diff --git a/proofs/agda/Basic.agda b/proofs/agda/Basic.agda index 9b70dff..5441bd7 100644 --- a/proofs/agda/Basic.agda +++ b/proofs/agda/Basic.agda @@ -151,25 +151,18 @@ curry f x y = f (x , y) uncurry : {A B C : Set} → (A → B → C) → (A × B → C) uncurry f (x , y) = f x y --- Proof that curry and uncurry are inverses +-- Proof that curry and uncurry are inverses. +-- +-- Stated *pointwise* (the functions agree on every input), which is +-- provable in plain Agda by `refl` with ZERO axioms. The fully-extensional +-- form `curry (uncurry f) ≡ f` would require function extensionality +-- (funext) — a standard axiom, but an axiom nonetheless; the pointwise +-- statements below are the axiom-free truth and need no postulate. module CurryUncurryLaws where - -- INTENTIONAL AXIOM: Function extensionality (funext) - -- Justification: funext is consistent with Agda's type theory and is - -- provable in Cubical Agda (--cubical). In plain Agda it must be - -- postulated. It is a standard mathematical axiom accepted by all - -- major proof assistants (Coq's Functional Extensionality, Lean's - -- funext, HoTT axiom). It does NOT compromise soundness. - -- See: HoTT Book, Section 2.9; nLab "function extensionality" - -- AXIOM: funext (see justification above; recognised by check-trusted-base.sh) - postulate - funext : {A B : Set} {f g : A → B} - → ((x : A) → f x ≡ g x) - → f ≡ g - - curry-uncurry : {A B C : Set} → (f : A → B → C) - → curry (uncurry f) ≡ f - curry-uncurry f = funext λ x → funext λ y → refl - - uncurry-curry : {A B C : Set} → (f : A × B → C) - → uncurry (curry f) ≡ f - uncurry-curry f = funext λ { (x , y) → refl } + curry-uncurry : {A B C : Set} → (f : A → B → C) → (x : A) → (y : B) + → curry (uncurry f) x y ≡ f x y + curry-uncurry f x y = refl + + uncurry-curry : {A B C : Set} → (f : A × B → C) → (p : A × B) + → uncurry (curry f) p ≡ f p + uncurry-curry f (x , y) = refl diff --git a/proofs/agda/SoundnessPreservation.agda b/proofs/agda/SoundnessPreservation.agda index 068fb10..0cbc8dd 100644 --- a/proofs/agda/SoundnessPreservation.agda +++ b/proofs/agda/SoundnessPreservation.agda @@ -41,23 +41,15 @@ record Proof : Set where -- 2. Conflict predicate ------------------------------------------------------------------------ --- Conflicts is an abstract binary predicate over two axiom lists. --- We leave it as a postulate-free parameter: the caller supplies a --- concrete proof of ¬ Conflicts when they know the sets are disjoint. +-- "Conflicts" is an abstract binary predicate over two axiom lists. It is +-- threaded as an *explicit parameter* of the composition theorem (§5) +-- rather than a module-level postulate, so this file declares ZERO axioms. -- --- In practice ECHIDNA computes this via the danger-level tracker --- (verification/axioms.rs): two axiom sets conflict when one contains --- an axiom that the other marks Reject. --- TRUSTED: Conflicts is an abstract parameter (see above), not an unsound --- escape — the caller discharges it with a concrete proof. -postulate - Conflicts : List Axiom → List Axiom → Set - -- ^ INTENTIONAL PARAMETER — "Conflicts" is domain knowledge about - -- which axiom combinations are unsound. Leaving it abstract keeps - -- the composition theorem maximally reusable: any concrete conflict - -- definition satisfying ¬ Conflicts a1 a2 gives the same guarantee. - -- This is NOT a soundness hole: the theorem proves a conditional, - -- not an unconditional claim. +-- In practice ECHIDNA instantiates it via the danger-level tracker +-- (src/rust/verification/axioms.rs): two axiom sets conflict when one +-- contains an axiom the other marks Reject. The theorem proves a +-- conditional ("if the sets do not conflict …"), so any concrete conflict +-- definition gives the same guarantee. ------------------------------------------------------------------------ -- 3. Proof composition @@ -83,12 +75,13 @@ compose p1 p2 = MkProof -- conflict, then compose p1 p2 is sound. ------------------------------------------------------------------------ -compose-sound : (p1 p2 : Proof) +compose-sound : (Conflicts : List Axiom → List Axiom → Set) + → (p1 p2 : Proof) → Proof.sound p1 ≡ true → Proof.sound p2 ≡ true → ¬ Conflicts (Proof.axioms p1) (Proof.axioms p2) → Proof.sound (compose p1 p2) ≡ true -compose-sound p1 p2 s1 s2 _ = ∧-true s1 s2 +compose-sound _ p1 p2 s1 s2 _ = ∧-true s1 s2 ------------------------------------------------------------------------ -- 6. Structural corollary: composing with an empty-axiom proof