal{Y}$ is a declared convex set encoding bounds and conservation constraints, and $\mathsf{T}_{\max}$ is either convex as written or replaced by a declared convex conservative surrogate. Contract requirement: if the thermal block is solved as an optimization subproblem and differentiated through, it must be embedded into the global residual by its KKT conditions (as in Section VII.B), with the same mandatory diagnostics: primal feasibility, dual feasibility, complementarity/duality-gap proxies, and a conditioning proxy for the KKT linearization. IX.E.2. Coupling back to neutronics and geometry Thermal feasibility constraints typically depend on geometry (areas, thicknesses, channel lengths) and on neutronics heating $Q_{\mathrm{nuc}}$. Therefore the module must: 1. Declare the transfer/operator that maps neutronics heating to the thermal discretization (projection, conservative remap, or shared mesh) and include its metadata in $\mathcal{D}$. 2. Expose derivative primitives (JVP/VJP) for the dependence of thermal constraints on $Q_{\mathrm{nuc}}$ and on geometry parameters, consistent with the global adjoint interface (Section III). 3. For any hard temperature constraint enforced via a surrogate $\widetilde{\mathsf{T}}_{\max}$, provide an explicit one-sided surrogate-to-true inflation term (Section VIII.A.2) or else mark the constraint inconclusive. This completes the optional extension specification at the level of residual/KKT interfaces and coupling contracts. Statistical certification for MC-based neutronics responses and compute-budget strategies are treated separately in Section X. X. Uncertainty Quantification and Certified Feasibility for 3D Neutronics Responses This section specifies (i) compute-budget strategies that preserve the end-to-end derivative/certification interfaces when neutronics responses are estimated by Monte Carlo (MC), and (ii) one-sided feasibility bounds suitable for the certified-oracle semantics of Section VIII. The scope is discrete and conditional: every bound must declare its assumptions (boundedness, moment conditions, independence, bias control) and must return inconclusive when prerequisites are not auditable. X.A. Variance reduction and compute-budget strategies for non-axisymmetric CAD-derived problems X.A.1. Multilevel Monte Carlo (MLMC) with deterministic control variates Let a response be written as a discretization-indexed quantity $R_\ell$ (e.g., mesh/harmonic level $\ell$), with the target finest-level response $R_L$. MLMC uses the telescoping identity \[ \mathbb{E}[R_L] = \mathbb{E}[R_0] + \sum_{\ell=1}^L \mathbb{E}[R_\ell - R_{\ell-1}]. \] Given i.i.d. samples $\{(R_\ell^{(i)},R_{\ell-1}^{(i)})\}_{i=1}^{N_\ell}$ of coupled pairs, the MLMC estimator is \[ \widehat R_{\mathrm{ML}} := \frac{1}{N_0}\sum_{i=1}^{N_0} R_0^{(i)} + \sum_{\ell=1}^L \frac{1}{N_\ell}\sum_{i=1}^{N_\ell} \bigl(R_\ell^{(i)}-R_{\ell-1}^{(i)}\bigr). \] Contract requirements (auditability). 1. The level definition $\ell\mapsto$ discretization metadata must be recorded in $\mathcal{D}$ (mesh, group structure, CAD-to-mesh tolerance, etc.). 2. The coupling rule that generates paired samples across $\ell$ and $\ell-1$ must be declared (shared random numbers, correlated transport kernels, or other). 3. Any claim of bias control must declare a one-sided discretization inflation term $\Delta^{\mathrm{disc}}\ge 0$ such that the certified margin incorporates \[ \Delta_i^{\mathrm{num}} \leftarrow \Delta_i^{\mathrm{num}} + \Delta^{\mathrm{disc}} \] when $R_L$ is treated as an approximation to a different reference discretization. Remark (control variates). Deterministic reduced-order or diffusion approximations may be used as control variates $C$ with known (or separately computed) expectation $\mathbb{E}[C]$, forming $R-\beta(C-\mathbb{E}[C])$. Any such use must report $\beta$, the source of $\mathbb{E}[C]$, and an explicit bias statement. X.A.2. CADIS/FW-CADIS-style adjoint-driven importance maps (multi-response) Variance reduction often relies on an importance map $I(x)$ derived from an adjoint (or approximate adjoint) solution. For multiple responses $R_j$ with adjoint sources $\ell_j$ (Section IX.C.2), a combined importance is commonly formed from a nonnegative combination \[ \ell_\alpha := \sum_{j=1}^M \alpha_j\,\ell_j,\qquad \alpha_j\ge 0. \] Contract requirements. 