cedar-policy
diff --git a/‎cedar-lean/Cedar/Thm/TPE/Soundness.lean‎
Lines changed: 13 additions & 1151 deletions b/‎cedar-lean/Cedar/Thm/TPE/Soundness.lean‎
Lines changed: 13 additions & 1151 deletions
diff --git a/‎cedar-lean/Cedar/Thm/TPE/Soundness/And.lean‎
Lines changed: 190 additions & 0 deletions b/‎cedar-lean/Cedar/Thm/TPE/Soundness/And.lean‎
Lines changed: 190 additions & 0 deletions
diff --git a/‎cedar-lean/Cedar/Thm/TPE/Soundness/Basic.lean‎
Lines changed: 145 additions & 0 deletions b/‎cedar-lean/Cedar/Thm/TPE/Soundness/Basic.lean‎
Lines changed: 145 additions & 0 deletions
@@ -0,0 +1,190 @@
+/-
+ Copyright Cedar Contributors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-/
+
+
+import Cedar.TPE
+import Cedar.Spec
+import Cedar.Validation
+import Cedar.Thm.TPE.Input
+import Cedar.Thm.TPE.ErrorFree
+import Cedar.Thm.TPE.WellTyped
+import Cedar.Thm.Validation
+import Cedar.Thm.WellTyped
+import Cedar.Thm.Data.Control
+
+import Cedar.Thm.TPE.Soundness.Basic
+
+namespace Cedar.Thm
+
+open Cedar.Spec
+open Cedar.Validation
+open Cedar.TPE
+open Cedar.Thm
+
+theorem partial_evaluate_is_sound_and
+{x₁ x₂ : Residual}
+{req : Request}
+{es : Entities}
+{preq : PartialRequest}
+{pes : PartialEntities}
+{env : TypeEnv}
+(h₂ : InstanceOfWellFormedEnvironment req es env)
+(h₃ : RequestAndEntitiesRefine req es preq pes)
+(hᵢ₁ : Residual.WellTyped env x₁)
+(hᵢ₂ : Residual.WellTyped env x₂)
+(hᵢ₃ : x₁.typeOf = CedarType.bool BoolType.anyBool)
+(hᵢ₄ : x₂.typeOf = CedarType.bool BoolType.anyBool)
+(hᵢ₅ : Except.toOption (x₁.evaluate req es) = Except.toOption ((TPE.evaluate x₁ preq pes).evaluate req es))
+(hᵢ₆ : Except.toOption (x₂.evaluate req es) = Except.toOption ((TPE.evaluate x₂ preq pes).evaluate req es)) :
+  Except.toOption ((x₁.and x₂ (CedarType.bool BoolType.anyBool)).evaluate req es) =
+  Except.toOption ((TPE.evaluate (x₁.and x₂ (CedarType.bool BoolType.anyBool)) preq pes).evaluate req es)
+:= by
+  simp [TPE.evaluate, TPE.and]
+  split
+  case _ ty heq =>
+    simp [heq, Residual.evaluate] at hᵢ₅
+    have h₅ := to_option_right_ok' hᵢ₅
+    simp [Residual.evaluate, h₅, Result.as, Coe.coe, Value.asBool]
+    split
+    case _ heq₁ =>
+      have h₆ := residual_well_typed_is_sound h₂ hᵢ₂ heq₁
+      rw [hᵢ₄] at h₆
+      rcases instance_of_anyBool_is_bool h₆ with ⟨_, h₆⟩
+      replace hᵢ₆ := to_option_left_ok hᵢ₆ heq₁
+      simp only [h₆, Except.map_ok, hᵢ₆]
+    case _ heq₁ =>
+      simp only [Except.map_error]
+      rw [heq₁] at hᵢ₆
+      rcases to_option_left_err hᵢ₆ with ⟨_, hᵢ₆⟩
+      simp only [hᵢ₆, Except.toOption]
+  case _ heq =>
+    simp [heq, Residual.evaluate] at hᵢ₅
+    have h₅ := to_option_right_ok' hᵢ₅
+    simp [Residual.evaluate, h₅, Result.as, Coe.coe, Value.asBool, Residual.evaluate]
