the No-Bullshit file: what we affirm was true and checkable at this moment
|
Note
|
Genre. An affirmation is a solemn declaration of the truth of a statement, made by someone who declines to swear an oath. That is exactly what this is: our truth-as-best-believed at a stamped instant — binding on our honesty, not a claim of infallibility. It is not the README and not the EXPLAINME:
Each repo in the estate may carry one ( |
What it is. A short, dated, jointly-signed snapshot of what we can honestly and verifiably claim about this repo at one exact commit. Nothing here is marketing and nothing is a promise about the future — both of those live in the README. This file is the receipt.
How it is designed to work. Three moving parts make it trustworthy:
-
Ground truth, not memory. Every claim below was produced by running the tool in the session that wrote this file (
cargo build,cargo test,idris2 --check,zig build). Where a status doc,STATE.a2ml, or a prior session said otherwise, the live run wins and we flag the contradiction explicitly. -
A frozen anchor. The file names the exact commit SHA, branch, UTC timestamp, and toolchain (see Verifiable anchor), so "true" always means "true at this point". Move the SHA and the file becomes a draft until re-run.
-
A real signature. It is landed by a signed git commit; that signature over this content at the anchored SHA is what makes the affirmation tamper-evident and attributable — not the prose alone.
We are fallible. We can be wrong, stale, or simply mistaken about our own work. This file is our best honest belief, not a proof of its own correctness. Treat it as a falsifiable claim, not gospel.
This document records our best joint belief at the timestamp below. It is not a guarantee of correctness. We may be wrong. We may have missed something — a hole, a stale doc, a proof that does not in fact check, a rename left half-finished.
No intentional overclaim. That is the only guarantee here: we have not knowingly inflated anything. Where something is tested-but-not-proved, we say so. Where a proof file exists but does not typecheck at this commit, we say so and we do not call it "proved". Where something is a placeholder, broken, or refuted, we say so. If you find an honest claim here that turns out false, that is an error to be fixed — not a lie.
Standing invitation to refute. You are invited to bulldoze any claim in this file. We want that. But the fair form of the attack is:
-
Read this file at the stamped commit.
-
Reproduce (or fail to reproduce) the checks in Reproduce it yourself.
-
Then tell us where the discrepancy is, against the artefact as it stood at this moment — so we can either justify it or concede it on the record.
An attack that skips steps 1–2 is attacking a strawman of a different date.
No fights before the facts are cleared up. We are not interested in a dispute over a claim until the discrepancy has actually been checked against the artefact at this commit and we have had the chance to either justify it or concede it on the record. Good faith both ways: bring a reproducible discrepancy and we will fix the claim, the doc, or the code — promptly and without defensiveness. The goal is a corrected record, not a won argument.
Repo |
|
Branch |
|
Commit (HEAD) |
|
Permalink |
https://github.com/hyperpolymath/typell/tree/552f7594a3826d4e059dc3d3dac53d473a2d22c9 |
Verified (UTC) |
2026-06-16T12:25:56Z |
Working-tree delta at verification |
Tracked tree clean at the start of the run. The only delta introduced was the untracked |
Toolchain |
cargo 1.95.0 · rustc 1.95.0 · just 1.50.0 · Idris2 0.8.0 · Zig 0.15.2 |
|
Important
|
If you are reading this at a later commit, the claims may have drifted. Re-run [reproduce] and write a fresh affirmation; do not trust a stale one. |
This affirmation should be read against the repo’s own public claims. Where they drift from what we verified, we say so here rather than quietly leave the reader to find out.
-
README.adoc— present. "Typell — PanLL’s Verification Kernel". Sells the vision (dependent / linear / session types, QTT, effect systems, proof-carrying code) and states "Phase 0: Vision capture and repo scaffolding — complete." That phase-framing is consistent with what we found; the type-system claims are aspirational at this commit (see honest state). -
EXPLAINME.adoc— present. "Show Me The Receipts". Honestly carries its own caveat: "only the kernel architecture exists … the backends are in design/port stages." That is fair. It does not, however, mention that the Rust workspace does not currently build as a whole, nor that the Idris2 ABI does not typecheck — gaps this affirmation records. -
GitHub repo description — "PanLL’s verification kernel — dependent types, linear types, session types, QTT, proof-carrying code, and effect systems for neurosymbolic query languages". Drift: this reads as delivered capability; at this commit these are crate scaffolds and bridge stubs with passing unit-tests, not a working verifier. Read it as scope, not status.
