Cortex Proof Status
Human-readable status matrix for Cortex proof claims, their Lean declarations, and the Haskell implementation correspondence surface.
On this page
Cortex Proof Status
This page tracks human claims, not raw theorem counts. A single claim may be backed by several Lean declarations, and a proved Lean theorem is not the same thing as executable Haskell correspondence. The matrix keeps those layers separate.
Summary
| Measure | Status |
|---|---|
| Claim rows in this dashboard | 28 |
| Lean-side mechanized claims | 28 / 28 rows |
| Haskell-linked correspondence | 19 / 28 rows have executable hooks, drift checks, tests, or witnesses. |
| Proof-only graph facts | 2 / 28 rows have no direct Haskell counterpart. |
| Lean-target or deferred claims | 0 / 28 rows are still targets or deferred semantic decisions. |
These numbers are intentionally conservative. “Haskell-linked” means the implementation has a specific check, report, witness constructor, or regression surface connected to the claim. It does not mean the compiler is extracted from Lean or that every witness field is produced by a shared oracle.
Status Key
| Column | Value | Meaning |
|---|---|---|
| Lean | integrated | Proved and consumed by a larger end-to-end proof surface. |
| Lean | proven | Proved as a standalone Lean claim. |
| Lean | target | Named target, not mechanized yet. |
| Lean | deferred | Waiting for a sharper semantic/runtime decision. |
| Haskell | witness-backed | The implementation constructs or checks the proof-shaped witness data. |
| Haskell | hooked | The implementation exposes a check/report/preflight tied to the claim. |
| Haskell | tested | Regression tests pin the relevant executable behavior. |
| Haskell | proof-only | The claim is mathematical infrastructure with no direct runtime analog. |
| Haskell | open | Executable correspondence still needs a concrete witness or oracle. |
Compiler Admission Gates
Compiler hygiene gates are tracked outside the proof-claim denominator. For example, duplicate and prefix-conflicting CorePure record paths are rejected before evaluation and covered by Haskell compiler/runtime tests, but they are parser/elaborator admission checks rather than admitted-middle Lean safety claims. If the parser or compiler is later mechanized, those gates can become proof rows.
Matrix
| Area | Human claim | Lean | Haskell | Proof links | Remaining gap |
|---|---|---|---|---|---|
| Graph safety | Endpoint-closed finite relations can be realized as graph/Pulse topology and keep path endpoints inside the vertex set. | proven | proof-only | DAG.ofRelation, graphPath_iff_graphSafetyPath | None at the graph vocabulary layer. |
| Graph quotient | Acyclicity and path vocabulary are stable under graph denotation and quotient equality. | proven | proof-only | acyclic_iff_graphSafetyAcyclic, AlgGraph.acyclic_congr | Existing Wire proofs may migrate to the shared vocabulary over time. |
| Pulse recovery envelope | Recovery normalization preserves the structural safe-run predicate. | integrated | hooked | SafePulseRunState, pulseRecoveryStep_preserves_safeRunState | Concrete map representation and external effects remain outside the Lean kernel. |
| Pulse fixed-result replay | Fixed distinct-node facts classify identically under permutation. | proven | tested | pulseReplayDeterminism_modulo_fixedOutcomes, applyNodeFacts_perm_invariant | Applies to fixed outcomes; live provider behavior is not modeled. |
| CorePure output ports | Successful admitted pure-node evaluation exposes every declared output port and no undeclared outputs. | integrated | witness-backed | pureNode_evalOutputs_keys_in_outputPorts, pureNode_evalOutputs_outputPorts_present | None for output-key shape. |
CorePure where fields | Static where discovery bounds the runtime fields opened into the local environment. | integrated | tested | whereStaticFields_sound, pureNode_evalWhereEnv_localEnv_match | Shared evaluator/static-context oracle remains open. |
| CorePure lowering | A lowered native pure-task config evaluates like the source pure node in the proof model. | proven | hooked | pureNode_lowering_evalOutputs_eq | Full Haskell lowering oracle remains open. |