+  case _ heq =>
+    simp [heq, Residual.evaluate] at hᵢ₅
+    rcases to_option_right_err hᵢ₅ with ⟨_, hᵢ₅⟩
+    simp [Residual.evaluate, hᵢ₅, Result.as, Residual.evaluate, Except.toOption]
+  case _ heq _ _ _ =>
+    simp [heq, Residual.evaluate] at hᵢ₆
+    have h₅ := to_option_right_ok' hᵢ₆
+    simp [Residual.evaluate]
+    generalize h₆ : x₁.evaluate req es = res₁
+    cases res₁
+    case ok =>
+      have h₇ := residual_well_typed_is_sound h₂ hᵢ₁ h₆
+      rw [hᵢ₃] at h₇
+      rcases instance_of_anyBool_is_bool h₇ with ⟨_, h₇⟩
+      simp [h₇, Result.as, Coe.coe, Value.asBool]
+      split
+      case _ heq₁ =>
+        subst heq₁
+        rw [h₇] at h₆
+        rw [←h₆]
+        exact hᵢ₅
+      case _ heq₁ =>
+        simp [h₅]
+        simp at heq₁
+        subst heq₁
+        subst h₇
+        rw [←h₆]
+        exact hᵢ₅
+    case error =>
+      simp [h₆] at hᵢ₅
+      rcases to_option_left_err hᵢ₅ with ⟨_, hᵢ₅⟩
+      simp only [Except.toOption, Result.as, Except.bind_err, hᵢ₅]
+  case _ =>
+    simp [Residual.evaluate]
+    cases h₅ : x₁.evaluate req es
+    · simp [Result.as, Except.toOption]
+      cases h₆ : (TPE.evaluate x₁ preq pes).errorFree <;> simp
+      · split <;> simp
+        rename_i h₇
+        simp [Residual.evaluate] at h₇
+        rw [h₅] at hᵢ₅
+        simp [Except.toOption] at hᵢ₅
+        split at hᵢ₅ <;> try contradiction
+        clear hᵢ₅ ; rename_i hᵢ₅
+        simp [hᵢ₅, Result.as] at h₇
+      · split <;> simp
+        rename_i h₇
+        simp [Residual.evaluate] at h₇
+        subst h₇
+        rw [Residual.error_free_spec] at h₆
+        have h₇ : Residual.WellTyped env (TPE.evaluate x₁ preq pes) :=
+          partial_eval_preserves_well_typed h₂ h₃ hᵢ₁
+        have h₈ := error_free_evaluate_ok h₂ h₇ h₆
+        simp [Except.isOk, Except.toBool] at h₈
+        split at h₈ <;> try contradiction
+        clear h₈ ; rename_i h₈
+        rw [h₅, h₈] at hᵢ₅
+        simp [Except.toOption] at hᵢ₅
+    · simp [Result.as, Except.toOption, Coe.coe, Value.asBool]
+      simp [h₅, Except.toOption] at hᵢ₅
+      split at hᵢ₅ <;> try contradiction
+      simp at hᵢ₅
+      subst hᵢ₅
+      rename_i hᵢ₅
+      rename_i v _
+      have ⟨_, hv⟩ : ∃ b, v = .prim (.bool b) := by
+        have h₇ := residual_well_typed_is_sound h₂ hᵢ₁ h₅
+        rw [hᵢ₃] at h₇
+        exact instance_of_anyBool_is_bool h₇
+      subst hv
+      simp only
+      rename_i h₁ _ _ _ _ _
+      simp [h₁, Except.toOption, Residual.evaluate] at hᵢ₆
+      split at hᵢ₆ <;> simp at hᵢ₆
+      subst hᵢ₆
+      rename_i hᵢ₆
+      simp [hᵢ₆]
+      rename_i b _
+      have hb : (if b = false then (Except.ok (Value.prim (Prim.bool b)) : Except Spec.Error _) else Except.ok (Value.prim (Prim.bool false))) = Except.ok (.prim (.bool false)) := by
