Skip to content

proof: total bodies for VerifierSpecAgreement + SourceVerifierAgreement (items 7 + 8)#79

Merged
hyperpolymath merged 1 commit into
mainfrom
proof/verifier-spec-agreement-bodies
May 27, 2026
Merged

proof: total bodies for VerifierSpecAgreement + SourceVerifierAgreement (items 7 + 8)#79
hyperpolymath merged 1 commit into
mainfrom
proof/verifier-spec-agreement-bodies

Conversation

@hyperpolymath
Copy link
Copy Markdown
Owner

@hyperpolymath hyperpolymath commented May 27, 2026

Summary

Closes the multi-week residual flagged by PR #74's design-pass: the two agreement records introduced by PR #72 (VerifierSpecAgreement, SourceVerifierAgreement) now have concrete inhabitants with totally proven bodies in every direction. Zero believe_me, zero postulate, %default total preserved.

This is an alternative-design PR to the stacked chain #72#74. It does not depend on either landing; it builds straight off main with a single new module (src/abi/TypedWasm/ABI/VerifierSpec.idr).

Design choice that unblocks the full bodies

VADifferential / SADifferential now carry the structural witness the differential harness attested — packaged inline via an embedded TrustedFixture m:

data VerifierAccepts : ModuleSummary -> Type where
  VAStructural   : FunctionsAccepted m.functions -> VerifierAccepts m
  VADifferential : (fixture : TrustedFixture m)  -> VerifierAccepts m

record TrustedFixture (m : ModuleSummary) where
  constructor MkTrustedFixture
  trustedFixtureName : String
  trustedFixtureId   : Nat
  trustedWitness     : FunctionsAccepted m.functions

differentialAccepted :
     (fixtureName : String) -> (fixtureId : Nat)
  -> FunctionsAccepted m.functions
  -> VerifierAccepts m

The trust-injection moment is exactly the act of constructing one — fixture name + id never travel without the structural witness the harness's accept-verdict establishes. Every MkTrustedFixture is a single grep point for audit.

Consequence: all four agreement lemmas become total by case analysis. Both VAStructural and VADifferential surface a FunctionsAccepted m.functions payload that wraps directly into SpecAccepts; the spec-to-verifier direction lifts via VAStructural; source ↔ verifier mirror the same pattern.

verifierIsSound : (m : ModuleSummary) -> VerifierAccepts m -> SpecAccepts m
verifierIsSound _ (VAStructural   fa) = MkSpecAccepts fa
verifierIsSound _ (VADifferential tf) = trustedToSpec tf

verifierIsComplete : (m : ModuleSummary) -> SpecAccepts m -> VerifierAccepts m
verifierIsComplete _ (MkSpecAccepts fa) = VAStructural fa

Comparison with PR #74 (Maybe-returning bridges)

PR #74 keeps VADifferential opaque (string + nat only) and exposes Maybe-returning bridges plus a closed-world RegisteredFixture GADT. Soundness/completeness for the unparameterised agreement records remain unprovable in that design — explicitly noted in #74 as "multi-week residual".

This PR refactors the data type instead. The audit story is preserved (every MkTrustedFixture is a single grep point), but the agreement records cease to be obligations and become inhabited records like any other.

The two designs are mutually exclusive at the data-type level (VADifferential's payload differs). If both PRs are wanted in evolved form, #74's RegisteredFixture machinery composes cleanly on top of this PR's witness-carrying ctors as a tighter audit layer.

What's in the module

Single file (~620 LOC, zero banned patterns):

  • OwnershipIntent / FunctionSummary / ModuleSummary — shared spec surface
  • TokenFresh / IntentsLinearAcceptable / FunctionsAccepted — structural acceptance predicates the three sides share at L7+L10
  • TrustedFixture m — packaged differential-harness attestation
  • SpecAccepts / VerifierAccepts / SourceAccepts — three predicates; the latter two have a *Differential ctor carrying a TrustedFixture
  • differentialAccepted / sourceAccepted — smart constructors that thread the structural witness through
  • trustedToSpec / trustedToVerifier / trustedToSource — projections
  • The four agreement lemmas, total bodies: verifierIsSound, verifierIsComplete, sourceImpliesVerifier, verifierImpliesSource
  • record VerifierSpecAgreement / record SourceVerifierAgreement — record shapes match PR proof: A10 + A11 + A12 — close 2 named + 6 untracked proof-debt items (19 theorems, 50/50 regression) #72
  • verifierSpecAgreement / sourceVerifierAgreement — concrete inhabitants, the first total no-believe_me such values in the codebase
  • sourceImpliesSpec / specImpliesSource + *Concrete specialisations — end-to-end composition lemmas
  • Concrete instances: empty module, allocFreeModule, plus fixtureCleanLinearConsumerModule mirrored from cross_compat row 1 — exercises the differential path end-to-end through the agreement record
  • Discrimination: notSpecAcceptsBadDoubleConsume, notVerifierAcceptsBadDoubleConsume (both ctors), notSourceAcceptsBadDoubleConsume (both ctors), notSpecAcceptsBadDoubleProduce — show L10 has teeth and the differential escape hatch can't smuggle a bad module past the verifier

