[Dijkstra] (DEPRECATED) CIP-159-11c: Prove LEDGER PoV#1190
Closed
williamdemeo wants to merge 6 commits into
Closed
[Dijkstra] (DEPRECATED) CIP-159-11c: Prove LEDGER PoV#1190williamdemeo wants to merge 6 commits into
williamdemeo wants to merge 6 commits into
Conversation
3 tasks
ca99121 to
aec8700
Compare
cf1eeab to
24e189f
Compare
aec8700 to
8638126
Compare
24e189f to
c20ef17
Compare
f34dd7b to
ed32fcc
Compare
c20ef17 to
1a6f0e5
Compare
4 tasks
cf7a86b to
e494a2e
Compare
e494a2e to
f1cc871
Compare
7b5b569 to
11c8ec1
Compare
f1cc871 to
91db883
Compare
11c8ec1 to
d119313
Compare
91db883 to
ac0e814
Compare
After moving direct-deposit application from LEDGER-V into POST-CERT, CERTS-pov now produces a symmetric "consumed = produced" equation: getCoin s₁ + getCoin (DirectDepositsOf Γ) ≡ getCoin sₙ + getCoin (WithdrawalsOf Γ) Thread the direct-deposit term through the LEDGER-pov proof: * SUBLEDGERS-certs-pov gains "+ sum (map ddwl stxs)" on the LHS, where ddwl = getCoin ∘ DirectDepositsOf is the per-sub-tx direct-deposit total (analogous to wdrwl). * combined-certs gains "+ allDirectDeps" on the LHS, composing the per-sub CERTS-pov chain with the top-level call. * The main LEDGER-V chain wraps the result in +-cancelʳ-≡ to discharge the asymmetric "+ allDirectDeps" combined-certs introduces. Removed: * The certStateFinal local definition (LEDGER-V no longer applies applyDirectDeposits). * step-ii and the applyDirectDeposits-rewardsBalance module parameter (subsumed by indexedSumᵛ'-∪⁺ inside POST-CERT-pov). * The DD-split module parameter (subsumed by per-tx CERTS-pov chain). * Stale "Key Lemma" subsection and stale commented-out lines in bat'. * Unused imports +-identityʳ and +-0-monoid. * Redundant local aliases in bat's where-block. Documentation: rewrote "Key Differences from Conway" point 2 and the LEDGER-V Proof Outline to reflect the new architecture; clarified the LEDGER-I outline.
d119313 to
495acf3
Compare
This was referenced May 20, 2026
williamdemeo
added a commit
that referenced
this pull request
May 21, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
williamdemeo
added a commit
that referenced
this pull request
May 21, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
williamdemeo
added a commit
that referenced
this pull request
May 27, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
williamdemeo
added a commit
that referenced
this pull request
May 29, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
williamdemeo
added a commit
that referenced
this pull request
Jun 2, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
williamdemeo
added a commit
that referenced
this pull request
Jun 9, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
williamdemeo
added a commit
that referenced
this pull request
Jun 15, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
Member
Author
|
superseded by PR #1203 |
williamdemeo
added a commit
that referenced
this pull request
Jun 25, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
williamdemeo
added a commit
that referenced
this pull request
Jun 25, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
williamdemeo
added a commit
that referenced
this pull request
Jun 30, 2026
Step 4 of the LEDGER preservation-of-value plan (#1187). Chains the three lemmas already proved in steps 2-3 over the single ENTITIES constructor: applyWithdrawals-pov on (wdrls, r₀) CERTS-pov on the inner ⟦ ... ,CERTS⦈ premise applyDirectDeposits-pov on (dd, r₁) The resulting equation is the value-flow statement for the whole rule: getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s' + getCoin (WithdrawalsOf Γ) ENTITIES-pov takes the two per-batch NetworkId witnesses as separate arguments, mirroring extract-netId's output in the old #1190 LEDGER-pov proof. These witnesses are produced at the call site by the SUBUTXOW/UTXOW step and threaded into ENTITIES-pov from there. The module ENTITIES-PoV inherits and re-exports the three set/map parameters of ApplyToRewards-PoV (∪ˡ-lookup-preserve, sum-map-proj₂≡getCoin, setToList-Unique), to be discharged in a follow-up. Also adds a top-level Entities.Properties module that re-exports the two property submodules, matching the existing Certs.Properties convention.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DEPRECATED. This PR was based on
CERT-PostandCERT-Presetup. It is superseded by #1203 which is based on theENTITIESapproach.Description
Closes #1187.
