Skip to content

[Dijkstra] LEDGER-pov: complete the proof — gov re-derivation; Certs/Utxo/Utxow facts as parameters#1223

Merged
williamdemeo merged 9 commits into
1187-dijkstra-NEW-ENTITIES-ledger-povfrom
claude/gifted-bardeen-iiix4j
Jun 25, 2026
Merged

[Dijkstra] LEDGER-pov: complete the proof — gov re-derivation; Certs/Utxo/Utxow facts as parameters#1223
williamdemeo merged 9 commits into
1187-dijkstra-NEW-ENTITIES-ledger-povfrom
claude/gifted-bardeen-iiix4j

Conversation

@williamdemeo

@williamdemeo williamdemeo commented Jun 23, 2026

Copy link
Copy Markdown
Member

Description

Follow-up into 1187-dijkstra-NEW-ENTITIES-ledger-pov (the lead PR #1203), completing the top-down LEDGER-pov plan from the Ledger/Properties/PoV.lagda.md resume note: prove LEDGER-pov in full, leaving the Certs / Utxo / Utxow PoV facts as module-parameter stubs (discharged later by #1210 and the utxo/utxow-pov work, #1186).

Ledger/Properties/PoV.lagda.md now typechecks end-to-end — Agda 2.8.0 via the project Nix flake, --safe, no postulates or holes, clean recompile.

1 — Remove the Certs-PoV providers; lift CERTS-pov to a parameter

  • Delete Certs/Properties/PoV.lagda.md and Certs/Properties/PoVLemmas.lagda.md.
  • Drop their imports from Certs/Properties.lagda.md (keep Computational).
  • Add CERTS-pov as a parameter of ENTITIES-PoV (Entities/Properties/PoV.lagda.md) and of LEDGER-PoV, threaded into the open ENTITIES-PoV … instantiation, alongside the CERTS-coinFromDeposits-updateCertDeposits parameter (closed-form cert-deposit coin equation WIP -- [Dijkstra] CIP-159-11a: Certs PoV (per-step coin bridge + RTC lift) (#1185) #1210 provides).

2 — Complete the LEDGER-pov proof

getCoin on a LedgerState has four summands: UTxO coin, rewards balance, the cert-deposit pots (coinFromDeposits), and the gov-action deposits (coinFromGovDeposit (GovStateOf s), post-#1214). The LEDGER-V chain proves the full four-summand goal getCoin s ≡ getCoin s' where G' = coinFromGovDeposit (rmOrphanDRepVotes cs₂ govSt₂):

  • coinFromDepositcoinFromDeposits (spec rename); local deposit-change interface (DepositsChange, calculateDepositsChange, the DepositsChange{Top,Sub}Of projections) and posPart-negPart-sym.
  • Gov summand (the re-derivation). UTXOW-batch-balance-coin is the coin projection of the spec's consumedBatch ≡ producedBatch premise, with the produced-side govProposalsDeposits (top + per-sub) collected into a single trailing totGov. + totGov is threaded through bat'LHS+E≡RHS+Estep-ii (a mid-extract lemma pulls it out of the middle; the existing arithmetic runs under cong (_+ totGov)), giving three-summand : U₀+R₀+D₀ ≡ U₂+R₂+D₂+totGov. A new SUBLEDGERS-gov-coin induction (over the sub-tx GOVS steps) + GOVS-coinFromGovDeposit (top GOVS step, via a small proposalsOf bridge) + rmOrphanDRepVotes-coinFromGovDeposit give gov-acc : totGov + G₀ ≡ G'. The body assembles the two.

The Utxo/Utxow-PoV facts — utxow-pov-invalid, UTXOW-V-mechanical, UTXOW-batch-balance-coin, and the UTxO algebra (balance-∪, split-balance, subutxow-step-coin, utxo₁-tx-spend-eq, fresh-top-tx-id, …) — remain module parameters, the interface to be discharged by #1186 (…NEW-ENTITIES-utxo-utxow-pov). UTXOW-batch-balance-coin is stated as the coin projection of the spec's batch-balance premise, so its discharge there is direct.

Conway-side touches (resume-note item 7)

The Conway changes already on #1203 (Conway/Conformance/Properties, the Conway Certs/Ledger PoV files, Conway/…/GenMinSpend) are a Conway-internal refactor that drops now-provable assumption parameters made redundant by the Ledger.Prelude hoist; none reference Dijkstra code, and part of that hoist (sum-map-+) is used by the LEDGER-pov chain. They are therefore not "only needed for the removed modules", so they are kept (reverting would cascade into the Prelude hoist for no correctness gain).

