Skip to content

ABI Layer 2: prove inductive-invariant safety soundness — flagship Idris2 proof#38

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/new-session-znxgm7
Jun 27, 2026
Merged

ABI Layer 2: prove inductive-invariant safety soundness — flagship Idris2 proof#38
hyperpolymath merged 1 commit into
mainfrom
claude/new-session-znxgm7

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

Summary

Raises tlaiser's Idris2 ABI to Layer 2 with its first flagship semantic proof. tlaiser's headline is extracting state machines and model-checking with TLA+; this proves the foundational model-checking guarantee — inductive-invariant soundness: a safety property that holds initially and is preserved by every transition holds on every reachable state (safetySound).

Mirrors the estate flagship-proof pattern: Init/Step/Reachable/Safe model, the inductive-invariant theorem, certifier, controls.

Changes

  • Adds src/interface/abi/Tlaiser/ABI/Semantics.idr — state-machine model, Reachable, Safe, safetySound (reachable ⇒ safe), certifier + soundness, controls.
  • Registers the module in tlaiser-abi.ipkg.

RSR Quality Checklist

Required

  • Tests pass — ABI builds clean (see Testing)
  • Linter clean — zero warnings
  • No banned language patterns
  • No banned functions — genuine proof
  • SPDX headers present
  • No secrets

As Applicable

  • ABI/FFI changes validated — additive proof; FFI untouched

Testing

Verified with Idris2 0.7.0: idris2 --build tlaiser-abi.ipkg → exit 0, zero warnings. Adversarial check: a deliberately-false proof was rejected. build/ removed.

🤖 Generated with Claude Code

https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx


Generated by Claude Code

…emantics

Add a flagship machine-checked semantic proof raising the Tlaiser Idris2 ABI
to Layer 2. Models a two-process lock-based mutual-exclusion state machine (the
canonical PlusCal example) with an Init predicate, a nondeterministic Step
relation, and an inductive Reachable closure.

Headline theorem (safetySound): mutual exclusion (Safe) holds on every
reachable state. The engine is invInductive (TLA+ INV1): a strengthened,
genuinely inductive invariant Inv that couples "process is Critical" to
"process holds the lock" holds initially (initEstablishes) and is preserved by
every transition (stepPreserves), hence holds on all reachable states; Safe is
derived from Inv (invImpliesSafe).

Includes a sound+complete Dec (decSafe), a Result-valued certifier with
soundness (certifyReachableSound), a positive control (a real reachable
Critical state, proven Safe) and negative controls (the (Critical,Critical)
state has no Safe proof and is unreachable). The "both critical" bad case has
no constructor, so a deliberately false safety witness is rejected by idris2
(non-vacuity verified).

Builds clean (idris2 0.7.0, zero warnings).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
@hyperpolymath hyperpolymath marked this pull request as ready for review June 27, 2026 20:01
@hyperpolymath hyperpolymath merged commit 8f54595 into main Jun 27, 2026
22 of 24 checks passed
@hyperpolymath hyperpolymath deleted the claude/new-session-znxgm7 branch June 27, 2026 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants