Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
79 commits
Select commit Hold shift + click to select a range
ef8f8ad
fix(lean): repair PCS encoding corruption and import order
fraware Jun 27, 2026
135e01c
feat(pf-core): add prop-level generated Lean theorems
fraware Jun 27, 2026
ef9a2c8
fix(validate): dedupe helpers and clarify PCS lean-check
fraware Jun 27, 2026
ec97d1d
docs(lean): add structured docstrings to PF-Core theorems
fraware Jun 27, 2026
7243a56
feat(pf-core): cross-language hash-chain and certificate semantics
fraware Jun 27, 2026
976440f
docs(pf-core): add production kernel checklist
fraware Jun 27, 2026
08c0818
docs(pf-core): document generated Lean proofs
fraware Jun 27, 2026
25b85e3
docs(pf-core): add Windows Lean build notes
fraware Jun 27, 2026
a090c46
chore: add PF-Core Tier 1-3 CHANGELOG
fraware Jun 27, 2026
c469c8e
docs(pf-core): refresh assumptions for semantics layer
fraware Jun 27, 2026
3101c16
docs(pf-core): tighten claim boundary language
fraware Jun 27, 2026
5b00533
docs(pf-core): expand contract semantics documentation
fraware Jun 27, 2026
204518b
docs(pf-core): update gap audit for Tier 1-3
fraware Jun 27, 2026
eb74ae8
docs(pf-core): note non-interference under new semantics
fraware Jun 27, 2026
443e3c4
docs(pf-core): refresh demo script for semantics demos
fraware Jun 27, 2026
bb97772
docs(pf-core): extend release checklist
fraware Jun 27, 2026
531dc51
docs(pf-core): refine trusted boundary description
fraware Jun 27, 2026
d63790f
docs: extend PF-Core trace mapping
fraware Jun 27, 2026
c3675d6
feat(pf-core): add semantics_layer to PFCoreContract schema
fraware Jun 27, 2026
fef7c6c
feat(pf-core): extend PFCoreCertificate schema for proof refs
fraware Jun 27, 2026
93a6271
feat(pf-core): extend runtime observation schema
fraware Jun 27, 2026
cdacf92
feat(pf-core): add contract semantics_layer helpers
fraware Jun 27, 2026
174e463
feat(pf-core): enforce semantics on contract validation
fraware Jun 27, 2026
40c72c2
refactor(validate): extract PF-Core detection helpers
fraware Jun 27, 2026
a7dc8d2
refactor(validate): extract PCS core validation module
fraware Jun 27, 2026
0cdf20e
refactor(validate): extract PF-Core validation module
fraware Jun 27, 2026
1794dde
refactor(validate): extract semantics validation module
fraware Jun 27, 2026
2c1963c
refactor(validate): slim validate facade to re-exports
fraware Jun 27, 2026
c78d75b
chore(scripts): add validate.py split helper
fraware Jun 27, 2026
4ebf0ec
feat(pf-core): align runtime observation validation
fraware Jun 27, 2026
014697f
feat(pf-core): codegen Lean from contract semantics
fraware Jun 27, 2026
5f6a842
feat(lean): extend PF-Core lean_check for semantics
fraware Jun 27, 2026
44c50ff
fix(lean): tighten lean_trust for PF-Core claims
fraware Jun 27, 2026
95117b8
feat(conformance): cover PF-Core semantics conformance
fraware Jun 27, 2026
db39052
test(pf-core): extend hash vector parity harness
fraware Jun 27, 2026
b822512
feat(rust): export PF-Core validation from lib
fraware Jun 27, 2026
580f617
feat(rust): implement PF-Core semantics validation
fraware Jun 27, 2026
533bd32
feat(ts): implement PF-Core semantics validation
fraware Jun 27, 2026
ba324da
test(ts): extend PF-Core examples coverage
fraware Jun 27, 2026
5539770
test(pf-core): add PFCoreContract hash vectors
fraware Jun 27, 2026
2b83901
test(pf-core): add PFCoreEvent hash vectors
fraware Jun 27, 2026
508dc93
test(pf-core): add PFCoreTrace hash vectors
fraware Jun 27, 2026
2e36785
test(pf-core): add invalid claim_class hash vector
fraware Jun 27, 2026
cc54785
test(pf-core): add invalid trace hash chain vector
fraware Jun 27, 2026
0647d64
test(pf-core): add invalid contract capability hash vectors
fraware Jun 27, 2026
9d50cd7
test(pf-core): add invalid denied event dropped vectors
fraware Jun 27, 2026
57746d5
feat(examples): add contract capability missing invalid fixture
fraware Jun 27, 2026
d449171
feat(examples): add contract effect missing invalid fixture
fraware Jun 27, 2026
c78894b
feat(examples): add contract evidence ref missing fixture
fraware Jun 27, 2026
4b57f92
feat(examples): add contract policy ref missing fixture
fraware Jun 27, 2026
20e5a40
feat(examples): add contract ref missing invalid fixture
fraware Jun 27, 2026
bfb741f
feat(examples): add cross tenant allowed event fixture
fraware Jun 27, 2026
90470b5
feat(examples): add dropped denied observation fixture