1. The construction of $\ell_\alpha$ (weights $\alpha_j$ and which responses are included) must be recorded. 2. If the importance map is treated as an approximation to an adjoint solution, this must be stated explicitly; any derivative use of the map must be flagged non-credible unless an adjoint residual/solve diagnostic supports the claimed adjoint interpretation. 3. When the importance map is adapted during the run, the adaptation schedule must be reported because it changes the effective sampling distribution. X.B. One-sided MC feasibility bounds for engineering constraints This subsection instantiates the generic one-sided MC bounds of Section III.D for engineering responses that enter constraints, emphasizing the necessity of (i) explicit per-history score definitions and (ii) auditable global risk control. X.B.1. Lower/upper bound forms for TBR and coil damage constraints Let $Y$ be the per-source-history score and $R=\mathbb{E}[Y]$. For a lower-bound constraint such as $\mathrm{TBR}\ge R_{\min}$, define the certified lower bound \[ R_{\mathrm{LB}} := \widehat R_N - \epsilon_N(\delta),\qquad \widehat R_N=\frac{1}{N}\sum_{i=1}^N Y_i, \] and declare feasibility only if $R_{\mathrm{LB}}\ge R_{\min}$. For an upper-bound constraint such as $\mathrm{dpa}\le R_{\max}$, use $R_{\mathrm{UB}}:=\widehat R_N+\epsilon_N(\delta)$ and declare feasibility only if $R_{\mathrm{UB}}\le R_{\max}$. Bounded-score specialization (auditable). If the implementation declares a verified almost-sure bound $Y\in[a,b]$, then Hoeffding yields \[ \epsilon_N(\delta)=(b-a)\sqrt{\frac{\log(1/\delta)}{2N}}. \] The diagnostic record must include $(a,b,N,\delta)$ and a statement of how boundedness was verified or enforced (e.g., score truncation with explicit truncation bias accounting). Variance-only specialization (coarse, auditable). If only $\mathrm{Var}(Y)\le \sigma^2$ is declared, then Chebyshev yields the one-sided bound \[ \mathbb{P}\bigl(R \ge \widehat R_N - \sigma/\sqrt{N\delta}\bigr)\ge 1-\delta. \] This is conservative but typically loose; it is admissible only if $\sigma$ is itself an auditable bound (not merely a sample estimate). X.B.2. Non-Gaussian tally behavior as a design constraint Because many transport tallies are heavy-tailed or exhibit strong heteroscedasticity, the certification layer treats tail control as an explicit prerequisite. The following is a specification-level gate: Tail-credibility gate. A MC-based hard constraint may return $\mathsf{Status}=\mathrm{conclusive}$ only if at least one of the following auditable conditions is satisfied: 1. A verified bounded-score condition $Y\in[a,b]$ (possibly enforced via declared truncation) together with explicit accounting for any truncation bias; or 2. A declared moment/tail condition strong enough to justify the chosen $\epsilon_N(\delta)$ and documented evidence that the condition applies in the sampled regime. If neither is satisfied, the correct output is $\mathsf{Status}=\mathrm{inconclusive}$, independent of how small the sample variance appears. X.B.3. Global risk control across multiple MC constraints Let $M$ MC-based responses enter hard constraints at a design point. Choose $\delta_1,\ldots,\delta_M$ with $\sum_{j=1}^M\delta_j\le \alpha$, and compute one-sided bounds for each response at level $\delta_j$. Feasibility is certified only if every constraint is satisfied by its one-sided bound. The record must include $\alpha$, the allocation rule $\delta_j$, and per-response sample sizes $N_j$. X.C. Distributionally robust TBR certification via convex optimization (linearized, discrete) This subsection specifies a conservative robustification mechanism for nuclear-data uncertainty when a response admits a local affine approximation in uncertain parameters. It is explicitly a *discrete linearization* statement; if the linearization is not declared credible, the robustification must be marked inconclusive. X.C.1. Linearized response model from GPT derivatives Let $\xi\in\mathbb{R}^{n_\xi}$ denote uncertain nuclear data parameters (multigroup cross sections, densities, etc.) with nominal value $\bar\xi$. Suppose the module provides a credible first-order sensitivity $g:=\nabla_\xi R(\bar\xi)$ (via GPT/adjoint machinery) and adopts the affine approximation \[ R(\xi)\approx R(\bar\xi) + g^T(\xi-\bar\xi). \] The diagnostic record must include (i) the definition of $\xi$ (units, parameterization), (ii) the method used to compute $g$, and (iii) the conditions under which the linearization is deemed credible (e.g., a declared radius of validity or a remainder inflation term). X.C.2. Ellipsoidal uncertainty and SOCP-form robust lower bound Let the uncertainty set be an ellipsoid \[ \mathcal{U} := \{\xi:\ (\xi-\bar\xi)^T\Sigma^{-1}(\xi-\bar\xi)\le \rho^2\}, \] with $\Sigma\succ 0$ and $\rho>0$ declared. Under the affine model, \[ \inf_{\xi\in\mathcal{U}} \bigl(R(\bar\xi)+g^T(\xi-\bar\xi)\bigr) = R(\bar\xi) – \rho\,\|\Sigma^{1/2}g\|_2. \] Therefore, a conservative robust lower bound (for a lower-bounded requirement $R\ge R_{\min}$) is \[ R_{\mathrm{rob,LB}} := R_{\mathrm{LB}} – \rho\,\|\Sigma^{1/2}g\|_2 – \Delta_{\mathrm{lin}}, \] where $R_{\mathrm{LB}}$ is the statistical lower bound from X.B and $\Delta_{\mathrm{lin}}\ge 0$ is an optional declared remainder inflation controlling linearization error. The term $\|\Sigma^{1/2}g\|_2$ is second-order-cone representable; hence this robustification is compatible with conic optimization wrappers. Status semantics. $\mathsf{Status}=\mathrm{conclusive}$ for the robust bound requires auditable $(\Sigma,\rho)$, credible $g$, and a declared handling of the linearization remainder (either $\Delta_{\mathrm{lin}}$ supplied or the robustification flagged inconclusive). XI. Surrogates and Reduced-Order Models With A Posteriori Certification This section specifies how surrogates may be inserted into the residual pipeline without violating the certification-first philosophy: every surrogate output used in a hard constraint must be accompanied by an a posteriori error bar that yields a one-sided conservative inequality when wrapped as in Section II.D.3. XI.A. Certified reduced-basis (RB) surrogate for transport/diffusion QoIs XI.A.1. Offline–online decomposition and a posteriori QoI bounds Consider a (discretized) linear problem parameterized by $\mathbf{p}$: \[ A(\mathbf{p})u(\mathbf{p}) = f(\mathbf{p}), \] with a quantity of interest $J(\mathbf{p}) = \ell(\mathbf{p})^T u(\mathbf{p})$. Let $V_r$ be a reduced basis of dimension $r\ll n$ and approximate $u_r=V_r a$ with \[ V_r^T A(\mathbf{p})V_r a = V_r^T f(\mathbf{p}). \] Define the primal residual $r_p := f-Au_r$. Let the adjoint solution $z$ satisfy \[ A(\mathbf{p})^T z(\mathbf{p}) = \ell(\mathbf{p}). \] If a reduced adjoint $z_r$ is computed similarly and an operator norm bound (or coercivity bound in symmetric coercive settings) $\alpha(\mathbf{p})>0$ is declared such that $\|A(\mathbf{p})^{-1}\|\le 1/\alpha(\mathbf{p})$, then a standard a posteriori bound template is \[ |J(\mathbf{p})-J_r(\mathbf{p})| \le \frac{\|r_p\|\,\|r_d\|}{\alpha(\mathbf{p})}, \] where $r_d := \ell-A^T z_r$ is the adjoint residual and the norms are declared. Contract requirement. Any surrogate-claimed bound must record the norms, the method for producing $\alpha(\mathbf{p})$ (verified, estimated, or assumed), and the residual norms $\|r_p\|$, $\|r_d\|$. If $\alpha(\mathbf{p})$ is not auditable, then the surrogate may still be used as a heuristic but any hard constraint depending on it must be marked inconclusive. XI.A.2. Calibration-or-reject prerequisites If a surrogate replaces a high-fidelity module in $\mathcal{R}$, the pipeline must expose a rejection test based on its a posteriori bound. For a constraint $g(\cdot)\le 0$ depending on $J$, a conclusive certified evaluation must use \[ \Delta^{\mathrm{num}} \leftarrow \Delta^{\mathrm{num}} + \eta_J, \] where $\eta_J$ is the surrogate error bar in the correct one-sided direction (upper bound for quantities constrained above, lower bound for quantities constrained below). If $\eta_J$ cannot be computed, $\mathsf{Status}=\mathrm{inconclusive}$. XI.B. Modular reduced-order transport solver for segmented blankets XI.B.1. Domain decomposition and interface transfer maps Let the blanket region be decomposed into subdomains $\{\Omega_k\}_{k=1}^K$ with interface