[Dijkstra] LEDGER-pov: complete the proof — gov re-derivation; Certs/Utxo/Utxow facts as parameters#1223
Merged
williamdemeo merged 9 commits intoJun 25, 2026
Conversation
…ders Per the top-down LEDGER-pov strategy (#1203), the Certs-PoV facts become module-parameter stubs, discharged later by #1210, so this PR proves only the ENTITIES/LEDGER layer. - Delete the provider modules Certs/Properties/PoV.lagda.md and Certs/Properties/PoVLemmas.lagda.md. - Drop their imports from Certs/Properties.lagda.md (keep Computational). - Add CERTS-pov as a parameter of the ENTITIES-PoV module in Entities/Properties/PoV.lagda.md, replacing the deleted import. Certs.Properties and Entities.Properties.PoV typecheck under Agda 2.8.0 via the project Nix flake. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
…gov summand Applies the unambiguous, additive corrections to the (non-build-path) LEDGER-pov draft. The deep batch-balance arithmetic is deliberately deferred: it depends on the Utxo/Utxow-PoV interface that lives in #1189, not on this branch. - Give LEDGER-PoV a CERTS-pov parameter (Certs-PoV stub, #1210) threaded into the ENTITIES-PoV instantiation, and a CERTS-coinFromDeposits-updateCertDeposits parameter (closed-form cert-deposit coin equation, #1210). - Add the governance-deposit parameters rmOrphanDRepVotes-coinFromGovDeposit and GOVS-coinFromGovDeposit (per the resume note), with a generic proposalsOf helper. - Rename coinFromDeposit -> coinFromDeposits (the spec renamed it). - Thread the coinFromGovDeposit summand into the LedgerState totals: the LEDGER-I case and the LEDGER-V G0/G' where-definitions. - Update the status note to record what is done and the precise deferred work (calculateDepositsChange/DepositsChange/UTXOW-* interface + the gov-deposit re-derivation: a SUBLEDGERS-gov-coin induction and a restated batch balance). Verified scope-clean up to the deferred chain: Agda elaborates proposalsOf, all module parameters, and the ENTITIES-PoV instantiation, stopping only at the documented not-on-branch interface (calculateDepositsChange). The file is an intentional WIP draft and is not on the build path. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
The closed-form cert-deposit helpers were hoisted to `Certs` for downstream Certs-level PoV proofs; the comment named the now-removed `Certs.Properties.PoVLemmas` module. Generalize the wording (prose only; no Agda change). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
…d fixes Toward completing the LEDGER-pov proof so it typechecks (CI builds this file via the html target, which globs all of src/). Progress, each verified up to the next error by `nix develop --command agda`: - Define the local deposit-change interface (DepositsChange = ℤ × ℤ with Top/SubOf projections and calculateDepositsChange via coinFromDeposits diffs), so posNeg-deposits and the dc/dct/dcs machinery typecheck. - Add posPart-negPart-sym (the ℕ-level posPart/negPart cancellation), which the draft referenced but never defined. - Import _⊖_ from Data.Integer (Ledger.Prelude does not re-export it). - Fix two invalid pair-bindings (`a , b = e` with separate signatures) in SUBLEDGERS-certs-pov and the LEDGER-V case: bind the pair then project. Remaining: add the Utxo/Utxow-PoV facts (utxow-pov-invalid, UTXOW-V-mechanical, UTXOW-batch-balance-coin) as #1186 module-parameter stubs, and complete the gov-summand re-derivation. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
…ters Two of the three Utxo/Utxow-PoV facts as #1186 module-parameter stubs, verified to typecheck (the checker now advances to UTXOW-batch-balance-coin): - utxow-pov-invalid: an invalid top-level tx's UTXOW step preserves UTxO coin. - UTXOW-V-mechanical: the valid single-tx mechanical coin equation. Remaining: UTXOW-batch-balance-coin (the consumedBatch ≡ producedBatch coin projection, with govProposalsDeposits on produced) and the gov-summand re-derivation through bat'/the main chain. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
