vcl-ut #25 P5c (steps 2-4): faithful Rust recompute-decider + cross-language decision conformance#31
Merged
Conversation
…anguage decision conformance The recompute-PCC tier's verdict engine. Under the locked design (VERIFICATION-STANCE.adoc two-tier boundary model): the corpus proves soundness ONCE (checkLevelNSound, offline-re-checkable); the consumer re-runs that exact decision over wire-decoded (Statement, OctadSchema) and compares to the producer's claimed level. This adds that re-runner in Rust (to be affinescriptiser-wrapped → typed-wasm in P5c-5) and machine-pins its faithfulness to the corpus. src/interface/parse/src/decider.rs (new; SPARK lint set, total, no panic, pure) — a line-by-line port of: - VclTotal.Core.Schema: lookupModality/lookupField/resolveFieldRef/ resolveType/isNullable. - VclTotal.Core.Decide (the single source of truth): resolveExprType, resolveSelectItemType, notAnyTy, selectItem(s)Typed (L5), agentEq/ vqlTypeEq/typesCompatible/extractComparisons/whereComparisons- Compatible (L2), fieldRefEq/refElem/exprFieldRefs/nullGuardedRefs/ refUnguarded/exprNullSafe/nullSafeStmt (L3), statementFieldRefs + fieldRefResolves (L1), cardinality/effect/temporal presence (L6-8), linEnforced (L9), agentId/agentDeclared/findUndeclaredAgents/ entailsPairs/hasCircularEntails/epiStructOK/epiNoCycle (L10). - VclTotal.Core.Checker spine: checkLevel0..10 verdict bits (incl. L4's inverted polarity: passes iff WHERE has NO raw string literal), and certifiedLevel = (all checkLevel1..k accept, k = safetyLevelToInt(requestedLevel)) ? k : -1. Faithfulness-on-the-wire-domain argument (documented in the module): Grammar.Expr carries a VqlType at every node; the wire format omits it and every decoder fills TAny. So on a *wire-decoded* statement the corpus resolveExprType is TAny everywhere except EField (→schema) and ESubquery (→TOctad). The Rust ast::Expr therefore needs no ty field and the port is EXACT for the recompute domain (decoded statements) — the only domain this tier runs on. Not a shortcut; it's the precise reason the no-ty AST is sound here. Conformance (tests/conformance_emit.rs ⇄ WireConformance): - conform1/2/3/S1 unchanged: Rust to_wire* ⇄ Idris certified fromWire*, byte-for-byte by Refl. - New recompute pins. Rust oracle emits cl1=1, cl2=-1, cl3=0 (certified_level over the DECODED golden bytes; self-checked in fixtures_roundtrip). Idris Refl-pins the decisive corpus facts using VclTotal.Core.Decide (fully public export, only imports Grammar/Schema, so it reduces cross-module — Checker.checkLevelN does NOT, its helpers are `export`/Levels-coupled): golden1 → allFieldRefsResolve [] = True + safetyLevelToInt SchemaBound = 1 + requestedLevel = SchemaBound; golden3 → requestedLevel ParseSafe + safetyLevelToInt ParseSafe = 0; golden2 → requestedLevel EpistemicSafe + safetyLevelToInt EpistemicSafe = 10. DISCLOSED (not faked, per the estate verification-honesty doctrine): golden2's verdict (-1) hinges on `vector.x` not resolving in S1, which forces Schema.lookupField → Data.List.find; `find` does NOT reduce under the idris2 0.8.0 evaluator (same limitation the corpus documents for Data.List.elemBy, for which it hand-rolled Decide.refElem). So the negative-resolution fact is NOT Refl-pinnable cross-module. It is machine-pinned instead on the Rust side (fixtures_roundtrip asserts certified_level over decoded golden2 == -1) and the input value is Refl-proven identical to the corpus's (conform2). The find-free decision structure (level ints, requested levels, empty-ref accept) IS Refl-pinned. This precise scoping is documented in WireConformance. Verified: corpus idris2 --build exit 0 (12 modules, %default total, ZERO proof-escape; CI escape-audit OK — comment-filtered); parse-gate (clippy -D warnings / test / fmt) clean; conformance self-check green. P5c remaining: P5c-5 affinescriptiser-wrap certified_level → typed-wasm + C/Zig fail-closed attestation fallback; P5c-6 stance flip + ADR docs/decisions/0002-ffi-attestation-trust-boundary.adoc. Refs #25. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 22 issues detected