boundaries $\Gamma_{jk}=\partial\Omega_j\cap\partial\Omega_k$. A modular reduced-order transport (or diffusion) representation may encode the mapping from incoming interface data to outgoing interface data in each subdomain via linear operators \[ \mathbf{q}^{\mathrm{out}}_k = P_k(\mathbf{p})\,\mathbf{q}^{\mathrm{in}}_k + \mathbf{s}_k(\mathbf{p}), \] with global assembly enforced by interface consistency constraints. The contract requires that every such $P_k$ be reported with its discretization and any approximation error bound used to certify global responses. XI.B.2. Global response assembly and locality of recomputation The assembled interface system takes the generic form \[ (I-\mathsf{P}(\mathbf{p}))\,\mathbf{q} = \mathbf{s}(\mathbf{p}), \] where $\mathsf{P}$ is built from the block operators $P_k$. A locality claim (only recompute certain blocks under a design edit) is admissible only if the diagnostic record identifies which blocks changed and provides a residual check on the assembled system. XI.B.3. Resolvent-based error bounds (interface-level) If $\|\mathsf{P}\|<1$ in a declared operator norm, then $(I-\mathsf{P})^{-1}$ exists and \[ \|(I-\mathsf{P})^{-1}\|\le \frac{1}{1-\|\mathsf{P}\|}. \] This yields a conservative amplification bound for module-level approximation errors in $P_k$ and $\mathbf{s}_k$. Any use of this bound must declare the chosen norm and how $\|\mathsf{P}\|$ is bounded; otherwise the error propagation is inconclusive. XI.C. Dual-weighted residual (DWR) bias correction and certification XI.C.1. DWR correction estimator Let $u_h$ be a coarse solution and $z_h$ a coarse adjoint. For a linear(ized) problem $A u=f$, the DWR estimator takes the form \[ J(u)-J(u_h) = z^T(f-Au_h), \] with $z$ the exact adjoint. Replacing $z$ by an enriched adjoint approximation $z_{\mathrm{enr}}$ yields an estimator \[ \eta_{\mathrm{DWR}} := z_{\mathrm{enr}}^T (f-Au_h). \] Contract requirement. If DWR is used to create a certified one-sided correction, the module must provide (i) the residual vector $f-Au_h$, (ii) the enriched adjoint description, and (iii) an explicit condition under which the correction is treated as conservative (e.g., a validated saturation check). XI.C.2. Saturation hypothesis and falsifiable saturation checks A common route to converting DWR corrections into bounds is a saturation condition on the error under refinement. Since this is model- and discretization-dependent, the contract only permits bound claims when a falsifiable saturation check is provided (e.g., comparing successive refinements to verify that corrections decrease by a declared factor). Absent such evidence, DWR outputs may be reported as diagnostics but not as conclusive certificate inflations. XII. Shape Sensitivities, Manufacturing Tolerances, and Shield/Blanket Sizing Optimization This section specifies discrete shape-derivative interfaces and tolerance-robust sizing logic consistent with Sections III and VIII. The purpose is to turn shape-dependent neutronics/thermal constraints into auditable derivatives and conservative robust margins. XII.A. Shape calculus / interface-motion derivatives for transport responses XII.A.1. Material-substitution view and adjoint bilinear structure Let a response be written abstractly as $R(\mathbf{p})$, where geometry enters through material interfaces. For a small normal interface motion with velocity field $V$ and unit normal $n$, many PDE-based responses admit a Hadamard-type structure \[ \frac{dR}{dt} = \int_{\Gamma} \mathcal{G}(\text{primal},\text{adjoint};\mathbf{p})\,(V\cdot n)\,dS, \] for an interface integrand $\mathcal{G}$ computed from one forward and one adjoint solve. Contract requirements. 1. The interface $\Gamma$, normal convention, and discretization (surface quadrature) must be recorded. 2. The mapping from geometry parameters to $V\cdot n$ must be auditable via the deformation field interface of Section V.A.2. 