fix(abi): wire PanelIsolation + ResourceCleanup via class-J axiom (proof-debt standards#131)#41
Merged
Conversation
Owner
Author
CI auto-trigger anomaly — same as boj-server#132 earlier this session
Same diagnosis as The critical workflow ( Local oracle: Owner: please re-run from the Actions tab once the pool frees up — that's the merge oracle. 🤖 Generated with Claude Code |
…oof-debt standards#131) Discharges the LAST OWED item from gossamer#22's deferred list (the PanelIsolation/ResourceCleanup pair flagged "design call: String == commutativity axiom vs Distinct refactor"). `idris2 0.8.0 --typecheck gossamer-abi.ipkg` now passes 11/11 (was 11/11 on the prior branch but without PanelIsolation/ResourceCleanup — net: gossamer-abi.ipkg goes from 11 to all 13 ABI proof modules wired, with `%default total` and zero unsanctioned escape hatches). NB: this branch is based on `origin/main` (which contains GrooveTermination from gossamer#36); LayoutStability + IPCIntegrity are in flight on gossamer#40 and will need a small ipkg-comment rebase when both this branch and #40 land. Module set on origin/main is 9 wired; this branch adds 2 (PanelIsolation, ResourceCleanup). After #40 merges + rebase: 13 wired. Decision: **Option 1 — sanctioned class-J axiom** (over Option 2's `Distinct`-refactor). Rationale: 1. The axiom is genuine and load-bearing for *any* approach; Option 2 relocates it from `==` commutativity to `decEq` correctness over the same primitive `prim__eq_String`. Same trust budget. 2. Naming it explicitly (`stringNotEqCommut`, classified J in the docstring) makes the trust visible rather than hidden inside `decEq String`. 3. Aligns gossamer with boj-server's posture (`Boj.SafetyLemmas` 5 class-J axioms over `prim__eqChar` / `prim__strAppend` etc.), so the estate has one consistent story for primitive-boundary reasoning rather than diverging postures per repo. 4. The Option 2 ergonomic cost — touching every Distinct call site, creating a style split with sibling `So` types in the same file (MkPanelState, MkPanelChannel) — was non-trivial for what is ultimately the same trust budget. * New class-J axiom `stringNotEqCommut` between the `Distinct` data declaration and the `distinctSym` proof: %unsafe export stringNotEqCommut : {a, b : String} -> So (not (a == b)) -> So (not (b == a)) stringNotEqCommut _ = believe_me () * `distinctSym` re-implemented using the axiom (constructive modulo the named axiom; full proof in the body): distinctSym : Distinct a b -> Distinct b a distinctSym (MkDistinct {a} {b} {prf}) = MkDistinct {a=b} {b=a} {prf = stringNotEqCommut prf} * Moduledoc updated: the "Zero believe_me. All proofs are constructive." banner is replaced with an honest "One class-J axiom (stringNotEqCommut); all other proofs constructive." — the earlier banner was always going to become wrong here; better accurate than aspirational. The OWED note bundled this with PanelIsolation but the actual defects were independent: * Missing `import Data.DPair` (for `Exists` / `Evidence`). * Typo: lowercase `exists` should be `Exists` (Idris2 0.8.0 stdlib capitalises the type name; idris2 suggests the fix in the error). Both 1-line fixes; the module now builds clean. Module list extended with the two newly-wired modules. Header deferred-list comment replaced with a closure summary noting where each formerly-deferred module landed (#36 / #40 / this branch). `IPCIntegrity.ConformsTo`'s `ConformHere` / `ConformThere` lowercase-shadowing warnings and the suspicious `ConformThere` type identity (already flagged in the gossamer#40 PR body) remain. Pre-existing latent defects unrelated to the OWED items in this PR; file as a separate issue if you want them fixed. Refs hyperpolymath/standards#131 Refs hyperpolymath/standards#124 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
force-pushed
the
proof-debt/standards-131-panel-isolation
branch
from
ec8ebd5 to
aaef606
Compare
Documents the trust-base change (gossamer's first class-J axiom), the discharge ledger across PRs #36/#40/#41, and the meta-lesson that landed in the standards#131 closing comment. ## PROOF-NEEDS.md * Replaced the now-incorrect "No `believe_me` ... in ABI layer" line with an honest "One class-J axiom" entry + reference to the new Class-J axioms section. * Added "Class-J axioms (trusted base)" section listing `stringNotEqCommut`, its justification, and the reduce-the-trusted-base path via the boj-server backend-assurance harness when ported. * Added "Discharge ledger" table for the standards#131 close-out (modules → PRs, with merge state). * Recorded the meta-lesson: OWED notes from never-built modules systematically misdiagnose root cause (4-for-4 in gossamer#22's deferred list); build is the only oracle for proof-bearing code. ## .machine_readable/6a2/STATE.a2ml * Bumped `last-updated` from 2026-04-25 to 2026-05-20. * Added a session-history entry summarising the four discharges (#36 / #40 / #41) and the class-J axiom decision (Option 1 vs Option 2 rationale captured). Refs hyperpolymath/standards#131 Refs hyperpolymath/standards#124 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
