proof(verisimdb): close V10 (transaction serializability) in TLA+

Serializability.tla extends V5's atomicity claim (single transaction)
to concurrent transactions under atomic two-phase locking.

Protocol modelled:
  * Each txn declares a fixed read-set + write-set.
  * Begin(t) atomically acquires the whole access-set, or blocks.
  * Commit(t) releases all locks and appends t to the commit log.

Atomic acquisition rules out deadlock by construction; combined with
per-modality lock mutex, it also makes the commit log a conflict-
equivalent serial schedule of the concurrent execution.

Safety properties (composite SerializabilitySafe):
  * NoSharedLocks             -- 2PL mutex.
  * LocksOnlyWhileActive      -- IDLE/COMMITTED own no locks.
  * ActiveHoldsFullAccessSet  -- no partial acquisitions.
  * CommitLogInjective        -- each txn commits at most once.
  * CommitLogSound            -- log only contains COMMITTED txns.
  * NoConcurrentConflict      -- central serializability claim:
                                 two conflicting txns are never
                                 simultaneously ACTIVE.

Liveness: EveryTxnCommits -- every txn eventually commits under weak
fairness. (Atomic acquisition + finite conflict graph prevents
starvation.)

Scenario (fixed at module level, because TLC config cannot express
record literals): 3 txns × 3 modalities with every pair of txns
conflicting on at least one modality -- the smallest non-trivial
serializability test that forces full single-file schedule. 31
reachable states, depth 7, sub-second run.

Wiring: `just verify-tlaplus` now runs V5 (OctadAtomicity), V9
(Normalizer), and V10 (Serializability) in sequence.

Closes V10. This finishes the TLA+-shaped VeriSimDB proof obligations.
V2/V3/V4/V6 remain Lean4-blocked on mathlib bootstrap; V11/V12 are
Idris2-shaped and separately tracked.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

verisimdb/Justfile

@@ -64,8 +64,9 @@ verify-tlaplus:
                     -workers auto -config "$cfg" "$spec"
         fi
     }
-    run_tlc OctadAtomicity.tla OctadAtomicity.cfg
+    run_tlc OctadAtomicity.tla  OctadAtomicity.cfg
     run_tlc Normalizer.tla      Normalizer.cfg
+    run_tlc Serializability.tla Serializability.cfg
 
 # ── Test ───────────────────────────────────────────────────────
 

verisimdb/verification/proofs/tlaplus/README.adoc

@@ -67,15 +67,42 @@ Default config: 4 modalities (`graph`, `vector`, `semantic`,
 `document`), 3 distinct values, `MaxSteps=3`. 84 reachable states,
 finishes in < 1s. Verified 2026-04-17.
 
+== V10: Transaction serializability
+
+Specification: `Serializability.tla` +
+Configuration: `Serializability.cfg` +
+Source being verified: `rust-core/verisim-octad/src/transaction.rs` (concurrent path)
+
+Extends V5's single-transaction atomicity to concurrent transactions
+under atomic two-phase locking. Each transaction declares a fixed
+read-set + write-set; `Begin(t)` atomically acquires the whole
+access-set (or blocks), `Commit(t)` releases locks and appends to the
+commit log -- which is, by construction, a valid serial schedule.
+
+Safety (composite `SerializabilitySafe`):
+
+* `NoSharedLocks` -- 2PL mutex invariant.
+* `LocksOnlyWhileActive` -- IDLE/COMMITTED txns hold no locks.
+* `ActiveHoldsFullAccessSet` -- no partial lock acquisitions.
+* `CommitLogInjective` -- each txn commits at most once.
+* `CommitLogSound` -- log entries are only COMMITTED txns.
+* `NoConcurrentConflict` -- the central claim: two conflicting
+  transactions are never simultaneously ACTIVE, so every schedule is
+  conflict-equivalent to the commit-log order.
+
+Liveness: `EveryTxnCommits` -- every txn eventually commits (atomic
+acquisition rules out deadlock and therefore starvation under WF).
+
+Default scenario: 3 transactions (t1, t2, t3) × 3 modalities (m1, m2, m3)
+with every pair of txns conflicting on at least one modality. 31
+reachable states, depth 7, sub-second. Verified 2026-04-17.
+
 == Cross-references
 