3. Any singular behavior from non-smooth CAD features must be addressed by an explicit smoothing/regularization, recorded in $\mathcal{D}$, and included in $\Delta^{\mathrm{num}}$ for hard constraints. XII.A.2. Thickness/port-liner gradients from one forward + one adjoint For sizing variables $t_k$ representing local layer thicknesses, a material-substitution parameterization often yields derivatives of the form \[ \frac{dR}{dt_k} = \int_{\Gamma_k} \mathcal{G}_k\,dS, \] where $\Gamma_k$ is the affected interface region. The pipeline must expose these derivatives either directly (adjoint contraction) or through JVP/VJP interfaces consistent with Section III, and must report the discretization on which $\Gamma_k$ is represented. XII.B. Certified manufacturing-tolerance bounds XII.B.1. Robust one-sided certificates under bounded shape perturbations Let $g_i(\mathbf{p})\le 0$ be a hard constraint margin depending on geometry parameters $\mathbf{p}_{\mathrm{geom}}$. Suppose an uncertainty set is declared \[ \mathcal{P}_{\mathrm{geom,unc}} = \{\mathbf{p}_{\mathrm{geom}}+\delta\mathbf{p}:\ \|W\,\delta\mathbf{p}\|_2\le \rho\}, \] with weight matrix $W$ and radius $\rho$. If a credible reduced gradient $\nabla g_i$ is available, a conservative linearized robust inflation is \[ \Delta^{\mathrm{unc}}_{i,\mathrm{lin}} = \rho\,\|W^{-T}\nabla g_i\|_2. \] Conclusive robust certification additionally requires either (i) a declared remainder bound (as in VIII.C.1), or (ii) a regime restriction in which the linear model is justified and audited. XII.B.2. Gap note: required regularity and parameter bounds are external inputs Any bound on $\nabla g_i$ Lipschitzness, or any guarantee that geometric perturbations preserve mesh validity/embedding, depends on external geometric regularity assumptions and meshing tolerances. The pipeline must treat these as declared inputs; if they are not provided, robust certification is inconclusive. XII.C. Certified sequential convex programming (SCP) for shield/blanket sizing XII.C.1. SCP loop with conic robustifications Let sizing variables $t\in\mathbb{R}^n$ (e.g., thicknesses) enter constraints $g_i(t)\le 0$. An SCP step forms convex local models \[ \tilde g_i(t) := g_i(t^{(k)}) + \nabla g_i(t^{(k)})^T(t-t^{(k)}) + \Delta^{\mathrm{num}}_i + \Delta^{\mathrm{unc}}_i, \] and solves a convex subproblem (LP/QP/SOCP depending on the robust terms). Contract requirement: each SCP iteration must store (i) the linearization point, (ii) the certified inflations used, and (iii) a post-step verification by re-evaluating the certified oracle at the new point. No step is accepted without a conclusive oracle verification. XII.C.2. Conservative stopping criteria Stopping is permitted only when (i) the certified margins $g_{i,\mathrm{cert}}\le 0$ for all hard constraints, and (ii) refinement triggers associated with $\Delta^{\mathrm{num}}$ are satisfied (e.g., grid-refinement or MC sampling continued until certificate tightness meets a declared threshold). XIII. Discrete Symmetry and Segmentation Optimization for Stellarator Blankets This section specifies a discrete optimization layer for blanket segmentation that is compatible with the residual + certification architecture. The primary goal is to ensure that discrete segmentation decisions (cuts, module boundaries) do not bypass certification requirements for neutronics/thermal/tritium constraints. XIII.A. Field-period-aware segmentation parameterization XIII.A.1. Discrete symmetry reduction Let the device have $N_{\mathrm{fp}}$ field periods. A segmentation design may restrict decision variables to one fundamental sector and replicate them by symmetry. The contract requires that the symmetry action (replication map) be declared explicitly and that any constraint evaluated on the full device either (i) is proven symmetry-invariant at the discretized level, or (ii) is evaluated on all replicated sectors with a certified extrema wrapper (Sections III.C.1 and VIII.B). XIII.A.2. Mixed-integer segmentation variables Let binary variables $s\in\{0,1\}^q$ encode candidate cuts/ports. Let continuous sizing variables $t$ encode thicknesses/material fractions. The combined design vector is $(s,t)$. Any discontinuity introduced by segmentation must be reported in the diagnostic record (changed meshes, changed boundary conditions, changed module couplings); derivatives across segmentation changes are not assumed meaningful and must be flagged as non-credible (Section III.B.3). XIII.B. Optimization formulations XIII.B.1. Mixed-integer program structure A generic certified segmentation problem takes the form \[ \min_{s\in\{0,1\}^q,\ t\in\mathcal{T}(s)}\ C(s,t)\quad\text{s.t.