Skip to content

ABI Layer 2: prove the one-for-one restart invariant — flagship Idris2 proof#35

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/new-session-znxgm7
Jun 27, 2026
Merged

ABI Layer 2: prove the one-for-one restart invariant — flagship Idris2 proof#35
hyperpolymath merged 1 commit into
mainfrom
claude/new-session-znxgm7

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

Summary

Raises otpiser's Idris2 ABI to Layer 2 with its first flagship semantic proof. otpiser's headline is generating OTP supervision trees; this proves the one-for-one restart invariant: restarting a failed child leaves the other children untouched and the child set unchanged.

Mirrors the estate flagship-proof pattern: supervisor/child model, OtherIn/RestartedRunning propositions, sound+complete decision, certifyRestart proven sound, positive + negative controls.

Changes

  • Adds src/interface/abi/Otpiser/ABI/Semantics.idrSupervisor/Child, OtherIn, RestartedRunning, the restart-invariant theorems, certifyRestart/soundness, controls.
  • Registers the module in otpiser-abi.ipkg.

RSR Quality Checklist

Required

  • Tests pass — ABI builds clean (see Testing)
  • Linter clean — zero warnings
  • No banned language patterns
  • No banned functions — genuine proof
  • SPDX headers present
  • No secrets

As Applicable

  • ABI/FFI changes validated — additive proof; FFI untouched

Testing

Verified with Idris2 0.7.0: idris2 --build otpiser-abi.ipkg → exit 0, zero warnings. Adversarial check: a deliberately-false proof was rejected. build/ removed.

🤖 Generated with Claude Code

https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx


Generated by Claude Code

Add Otpiser.ABI.Semantics: a faithful Idris2 model of a one-for-one OTP
supervisor (children keyed by id, each Running/Failed) and a restart step,
with machine-checked proofs of the headline fault-tolerance invariant:

  - restartPreservesChildSet: restarting any child leaves the ordered set
    of supervised child ids unchanged (real propositional equality).
  - restartLeavesOthersUntouched: every sibling whose id differs from the
    target survives the restart byte-for-byte identical (Elem soundness).
  - restartHeadRuns / RestartedRunning: the targeted child is set Running.

Positive controls exhibit concrete witnesses over a 3-worker supervisor;
the negative control (negativeSiblingNotReset) refutes, by machine, the
OneForAll-style claim that a failed sibling is reset — establishing the
property is non-vacuous. No believe_me / postulate / assert_total.

Registered in otpiser-abi.ipkg; ABI builds clean with zero warnings.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
@hyperpolymath hyperpolymath marked this pull request as ready for review June 27, 2026 19:58
@hyperpolymath hyperpolymath merged commit ff14998 into main Jun 27, 2026
22 of 23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants