Skip to content

feat: EchoReversibilityBridge — discharge 007 L10 reversibility obligations#249

Merged
hyperpolymath merged 2 commits into
mainfrom
claude/echo-reversibility-bridge
Jun 20, 2026
Merged

feat: EchoReversibilityBridge — discharge 007 L10 reversibility obligations#249
hyperpolymath merged 2 commits into
mainfrom
claude/echo-reversibility-bridge

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

What

A new module proofs/agda/EchoReversibilityBridge.agda — the constructive discharge of the 007 language's Layer-10 reversibility (echo-residue) phase-2 proof obligations against echo-types as the library of record.

007 models reversibility with an echo residue (reversible as <name> arms a cell holding an Echo f y; reverse <name> consumes it to recover the input), specified in Idris2 (EchoResidue.idr / EchoResidueLinear.idr). Those obligations were informal requirements on 007's checker. This module re-states the interface they describe and proves echo-types' own Echo / EchoTotalCompletion / EchoLinear satisfy it — turning the informal claim into a checked theorem in the source of truth.

The bridge

Headline Discharges Proof
ReversibleCompletion f Residue the interface 007 needs: hold (arm) / takeForReverse (replay) / reverse-recovers (once-only correctness), residue carrier as a parameter record
echo-reversible : ReversibleCompletion f (Echo f) Echo f is such a carrier hold = echo-intro, takeForReverse = proj₁ (= reverseLinear's witness), recovery refl
reversibility-via-totality : Σ B (Echo f) ↔ A the slogan "irreversible f + residue = reversible representation" symmetric partner of EchoTotalCompletion.A↔ΣEcho via mk↔ₛ′
capability-can-be-dropped : LEcho linear → LEcho affine phase-2 "affine capability" (the undo may be dropped) EchoLinear.weaken
no-recovery-once-dropped phase-2 "linear consumption / Spent doesn't reverse" (no section of weaken) EchoLinear.no-section-weaken

Discipline

  • --safe --without-K, zero postulates, no funext.
  • Wired into All.agda (next to EchoCNOBridge, the other cross-repo 007 bridge).
  • Five headlines pinned in Smoke.agda under their own using block with a header comment.
  • Verified on the latest main: EchoReversibilityBridge.agda, Smoke.agda, and All.agda all agda --safe --without-K exit 0 (captured locally; absolute-zero fetched at the CI-pinned ref 3ff5cee).

Notes

  • The Agda here is the source of truth; 007's Rust checker and Idris2 spec mirror this model. The takeForReverse field is the total Just-branch of 007's takeForReverse : … → Maybe a (the Maybe is runtime Holding/Spent bookkeeping, not part of the type-level correspondence).
  • A 007-side doc pointer to this module is a trivial follow-up, best landed after 007#55 merges.

🤖 Generated with Claude Code

https://claude.ai/code/session_018CaSgNjNURC7ocsyjYh9We


Generated by Claude Code

…ations

New `proofs/agda/EchoReversibilityBridge.agda`: the constructive discharge of
the 007 language's Layer-10 reversibility (echo-residue) "phase-2" proof
obligations against echo-types as the library of record. 007 models
reversibility with an echo residue (`reversible as`/`reverse`, the Idris2
`EchoResidue.idr`/`EchoResidueLinear.idr` spec); this module re-states the
interface those obligations describe and shows echo-types' own structures
satisfy it.

- `ReversibleCompletion f Residue` — the interface 007's model needs: arm a
  residue (`hold`), take-it-for-reverse (`takeForReverse`), and once-only
  correctness (`reverse-recovers`). Residue carrier is a parameter.
- `echo-reversible : ReversibleCompletion f (Echo f)` — `Echo f` satisfies it:
  `hold = echo-intro` (007's `encode`/`Holding`), `takeForReverse = proj₁`
  (`reverseLinear`'s witness), recovery `refl`.
- `reversibility-via-totality : Σ B (Echo f) ↔ A` — the slogan iso (symmetric
  partner of `EchoTotalCompletion.A↔ΣEcho`): irreversible f + residue =
  reversible representation.
- `capability-can-be-dropped` / `no-recovery-once-dropped` — the phase-2
  "affine capability, linear consumption" discipline via `EchoLinear.weaken`
  / `no-section-weaken`.

--safe --without-K, zero postulates. Wired into All.agda; five headlines
pinned in Smoke.agda. EchoReversibilityBridge + Smoke.agda + All.agda all
exit 0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018CaSgNjNURC7ocsyjYh9We
@github-actions

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 6 issues detected

Severity Count
🔴 Critical 0
🟠 High 3
🟡 Medium 3
View findings
[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/echo-types/echo-types",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "Nominal-only SAST in echo-types: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/echo-types/echo-types",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 6 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 18 day(s) old [STALE]",
    "type": "CSA001",
    "file": ".github/workflows/scorecard.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code-scanning alert TokenPermissionsID (high) at .github/workflows/scorecard.yml is 18 days old (threshold: 7 days) -- overdue for remediation",
    "type": "CSA003",
    "file": ".github/workflows/scorecard.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code-scanning alert hypatia/code_safety/agda_postulate dismissed as 'false positive' -- ensure dismissal is documented and justified",
    "type": "CSA004",
    "file": "proofs/agda/EchoImageFactorizationPropPostulated.agda",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

kernel-guard.sh's classification-drift lint (CI job `check`) requires every
`Echo*.agda` to be named in `docs/echo-types/echo-kernel-note.adoc`. Add
`EchoReversibilityBridge` to the Tier-2 module list (alongside the sibling
cross-repo bridges `EchoCNOBridge` / `EchoEphapaxBridge`) and a descriptive
MAP.adoc cross-repo-bridge entry. `sh scripts/kernel-guard.sh` now PASSes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018CaSgNjNURC7ocsyjYh9We
@github-actions