-
GitHub topics —
ai,development,formal-verification,neurosymbolic,open-source,rust,software. Drift:formal-verificationis not yet earned — the Idris2 soundness proofs (src/abi/.idr) do *not typecheck at this commit (errors + open holes; see below).rustis accurate.
(gh metadata fetched in-session via the WSL gh client; the Windows gh.exe
returned HTTP 401 and was not used.)
Typell at this commit is an early-alpha 14-crate Rust scaffold for a database
query verification kernel: 13 of its 14 crates compile and their 245 library
unit-tests pass green right now — but the workspace as a whole does NOT build (a
typell_vql → typell-vcl rename was left half-finished and breaks
typell-server plus two integration-test targets), the documented just test
entrypoint is a placeholder stub that runs nothing, the Idris2 ABI "soundness
proofs" do NOT typecheck, and the Zig FFI does NOT build against the installed
Zig 0.15.2. There is real, green, tested Rust here; there is no verified
formal-verification here today.
-
13 of 14 workspace crates compile clean. HOW:
cargo build --workspace --exclude typell-server→ exit 0 ("Finisheddevprofile" —typell-core,-eclexia,-affinescript,-ephapax,-wokelang,-tangle,-betlang,-mylang,-oblibeny,-jtv,-phronesis,-errorlang,-vcl). -
245 library/binary unit-tests pass; 0 failed, 0 ignored. HOW:
cargo test --workspace --exclude typell-server --lib --bins→ exit 0, thirteentest result: oklines summing to 245 passed (per-crate: 13, 10, 106, 10, 9, 12, 11, 8, 13, 9, 11, 24, 9). These are genuine, fast, green unit tests of the bridge/rules/resource modules. -
Toolchains are present and runnable — cargo/rustc 1.95.0, just 1.50.0, Idris2 0.8.0, Zig 0.15.2 all responded to
--version. -
No
believe_me/assert_total/postulateappears in any.idrsource. HOW:grep -rniE "believe_me|assert_total|postulate|trustMe"oversrc/abi/matched only README prose and one explanatory comment. The "zero believe_me" invariant is literally satisfied — but see the honest nuance: it is vacuously satisfied because the proofs do not typecheck at all.
This is the proved-core vs tested-implementation gap, and for typell it is
wider than usual and points the other way: there is a tested implementation
core (245 green Rust unit-tests) and there is no proved core at all at this
commit. The Idris2 files in src/abi/ are intended to be the soundness
proofs for the calculus underlying check.rs/infer.rs, but they do not
compile (errors + open ?holes; see loud-failures). So:
-
Nothing in typell is "proved" today. Every formal-verification claim is, at best, "argued in Idris2 source that does not yet typecheck".
-
Even if those proofs did check, they would model an idealised core calculus, not establish that the Rust kernel refines it — the same unproved bridge every such project has. We are two steps short of that bridge, not one.
-
The README/topics word "formal-verification" is therefore not earned at this commit. Anyone citing typell as "formally verified" is overclaiming.
Hard proofs are explicitly delegated to Echidna (README: "NOT a theorem prover — it delegates complex proofs to Echidna"). We did not run Echidna in this session; that boundary is out of scope here and is neither confirmed nor refuted by this affirmation.
Known-broken but fenced here (loud failures, recorded not hidden)
|
Note
|
1. The full workspace does not build. 2. Two integration-test targets do not compile — same incomplete rename, in
3. 4. The Idris2 ABI proofs do not typecheck. 5. The Zig FFI does not build. |
-
STATE.a2mlis stale / refuted at this commit. It recordslast-result = "221 tests passing, 0 failures, 0 warnings",total-tests = 221, and lists every bridge crate asstatus = "complete". The live run shows 245 lib/bin unit-tests (not 221), the workspace not building, and atypell-vqlcrate name that no longer exists (it istypell-vcl). Thecompletion-percentage = 35and the per-phase percentages (e.g. "Phase 1: Idris2 ABI — 100%") are not corroborated; the Idris2 ABI does not typecheck. TreatSTATE.a2mlas aspirational, not as evidence. -
"Zero believe_me" is true but vacuous — no soundness is established because the proofs do not compile (see nuance above).
