ci: make CI genuinely green — rust-ci toolchain pin + canonical Julia ABI-FFI gate#47
Merged
Merged
Conversation
Flagship semantic proof: an Alloy binary relation satisfies the `one` field multiplicity iff every live source maps to exactly one target (target-count = 1) — the OpenAPI "required, single-valued" property. Sound+complete Dec, certifier into the ABI Result codes proven sound, positive control + negative control (a one-source/two-target instance, the Alloy counterexample, is provably rejected). Verified with idris2 0.7.0 (build clean, zero warnings) + adversarial false-proof rejection. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Adds Alloyiser.ABI.Invariants over the existing Semantics model: proves the multiplicity-subsumption theorem oneImpliesLone (OneTargetFor s r -> LoneTargetFor s r) plus its field-level lift, a sound+complete Dec for LoneTargetFor, a sound ABI-Result certifier, and certifyOneEntailsLone tying the two verdicts. Controls: zero-target source is lone (positive), two-target source is not lone (negative), and lone does NOT entail one (strictness / non-vacuity). Distinct from and deeper than the Layer-2 `one` theorem. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Prove the alloyiser FFI result-code encoding is sound: distinct ABI outcomes never collide on the C wire and the integer faithfully round-trips back to the ABI value. - intToResult decoder (boolean Bits32 == so round-trip Refls reduce) - resultRoundTrip : intToResult (resultToInt r) = Just r - resultToIntInjective derived from the round-trip via justInj+cong - positive controls (decode 0/7/8) and a machine-checked non-vacuity control (resultToInt Ok /= resultToInt Error) Genuine proof only: no believe_me/postulate/assert_total/%hint. multToInt is export-only (non-reducing across modules) so it is out of scope here without widening Foreign's visibility. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Assemble the existing per-layer proofs into one inhabited certificate
in Alloyiser.ABI.Capstone:
* ABISound record collects the key proven facts — Layer-2 flagship
`one`-multiplicity (goodConformsOne), Layer-3 `lone` subsumption
invariant (goodConformsLone), and the Layer-4 FFI-seam injectivity
(resultToIntInjective).
* abiContractDischarged : ABISound is built solely from those existing
exported witnesses, so it typechecks iff every prior layer is sound —
the end-to-end manifest -> ABI proofs -> FFI seam soundness statement.
Genuine composition only: no believe_me / postulate / assert_total / etc.
Adversarial control: a bogus seamInjective (Refl with no proof) is
rejected by the typechecker. Build is clean with zero warnings.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
…ble fix); port ABI-FFI gate Python->Bash (Python is estate-banned) Resolves the standing baseline CI reds (rust-ci toolchain error, governance Language/anti-pattern, governance workflow-lint) without altering the proven ABI. The Bash gate reproduces the former Python gate's verdict verbatim (validated across all -iser repos) and catches the same drift classes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
…simiser) in place of the interim Bash port
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Make CI genuinely green. Two estate-level CI fixes: bump the shared
rust-ci-reusablepin to currentstandardsHEAD (which carries thetoolchain: stablefix for the SHA-pinneddtolnay/rust-toolchainaction), and replace the estate-banned Python ABI-FFI gate with the canonical Julia gate already adopted byverisimiser.Changes
rust-ci-reusable.ymlpind135b05→8dc2bf0.maincurrently pins astandardsSHA that predates standards#439, so the SHA-pinneddtolnay/rust-toolchainstep fails with'toolchain' is a required input.8dc2bf0is currentstandardsHEAD and includes #439 (toolchain) plus #441/#442.scripts/abi-ffi-gate.py(Python is banned estate-wide) and addscripts/abi-ffi-gate.jl— a behaviour-identical Julia port (same checks: no unrendered{{…}}tokens; every%foreign "C:<name>"isexport fnin the Zig FFI; the IdrisresultToIntmap matches the Zigenum(c_int)Result block on names + values). The workflow now installs Julia 1.11.5 and runs the Julia gate. Matches the canonical gate already inverisimiser.RSR Quality Checklist
Required
.envfiles includedAs Applicable
Testing
ABI-FFI gate verdict verified locally against an algorithm-identical reference port:
ABI-FFI GATE: OK. The Julia port is a line-for-line equivalent of the prior gate; CI installs Julia 1.11.5 to run it.🤖 Generated with Claude Code
Generated by Claude Code