This PR proves the top-level
LEDGER-povtheorem for the Dijkstra era, building on theCertsandUtxo/UtxowPoV machinery from PRs #<new-A>and #<new-B>. It is the third of three replacing the original PR #1169.It targets the branch of PR #
<new-B>so that CI sees the full PoV chain in order; once #<new-B>merges, this PR will be retargeted tomaster.Module
Ledger.Properties.PoVHasCoininstances andLEDGER-povDesign notes
Why the proof reasons about
LEDGER-Vas a single stepThe Dijkstra
LEDGER-povproof does not decompose into independentSUBLEDGERS-povandUTXOW-povpieces, because (i) individualSUBUTXOrules have no balance equation — only the batch-levelconsumedBatch ≡ producedBatch(inUTXO) constrains the total — and (ii) sub-transactions may individually transfer value between UTxO and CertState (via sub-withdrawals, sub-deposits, sub-direct-deposits) without local balancing. Instead, the proof reasons about the entireLEDGER-Vstep at once.applyDirectDepositscancellation is the main new challengeIn
LEDGER-V,certStateFinal = certStateWithDDeps tx certState₂ = record certState₂ { dState = applyDirectDeposits (DirectDepositsOf tx) (DStateOf certState₂) }. Direct deposit value appears inproducedBatch(UTxO side) and incertStateFinal(CertState side), so it cancels in the total. The proof is an equational chain combiningSUBLEDGERS-certs-pov, top-levelCERTS-pov, the batch-UTxO-accounting step, and theapplyDirectDeposits-rewardsBalanceidentity. Per-transaction direct deposit application (PR #1161) makes this slightly cleaner than batch-wide application would have been, because each transaction's direct-deposit total appears next to its ownproducedTxterm inproducedBatch, mirrored by its owncertStateWithDDepsstep.Helpers proved here
SUBLEDGERS-certs-pov— induction over theSUBLEDGERSreflexive-transitive closure, composing per-sub-transactionCERTS-povinvocations.SUBLEDGERS-utxo-coin— parallel induction trackinggetCoin (UTxOStateOf _)through theSUBLEDGERSchain via the per-stepSUBUTXOWcoin equation.LEDGER-pov— bothLEDGER-VandLEDGER-Icases.The
LEDGER-Icase is straightforward:certStateandgovStare unchanged,SUBLEDGERSis a no-op, and only theUTXOWstep affectsgetCoin, which it preserves viautxow-pov-invalid(from PR #<new-B>).Outstanding proof obligations
The following are stated as module parameters of
Ledger.Properties.PoV, with detailed proof sketches in comments. Each will be discharged in a follow-up; the dependencies are now in place.CIP-159–specific or Dijkstra-specific:
applyDirectDeposits-rewardsBalance— should follow from∪⁺properties.subutxow-step-coin— per-stepSUBUTXOWcoin equation. Requires a batch-wide "spend inputs preserved" invariant and freshness of each sub-tx's TxId relative to the running UTxO.utxo₁-tx-spend-eqandfresh-top-tx-id— batch-wide invariants on the post-SUBLEDGERSUTxO state. Both follow from batch-wide input disjointness and TxId freshness, which the outer UTXO rule establishes at the batch level but does not expose per-step.Era-independent (can be discharged in a small standalone follow-up):
posNeg-deposits— deposit-change posPart/negPart identity. Provable from the definition ofcalculateDepositsChangeand the standardy + posPart (x − y) ≡ x + negPart (x − y)lemma.DD-split— aggregation identity forallDirectDeposits. Provable once we confirmallDirectDepositssums top-level and sub-level direct deposits disjointly.sum-map-+— standard list algebra.The shared parameters (
balance-∪,split-balance,outs-disjoint,noMintTx,noMintSubTx,∪ˡ-res-lookup-preserve,sum-map-proj₂≡getCoin,setToList-Unique) are the same ones already taken as parameters in PRs #<new-A>and #<new-B>; they are threaded through here.The invariant properties from §§3–6 of the parent issue #1123 (phantom asset, non-negative balance, direct-deposit registration, balance-interval satisfaction) are mostly straightforward consequences of
UTXO-Premisesconjuncts and are deferred to a follow-up.Checklist
CHANGELOG.md