Checklist

  • Commit sequence broadly makes sense and commits have useful messages
  • Any semantic changes to the specifications are documented in CHANGELOG.md
  • Code is formatted according to CONTRIBUTING.md
  • Self-reviewed the diff

🤖 Generated with Claude Code

https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r


Generated by Claude Code

claude added 7 commits June 23, 2026 02:33
…ders

Per the top-down LEDGER-pov strategy (#1203), the Certs-PoV facts become
module-parameter stubs, discharged later by #1210, so this PR proves only
the ENTITIES/LEDGER layer.

- Delete the provider modules Certs/Properties/PoV.lagda.md and
  Certs/Properties/PoVLemmas.lagda.md.
- Drop their imports from Certs/Properties.lagda.md (keep Computational).
- Add CERTS-pov as a parameter of the ENTITIES-PoV module in
  Entities/Properties/PoV.lagda.md, replacing the deleted import.

Certs.Properties and Entities.Properties.PoV typecheck under Agda 2.8.0 via
the project Nix flake.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
…gov summand

Applies the unambiguous, additive corrections to the (non-build-path) LEDGER-pov
draft.  The deep batch-balance arithmetic is deliberately deferred: it depends on
the Utxo/Utxow-PoV interface that lives in #1189, not on this branch.

- Give LEDGER-PoV a CERTS-pov parameter (Certs-PoV stub, #1210) threaded into the
  ENTITIES-PoV instantiation, and a CERTS-coinFromDeposits-updateCertDeposits
  parameter (closed-form cert-deposit coin equation, #1210).
- Add the governance-deposit parameters rmOrphanDRepVotes-coinFromGovDeposit and
  GOVS-coinFromGovDeposit (per the resume note), with a generic proposalsOf helper.
- Rename coinFromDeposit -> coinFromDeposits (the spec renamed it).
- Thread the coinFromGovDeposit summand into the LedgerState totals: the LEDGER-I
  case and the LEDGER-V G0/G' where-definitions.
- Update the status note to record what is done and the precise deferred work
  (calculateDepositsChange/DepositsChange/UTXOW-* interface + the gov-deposit
  re-derivation: a SUBLEDGERS-gov-coin induction and a restated batch balance).

Verified scope-clean up to the deferred chain: Agda elaborates proposalsOf, all
module parameters, and the ENTITIES-PoV instantiation, stopping only at the
documented not-on-branch interface (calculateDepositsChange).  The file is an
intentional WIP draft and is not on the build path.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
The closed-form cert-deposit helpers were hoisted to `Certs` for downstream
Certs-level PoV proofs; the comment named the now-removed `Certs.Properties.PoVLemmas`
module.  Generalize the wording (prose only; no Agda change).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
…d fixes

Toward completing the LEDGER-pov proof so it typechecks (CI builds this file via
the html target, which globs all of src/).  Progress, each verified up to the next
error by `nix develop --command agda`:

- Define the local deposit-change interface (DepositsChange = ℤ × ℤ with
  Top/SubOf projections and calculateDepositsChange via coinFromDeposits diffs), so
  posNeg-deposits and the dc/dct/dcs machinery typecheck.
- Add posPart-negPart-sym (the ℕ-level posPart/negPart cancellation), which the
  draft referenced but never defined.
- Import _⊖_ from Data.Integer (Ledger.Prelude does not re-export it).
- Fix two invalid pair-bindings (`a , b = e` with separate signatures) in
  SUBLEDGERS-certs-pov and the LEDGER-V case: bind the pair then project.

Remaining: add the Utxo/Utxow-PoV facts (utxow-pov-invalid, UTXOW-V-mechanical,
UTXOW-batch-balance-coin) as #1186 module-parameter stubs, and complete the
gov-summand re-derivation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
…ters

Two of the three Utxo/Utxow-PoV facts as #1186 module-parameter stubs, verified
to typecheck (the checker now advances to UTXOW-batch-balance-coin):

- utxow-pov-invalid: an invalid top-level tx's UTXOW step preserves UTxO coin.
- UTXOW-V-mechanical: the valid single-tx mechanical coin equation.

Remaining: UTXOW-batch-balance-coin (the consumedBatch ≡ producedBatch coin
projection, with govProposalsDeposits on produced) and the gov-summand
re-derivation through bat'/the main chain.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
… goal left

Checkpoint: the full LEDGER-V chain now typechecks up to the final clause, which
fails (as expected) because the existing 3-summand chain proves U₀+R₀+D₀ ≡
U₂+R₂+D₂ while the goal getCoin s ≡ getCoin s' carries the gov summand
G' = coinFromGovDeposit (rmOrphanDRepVotes cs₂ govSt₂).