Regression

tests/proof/regression.mjs gains 33 Layer 1 grep assertions covering every new top-level name (data ctors, lemmas, records, concrete witnesses, discrimination proofs). Layer 2 (Idris2 --build of the ipkg) verified locally.

While here, fixed a pre-existing latent bug: Layer 2 invoked idris2 --check typed-wasm.ipkg, which the Idris2 0.8.0 CLI rejects (--check takes a single .idr path, not an ipkg). Changed to --build. CI was unaffected because it skips Layer 2 (idris2 not on PATH in e2e.yml); local strict runs now actually exercise it.

Build oracle

IDRIS2_PREFIX=$IDRIS2/0.8.0 idris2 --build src/abi/typed-wasm.ipkg

22/22 modules, rc=0, no warnings from the new module.

PATH=$IDRIS2/0.8.0/bin:$PATH \
IDRIS2_PREFIX=$IDRIS2/0.8.0 \
  node tests/proof/regression.mjs --strict
# 59 passed, 0 failed, 0 skipped

Test plan

🤖 Generated with Claude Code

@hyperpolymath @claude
proof: total bodies for VerifierSpecAgreement + SourceVerifierAgreeme…
72cc1da 
…nt (post-A10 items 7 + 8)

Closes the multi-week residual flagged by PR #74's design-pass: the
two agreement records now have concrete inhabitants
(`verifierSpecAgreement` / `sourceVerifierAgreement`) with totally
proven bodies in every direction, zero `believe_me`, zero `postulate`,
`%default total` preserved.

Design choice that unblocks the full bodies
-------------------------------------------

The differential constructor carries the structural witness it
certifies.  `VADifferential` / `SADifferential` now package

    (fixtureName, fixtureId, FunctionsAccepted m.functions)

via an inline `TrustedFixture m`.  The trust-injection moment is
exactly the act of constructing one — fixture name + id never travel
without the structural witness the differential harness attested.

Consequence: all four agreement lemmas become total by case analysis.
Both `VAStructural` and `VADifferential` surface a `FunctionsAccepted
m.functions` payload that wraps directly into `SpecAccepts`; the
spec-to-verifier direction lifts via `VAStructural`; source ↔
verifier mirror the same pattern.

Comparison with PR #74's design (Maybe-returning bridges)
---------------------------------------------------------

PR #74 keeps `VADifferential` opaque (string + nat only) and exposes
`Maybe`-returning bridges plus a closed-world `RegisteredFixture`
GADT.  Soundness/completeness for the unparameterised agreement
records remain unprovable in that design — explicitly noted as
"multi-week residual".

This PR refactors the data type instead.  The audit story is
preserved (every `MkTrustedFixture` is a single grep point), but the
agreement records cease to be obligations and become inhabited
records like any other.

What's in the module
--------------------

Single file (`src/abi/TypedWasm/ABI/VerifierSpec.idr`, ~620 LOC,
zero banned patterns):

* `OwnershipIntent` / `FunctionSummary` / `ModuleSummary` — the
  shared spec surface (mirror of `typedwasm.ownership` custom section).
* `TokenFresh` / `IntentsLinearAcceptable` / `FunctionsAccepted` —
  structural acceptance predicates the spec / verifier / source side
  all share at L7+L10.
* `TrustedFixture m` — packaged differential-harness attestation.
* `SpecAccepts` / `VerifierAccepts` / `SourceAccepts` — three
  predicates; the latter two have a `*Differential` ctor carrying a
  `TrustedFixture`.
* `differentialAccepted` / `sourceAccepted` — smart constructors that
  thread the structural witness through.
* `trustedToSpec` / `trustedToVerifier` / `trustedToSource` —
  projections.
* `verifierIsSound` / `verifierIsComplete` / `sourceImpliesVerifier`
  / `verifierImpliesSource` — the four agreement lemmas, total bodies.
* `record VerifierSpecAgreement` / `record SourceVerifierAgreement`
  — record obligations, unchanged in shape from PR #72.
* `verifierSpecAgreement` / `sourceVerifierAgreement` — concrete
  inhabitants, the first total no-`believe_me` such values in the
  codebase.
* `sourceImpliesSpec` / `specImpliesSource` + `*Concrete`
  specialisations — end-to-end composition lemmas.
* Concrete instances: empty module, `allocFreeModule`, plus
  `fixtureCleanLinearConsumerModule` mirrored from cross_compat row 1
  — exercises the differential path end-to-end through the agreement
  record.
* Discrimination: `notSpecAcceptsBadDoubleConsume`,
  `notVerifierAcceptsBadDoubleConsume` (both ctors),
  `notSourceAcceptsBadDoubleConsume` (both ctors),
  `notSpecAcceptsBadDoubleProduce` — show L10 has teeth and the
  differential escape hatch can't smuggle a bad module past the
  verifier.

