diff --git a/docs/echo-types/paper.adoc b/docs/echo-types/paper.adoc index c786ca6..ebfd3ec 100644 --- a/docs/echo-types/paper.adoc +++ b/docs/echo-types/paper.adoc @@ -10,11 +10,12 @@ *STATUS: living draft, not for submission.* Written 2026-05-17 while the formal result is fresh, so the narrative is captured at full strength now. Sections tagged *[EXPAND]* are deliberate stubs to be -filled as more context accrues (broader worked examples, deeper -related-work comparison, the ordinal/Buchholz consumer-evidence -appendix, an evaluation section). Do not submit until the *[EXPAND]* -tags are cleared and the venue/template are chosen (Pillar E logistics -are offline/author-driven). The TYPES extended abstract +filled as more context accrues; only the ordinal/Buchholz +consumer-evidence appendix remains, and is gated on the ordinal +track reaching Bachmann–Howard (see <>). Do not +submit until that tag clears and the venue/template are chosen +(Pillar E logistics are offline/author-driven). The TYPES extended +abstract (`types-abstract.adoc`) is the short, already-submission-ready companion; this is the full CPP/ITP-style mechanised-metatheory paper it grows into. @@ -542,16 +543,236 @@ present "funext-free" as a feature. We still argue the gate / retraction discipline is a contribution — and this very reframing, logged in `docs/retractions.adoc`, is the discipline working. -== Evaluation and discussion [EXPAND] +== Evaluation and discussion -NOTE: *[EXPAND]* — proof-size / proof-cost table per pillar; the -common-upper-bound idiom analysed honestly (it removes `subst` -*because* the equations carry no comonadic coherence, not as a clever -saving); a discussion of where the construction does *not* extend -(the EI-2 negative result; the funext-relative mediator property; the -thinness-only content) stated as honest bounds, *not* spun as -strengths; threats to validity, including the Gate-2 audit's own -"single recipe" finding. +This section reports proof size and the load-bearing cost of each +pillar, then discusses three honest bounds on the construction and +the threats to validity carried over from the Gate-2 audit. The +posture throughout is the one the retraction note (<>; +`docs/retractions.adoc` R-2026-05-18) committed to: claim the +mechanised strength, neither less nor more. + +=== Proof size per pillar + +The four pillars together occupy ~930 lines across six modules, with +zero postulates and three `rewrite` sites (one in the foundational +`degrade-compose`; one in its `rel-model` lift; one in +`EchoGraded` proper). The single `subst` site that appears in +`EchoPullback.agda` is in the *definitional shape* of the +`IsMediator` record's `coherent` field — the +`subst (λ a → f a ≡ y) (factor v) (proj₂ (m v)) ≡ square c v` +equation that any mediator must witness — and not a transport +inserted to make a proof go through. + +[cols="1,3,1,1,1,1", options="header"] +|=== +| Pillar | Module | LOC | Top decls | `subst`/`rewrite` (code) | Postulates + +| A +| `EchoFiberBridge.agda` +| 56 +| `fiber`, `echo→fib`, `fib→echo`, `echo↔fib` +| 0 / 0 +| 0 + +| B (pullback) +| `EchoPullback.agda` +| 143 +| `EchoCone`, `echo-cone`, `IsMediator`, `echo-pullback-univ`, plus the cone↔SliceHom bridge +| 1 / 0 (the lone `subst` is in `IsMediator.coherent`'s *shape*, not in a proof body) +| 0 + +| B (graded comonad) +| `EchoGradedComonad.agda` +| 159 +| `gextract`, `gduplicate`, `gcomonad-counit-l`, `gcomonad-counit-r`, `gcomonad-coassoc` +| 0 / 0 +| 0 + +| B (graded foundation) +| `EchoGraded.agda` +| 169 +| `Grade`, `_≤g_`, `≤g-prop`, `_⊔g_`, `GEcho`, `degrade`, `degrade-comp`, `degrade-compose`, `degrade-via-join`, plus the ⊔ universal-property trio +| 0 / 1 (`degrade-compose` rewrites by `≤g-prop`) +| 0 + +| C +| `EchoSeparating.agda` +| 139 +| `Sep`, `s₀`, `s₁`, `sep-order-not-prop`, `SepGEcho`, `sep-map-over-{id,comp}`, `SepDegradeCompose`, `sep-degrade-compose-fails` +| 0 / 0 +| 0 + +| D +| `EchoRelModel.agda` +| 261 +| `GradedLossModel`, `GCLaws`, `set-model`, `rel-model`, `model-agreement`, `bridge-natural` +| 0 / 1 +| 0 +|=== + +The two F-2026-05-18a earn-back modules (`EchoPullbackUnivF4.agda` +for the funext-conditional terminal-cone property, and +`EchoStepNDModelF2.agda` for the second model of the *bare* Echo +functor) ride