feat(abi): add Idris2 ABI definitions for IIoT hardware abstraction

hyperpolymath · claude · hyperpolymath · commit 1e801dc3c129 · 2026-04-12T17:13:13.000+01:00
Types, HAL, MQTT, OTA, WiFi — 379 LOC of dependently-typed ABI specs
for the Kaldor embedded platform.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/abi/HAL.idr b/src/abi/HAL.idr
@@ -0,0 +1,74 @@
+-- SPDX-License-Identifier: PMPL-1.0-or-later
+-- Copyright (c) 2026 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+--
+-- HAL.idr — Hardware Abstraction Layer ABI contract.
+--
+-- Defines the interface that both the freestanding ESP32 implementation
+-- (ffi/zig/src/esp_idf_hal.zig) and the simulation implementation
+-- (firmware-zig/src/hal.zig) must satisfy.
+
+module KaldorBBW.ABI.HAL
+
+import KaldorBBW.ABI.Types
+
+%default total
+
+-- --------------------------------------------------------------------------
+-- HAL interface
+-- --------------------------------------------------------------------------
+
+||| Contract for the hardware abstraction layer.
+|||
+||| All effectful operations live in some monad @m.  The actual
+||| implementations are in Zig (host simulation or ESP-IDF on device).
+public export
+interface HalABI (0 m : Type -> Type) where
+
+  -- Time
+  ||| Current time in milliseconds since boot.
+  timerGetMs : m Nat
+  ||| Suspend execution for @ms milliseconds.
+  delayMs    : Nat -> m ()
+
+  -- GPIO — return False if the pin index is out of range (> 39)
+  ||| Configure pin as push-pull output.
+  gpioSetOut : GpioPin -> m Bool
+  ||| Configure pin as input (floating).
+  gpioSetIn  : GpioPin -> m Bool
+  ||| Write a digital level to a pin.
+  gpioWrite  : GpioPin -> Bool -> m Bool
+  ||| Read the current digital level of a pin.
+  gpioRead   : GpioPin -> m Bool
+
+  -- UART
+  ||| Write raw bytes to UART0 (debug / log output).
+  uartPrint  : List Bits8 -> m ()
+
+  -- System
+  ||| Read the unique chip identifier from the eFuse MAC address.
+  chipId     : m Bits32
+  ||| Return the current size of the free heap in bytes.
+  freeHeap   : m Nat
+  ||| Hard restart the microcontroller.  Does not return.
+  restart    : m Void
+
+-- --------------------------------------------------------------------------
+-- Derived proofs and combinators
+-- --------------------------------------------------------------------------
+
+||| Pin 0 satisfies the GpioPin constraint.
+public export
+pin0 : GpioPin
+pin0 = MkGpioPin 0
+
+||| Pin 39 satisfies the GpioPin constraint (boundary value).
+public export
+pin39 : GpioPin
+pin39 = MkGpioPin 39
+
+||| Convenience: toggle a GPIO pin (read then write the complement).
+public export
+gpioToggle : HalABI m => Monad m => GpioPin -> m Bool
+gpioToggle pin = do
+  level <- gpioRead pin
+  gpioWrite pin (not level)
diff --git a/src/abi/MQTT.idr b/src/abi/MQTT.idr
@@ -0,0 +1,63 @@
+-- SPDX-License-Identifier: PMPL-1.0-or-later
+-- Copyright (c) 2026 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+--
+-- MQTT.idr — MQTT client ABI contract.
+--
+-- Implementation: ffi/zig/src/esp_idf_mqtt.zig (wraps ESP-IDF esp_mqtt_client).
+
+module KaldorBBW.ABI.MQTT
+
+import KaldorBBW.ABI.Types
+
+%default total
+
+-- --------------------------------------------------------------------------
+-- MQTT interface
+-- --------------------------------------------------------------------------
+
+||| Contract for MQTT operations.
+|||
+||| @m  the effect monad (IO on the device, test monad in simulation)
+public export
+interface MqttABI (0 m : Type -> Type) where
+
+  ||| Initiate a connection to the configured broker.  Returns True on success.
+  connect    : m Bool
+
+  ||| Return True if the client is currently connected.
+  isConnected : m Bool
+
+  ||| Subscribe to a topic.  The MqttTopic proof guarantees valid length.
+  subscribe  : MqttTopic -> m Bool
+
+  ||| Publish a message.
+  ||| @topic    valid MQTT topic (1–256 bytes)
+  ||| @payload  message payload (any bytes, including empty)
+  ||| @qos      delivery guarantee level
+  ||| @retain   whether the broker should retain the message
+  publish    : MqttTopic -> List Bits8 -> MqttQos -> Bool -> m Bool
+
+  ||| Poll for one pending received message.  Returns Nothing if queue empty.
+  poll       : m (Maybe (MqttTopic, List Bits8))
+
+-- --------------------------------------------------------------------------
+-- Proof-bearing combinators
+-- --------------------------------------------------------------------------
+
+||| Proof: QoS 0 (fire-and-forget) is always a valid QoS choice.