May 20, 2026
…dards#131) (#43) Adds a `== Formal verification` section to the README mirroring boj-server's (PR #108, 2026-05-20). Necessary update post-#41 because the README's previous claim of "machine-checked in Idris2" needed nuance now that one believe_me-bodied class-J axiom (`stringNotEqCommut`) exists in PanelIsolation. The new section names: * 13/13 ABI modules build green (was a mix of wired-and-tested vs wired-but-never-built before the standards#131 campaign discharged all four originally-deferred modules). * One believe_me invocation, isolated, classified, soundness-oracle explicit. * Forward link to PROOF-NEEDS.md "Class-J axioms (trusted base)" section (added in PR #41) for full per-site rationale. Symmetric with boj-server's README.adoc:109-129 § Formal verification which documents that repo's 5 class-(J) axioms. Estate-wide pattern: honest disclosure at the README level, full audit in PROOF-NEEDS, machine-readable state in STATE.a2ml. Refs hyperpolymath/standards#131 Refs hyperpolymath/standards#124 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3 tasks
hyperpolymath
added a commit
that referenced
this pull request
May 20, 2026
…dards#131) (#44) Adds a `== Formal verification` section to the README mirroring boj-server's (PR #108, 2026-05-20). Necessary update post-#41 because the README's previous claim of "machine-checked in Idris2" needed nuance now that one believe_me-bodied class-J axiom (`stringNotEqCommut`) exists in PanelIsolation. The new section names: * 13/13 ABI modules build green (was a mix of wired-and-tested vs wired-but-never-built before the standards#131 campaign discharged all four originally-deferred modules). * One believe_me invocation, isolated, classified, soundness-oracle explicit. * Forward link to PROOF-NEEDS.md "Class-J axioms (trusted base)" section (added in PR #41) for full per-site rationale. Symmetric with boj-server's README.adoc:109-129 § Formal verification which documents that repo's 5 class-(J) axioms. Estate-wide pattern: honest disclosure at the README level, full audit in PROOF-NEEDS, machine-readable state in STATE.a2ml. Refs hyperpolymath/standards#131 Refs hyperpolymath/standards#124 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
16 tasks
hyperpolymath
added a commit
that referenced
this pull request
May 20, 2026
…dards#131) (#47) Adds a `== Formal verification` section to the README mirroring boj-server's (PR #108, 2026-05-20). Necessary update post-#41 because the README's previous claim of "machine-checked in Idris2" needed nuance now that one believe_me-bodied class-J axiom (`stringNotEqCommut`) exists in PanelIsolation. The new section names: * 13/13 ABI modules build green (was a mix of wired-and-tested vs wired-but-never-built before the standards#131 campaign discharged all four originally-deferred modules). * One believe_me invocation, isolated, classified, soundness-oracle explicit. * Forward link to PROOF-NEEDS.md "Class-J axioms (trusted base)" section (added in PR #41) for full per-site rationale. Symmetric with boj-server's README.adoc:109-129 § Formal verification which documents that repo's 5 class-(J) axioms. Estate-wide pattern: honest disclosure at the README level, full audit in PROOF-NEEDS, machine-readable state in STATE.a2ml. Refs hyperpolymath/standards#131 Refs hyperpolymath/standards#124 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
16 tasks
hyperpolymath
added a commit
that referenced
this pull request
May 20, 2026
…dards#131) (#49) Adds a `== Formal verification` section to the README mirroring boj-server's (PR #108, 2026-05-20). Necessary update post-#41 because the README's previous claim of "machine-checked in Idris2" needed nuance now that one believe_me-bodied class-J axiom (`stringNotEqCommut`) exists in PanelIsolation. The new section names: * 13/13 ABI modules build green (was a mix of wired-and-tested vs wired-but-never-built before the standards#131 campaign discharged all four originally-deferred modules). * One believe_me invocation, isolated, classified, soundness-oracle explicit. * Forward link to PROOF-NEEDS.md "Class-J axioms (trusted base)" section (added in PR #41) for full per-site rationale. Symmetric with boj-server's README.adoc:109-129 § Formal verification which documents that repo's 5 class-(J) axioms. Estate-wide pattern: honest disclosure at the README level, full audit in PROOF-NEEDS, machine-readable state in STATE.a2ml. Refs hyperpolymath/standards#131 Refs hyperpolymath/standards#124 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 31 issues detected
