Make all STSs in the Agda spec executable

Author: javierdiaz72

docs/agda-spec/src/Interface/HasOrder.agda

@@ -64,7 +64,7 @@ module _ {a} {A : Set a} where
       <-asymmetric : Asymmetric _<_
       <-asymmetric = ≤-antisym⇒<-asym ≤-antisym
 
-      open IsEquivalence ≈-isEquivalence renaming (sym to ≈-sym)
+      open IsEquivalence ≈-isEquivalence using () renaming (sym to ≈-sym) public
 
       <-trans : Transitive _<_
       <-trans i<j j<k =
@@ -78,20 +78,51 @@ module _ {a} {A : Set a} where
       <⇒¬>⊎≈ x<y (inj₁ y<x) = <-asymmetric x<y y<x
       <⇒¬>⊎≈ x<y (inj₂ x≈y) = <-irrefl (≈-sym x≈y) x<y
 
+      ≥⇒≮ : ∀ {x y} → y ≤ x → ¬ (x < y)
+      ≥⇒≮ y≤x x<y = contradiction (to ≤⇔<∨≈ y≤x) (<⇒¬>⊎≈ x<y)
+
+    open HasPartialOrder ⦃...⦄
+
     record HasDecPartialOrder : Set (sucˡ a) where
       field
         ⦃ hasPartialOrder ⦄ : HasPartialOrder
         ⦃ dec-≤ ⦄ : _≤_ ⁇²
         ⦃ dec-< ⦄ : _<_ ⁇²
 
+    record HasTotalOrder : Set (sucˡ a) where
+      field
+        ⦃ hasPartialOrder ⦄ : HasPartialOrder
+        ≤-total : Total _≤_
+
+      ≤-isTotalOrder : IsTotalOrder _≈_ _≤_
+      ≤-isTotalOrder = record { isPartialOrder = ≤-isPartialOrder ; total = ≤-total }
+
+      ≮⇒≥ : Decidable _≈_ → ∀ {x y} → ¬ (x < y) → y ≤ x
+      ≮⇒≥ _≈?_ {x} {y} x≮y with x ≈? y | ≤-total y x
+      ... | yes x≈y  | _        = IsPreorder.reflexive ≤-isPreorder (≈-sym x≈y)
+      ... | _        | inj₁ y≤x = y≤x
+      ... | no  x≉y  | inj₂ x≤y = contradiction (≤∧≉⇒< (x≤y , x≉y)) x≮y
+
+    open HasTotalOrder ⦃...⦄
+
+    record HasDecTotalOrder : Set (sucˡ a) where
+      field
+        ⦃ hasTotalOrder ⦄ : HasTotalOrder
+        ⦃ dec-≤ ⦄ : _≤_ ⁇²
+        ⦃ dec-< ⦄ : _<_ ⁇²
+
   HasPreorder≡ = HasPreorder {_≈_ = _≡_}
   HasDecPreorder≡ = HasDecPreorder {_≈_ = _≡_}
   HasPartialOrder≡ = HasPartialOrder {_≈_ = _≡_}
   HasDecPartialOrder≡ = HasDecPartialOrder {_≈_ = _≡_}
+  HasTotalOrder≡ = HasTotalOrder {_≈_ = _≡_}
+  HasDecTotalOrder≡ = HasDecTotalOrder {_≈_ = _≡_}
 
 open HasPreorder ⦃...⦄ public
 open HasPartialOrder ⦃...⦄ public hiding (hasPreorder)
 open HasDecPartialOrder ⦃...⦄ public hiding (hasPartialOrder)
+open HasTotalOrder ⦃...⦄ public hiding (hasPartialOrder)
+open HasDecTotalOrder ⦃...⦄ public hiding (hasTotalOrder)
 
 module _ {a} {A : Set a} {_≈_ : Rel A a} where
 

docs/agda-spec/src/Interface/HasOrder/Instance.agda

@@ -16,6 +16,9 @@ instance
   ℕ-hasPartialOrder = HasPartialOrder ∋ record
     { ≤-antisym = Nat.≤-antisym }
   ℕ-hasDecPartialOrder = HasDecPartialOrder {A = ℕ} ∋ record {}
+  ℕ-hasTotalOrder = HasTotalOrder ∋ record
+    { ≤-total = Nat.≤-total }
+  ℕ-hasDecTotalOrder = HasDecTotalOrder {A = ℕ} ∋ record {}
 