Regression
----------

`tests/proof/regression.mjs` gains 33 Layer 1 grep assertions
covering every new top-level name (data ctors, lemmas, records,
concrete witnesses, discrimination proofs).  Layer 2 (Idris2 `--build`
of the ipkg) verified locally: 22/22 modules, rc=0.

While here, fixed a pre-existing latent bug in the same file: Layer 2
invoked `idris2 --check typed-wasm.ipkg`, which the Idris2 0.8.0 CLI
rejects (`--check` takes a single `.idr` path, not an ipkg).  Changed
to `--build typed-wasm.ipkg` per the standing instruction.  CI was
unaffected because it skips Layer 2 (idris2 not on PATH in
`.github/workflows/e2e.yml`), but local strict runs now actually
exercise it.

Build oracle
------------

    IDRIS2_PREFIX=$IDRIS2/0.8.0 \
      idris2 --build src/abi/typed-wasm.ipkg

22/22 modules, rc=0, no warnings from the new module (pre-existing
shadowing warnings elsewhere unchanged).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 27, 2026 08:16
This was referenced May 27, 2026
Closed
Merged
Merged
Merged
hyperpolymath added a commit that referenced this pull request May 27, 2026
@hyperpolymath @claude
docs: comprehensive update for 2026-05-27 proof-debt closure pass (st…
8f959bd 
…acked on #80) (#84)

## Summary

Comprehensive documentation update covering the 2026-05-27 proof-debt
closure pass (PRs #79 + #80). Touches every relevant surface:
human-facing docs, machine-readable manifests, wiki pages (including a
new `Proof-Debt-Status.md`).

**Stacked on #80** so PROOF-NEEDS banner edits don't conflict. When #80
lands, this PR's diff narrows.

## What changes

### Human-facing

- **CHANGELOG.md** — new "Proof-debt closure pass (2026-05-27)" section
above the existing Phase 0 entry
- **PROOF-NEEDS.md** — adds a 2026-05-27 reconciliation banner for #79
(items 7+8 bodies closed) above the existing 2026-05-27 banner for #80
- **LEVEL-STATUS.md** — extends the `Proofs.idr` row; adds new
`VerifierSpec.idr` row to proof-inventory; extends the "Post-codegen
verifier (Rust)" section with the spec-of-record alignment paragraph
- **TEST-NEEDS.md** — source-module count 21 → 22; proof-regression 25 →
107 (with attribution)
- **README.adoc** — NOTE callout under the L1-L10 / L11-L12 table
pointing to VerifierSpec and the new Proof-Debt-Status wiki page
- **docs/supplementary/proof-inventory.adoc** (paper-facing) — two new
theorem entries: `thm-verifier-spec-agreement`,
`thm-attestation-entails-semantic-property`

### Wiki (docs/wiki/)

- **Home.md** — status line + Idris2 ABI architecture bullet mention
2026-05-27 closures + new Proof-Debt-Status page
- **Phase-0-Status.md** — new "2026-05-27 — Post-Phase-0 proof-debt
closure pass" section at the tail
- **Proof-Debt-Status.md** (NEW) — comprehensive page covering
invariants, 22-module table, three 2026-05-27 closures, outstanding
long-tail in priority order, 4-layer runtime safety table,
build-and-test oracle. This is the page to point at when asked _"where
is the theorem?"_
- **README.md** — adds Proof-Debt-Status to the page inventory

### Machine-readable

- **.machine_readable/6a2/STATE.a2ml** — `last-updated` 2026-05-25 →
2026-05-27; session note replaced with proof-debt narrative;
test-surface 545 → 627 (proof regression 25 → 107); 3 new milestone
entries; new `[proof-debt-closure-pass-2026-05-27]` section with
structured PR records; new `[long-tail-open-after-2026-05-27]` section
enumerating the four blocked / parallel-session items

### Untouched (verified not relevant)

- `.hypatia-ignore` — no banned-language patterns introduced
- `ROADMAP.adoc` — version/release milestones, PROOF-NEEDS items don't
appear at that altitude
- `EXPLAINME.adoc` — per-level claims; VerifierSpec isn't a level
- `META.a2ml` / `PLAYBOOK.a2ml` / `NEUROSYM.a2ml` / `ECOSYSTEM.a2ml` —
architecture-level, not session-state

## Build oracle

```
IDRIS2_PREFIX=\$IDRIS2/0.8.0 idris2 --build src/abi/typed-wasm.ipkg
```

21/21 modules on this branch (the new VerifierSpec.idr module comes from
#79). After all three PRs land on main, the count becomes 22/22.

## Test plan

- [ ] CI E2E green
- [ ] CI governance + scanners green
- [ ] Once #80 lands, this PR's diff narrows; PROOF-NEEDS conflict (mine
+ #80's banner) auto-resolves trivially since I built on top of #80
- [ ] Owner review of the wiki Proof-Debt-Status page (it's the most
visible new artefact)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 06ec00e into main May 27, 2026
26 of 27 checks passed
@hyperpolymath hyperpolymath deleted the proof/verifier-spec-agreement-bodies branch May 27, 2026 12:03
hyperpolymath added a commit that referenced this pull request May 27, 2026
@hyperpolymath
merge: main into proof/level-attestation-witness-indexed — status-tra…
fe9b675 
…cker concatenation post PR #72 landing

- STATE.a2ml / CHANGELOG.md / LEVEL-STATUS.md / PROOF-NEEDS.md / regression.mjs: merge both sides
  (preserve A11-A13 entries from PR #72 and #79+#80 entries from this PR)
- VerifierSpec.idr row in LEVEL-STATUS.md updated to reflect promotion from statement-level (A13) to total bodies (PR #79)
- All status-tracker concatenations; no proof code touched
hyperpolymath added a commit that referenced this pull request May 27, 2026
@hyperpolymath @claude
proof+docs: LevelAttestationW + WitnessCertificate + comprehensive do…
8b65384 
…cs sweep (standards#130 long-tail + 2026-05-27 proof-debt pass) (#80)

## Summary

Three stacked slices, now in a single PR because the stacked-PR base
auto-merged immediately on the unprotected branch:

1. **`LevelAttestationW` (originally #80 sole content)** — closes the
standards#130 long-tail residual from the 2026-05-18 PROOF-NEEDS
reconciliation banner: "Stronger 'attestation entails the level's
semantic property' (needs `LevelAttestation` reindexed by witness)
remains tracked future work under standards#130." 15 constructors, 15
smart ctors, 15 extractors, legacy bridge, 15 round-trip `Refl`s,
uniform achievement lemma.
2. **`WitnessCertificate` (folded in from #83)** — extends the
per-attestation witness retention to the WHOLE certificate via an
existential wrapper `SomeAttestationW`. `record WitnessCertificate`
mirrors `ProofCertificate` with witness-carrying levels, plus
`composeWitness`, `WitnessAchieved` predicate, and composition-compat
lemma `composeWitnessLegacyAgree`.
3. **Comprehensive docs sweep (folded in from #84)** — covers PRs #79 +
#80 across every relevant surface: CHANGELOG, PROOF-NEEDS, LEVEL-STATUS,
TEST-NEEDS, README.adoc, docs/supplementary/proof-inventory.adoc,
.machine_readable/6a2/STATE.a2ml, wiki (Home + Phase-0-Status + README +
NEW Proof-Debt-Status.md).

## Design

Mirror of #79's pattern on `VerifierSpec.idr`: constructors carry the
witness, trust-injection moves to construction, downstream consumers get
total extractors instead of `believe_me`-discharged claims.

```idris
-- Slice 1: per-attestation witness retention
data LevelAttestationW : (n : Nat) -> Type where
  AttestL7W  : {s : Schema}
            -> (w : ExclusiveWitness s)
            -> LevelAttestationW 7
  -- … 14 more, one per level

attestL7W_EntailsAliasFree :
     LevelAttestationW 7
  -> (s : Schema ** ExclusiveWitness s)
attestL7W_EntailsAliasFree (AttestL7W {s} w) = (s ** w)

-- Slice 2: certificate-level witness retention via existential
data SomeAttestationW : Type where
  MkSomeAttW : {n : Nat} -> LevelAttestationW n -> SomeAttestationW

record WitnessCertificate where
  constructor MkWitnessCert
  witnessLevels        : List SomeAttestationW
  witnessHighestProven : Nat
  witnessMultiModule   : List CompatCertificate

witnessToLegacy : WitnessCertificate -> ProofCertificate
composeWitness  : WitnessCertificate -> WitnessCertificate -> WitnessCertificate
WitnessAchieved : (n : Nat) -> WitnessCertificate -> Type
```

## What's in the PR

### Slice 1 (LevelAttestationW)
- `data LevelAttestationW : (n : Nat) -> Type` — 15 ctors
- 15 `attestLNW_*` smart constructors
- 15 `attestLNW_Entails<Property>` extractors
- `toLegacy : {n : Nat} -> LevelAttestationW n -> LevelAttestation`
bridge
- 15 round-trip `Refl` equalities
- `attestLW_AchievedIn` uniform achievement lemma

### Slice 2 (WitnessCertificate)
- `data SomeAttestationW` existential wrapper + `someAttLevel` /
`someAttToLegacy` projections
- `record WitnessCertificate` mirror of `ProofCertificate`
- `witnessLevelsToLegacy` (explicit recursion)
- `witnessToLegacy` bridge
- `composeWitness`
- `witnessLevelsToLegacyAppend` (mapAppend-style helper)
- `composeWitnessLegacyAgree` — composing legacy projections equals
projecting witness composition
- `WitnessAchieved` lifted via the bridge; `witnessAchievedIsLegacy`
definitional `Refl`
- `emptyWitnessCertificate`, `singletonWitnessCertificate`, `someAtt`
smart ctors
- `emptyWitnessToLegacy` `Refl` round-trip

### Slice 3 (docs)
- **CHANGELOG.md** — 2026-05-27 proof-debt closure pass section
- **PROOF-NEEDS.md** — 2026-05-27 banner for #79 (items 7+8 closure)
above the existing 2026-05-27 banner for #80 (standards#130 closure)
- **LEVEL-STATUS.md** — extended `Proofs.idr` row; new
`VerifierSpec.idr` row; "Post-codegen verifier (Rust)" §"Spec-of-record
alignment" paragraph
- **TEST-NEEDS.md** — source modules 21 → 22, proof regression 25 → 107
- **README.adoc** — NOTE callout pointing to VerifierSpec +
Proof-Debt-Status wiki
- **docs/supplementary/proof-inventory.adoc** — two new theorem entries
(`thm-verifier-spec-agreement`,
`thm-attestation-entails-semantic-property`)
- **.machine_readable/6a2/STATE.a2ml** — last-updated, session note,
test-surface 545 → 627, 3 new milestones, new
`[proof-debt-closure-pass-2026-05-27]` +
`[long-tail-open-after-2026-05-27]` sections
- **docs/wiki/Home.md** — status + architecture mentions
- **docs/wiki/Phase-0-Status.md** — new tail section
- **docs/wiki/Proof-Debt-Status.md** — NEW comprehensive proof-debt
inventory page
- **docs/wiki/README.md** — page-inventory update

## Erasure / reduction notes

- Type-level indices on the `LevelAttestationW` ctors are
RUNTIME-AVAILABLE (no `{0}`) so extractors can project both the witness
AND the indices.
- `SomeAttestationW`'s `n` is RETAINED for projection via
`someAttLevel`.
- `witnessLevelsToLegacy` is recursive rather than `map`-eta because
Idris2 0.8.0 doesn't reduce `map f []` past the eta-reduced reference.
- `emptyWitnessToLegacy` inlines its LHS (`MkWitnessCert [] 0 []`)
because `let`-bound top-level values don't unfold through `Refl` in
Idris2 0.8.0.

## What this does NOT change

`LevelAttestation`, `MkAttestation`, `attestLN_*`, `attestLN_Sound`,
`LevelAchievedIn`, `composeCertificates`, `ProofCertificate` — all
unchanged.

## Build oracle

```
IDRIS2_PREFIX=\$IDRIS2/0.8.0 idris2 --build src/abi/typed-wasm.ipkg
```

21/21 modules on this branch (VerifierSpec.idr comes from PR #79; once
both #79 and #80 land, count becomes 22/22). rc=0. Zero new `believe_me`
/ `assert_total` / `postulate` / `sorry` / `assert_smaller`. `%default
total` preserved.

## Regression

`tests/proof/regression.mjs` gains 49 Layer 1 assertions covering both
source slices.

## Relationship to other open PRs

- **PR #79** (VerifierSpec items 7/8 bodies) — independent; both close
different post-A10 items. No file overlap on source (different module).
Docs slice mentions both for context.
- **PR #72** (items 5a/5b/A12) — additive overlap on `Proofs.idr` and
`PROOF-NEEDS.md`; mechanical rebase.
- **PR #74** — closed as superseded.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hyperpolymath