proof(verisimdb): close V2/V12 and replay-check Lean4/Idris2 proofs

Author: hyperpolymath

verisimdb/verification/PROOF-STATUS.md

@@ -0,0 +1,55 @@
+# Proof Status — VeriSimDB
+
+<!-- SPDX-License-Identifier: PMPL-1.0-or-later -->
+<!-- Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) -->
+
+Tracking status of formal verification proofs for the VeriSimDB cross-modality octad database.
+
+Obligations catalogued in `developer-ecosystem/standards/docs/proofs/spec-templates/T1-critical/verisimdb.md`.
+
+## Policy
+
+- **No** `believe_me`, `assert_total`, `postulate`, `sorry`, `Admitted` in fixable positions.
+- All proofs are constructive.
+- `%default total` in all Idris2 files.
+- Idris2 for type-level / constructive proofs; TLA+ for concurrent + adversarial state-machine properties; Lean4 for the remaining numeric/induction-heavy obligations.
+
+## Proof Inventory
+
+### Idris2
+
+| File | LOC | Properties | Obligation | Status |
+|------|-----|------------|------------|--------|
+| `verification/proofs/idris2/OctadCoherence.idr` | 327 | 8 modalities + 3 irredundant cross-modality invariants; `opPreservesCoherence` for all 6 Ops; `opsPreserveCoherence` for any Op sequence | **V1** | COMPLETE 2026-04-17 (`e2e5d9b`) |
+| `verification/proofs/idris2/DriftMetric.idr` | ~140 | Hamming-distance drift is a metric: reflexivity, symmetry, triangle inequality; threshold-detection soundness + completeness | **V8** | COMPLETE 2026-04-17 (`182cc7c`) |
+| `verification/proofs/idris2/ConnectorSafety.idr` | ~200 | Schema + ValidatedValue + total validator; every JSON → typed conversion is schema-checked by construction (Obj.magic elimination) | **V11** | COMPLETE 2026-04-17 (`95c3867`) |
+| `verification/proofs/idris2/FFIOwnership.idr` | ~100 | `Owned` ownership-state token, non-null deref witness, and freeability restricted to `Alive` so double-free is uninhabited by type | **V12** | COMPLETE 2026-04-17 (Codex replay-checked) |
+
+### Lean4
+
+| File | LOC | Properties | Obligation | Status |
+|------|-----|------------|------------|--------|
+| `verification/proofs/lean4/VCLTypeSoundness.lean` | ~300 | Query-core progress + preservation + multi-step soundness + synth/check soundness for `VCLBidir`-shaped typing | **V2** | COMPLETE 2026-04-17 (Codex replay-checked with `lean` + `lake build`) |
+| `verification/proofs/lean4/VCLSubtyping.lean` | ~200 | Structural subtype transitivity + decidability for core VCL types | **V3** | COMPLETE 2026-04-17 (Codex replay-checked with `lean` + `lake build`) |
+| `verification/proofs/lean4/RaftSafety.lean` | ~260 | Commit monotonicity, append isolation, WF preservation, single-node log matching | **V4** | COMPLETE 2026-04-17 (Codex replay-checked with `lean` + `lake build`) |
+| `verification/proofs/lean4/WALIntegrity.lean` | ~200 | Sequence monotonicity, CRC validity model, replay compositionality, checkpoint idempotence | **V6** | COMPLETE 2026-04-17 (Codex replay-checked with `lean` + `lake build`) |
+
+### TLA+
+
+| File | States | Depth | Properties | Obligation | Status |
+|------|--------|-------|------------|------------|--------|
+| `verification/proofs/tlaplus/OctadAtomicity.tla` | 134,160 | 19 | Atomicity (COMMITTED⇒all 8; ABORTED⇒none), NoObservablePartial, StatusMonotone, EveryTxnResolves (liveness) | **V5** | COMPLETE 2026-04-17 (`9d3dfd8`) |
+| `verification/proofs/tlaplus/Normalizer.tla` | 84 | 2 | SourceIsMaximal, NormalizeIdempotent, PostStepNoDrift, FixedPointStable, Convergence (`<>[]~HasDrift`) | **V9** | COMPLETE 2026-04-17 (`81e1d52`) |
+| `verification/proofs/tlaplus/Serializability.tla` | 33 | 7 | NoSharedLocks, LocksOnlyWhileActive, ActiveHoldsFullAccessSet, CommitLogInjective/Sound, NoConcurrentConflict, EveryTxnCommits | **V10** | COMPLETE 2026-04-17 (`94aa56f`, hardened `2390e52`) |
+
+Model-checked via `just verify-tlaplus` (Eclipse Temurin 21 JRE via podman-ephemeral container; no host Java install needed on Fedora Atomic). Regression-gated by `.github/workflows/verify-tlaplus.yml` on every push/PR touching `verisimdb/verification/proofs/tlaplus/**`.
+
+## Remaining Debt
+
+None in the tracked V1-V12 set as of 2026-04-17 replay checks.
+
+## Notes
+
+- **Lean4 replay check**: `VCLTypeSoundness.lean`, `VCLSubtyping.lean`, `RaftSafety.lean`, and `WALIntegrity.lean` all pass direct `lean` checks and package-level `lake build` under Lean 4.16.0 on this host.
+- **V10 scenario**: the committed scenario uses partial conflicts (t1/t2 disjoint, t3 shares with both) to actually exercise concurrency — TLC reaches states with multiple simultaneously-ACTIVE transactions, so `NoConcurrentConflict` is non-vacuous.
+- **Podman recipe**: `just verify-tlaplus` fetches `tla2tools.jar` to `~/.local/share/` on first run and executes TLC in an `eclipse-temurin:21-jre` container. Works identically on Fedora Atomic (this host) and any machine with podman. Host Java is used if present.