   import Data.Integer.Properties as Int hiding (_≟_)
   ℤ-hasPreorder = HasPreorder ∋ record {Int; ≤⇔<∨≈ = let open Int in mk⇔
@@ -29,3 +32,6 @@ instance
   ℚ-hasPreorder = hasPreorderFromNonStrict Rat.≤-isPreorder _≟_
   ℚ-hasPartialOrder = HasPartialOrder ∋ record { ≤-antisym = Rat.≤-antisym }
   ℚ-hasDecPartialOrder = HasDecPartialOrder {A = ℚ} ∋ record {}
+  ℚ-hasTotalOrder = HasTotalOrder ∋ record
+    { ≤-total = Rat.≤-total }
+  ℚ-hasDecTotalOrder = HasDecTotalOrder {A = ℚ} ∋ record {}

docs/agda-spec/src/InterfaceLibrary/Ledger.lagda

@@ -27,10 +27,13 @@ record LedgerInterface : Type₁ where
     NewEpochState      : Type
     getPParams         : NewEpochState → PParams
     getEpoch           : NewEpochState → Epoch
-    getPoolDistr       : NewEpochState → PoolDistr 
+    getPoolDistr       : NewEpochState → PoolDistr
     adoptGenesisDelegs : NewEpochState → Slot → NewEpochState
     _⊢_⇀⦇_,NEWEPOCH⦈_  : ⊤ → NewEpochState → Epoch → NewEpochState → Type
 \end{code}
+\begin{code}[hide]
+    ⦃ Computational-NEWEPOCH ⦄ : Computational _⊢_⇀⦇_,NEWEPOCH⦈_ String
+\end{code}
 \caption{Ledger interface}
 \label{fig:interface:ledger}
 \end{figure*}

docs/agda-spec/src/Ledger/Crypto.lagda

@@ -5,6 +5,12 @@ module Ledger.Crypto where
 
 open import Ledger.Prelude hiding (T)
 
+module _ (M : Type↑) where
+  _⁴ : ∀ {ℓ} {A B C D : Type ℓ} → (A → B → C → D → Type ℓ) → Type _
+  _⁴ _~_~_~_ = ∀ {x y z w} → M (x ~ y ~ z ~ w)
+
+_⁇⁴ = _⁇ ⁴
+
 \end{code}
 
 \subsection{Serialization}
@@ -20,7 +26,7 @@ record Serializer : Type₁ where
 \begin{code}
         Ser             : Type
         encode          : {T : Type} → T → Ser
-        decode          : {T : Type} → Ser → T
+        decode          : {T : Type} → Ser → Maybe T
         _∥_             : Ser → Ser → Ser
 \end{code}
 \emph{Properties}
@@ -29,7 +35,7 @@ record Serializer : Type₁ where
         enc-dec-correct :
 \end{code}
 \begin{code}
-          ∀ {T : Type} (x : T) → decode (encode x) ≡ x
+          ∀ {T : Type} (x : T) → decode (encode x) ≡ just x
 \end{code}
 \caption{Definitions for serialization}
 \label{fig:defs:serialization}
@@ -136,7 +142,7 @@ record KESScheme (srl : Serializer) : Type₁ where
 \end{code}
 \emph{Properties}
 \begin{code}[hide]
-  field -- ⦃ Dec-isSigned ⦄ : isSigned ⁇⁴ -- TODO: Define ⁇⁴ if needed
+  field ⦃ Dec-isSigned ⦄ : isSigned ⁇⁴
         isSigned-correct :
 \end{code}
 \begin{code}        

docs/agda-spec/src/Ledger/Types/Epoch.agda

@@ -17,12 +17,12 @@ additionVia sucFun (suc l) r = sucFun (additionVia sucFun l r)
 
 record EpochStructure : Type₁ where
   field Slotʳ     : Semiring 0ℓ 0ℓ
-        KESPeriod : Type; ⦃ DecEq-KESPeriod ⦄ : DecEq KESPeriod; ⦃ HasPreorder-KESPeriod ⦄ : HasPreorder≡ {A = KESPeriod}
         Epoch     : Type; ⦃ DecEq-Epoch ⦄ : DecEq Epoch; ⦃ Show-Epoch ⦄ : Show Epoch
+        KESPeriod : Type; ⦃ DecEq-KESPeriod ⦄ : DecEq KESPeriod; ⦃ DecTo-KESPeriod ⦄ : HasDecTotalOrder≡ {A = KESPeriod}
 