… goal left Checkpoint: the full LEDGER-V chain now typechecks up to the final clause, which fails (as expected) because the existing 3-summand chain proves U₀+R₀+D₀ ≡ U₂+R₂+D₂ while the goal getCoin s ≡ getCoin s' carries the gov summand G' = coinFromGovDeposit (rmOrphanDRepVotes cs₂ govSt₂). Fixes in this commit: - UTXOW-batch-balance-coin parameter (no-gov form for now), inlined ⊖ so it reduces to the chain's DepositsChangeTopOf/SubOf form. - posPart-negPart-sym inductive clause via [1+m]⊖[1+n]≡m⊖n (⊖ does not reduce suc/suc definitionally). - LEDGER-V pattern: correct implicit names in telescope order (utxoState₁, govState₁, certState₁, certState₂, govState₂, utxoState₂) and bind the top-level GOVS step (was discarded). - extract-utxo-netId: UTXOW-normal-⋯/legacy-⋯ need 13 leading args + the UTXO premise (was 11). Remaining: add govProposalsDeposits to UTXOW-batch-balance-coin's produced side, thread +totGov through bat'/the chain, add SUBLEDGERS-gov-coin + the gov-deposit accounting, and assemble the 4-summand goal. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
Foundational gov-deposit lemma (verified to typecheck): induct over SUBLEDGERS,
threading the per-GOVS gov-deposit growth via the GOVS-coinFromGovDeposit
parameter, to get
coinFromGovDeposit (GovStateOf s₁)
≡ coinFromGovDeposit (GovStateOf s₀)
+ Σ_subs govProposalsDeposits pp (ListOfGovProposalsOf stx).
Also adds proposalsOf-Proposals+Votes : proposalsOf (GovProposals+Votes t) ≡
ListOfGovProposalsOf t (polymorphic helper, avoids the GovVote/GovProposal
double-import ambiguity), bridging the GOVS step's proposals to the batch
balance's ListOfGovProposalsOf.
Remaining: gov-inclusive UTXOW-batch-balance-coin + thread +totGov through
bat'/the chain, the gov-deposit accounting (G' ≡ G₀ + totGov), and the
4-summand assembly.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
The Dijkstra LEDGER preservation-of-value proof now typechecks end-to-end (nix develop --command agda, --safe, no postulates/holes). The LEDGER-V chain now proves the full 4-summand goal getCoin s ≡ getCoin s' = U₀+R₀+D₀+G₀ ≡ U₂+R₂+D₂+G' where G' = coinFromGovDeposit (rmOrphanDRepVotes cs₂ govSt₂), by: - Restating UTXOW-batch-balance-coin (the consumedBatch ≡ producedBatch coin projection, #1186's obligation) with the produced-side govProposalsDeposits collected into a single trailing `totGov` term. - Threading +totGov through bat' → LHS+E≡RHS+E → step-ii (mid-extract pulls it out of the middle; the existing arithmetic runs under cong (_+ totGov)), yielding three-summand : U₀+R₀+D₀ ≡ U₂+R₂+D₂+totGov. - gov-acc : totGov + G₀ ≡ G', via SUBLEDGERS-gov-coin (sub-tx GOVS steps), GOVS-coinFromGovDeposit (top GOVS step) + the proposalsOf bridge, and rmOrphanDRepVotes-coinFromGovDeposit. - Assembling the 4-summand goal from three-summand + gov-acc. The UTXOW-PoV facts (utxow-pov-invalid, UTXOW-V-mechanical, UTXOW-batch-balance-coin) remain module parameters, discharged downstream by the utxo/utxow-pov work (#1186). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
… helper The proof is complete, so the three historical "deferred/WIP/does-not-typecheck" status notes are replaced by one accurate note describing the module parameters (discharged downstream) and the four-summand accounting. Also refreshes the GOVS-coinFromGovDeposit and G₀/G' comments, the arithmetic-helpers prose, and removes the now-unused abcd-to-adcb shuffle. No proof changes (still --safe, EXIT 0). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
Contributor
There was a problem hiding this comment.
