Skip to content

feat(ffi/zig): formal ABI verification — comptime proofs + boundary tests#247

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/vigilant-carson-ufu47c
Jun 24, 2026
Merged

feat(ffi/zig): formal ABI verification — comptime proofs + boundary tests#247
hyperpolymath merged 1 commit into
mainfrom
claude/vigilant-carson-ufu47c

Conversation

@hyperpolymath

@hyperpolymath hyperpolymath commented Jun 24, 2026

Copy link
Copy Markdown
Owner

Summary

  • ffi/zig/src/abi_axioms.zig — standalone file (no imports) declaring every ABI-crossing numeric constant as comptime_int and proving invariants via @compileError. Pure compile-time step: zig build abi-axioms.
  • ffi/zig/src/abi_verify.zig — 40 tests: §A comptime cross-module proofs (live Zig types vs axioms), §B–E exhaustive C-ABI boundary tests (catalogue, invocation shim, hash constants, safety), §F thread-safety spot check. Run with zig build abi-verify.
  • Zig 0.16 mutex migrationstd.Thread.Mutex was removed; 9 FFI modules patched with a local Mutex wrapper over std.atomic.Mutex + spinLoopHint(). Call sites unchanged.
  • docs/zig-ffi-verification.adoc — documents the verification methodology, evidence taxonomy ([STATIC]/[CROSS]/[RUNTIME]/[ASSUMED]), trust chain (Idris2 → axioms → comptime → tests), known gaps, and how to run.

Verification results

zig build abi-axioms abi-verify
Build Summary: 6/6 steps succeeded; 40/40 tests passed

Trust taxonomy

Tag Meaning
[STATIC] comptime in same file — binary cannot violate it
[CROSS] comptime cross-module in abi_verify.zig — fires at compile time
[RUNTIME] Exhaustive boundary test at run time
[ASSUMED] Cross-language contract (Idris2↔Zig) underprovable by either tool alone

Known gaps (documented in §A.6 / docs)

  • Loader import conflict: loader.zig uses @import("catalogue.zig") (relative path), preventing it from being imported alongside catalogue in abi_verify.zig. Fix: change to @import("catalogue").
  • C header alignment: generated/abi/boj_catalogue.h #define values are not auto-checked against axioms. Manual cross-check confirms parity at time of writing.

Test plan

  • zig build abi-axioms — compile-time proofs green
  • zig build abi-verify — 40/40 tests pass
  • zig build seams shim — existing tests unaffected (38/38 pass)
  • Review docs/zig-ffi-verification.adoc for accuracy

🤖 Generated with Claude Code

https://claude.ai/code/session_01F8pqMfJViUaKabWKNQ9wUg

Generated by Claude Code

@claude
feat(ffi/zig): formal ABI verification with comptime proofs + boundar…
e259f83 
…y tests

Adds two new Zig modules that establish the FFI ABI invariants as
machine-checked axioms and verify them exhaustively:

- `ffi/zig/src/abi_axioms.zig`: standalone file (no imports) declaring
  every ABI-crossing numeric constant as a comptime_int and proving
  invariants at compile time via `@compileError`. Four axiom domains:
  invocation (RC_* codes), catalogue (status/protocol/domain/tier/bounds),
  loader (hash lengths, LOADER_MATCH≠CAT_OK trap), safety (SAFETY_SAFE≠0
  trap).  `zig build abi-axioms` is a pure compile-time proof step.

- `ffi/zig/src/abi_verify.zig`: cross-checks live Zig enum/constant values
  against the axioms at compile time (§A), then runs 40 runtime boundary
  tests (§B catalogue, §C invocation shim, §D hash constants, §E safety,
  §F thread-safety).  `zig build abi-verify` runs 40 tests.

Trust taxonomy used throughout: [STATIC] comptime in-file, [CROSS] comptime
cross-module, [RUNTIME] boundary test, [ASSUMED] cross-language contract.

Also fixes Zig 0.16 API break: `std.Thread.Mutex` was removed. Nine FFI
modules (catalogue, loader, sla, coprocessor, community, sdp, guardian,
verisimdb, federation) are migrated to a local Mutex wrapper over
`std.atomic.Mutex` + `spinLoopHint()`. The wrapper preserves the
`.lock()/.unlock()` API so call sites are unchanged.

Adds `docs/zig-ffi-verification.adoc` documenting the verification
methodology, evidence taxonomy, known gaps (loader import conflict, C
header alignment, Idris2 cross-language contract), and how to run.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01F8pqMfJViUaKabWKNQ9wUg
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 24, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed
View logs		 boj-server e259f83 Jun 24 2026, 04:02 PM

@hyperpolymath hyperpolymath marked this pull request as ready for review June 24, 2026 16:04
@hyperpolymath hyperpolymath merged commit 3077b4f into main Jun 24, 2026
18 of 19 checks passed
@hyperpolymath hyperpolymath deleted the claude/vigilant-carson-ufu47c branch June 24, 2026 16:04
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 25, 2026
View reviewed changes
Comment thread ffi/zig/src/abi_verify.zig
@@ -0,0 +1,726 @@
// SPDX-License-Identifier: MPL-2.0
@github-actions

github-actions Bot commented Jun 25, 2026

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 218 issues detected

Severity Count
🔴 Critical 15
🟠 High 131
🟡 Medium 72

⚠️ Action Required: Critical security issues found!

View findings 
[
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "pages-deploy.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in pages-deploy.yml",
    "type": "missing_timeout_minutes",
    "file": "pages-deploy.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard-enforcer.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "codeql_missing_actions_language",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@github-actions

github-actions Bot commented Jun 25, 2026

Copy link
Copy Markdown

🏁 path-claims bench

Commit c1f6a3e

Numbers 
path-claims bench  (node v22.23.0)

  scenario                                              iters       ms        ns/op          ops/s
  --------------------------------------------------------------------------------------------------------------
  register: 10 active claims, 3 new paths               50000 iters    191 ms      3.83 µs/op    261.0k ops/s
  register: 100 active claims, 3 new paths              20000 iters    341 ms     17.07 µs/op     58.6k ops/s
  register: 1000 active claims, 3 new paths              5000 iters   1377 ms    275.41 µs/op      3.6k ops/s
  register: 100 active claims, 20 new paths              5000 iters    478 ms     95.75 µs/op     10.4k ops/s

  pathsOverlap: deep diverge at segment 4             1000000 iters    171 ms     171.9 ns/op     5.82M ops/s
  pathsOverlap: short prefix match                    1000000 iters    145 ms     145.1 ns/op     6.89M ops/s

  refresh (existing claim)                             100000 iters     10 ms     108.5 ns/op     9.22M ops/s
  list (100 active claims)                              50000 iters    386 ms      7.74 µs/op    129.2k ops/s

  (Bench numbers depend on host; use deltas across commits, not absolute values.)

Host-dependent — compare deltas across commits, not absolute values.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer
@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hyperpolymath @github-advanced-security @claude