-* `developer-ecosystem/standards/docs/proofs/spec-templates/T1-critical/verisimdb.md` -- V5, V9
-* `/home/hyper/Desktop/proof-debt-plan.md` -- Dependability / VeriSimDB V5, V9
+* `developer-ecosystem/standards/docs/proofs/spec-templates/T1-critical/verisimdb.md` -- V5, V9, V10
+* `/home/hyper/Desktop/proof-debt-plan.md` -- Dependability / VeriSimDB V5, V9, V10
 
-== Future specs in this directory
+== Remaining TLA+ work
 
-V10 (transaction serializability) is the remaining TLA+-shaped VeriSimDB
-obligation. It will land as a separate `Serializability.tla`; extend
-`verify-tlaplus` in the Justfile to include it. State-space concerns:
-V10 models concurrent transactions and may blow up past V5/V9's sub-
-second runs -- start with 2 transactions, widen cautiously.
+None at this tier. V5/V9/V10 close the TLA+-shaped VeriSimDB proof
+obligations. V2/V3/V4/V6 stay Lean4-blocked; V11/V12 are Idris2-shaped.

verisimdb/verification/proofs/tlaplus/Serializability.cfg

@@ -0,0 +1,20 @@
+\* SPDX-License-Identifier: PMPL-1.0-or-later
+\* TLC configuration for Serializability.tla (V10).
+\*
+\* The scenario (Txns, Modalities, TxnReads, TxnWrites) is fixed at module
+\* level because TLC config files cannot represent record literals. See the
+\* comment block in Serializability.tla for the scenario choice rationale.
+\*
+\* Expected state space: 3 txns × 3 status values × 2^3 lock-sets × commit
+\* log permutations. TLC prunes heavily via the Begin/Commit guards; actual
+\* reachable ~hundreds of states. Sub-second run.
+
+SPECIFICATION Spec
+
+INVARIANTS
+    SerializabilitySafe
+
+PROPERTIES
+    EveryTxnCommits
+
+CHECK_DEADLOCK FALSE