   Slot = Semiring.Carrier Slotʳ
 
-  field ⦃ DecPo-Slot ⦄                : HasDecPartialOrder≡ {A = Slot}
+  field ⦃ DecTo-Slot ⦄                : HasDecTotalOrder≡ {A = Slot}
         ⦃ DecEq-Slot ⦄                : DecEq Slot
 
         epoch                         : Slot → Epoch

docs/agda-spec/src/Makefile

@@ -39,3 +39,7 @@ clean:
 	       $(LATEX_DIR)/$(PDF_NAME).*\
 	       $(LATEX_DIR)/*.aux\
 	       $(OUT_DIR)/
+
+wipe: clean
+	rm -rf $(LATEX_DIR)/Spec\
+	       $(OUT_DIR)/

docs/agda-spec/src/Spec/BlockDefinitions.lagda

@@ -31,6 +31,9 @@ record BlockStructure : Type₁ where
     HashBBody  : Type -- hash of a block body
     VRFRes     : Type -- VRF result value
 \end{code}
+\begin{code}[hide]
+    ⦃ DecEq-HashHeader ⦄ : DecEq HashHeader
+\end{code}
 \emph{Concrete types}
 \begin{code}
   BlockNo = ℕ -- block number

docs/agda-spec/src/Spec/ChainHead/Properties.agda

@@ -0,0 +1,110 @@
+{-# OPTIONS --safe #-}
+
+open import InterfaceLibrary.Ledger
+open import Spec.BaseTypes using (Nonces)
+open import Spec.BlockDefinitions
+open import Ledger.Crypto
+open import Ledger.Script
+open import Ledger.Types.Epoch
+open import Data.Rational.Ext
+
+module Spec.ChainHead.Properties
+  (crypto : _) (open Crypto crypto)
+  (nonces : Nonces crypto) (open Nonces nonces)
+  (es     : _) (open EpochStructure es)
+  (ss     : ScriptStructure crypto es) (open ScriptStructure ss)
+  (bs     : BlockStructure crypto nonces es ss) (open BlockStructure bs)
+  (af     : _) (open AbstractFunctions af)
+  (li     : LedgerInterface crypto es ss) (let open LedgerInterface li)
+  (rs     : _) (open RationalExtStructure rs)
+  where
+
+open import Ledger.Prelude
+open import Ledger.PParams crypto es ss using (PParams; ProtVer)
+open import Spec.TickForecast crypto es ss li
+open import Spec.TickForecast.Properties crypto es ss li
+open import Spec.TickNonce crypto es nonces
+open import Spec.TickNonce.Properties crypto es nonces
+open import Spec.Protocol crypto nonces es ss bs af rs
+open import Spec.Protocol.Properties crypto nonces es ss bs af rs
+open import Spec.ChainHead crypto nonces es ss bs af li rs
+
+instance
+
+  prtlSeqChecks⁇ : prtlSeqChecks ⁇²
+  prtlSeqChecks⁇ {nothing}                    {_}  .dec = yes tt
+  prtlSeqChecks⁇ {lab@(just ⟦ bℓ , sℓ , _ ⟧ℓ)} {bh} .dec =
+    sℓ     <? slot       ×-dec
+    bℓ + 1 ≟  blockNo    ×-dec
+    ph     ≟  prevHeader
+    where
+      open BHBody (proj₁ bh)
+      ph = lastAppliedHash lab
+
+chainChecks? : ∀ maxpv ps bh → Dec (chainChecks maxpv ps bh)
+chainChecks? maxpv (maxBHSize , maxBBSize , protocolVersion) bh =
+  m             ≤? maxpv     ×-dec
+  headerSize bh ≤? maxBHSize ×-dec
+  bodySize      ≤? maxBBSize
+  where
+    m = proj₁ protocolVersion
+    open BHBody (proj₁ bh)