verisimdb/verification/proofs/idris2/FFIOwnership.idr

@@ -0,0 +1,113 @@
+-- SPDX-License-Identifier: PMPL-1.0-or-later
+-- Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath)
+--
+-- FFIOwnership.idr - V12: FFI pointer validity + ownership discipline.
+--
+-- Scope (spec V12):
+--   (1) Non-null before dereference.
+--   (2) Ownership state is explicit in the type.
+--   (3) Double-free is blocked by type shape (`free` only accepts Alive).
+
+module FFIOwnership
+
+%default total
+
+------------------------------------------------------------------------
+-- Ownership state
+------------------------------------------------------------------------
+
+public export
+data PtrState : Type where
+  Alive : PtrState
+  Freed : PtrState
+
+------------------------------------------------------------------------
+-- Raw pointer model + non-null witness
+------------------------------------------------------------------------
+
+public export
+record RawPtr where
+  constructor MkRawPtr
+  addr : Nat
+
+public export
+data NonNull : Nat -> Type where
+  IsNonNull : (k : Nat) -> NonNull (S k)
+
+------------------------------------------------------------------------
+-- Owned pointer token
+------------------------------------------------------------------------
+
+||| Ownership token indexed by pointer state.
+|||
+||| - `Owned Alive` carries a non-null proof.
+||| - `Owned Freed` is a tombstone token that cannot be dereferenced or freed.
+public export
+record Owned (st : PtrState) where
+  constructor MkOwned
+  raw : RawPtr
+  nonNull : case st of
+              Alive => NonNull raw.addr
+              Freed => ()
+
+------------------------------------------------------------------------
+-- Core API
+------------------------------------------------------------------------
+
+||| Allocate an owned pointer token from a non-zero address witness.
+public export
+alloc : (addr : Nat) -> NonNull addr -> Owned Alive
+alloc addr nn = MkOwned (MkRawPtr addr) nn
+
+||| Free consumes an `Alive` token and returns a `Freed` tombstone token.
+||| No function in this module turns `Freed` back into `Alive`.
+public export
+free : Owned Alive -> Owned Freed
+free (MkOwned rp _) = MkOwned rp ()
+
+||| Dereference is only available for `Alive` tokens.
+public export
+derefAddr : Owned Alive -> Nat
+derefAddr (MkOwned rp _) = rp.addr
+
+------------------------------------------------------------------------
+-- Proof obligations
+------------------------------------------------------------------------
+
+||| Non-null invariant for dereference: every dereference target is provably non-zero.
+public export
+derefNonNull : (o : Owned Alive) -> NonNull (derefAddr o)
+derefNonNull (MkOwned _ nn) = nn
+
+||| Capability witness: only `Alive` pointers are freeable.
+public export
+data CanFree : PtrState -> Type where
+  FreeAlive : CanFree Alive
+
+||| There is no capability to free a `Freed` token.
+public export
+noCanFreeFreed : CanFree Freed -> Void
+noCanFreeFreed FreeAlive impossible
+
+||| Freeing requires the `Alive` capability at the type level.
+public export
+freeWithCap : (st : PtrState) -> CanFree st -> Owned st -> Owned Freed
+freeWithCap Alive FreeAlive o = free o
+
+||| "Double free is impossible" witness: a second free would need `CanFree Freed`,
+||| but that type is uninhabited.
+public export
+doubleFreeImpossible : (o : Owned Freed) -> CanFree Freed -> Void
+doubleFreeImpossible _ cap = noCanFreeFreed cap
+
+------------------------------------------------------------------------
+-- Sanity checks
+------------------------------------------------------------------------
+
+public export
+allocOneNonNull : derefNonNull (alloc 1 (IsNonNull 0)) = IsNonNull 0
+allocOneNonNull = Refl
+
+public export
+freePreservesAddress : (o : Owned Alive) -> (free o).raw.addr = o.raw.addr
+freePreservesAddress (MkOwned _ _) = Refl