the same budget: each typechecks `--safe --without-K` +with zero postulates, the funext dependency in F4 is a module +parameter rather than a postulate, and both are pinned in `Smoke.agda`. + +What this table is, and what it is not. It is a fingerprint of the +mechanised content — useful for a reader who wants to see, before +reading any proof, that the trusted base is small (zero postulates, +one definitional `subst`, three uses of `rewrite`). It is *not* a +claim of being "small relative to" any comparator; we know of no +fair comparator in the graded-modal literature and decline to +manufacture one. + +=== The common-upper-bound idiom, honestly + +The three graded coherence equations (`gcomonad-counit-l`, +`gcomonad-counit-r`, `gcomonad-coassoc`) are each phrased so that +both sides land in the *same* `GEcho g'` for a free common bound +`g'`, post-composed by an arbitrary degrade into `g'`. In that +phrasing, every proof reduces to two calls of `degrade-compose` +chained through one application of `≤g-prop`, with no `subst` +anywhere. The full coassociativity proof is 17 lines of +`≡-Reasoning` (`EchoGradedComonad.agda`:135–158); each counit proof +is two lines (`:112–113`, `:122–123`). + +It is tempting — and earlier drafts of this paper did — to read this +as a clever encoding trick that saves transport. That reading is +wrong, and the honest reading is uncomfortable. + +The naive grade-equality phrasing of coassociativity would compare +`GEcho ((g₁⊔g₂)⊔g₃)` with `GEcho (g₁⊔(g₂⊔g₃))`, forcing a +`subst GEcho (⊔g-assoc …)` to make the two sides typecheck against +one another. That `subst` then has to be coherent with the comonadic +laws — i.e. one would have to prove that `degrade` commutes with the +transport, that the transport is functorial along `_⊔g_`, and that +the resulting square serialises into the pentagon. All of that is +what a genuine graded comonad in the Petriček–Orchard–Mycroft sense +would carry: a nested family `D_{r·s} ⇒ D_r D_s` whose coherence +*is* the pentagon and triangle of a categorical comonad object. + +The common-upper-bound idiom removes those obligations because there +is no such nested family to be coherent about. `EchoGradedComonad` +does not exhibit a graded comonad in that sense — that claim was +retracted on 2026-05-18 — and the coherence content is exactly +*thinness of the order* (`≤g-prop`) propagated by a single +path-independence lemma (`degrade-compose`). The proofs are short +because the structure they discharge is thin, not because the +encoding is clever. Said sharply: in a hypothetical setting where +`_≤g_` had non-trivial path content, the common-upper-bound idiom +would not save us; we would have to track the path data, and the +mechanisation would look like the literature's graded-comonad +mechanisations rather than like ours. + +The separating model (`EchoSeparating.agda`) is the operational +witness for this reading. It is `EchoGraded` minus `≤g-prop`; every +generic Σ-functoriality law (`sep-map-over-id`, `sep-map-over-comp`, +the functorial-unit triad) still holds by the same definitional +collapse, and `sep-degrade-compose-fails` exhibits a checked +`true ≢ false` refutation of `SepDegradeCompose`. The single +two-line refutation `sep-degrade-compose-fails law = true≢false (law +rfl-lo s₀ s₁ true)` measures exactly the cost of removing +propositionality of the order: one degenerate composition pair +disagrees. That is the only content there is to remove `subst` from +in the first place. + +=== Where the construction does *not* extend + +Three boundaries are mechanised, and we state them as bounds rather +than as features re-spun. + +==== The five-axis simultaneous-integration claim (EI-2) is settled negatively + +Gate-2's identity claim that the five axes (loss, role, linearity, +indexing, modality) integrate *simultaneously* in a non-trivial way +was killed by an explicit falsifier (the `IntegrationAudit.agda` +counterexample family; see `docs/integration-audit.adoc` and +`docs/retractions.adoc` R-2026-04 for the negative-result entry). +The four "characteristic" survivors integrate pairwise at most. This +is recorded as a falsifiable-gate negative, not as a "future work" +deferral; reopening it requires producing a witness that the audit's +falsifier