fix(coq): preservation 29 → 22 open goals via universal-IH + atomic closers#106
Merged
hyperpolymath merged 2 commits intoMay 20, 2026
Merged
Conversation
…closers Builds on PR #102's 910 -> 29 reduction. Closes 7 more residuals (29 -> 22) via two structural fixes: ## 1. Universal-IH revert (closes 6 congruence-case goals) PR #102's `remember (mu, R, e) as cfg` discharged cross-cases but left congruence-case IHs unusable — they inherited the OUTER cfg equation (`(mu_inner, R_inner, e_inner) = (mu, R, EOuter ...)`, inconsistent in general). Fix: `revert mu R e mu' R' e' Hcfg Hcfg'` before `induction Hstep`. Each case's IH now carries clean universal quantification over the inner step's config: IHHstep : forall mu R e mu' R' e', (?mu_in, ?R_in, ?e_in) = (mu, R, e) -> (?mu_out, ?R_out, ?e_out) = (mu', R', e') -> forall G T G', R; G |- e : T -| G' -> exists G_out, R'; G |- e' : T -| G_out The 6 congruence cases closed by this universal IH are the ones whose sibling typing premises are already at the post-step region R' (no region/context bridging needed). ## 2. Per-class closing tactics (closes 1 axiom-case goal) Added 6 `all: try solve [...]` blocks after the existing chain, each targeting one residual class per PRESERVATION-HANDOFF.md: - T_Loc inversion for S_StringConcat axiom (closed 1 goal) - T_StringNew / T_Loc / T_I32 / T_Unit / T_Pair direct - subst_preserves_typing for beta-reductions - Universal-IH pattern for congruence The first 5 target classes contribute no closures empirically (those cases were already closed by PR #102's `try solve` chain once the cross-cases got discriminated). The closures come from the universal-IH block + the T_Loc inversion for the axiom case. ## Remaining 22 goals All need additional metatheoretic lemmas: - **Sibling typing under post-step region**: for S_X_Step1 congruence cases, the unstepped sibling expression is typed under R but the reconstructed compound needs it under R'. Requires a "step preserves R unless inner expression is region-touching" lemma, plus a region-invariance application. - **Context bridging**: same congruence cases also need the sibling's typing context (G') to bridge to the new context (G_inner from IH). Needs a "step preserves linearity tracking on siblings" lemma — substantial. - **EBorrow inversion for S_StringLen_Step**: typing premise wraps `EBorrow e` not `e` directly; needs an extra inversion step before IH application. - **S_Region_Step + T_Region_Active**: the documented language- design blocker — region-env *weakening* lemma for non-values. Per PRESERVATION-HANDOFF.md these are 1-2 days of tactic work plus the region-weakening lemma (~50-150 LOC). The Admitted stays on `preservation`; supporting lemmas already Qed. Refs standards#124, ephapax#102, ephapax#104. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
deleted the
proof-debt/ephapax-preservation-close-29-existentials
branch
This was referenced May 20, 2026
hyperpolymath
added a commit
that referenced
this pull request
May 21, 2026
…ofs (#116) ## Summary **Preservation existential count: 22 → 12** (10 goals closed). Builds on the region-invariance lemma `step_R_eq_or_touches_region` (PR #114) by adding per-step-constructor manual proof scripts inside `Theorem preservation`. ## Closed (10 step constructors) | Constructor | Closure technique | |---|---| | `S_Let_Val`, `S_LetLin_Val` | β-reduction via `subst_preserves_typing` + `value_context_unchanged` | | `S_App_Fun` | Inversion of `ELam` typing + value-context invariance on arg | | `S_If_True`, `S_If_False` | Branch typing under `VBool`'s unchanged-ctx via `value_context_unchanged` | | `S_Fst`, `S_Snd` | `EPair` inversion → child typing match | | `S_Case_Inl`, `S_Case_Inr` | `EInl` / `EInr` typing inversion + body substitution | | `S_Copy` | `T_Pair` on non-linear value with equal pre/post context | ## Open (12 remaining) **11 congruence cases** (`S_StringConcat_Step1/2`, `S_StringLen_Step`, `S_Let_Step`, `S_LetLin_Step`, `S_App_Step1/2`, `S_If_Step`, `S_Pair_Step1/2`, `S_Case_Step`). Root cause: the **linearity-context drift** I diagnosed earlier — even after `step_R_eq_or_touches_region` puts us in the `R = R'` branch, the IH's output context (a Skolem variable from `edestruct`) doesn't unify with the sibling premise's pre-context. So `eapply T_Foo; [exact Hout | exact Hsibling]` fails on the middle-context unification. The tactic-block scaffolding for these 11 cases is in place (poses `step_R_eq_or_touches_region`, dispatches the LEFT branch, specialises `IHHstep`), with the final reconstruction silently failing — they fall through to `Admitted`. The right next step is **lemma B**: a "step preserves