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 6 issues detected

Severity Count
🔴 Critical 0
🟠 High 3
🟡 Medium 3
View findings
[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/echo-types/echo-types",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "Nominal-only SAST in echo-types: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/echo-types/echo-types",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 6 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 18 day(s) old [STALE]",
    "type": "CSA001",
    "file": ".github/workflows/scorecard.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code-scanning alert TokenPermissionsID (high) at .github/workflows/scorecard.yml is 18 days old (threshold: 7 days) -- overdue for remediation",
    "type": "CSA003",
    "file": ".github/workflows/scorecard.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code-scanning alert hypatia/code_safety/agda_postulate dismissed as 'false positive' -- ensure dismissal is documented and justified",
    "type": "CSA004",
    "file": "proofs/agda/EchoImageFactorizationPropPostulated.agda",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 20, 2026 19:19
@hyperpolymath hyperpolymath merged commit e6a15a6 into main Jun 20, 2026
19 checks passed
@hyperpolymath hyperpolymath deleted the claude/echo-reversibility-bridge branch June 20, 2026 19:20
hyperpolymath added a commit that referenced this pull request Jun 20, 2026
…discipline (#250)

## What

A new module `proofs/agda/EchoResidueCell.agda` — the Agda mirror of
**007's `ResidueCell`** (`Holding`/`Spent`) once-only reversal
discipline, the *operational* half that `EchoReversibilityBridge` (#249)
deferred as "runtime bookkeeping".

007's Idris2 spec (`EchoResidueLinear.idr`) enforces once-only via the
**linear quantity** `(1 e : Echo f y)`. Agda has no such quantity under
`--safe`, so this module enforces it via the **state machine** instead —
which is exactly how 007's *runtime* (the rung-3b residue cell) does it.

## The mirror

| This module | Idris `EchoResidueLinear.idr` |
|---|---|
| `ResidueCell f y = holding (Echo f y) \| spent` | `data ResidueCell …
= Holding (1 e) \| Spent` |
| `takeForReverse : ResidueCell f y → Maybe A` | `takeForReverse … :
Maybe a` |
| `consume : ResidueCell f y → ResidueCell f y` (Holding→Spent) | the
cell-state effect of `reverse` |
| `holding-reverses` | `holdingReverses` |
| `spent-does-not-reverse` | `spentDoesNotReverse` |
| **`once-only`** — `takeForReverse (consume c) ≡ nothing` | the `(1 e)`
linear-consumption guarantee |

`once-only` is the headline: after `consume`, a residue replays **at
most once** — the state-machine form of linear consumption, and the
operational content of 007's cross-handler once-only property that the
rung-3b *static* check could only approximate by presence. All proofs
are `refl` (definitional).

## Honest scope

Captures the once-**per-cell** discipline. It does **not** model linear
NON-DUPLICATION (nothing stops a caller copying a `holding` cell before
consuming) — that needs the `(1 e)` quantity / an `@0`-style erasure
encoding, and remains the documented next slice. Stated explicitly in
the module preamble and the MAP.adoc scope note.

## Discipline

- `--safe --without-K`, **zero postulates**, no funext.
- Wired into `All.agda` (next to `EchoReversibilityBridge`); 7 headlines
pinned in `Smoke.agda`.
- Classified up front in `echo-kernel-note.adoc` (Tier 2) + `MAP.adoc`
(the 007-bridge section) — `sh scripts/kernel-guard.sh` PASS (applying
the lesson from #249).
- **Verified on latest `main`:** `EchoResidueCell.agda`, `Smoke.agda`,
and `All.agda` all `agda --safe --without-K` exit 0 (captured locally).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_018CaSgNjNURC7ocsyjYh9We

---
_Generated by [Claude
Code](https://claude.ai/code/session_018CaSgNjNURC7ocsyjYh9We)_

Co-authored-by: Claude <noreply@anthropic.com>
hyperpolymath pushed a commit that referenced this pull request Jun 21, 2026
…rdinal-contradiction flag

Catches the machine ledger up to the gap-closing proofs that landed
without an arc (#249 EchoReversibilityBridge, #250 EchoResidueCell,
#251/#254 EchoSearch decidable+product, #252 EchoApprox Lipschitz,
#257 EchoLLEncoding universal gap, #258 proof-debt variance refresh),
records the cross-repo (echo-types + 007) docs-completeness audit, and
flags one unresolved owner decision: main carries ordinal BH climb
rungs 7 & 8 (f89a3aa, a096764) dated 2026-06-21 — the same day as the
D-2026-06-21 retirement — contradicting the retirement banner. The two
ordinal wiki files are deliberately left un-fixed pending that
reconciliation. Disposition: both repos clean/verified, push-nothing-else.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018CaSgNjNURC7ocsyjYh9We
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants