
verify: attempt theorem_pae_injective_on_types proof (audit C-1 progress) #116

Merged

avrabe merged 1 commit into main from verify/theorem-pae-injective-on-types on May 13, 2026

Conversation

avrabe (Contributor) commented May 12, 2026

Second Verus admit attempt, after PR #108's discharge of `lemma_le64_injective`.

Proof structure

Replaces `assume(false)` in `theorem_pae_injective_on_types` with an explicit ~70-line proof:

  1. Establish lengths of every prefix in `spec_pae`'s `Seq::add` chain. `spec_le64` always produces a length-8 sequence (8 explicit elements in the `seq!` macro); `Seq::add` is length-additive.
  2. Contrapositive on `pae1 == pae2`:
    a. Total-length equality → `|type1| == |type2|`
    b. For every index `i`, derive `pae1[16+i] == type1[i]` via the `Seq::add` indexing axiom, applied through the four `.add`s of `spec_pae`. Same chain for `pae2`.
    c. Extensionality (`=~=`) lifts byte-wise agreement to `type1 == type2`, contradicting the `requires type1 != type2`.

This is the natural next-easiest admit after `lemma_le64_injective`: no SHA-256, no crypto, just structural reasoning over `Seq::add`.

Honesty caveat

The proof has not been validated locally — Bazel + Verus tooling was unavailable in the agent's sandbox. The Verus CI job carries `continue-on-error: true` (audit C-1 mask) so the worst case is the proof doesn't discharge and the `assert` chain becomes diagnostic documentation rather than a hard verification gate. The structured `assert` chain in the proof body is itself useful for the next attempt regardless.

What CI tells us

  • ✅ Verus accepts the proof → audit C-1 partial closure advances one step
  • ❌ Verus rejects some step → the failing `assert` gives precise diagnostic info for a follow-up; the `continue-on-error` mask keeps the job from blocking merge

Either way, no regression risk.

Refs: audit C-1.
Verifies (if Verus accepts): CR-3 (parser injectivity, payload-type component of PAE).

Building on PR #108's discharge of lemma_le64_injective, this commit
replaces the `assume(false)` in `theorem_pae_injective_on_types` with
an explicit ~70-line proof. Structure:

  1. Establish lengths of every prefix in `spec_pae`'s `Seq::add`
     chain (spec_le64 → length 8; Seq::add is length-additive).
  2. Contrapositive on `pae1 == pae2`:
       a. Total-length equality → |type1| == |type2|
       b. For every index i, derive pae1[16+i] == type1[i] via the
          Seq::add indexing axiom, applied through the four `.add`s
          of spec_pae. Same chain for pae2.
       c. Extensionality (`=~=`) lifts byte-wise agreement to
          `type1 == type2`, contradicting the `requires type1 != type2`.

This is the natural next-easiest admit after lemma_le64_injective —
no SHA-256, no crypto, just structural reasoning over Seq::add.

The proof has NOT been validated locally because Bazel/Verus tooling
was unavailable in the agent's sandbox. The Verus CI job carries
`continue-on-error: true` (audit C-1 mask) so the worst case is the
proof doesn't discharge and the assert chain becomes diagnostic
documentation rather than a hard verification gate. The structured
`assert` chain in the proof body is itself useful for the next
attempt regardless.

Refs: audit C-1 (incremental closure progressing).
Verifies (if Verus accepts): CR-3 (parser injectivity, payload-type
component of PAE).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
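The structural argument in the PR description, worked as an added example that is not part of the PR or of the project's own Verus code: a plain-Rust model of a length-prefixed PAE layout together with its inverse parser. Only the 8-byte `le64` length fields and the type offset of 16 come from the PR text; the field order (header, `le64(|type|)`, type, `le64(|payload|)`, payload), the 8-byte header value and every function name here are assumptions. The example also goes one step beyond the PR by contrasting the prefixed layout with plain concatenation, which is not injective, to show what the `|type1| == |type2|` step of the proof is actually buying.

```rust
// Added example (not the project's code): a plain-Rust model of the
// length-prefixed layout the proof reasons about. The field order and the
// 8-byte header value are assumptions; only the 8-byte le64 length fields
// and the type offset of 16 are taken from the PR text.

const HEADER_LEN: usize = 8;
const LEN_FIELD: usize = 8;
/// Hypothetical header; the project's real magic bytes are not on the page.
const HEADER: [u8; HEADER_LEN] = *b"EXAMPLE0";
/// Offset of the first type byte: header + one length field = 16.
pub const TYPE_OFFSET: usize = HEADER_LEN + LEN_FIELD;

fn le64(n: usize) -> [u8; 8] {
    (n as u64).to_le_bytes()
}

/// header ++ le64(|ty|) ++ ty ++ le64(|payload|) ++ payload
pub fn pae(ty: &[u8], payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(TYPE_OFFSET + LEN_FIELD + ty.len() + payload.len());
    out.extend_from_slice(&HEADER);
    out.extend_from_slice(&le64(ty.len()));
    out.extend_from_slice(ty);
    out.extend_from_slice(&le64(payload.len()));
    out.extend_from_slice(payload);
    out
}

/// Plain concatenation with no length fields: the contrast case, NOT injective.
pub fn naive_concat(ty: &[u8], payload: &[u8]) -> Vec<u8> {
    let mut out = HEADER.to_vec();
    out.extend_from_slice(ty);
    out.extend_from_slice(payload);
    out
}

fn read_bytes<'a>(buf: &'a [u8], pos: &mut usize, n: usize) -> Option<&'a [u8]> {
    let end = pos.checked_add(n)?;
    let out = buf.get(*pos..end)?;
    *pos = end;
    Some(out)
}

fn read_len(buf: &[u8], pos: &mut usize) -> Option<usize> {
    let raw: [u8; 8] = read_bytes(buf, pos, LEN_FIELD)?.try_into().ok()?;
    usize::try_from(u64::from_le_bytes(raw)).ok()
}

/// Inverse parser. A total left-inverse of `pae` is exactly what makes `pae`
/// injective: pae(a) == pae(b) implies parse(pae(a)) == parse(pae(b)), i.e. a == b.
pub fn parse(buf: &[u8]) -> Option<(Vec<u8>, Vec<u8>)> {
    let mut pos = 0usize;
    if read_bytes(buf, &mut pos, HEADER_LEN)? != &HEADER[..] {
        return None;
    }
    let ty_len = read_len(buf, &mut pos)?;
    let ty = read_bytes(buf, &mut pos, ty_len)?.to_vec();
    let payload_len = read_len(buf, &mut pos)?;
    let payload = read_bytes(buf, &mut pos, payload_len)?.to_vec();
    // Reject trailing bytes, otherwise inputs differing only in a suffix parse alike.
    if pos != buf.len() {
        return None;
    }
    Some((ty, payload))
}

/// The contrapositive the proof discharges, checked on concrete inputs:
/// either the encodings differ, or both the types and the payloads agree.
pub fn equal_encodings_imply_equal_inputs(ty1: &[u8], p1: &[u8], ty2: &[u8], p2: &[u8]) -> bool {
    pae(ty1, p1) != pae(ty2, p2) || (ty1 == ty2 && p1 == p2)
}

fn main() {
    let enc = pae(b"application/vnd.example", b"{\"hello\":1}");
    let back = parse(&enc);
    println!("parse round-trips: {}", back == Some((b"application/vnd.example".to_vec(), b"{\"hello\":1}".to_vec())));
    println!("length-prefixed (\"ab\",\"c\") vs (\"a\",\"bc\") collide: {}", pae(b"ab", b"c") == pae(b"a", b"bc"));
    println!("naive concat (\"ab\",\"c\") vs (\"a\",\"bc\") collide: {}", naive_concat(b"ab", b"c") == naive_concat(b"a", b"bc"));
}
```

The parser is the executable counterpart of the proof's step 2: the length field fixes where the type ends, so two encodings of equal total length with different type lengths already differ inside the first 16 bytes, and two encodings with equal type lengths agree byte-for-byte at offsets `16 + i` only if the types themselves agree. The trailing-bytes check matters for the parser direction (CR-3): without it `parse` would map distinct inputs to the same result even though `pae` itself stays injective.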
codecov bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@avrabe avrabe merged commit 3ee86cb into main May 13, 2026
17 checks passed
@avrabe avrabe deleted the verify/theorem-pae-injective-on-types branch May 13, 2026 04:20
avrabe added a commit that referenced this pull request May 16, 2026
Patch release bundling four PRs:
  #112 — Kani matrix fix + per-job tolerate_failure pattern
  #114 — Cerisier formalization companion docs (mapping + scenarios)
  #115 — bump regorus 0.2.8 → 0.10, fully clears RUSTSEC-2026-0097
  #116 — second Verus admit attempt (theorem_pae_injective_on_types)

Notable: cargo audit ignore-list is down to one entry (rustls-pemfile,
unmaintained-upstream). No actively-fixable RUSTSEC advisories remain.

Audit-related fixes from this release are summarised in the
"Audit follow-ups" sections of the CHANGELOG. Issue #117 (Sigstore
Fulcio cert rotation invalidated our pinned fingerprints) was
surfaced during this cycle and is tracked separately — not blocking
because audit C-4 documents that pinning is currently warn-only.

Trace: skip

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