output linearity context" or context-transfer re-typing via the existing `typing_ctx_transfer`/`type_determinacy` machinery. **1 region case** (`S_Region_Step` + `T_Region_Active`): the documented language-design blocker — region-env weakening for non-values. Tracked in `formal/PRESERVATION-HANDOFF.md`. ## Verification ``` $ coqc -Q . Ephapax Semantics.v (builds clean; Admitted preservation now at 12 existentials) ``` ## Refs - `standards#124` (proof-debt audit epic) - `ephapax#102` (910 → 29 via remember-cfg) - `ephapax#106` (29 → 22 via universal-IH revert) - `ephapax#114` (region-invariance lemma — used here) ## Cumulative | State | Open goals | |---|---:| | Pre-#102 | 910 | | Post-#102 | 29 | | Post-#106 | 22 | | **Post this PR** | **12** | 98.7% reduction across the day from start of campaign. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
May 21, 2026
…122) Closure sweep after PR #116 took preservation from 22 → 12 open goals and PR #121 landed Phase 1 scaffold. Updates the preservation-count claims across docs to reflect 12, and adds a CHANGELOG entry summarising the full 2026-05-20 → 2026-05-21 reduction campaign. ## Files updated | File | What changed | |---|---| | `README.adoc` | Coq formal-foundations paragraph; reduction chain now lists all 8 PRs through #121; clear pointer to ROADMAP closure plan | | `ROADMAP.adoc` | Formal-proof status table row (`12 open goals`); v0.1 blocker entry; v1.0 status; 97.6% → 98.7% reduction figure | | `EXPLAINME.adoc` | Coq theorem table; reduction-story bullets extended through #114, #116, #121 | | `CHANGELOG.md` | New "Proof state" + "Documentation" sections under `[Unreleased]` tracking the full PR chain (#92, #102, #104, #106, #114, #115, #116, #117, #121) + the Idris2 totality campaign (#89–#100) + doc/wiki refresh (#113 + wiki) | ## Companion wiki update `Home.md`, `Proof-status.md`, `What-can-go-wrong.md` updated in the wiki repo with the same 22 → 12 figures + extended reduction story. Pushed separately to wiki master. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Builds on PR #102 (910 → 29 reduction). Closes 7 more residuals via two structural fixes.
1. Universal-IH revert (closes 6 congruence-case goals)
PR #102's
remember (mu, R, e) as cfgdischarged cross-cases but left congruence-case IHs unusable — they inherited the OUTER cfg equation:which is inconsistent in general (the inner expression is not the outer compound). Fix:
revert mu R e mu' R' e' Hcfg Hcfg'beforeinduction Hstep. Each case's IH now carries clean universal quantification:IHHstep : forall mu R e mu' R' e', (?mu_in, ?R_in, ?e_in) = (mu, R, e) -> (?mu_out, ?R_out, ?e_out) = (mu', R', e') -> forall G T G', R; G |- e : T -| G' -> exists G_out, R'; G |- e' : T -| G_outThe 6 congruence cases closed by this are the ones whose sibling typing premises don't need region/context bridging.
2. Per-class closing tactics (closes 1 axiom-case goal)
The new T_Loc inversion tactic handles
S_StringConcat's "type mismatch: result isELoc l' rbut goal asksTString r0" — inverting the siblingELoc l1 rtyping yieldsr0 = r, then T_Loc applies.Added 5 more atomic closers (T_StringNew, T_I32, T_Unit, T_Pair, subst_preserves_typing) — these are pre-emptive for cases the existing chain may not have hit, but empirically contributed 0 closures in this PR's diff.
Remaining 22 goals
All need additional metatheoretic lemmas:
Sibling typing under post-step region: for
S_X_Step1congruence cases, the unstepped sibling expression is typed under R but the reconstructed compound needs it under R'. Needs a "step preserves R unless inner expression is region-touching" lemma + a region-invariance application.Context bridging: same congruence cases also need the sibling's typing context (G') to bridge to the new context (G_inner from IH). Needs a "step preserves linearity tracking on siblings" lemma — substantial.
EBorrow inversion for
S_StringLen_Step: typing premise wrapsEBorrow e, notedirectly; needs an extra inversion step before IH application.S_Region_Step + T_Region_Active: the documented language-design blocker — needs a region-env weakening lemma for non-values (~50–150 LOC by itself).Per
formal/PRESERVATION-HANDOFF.mdthese are 1–2 days of tactic work plus the region-weakening lemma. TheAdmitted.stays onpreservation; supporting lemmas already Qed.Verification
Refs
standards#124(proof-debt audit epic)ephapax#102(910 → 29 reduction)ephapax#104(PROOF STATUS docs correction)Test plan
coqc -Q . Ephapax Semantics.vbuilds cleanShow Existentials.before Admitted reports 22 (down from 29 on main)Qed.-proven lemmas added; no proof-engineering shortcuts viaassert/admit🤖 Generated with Claude Code