verisimdb/verification/proofs/tlaplus/Serializability.tla

@@ -0,0 +1,198 @@
+---------------------------- MODULE Serializability ----------------------------
+\* SPDX-License-Identifier: PMPL-1.0-or-later
+\* Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+\*
+\* V10: Conflict serializability for concurrent transactions on an octad.
+\* Corresponds to rust-core/verisim-octad/src/transaction.rs (concurrent path).
+\*
+\* V5 proved atomicity for a single transaction under crashes. V10 extends
+\* that to *multiple* concurrent transactions: the spec asserts that any
+\* concurrent execution is conflict-equivalent to some serial execution of
+\* the same transactions.
+\*
+\* Concurrency protocol modelled: atomic two-phase locking (2PL+atomic-acquire).
+\*   - Each transaction has a fixed access-set (reads \cup writes) declared at
+\*     design time (the TxnAccess constant).
+\*   - Begin(t) atomically acquires the full access-set, or blocks.
+\*   - Commit(t) releases locks and appends to the commit log.
+\* This rules out deadlock by construction (atomic acquisition) and by the
+\* same stroke makes the commit-log a valid serial schedule of the concurrent
+\* execution. The spec's job is to verify both claims.
+
+EXTENDS Naturals, FiniteSets, Sequences, TLC
+
+\* Scenario is fixed at module level because TLC config files cannot express
+\* record literals for TxnReads/TxnWrites, and this keeps a single-file spec
+\* straightforwardly model-checkable. Alternative scenarios live as separate
+\* .tla files.
+\*
+\* The scenario chosen: 3 transactions and 3 modalities, with pairwise
+\* conflicts forming a simple chain. This is the smallest non-trivial
+\* serializability test:
+\*   - t1 reads {m1, m2}, writes {m1}.   (conflicts with t2 on m1)
+\*   - t2 reads {m1},     writes {m2}.   (conflicts with t1 on m1,
+\*                                        with t3 on m2)
+\*   - t3 reads {m2},     writes {m3}.   (conflicts with t2 on m2)
+\* Every pair of txns has an overlapping access-set, so 2PL must serialise
+\* *some* total order on them. TLC explores all possible commit orders.
+
+Txns == {"t1", "t2", "t3"}
+Modalities == {"m1", "m2", "m3"}
+
+TxnReads  == [t \in Txns |->
+    CASE t = "t1" -> {"m1", "m2"}
+      [] t = "t2" -> {"m1"}
+      [] t = "t3" -> {"m2"}]
+
+TxnWrites == [t \in Txns |->
+    CASE t = "t1" -> {"m1"}
+      [] t = "t2" -> {"m2"}
+      [] t = "t3" -> {"m3"}]
+
+ASSUME Cardinality(Txns) >= 2       \* serializability is trivial for 1 txn
+ASSUME Cardinality(Modalities) >= 1
+ASSUME TxnReads \in [Txns -> SUBSET Modalities]
+ASSUME TxnWrites \in [Txns -> SUBSET Modalities]
+
+\* A transaction's access-set is everything it reads or writes. 2PL acquires
+\* the whole set atomically at Begin.
+AccessSet(t) == TxnReads[t] \cup TxnWrites[t]
+
+VARIABLES
+    txnStatus,      \* [Txns -> {"IDLE", "ACTIVE", "COMMITTED"}]
+    holdsLocks,     \* [Txns -> SUBSET Modalities] -- currently held
+    commitLog       \* Seq(Txns) -- commit order (the serial schedule)
+
+vars == <<txnStatus, holdsLocks, commitLog>>
+
+Status == {"IDLE", "ACTIVE", "COMMITTED"}
+
+TypeOK ==
+    /\ txnStatus \in [Txns -> Status]
+    /\ holdsLocks \in [Txns -> SUBSET Modalities]
+    /\ commitLog \in Seq(Txns)
+
+Init ==
+    /\ txnStatus = [t \in Txns |-> "IDLE"]
+    /\ holdsLocks = [t \in Txns |-> {}]
+    /\ commitLog = << >>
+
+--------------------------------------------------------------------------------
+\* Begin: atomically acquire all locks in AccessSet(t). Fires only if no other
+\* transaction currently holds any lock in AccessSet(t). Atomic acquisition
+\* is what rules out deadlock -- no partial lock sets ever exist.
+--------------------------------------------------------------------------------
+Begin(t) ==
+    /\ txnStatus[t] = "IDLE"
+    /\ \A other \in Txns:
+         (other /= t) => (holdsLocks[other] \cap AccessSet(t) = {})
+    /\ txnStatus' = [txnStatus EXCEPT ![t] = "ACTIVE"]
+    /\ holdsLocks' = [holdsLocks EXCEPT ![t] = AccessSet(t)]
+    /\ UNCHANGED commitLog
+
+--------------------------------------------------------------------------------
+\* Commit: release all locks, mark COMMITTED, append to serial log. Only an
+\* ACTIVE transaction (= one that has successfully acquired) can commit.
+--------------------------------------------------------------------------------
+Commit(t) ==
+    /\ txnStatus[t] = "ACTIVE"
+    /\ holdsLocks[t] = AccessSet(t)