fraware Jun 27, 2026
efd0c57
feat(examples): add lean checked with skipped build fixture
fraware Jun 27, 2026
2f427e0
feat(examples): add lean checked without contract fixture
fraware Jun 27, 2026
58508fc
feat(examples): add lean checked without proof ref fixture
fraware Jun 27, 2026
3d290d4
feat(examples): add lean checked without proof term ref
fraware Jun 27, 2026
d83e0f8
feat(examples): add previous event hash mismatch fixture
fraware Jun 27, 2026
5529fdf
fix(examples): align contract_violation contract semantics
fraware Jun 27, 2026
33f3aac
fix(examples): extend missing_principal observation
fraware Jun 27, 2026
5fbea1d
fix(examples): extend unknown_capability observation
fraware Jun 27, 2026
16d7fbe
fix(examples): extend unknown_effect observation
fraware Jun 27, 2026
79982ab
fix(examples): update contract_checked valid contract
fraware Jun 27, 2026
9a6ee71
fix(examples): update contract_checked valid trace
fraware Jun 27, 2026
d214222
fix(examples): update email_send_authorized observation
fraware Jun 27, 2026
a293796
fix(examples): update file_read_allowed observation
fraware Jun 27, 2026
b06ba88
fix(examples): update file_read_denied_cross_tenant observation
fraware Jun 27, 2026
cbbf6bd
fix(examples): update network_denied observation
fraware Jun 27, 2026
3a52faf
feat(pf-core): extend CertifyEdge for semantics tiers
fraware Jun 27, 2026
174fc75
feat(cli): extend pcs-envelope PF-Core commands
fraware Jun 27, 2026
0c3875d
ci(scripts): add verify-pf-core-adapter shell script
fraware Jun 27, 2026
604acb3
ci(scripts): add run-pf-core-adapter-ci shell script
fraware Jun 27, 2026
2fb0a04
chore(scripts): add deferred PF-Core fixture generator
fraware Jun 27, 2026
a7b1f6c
ci: gate PF-Core Tier 1-3 and adapter jobs
fraware Jun 27, 2026
2c71027
test(pf-core): add Tier 1 semantics test suite
fraware Jun 27, 2026
2943e21
test(pf-core): add deferred semantics test suite
fraware Jun 27, 2026
f51460a
test(pf-core): extend cross-language parity tests
fraware Jun 27, 2026
bb636b8
test(pf-core): adjust stage1 tests for semantics
fraware Jun 27, 2026
a342609
test(pf-core): extend stage2 semantics coverage
fraware Jun 27, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 35 additions & 7 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ jobs:
run: |
cd python
pip install -e ".[dev]"
pytest -q tests/test_pf_core_tier1.py tests/test_pf_core_cross_language.py
pytest -q tests/test_pf_core_stage1.py tests/test_pf_core_stage2.py tests/test_pf_core_stage3.py
pytest -q tests/test_pf_core_phase_f.py
pytest -q
Expand Down Expand Up @@ -81,17 +82,33 @@ jobs:
pip install -e .
pcs validate ../examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json
pcs pf-core validate-trace ../examples/pf-core-valid/tool_use_trace_compiled/pfcore_trace.json
- name: PF-Core CertifyEdge mock check (Phase F3)
- name: PF-Core CertifyEdge check (live or mock)
run: |
cd python
PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \
--trace ../examples/pf-core-valid/labtrust_replay/trace.json \
--property qc_release.temporal.safety \
--out /tmp/PFCoreCertificate.certifyedge.json
pip install -e .
if command -v certifyedge >/dev/null 2>&1; then
pcs pf-core certifyedge-check \
--trace ../examples/pf-core-valid/labtrust_replay/trace.json \
--property qc_release.temporal.safety \
--out /tmp/PFCoreCertificate.certifyedge.json || \
PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \
--trace ../examples/pf-core-valid/labtrust_replay/trace.json \
--property qc_release.temporal.safety \
--out /tmp/PFCoreCertificate.certifyedge.json
else
PCS_CERTIFYEDGE_MOCK=1 pcs pf-core certifyedge-check \
--trace ../examples/pf-core-valid/labtrust_replay/trace.json \
--property qc_release.temporal.safety \
--out /tmp/PFCoreCertificate.certifyedge.json
fi
- name: PF-Core Tier 1 tests
run: |
cd python
pytest -q tests/test_pf_core_tier1.py tests/test_pf_core_cross_language.py
- name: Schema drift check (reference)
run: bash scripts/pcs-schema-diff.sh schemas
- name: PF-Core hash vector parity (Phase 7)
run: bash scripts/verify-pf-core-hash-vectors.sh python/tests/hash_vectors
- name: PF-Core adapter parity (provability-fabric-core pin)
run: bash scripts/run-pf-core-adapter-ci.sh
- name: LabTrust release fixtures
run: |
cd python
Expand Down Expand Up @@ -119,6 +136,17 @@ jobs:
../examples/pf-core-valid/contract_checked/trace.json \
--contracts-dir ../examples/pf-core-valid/contract_checked

