@@ -12,7 +12,9 @@ This is the single document that enumerates *what AffineScript must prove*, at
1212gap between the soundness *arguments* the project relies on (prose in
1313`docs/academic/proofs/`, the borrow-checker comments in `lib/borrow.ml`,
1414`docs/CAPABILITY-MATRIX.adoc`) and the soundness *proofs* that are actually
15- mechanized today (almost none — see <<status>>).
15+ mechanized today: a growing axiom-free Coq core (13 files) that pins each
16+ obligation on a deliberately *small model* — no full-language theorem is
17+ discharged yet (see <<status>>).
1618
1719It supersedes the previous near-empty `PROOF-NEEDS.md`, which recorded only the
18202026-03-29 template-ABI cleanup (preserved in <<history>>).
@@ -68,12 +70,18 @@ than the prose corpus suggests:
6870 `TypeSafety.v` is example lemmas about list length, not AffineScript. Not
6971 core-metatheory.
7072* **`formal/`** — the directory #513 names as the mechanized-proof target now
71- **exists** (Coq/Rocq 8.18), axiom-free throughout: `K1_CodegenPreservation.v`
72- (K-1, minimal fragment) + `K1Let_CodegenPreservation.v` (K-1 grown with
73- variables/`let`/environment) + `F1_TransformerPreservation.v` (F-1, composing
74- on K-1) are mechanized; `Siblings_Stated.v` states P-2/P-3/F-3/F-4, now
75- **discharged for concrete models** in `P2_Progress.v` / `P3_BorrowSound.v` /
76- `F3_PragmaDecidable.v` / `F4_ErrorFaithful.v` (see <<outstanding>>, <<faces>>).
73+ **exists** (Coq/Rocq 8.18), axiom-free throughout — **13 files, 22 `Print
74+ Assumptions` closure reports**, all "Closed under the global context". Codegen
75+ keystone: `K1_CodegenPreservation.v` (K-1 minimal) +
76+ `K1Let_CodegenPreservation.v` (K-1 grown with variables/`let`/environment).
77+ Faces front-end: `F1_TransformerPreservation.v` (F-1, composing on K-1).
78+ `Siblings_Stated.v` states P-2/P-3/F-3/F-4, **discharged for concrete models**
79+ in `P2_Progress.v` (first-order) + `P2_Stlc.v` (STLC with functions + the
80+ substitution lemma, funext-free) / `P3_BorrowSound.v` (single-bit) +
81+ `P3_BorrowGraph.v` (multi-resource loan graph) / `F3_PragmaDecidable.v` /
82+ `F4_ErrorFaithful.v`. Affine/QTT layer: `QttSemiring.v` (`{0,1,ω}`) +
83+ `AffineUsage.v` (`λx.x` affine, `λx. x x` not) + `QttTyping.v` (quantitative
84+ typing, `usage x t = Γ x` sound). See <<outstanding>>, <<faces>>.
7785* **Research tracks** (not core soundness): `docs/academic/tropical-session-types/`
7886 (Lean), `proposals/echo-types/EchoEncodingFaithfulness.agda`,
7987 `proposals/idaptik/migrated/**/*Boundary.agda` (echo-types loss-with-residue,
@@ -207,18 +215,20 @@ The work in flight changes which obligations are *load-bearing* and which are
207215 (<<faces>>) compose into end-to-end correctness. Rigour `XL`. Status `partial`
208216 (was `prose`): a Wave-0 mechanized seed — `formal/K1_CodegenPreservation.v`
209217 (Coq, no axioms) — proves preservation for a minimal nat/bool · add/and
210- fragment compiled to a stack machine; the real AffineScript AST + real
211- typed-WASM operational semantics remain the open obligation.
218+ fragment compiled to a stack machine — `K1Let_CodegenPreservation.v` grows it
219+ with de Bruijn variables, `let`, and an environment; the real AffineScript AST
220+ + real typed-WASM operational semantics remain the open obligation.
212221* **K-2 — Effect-soundness is *blocked*, not merely unproven.** P-6 cannot be
213222 honestly *stated against the current backend* because #555 drops handler arms
214223 on three of the codegen targets. The obligation must be split: (a) prove
215224 soundness against the *interpreter's intended* handler semantics, then (b)
216225 prove the lowered targets refine that semantics — which (b) currently *fails*.