+public export
+defaultQos : MqttQos
+defaultQos = QosAtMostOnce
+
+||| Proof: the topic-length bound is preserved through the ABI.
+||| If @t : MqttTopic then @t.bounded witnesses len(t.bytes) <= 256.
+public export
+topicBoundIntact : (t : MqttTopic) -> LTE (length t.bytes) 256
+topicBoundIntact t = t.bounded
+
+||| Convenience: publish a telemetry value using QoS 0, non-retained.
+public export
+publishTelemetry : MqttABI m => Monad m =>
+                   MqttTopic -> List Bits8 -> m Bool
+publishTelemetry topic payload =
+  publish topic payload QosAtMostOnce False
diff --git a/src/abi/OTA.idr b/src/abi/OTA.idr
@@ -0,0 +1,78 @@
+-- SPDX-License-Identifier: PMPL-1.0-or-later
+-- Copyright (c) 2026 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+--
+-- OTA.idr — Over-the-Air update ABI contract with state-machine proofs.
+--
+-- Implementation: ffi/zig/src/esp_idf_ota.zig (wraps ESP-IDF esp_https_ota).
+
+module KaldorBBW.ABI.OTA
+
+import KaldorBBW.ABI.Types
+
+%default total
+
+-- --------------------------------------------------------------------------
+-- OTA state machine
+-- --------------------------------------------------------------------------
+
+||| Valid states for the OTA update process.
+public export
+data OtaState
+  = OtaIdle        -- no update in progress
+  | OtaDownloading -- receiving firmware bytes
+  | OtaVerifying   -- checksum / signature check
+  | OtaInstalling  -- writing to flash partition
+  | OtaComplete    -- update successful; pending reboot
+  | OtaError       -- update failed; back to idle after reset
+
+||| Proof that @begin@ is callable only from the Idle state.
+public export
+data CanBegin : OtaState -> Type where
+  BeginFromIdle : CanBegin OtaIdle
+
+||| Proof that @abort@ is callable only during active (non-terminal) states.
+public export
+data CanAbort : OtaState -> Type where
+  AbortDownloading : CanAbort OtaDownloading
+  AbortVerifying   : CanAbort OtaVerifying
+  AbortInstalling  : CanAbort OtaInstalling
+
+||| Proof that markValid is callable only when complete.
+public export
+data CanMarkValid : OtaState -> Type where
+  MarkValidWhenComplete : CanMarkValid OtaComplete
+
+-- --------------------------------------------------------------------------
+-- OTA interface
+-- --------------------------------------------------------------------------
+
+||| Contract for OTA operations with typed state-machine transitions.
+public export
+interface OtaABI (0 m : Type -> Type) where
+
+  ||| Start a firmware download from the given HTTPS URL.
+  ||| Only callable when in the Idle state (enforced by @CanBegin s@).
+  begin    : OtaUrl
+          -> {0 s : OtaState}
+          -> {auto 0 _ : CanBegin s}
+          -> m Bool
+
+  ||| Poll download progress.  Returns (bytesReceived, totalBytes).
+  progress : m (Nat, Nat)
+
+  ||| Verify the downloaded firmware image.  Returns True if signature valid.
+  verify   : m Bool
+
+  ||| Commit the verified image to the active partition.
+  finish   : m Bool
+
+  ||| Abort an in-progress update (download / verify / install only).
+  abort    : {0 s : OtaState}
+          -> {auto 0 _ : CanAbort s}
+          -> m ()
+
+  ||| Mark the running firmware as valid to prevent automatic rollback.
+  markValid : m ()
+
+  ||| Roll back to the previous firmware image.
+  rollback  : m ()
diff --git a/src/abi/Types.idr b/src/abi/Types.idr
@@ -0,0 +1,109 @@
+-- SPDX-License-Identifier: PMPL-1.0-or-later
+-- Copyright (c) 2026 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+--
+-- Types.idr — Dependent-typed domain definitions for the Kaldor BBW board.
+--
+-- Every type here carries a proof that its value is within the valid physical
+-- or protocol range.  The Zig FFI layer (ffi/zig/src/) enforces the same
+-- bounds at runtime; these types make the contract explicit at compile time.
+
+module KaldorBBW.ABI.Types
+
+%default total
+
+-- --------------------------------------------------------------------------
+-- GPIO
+-- --------------------------------------------------------------------------
+
+||| ESP32 GPIO pin number, constrained to the Xtensa LX6 valid range 0–39.
+public export
+data GpioPin : Type where
+  MkGpioPin : (n : Nat) -> {auto 0 prf : LTE n 39} -> GpioPin
+
+||| GPIO operating mode — mirrors the esp_idf @c gpio_mode_t enum.