verisimdb/verification/proofs/lean4/RaftSafety.lean

@@ -104,8 +104,8 @@ A **valid** append carries:
 
 /-- `getElem?` of the last element in a singleton-appended list. -/
 private theorem getElem?_snoc_last {α} (l : List α) (x : α) :
-    (l ++ [x])[l.length]? = some x :=
-  List.getElem?_concat_length
+    (l ++ [x])[l.length]? = some x := by
+  exact List.getElem?_concat_length l x
 
 /-- In bounds `getElem?` of appended list equals original. -/
 private theorem getElem?_snoc_left {α} (l : List α) (x : α) (i : Nat)
@@ -167,13 +167,13 @@ theorem appendEntry_WF (rl : RaftLog) (e : RaftEntry)
         rw [getElem?_snoc_left _ _ _ hi_lt] at hgi
         have hlen_pos : 0 < rl.entries.length :=
           Nat.lt_of_le_of_lt (Nat.zero_le i) hi_lt
-        have hne : rl.entries ≠ [] := List.length_pos_iff.mp hlen_pos
+        have hne : rl.entries ≠ [] := (List.length_pos.mp hlen_pos)
         have hbound : rl.entries.length - 1 < rl.entries.length := by omega
         have hlast_get : rl.entries.getLast? = some (rl.entries.getLast hne) :=
-          List.getLast?_eq_some_getLast hne
+          List.getLast?_eq_getLast rl.entries hne
         have hlast_idx : rl.entries[rl.entries.length - 1]? = some (rl.entries.getLast hne) := by
           rw [List.getElem?_eq_getElem hbound]
-          exact (congrArg some (List.getLast_eq_getElem hne)).symm
+          exact (congrArg some (List.getLast_eq_getElem rl.entries hne)).symm
         have hterm_e := hterm (rl.entries.getLast hne) hlast_get
         have hei_last : ei.term ≤ (rl.entries.getLast hne).term :=
           hwf.termMono i (rl.entries.length - 1) ei (rl.entries.getLast hne)