+
+instance
+
+  _ = Monad-ComputationResult
+
+  Computational-CHAINHEAD : Computational _⊢_⇀⦇_,CHAINHEAD⦈_ String
+  Computational-CHAINHEAD = record {Go} where
+    open Computational ⦃...⦄ renaming (computeProof to comp; completeness to complete)
+    computeTICKF = comp {STS = _⊢_⇀⦇_,TICKF⦈_}
+    computeTICKN = comp {STS = _⊢_⇀⦇_,TICKN⦈_}
+    computePRTCL = comp {STS = _⊢_⇀⦇_,PRTCL⦈_}
+    module Go
+      (nes : NewEpochState)
+      (s   : ChainHeadState) (let ⟦ cs , η₀ , ηv , ηc , ηh , lab ⟧ᶜˢ = s)
+      (bh  : BHeader)        (let (bhb , σ) = bh; open BHBody bhb)
+      where
+
+      e₁      = getEpoch nes
+      nₚₕ     = prevHashToNonce (lastAppliedHash lab)
+      lab′    = just ⟦ blockNo , slot , headerHash bh ⟧ℓ
+      ticknΓ  = ⟦ ηc , nₚₕ ⟧ᵗᵉ
+      ticknSt = ⟦ η₀ , ηh ⟧ᵗˢ
+      prtclSt = ⟦ cs , ηv , ηc ⟧ᵖˢ
+
+      computeProof : ComputationResult String (∃[ s′ ] nes ⊢ s ⇀⦇ bh ,CHAINHEAD⦈ s′)
+      computeProof = case ¿ prtlSeqChecks ¿² lab bh of λ where
+        (no _)    → failure "Failed in CHAINHEAD"
+        (yes psc) → do
+          (forecast , tickfStep) ← computeTICKF _ nes slot
+          let
+            e₂ = getEpoch forecast
+            ne = (e₁ ≠ e₂)
+            pp = getPParams forecast; open PParams
+            pd = getPoolDistr forecast
+          case chainChecks? MaxMajorPV (pp .maxHeaderSize , pp .maxBlockSize , pp .pv) bh of λ where
+            (no _)   → failure "Failed in CHAINHEAD"
+            (yes cc) → do
+              (⟦ η₀′ , _ ⟧ᵗˢ , ticknStep) ← computeTICKN ticknΓ ticknSt ne
+              (_             , prtclStep) ← computePRTCL ⟦ pd , η₀′ ⟧ᵖᵉ prtclSt bh
+              success (-, Chain-Head (psc , tickfStep , cc , ticknStep , prtclStep))
+
+      completeness : ∀ s′ → nes ⊢ s ⇀⦇ bh ,CHAINHEAD⦈ s′ → (proj₁ <$> computeProof) ≡ success s′
+      completeness ⟦ cs′ , η₀′ , ηv′ , ηc′ , ηh′ , lab′ ⟧ᶜˢ (Chain-Head (psc , tickfStep , cc , ticknStep , prtclStep))
+        with ¿ prtlSeqChecks ¿² lab bh
+      ... | no ¬psc = contradiction psc ¬psc
+      ... | yes _
+        with computeTICKF _ nes slot | complete _ nes _ _ tickfStep
+      ... | success (forecast , _) | refl
+        with
+          (let pp = getPParams forecast; open PParams
+           in chainChecks? MaxMajorPV (pp .maxHeaderSize , pp .maxBlockSize , pp .pv) bh)
+      ... | no ¬cc = contradiction cc ¬cc
+      ... | yes _
+        with
+          (let e₂ = getEpoch forecast; ne = (e₁ ≠ e₂)
+           in computeTICKN ticknΓ ticknSt ne) | complete ticknΓ ticknSt _ _ ticknStep
+      ... | success (⟦ η₀′ , _ ⟧ᵗˢ , _) | refl
+        with computePRTCL ⟦ getPoolDistr forecast , η₀′ ⟧ᵖᵉ prtclSt bh | complete ⟦ getPoolDistr forecast , η₀′ ⟧ᵖᵉ prtclSt _ _ prtclStep
+      ... | success _ | refl = refl