| CorePure value contracts | Successful pure outputs propagate proof-side output value contracts. | integrated | tested | pureNode_evalOutputs_values_satisfy_outputContracts, pureNode_evalOutputs_values_satisfy_valueContracts | Full Wire contract wrapping correspondence remains open. |
| CorePure builtin authority | The closed CorePure builtin mirror contains only pure-value entries. | proven | tested | closedBuiltinSignature_eq, closedBuiltinEnv_authorityFree | The Haskell evaluator still owns the executable builtin table. |
| CorePure static context | Top-level pure bindings evaluated from the empty environment establish the static context used by where discovery. | proven | witness-backed | topLevelBindings_establish_staticContext | Shared evaluator oracle remains open. |
| Node boundary normal form | CorePure factors through ingress, body, and egress while preserving static environment, output ports, and contracts. | integrated | hooked | NodeBoundaryNormalForm, CorePure.corePureBoundary, corePure_evalOutputs_eq_egress_after_body_after_ingress | Registered executor body certificates remain external. |
| Registry edge compatibility | Registry-admitted edges discharge the generic edge-compatibility obligation. | proven | open | registry_contract_edge_sound, registryBoundary_edge_sound | Runtime witness production for all registry edges remains open. |
| Source linear port carrier | Certified Wire/Circuit source objects carry source endpoint linearity, preserve it through overlay and certified contraction, and forget to endpoint-closed relation topology. | proven | hooked | SourcePortInstance, LinearPortGraph, LinearPortGraph.PortLinear, LinearPortGraph.forgetPorts, forgetPorts_edgeEndpointsInVertices, forgetPorts_overlay, overlay_preserves_portLinear, contract_preserves_portLinear, BulkContract.loweredEdges, bulkContract_preserves_portLinear, forgetPorts_bulkContract, LinearPortObject.nodePorts, LinearPortOperation.apply_result_portLinear, LinearPortSystem.certified_portLinear, CertifiedGraph.BoundaryMatchTrace, CertifiedGraph.BoundaryMatchTrace.determined, CertifiedGraph.connectOf, AdmissionArtifact.PrimitiveTraceStackValid, AdmissionArtifact.SelectBridgeEntriesConsumed, AdmissionArtifact.PhantomBridgeBulkConnectionsReplayed, AdmissionArtifact.validatorReady_primitiveConnect_compatiblePair_consumed, AdmissionArtifact.validatorReady_primitiveOverlay_mem_prefixAvailable, AdmissionArtifact.validatorReady_primitiveConnect_mem_prefixAvailable | Primitive graph admission now consumes a certified BulkContract trace plus exact match-set witness for =>; Haskell admission artifacts validate the emitted primitive rows as one postorder replay stack whose final source-visible frontier matches the artifact summary, with select bridge entries and phantom-adapter bulk rows replayed by exact primitive matched connections. Lean also exposes compatible-pair consumption and prefix-order availability for overlay/connect rows. Direct Lean witness construction from the JSON rows remains open. |
| Bounded fan composition | make, makeEach, and finite-product * are certified source constructions built from exact make and phantom-shape witnesses over open node ports, overlay, and bulk contraction. | proven | hooked | LinearPortGraph.MakeWitness, LinearPortGraph.MakeWitness.toObject, LinearPortGraph.MakeWitness.make_disjoint_of_distinctBindings, LinearPortGraph.KindInstantiatedFrontiers, LinearPortGraph.Make.accept_portLinear, LinearPortGraph.MakeEach.accept_portLinear, AdmissionArtifact.GeneratedFormArtifact.sourceMakeItems, AdmissionArtifact.AdmissionStaticValue.toStaticValue, AdmissionArtifact.validatorReady_generated_sourceChild_staticRecordFieldsUnique, AdmissionArtifact.validatorReady_generated_sourceChild_staticRecordFieldsUnique_toStaticValue, AdmissionArtifact.validatorReady_generated_make_sourceMakeItems_labelsCanonical, AdmissionArtifact.validatorReady_generated_make_sourceMakeItems_valuesEmpty, AdmissionArtifact.validatorReady_emptyGeneratedForm_bindingRow, LinearPortGraph.PhantomDirection, LinearPortGraph.ProductAdapterKind, LinearPortGraph.PhantomProductShape, LinearPortGraph.BulkContractContainsPair, LinearPortGraph.LinearPortObject.bulkContract, LinearPortGraph.PhantomAdapterWitness, LinearPortGraph.PhantomAdapterWitness.starInsertion, AdmissionArtifact.validatorReady_phantomAdapter_record_multi_boundary_labeled, AdmissionArtifact.validatorReady_phantomAdapter_record_multi_boundary_field_mem, AdmissionArtifact.validatorReady_phantomAdapter_indexed_multi_contract_eq, AdmissionArtifact.validatorReady_phantomAdapter_indexed_multiCompatibilityShapesUnique, AdmissionArtifact.validatorReady_phantomAdapter_indexed_elementValid | Haskell expands literal/pre-bound numeric make, makeEach, record-form *, and bounded-indexed [T; N] *; [T; 0] is the empty finite product, and compile-from-text emits schema-versioned admission artifacts for generated families, Lean-shaped makeEach Value payloads, and phantom adapters. Those artifacts now decode and re-encode through the Haskell artifact schema. Lean names the decoded artifact target, projects generated source rows into MakeItem, exposes make’s count-derived labels, value-free source rows, and duplicate-free static record payload fields, and projects phantom-adapter rows into record boundary-label, indexed element-contract, and indexed compatibility-key uniqueness facts. Exact witness validation from executable kind/product substitution remains open. Kind support now requires template frontier labels to be the declared PortLabel formal before generated labels replace them. |
| Ephemeral frontier reclaim | A finished linear source frontier has no remaining open producer or consumer obligations, so its in-memory endpoint resources are structurally reclaimable. | proven | open | LinearPortGraph.FrontierFinished, LinearPortGraph.OutputReclaimable, LinearPortGraph.InputReclaimable, frontierFinished_noRemainingConsumerObligations, frontierFinished_noRemainingProducerObligations, frontierFinished_reclaimable | Runtime reclaim hooks and durable-profile retention policy remain open. |
| Closed actualized port linearity | Every closed actualized input has one edge producer; every output has one edge or terminal-discharge consumer; aligned port-use witnesses match the source carrier exactly. | proven | open | ActualizedPortInstance, OutputPortUse, ActualizedPortGraph.ClosedPortLinear, actualizedOutputPort_consumed_exactly_once, actualizedInputPort_produced_exactly_once, compiledPortUseWitness_edge_input_uniqueProducer, portUseWitness_toGraph_closedPortLinear, selectActualize_preserves_closedPortLinearity, SourceToActualizedProjection, PortUseWitness.AlignedWith, compiledPortUseWitness_exact_output, compiledPortUseWitness_exact_input, PortUseWitness.alignedWith_edge_iff | Aligned-witness exactness closes source-to-actualized output/input domain and edge-consumer projection on top of port-use witnesses; compiler witness production and terminal-discharge correspondence remain open. |
| Rewrite admission | Runtime-shaped planner checks imply an abstract admissible rewrite. | integrated | hooked | planGraphRewriteChecks_admissible, runtimePlannerConstruction_admissible | Full field-by-field witness production remains open. |
| Constructed rewrite chains | Finite constructed chains erase to abstract rewrite chains and preserve source validity and budget bounds. | proven | open | ConstructedPlanningChain.toRewriteChain, finalBudget_le_initial | Runtime chain correspondence remains a later bridge. |
| Registry boundary under rewrites | Constructed deltas and chains preserve registry boundary when added-node and added-edge obligations are bundled. | integrated | open | constructedPlannedRewriteDelta_preserves_registryBoundary, constructedPlanningChain_preserves_registryBoundary_of_constructedDelta | Executable added-node and added-edge admission witnesses remain open. |