}\quad g_{i,\mathrm{cert}}(s,t)\le 0\ \forall i, \] where $C$ is a cost/complexity model and $g_{i,\mathrm{cert}}$ are certified margins produced by the oracle semantics of Section VIII, possibly requiring inner solves (Sections IX--XII). Contract requirement (oracle compatibility). A candidate $(s,t)$ may be declared feasible only if every constraint oracle returns $\mathsf{Status}=\mathrm{conclusive}$. If any oracle is inconclusive, the MIP layer must treat the point as not-certifiably-feasible (e.g., by a big-M rejection or by forcing refinement/sampling). XIII.B.2. Certified feasibility bounds inside branch-and-bound When used within branch-and-bound, the solver must store the certificate decomposition $\widehat g_i+\Delta^{\mathrm{num}}_i+\Delta^{\mathrm{unc}}_i$ at each incumbent and, for any node pruning based on feasibility, must record which constraints were conclusive. This makes pruning auditable. XIII.C. Cost/maintenance coupling and trade-off metrics XIII.C.1. Maintenance access and fabrication cost models Cost models $C(s,t)$ are treated as declared maps (not physically validated here). To preserve auditability, the implementation must report the full decomposition of $C$ into components (material volume costs, number of modules, port complexity, estimated maintenance time) and must identify which components are empirical/external. XIII.C.2. Gap note: external vendor/operational data Any quantitative validity of fabrication/maintenance models depends on external data. Within this paper they serve only as optimization layer inputs, not as certified claims. XIV. Falsification and Benchmark Design (Auditability as a First-Class Output) This section specifies a diagnostic record and benchmark-design logic that makes the pipeline falsifiable: it must be possible to trace a feasibility decision back to residual norms, conditioning proxies, sampling radii, and statistical confidence allocations. XIV.A. Diagnostic record requirements for every evaluation XIV.A.1. Minimal audit trace For each evaluation $\mathbf{p}\mapsto(\mathbf{U},\mathcal{D})$, the diagnostic record $\mathcal{D}$ must include: 1. Residual norms $\|\mathcal{R}_k\|_k$ and tolerances $\varepsilon_k$ for every residual block (Section II.C.2). 2. Conditioning proxies for the coupled Jacobian (and key sub-blocks such as Boozer and KKT blocks), with declared acceptance thresholds (Section II.C.3). 3. Any enclosure data used for spectral gates: eigen-residuals, normalization defects, and separation evidence (Sections III.C.3 and VI.A). 4. For sampled extrema certificates: the sample set $G$, covering radius $\delta$, metric $d$, Lipschitz constant $L$ and its provenance (Section III.C.1). 5. For ODE-based certificates: $\delta$-net size, integrator metadata, and error envelopes (Sections III.C.2 and VI.D). 6. For MC certificates: per-history score definition, sample size, confidence parameters $\delta_j$, and the bound form used (Section X.B). XIV.A.2. Explicit rejection semantics Every module must define explicit rejection conditions (solver failure, violated prerequisites, missing metadata). The global pipeline must propagate these to $\mathsf{Status}=\mathrm{failed}$ for any hard constraint depending on a failed module. Silent fallbacks are disallowed. XIV.B. Integral benchmark pathways for blanket/neutronics modules XIV.B.1. Validation via integral benchmark data and $\chi^2$ rejection For a vector of benchmark observables $\widehat y$ and measured $y^{\mathrm{obs}}$ with declared covariance $\Sigma$, a benchmark discrepancy measure \[ \chi^2 := (\widehat y-y^{\mathrm{obs}})^T\Sigma^{-1}(\widehat y-y^{\mathrm{obs}}) \] may be used with a declared threshold. This is a protocol: the pipeline must store $(\widehat y,y^{\mathrm{obs}},\Sigma,\chi^2,\tau_{\mathrm{reject}})$ and must state the statistical assumptions under which the threshold is interpreted. XIV.B.2. Gap-streaming benchmark concept for segmented mockups Segmentation introduces gap fractions and discontinuities that can dominate neutronics and thermal responses. The contract