+        split
+        · rename_i hb
+          simpa using hb
+        · simp
+      simp [hb]
+      rename_i ty _ _ _ _ _
+      cases he : (TPE.evaluate x₁ preq pes).errorFree<;> simp [Residual.evaluate, hᵢ₅, Result.as, Coe.coe, Value.asBool]
+      cases b <;> simp
+  case _ =>
+    simp [Residual.evaluate]
+    generalize h₅ : x₁.evaluate req es = res₁
+    cases res₁
+    case ok =>
+      have h₆ := residual_well_typed_is_sound h₂ hᵢ₁ h₅
+      rw [hᵢ₃] at h₆
+      rcases instance_of_anyBool_is_bool h₆ with ⟨_, h₆⟩
+      subst h₆
+      replace h₅ := to_option_left_ok hᵢ₅ h₅
+      simp [Result.as, Coe.coe, h₅, Value.asBool]
+      generalize h₇ : x₂.evaluate req es = res₂
+      cases res₂
+      case _ =>
+        rw [h₇] at hᵢ₆
+        rcases to_option_left_err hᵢ₆ with ⟨_, hᵢ₆⟩
+        simp [hᵢ₆]
+        split <;> simp [Except.toOption]
+      case _ =>
+        replace h₇ := to_option_left_ok hᵢ₆ h₇
+        rw [h₇]
+    case error =>
+      rw [h₅] at hᵢ₅
+      rcases to_option_left_err hᵢ₅ with ⟨_, hᵢ₅⟩
+      simp [Result.as, hᵢ₅, Except.toOption]
+
+end Cedar.Thm
@@ -0,0 +1,145 @@
+/-
+ Copyright Cedar Contributors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-/
+
+
+import Cedar.TPE
+import Cedar.Spec
+import Cedar.Validation
+import Cedar.Thm.TPE.Input
+import Cedar.Thm.TPE.ErrorFree
+import Cedar.Thm.TPE.WellTyped
+import Cedar.Thm.Validation
+import Cedar.Thm.WellTyped
+import Cedar.Thm.Data.Control
+
+/-!
+This file contains basic utility theorems used in the TPE soundness proof.
+-/
+
+namespace Cedar.Thm
+
+open Cedar.Spec
+open Cedar.Validation
+open Cedar.TPE
+open Cedar.Thm
+
+theorem as_value_some {r : Residual} {v : Value} :
+  r.asValue = .some v → (∃ ty, r = .val v ty)
+:= by
+  intro h
+  simp only [Residual.asValue] at h
+  split at h <;> simp at h
+  subst h
+  simp only [Residual.val.injEq, true_and, exists_eq']
+
+theorem anyM_some_implies_any {α} {xs : List α} {b : Bool}  (f : α → Option Bool) (g : α → Bool) :
+(∀ x b, f x = some b → g x = b) → List.anyM f xs = some b → xs.any g = b
+:= by
+  intro h₁ h₂
+  induction xs generalizing b
+  case nil =>
+    simp only [List.anyM, Option.pure_def, Option.some.injEq, Bool.false_eq] at h₂
+    simp only [List.any_nil, h₂]
+  case cons head tail hᵢ =>
+    simp only [List.any_cons]
+    simp only [List.anyM, Option.pure_def, Option.bind_eq_bind] at h₂
+    generalize h₃ : f head = res
+    cases res <;> simp [h₃] at h₂
+    case some =>
+      split at h₂
+      case _ =>
+        simp only [Option.some.injEq, Bool.true_eq] at h₂
+        subst h₂
+        specialize h₁ head true h₃
+        simp only [h₁, Bool.true_or]
+      case _ =>
+        specialize hᵢ h₂
+        simp only [hᵢ, Bool.or_eq_right_iff_imp]
+        specialize h₁ head false h₃
+        simp only [h₁, Bool.false_eq_true, false_implies]
+
+theorem to_option_eq_do₁ {α β ε} {res₁ res₂: Except ε α} (f : α → Except ε β) :
+  Except.toOption res₁ = Except.toOption res₂ →
+  Except.toOption (do let x ← res₁; f x) = Except.toOption (do let x ← res₂; f x)
+:= by
+  intro h₁
+  simp [Except.toOption] at *
+  split at h₁ <;>
+  split at h₁ <;>
+  simp at h₁
+  case _ => subst h₁; simp only [Except.bind_ok]
+  case _ => simp only [Except.bind_err]
+
+theorem to_option_eq_map {α β ε} {res₁ res₂: Except ε α} (f : α → β) :
+  Except.toOption res₁ = Except.toOption res₂ →
+  Except.toOption (f <$> res₁) = Except.toOption (f <$> res₂)
+:= by
+  intro h₁
+  simp [Except.toOption] at *
+  split at h₁ <;>
+  split at h₁ <;>
+  simp at h₁
+  case _ => subst h₁; simp only
+  case _ => simp only [Except.map_error]
+
+theorem to_option_eq_do₂ {α ε} {res₁ res₂ res₃ res₄: Except ε α} (f : α → α → Except ε α) :
+  Except.toOption res₁ = Except.toOption res₃ →
+  Except.toOption res₂ = Except.toOption res₄ →
+  Except.toOption (do let x ← res₁; let y ← res₂; f x y) = Except.toOption (do let x ← res₃; let y ← res₄; f x y)
+:= by
+  intro h₁ h₂
+  simp [Except.toOption] at *
+  split at h₁ <;>
+  split at h₁ <;>
+  split at h₂ <;>
+  split at h₂ <;>
+  simp at h₁ <;>
+  simp at h₂
+  case _ => subst h₁; subst h₂; simp only [Except.bind_ok]
+  case _ => simp only [Except.bind_err, Except.bind_ok]
+  case _ => simp only [Except.bind_ok, Except.bind_err]
+  case _ => simp only [Except.bind_err]
+
+theorem to_option_eq_mapM {α β ε} {ls : List α} (f g: α → Except ε β) :
+(∀ x,
+  x ∈ ls →
+    Except.toOption (f x) = Except.toOption (g x)) →
+  Except.toOption (List.mapM f ls) =
+  Except.toOption (List.mapM g ls)
+:= by
+  induction ls
+  case nil => simp only [List.not_mem_nil, false_implies, implies_true, List.mapM_nil]
+  case cons head tail hᵢ =>
+    simp only [List.mem_cons, forall_eq_or_imp, List.mapM_cons, bind_pure_comp, and_imp]
+    intro h
+    simp only [Except.toOption] at h
+    split at h <;> split at h <;> simp at h
+    case _ heq₁ _ _ heq₂ =>
+      subst h
+      simp only [heq₁, Except.bind_ok, heq₂]
+      intro h
+      specialize hᵢ h
+      simp only [Except.toOption] at hᵢ
+      split at hᵢ <;> split at hᵢ <;> simp at hᵢ
+      case _ heq₃ _ _ heq₄ =>
+        subst hᵢ
+        simp only [heq₃, Except.map_ok, heq₄]
+      case _ heq₃ _ _ heq₄ =>
+        simp only [Except.toOption, heq₃, Except.map_error, heq₄]
+    case _ heq₁ _ _ heq₂ =>
+      simp only [Except.toOption, heq₁, Except.bind_err, heq₂, implies_true]
+
+end Cedar.Thm