| Select source admission | Source select(...) clauses are admitted against two-or-more exclusive output sums with label-first key resolution, unique contract fallback, total coverage, and latent bodies. | proven | open | SelectAdmission.SelectableOutputShape, SelectAdmission.resolveArmKey, SelectAdmission.admitClause, SelectAdmission.admitClauseAtNode, SelectAdmission.LatentSelectAdmission.FromClause, SelectAdmission.LatentSelectAdmission.toLatentBranchFamily, AdmissionArtifact.validatorReady_select_identityArm_bridgeShape, AdmissionArtifact.validatorReady_select_nonIdentityArm_bodyShapes, AdmissionArtifact.validatorReady_select_variantsShareExclusiveGroup | Runtime selected-arm lowering is hooked separately; compile-from-text emits select admission artifacts with source indices and resolution modes, while Lean validation of admitted latent branch evidence and body-provenance witnesses remains open. The validator-ready artifact surface now exposes branch body-shape facts for identity/non-identity arms and the source exclusive group shared by persisted base variants. |
| Select actualization | A certified selected branch lowers to retained-anchor appendAfter and inherits constructed-step admission. | proven | hooked | selectActualize_lowers_to_appendAfter, selectActualize_preserves_registryBoundary | Selected-arm admission is hooked by lowering tests; persisted materialization audit remains open. |
| Unselected branches | Unselected branch nodes are outside the selected raw fragment and, under namespace freshness, outside the constructed delta. | integrated | tested | selectActualize_unselected_not_in_selectedFragment, selectedBranch_unselected_not_replayed, selectedBranch_unselected_not_in_delta_topology | Runtime durable-lineage audit must still produce the namespace-freshness/provenance witnesses. |
| Selected branch budget | Selected-arm actualization consumes the constructed selected-fragment cost. | integrated | hooked | selectActualize_consumes_selected_cost, SelectedBranchRecoveryRecord.step_toRewrite_admissible | Executable selected-cost accounting is covered by the selected branch admission witness; port-level budgeting is out of scope. |
| CorePure facts into Pulse safety | Successful admitted CorePure evaluation can emit a Pulse success fact without leaving the safe-run envelope. | integrated | open | corePureExecutionStep_preserves_safeRunState | Runtime fact production remains a correspondence target. |
| Wire/Pulse admitted run trace | Every finite trace over the closed admitted-middle alphabet preserves the combined Wire/Pulse safe state and cannot finish stuck. | integrated | hooked | WirePulseSnapshot.runStart_establishes_safeRunState, AdmittedWirePulseStep, AdmittedWirePulseTrace.preserves_safeRunState, AdmittedWirePulseTrace.preserves_safeRunState_from_runStart, AdmittedWirePulseTrace.final_not_stuck_from_runStart | CorePure-success steps require the CorePure payload type; runtime steps must still produce constructor-specific witnesses, materialization, and provenance decoding. |
| Wire/Pulse fixed-result replay | The Wire/Pulse envelope inherits fixed-result replay determinism. | proven | open | wirePulseExecutionFacts_replay_deterministic | Runtime replay witness remains open. |
| Boundary resource algebra | Runtime-shaped rewrites declare constructor-specific boundary laws and constructed planner steps expose budgeted one-slot use. | proven | witness-backed | GraphRewrite.expandNode_resourceUse, GraphRewrite.appendAfter_resourceUse, ConstructedPlanningStep.boundaryResourceCost_fits_budget, ConstructedPlanningChain.SlotUniqueTrace | Executable epoch production and port-level resource accounting remain open. |
| Rewrite boundary laws | Replacement and append-continuation preserve boundary under distinct law-specific obligations. | proven | hooked | BoundaryResource.SubstitutionExposesAnchorBoundary, BoundaryResource.substitution_preserves_boundary, BoundaryResource.appendContinuation_preserves_boundary | Concrete substitution boundary-exposure witnesses remain open. |
| Latent recovery determinism | Recovery records loaded from the same persisted admission replay the same selected branch, constructed delta, and budget state. | proven | witness-backed | PersistedSelectedBranchAdmission, SelectedBranchRecoveryRecord.Provenance, SelectedBranchRecoveryRecord.PhantomAdapterEmbedding, selectedBranch_recovery_deterministic, selectedBranch_recovery_embeddedPhantomAdapter_artifact_replayed_and_pruned, selectedBranch_recovery_preserves_safeRunState | Runtime must still decode durable rewrite lineage into the persisted-admission witness; phantom-adapter artifact correspondence now has a Lean embedding target. |