217226 This makes #555 a proof-blocking defect, not just a runtime bug.
218227* **K-3 — Borrow soundness must be stated to *reject* #554.** Any mechanized P-3
219- must take the #554 program as a *negative* test (must not typecheck). Without
220- Polonius (#553) the current checker cannot; so P-3's statement should be
221- written now even though its proof waits on #553.
228+ must take the #554 program as a *negative* test (must not typecheck). *Done in
229+ the model:* `P3_BorrowSound.v` and `P3_BorrowGraph.v` reject the #554 witness
230+ (`[OBorrow; OMove; OUseRef]`); the full-language negative test still waits on
231+ Polonius (#553), which the real-checker statement needs to reject it in general.
222232* **K-4 — `CAPABILITY-MATRIX.adoc` rows are latent obligations.** Every row not
223233 marked `enforced` (effects `partial`, refinements `declared-but-unwired`, …)
224234 is a place where a prose proof presumes behaviour the implementation does not
@@ -343,29 +353,37 @@ F-1 (full transformer preservation) is non-trivial rather than a formality.
343353| Wave | Items | Gates
344354
345355| 0
346- | **Done.** `formal/` stood up (Coq); **K-1 mechanized** + **grown**
347- (variables/`let`); **F-1 mechanized** (composes on K-1); and **P-2/P-3/F-3/F-4
348- mechanized** for concrete models (small-step progress+preservation; borrow
349- soundness rejecting #554; pragma locality + alias functionality; error
350- faithfulness). 11 closure reports, all axiom-free. NEXT (Wave 1): grow each
351- model toward the real language — `if`/functions/QTT in P-2, the real borrow
352- graph in P-3 — and cross-link `CAPABILITY-MATRIX.adoc` rows (K-4).
356+ | **Done.** `formal/` stood up (Coq); **K-1 mechanized**; **F-1 mechanized**
357+ (composes on K-1); **P-2/P-3/F-3/F-4 mechanized** for concrete models
358+ (small-step progress+preservation; borrow soundness rejecting #554; pragma
359+ locality + alias functionality; error faithfulness). The axiom-free seed.
353360| —
354361
355362| 1
356- | Discharge solo-core P-2 (progress+preservation). Mechanize F-3/F-5 (small,
357- self-contained OCaml-property obligations; no semantics needed).
363+ | **Done.** Grew the models toward the real language: **P-2 → STLC with functions
364+ + the substitution lemma** (`P2_Stlc.v`, funext-free); **P-3 → a multi-resource
365+ borrow graph** (`P3_BorrowGraph.v`: loan edges, liveness, move-locality,
366+ multi-resource #554 rejected). *Leftover:* F-5 (small, self-contained
367+ `render_ty` injectivity) and the K-4 `CAPABILITY-MATRIX` cross-link.
358368| Wave 0
359369
360370| 2
361- | K-1 codegen preservation skeleton → unblocks F-1, F-2-full, F-6. Split P-6 per
362- K-2 and surface #555 as proof-blocking.
363- | Wave 1; #555
371+ | **Done (static).** The affine/QTT layer — **`QttSemiring.v`** (`{0,1,ω}` laws +
372+ occurrence homomorphism), **`AffineUsage.v`** (`λx.x` affine, `λx. x x` not),
373+ **`QttTyping.v`** (quantitative typing, `usage x t = Γ x` sound). *Leftover:*
374+ the *dynamic* half — a quantitative substitution lemma over `P2_Stlc.v` that
375+ carries the quantity accounting through reduction.
376+ | Wave 1
364377
365378| 3
366- | Extend solo-core to Duet (traits+effects: P-6, P-10) then Ensemble (P-4 full,
367- refinements P-9, borrowing P-3-full pending #553).
368- | Wave 2; #553
379+ | **The real lift (open — the bulk of the remaining work).** Replace the toy
380+ objects with the real ones: formalise the **real AffineScript AST** and the
381+ **real typed-WASM operational semantics**, then re-prove K-1/F-1/F-2 against
382+ them (this is what makes K-1/F-1 `XL`, and what actually resolves #601). Then
383+ the still-`prose`/`absent` obligations: P-5 (inference), P-6 (effects — blocked
384+ on #555/K-2), P-7 (resolution), P-8 (parser), P-10 (coherence); faces F-6/F-7;
385+ full-language borrowing (P-3) pending #553.
386+ | Wave 2; #555; #553
369387|===
370388
371389[#xref]
0 commit comments