+public export
+data GpioMode
+  = GpioDisable         -- 0  (no driver)
+  | GpioInput           -- 1  (input only)
+  | GpioOutput          -- 2  (push-pull output)
+  | GpioOutputOD        -- 6  (open-drain output)
+  | GpioInputOutput     -- 3  (bidirectional)
+
+-- --------------------------------------------------------------------------
+-- MQTT
+-- --------------------------------------------------------------------------
+
+||| MQTT QoS level.
+||| 0 = at most once, 1 = at least once, 2 = exactly once.
+public export
+data MqttQos = QosAtMostOnce | QosAtLeastOnce | QosExactlyOnce
+
+||| Encode QoS as the unsigned byte value expected on the wire.
+public export
+qosToU8 : MqttQos -> Bits8
+qosToU8 QosAtMostOnce  = 0
+qosToU8 QosAtLeastOnce = 1
+qosToU8 QosExactlyOnce = 2
+
+||| A valid MQTT topic string (MQTT 3.1.1 §4.7).
+||| Non-empty, at most 256 bytes, no embedded NUL.
+public export
+record MqttTopic where
+  constructor MkTopic
+  bytes    : List Bits8
+  nonEmpty : NonEmpty bytes
+  bounded  : LTE (length bytes) 256
+
+-- --------------------------------------------------------------------------
+-- OTA
+-- --------------------------------------------------------------------------
+
+||| An HTTPS URL for firmware downloads.
+||| Non-empty, at most 8192 characters, prefixed with "https://".
+public export
+record OtaUrl where
+  constructor MkOtaUrl
+  chars    : List Char
+  nonEmpty : NonEmpty chars
+  bounded  : LTE (length chars) 8192
+  isHttps  : isPrefixOf (unpack "https://") chars = True
+
+-- --------------------------------------------------------------------------
+-- BBW sensor domain
+-- --------------------------------------------------------------------------
+
+||| Back Beam Width measurement in millimetres.
+||| Physical operating range of the Kaldor loom: 10–500 mm (config.zig).
+public export
+record BbwMm where
+  constructor MkBbwMm
+  value : Double
+  lower : value >= 10.0  = True
+  upper : value <= 500.0 = True
+
+||| Temperature reading in degrees Celsius (DHT22 range: –40 to +80 °C).
+public export
+record TempC where
+  constructor MkTempC
+  value : Double
+  lower : value >= -40.0 = True
+  upper : value <=  80.0 = True
+
+||| Ultrasonic distance reading in millimetres (HC-SR04 range: 20–4000 mm).
+public export
+record DistanceMm where
+  constructor MkDistanceMm
+  value : Double
+  lower : value >=   20.0 = True
+  upper : value <= 4000.0 = True
+
+-- --------------------------------------------------------------------------
+-- Convenience constructors with proof obligations
+-- --------------------------------------------------------------------------
+
+||| Smart constructor: build a GpioPin if n <= 39, else Nothing.
+public export
+mkGpioPin : (n : Nat) -> Maybe GpioPin
+mkGpioPin n with (isLTE n 39)
+  | Yes prf = Just (MkGpioPin n)
+  | No _    = Nothing
diff --git a/src/abi/WiFi.idr b/src/abi/WiFi.idr
@@ -0,0 +1,55 @@
+-- SPDX-License-Identifier: PMPL-1.0-or-later
+-- Copyright (c) 2026 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+--
+-- WiFi.idr — WiFi management ABI contract.
+--
+-- Implementation: ffi/zig/src/esp_idf_wifi.zig (wraps ESP-IDF esp_wifi).
+
+module KaldorBBW.ABI.WiFi
+
+%default total
+
+-- --------------------------------------------------------------------------
+-- RSSI
+-- --------------------------------------------------------------------------
+
+||| WiFi signal strength in dBm.
+||| Constrained to the ESP32 reporting range (–100 to 0 dBm).
+||| The value 31 returned by ESP-IDF when no signal is available is mapped
+||| to –100 by the Zig FFI wrapper (see ffi/zig/src/esp_idf_wifi.zig).
+public export
+record Rssi where
+  constructor MkRssi
+  dBm   : Int
+  lower : dBm >= -100 = True
+  upper : dBm <=    0 = True
+
+-- --------------------------------------------------------------------------
+-- WiFi interface
+-- --------------------------------------------------------------------------
+
+||| Contract for WiFi status queries.
+||| Connection management (connect / disconnect) is handled at the HAL level.
+public export
+interface WiFiABI (0 m : Type -> Type) where
+
+  ||| Return True if the station is currently associated with an AP.
+  isConnected : m Bool
+
+  ||| Return the current RSSI.
+  ||| The returned @Rssi@ proof guarantees the value is in –100..0.
+  getRssi     : m Rssi
+
+-- --------------------------------------------------------------------------
+-- Proofs
+-- --------------------------------------------------------------------------
+
+||| –50 dBm is a valid RSSI (good signal).
+public export
+goodSignal : Rssi
+goodSignal = MkRssi (-50) Refl Refl
+
+||| –100 dBm is the worst valid RSSI (no signal sentinel).
+public export
+noSignal : Rssi
+noSignal = MkRssi (-100) Refl Refl