View findings[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/upload-artifact@v4 needs attention",
"type": "unpinned_action",
"file": "release.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/download-artifact@v4 needs attention",
"type": "unpinned_action",
"file": "release.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/gossamer/gossamer/src/interface/abi/IPCDispatch.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/gossamer/gossamer/src/interface/abi/ResourceCleanup.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/gossamer/gossamer/src/interface/abi/GrooveTermination.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/gossamer/gossamer/src/interface/abi/HandleLinearity.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/gossamer/gossamer/src/interface/abi/WindowStateMachine.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Discharges the LAST OWED item from
gossamer#22's deferred list — thePanelIsolation/ResourceCleanuppair flagged "design call: String==commutativity axiom vsDistinctrefactor".idris2 0.8.0 --typecheck gossamer-abi.ipkgpasses 11/11 on this branch,%default total. Aftergossamer#40merges and this rebases, the result will be all 13 ABI proof modules wired and green.Refs hyperpolymath/standards#131andhyperpolymath/standards#124. NOT Closes —standards#131close is owner-only (joint-close on agreement; the design choice between axiom and refactor is the substantive bit you'd want a maintainer to sign off on).Branch base note
This branch is on
origin/main(which containsGrooveTerminationfromgossamer#36).LayoutStability+IPCIntegrityare still in flight ongossamer#40. When both this branch and #40 land, a small ipkg-comment rebase will resolve the overlap. Module count on origin/main today: 9 wired; this branch adds 2; #40 adds 2; final state after both merge: 13 wired.Decision: Option 1 — sanctioned class-J axiom
The earlier analysis comment on
standards#131(and this session's conversation) walked through Option 1 (axiom) vs Option 2 (Distinct-refactor). Picking Option 1 because:==is commutative" to "decEqcorrectly decides propositional equality on Strings", which is the same primitive (prim__eq_String) at one more level of indirection. Same trust budget.stringNotEqCommut, classified J in the docstring) makes the trust visible rather than hiding it insidedecEq String's implementation.Boj.SafetyLemmashas 5 class-J axioms overprim__eqChar/prim__strAppend/ etc, with a dedicated property-test + trusted-extraction validation harness on the way (campaignproject_boj_server_backend_assurance_harness). One consistent estate story for primitive-boundary reasoning beats per-repo divergence.Distinctcall site, creating a style split with siblingSotypes in the same file (MkPanelState,MkPanelChannel) — was non-trivial for the same trust budget.Changes
PanelIsolation.idrA new class-J axiom between the
Distinctdata declaration and thedistinctSymproof:distinctSymre-implemented using the axiom:Moduledoc's "Zero believe_me" banner replaced with an honest "One class-J axiom (
stringNotEqCommut); all other proofs constructive." — better accurate than aspirational; this is gossamer's first class-J axiom.ResourceCleanup.idrThe OWED note bundled this with PanelIsolation, but the actual defects were independent:
import Data.DPair(forExists/Evidence)existsshould beExists(Idris2 0.8.0 stdlib capitalises it; idris2 suggested the fix in the error message)gossamer-abi.ipkgModule list extended with the two newly-wired modules. Header deferred-list comment replaced with a closure summary noting where each formerly-deferred module landed (#36 / #40 / this branch).
Verification
Soundness oracle (deferred)
This class-J axiom is principled (
prim__eq_Stringis commutative on every supported backend — Chez, Racket, Node, JS — because they all dispatch to native string-equal which is content-symmetric), but it's still trust that needs external validation. The boj-serverproject_boj_server_backend_assurance_harnesscampaign is building exactly that validation infrastructure (property-tests + trusted-extraction against Chez/BEAM). When that harness exists for gossamer, this axiom can be replaced with a backend-verified theorem.🤖 Generated with Claude Code