Wire Admission Notes
- The current Wire admission correspondence target is deliberately staged: Haskell emits
schema-versioned JSON metadata, the executable Haskell validator decides
wireAdmissionArtifactValidatorReady, Lean mirrors that predicate asAdmissionArtifact.ValidatorReady, andAdmissionArtifact.validatorReady_soundpackages the resulting primitive, generated-form, select, and phantom-adapter obligations asAdmissionArtifact.Sound. That is the established cutline for this PR. - Lean now owns an executable primitive-stack replay checker:
AdmissionArtifact.primitiveTraceStackValidCheck_soundproves that a successful check implies the relationalPrimitiveTraceStackValidobligation.AdmissionArtifact.validatorReadyCheck_soundnow lifts the same Lean-owned executable strategy to the fullValidatorReadycontract: schema version, summary-key uniqueness, summary-row validity, summary domain closure, summary identities matching primitive rows, summary frontiers backed by primitive rows, exact summary residual-frontier matching, raw connections matching primitive rows, component-domain closure, component-row uniqueness, generated-form reference anchoring, component frontier backing, generated-child frontier exactness, primitive stack replay, primitive overlay ledger prefix availability, primitive connect frontier backing, primitive connect frontier prefix availability, select bridge frontier backing, select bridge entry consumption, select arm body-boundary matching, select body-node freshness, select body-node disjointness, phantom bridge frontier backing, phantom bridge frontier exactness, phantom bulk replay, primitive row validity, local generated-form validity, local phantom-adapter validity, and local select-row validity.AdmissionArtifact.validatorReadyCheck_soundnessthen composes that result withAdmissionArtifact.validatorReady_soundto produceAdmissionArtifact.Sound. Haskell integration still needs to run this checker on decoded artifacts; the Lean checker is now the intended artifact-validation authority. - Primitive artifact replay now has an explicit reconstruction target:
AdmissionArtifact.PrimitiveGraphReconstruction. FromAdmissionArtifact.Sound,AdmissionArtifact.Sound.toPrimitiveGraphReconstructionrecovers the final primitive replay frame, proves it matches the top-level summary, proves source-visible primitive rows are duplicate-free, classifies every primitive frontier key as exposed, consumed, or select-internal, and keeps raw-connection projection tied to replayed primitive contractions. This is intentionally not yetGraphElaboration.CertifiedGraph: accepted-node declarations and binding expansion are still separate correspondence evidence. - Generated-form artifacts now have the same kind of artifact-boundary reconstruction:
AdmissionArtifact.GeneratedReconstruction.AdmissionArtifact.Sound.toGeneratedReconstructionproves that persistedmake/makeEachrows recover accepted sourceMakeItems, unique source child provenance for each surviving generated node, primitive-backed child frontiers, frontier-key accounting through primitive replay, canonical value-freemakepayloads, and decoded static payload projection. This is intentionally not yetKindInstantiatedFrontiersorMakeWitness; accepted-kind substitution evidence is still the next boundary. - Phantom-adapter artifacts now also reconstruct at the artifact boundary:
AdmissionArtifact.PhantomReconstruction.AdmissionArtifact.Sound.toPhantomReconstructionproves that every persisted*row has a primitive-backed generated adapter node, a source-linear open phantom-node object, frontier-key accounting through primitive replay, replayed left/right bulk rows, direction-specific multi/singular endpoint coverage, and record or bounded-indexed product-shape evidence. This is intentionally not yetPhantomAdapterWitness: the serialized row does not contain the left/right operand objects or certifiedBulkContracttraces. - Select-admission artifacts now reconstruct at the artifact boundary:
