docs: Phase 3b 4-stage staged resolution plan (#235 → #239 / #240 / #241 / #242)#237
Merged
Merged
Conversation
hyperpolymath
force-pushed
the
proof-debt/phase-3b-design-gap-finding
branch
from
d8de922 to
1fcaaf9
Compare
hyperpolymath
changed the title
hyperpolymath
changed the title
…DE.md DO #4 (closes nothing, files #235) Pre-implementation review of Phase 3b's option (a) precondition (forall r, In r (regions_introduced_by e) -> In r R_in_v) found it INSUFFICIENT to discharge T_Lam_L1_*_Eff body cases of the planned subst_typing_gen_l1_m_tfuneff lemma. Why: the substitution lemma recurses into inner lambda bodies (Phase 2 does so via the IH at formal/Semantics_L1.v:1929-1942). Inner T_Lam_L1_*_Eff bodies type at the lambda's declared R_in_inner. R_in is type-level — it lives in the TFunEff slot of the function's TYPE, not in syntax. `regions_introduced_by(e)` only collects ERegion subterms' first arguments; R_in_inner is invisible to it. `tfuneff_lambda_retype_l1_m` (PR #224) requires R' ⊆ R_in_v to discharge T_Lam_L1_*_Eff's side condition. We have no way to bound inner R_in by R_in_v. Phase 2's `subst_typing_gen_l1_m_ground_nonlinear` dodges this via `ground_nonlinear_retype_l1_m`, which is fully (m, R, G)-polymorphic. Phase 3b's TFunEff retype has no analogous escape. Three resolution options documented: 1. Syntactic helper `declared_lambda_r_ins` — requires ELam annotation extension (parameter type only in current syntax). 2. Semantic precondition over the derivation — clean meaning, awkward in Coq. 3. Leaf-only Phase 3b via `tfuneff_lambda_free e` predicate — tactical landing; Phase 5 compound-value redesign subsumes (1)/(2) at leisure. Recommended: option (3). Owner decision required before Phase 3b implementation can start. This PR contains documentation only: - formal/SUBST-LEMMA-GENERALIZATION-DESIGN.md gains a Phase 3b addendum documenting the gap and three resolution options. - .machine_readable/6a2/STATE.a2ml flips phase to `blocked-on-owner-decision` with next_action pointing at #235. No formal/*.v changes. Predecessor PRs unaffected: - Phase 4a (#228) MERGED. - Phase 4b (parallel session, #233) MERGED. - Phase 4c counterexample (#234) auto-merge pending. Phase 4c's `Counterexample_L2.v` independently justifies the conditional preservation_l2 statement regardless of which Phase 3b resolution lands. Per CLAUDE.md owner directive §DO #4 (escalate before patching): this PR IS the escalation. Owner-directive compliance: - No Semantics.v / Typing.v / Counterexample.v touch - No new Axiom / Admitted markers - No closure of residual Semantics_L1.v admits - No sibling-region-disjointness side conditions - No proposal to close `Theorem preservation` to Qed. Refs: #225 (Phase 3b parking lot), #230 (regions_introduced_by helper), #233 (Phase 4b), #234 (Phase 4c counterexample), Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…edes 3-options framing) Owner-approved 2026-05-30 PM. Captures all three "Interesting" values from the option-1/2/3 analysis without committing to any single option's downsides. | Stage | Issue | Scope | |---|---|---| | Stage 1 — IMMEDIATE | #239 | Leaf-only Phase 3b via tfuneff_lambda_free + Counterexample_L2_nested.v + 2-condition preservation_l2. | | Stage 2 — parallel L4 track | #240 | ELam T_param R_in R_out body annotation extension. | | Stage 3 — post-Stage-2 | #241 | Relaxed Phase 3b via declared_lambda_r_ins + CPS proof style. Nested-condition collapses. | | Stage 4 — Phase 5 | #242 | Compound non-linear + region-substitution machinery + UNCONDITIONAL preservation_l2. | Stage 1 green-lit, ships next session. Stages 2-4 tracked but not actioned. Stage 3 blocked on Stage 2; Stage 4 blocked on Stage 3; Stage 2 independent of Stage 1. Why staging beats single-option commitments: - (1) alone forces AST migration before unblocking preservation_l2. - (2) alone introduces inductive-over-derivations with no other use. - (3) alone ends with conditional preservation_l2 forever. The staged plan harvests: - (3)'s tactical landing + honest 2-condition statement at Stage 1. - (1)'s L4 alignment when L4 is ready at Stage 2. - (2)'s higher-order proof style at exactly the point CPS is necessary (Stage 3) — not over-engineered before. - (4)'s region-substitution machinery as the natural sum. Stage 1's 2-condition statement is delivered correctness, not a placeholder. Each condition has a mechanised counterexample (Counterexample_L2.v for fresh-region gap, new Counterexample_L2_nested.v for nested-lambda