diff --git a/src/interface/abi/Lustreiser/ABI/Capstone.idr b/src/interface/abi/Lustreiser/ABI/Capstone.idr new file mode 100644 index 0000000..a52083c --- /dev/null +++ b/src/interface/abi/Lustreiser/ABI/Capstone.idr @@ -0,0 +1,100 @@ +-- SPDX-License-Identifier: MPL-2.0 +-- Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) +-- +||| Layer 5 — END-TO-END ABI SOUNDNESS CERTIFICATE for Lustreiser. +||| +||| This module proves NO new domain theorem. It is the CAPSTONE: it +||| ASSEMBLES the already-proven facts from every prior ABI layer into a +||| single inhabited certificate value. The certificate ties the whole +||| chain together — +||| +||| manifest (lustreiser.toml describes the node) +||| -> ABI proofs: +||| * Layer 2 (Semantics): the flagship per-tick / whole-run +||| SAFETY BOUND — the saturating counter never exceeds its cap +||| (reusing the exported positive control `safeWatchdogWithinBound` +||| and the whole-run control `safeRunWithinBound`); +||| * Layer 3 (Invariants): the deeper ALGEBRAIC invariant — `run` +||| is a left monoid action of the input stream on node state +||| (reusing the exported concrete witness `appendWitness` of the +||| flagship `runAppend` law, and the `monotoneWitness` of +||| `satInc` monotonicity); +||| -> FFI seam (Layer 4): the result-code encoding is INJECTIVE, so the +||| C integer crossing the Zig FFI unambiguously reconstructs the ABI +||| `Result` (reusing the exported `resultToIntInjective`). +||| +||| The single value `abiContractDischarged : ABISound` below is constructed +||| ENTIRELY from those existing exported witnesses/theorems. Because it +||| typechecks, every prior layer is jointly sound: if any one of them were +||| unsound (e.g. the bound proof, the action law, or the seam injectivity), +||| this value would fail to elaborate. That is the end-to-end statement. +module Lustreiser.ABI.Capstone + +import Data.Nat + +import Lustreiser.ABI.Types +import Lustreiser.ABI.Semantics +import Lustreiser.ABI.Invariants +import Lustreiser.ABI.FfiSeam + +%default total + +-------------------------------------------------------------------------------- +-- The capstone certificate record +-------------------------------------------------------------------------------- + +||| `ABISound` bundles the KEY proven facts of the Lustreiser ABI, one field +||| per layer. There is no constructor escape hatch: each field demands a real +||| proof term, so the record is inhabited ONLY if every layer is genuinely +||| discharged. +public export +record ABISound where + constructor MkABISound + + ||| Layer 2 flagship (per-tick safety bound): the canonical watchdog node + ||| (cap = 3, state = 2) provably stays within its static bound. Reuses the + ||| exported positive control from `Semantics`. + flagshipBound : WithinBound (MkCounter 3 2) + + ||| Layer 2 whole-run safety: running a real input stream (where saturation + ||| actually fires) from a within-bound start stays within bound. Reuses the + ||| exported `safeRunWithinBound`. + flagshipRunBound : + WithinBound (run [Tick,Tick,Tick,Tick,Reset,Tick] (MkCounter 3 0)) + + ||| Layer 3 deeper invariant (monoid-action / fold-fusion law on a concrete + ||| split): replaying `[Tick,Tick]` then `[Reset,Tick]` equals replaying the + ||| whole four-tick stream. Reuses the exported `appendWitness` instance of + ||| the flagship `runAppend` theorem. + layer3Action : + run ([Tick,Tick] ++ [Reset,Tick]) (MkCounter 3 0) + = run [Reset,Tick] (run [Tick,Tick] (MkCounter 3 0)) + + ||| Layer 3 orthogonal invariant (order-preservation): `satInc` is monotone + ||| in its counter argument on a concrete instance. Reuses the exported + ||| `monotoneWitness`. + layer3Monotone : LTE (satInc 3 1) (satInc 3 2) + + ||| Layer 4 FFI-seam soundness: the result-code encoding is INJECTIVE — no + ||| two ABI `Result`s collide on the wire. The full theorem `resultToIntInjective` + ||| is carried as a field, so the seam guarantee is part of the certificate. + ffiSeamInjective : + (a, b : Result) -> resultToInt a = resultToInt b -> a = b + +-------------------------------------------------------------------------------- +-- THE CAPSTONE: a single inhabited value built from prior-layer proofs +-------------------------------------------------------------------------------- + +||| The end-to-end soundness certificate. Every field is one of the EXISTING +||| exported witnesses/theorems from the layer modules — nothing is reproved, +||| nothing is fabricated. If any prior layer were unsound, this value would +||| not typecheck; its mere existence discharges the full ABI contract. +public export +abiContractDischarged : ABISound +abiContractDischarged = MkABISound + { flagshipBound = safeWatchdogWithinBound + , flagshipRunBound = safeRunWithinBound + , layer3Action = appendWitness + , layer3Monotone = monotoneWitness + , ffiSeamInjective = resultToIntInjective + } diff --git a/src/interface/abi/lustreiser-abi.ipkg b/src/interface/abi/lustreiser-abi.ipkg index 4b76945..a0df637 100644 --- a/src/interface/abi/lustreiser-abi.ipkg +++ b/src/interface/abi/lustreiser-abi.ipkg @@ -12,3 +12,4 @@ modules = Lustreiser.ABI.Types , Lustreiser.ABI.Semantics , Lustreiser.ABI.Invariants , Lustreiser.ABI.FfiSeam + , Lustreiser.ABI.Capstone