A confident verdict is only worth what its worst error costs. For Atlas that worst error is false-safety — saying "classical is enough" when it is not. This page is the adversarial audit of that failure: how we attack it, what we measured, what we guard, and the limits we declare instead of hiding.
Atlas says CPU/cheap, but the circuit really needed a QPU or a cluster. The user trusts a wrong "don't buy" and gets a wrong answer. This is the failure that destroys trust, and the one the architecture is constrained to never make on a certified case.
Atlas over-routes (says harder than necessary). You spend more than you had to, but you do not get a wrong scientific result. Annoying, not dangerous — and on the corpus this happens 0 times.
Source: SELF_ASSESSMENT #1. The single false-safety is moat_ladder_n28_t8_s3 — a route-class boundary artifact (both methods agree the cost is ~2²⁸ ≈ 4 GB), not a "said classical when you truly need a QPU" error. Full confusion matrix on the Benchmark page §2.
The composition exists precisely to cancel each single method's blind spot. Measured on the 800-circuit slice where single-estimator baselines exist (FS = false-safety, FA = false-alarm):
| Estimator | False-safety | False-alarm | failure mode |
|---|---|---|---|
| Atlas (min-over-methods) | 1 | 0 | the composition cancels each single blind spot |
| treewidth-only | 0 | 166 | cries wolf — massively over-routes |
| MPS-only | 16 | 0 | truncation silently understates hardness |
| magic-only | 8 | 96 | both errors at once |
This is the real selling stat of multi-method routing: no single axis gets you to 1 FS / 0 FA. Truncated MPS bond is a lower bound and is never allowed to certify safety; treewidth (cotengra) is a greedy upper bound; magic via Stim is exact. Atlas surfaces these provenance facts rather than treating all axes as equal measurements.
Source: SELF_ASSESSMENT #1; COMPETITIVE.md §4. Guard logic in route_adjudicator.py (treewidth_only … failure_mode: "false_alarm"; mps_only … false_safety flag).
A deferral that keys off the predicted route is, by construction, blind to false-safety — because false-safety is Atlas not routing hard. So the guard had to be route-independent.
atlas_falsesafety.py measures evidence fragility on a cheap verdict — a trusted estimator routing harder, a small margin to the next harder threshold, reliance on an invalidated/truncated bound — gated by whether the governing estimator is exact. HIGH risk on a cheap verdict downgrades the tier to verify. The iteration was honest: the first cut over-flagged 71% of trivial CPU circuits (statevector-by-qubit-count is structurally pessimistic for n>21); gating on governing-estimator exactness fixed it.
0% over-flag on trivial CPU circuits, and the 1 known false-safety still caught (HIGH → verify). This reduces the measurable false-safety surfaced as a confident verdict — it does not conjure ground truth where none exists.
Source: SELF_ASSESSMENT #1 (atlas_falsesafety.py); AUDIT_BACKLOG (713630e: route-independent guard, 0% over-flag on trivial CPU, catches the 1 known false-safety).
An adversarial pass red-teamed the triage path itself. It found a real denial-of-service: a crafted dense circuit could make the cost routine hang (compute-bound) instead of degrading gracefully.
Finding and fix: the engine's compute-bound hang on dense n≥32 is resolved by a per-circuit wall-clock timeout that degrades, not hangs — atlas_timeout.cost_atlas_guarded (fork+kill). On the hard-regime slice: 8 resolved / 2 compute-bound / 0 hangs. The adversarial battery is a permanent regression: 0 false-security across its rounds (self-designed; ~8 vectors over 2 rounds — stated exactly, not inflated).
It is over the adversarial battery's N circuits (2 rounds, ~8 vectors), self-designed — we say exactly that, not "0 false-security, period." On the threaded web tier, fork-after-threads is unsafe, so the guarded path runs in batch/CLI and the web tier keeps an n-cap. That trade-off is declared, not hidden.
Source: benchmarks/adversarial_attack.py + adversarial_findings.json (CLAIMS C3); AUDIT_BACKLOG P1-7 (cost_atlas_guarded fork+kill, f2e4eeb+); CLAIMS C4 (guard reach-2q + killable delegation in webui.py).
An audit is only credible if it can reverse a published number against us. This one did.
An earlier session, using a "device-faithful" Aer simulator, measured a per-layer ratio κ̂ ≈ 0.40 (<1), implying hardware degrades slower than inferred — "extend the depth ceiling ~14%." Our own Porter-Thomas calibration on real metal reversed it: κ̂ = 2.62 (>1). The simulator was underestimating correlated/non-Markovian noise. The correction tightens the realistic ceiling to ≈11 layers (vs an optimistic first-order 29–49) — i.e. it moved to the conservative, safe side. We never re-introduce κ̂<1.
Source: QPU_RESULTS.md §7; DEBTS (auto-correction #10); detail on the Benchmark page §5.
Each lens and extension below was verified in-session with a reproducible command. Run with PYTHONPATH=src pixi run python <module> from physics-magnitude-lab/.
| Lens / order parameter | Module | Verification |
|---|---|---|
| 1 · magic (fold) | regime_classifier | n_T* = 2.41 (SoTA) |
| 2 · entanglement (min-cut) | idea6_mincut_lens | S ≤ min-cut in all cases (bound holds) |
| 3 · treewidth | contraction_router | 2^treewidth, interaction graph |
| 4 · operator-spread (avalanche) | avalanche_meter | predicts peak 66.283 = measured |
| 5 · non-Gaussianity (flattener) | flattener | hop+T (T=800) → 2³²⁰ → 2 ms |
| 6 · central charge | idea1_critical_lens | c → 0.5 (Ising), Calabrese-Cardy |
| 7 · negativity / sign | idea14_negativity_lens | control κ_sign = 0.000 / diamond 0.641 |
Full ledger (lenses + 5-idea extensions + 8 pieces, each with module and verified number, plus the named honesty limits) in AUDIT_LEDGER.md. Reproducible images: phase_diagram.png, invasion_percolation.png, sandpile.png.
| Limit | Status |
|---|---|
| External audited benchmark | CONCEDED — the #1 credibility gap. The corpus and oracle are self-generated; the conformal guarantee is honest given the corpus, but no third party has audited the oracle or the families. |
| Hard (ESCALATE) regime | Unmeasurable by construction — 0 of 2,517 certified there (the BQP≠BPP wall). False-safety there is reduced, not proven absent. |
| Corpus diversity | 2,517 variants, not 2,517 independent structural families; exchangeability assumed, not proven. |
| Transpiler / SWAP overhead | Not in the cost metric — Atlas costs the logical circuit (known limitation, not a strength). |
| Noise model | UI slider is a toy-global envelope; the measured per-edge model lives in noise_local_validation but is not yet wired to the interactive panel. |
| False-safety in hard hardware | A genuinely hard circuit will not run with fidelity either → the judge is the classical guard (validated 0/5), not the QPU. |
Source: SELF_ASSESSMENT (limits table); DEBTS.md (P2/P3 + "fundamental limitations — not debt"); COMPETITIVE.md §4. The rule is constant: declare the ignorance, do not hide it.