recommends (but does not claim availability of) benchmarks that vary a controllable segmentation parameter (e.g., gap fraction) and compare predicted response degradation to measured degradation. Any such benchmark must report geometry tolerances and as-built metrology, which define the relevant uncertainty set for robustification. XIV.C. Optimal integral benchmark design as set selection XIV.C.1. Monotone submodular formulation Let $\mathcal{E}$ be a finite candidate set of benchmark experiments/configurations, and let $F(S)$ be a nonnegative informativeness score for selecting a subset $S\subset\mathcal{E}$ (e.g., expected reduction in posterior uncertainty of key closure parameters, or a mutual-information surrogate). If $F$ is monotone and submodular and a budget $|S|\le k$ is imposed, then the greedy algorithm (iteratively add the element with largest marginal gain) returns $S_{\mathrm{greedy}}$ satisfying \[ F(S_{\mathrm{greedy}}) \ge (1-1/e)\,F(S^*), \] where $S^*$ is an optimal size-$k$ set. Contract requirements. 1. The definition of $F$ must be recorded, including any linearization or surrogate assumptions. 2. The marginal gains computed by the greedy procedure must be stored for auditability. 3. If adjoint sensitivities are used to score experiments, their credibility prerequisites (conditioning, residual checks) must be met, or else the score must be flagged heuristic. XV. Limitations, Open Gaps, and External Verification Requirements This section states limitations intrinsic to the paper's scope. The mathematical framework guarantees only discrete, auditable statements for declared discretizations and declared assumptions; it does not establish physical adequacy of any proxy. XV.A. Discrete-only guarantees and model adequacy gaps XV.A.1. Certificates are only for the declared discretizations All one-sided inequalities and derivative identities in this paper apply to finite-dimensional discretizations and to the diagnostic tolerances reported in $\mathcal{D}$. In particular: - A conclusive certificate at discretization $h$ does not imply feasibility for a different discretization $h'$ unless an explicit discretization-change inflation term is provided. - Conditioning and truncation diagnostics are part of the certificate prerequisites; without them, feasibility claims are invalid. XV.A.2. Stability proxy adequacy is explicitly external Eigenvalue- and near-integrable-field-line-based gates are treated as discrete proxies with auditable one-sided bounds. Whether these proxies imply reactor-relevant stability or confinement is an external scientific question not addressed here. XV.B. Unverified assumptions embedded in closures/surrogates/proxies The framework requires assumptions to be declared, but does not verify them. Examples of assumptions that must be treated as external inputs include: 1. Transport/closure identifiability: whether the chosen intermediate observables uniquely determine closure parameters. 2. Boozer truncation adequacy: whether the retained spectral sets suffice for the intended constraints. 3. MC statistical assumptions: independence, boundedness/moment conditions, and tail behavior supporting one-sided bounds. 4. Robust ambiguity sets: the selection of $(\Sigma,\rho)$ or other uncertainty-set parameters for nuclear data and manufacturing tolerances. XV.C. Required external validation artifacts For the pipeline to be used responsibly, external artifacts are required, including: 1. Device comparisons for geometry/vacuum-field/Boozer intermediate observables and for bootstrap/current closures. 2. Neutronics and coupled thermal/tritium benchmark datasets with declared acceptance thresholds and reproducibility protocols. 