Slice 2: make chapeliser provably-real — CI machine-checks proofs/FFI/Chapel + honest status#27
Merged
Merged
Conversation
Slice 2 — make chapeliser provably-real and honest.
Provable-real: add .github/workflows/provable.yml with four jobs that
verify everything outside the (already-green) Rust layer:
- idris2-proofs: `idris2 --check` Types/Layout/Foreign.idr
- zig-ffi: `zig build test` the FFI reference impl (Zig 0.14)
- codegen-drift: regenerate the golden sample and diff vs committed
- chapel-golden: compile + RUN the generated Chapel via `chpl`
Add examples/golden/ end-to-end fixture: a minimal per-item/merge "echo"
manifest, its committed codegen output, and a ~60-line C FFI stub so CI
can compile and run the generated Chapel (asserts 8/8 items conserved).
This closes the STATE.a2ml action "generate + compile + run".
Honest status — stop asserting what isn't machine-checked yet:
- ROADMAP: Phase 1 "(COMPLETE)" -> "(IMPLEMENTED — verification gated
in CI)"; add Phase 1b tracking the four CI jobs; drop "compilable"
from the bare codegen bullet.
- Fix the test-count claim: "15 tests (6+8+1)" -> actual "63 (22+40+1)".
- README: Idris2 "Formal proofs that" -> "proof obligations,
machine-checked in CI"; correct src paths; honest Status paragraph.
- STATE.a2ml: blockers/next-actions/maintenance reflect CI-gated
verification; last-result=warn until provable.yml is green.
The Idris2/Zig/Chapel toolchains are not installable in the dev sandbox,
so CI (GitHub runners) is the verifier. Until provable.yml is green these
artifacts are "written", not "verified" — and the docs now say exactly that.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ
🔍 Hypatia Security ScanFindings: 62 issues detected
View findings[
{
"reason": "Action actions/checkout@v4 needs attention",
"type": "unpinned_action",
"file": "provable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/checkout@v4 needs attention",
"type": "unpinned_action",
"file": "provable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action mlugg/setup-zig@v1 needs attention",
"type": "unpinned_action",
"file": "provable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/checkout@v4 needs attention",
"type": "unpinned_action",
"file": "provable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/checkout@v4 needs attention",
"type": "unpinned_action",
"file": "provable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
First provable.yml run surfaced real bugs (all toolchains installed and ran — the failures were genuine, not infra). Fix each: - Chapel: codegen emitted `return` inside `on Locales[0]` (load-phase error path), which `chpl` rejects. Restructure to set a `loadFailed` flag + `break`, then `return` after the `on` block. Regenerate golden. - Idris2: idris2 0.8 requires the source file path to match the dotted module name; nest Types/Layout/Foreign under Chapeliser/ABI/ and point the CI check paths there. - Zig: build.zig panicked installing a *versioned* shared library (major_only_filename null in Zig 0.14) — drop `lib.version`; also linkLibC() on libs + tests (main.zig uses std.heap.c_allocator). Also address the advisory Hypatia comment on provable.yml: pin actions/checkout to the estate SHA and add timeout-minutes to every job (mlugg/setup-zig SHA-pin left as a noted follow-up — advisory medium). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ
🔍 Hypatia Security ScanFindings: 54 issues detected
View findings[
{
"reason": "Action mlugg/setup-zig@v1 needs attention",
"type": "unpinned_action",
"file": "provable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
added a commit
that referenced
this pull request
Jun 18, 2026
…obs (#28) Follow-up to #27 (merged). #27 landed the `provable.yml` workflow and got **Zig + codegen-drift green**, but merged while two jobs were still failing — this greens them: ### `idris2-proofs` Removed the three auxiliary `DecEq` instances (`Result`, `PartitionStrategy`, `GatherStrategy`). They are **not used by any of the load-bearing proofs** (completeness / disjointness / conservation / round-trip / layout) and relied on a `decEq _ _ = No absurd` catch-all, which Idris2 rejects — `No absurd` needs *explicit* off-diagonal constructor pairs (as the base library's `DecEq Bool` does). The invariant proofs are untouched; a comment notes they can be re-added via elaborator-reflection derivation if decidable equality is ever needed. ### `chapel-golden` `chpl` reported `Could not find C function for c_process_item` — the `c_*` externs