gap). This PR contains documentation only: - formal/SUBST-LEMMA-GENERALIZATION-DESIGN.md gains a Phase 3b resolution addendum (the 4-stage plan superseding 3-options). - .machine_readable/6a2/STATE.a2ml flips phase back to `implementation`; next_action points at Stage 1 (#239). No formal/*.v changes in this PR. Owner-directive compliance (across all 4 stages): - No Semantics.v / Typing.v / Counterexample.v (legacy) touch - No Axiom / Admitted markers - No closure of residual Semantics_L1.v admits — strictly NEW infrastructure under the four-layer redesign - Per-layer derivation: preservation_l2 closes via L2 infra; legacy preservation remains Admitted (PROVABLY FALSE) per 2026-05-27 directive Refs: #235 (parent finding), #239 (Stage 1), #240 (Stage 2), #241 (Stage 3), #242 (Stage 4). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
force-pushed
the
proof-debt/phase-3b-design-gap-finding
branch
from
2512860 to
724abf3
Compare
hyperpolymath
changed the title
🔍 Hypatia Security ScanFindings: 75 issues detected
View findings[
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in abi-verify.yml",
"type": "missing_timeout_minutes",
"file": "abi-verify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in coq-build.yml",
"type": "missing_timeout_minutes",
"file": "coq-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in governance.yml",
"type": "missing_timeout_minutes",
"file": "governance.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in hypatia-scan.yml",
"type": "missing_timeout_minutes",
"file": "hypatia-scan.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in instant-sync.yml",
"type": "missing_timeout_minutes",
"file": "instant-sync.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_timeout_minutes",
"file": "mirror.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in rust-ci.yml",
"type": "missing_timeout_minutes",
"file": "rust-ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase D slice 4 Phase 3b — design-gap finding (#235) + 4-stage staged resolution plan owner-approved 2026-05-30 PM. Stages tracked at #239 / #240 / #241 / #242.
No
formal/*.vchanges. No CI changes (the parallel-session PR #236 owns the Coq EACCES fix).4-stage staged resolution plan
The original three-option framing in #235 is superseded by a staged plan that captures all three "Interesting" values without committing to any single option's downsides.
tfuneff_lambda_free+Counterexample_L2_nested.v+ 2-conditionpreservation_l2.ELam T_param R_in R_out bodyannotation extension. AST + typing rule + cascading.declared_lambda_r_ins ⊆ R_in_v+ CPS v-typing argument. Nested-condition collapses.preservation_l2.Why staging beats single-option commitments
The staged plan: (3) ships today's value at Stage 1, (1) lands L4's value at L4's timeline (Stage 2), (2)'s value is harvested at exactly the point CPS is necessary not over-engineered (Stage 3), (4) reaches unconditional preservation_l2 as the natural sum.
Stage 1's correctness is delivered, not provisional
Each of the 2 conditions on Stage 1's
preservation_l2has a mechanised counterexample:Counterexample_L2.v(already on main, PR docs+test: Phase D slice 4 Phase 4c — mechanised soundness-gap counterexample for TFunEff β #234) — fresh-region gap.Counterexample_L2_nested.v(new in Stage 1) — nested-lambda gap.Programs outside the conditional form a precisely-documented soundness class.
Sequencing
Changes
formal/SUBST-LEMMA-GENERALIZATION-DESIGN.md— Phase 3b addendum (gap finding + 3-options framing) + Phase 3b resolution addendum (4-stage staged plan)..machine_readable/6a2/STATE.a2ml— phase =implementation; next_action = Stage 1 (Phase 3b Stage 1: leaf-only substitution lemma + 2-condition preservation_l2 + Counterexample_L2_nested #239) implementation.No
formal/*.vchanges; Coqc 8.18.0 unaffected.Predecessor PRs
preservation_l2_app_eff_beta_linear+ hotfix duplicatetfuneff_lambda_retype_l1_m#228) MERGED —preservation_l2_app_eff_beta_linear.preservation_l2_app_eff_beta_ground_nonlinear_l1.Counterexample_L2.v3-Qed soundness-gap witness.Owner-directive compliance (across all 4 stages)
Semantics.v/Typing.v/Counterexample.v(legacy) touch.Axiom/Admittedmarkers.Semantics_L1.vadmits — strictly NEW infrastructure under the four-layer redesign.Test plan
Refs: #225 (Phase 3b parking lot), #230 (
regions_introduced_by), #233 (Phase 4b), #234 (Phase 4c), #235 (parent finding), #236 (parallel Coq EACCES fix), #239 (Stage 1), #240 (Stage 2), #241 (Stage 3), #242 (Stage 4).🤖 Generated with Claude Code