docs/agda-spec/src/Spec/OperationalCertificate.lagda

@@ -112,7 +112,7 @@ data _⊢_⇀⦇_,OCERT⦈_ where
     in
     ∙ c₀ ≤ kp
     ∙ kp < c₀ +ᵏ MaxKESEvo
-    ∙ ∃[ m ] just m ≡ currentIssueNo stpools cs hk × (n ≡ m ⊎ n ≡ suc m)
+    ∙ ∃[ m ] (just m ≡ currentIssueNo stpools cs hk × (n ≡ m ⊎ n ≡ suc m))
     ∙ isSignedˢ issuerVk (encode (vkₕ , n , c₀)) τ
     ∙ isSignedᵏ vkₕ t (encode bhb) σ
     ────────────────────────────────

docs/agda-spec/src/Spec/OperationalCertificate/Properties.agda

@@ -0,0 +1,55 @@
+{-# OPTIONS --safe #-}
+
+open import Ledger.Crypto
+open import Ledger.Script
+open import Ledger.Types.Epoch
+open import Spec.BaseTypes using (Nonces)
+open import Spec.BlockDefinitions
+
+module Spec.OperationalCertificate.Properties
+  (crypto : _) (open Crypto crypto)
+  (nonces : Nonces crypto) (open Nonces nonces)
+  (es     : _) (open EpochStructure es)
+  (ss     : ScriptStructure crypto es) (open ScriptStructure ss)
+  (bs     : BlockStructure crypto nonces es ss) (open BlockStructure bs)
+  (af     : _) (open AbstractFunctions af)
+  where
+
+open import Ledger.Prelude
+open import Data.Maybe.Relation.Unary.Any as M
+open import Spec.OperationalCertificate crypto nonces es ss bs af
+
+instance
+
+  Computational-OCERT : Computational _⊢_⇀⦇_,OCERT⦈_ String
+  Computational-OCERT = record {Go} where
+    module Go (stpools : OCertEnv) (cs : OCertState) (bh : BHeader) where
+      bhb = bh .proj₁; open BHBody bhb
+      σ = bh .proj₂
+      open OCert oc renaming (σ to τ)
+      hk = hash issuerVk
+      kp = kesPeriod slot
+      t = kp -ᵏ c₀
+
+      hyps = ¿ c₀ ≤ kp
+             × kp < c₀ +ᵏ MaxKESEvo
+             × M.Any (λ m → n ≡ m ⊎ n ≡ suc m) (currentIssueNo stpools cs hk)
+             × isSignedˢ issuerVk (encode (vkₕ , n , c₀)) τ
+             × isSignedᵏ vkₕ t (encode bhb) σ ¿
+
+      computeProof : ComputationResult String (∃[ cs′ ] stpools ⊢ cs ⇀⦇ bh ,OCERT⦈ cs′)
+      computeProof with hyps
+      ... | no ¬p = failure "Failed in OCERT"
+      ... | yes (p₁ , p₂ , p₃ , p₄ , p₅) = success (-, Update-OCert (p₁ , p₂ , satisfied× p₃ , p₄ , p₅))
+        where
+          satisfied× : ∀ {a p} {A : Set a} {y : Maybe A} {P : Pred A p} → M.Any P y → ∃[ x ] just x ≡ y × P x
+          satisfied× (just Px) = (-, refl , Px)
+
+      completeness : ∀ cs′ → stpools ⊢ cs ⇀⦇ bh ,OCERT⦈ cs′ → (proj₁ <$> computeProof) ≡ success cs′
+      completeness _ (Update-OCert (p₁ , p₂ , (_ , p , q) , p₄ , p₅))
+        with hyps
+      ... | yes prf rewrite dec-yes hyps prf .proj₂ = refl
+      ... | no ¬prf = contradiction (p₁ , p₂ , AnyP×≡→AnyP (Equivalence.to M.just-equivalence q) p , p₄ , p₅) ¬prf
+        where
+          AnyP×≡→AnyP : ∀ {a p} {A : Set a} {x : A} {y : Maybe A} {P : Pred A p} → M.Any P (just x) → just x ≡ y → M.Any P y
+          AnyP×≡→AnyP {P = P} prf eq = subst (M.Any P) eq prf