AdmissionArtifact.SelectReconstruction.AdmissionArtifact.Sound.toSelectReconstructionproves that every persistedselect(...)row has projected latent-admission key coverage, source arm provenance, label-first or unique-contract-fallback resolution evidence, latent body freshness and pairwise body disjointness, condition-bridge/body-boundary shape evidence, and selected-variant bridge entry consumption. This is intentionally not selected-branch durable recovery: replaying the chosen latent body remains a separate recovery witness. - The remaining end-to-end compiler theorem is stronger than
Sound: it must show that every accepted Wire program causes the Haskell compiler to emit an artifact satisfying the validator, and that decoded rows can be replayed into the concrete Lean witnesses consumed by graph admission, generated-form admission, select recovery, and phantom-adapter insertion. Those completeness and executable-decoder correspondence proofs are intentionally outside this PR. - Haskell admission artifacts now validate exact select bridge entry consumption and phantom-adapter
bulk replay; the Lean mirror exposes these as
AdmissionArtifact.SelectBridgeEntriesConsumed,AdmissionArtifact.PhantomBridgeBulkConnectionsReplayed, and matchingValidatorReadyprojection theorems. Primitive overlay/connect rows also expose prefix availability and compatible-pair consumption, so artifact replay order and boundary-pair use are available without unfolding the stack validator. - Generated-family artifact handoff is now source-row exact: Lean recovers a unique source
generated-child row for every surviving child row, preserves the source payload, exposes
binding-owned generated node names, and surfaces per-child frontier validity and uniqueness
through
AdmissionArtifact.ValidatorReadyaccessors. - Phantom-adapter artifact handoff now exposes row and domain facts directly: Lean names the product-shape, multi-side, singular, and left/right bulk-row obligations that Haskell validates, including stronger boundary closure over optional exclusive-group owners, record boundary labels, record aggregate-contract rows, indexed element-contract rows, nested-indexed element rejection, and singular endpoint equality with the serialized aggregate product contract. Admission artifact schema version 3 carries the record aggregate contract explicitly so the Haskell row can be checked against the Lean product-shape contract instead of being inferred from record fields.
- Primitive replay has per-branch exactness theorems for empty, node, binding-reference, overlay, and connect rows, and select admission exposes label-resolution uniqueness, contract-fallback uniqueness, and identity/non-identity body-shape projections from the emitted artifact rows.
- The Haskell compiler now gates metadata emission through
wireAdmissionArtifactValidatorReady, so compiled circuits cannot publish a schema-versioned admission artifact that fails the same executable predicate mirrored by Lean’sAdmissionArtifact.ValidatorReadytarget. SelectedBranchRecoveryRecord.PhantomAdapterEmbeddingis the recovery-side hook for the case where a selected branch contains a finite-product*adapter. The embedding theorem proves the persisted adapter node is replayed by the selected branch and pruned from every unselected branch.
How To Read The Counts
The numerator is the number of dashboard claims at that status. The denominator is the current dashboard goal set: the 28 claims above. Adding a new semantic claim should increase the denominator instead of hiding work inside an existing row.
The strictest question is not “is there a Lean theorem?” but:
semantic claim
-> Lean statement
-> Lean proof
-> Haskell witness or oracle
-> runtime path consumes that witnessMost open work is in the last two steps. The Lean side is now substantially ahead of the executable correspondence surface.
Related
- ../ADRs/0038-wire-proof-track-theorem-ledger.md — detailed theorem ledger.
- ../Architecture/03-formalism-stack.md — formalism stack.
- ../Architecture/05-wire-language.md — Wire architecture.
- development.md — local Lean and docs commands.