|
1 | 1 | # PROOF-NEEDS.md — nextgen-databases |
2 | 2 |
|
3 | | -## Current State |
| 3 | +## Current State (Updated 2026-04-11) |
4 | 4 |
|
5 | | -- **src/abi/*.idr**: YES (in lithoglyph) — `BofigEntities.idr`, `GQLdt/ABI/Foreign.idr` |
| 5 | +- **VeriSimDB ABI**: `verisimdb/src/abi/` — `Types.idr`, `Layout.idr`, `Foreign.idr` (873 LOC, genuine domain ABI) |
| 6 | +- **Lithoglyph ABI**: `lithoglyph/` — `BofigEntities.idr`, `GQLdt/ABI/Foreign.idr` |
6 | 7 | - **Dangerous patterns**: 0 (4 references are documentation asserting "no believe_me" invariant) |
7 | 8 | - **LOC**: ~202,000 (Rust + Idris2) |
8 | | -- **ABI layer**: Lithoglyph has Idris2 ABI with constructive proofs, explicit no-believe_me policy |
| 9 | +- **Connector Obj.magic casts**: ELIMINATED 2026-04-10 — 5 ReScript connectors now use typed externals |
9 | 10 |
|
10 | 11 | ## What Needs Proving |
11 | 12 |
|
12 | | -| Component | What | Why | |
13 | | -|-----------|------|-----| |
14 | | -| VeriSimDB WAL correctness | Write-ahead log guarantees durability and ordering | WAL bugs cause data loss — the worst database bug | |
15 | | -| VeriSimDB transaction isolation | ACID properties hold under concurrent access | Isolation violations corrupt data silently | |
16 | | -| VeriSimDB ZKP bridge | Zero-knowledge proof generation is sound | Unsound ZKP breaks semantic verification | |
17 | | -| VeriSimDB HNSW index | Vector similarity search returns correct nearest neighbours | Wrong results from vector search corrupt ML pipelines | |
18 | | -| VeriSimDB query planner | Query optimization preserves result equivalence | Optimized query must return same results as unoptimized | |
19 | | -| VeriSimDB drift detection | Drift detector correctly identifies schema changes | Missed drift causes silent data corruption | |
20 | | -| Lithoglyph entity proofs | Extend BofigEntities constructive proofs | Current proofs cover basic entities; need full coverage | |
21 | | -| QuandleDB algebraic laws | Quandle operations satisfy rack/quandle axioms | Mathematical structure must be correct by construction | |
| 13 | +### P0 — Critical (require Lean4/TLA+/Coq — not I2) |
22 | 14 |
|
23 | | -## Recommended Prover |
| 15 | +| # | Component | Prover | Notes | |
| 16 | +|---|-----------|--------|-------| |
| 17 | +| V1 | Octad coherence invariant | I2 | 8 modalities mutually consistent post-operation | |
| 18 | +| V2 | VQL type inference soundness | Cq/L4 | Bidirectional inference correct | |
| 19 | +| V3 | VQL subtyping transitivity + decidability | L4 | | |
| 20 | +| V4 | Raft consensus safety | L4 | No log divergence after commit | |
| 21 | +| V5 | Transaction atomicity | TLA | All-or-nothing across 8 modalities | |
24 | 22 |
|
25 | | -**Idris2** — Lithoglyph already has constructive Idris2 proofs. VeriSimDB WAL and transaction proofs fit naturally. ZKP soundness may need **Coq** for deeper cryptographic proofs. |
| 23 | +### P1 — High (require Lean4/Agda/Isabelle — not I2) |
26 | 24 |
|
27 | | -## Priority |
| 25 | +| # | Component | Prover | Notes | |
| 26 | +|---|-----------|--------|-------| |
| 27 | +| V6 | WAL integrity | L4 | CRC, replay idempotence, segment ordering | |
| 28 | +| V7 | Provenance chain immutability | Ag | Hash chain, monotonic timestamps | |
| 29 | +| V8 | Drift metric correctness | Iz | Detection algorithm numerical bounds | |
| 30 | + |
| 31 | +### P2 — Standard (I2 actionable) |
| 32 | + |
| 33 | +| # | Component | Prover | Notes | |
| 34 | +|---|-----------|--------|-------| |
| 35 | +| V11 | Connector type safety | I2 | Obj.magic eliminated; Idris2 proof of typed external shapes | |
| 36 | +| V12 | FFI pointer validity + memory ownership | I2 | `verisimdb/src/abi/Foreign.idr` lifetime model | |
28 | 37 |
|
29 | | -**HIGH** — VeriSimDB is the standard database across the ecosystem. WAL correctness and transaction isolation are critical — bugs here corrupt data in every downstream project. The ZKP bridge is security-critical. |
| 38 | +Note: V9/V10 require TLA+ (not I2). |
30 | 39 |
|
31 | | -## Template ABI Cleanup (2026-03-29) |
| 40 | +## Recommended Prover |
| 41 | + |
| 42 | +**Idris2** for V11/V12 (P2, I2-actionable). V0-V8 require Lean4/Agda/Isabelle/TLA+ specialists. |
| 43 | + |
| 44 | +## Priority |
32 | 45 |
|
33 | | -Template ABI removed -- was creating false impression of formal verification. |
34 | | -The removed files (Types.idr, Layout.idr, Foreign.idr) contained only RSR template |
35 | | -scaffolding with unresolved {{PROJECT}}/{{AUTHOR}} placeholders and no domain-specific proofs. |
| 46 | +**MEDIUM** (was HIGH) — V1-V8 require non-Idris2 provers. V11/V12 (I2/P2) are the remaining I2-actionable items; Obj.magic already eliminated from connectors. WAL/transaction/consensus remain open for L4/TLA+ sessions. |
0 commit comments