Fixes in this commit:
- UTXOW-batch-balance-coin parameter (no-gov form for now), inlined ⊖ so it
  reduces to the chain's DepositsChangeTopOf/SubOf form.
- posPart-negPart-sym inductive clause via [1+m]⊖[1+n]≡m⊖n (⊖ does not reduce
  suc/suc definitionally).
- LEDGER-V pattern: correct implicit names in telescope order
  (utxoState₁, govState₁, certState₁, certState₂, govState₂, utxoState₂) and
  bind the top-level GOVS step (was discarded).
- extract-utxo-netId: UTXOW-normal-⋯/legacy-⋯ need 13 leading args + the UTXO
  premise (was 11).

Remaining: add govProposalsDeposits to UTXOW-batch-balance-coin's produced side,
thread +totGov through bat'/the chain, add SUBLEDGERS-gov-coin + the gov-deposit
accounting, and assemble the 4-summand goal.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
Foundational gov-deposit lemma (verified to typecheck): induct over SUBLEDGERS,
threading the per-GOVS gov-deposit growth via the GOVS-coinFromGovDeposit
parameter, to get

  coinFromGovDeposit (GovStateOf s₁)
    ≡ coinFromGovDeposit (GovStateOf s₀)
      + Σ_subs govProposalsDeposits pp (ListOfGovProposalsOf stx).

Also adds proposalsOf-Proposals+Votes : proposalsOf (GovProposals+Votes t) ≡
ListOfGovProposalsOf t (polymorphic helper, avoids the GovVote/GovProposal
double-import ambiguity), bridging the GOVS step's proposals to the batch
balance's ListOfGovProposalsOf.

Remaining: gov-inclusive UTXOW-batch-balance-coin + thread +totGov through
bat'/the chain, the gov-deposit accounting (G' ≡ G₀ + totGov), and the
4-summand assembly.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
@williamdemeo williamdemeo marked this pull request as draft June 23, 2026 06:25
claude added 2 commits June 23, 2026 06:47
The Dijkstra LEDGER preservation-of-value proof now typechecks end-to-end
(nix develop --command agda, --safe, no postulates/holes).

The LEDGER-V chain now proves the full 4-summand goal
  getCoin s ≡ getCoin s'  =  U₀+R₀+D₀+G₀ ≡ U₂+R₂+D₂+G'
where G' = coinFromGovDeposit (rmOrphanDRepVotes cs₂ govSt₂), by:

- Restating UTXOW-batch-balance-coin (the consumedBatch ≡ producedBatch coin
  projection, #1186's obligation) with the produced-side govProposalsDeposits
  collected into a single trailing `totGov` term.
- Threading +totGov through bat' → LHS+E≡RHS+E → step-ii (mid-extract pulls it
  out of the middle; the existing arithmetic runs under cong (_+ totGov)),
  yielding three-summand : U₀+R₀+D₀ ≡ U₂+R₂+D₂+totGov.
- gov-acc : totGov + G₀ ≡ G', via SUBLEDGERS-gov-coin (sub-tx GOVS steps),
  GOVS-coinFromGovDeposit (top GOVS step) + the proposalsOf bridge, and
  rmOrphanDRepVotes-coinFromGovDeposit.
- Assembling the 4-summand goal from three-summand + gov-acc.

The UTXOW-PoV facts (utxow-pov-invalid, UTXOW-V-mechanical,
UTXOW-batch-balance-coin) remain module parameters, discharged downstream by
the utxo/utxow-pov work (#1186).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
… helper

The proof is complete, so the three historical "deferred/WIP/does-not-typecheck"
status notes are replaced by one accurate note describing the module parameters
(discharged downstream) and the four-summand accounting.  Also refreshes the
GOVS-coinFromGovDeposit and G₀/G' comments, the arithmetic-helpers prose, and
removes the now-unused abcd-to-adcb shuffle.  No proof changes (still --safe, EXIT 0).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
@williamdemeo williamdemeo changed the title [Dijkstra] LEDGER-pov: stub Certs-PoV via module parameters + safe re-derivation corrections [Dijkstra] LEDGER-pov: complete the proof — gov re-derivation; Certs/Utxo/Utxow facts as parameters Jun 23, 2026
@williamdemeo williamdemeo marked this pull request as ready for review June 25, 2026 02:45
@williamdemeo williamdemeo requested a review from Copilot June 25, 2026 02:54

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR completes the Dijkstra-era LEDGER-pov preservation-of-value proof in Ledger/Properties/PoV.lagda.md while intentionally leaving Certs / UTxO / UTxOW PoV facts as module-parameter stubs to be discharged by follow-up work (#1210, #1186). It also removes the Dijkstra Certs PoV provider modules and threads CERTS-pov as a parameter through ENTITIES-PoV into LEDGER-PoV.