3. Documentation of geometric metrology and manufacturing tolerances sufficient to define auditable uncertainty sets $\mathcal{P}_{\mathrm{unc}}$. The body of the paper ends here: it has specified an end-to-end discrete residual pipeline, differentiation interfaces, and conservative certification semantics, together with optional multiphysics extensions and explicit limitations. Conclusion This paper has provided a discrete, optimization-facing mathematical specification for an end-to-end stellarator design-evaluation pipeline in which multiple coupled physics and engineering modules are treated uniformly as an implicitly defined residual system $\mathcal{R}(\mathbf{U},\mathbf{p})=\mathbf{0}$. The central contribution is not a new physical model, but a rigorous *contract* for what a pipeline must return in order to make feasibility and sensitivity claims auditable: a state $\mathbf{U}$, a diagnostic record $\mathcal{D}$ containing residual norms, tolerances, conditioning proxies, and other intermediate observables, and explicit rejection/inconclusive semantics when numerical credibility prerequisites fail. On the optimization side, the document formalized implicit differentiation and adjoint calculus for the fully coupled discretized system, emphasizing matrix-free JVP/VJP interfaces as the primary derivative contract. The framework explicitly links derivative credibility to conditioning and degeneracy diagnostics: when the Jacobian of the coupled residual (or key sub-blocks such as Boozer or KKT systems) is ill-conditioned, or when eigenvalue separation and KKT regularity checks fail, derivatives are flagged non-credible rather than silently used. For constraints, the paper adopted a certification-first philosophy in which every hard inequality is evaluated through a one-sided conservative oracle of the form \[g_{i,\mathrm{cert}} = \widehat g_i + \Delta_i^{\mathrm{num}} + \Delta_i^{\mathrm{unc}},\] with an auditable decomposition into nominal discrete margin, numerical inflation (residual tolerances, truncation, grid undersampling, integration error, smoothing inflation), and parametric/robust inflation (declared uncertainty sets with explicit remainder control). Generic certification primitives were specified for (i) sampled extrema via Lipschitz/$\delta$-net envelopes, (ii) ODE/trajectory-based gates via Lipschitz error propagation and integrator bookkeeping, (iii) spectral gates via one-sided enclosures with residual and separation evidence, and (iv) Monte Carlo responses via one-sided confidence bounds with explicit assumptions and global risk allocation. Within this unified architecture, representative module interfaces were specified across the design stack: a minimal +1D plasma backbone with conservative power-balance residual diagnostics and falsifiable intermediate observables; geometry and shape-derivative interfaces plus a Boozer-transform residual block with truncation and conditioning diagnostics; stability and confinement-adjacent gates (generalized eigenproblem proxies, bootstrap fixed-point regularity diagnostics, resonance/island non-overlap logic, and prompt-loss certificates) expressed in certified, one-sided forms; and inner engineering layers treated as convex subproblems embedded by KKT residuals (coil synthesis and thermal routing templates) to make feasibility and sensitivities auditable. The paper also showed how blanket/shield, neutronics, thermal-hydraulics, and tritium inventory models can be incorporated as additional residual blocks with adjoint-compatible sensitivity hooks, including distributionally robust linearized bounds when assumptions are explicitly declared. Finally, the document elevated falsification and benchmarking to first-class outputs: every evaluation must be traceable to stored diagnostics, and benchmark design can be posed as an auditable set-selection problem (e.g., via a submodular informativeness score) provided derivative credibility prerequisites are met. Limitations were stated explicitly. All guarantees are discrete-only and conditional on declared assumptions and reported diagnostics; the framework does not establish physical adequacy of any proxy (Boozer-based metrics, stability eigenproxies, reduced island or prompt-loss models, transport closures, surrogate models, or MC tail assumptions). Consequently, the primary practical implication is methodological: the specification is designed to prevent *numerical* false feasibility and to force explicit “inconclusive/reject” outcomes when evidence is insufficient, thereby enabling modular replacement, systematic refinement, and structured external validation as the necessary next step. [HARD CODED END-OF-PAPER MARK -- ALL CONTENT SHOULD BE ABOVE THIS LINE]

More Info