proof: discharge charEqSym axiom (5→4) + TLA+ model of the Elixir JsWorker#251
Merged
Conversation
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed View logs |
boj-server | c5956d7 | Jun 24 2026, 05:52 PM |
…d base 5->4) charEqSym (symmetry of prim__eqChar) was classified a class-(J) NECESSARY axiom, but it is derivable from charEqSound: a True result forces propositional equality (collapsing both sides to the same expression), and a mixed True/False split is impossible under soundness. Replace the believe_me with a constructive proof. Verified by `idris2 --typecheck boj.ipkg` (Idris2 0.8.0, 17/17 modules clean) and `scripts/check-trusted-base.sh`. First (a) DISCHARGED entry under the trusted-base reduction policy (standards#203), reducing the sanctioned axiom count 5 -> 4. The survivors (charEqSound, unpackLength, appendLengthSum, substrLengthBound) remain genuinely irreducible over opaque Char/String primitives. Reconcile the count across the gate + docs and fix pre-existing drift: - scripts/check-trusted-base.sh: EXPECTED_AXIOMS 5 -> 4 - PROOF-NEEDS.md, docs/proof-debt.md: move charEqSym to (a); count 5 -> 4 - src/abi/README.adoc: correct believe_me enumeration (logSafeBounded is constructive, not a believe_me, but was wrongly listed); grade D -> C; CartridgeDispatch is in boj.ipkg (no longer WIP) - .machine_readable/6a2/STATE.a2ml: believe-me-count 5 -> 4 - docs/backend-assurance/prim__eqChar.md: charEqSym now a derived theorem Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y
…d (item 4)
Models BojRest.JsWorker (elixir/lib/boj_rest/js_worker.ex): a GenServer
pipelining concurrent requests to one persistent Deno Port, matched by id,
with a per-request 30s timeout and crash-replies-all + :one_for_one restart.
Closes the "Elixir harness has no formal coverage" gap on the proof axis
(the Idris2 ABI proofs end at the Zig FFI boundary; the BEAM-side protocol
was test-only). Formal-proof axis only — does not move the CRG grade.
TLC (Requests = {r1,r2,r3}) verifies, no error across 341 states / depth 8:
- ReplyOnce: no caller replied twice under any response/timeout/crash
interleaving (the Map.pop guard) -- headline result.
- Consistent + NoPendingWhileDown: crash clears pending atomically.
- EventuallyReplied (liveness): the 30s timer guarantees every request
terminates even if Deno hangs.
Sanity controls (ReachOk/ReachTimeout/ReachCrashed) are refuted, proving
non-vacuity -- all terminal reply kinds are reachable.
Future work (README): JsWorkerPool routing/supervision; the Invoker pool once
ADR-0005/0006 land (Invoker is fork-per-request today).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y
hyperpolymath
force-pushed
the
claude/awesome-davinci-8afqgy
branch
from
836c977 to
c5956d7
Compare
🔍 Hypatia Security ScanFindings: 219 issues detected
View findings[
{
"reason": "Action actions/checkout@v4 needs attention",
"type": "unpinned_action",
"file": "pages-deploy.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in pages-deploy.yml",
"type": "missing_timeout_minutes",
"file": "pages-deploy.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in push-email-notify.yml",
"type": "missing_timeout_minutes",
"file": "push-email-notify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "missing_timeout_minutes",
"file": "scorecard-enforcer.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in codeql.yml",
"type": "codeql_missing_actions_language",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
🏁 path-claims benchCommit NumbersHost-dependent — compare deltas across commits, not absolute values. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proof-completion work across two layers. Both pieces share this branch because the session is pinned to it; they are logically independent and reviewable as separate commits.
1 — ABI: discharge
charEqSymaxiom → constructive theorem (666c3e0)charEqSym : (x, y : Char) -> (x == y) = (y == x)was a class-(J)believe_meaxiom classified "genuinely unavoidable." It isn't — it is derivable fromcharEqSound(which the repo already has):x == y = True→charEqSoundgivesx = y, collapsing both sides → bothTrue;True/Falsesplit is impossible (soundness forces the contradiction);False→ trivially equal.No new axiom is introduced. This is the first
(a) DISCHARGEDentry under the trusted-base reduction policy (standards#203), dropping the sanctioned count 5 → 4. Survivors (charEqSound,unpackLength,appendLengthSum,substrLengthBound) remain genuinely irreducible over opaqueChar/Stringprimitives.Verified:
cd src/abi && idris2 --typecheck boj.ipkg→ 17/17 modules clean (Idris2 0.8.0, Chez 9.5.8);bash scripts/check-trusted-base.sh→ OK, 4 axioms. (Same run confirmsBoj.CartridgeDispatch/BJ1 still type-checks.)Count reconciled across
check-trusted-base.sh(EXPECTED_AXIOMS5→4),PROOF-NEEDS.md,docs/proof-debt.md(charEqSym → §(a)),STATE.a2ml, anddocs/backend-assurance/prim__eqChar.md. Also fixed pre-existing drift insrc/abi/README.adoc: it wrongly listedlogSafeBoundedas a believe_me (constructive since #116), said "graded D" (READINESS says C), and called CartridgeDispatch "WIP / not inboj.ipkg" (it's in-package and type-checks).2 — Elixir: TLA+ model of
BojRest.JsWorker(836c977)specs/elixir-harness/— a TLA+ model ofelixir/lib/boj_rest/js_worker.ex(GenServer pipelining concurrent requests to one persistent Deno Port, per-request 30 s timeout, crash-replies-all +:one_for_onerestart). Closes the "Elixir harness has no formal coverage" gap on the proof axis (the Idris2 proofs stop at the Zig FFI boundary).Verified with TLC (
Requests = {r1,r2,r3}, 341 states, no error):Map.popguard). Headline.pendingatomically.ReachOk/ReachTimeout/ReachCrashedsanity controls all refuted (all terminal outcomes reachable).Deferred (noted in the README): the
JsWorkerPoolrouting/supervision layer, and theInvokerpool once it exists (it's fork-per-request today — ADR-0005/0006).Scope
Items 1 + 2 (Idris ABI) and item 4 (Elixir model). Zig FFI/invariants (item 3) is out of scope (separate workstream). Also carries
ef959f0(priorallTakededup, not yet onmain). Neither piece moves the CRG grade — both are on the formal-proof axis, not the empirical/dogfooding axis.🤖 Generated with Claude Code
https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y
Generated by Claude Code