Changes:

  • Finalize the LEDGER-pov equational chain for the 4-summand getCoin (UTxO + rewards + cert deposits + gov deposits), including a new SUBLEDGERS-gov-coin induction and gov-deposit accounting wiring.
  • Remove Dijkstra Certs.Properties.PoV / Certs.Properties.PoVLemmas modules and lift CERTS-pov (and the closed-form coinFromDeposits bridge) into parameters.
  • Minor documentation/wording adjustment in Utxo.lagda.md to reflect the Certs-level PoV usage of hoisted helpers.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
src/Ledger/Dijkstra/Specification/Utxo.lagda.md Updates narrative text about hoisted cert-deposit helpers and their downstream use.
src/Ledger/Dijkstra/Specification/Ledger/Properties/PoV.lagda.md Completes LEDGER-pov proof end-to-end, adds gov-deposit accounting and threads Certs/UTxO/UTxOW facts as parameters.
src/Ledger/Dijkstra/Specification/Entities/Properties/PoV.lagda.md Removes dependency on Dijkstra Certs PoV module; adds CERTS-pov as a module parameter.
src/Ledger/Dijkstra/Specification/Certs/Properties/PoVLemmas.lagda.md Deleted (Certs PoV provider removed per top-down plan).
src/Ledger/Dijkstra/Specification/Certs/Properties/PoV.lagda.md Deleted (Certs PoV provider removed per top-down plan).
src/Ledger/Dijkstra/Specification/Certs/Properties.lagda.md Stops re-exporting the deleted PoV modules; keeps Computational.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@williamdemeo williamdemeo merged commit a1f3738 into 1187-dijkstra-NEW-ENTITIES-ledger-pov Jun 25, 2026
3 checks passed
@williamdemeo williamdemeo deleted the claude/gifted-bardeen-iiix4j branch June 25, 2026 03:15
williamdemeo added a commit that referenced this pull request Jun 25, 2026
…Utxo/Utxow facts as parameters (#1223)

Completes the Dijkstra LEDGER preservation-of-value proof.
Ledger/Properties/PoV.lagda.md typechecks end-to-end (Agda 2.8.0 via the Nix
flake, --safe, no postulates/holes).

- Lift the Certs-PoV facts (CERTS-pov, CERTS-coinFromDeposits-updateCertDeposits)
  to module parameters of ENTITIES-PoV and LEDGER-PoV; remove the Certs-PoV
  provider modules.
- Complete the LEDGER-V chain to the four-summand goal getCoin s ≡ getCoin s',
  including the gov-deposit re-derivation: UTXOW-batch-balance-coin (the
  consumedBatch ≡ producedBatch coin projection) carries the produced-side
  govProposalsDeposits as a single trailing totGov, threaded through
  bat'/LHS+E≡RHS+E/step-ii (three-summand); SUBLEDGERS-gov-coin +
  GOVS-coinFromGovDeposit (+ the proposalsOf bridge) +
  rmOrphanDRepVotes-coinFromGovDeposit give gov-acc.
- The Utxo/Utxow-PoV facts remain module parameters, discharged by #1186.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
williamdemeo added a commit that referenced this pull request Jun 25, 2026
…Utxo/Utxow facts as parameters (#1223)

Completes the Dijkstra LEDGER preservation-of-value proof.
Ledger/Properties/PoV.lagda.md typechecks end-to-end (Agda 2.8.0 via the Nix
flake, --safe, no postulates/holes).

- Lift the Certs-PoV facts (CERTS-pov, CERTS-coinFromDeposits-updateCertDeposits)
  to module parameters of ENTITIES-PoV and LEDGER-PoV; remove the Certs-PoV
  provider modules.
- Complete the LEDGER-V chain to the four-summand goal getCoin s ≡ getCoin s',
  including the gov-deposit re-derivation: UTXOW-batch-balance-coin (the
  consumedBatch ≡ producedBatch coin projection) carries the produced-side
  govProposalsDeposits as a single trailing totGov, threaded through
  bat'/LHS+E≡RHS+E/step-ii (three-summand); SUBLEDGERS-gov-coin +
  GOVS-coinFromGovDeposit (+ the proposalsOf bridge) +
  rmOrphanDRepVotes-coinFromGovDeposit give gov-acc.
- The Utxo/Utxow-PoV facts remain module parameters, discharged by #1186.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01We2YdXX2ozJAdAbCrRwi6r
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants