Where shield is the framework's detective — a passive observer that emits anomaly events — control is the engineer: an active governor that adjusts plant inputs to keep framework primitives at desired operating points.
The control objectives are framework intrinsic thresholds
- \(\beta < 1\) (Theorem 1, brake threshold) — the cascade returns to rest in finite cascade-time. Framework-native definition of "the system can be turned off".
- \(\mathfrak{A} \le \tau_{T3}\) (Theorem 10) — all sensor channels read the same underlying state. Cross-shadow disagreement is the framework-native "decoherence" alarm.
- \(\sigma_{\text{cross}}\) small (Theorem 11) — shadow basket converges to a single brake exponent.
- \(\mathcal{P}\) cadence-stamped (Theorem 13) — each control band can be governed at its own rate.
What this composes with
The control derivative supplies a cost layer. It does not supply the policy — that is delivered by classical MPC, LQR, or RL machinery the user already operates. The framework's contribution is the domain-agnostic anomaly cost; the user's contribution is everything else (actuator dynamics, regulatory constraints, plant-specific priors).
shield : shadow_stream → 𝓐, σ_cross, β → alert event
control: shadow_stream → 𝓐, σ_cross, β → cost J(u)
↓
control policy → u*Cost function structure
$$ J(\text{shadows}, u) \;=\; \alpha \cdot \max(0, \mathfrak{A} - \tau_{T3})^2 \;+\; \beta \cdot \sigma_{\text{cross}}^2 \;+\; \gamma \cdot \max(0, \beta_{\text{brake}} - 1) \;+\; \delta \cdot \|u\|^2 $$
Smooth softplus / sqrt-form approximations keep the cost differentiable in u. Each term has a clean theorem anchor: \(\alpha\)-term (T10 quadratic), \(\beta\)-term (T11 quadratic), \(\gamma\)-term (T1 linear-rectified), \(\delta\)-term (actuation regularisation).
See per-section pages for the full scope, benchmarks vs PID, and plant adapter library.