-
No claim of a working verification protocol, type checker, or backend was reproduced. The JSON-RPC server crate (
typell-server) is precisely the one that does not compile. The VCL/GQL/KQL backends are scaffolds, consistent with the README’s own "design/port stages" caveat.
From the repo root, at the commit above:
# Toolchains used
cargo --version # cargo 1.95.0
rustc --version # rustc 1.95.0
just --version # just 1.50.0
idris2 --version # Idris 2, version 0.8.0
zig version # 0.15.2
# Full workspace build — FAILS (exit 101): typell_vql -> typell-vcl rename half-done
CARGO_INCREMENTAL=0 cargo build --workspace
# 13/14 crates build — exit 0
CARGO_INCREMENTAL=0 cargo build --workspace --exclude typell-server
# Unit tests on the buildable crates — exit 0; 245 passed, 0 failed, 0 ignored
CARGO_INCREMENTAL=0 cargo test --workspace --exclude typell-server --lib --bins
# Two integration-test targets — FAIL to compile (same rename), e.g.:
CARGO_INCREMENTAL=0 cargo test -p typell-vcl --test vcl_bridge_tests # error[E0433] typell_vql
# NOT run this session (status unknown): the typell-core integration suites
# (they do NOT import typell_vql, so the rename does not break them):
# CARGO_INCREMENTAL=0 cargo test -p typell-core --test e2e_test --test property_test --test core_comprehensive_tests
# 'just test' runs NOTHING (placeholder recipe) — observe it only echoes
just test
# Idris2 ABI — does NOT typecheck (Foreign.idr is the only module that passes)
# modules declare TYPELL.ABI.<M>, so check from a matching source dir:
tmp=$(mktemp -d); mkdir -p "$tmp/TYPELL/ABI"; cp src/abi/*.idr "$tmp/TYPELL/ABI/"
( cd "$tmp" && for m in Types Layout Foreign Soundness InferenceSoundness LevelMonotonicity; do \
echo "-- $m"; idris2 --check "TYPELL/ABI/$m.idr"; done )
# Zig FFI — does NOT build against Zig 0.15.2 (addSharedLibrary removed)
( cd ffi/zig && zig build ) # exit 2Expected: the two --exclude typell-server commands are green (build exit 0;
245 passed; 0 failed; 0 ignored); the workspace build, the two typell_vql
integration targets, just test, the Idris2 ABI check, and zig build all fail
exactly as fenced above. The three typell-core integration suites were not
run this session (status unknown, not asserted). Hard proofs (Echidna) are out
of scope and were not run.
"A real, early-alpha Rust verification-kernel scaffold: 13/14 crates build and 245 unit-tests pass green now — but the full workspace does NOT build (an unfinished
typell_vql→typell-vclrename),just testruns nothing, the Idris2 'soundness proofs' do NOT typecheck (so 'formal-verification' is unearned and 'zero believe_me' is vacuous), and the Zig FFI does NOT build on Zig 0.15.2. Hard proofs are delegated to Echidna and were not run. Tested-in-parts, proved nowhere — promising scaffold, not a working verifier. No intentional overclaim."
We, the undersigned, assert that to the best of our joint belief at the timestamp above, every claim in this file is true and was checked as described — with no intentional overclaim, and with the open gaps stated rather than hidden.
-
Engineering party (AI): Claude Opus 4.8 (
claude-opus-4-8[1m]) — ran the build, test, and proof checks recorded here on 2026-06-16T12:25:56Z and stands behind the wording above as a faithful report of those runs. -
Owner / maintainer: Jonathan D.A. Jewell — signs by committing this file with
-S(id_ed25519_signing); the git commit signature over this content, at the commit SHA recorded above, is the cryptographic form of this affirmation.Signed-off-date: (fill on signing)
|
Tip
|
The authoritative, tamper-evident signature is the signed git commit that lands this file. If the SHA in Verifiable anchor matches the parent of that commit and the commit verifies, this affirmation is anchored. If they don’t match, treat the file as a draft. |