rules out, and we know of none. + +==== The mediator property is funext-relative + +`echo-pullback-univ` discharges *pointwise* uniqueness `∀ v → m' v ≡ +m v` and nothing more (`EchoPullback.agda`:131–143). The +unconditional terminal-cone equality `m' ≡ m` is unstatable in +`--safe --without-K` without funext, and so it is not stated. The +F-2026-05-18a earn-back at `EchoPullbackUnivF4.agda` recovers the +terminal-cone equality *conditionally on an explicit `funext` module +parameter* — never a postulate, and never silently — and is exactly +as strong as that conditional form. The retraction stands for the +unconditional claim. + +==== The content is thinness of the order, full stop + +The coherence equations collapse to `degrade-compose` + `≤g-prop`; +the separating model shows that over generic Σ-functoriality, the +only load-bearing hypothesis is `≤g-prop`. The `GradedLossModel` +interface bakes `⊑-prop` in as a field, and both `set-model` and +`rel-model` fix the *same* grade poset (the second is the first +`× ⊤`, agreeing by `refl`). This is carrier-parametricity over a +fixed thin poset, not semantic model-independence — and was +retracted under that earlier framing. A category theorist reading +this paper should expect the strength of a thin Grothendieck +fibration with a propositional order, not the strength of a graded +comonad in a non-thin lattice. + +=== Threats to validity + +==== The Gate-2 "single recipe" finding + +The Gate-2 handoff (`docs/gate-2-handoff.adoc` Observation G) records +that all four (and the candidate fifth, `RoleGraded`) Gate-2 +"characteristic" survivors instantiate the same recipe: a custom +propositional decoration order on a finite type, an echo-indexed +family whose carrier varies per decoration, and a transport action +along the order. The recipe is useful as organising vocabulary, and +we treat it as such; what it does *not* do is independently +corroborate the modality across decorations — the four instances +are not four independent witnesses, they are one structural pattern +applied four times. Cross-axis distinctness arguments +(`docs/gate-1-handoff.adoc`) supply the per-decoration independence +the recipe itself cannot. Anyone reading the four-instance +table in §"Worked examples" as a robustness check should weaken that +reading accordingly. + +==== Sample-size on consumer evidence + +The two consumer-evidence streams (`absolute-zero` for compute-side +identity programs; the planned Buchholz ordinal-notation track) are +each *one* downstream; the ordinal track is gated on reaching +Bachmann–Howard and is not yet in scope (see <>). +A failure mode of this paper would be over-reading either as +external validation of the *thesis*; both are validations of +particular technical bridges (the Echo–CNO bridge and the eventual +Echo–`<ᵇ` bridge respectively), and not of "Echo as a recognised +modality" in the field. + +==== Conservativity is evidence, not a theorem + +`docs/echo-types/conservativity.adoc` was retracted from +"metatheorem" framing on 2026-05-18. The postulate-free `--safe +--without-K` build plus the definitional Σ-identity are *evidence +for* conservativity over MLTT+Σ, in the same sense any +typechecking artefact is evidence for the propositions whose proofs +it carries — they are not, and are not claimed to be, a discharged +metatheorem over all propositions. Anyone citing this paper as +"echo is conservative over MLTT+Σ" is citing more than the +mechanisation discharges. + +==== Audit re-runs and gate discipline + +The reframing on 2026-05-18 was triggered by an adversarial-review +re-run of Gate-2. The retraction log is append-only; a *future* +re-run could surface a further finding, and the gate discipline +commits us to recording it the same way. This is presented as a +methodological strength only to the extent that the discipline +*succeeds in catching* mis-claims; a reader is entitled to treat +the existence of one retraction as licence to suspect another. == Related work @@ -977,6 +1198,7 @@ falsifiable retraction discipline — of which this reframing is an instance. External validation is the remaining step. [appendix] +[#ordinal-appendix] == Ordinal / Buchholz consumer-evidence [EXPAND] NOTE: *[EXPAND]* — the ordinal-notation / Buchholz collapsing track