+    /\ txnStatus' = [txnStatus EXCEPT ![t] = "COMMITTED"]
+    /\ holdsLocks' = [holdsLocks EXCEPT ![t] = {}]
+    /\ commitLog' = Append(commitLog, t)
+
+Next ==
+    \/ \E t \in Txns: Begin(t)
+    \/ \E t \in Txns: Commit(t)
+
+\* Fairness: every ACTIVE txn eventually commits, every IDLE txn eventually
+\* begins (or has no opportunity because all other txns hold its locks --
+\* but atomic acquisition means some txn always makes progress, so an IDLE
+\* txn cannot be permanently starved in this model).
+Spec == Init /\ [][Next]_vars
+        /\ \A t \in Txns: WF_vars(Begin(t) \/ Commit(t))
+
+--------------------------------------------------------------------------------
+\* Safety properties
+--------------------------------------------------------------------------------
+
+\* I1. Lock mutex: no two transactions hold overlapping locks simultaneously.
+\* This is the 2PL invariant; its violation would be a direct serializability
+\* failure.
+NoSharedLocks ==
+    \A t1, t2 \in Txns:
+        (t1 /= t2) => (holdsLocks[t1] \cap holdsLocks[t2] = {})
+
+\* I2. Locks are held only by ACTIVE transactions. IDLE and COMMITTED txns
+\* own no locks.
+LocksOnlyWhileActive ==
+    \A t \in Txns:
+        (txnStatus[t] \in {"IDLE", "COMMITTED"}) => (holdsLocks[t] = {})
+
+\* I3. Lock-set matches the txn's AccessSet when ACTIVE. No partial acquisitions.
+\* This is what atomic-Begin enforces structurally.
+ActiveHoldsFullAccessSet ==
+    \A t \in Txns:
+        (txnStatus[t] = "ACTIVE") => (holdsLocks[t] = AccessSet(t))
+
+\* I4. No duplicate commit log entries -- each txn commits at most once.
+CommitLogInjective ==
+    \A i, j \in 1..Len(commitLog):
+        (commitLog[i] = commitLog[j]) => (i = j)
+
+\* I5. Commit log only contains COMMITTED txns.
+CommitLogSound ==
+    \A i \in 1..Len(commitLog):
+        txnStatus[commitLog[i]] = "COMMITTED"
+
+\* I6. CENTRAL serializability claim: for any two committed conflicting txns
+\* (sharing a written modality), the one that appears earlier in the commit
+\* log is the one that accessed first. Because 2PL prevents overlap, this is
+\* always true -- the commit log IS a conflict-equivalent serial order.
+\*
+\* Formal statement: if t1 and t2 both appear in commitLog and they conflict
+\* (t1 writes some m that t2 reads or writes, or vice versa), then their
+\* relative order in commitLog is consistent with the (trivially unique)
+\* sequential order in which they held the shared lock. Since only one txn
+\* can hold a given lock at a time and locks are released at Commit, the txn
+\* committed earlier necessarily ran earlier. So the log IS the schedule.
+\*
+\* Operationally this reduces to: two conflicting txns both committed implies
+\* they don't appear "simultaneously" in the log -- which is trivially true
+\* of a sequence. What we really want to check is that ACTIVE sets of
+\* conflicting txns never co-exist. That is exactly NoSharedLocks when
+\* combined with ActiveHoldsFullAccessSet -- two ACTIVE txns have disjoint
+\* access-sets, so no WW / WR / RW conflict can be concurrent.
+NoConcurrentConflict ==
+    \A t1, t2 \in Txns:
+        (t1 /= t2
+         /\ txnStatus[t1] = "ACTIVE" /\ txnStatus[t2] = "ACTIVE"
+         /\ ((TxnWrites[t1] \cap (TxnReads[t2] \cup TxnWrites[t2])) /= {}
+             \/ (TxnWrites[t2] \cap (TxnReads[t1] \cup TxnWrites[t1])) /= {}))
+        => FALSE
+
+SerializabilitySafe ==
+    /\ TypeOK
+    /\ NoSharedLocks
+    /\ LocksOnlyWhileActive
+    /\ ActiveHoldsFullAccessSet
+    /\ CommitLogInjective
+    /\ CommitLogSound
+    /\ NoConcurrentConflict
+
+--------------------------------------------------------------------------------
+\* Liveness
+--------------------------------------------------------------------------------
+
+\* Every transaction eventually commits. Under atomic-acquire 2PL + WF, no
+\* transaction can be starved forever: every state has at least one enabled
+\* action (either some IDLE txn can Begin, since at most |Txns|-1 txns can
+\* be ACTIVE at once -- and a fully ACTIVE state has at least one Commit
+\* enabled; and after any Commit, freed locks re-enable some IDLE Begin).
+EveryTxnCommits ==
+    \A t \in Txns: <>(txnStatus[t] = "COMMITTED")
+
+THEOREM SerializabilitySafety == Spec => []SerializabilitySafe
+THEOREM AllCommit              == Spec => EveryTxnCommits
+
+================================================================================