P3: prove SchemaBound (level 2) as a real schema-resolution guarantee#35
Merged
Conversation
Extends the flagship semantic-proof coverage beyond InjectionFree (level 5)
to SchemaBound (level 2: "all references resolve in the schema"). Adds
`Typedqliser.ABI.SchemaBound`, mirroring the Semantics/InjectionFree quality
bar:
* a faithful schema model (`TableDef`/`Schema`) with a total, deterministic
`tableCols` resolver, reusing the existing `Query`/`Pred`/`Value` AST;
* `QuerySchemaBound` — the proposition that the query's table resolves and
every referenced column (projected ++ predicate) is declared. There is no
constructor admitting a dangling reference, so the property is uninhabited
for an unresolved column;
* `decSchemaBound` — a sound + complete `Dec`, so a "Proven" SchemaBound
certificate is backed by a constructive witness and a dangling reference
can never be certified;
* `certifySchemaBoundSound` — the certifier's `Proven` verdict provably
entails the property; `schemaBoundIsLevelTwo : levelNat SchemaBound = 2`;
* positive control (an explicit witness + the certifier computing to
`Proven`) and negative control (`ssn` dangling reference provably cannot
be certified).
Verified with idris2 0.7.0: `idris2 --build typedqliser-abi.ipkg` exits 0 with
zero warnings. Adversarially checked — three deliberately-false proofs (wrong
level ordinal, a dangling `Elem`, a schema-bound witness for the dangling
query) are all rejected by the type checker.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Deepens the flagship semantic-proof coverage of the TypedQLiser ABI. Today only
InjectionFree(level 5) is a real, machine-checked property (PR #33); the other nine levels carry only an abstractProofStatus. This PR makesSchemaBound(level 2 — "all references resolve in the schema") a genuine, sound + complete decidable property over the existing query AST, to the same quality bar asInjectionFree.Changes
src/interface/abi/Typedqliser/ABI/SchemaBound.idr:TableDef(name + declared columns),Schema, and a total, deterministictableColsresolver — reusing the existingQuery/Pred/ValueAST fromSemanticsverbatim.QuerySchemaBound s q— the proposition that the query's table resolves and every referenced column (projected++predicate) is declared. There is no constructor that admits a dangling reference, so the property is uninhabited for an unresolved column.decSchemaBound : (s : Schema) -> (q : Query) -> Dec (QuerySchemaBound s q)— a sound + complete decision procedure, so aProvenSchemaBound certificate is backed by a constructive witness and a dangling reference can never be certified.certifySchemaBound+certifySchemaBoundSound(aProvenverdict provably entails the property), andschemaBoundIsLevelTwo : levelNat SchemaBound = 2.Proven) and negative control (thessndangling reference provably cannot be certified).src/interface/abi/typedqliser-abi.ipkg.RSR Quality Checklist
Required
just testor equivalent) — ABI package builds clean (see Testing); change is ABI-onlyjust fmtor equivalent)idris2 --buildemits zero warningsunsafeblocks without// SAFETY:comments — none presentbelieve_me,unsafeCoerce,Obj.magic,Admitted,sorry) — proofs are genuine (replace/the/sym/absurdonly).envfiles includedAs Applicable
src/interface/abi/andsrc/interface/ffi/stay consistentTesting
Verified with Idris2 0.7.0 (bootstrapped from source):
Adversarial verification — three deliberately-false proofs were checked in a throwaway module (not committed) and the type checker rejected all three (exit 1):
levelNat SchemaBound = 3(it is 2) — rejected.Elem "ssn" ["id","name","email"]— rejected (no witness exists).QuerySchemaBound exampleSchema unboundQuerywitness for the dangling-reference query — rejected.The generated
build/directory was removed and is not committed.🤖 Generated with Claude Code
https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Generated by Claude Code