View findings[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/upload-artifact@v4 needs attention",
"type": "unpinned_action",
"file": "release.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/download-artifact@v4 needs attention",
"type": "unpinned_action",
"file": "release.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
"type": "codeql_language_matrix_mismatch",
"file": "codeql.yml",
"action": "switch_codeql_matrix_to_actions",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "assert_smaller bypasses termination checker (1 occurrences, CWE-704)",
"type": "assert_smaller",
"file": "/home/runner/work/vcl-ut/vcl-ut/src/core/Checker.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/vcl-ut/vcl-ut/src/core/Decide.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (3 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/vcl-ut/vcl-ut/src/core/Composition.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "assert_total bypasses totality checker (1 occurrences, CWE-704)",
"type": "assert_total",
"file": "/home/runner/work/vcl-ut/vcl-ut/src/core/Composition.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
P5c (steps 2–4) — faithful Rust recompute-decider + cross-language decision conformance
The recompute-PCC tier's verdict engine. Per the locked design
(
VERIFICATION-STANCE.adoctwo-tier boundary model): the corpus provessoundness once (
checkLevelNSound, offline-re-checkable); theconsumer re-runs that exact decision over a wire-decoded
(Statement, OctadSchema)and compares to the producer's claimedlevel. This adds the re-runner in Rust (→ affinescriptiser-wrapped to
typed-wasm in P5c-5) and machine-pins its faithfulness to the
corpus.
src/interface/parse/src/decider.rs(new)SPARK lint set, total, no panic, pure. Line-by-line port of
Schema/Decide(the single source of truth) + theCheckercheckLevel0..10/certifiedLevelspine.certified_level = (all checkLevel1..k accept, k = safetyLevelToInt(requestedLevel)) ? k : -1(L4 polarity preserved: passes iff WHERE has no raw stringliteral).
Why the no-
tyRust AST is exact here (documented in-module): thewire format omits
Expr'sVqlTypeand every decoder fillsTAny, soon a wire-decoded statement the corpus
resolveExprTypeisTAnyexcept
EField(→schema) /ESubquery(→TOctad). The recompute tieronly runs on decoded statements, so the port is faithful by
construction — not a shortcut.
Conformance (
tests/conformance_emit.rs⇄WireConformance)conform1/2/3/S1: Rustto_wire*⇄ Idris certifiedfromWire*,byte-for-byte by
Refl(unchanged, still green).cl1=1, cl2=-1, cl3=0(
certified_levelover the decoded golden bytes; self-checked infixtures_roundtrip). IdrisRefl-pins the decisive corpus factsvia
VclTotal.Core.Decide(fullypublic export, Grammar/Schema-only⇒ reduces cross-module;
Checker.checkLevelNdoes not —export/Levels-coupled).Disclosed, not faked (estate verification-honesty doctrine)
golden2 → -1hinges onvector.xnot resolving, which forcesSchema.lookupField → Data.List.find;finddoes not reduce under theidris2 0.8.0 evaluator (same limitation the corpus documents for
elemBy→ its hand-rolledrefElem). So the negative-resolution factis not
Refl-pinnable cross-module. It is machine-pinned insteadon the Rust side (
fixtures_roundtrip:certified_levelover decodedgolden2 == -1) with the input valueRefl-proven identical to thecorpus's (
conform2). The find-free decision structure (level ints,requested levels, empty-ref accept) is
Refl-pinned. Scoping isdocumented verbatim in
WireConformance.Verified locally
idris2 0.8.0 --buildexit 0 — 12 modules,%default total, zero proof-escape (CI escape-audit OK, comment-filtered).-D warnings/cargo test/cargo fmt --checkclean; conformance self-check green (incl. decoded-bytescertified_level == {1,-1,0}).P5c remaining
P5c-5:
affinescriptiser-wrapcertified_level→ typed-wasm + C/Zigfail-closed attestation fallback. P5c-6: stance flip OWED→RESOLVED +
ADR
docs/decisions/0002-ffi-attestation-trust-boundary.adoc.Refs #25.
🤖 Generated with Claude Code