are called inside the `coforall … on loc` (potentially-remote) block, which Chapel requires to have a real C prototype. The generated `<name>_chapeliser.h` only declares the `echo_*` *user* contract, not the `c_*` bridge ABI. Fix (a proper codegen improvement, not a golden-only hack): - `header.rs` now also emits **`<name>_abi.h`** with the 12 `c_*` prototypes. - `chapel.rs` emits **`require "<name>_abi.h";`** in the wrapper module. - the `chapel-golden` job passes **`-I …/include`** so the `require` resolves. - golden fixtures regenerated (adds `echo_abi.h` + the `require` line). ### Verified locally Rust layer still **63 tests green**, codegen **drift-free**. The idris2/chapel toolchains aren't installable in the dev sandbox, so — as with #27 — CI is the verifier; turning these two jobs green is the acceptance gate, and I'll drive it. 🤖 Generated with [Claude Code](https://claude.com/claude-code) https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ --- _Generated by [Claude Code](https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ)_ --------- Co-authored-by: Claude <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Jun 18, 2026
Pins the last unpinned action in `provable.yml` to its commit SHA, clearing the one remaining advisory Hypatia `unpinned_action` finding (medium) introduced in #27/#28. `mlugg/setup-zig@v1` → `mlugg/setup-zig@53fc45b17fe98b52f92ee5ea08ff48a85a3e7eb7 # v1.2.2` SHA resolved via `git ls-remote https://github.com/mlugg/setup-zig` (the `v1` tag points to the same commit as `v1.2.2`). No behaviour change — same action, same `version: 0.14.0`. 🤖 Generated with [Claude Code](https://claude.com/claude-code) https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ --- _Generated by [Claude Code](https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ)_ Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-on to base camp (#26, merged). Goal of this slice: move chapeliser from
"asserted in prose" to machine-verified, and make the docs honest about what
is and isn't checked today.
Provable-real —
.github/workflows/provable.ymlThe Rust CLI/codegen is already green (63 tests via
rust-ci.yml). This adds anew workflow that verifies everything outside Rust:
idris2-proofsidris2 --checktype-checksTypes.idr,Layout.idr,Foreign.idr(the dependent-type ABI proofs)zig-ffizig build testcompiles + runs the Zig FFI reference impl (Zig 0.14)codegen-driftdiffs against the committed tree (fails on drift)chapel-goldenchpl, asserting 8/8 items conservedGolden sample —
examples/golden/A minimal end-to-end fixture that closes the
STATE.a2mlaction "generate +compile + run":
echo.toml— deliberatelyper-item/mergeso the generated Chapel pulls inno optional modules (no BlockDist/DynamicIters/AtomicObjects) → small,
stable compile surface.
generated/— committed codegen output (reviewable + drift-checked).ffi_stub.c— ~60-line C echo implementation of the 12c_*functions so theChapel can be linked and run without user code.
Honest status — stop claiming what isn't checked yet
ROADMAP.adoc: Phase 1(COMPLETE)→(IMPLEMENTED — verification gated in CI); new Phase 1b tracks the four CI jobs (each flips[x]only when green); dropped "compilable" from the bare codegen bullet.15 tests (6 unit + 8 integration + 1 doc)was wrong — actual is 63 (22 + 40 + 1).README.adoc: Idris2 "Formal proofs that…" → "proof obligations, machine-checked in CI"; corrected source paths (src/interface/abi,src/interface/ffi); honest pre-alpha Status paragraph.STATE.a2ml: blockers / next-actions / maintenance now reflect CI-gated verification (last-result = warnuntilprovable.ymlis green).Why CI is the verifier (not local)
The idris2 / zig / chpl toolchains aren't installable in the dev sandbox
(
ziglang.organd the GitHub releases API are network-blocked here; buildingidris2 from source is sandbox-restricted). So GitHub runners are the verifier.
Until
provable.ymlis green, these artifacts are "written", not "verified" —and the docs now say exactly that. Kept as a draft for that reason: driving
the four jobs to green is the acceptance gate, and a first run may surface real
fixes (e.g. Idris2
DecEqtotality, ChapelTime/reduce API specifics) — thatiteration is the "make it real" work.
Follow-up (not blocking): pin action/image refs (
actions/checkout,mlugg/setup-zig,chapel/chapel,idris2-pack) to SHAs per estate policyonce the tags are confirmed working.
🤖 Generated with Claude Code
https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ
Generated by Claude Code