Doctoral Research · Space Robotics Inspection with a Free-Flying Space Manipulator
A Doctoral Research Journal Aerospace Engineering

Bounding the oracle gap: from a kinematic existence proof to a buildable posture lever

Date: Jun 12, 2026. What this is: a getting-started guide, not a proof. CHAIN_13’s checkpoint left one sentence doing a lot of work — “the oracle’s clean route is a kinematic existence proof; the live system also carries momentum dynamics and base-tracking error, so the achievable gap is the first thing a criteria file should bound.” This note unpacks that sentence into three concrete, separately-attackable bounds, shows the scratch work for the easiest one, and lists what to read first. The 7-DOF arm is the subject throughout; the 6-DOF has no spare degree of freedom, so nothing here applies to it (the per-arm split of AMENDMENT 2).


1. The motivating problem

Here is the puzzle the diagnostics left us. The schedule-κ oracle — a kinematics-only rollout of the demanded camera schedule — tracked the 7-DOF demand with median error 0.0000 m and never came within a factor of two of the singular floor: its worst σ₆ stayed above 0.05 at every flown speed. The live system, flying the same demand, spends up to 27% of its steps below σ₆ = 0.025. Same task, same arm, same walls — one traveler gets through clean, the other falls into potholes.

So a clean route exists. Why can’t we just… take it?

Because the oracle cheats, in three specific ways. It moves the arm kinematically (no forces, no momentum bookkeeping); it holds the base exactly on its guidance trajectory; and it gets to pick arm postures with a policy (the damped pseudo-inverse) that the live controller does not use — the live system reconstructs velocities on the v_n = 0 section, which deliberately parks the spare degree of freedom rather than steering it. Before anyone writes a “follow the oracle’s route” lever, we owe the committee an answer to: how much of the clean route survives once the cheats are removed? That number — the gap — is what the criteria file must bound before any build.

2. Intuition: two sections of the same bundle

Picture one demanded camera pose. The 7-DOF arm has a one-parameter family of configurations that all realize it — the self-motion circle (touch your nose and swing your elbow; the project vocabulary calls the family a fiber). As the schedule sweeps the camera pose along the path, the fibers sweep out a tube in joint space. A route is any continuous thread through the tube that stays on the moving fiber.

The singular walls are frozen surfaces in joint space. Some threads through the tube graze them; some do not. The oracle’s policy picks one thread (call it the witness route); the live v_n = 0 policy picks another. D3’s verdict, in this language: the tube contains at least one wall-clear thread, and the live policy’s thread is not it.

A section is a rule that picks one point on every fiber. The live controller’s rule (“zero self-motion velocity”) is a perfectly good section for suppressing ghost motion — that is what it was built for — but it makes the route an accident of history: where you end up on each fiber depends on where you were on the last one. Nothing steers it away from walls. The proposed lever would replace, or bias, that rule with one that tracks the witness route. The gap question is whether the bias fits inside the budgets the live system actually has.

3. Setting up the objects (definitions, so the symbols stop wobbling)

Let s denote arclength along the demanded schedule, running from 0 to s_end, and let g(s) denote the demanded camera pose at s (position plus pointing axis — five constrained degrees of freedom). For each s, define the fiber

F(s) = { q : the arm configuration q realizes g(s) },

where q is the 7-vector of arm joint angles. Generically F(s) is a one-dimensional curve (the self-motion family). A route is a continuous map q(s) with q(s) ∈ F(s) for every s.

Two routes matter here. Write q_O(s) for the oracle’s witness route — the one the D3 rollout exhibited, with σ₆(q_O(s)) ≥ 0.05 throughout and joint rates inside the live 50 rad/s clip. Write q_L(s) for the live route — the one the flying system actually takes under the v_n = 0 section, the kernel freeze, and the derate.

The lever’s premise is that we can make the live system’s route converge toward q_O. The gap is everything that obstructs that convergence. It splits cleanly into three pieces, and each piece is a bound we can compute offline, from data we already have — no new simulations are needed for any of them.

4. The three gaps, each with its proof technique

Gap 1 — dynamical admissibility of the witness route (direct, constructive)

The oracle never asked whether following q_O takes forces the actuators can produce. The check is constructive: evaluate the inverse dynamics along the witness route. We already log q_O(s) from the rollout; differentiating along s at the mission speed gives the joint velocities and accelerations the route demands, and the reduced dynamics objects the controller already builds (the mass matrix and Coriolis matrix of the breve system) convert those into required generalized forces and base reactions. The bound to pre-register is utilization:

U₁ = max over s of (required torque / saturation limit, required rate / rate limit).

If U₁ ≤ 1 with margin, the route is dynamically admissible; if not, the lever is dead on arrival and we have spent zero simulation hours learning it. Technique note: this is a direct computation, not an inequality — the only subtlety is differentiating a sampled route without amplifying noise (use the analytic schedule rate ṡ = v, and smooth q_O′ the same way the project already smooths surface paths).

Gap 2 — margin consumption by base-tracking error (perturbation bound)

The oracle held the base exactly on guidance. The live base tracks with error — a few degrees of attitude wobble and a COM lag — and the fiber moves when the base moves: the same camera demand seen from a perturbed base asks the arm for a slightly different configuration. The right tool is a singular-value perturbation inequality, and this is the easiest of the three bounds, so we show the scratch work.

Scratch work. We want to know how much σ₆ can drop when the configuration is perturbed. Working backward: σ₆ is the smallest singular value of the matrix J⁺(q), so we first need “how much does σ_min move when the matrix moves,” then “how much does the matrix move when q moves,” then “how much does q move when the base errs.”

The first link is a standard matrix-analysis fact (Weyl’s inequality for singular values): for matrices A and E of the same shape,

σ_min(A + E) ≥ σ_min(A) − ‖E‖₂.

In words: a perturbation of spectral norm ‖E‖₂ cannot push the smallest singular value down by more than ‖E‖₂. No structure of E is needed — this is exactly the worst-case-friendly form a committee likes.

The second link is the Jacobian’s own smoothness: ‖J⁺(q + δq) − J⁺(q)‖₂ is bounded by L_J · ‖δq‖ for a local Lipschitz constant L_J, which we can estimate numerically along the witness route (finite differences of J⁺ in each joint direction; the literature even gives closed-form joint-angle derivatives if an analytic route is preferred). The third link converts the measured base-error distribution from the existing logs into an equivalent configuration perturbation δq (the arm must absorb what the base fails to track; to first order this is the arm Jacobian inverse applied to the base pose error, and we have logged base errors for every flown mission).

Chaining the three links: the witness route’s headroom is σ₆(q_O) − 0.025 ≥ 0.025 (it never dips below 0.05, and the pothole threshold is 0.025). The pre-registrable bound is

U₂ = p99 over the mission of [ L_J · ‖δq(base error)‖ ] / 0.025,

and the lever’s premise survives only if U₂ < 1 — that is, only if measured base error cannot eat the witness route’s entire margin. Note what makes this honest: every factor is either a logged quantity (the base errors), a numerically estimable constant (L_J along q_O), or a theorem (Weyl). Nothing requires believing the lever works.
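The three-link chain above, as an added example that is not part of the original note or the project's code. A planar 2R arm with unit links stands in for J⁺(q), the route and δq samples are constructed rather than logged, and the names jac, svals, lipschitz, u2 and weyl_holds are hypothetical.

```python
import math

def jac(q):
    """Planar 2R arm Jacobian, unit links (assumed stand-in for the page's J+)."""
    s1, c1 = math.sin(q[0]), math.cos(q[0])
    s12, c12 = math.sin(q[0] + q[1]), math.cos(q[0] + q[1])
    return [[-s1 - s12, -s12], [c1 + c12, c12]]

def sub(a, b):
    return [[a[i][j] - b[i][j] for j in range(2)] for i in range(2)]

def svals(m):
    """(sigma_max, sigma_min) of a 2x2 matrix in closed form."""
    (a, b), (c, d) = m
    s1 = a * a + b * b + c * c + d * d
    s2 = math.hypot(a * a + b * b - c * c - d * d, 2.0 * (a * c + b * d))
    smax = math.sqrt(0.5 * (s1 + s2))
    return smax, (abs(a * d - b * c) / smax if smax > 0.0 else 0.0)

def lipschitz(q, h=1e-5):
    """First-order L_J at q: central differences of J in each joint direction."""
    total = 0.0
    for i in range(2):
        qp = [q[j] + (h if j == i else 0.0) for j in range(2)]
        qm = [q[j] - (h if j == i else 0.0) for j in range(2)]
        total += (svals(sub(jac(qp), jac(qm)))[0] / (2.0 * h)) ** 2
    return math.sqrt(total)

def p99(xs):
    xs = sorted(xs)
    return xs[min(len(xs) - 1, int(0.99 * len(xs)))]

N = 400
# Constructed witness route, kept away from the arm's singular wall (q2 = 0).
ROUTE = [(0.2 + k / (N - 1), 1.2 + 0.4 * math.sin(2 * math.pi * k / (N - 1))) for k in range(N)]

def dq_samples(amp):
    """Constructed perturbations: norm cycles 0.1*amp..amp, direction rotates."""
    return [(r * math.cos(k), r * math.sin(k)) for k in range(N) for r in [amp * (k % 10 + 1) / 10]]

def u2(amp, headroom=0.025):
    """p99 of L_J * ||dq|| over the route, divided by the sigma headroom."""
    return p99([lipschitz(q) * math.hypot(*dq) for q, dq in zip(ROUTE, dq_samples(amp))]) / headroom

def weyl_holds(amp):
    """Check sigma_min(A+E) >= sigma_min(A) - ||E||_2 at every route sample."""
    for q, dq in zip(ROUTE, dq_samples(amp)):
        a, ae = jac(q), jac((q[0] + dq[0], q[1] + dq[1]))
        if svals(ae)[1] < svals(a)[1] - svals(sub(ae, a))[0] - 1e-12:
            return False
    return True
```

With these constructed inputs a 0.005 rad perturbation amplitude leaves U₂ below 1 and a 0.02 rad amplitude pushes it above 1, while the Weyl check holds in both cases because it is a theorem, not a property of the data.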

Gap 3 — reachability under the one spare degree of freedom (the 1-D reduction)

Suppose the route is admissible (Gap 1) and robust (Gap 2). Can the live policy actually steer onto it? The live system has exactly one null direction to spend, and it currently spends it on nothing (v_n = 0). The pleasant surprise is that this gap reduces to a scalar tracking problem.

Parameterize each fiber by a coordinate φ — the angle along the self-motion circle, with the convention anchored anywhere convenient. Every route is then a scalar function φ(s), and the witness route is a known scalar reference φ_O(s). Differentiating along the mission, the fiber coordinate obeys (to first order) a one-dimensional equation of the form

dφ/dt = v_n + d(s, q),

where v_n is the self-motion velocity the policy chooses (the ghost speedometer — the quantity the current section pins to zero) and d(s, q) is a drift term: the self-motion the task itself induces as the fibers twist along the schedule. The drift is computable along the route from quantities the robot code already produces (the kernel direction and the task velocities). The pre-registrable bound is a budget check:

U₃ = p99 over the mission of |dφ_O/dt − d(s, q_O)| / v_n_max,

where v_n_max is the self-motion rate we are willing to grant the lever (it competes with the envelope and pan-centering claimants — one degree of freedom, three claimants, as the 7-DOF derivation already warns). If U₃ < 1, a simple proportional law on the fiber coordinate can track the witness route with the authority available; if not, no clever control law rescues it, because the required rate exceeds the granted rate at some point of the mission.

Why this reduction is the right first move: it converts “design a null-space posture controller” (a vague, high-dimensional task) into “track a known scalar reference with bounded rate” (a problem with a two-line stability argument). The committee question “how do you know your null-space term does not fight the task?” has a structural answer — by construction the fiber coordinate is task-invariant; v_n moves the arm only along the fiber. That is precisely what the M-orthogonal machinery (z_a, k̂) was built to guarantee, and the existing kernel-freeze logic already tells us where the fiber coordinate is well-defined (σ₆ above the freeze floor) and where it is not.
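The scalar reduction of Gap 3, as an added example that is not part of the original note or the project's code. The reference φ_O and drift d are constructed series standing in for values computed along q_O, the feedforward term and gain in the tracking law are assumptions of this example, and the names required_rate, u3 and track are hypothetical.

```python
import math

DT, N = 0.01, 6000  # constructed 60 s mission sampled at 100 Hz

# Constructed stand-ins for series computed along q_O (not logged data).
PHI_O = [0.5 * math.sin(0.4 * k * DT) for k in range(N + 1)]  # fiber reference
DRIFT = [0.1 * math.cos(0.9 * k * DT) for k in range(N)]      # d(s, q_O)

def required_rate():
    """Self-motion rate needed to stay on the witness route:
    d(phi_O)/dt - d(s, q_O), by forward difference of the sampled reference."""
    return [(PHI_O[k + 1] - PHI_O[k]) / DT - DRIFT[k] for k in range(N)]

def u3(v_n_max):
    """p99 of the required rate magnitude over the granted rate v_n_max."""
    mags = sorted(abs(r) for r in required_rate())
    return mags[min(N - 1, int(0.99 * N))] / v_n_max

def track(v_n_max, gain=2.0):
    """Integrate dphi/dt = v_n + d under a rate-clipped proportional law with
    feedforward; return the worst |phi_O - phi| seen over the mission."""
    phi, worst = PHI_O[0], 0.0
    for k, r in enumerate(required_rate()):
        v_n = r + gain * (PHI_O[k] - phi)          # feedforward + P on phi
        v_n = max(-v_n_max, min(v_n_max, v_n))     # granted-rate clip
        phi += (v_n + DRIFT[k]) * DT               # explicit Euler step
        worst = max(worst, abs(PHI_O[k + 1] - phi))
    return worst
```

Granting v_n_max = 0.5 gives U₃ < 1 and the clip never engages, so the route is tracked; granting 0.1 gives U₃ > 1 and the error accumulates wherever the required rate exceeds the clip, whatever the gain.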

5. What the criteria file should pre-register (and in what order)

bound | question it answers | data source | pass form
U₁ (admissibility) | can the actuators follow q_O at mission speed? | inverse dynamics along the logged oracle rollout | U₁ ≤ 1 with stated margin
U₂ (robustness) | can measured base error eat the σ margin? | Weyl + L_J along q_O + logged base errors | U₂ < 1 at p99
U₃ (reachability) | does one spare DOF have the rate to track φ_O? | drift + reference rate along q_O vs granted v_n_max | U₃ < 1 at p99

The order matters: each bound is cheaper than the next thing it gates, and a failure at any stage kills the lever for free. Only if all three pass does an implementation get written — and then the full-helix A/B remains the adoption gate, exactly as for every other lever. One more honest caveat for the registration: the witness route came from ONE policy (the oracle’s damped inverse). If U₁–U₃ fail for q_O, that kills this witness, not the idea — a different wall-clear route might pass. The criteria file should say which conclusion each failure licenses.

6. Where to start (reading and deriving, in order)

  1. Your own fiber/section formalism: generated_reports/math/derivation_7dof.md and the fiber, section, z_a, v_n rows of wiki/terminology.md. Gap 3 is a one-page extension of machinery you already own: you have the measuring row (z_a) and the moving direction (k̂); the new object is only the integrated coordinate φ.
  2. Weyl’s inequality for singular values — any matrix-analysis text (Horn & Johnson, Matrix Analysis, the singular-value perturbation section). You need exactly one inequality, stated above; the derivation is three lines from the variational characterization of σ_min, and re-deriving it yourself is good committee armor.
  3. The reduced dynamics objects — M_breve and C_breve in GNC/breve_controller.py (already built every step); Gap 1 is calling them along a stored trajectory.
  4. The witness route itself — rerun validation/schedule_kappa_oracle.py’s rollout with the q series saved (a five-line change, flagged so the committed calibration artifact is untouched); q_O is then a plain array on disk.
  5. For the drift term (Gap 3) — the kernel direction n̂ along q_O comes from the same SVD the oracle already computes; d(s, q) is the projection of the task-consistent joint velocity onto n̂, step by step.

7. The moral

An existence proof is not a controller — but it converts a metaphysical question (“could the 7-DOF ever avoid these walls?”) into three engineering inequalities, each computable tonight from logged data, each with a named theorem or a direct computation behind it, and each cheap to fail. The lever earns the right to be built only by passing all three; the thesis earns a tidy lemma either way, because a bounded no is as defensible as a yes.