Pull request overview
This PR completes the Dijkstra-era LEDGER-pov preservation-of-value proof in Ledger/Properties/PoV.lagda.md while intentionally leaving Certs / UTxO / UTxOW PoV facts as module-parameter stubs to be discharged by follow-up work (#1210, #1186). It also removes the Dijkstra Certs PoV provider modules and threads CERTS-pov as a parameter through ENTITIES-PoV into LEDGER-PoV.
Changes:
- Finalize the
LEDGER-povequational chain for the 4-summandgetCoin(UTxO + rewards + cert deposits + gov deposits), including a newSUBLEDGERS-gov-coininduction and gov-deposit accounting wiring. - Remove Dijkstra
Certs.Properties.PoV/Certs.Properties.PoVLemmasmodules and liftCERTS-pov(and the closed-formcoinFromDepositsbridge) into parameters. - Minor documentation/wording adjustment in
Utxo.lagda.mdto reflect the Certs-level PoV usage of hoisted helpers.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
src/Ledger/Dijkstra/Specification/Utxo.lagda.md |
Updates narrative text about hoisted cert-deposit helpers and their downstream use. |
src/Ledger/Dijkstra/Specification/Ledger/Properties/PoV.lagda.md |
Completes LEDGER-pov proof end-to-end, adds gov-deposit accounting and threads Certs/UTxO/UTxOW facts as parameters. |
src/Ledger/Dijkstra/Specification/Entities/Properties/PoV.lagda.md |
Removes dependency on Dijkstra Certs PoV module; adds CERTS-pov as a module parameter. |
src/Ledger/Dijkstra/Specification/Certs/Properties/PoVLemmas.lagda.md |
Deleted (Certs PoV provider removed per top-down plan). |
src/Ledger/Dijkstra/Specification/Certs/Properties/PoV.lagda.md |
Deleted (Certs PoV provider removed per top-down plan). |
src/Ledger/Dijkstra/Specification/Certs/Properties.lagda.md |
Stops re-exporting the deleted PoV modules; keeps Computational. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
a1f3738
into
1187-dijkstra-NEW-ENTITIES-ledger-pov
3 checks passed
williamdemeo
added a commit
that referenced
this pull request
Jun 25, 2026
…Utxo/Utxow facts as parameters (#1223) Completes the Dijkstra LEDGER preservation-of-value proof. Ledger/Properties/PoV.lagda.md typechecks end-to-end (Agda 2.8.0 via the Nix flake, --safe, no postulates/holes). - Lift the Certs-PoV facts (CERTS-pov, CERTS-coinFromDeposits-updateCertDeposits) to module parameters of ENTITIES-PoV and LEDGER-PoV; remove the Certs-PoV provider modules. - Complete the LEDGER-V chain to the four-summand goal getCoin s ≡ getCoin s', including the gov-deposit re-derivation: UTXOW-batch-balance-coin (the consumedBatch ≡ producedBatch coin projection) carries the produced-side govProposalsDeposits as a single trailing totGov, threaded through bat'/LHS+E≡RHS+E/step-ii (three-summand); SUBLEDGERS-gov-coin + GOVS-coinFromGovDeposit (+ the proposalsOf bridge) + rmOrphanDRepVotes-coinFromGovDeposit give gov-acc. - The Utxo/Utxow-PoV facts remain module parameters, discharged by #1186. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
williamdemeo
added a commit
that referenced
this pull request
Jun 25, 2026
…Utxo/Utxow facts as parameters (#1223) Completes the Dijkstra LEDGER preservation-of-value proof. Ledger/Properties/PoV.lagda.md typechecks end-to-end (Agda 2.8.0 via the Nix flake, --safe, no postulates/holes). - Lift the Certs-PoV facts (CERTS-pov, CERTS-coinFromDeposits-updateCertDeposits) to module parameters of ENTITIES-PoV and LEDGER-PoV; remove the Certs-PoV provider modules. - Complete the LEDGER-V chain to the four-summand goal getCoin s ≡ getCoin s', including the gov-deposit re-derivation: UTXOW-batch-balance-coin (the consumedBatch ≡ producedBatch coin projection) carries the produced-side govProposalsDeposits as a single trailing totGov, threaded through bat'/LHS+E≡RHS+E/step-ii (three-summand); SUBLEDGERS-gov-coin + GOVS-coinFromGovDeposit (+ the proposalsOf bridge) + rmOrphanDRepVotes-coinFromGovDeposit give gov-acc. - The Utxo/Utxow-PoV facts remain module parameters, discharged by #1186. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Follow-up into
1187-dijkstra-NEW-ENTITIES-ledger-pov(the lead PR #1203), completing the top-down LEDGER-pov plan from theLedger/Properties/PoV.lagda.mdresume note: proveLEDGER-povin full, leaving the Certs / Utxo / Utxow PoV facts as module-parameter stubs (discharged later by #1210 and the utxo/utxow-pov work, #1186).Ledger/Properties/PoV.lagda.mdnow typechecks end-to-end — Agda 2.8.0 via the project Nix flake,--safe, no postulates or holes, clean recompile.1 — Remove the Certs-PoV providers; lift
CERTS-povto a parameterCerts/Properties/PoV.lagda.mdandCerts/Properties/PoVLemmas.lagda.md.Certs/Properties.lagda.md(keepComputational).CERTS-povas a parameter ofENTITIES-PoV(Entities/Properties/PoV.lagda.md) and ofLEDGER-PoV, threaded into theopen ENTITIES-PoV …instantiation, alongside theCERTS-coinFromDeposits-updateCertDepositsparameter (closed-form cert-deposit coin equation WIP -- [Dijkstra] CIP-159-11a: Certs PoV (per-step coin bridge + RTC lift) (#1185) #1210 provides).2 — Complete the
LEDGER-povproofgetCoinon aLedgerStatehas four summands: UTxO coin, rewards balance, the cert-deposit pots (coinFromDeposits), and the gov-action deposits (coinFromGovDeposit (GovStateOf s), post-#1214). TheLEDGER-Vchain proves the full four-summand goalgetCoin s ≡ getCoin s'whereG' = coinFromGovDeposit (rmOrphanDRepVotes cs₂ govSt₂):coinFromDeposit→coinFromDeposits(spec rename); local deposit-change interface (DepositsChange,calculateDepositsChange, theDepositsChange{Top,Sub}Ofprojections) andposPart-negPart-sym.UTXOW-batch-balance-coinis the coin projection of the spec'sconsumedBatch ≡ producedBatchpremise, with the produced-sidegovProposalsDeposits(top + per-sub) collected into a single trailingtotGov.+ totGovis threaded throughbat'→LHS+E≡RHS+E→step-ii(amid-extractlemma pulls it out of the middle; the existing arithmetic runs undercong (_+ totGov)), givingthree-summand : U₀+R₀+D₀ ≡ U₂+R₂+D₂+totGov. A newSUBLEDGERS-gov-coininduction (over the sub-tx GOVS steps) +GOVS-coinFromGovDeposit(top GOVS step, via a smallproposalsOfbridge) +rmOrphanDRepVotes-coinFromGovDepositgivegov-acc : totGov + G₀ ≡ G'. The body assembles the two.The Utxo/Utxow-PoV facts —
utxow-pov-invalid,UTXOW-V-mechanical,UTXOW-batch-balance-coin, and the UTxO algebra (balance-∪,split-balance,subutxow-step-coin,utxo₁-tx-spend-eq,fresh-top-tx-id, …) — remain module parameters, the interface to be discharged by #1186 (…NEW-ENTITIES-utxo-utxow-pov).UTXOW-batch-balance-coinis stated as the coin projection of the spec's batch-balance premise, so its discharge there is direct.Conway-side touches (resume-note item 7)
The Conway changes already on #1203 (
Conway/Conformance/Properties, the ConwayCerts/LedgerPoV files,Conway/…/GenMinSpend) are a Conway-internal refactor that drops now-provable assumption parameters made redundant by theLedger.Preludehoist; none reference Dijkstra code, and part of that hoist (sum-map-+) is used by theLEDGER-povchain. They are therefore not "only needed for the removed modules", so they are kept (reverting would cascade into the Prelude hoist for no correctness gain).Checklist
CHANGELOG.md🤖 Generated with Claude Code
https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
Generated by Claude Code