ABI Layer 4: prove the FFI result-code seam is injective + faithful#48
Merged
Conversation
New module K9iser.ABI.Semantics proves the repo's headline property
("Wrap configs into self-validating K9 contracts"): a config that
SATISFIES a "must"-contract (a required key present whose value lies
within an inclusive numeric range) provably validates, and a config that
VIOLATES it (missing key OR out-of-range value) provably does not.
- Faithful model: Config = assoc list (Key, Nat); Contract = key + [lo,hi].
- Headline proposition `Validates c cfg` has constructors only for the
satisfying case (resolver equation + InRange via propositional LTE);
no constructor exists for a missing key or out-of-range value.
- Sound + complete `decValidates : Dec (Validates c cfg)` and `decInRange`.
- Certifier `certify` into the ABI Result code, with `certifySound` and
`certifyComplete`.
- Positive control `goodValidates` (replicas=5 in [1,10]) and two negative
controls: `badRangeNotValidates` (replicas=0) and `missingNotValidates`.
ABI builds clean (exit 0, zero warnings). A deliberately false witness
for the out-of-range config is rejected by idris2 (non-vacuity verified).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Add a second, deeper machine-checked theorem over the existing Layer-2
Semantics model, raising the Idris2 ABI to Layer 3. Proves how config
validation behaves under CONJUNCTION of K9 contracts, distinct from the
Layer-2 single-contract soundness/completeness:
- ValidatesBoth / ValidatesAll: binary and n-ary conjunction over the
existing Validates proposition.
- validatesAndIff / validatesAllConsIff: decomposition isomorphisms
(real witness round-trips, = Refl).
- validatesBothSym: commutativity of conjunction.
- decValidatesAll: sound + complete decision, built compositionally
from the Layer-2 decValidates.
- validatesAllAppend{Fwd,Bwd}: distribution of conjunction over list
append (induction on the bundle).
- validatesAllWeaken: monotonicity / downward-closure.
- certifyAll{,Sound,Complete}: certifier into the ABI Result code.
- Positive controls (twoValidatesBoth / twoValidatesBundle) and
negative / non-vacuity controls (mixedNotBoth / mixedNotBundle),
all machine-checked; resolver equations proved via resolveHead /
resolveSkip lemmas (String decEq does not reduce definitionally).
No believe_me / postulate / assert_total / sorry. %default total.
Registered last in k9iser-abi.ipkg. Clean build, zero warnings;
a deliberately-false ValidatesAll over the out-of-range config is
rejected by the type checker (non-vacuity confirmed).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Prove resultToInt is a sound wire encoding: a faithful decoder intToResult with resultRoundTrip (lossless), injectivity derived from the round-trip, positive decode controls, and a machine-checked non-vacuity control (distinct codes have distinct ints). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Signed-off-by: Jonathan D.A. Jewell <6759885+hyperpolymath@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Layer 4 (seal the ABI↔FFI seam): proves the FFI result-code encoding (
resultToInt) is a sound, lossless wire encoding — decoderintToResultwithresultRoundTrip, from whichresultToIntInjectiveis derived. Distinct ABI outcomes never collide on the C wire. Complements the structuralabi-ffi-gate.py.New module
*.ABI.FfiSeam(importsTypes). Positive + non-vacuity controls.Testing
Idris2 0.7.0
--build→ exit 0, zero warnings. Adversarial rejection confirmed.build/removed. Nobelieve_me/postulate/sorry.🤖 Generated with Claude Code
https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Generated by Claude Code