pf-core-adapter:
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: PF-Core provability-fabric-core adapter parity
run: bash scripts/run-pf-core-adapter-ci.sh

rust:
runs-on: ubuntu-latest
steps:
Expand Down
25 changes: 25 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# Changelog

## PF-Core v0.1 production kernel (Tier 1–3)

### Added

- `semantics_layer` on `PFCoreContract.v0` declaring per-field discharge layers (`lean`, `runtime`, `out_of_scope`).
- `contract_semantics_checked` on `PFCoreCertificate.v0` derived from contract semantics layers and actual checks.
- Shared negative hash vectors under `python/tests/hash_vectors/pf_core/invalid/` with Rust and Python parity tests.
- `pcs pcs-envelope check` alias for PCS release-envelope consistency; `pcs lean-check` retained with deprecation notice.
- `scripts/run-pf-core-adapter-ci.sh` for provability-fabric-core hash-vector pin verification.
- Tier 1 tests in `python/tests/test_pf_core_tier1.py`.
- Documentation: `generated-proofs.md`, `windows-lean.md`, updated gap audit and contract semantics.

### Changed

- PCS release path framed as envelope-only (`ProofChecked`); not conflated with PF-Core `LeanKernelChecked`.
- Cross-language PF-Core parity extended to contract validation and denied-event preservation (Rust `pf_core.rs`, TypeScript `pfCore.ts`).
- CertifyEdge CI tries live CLI when present, falls back to `PCS_CERTIFYEDGE_MOCK=1`.

### Documented (deferred)

- Full global non-interference remains open research (`non-interference.md`).
- Role-to-capability split is a permanent trusted-boundary assumption (`assumptions.md`).
- PKI signing infrastructure out of scope for v0.1.
15 changes: 15 additions & 0 deletions docs/pf-core-trace-mapping.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,21 @@ Both repos agree on:

PCS hash vectors under `python/tests/hash_vectors/` must match provability-fabric-core `adapters/pcs/tests/fixtures/hash_vectors/` at the pinned PF-Core tag.

PF-Core-specific vectors live under `python/tests/hash_vectors/pf_core/` (`PFCoreEvent.v0`, `PFCoreTrace.v0`, `PFCoreContract.v0`) and are verified in Python, Rust, and TypeScript parity tests.

---

## Runtime observation ordering

`PFCoreRuntimeObservation.v0` carries a required non-negative `sequence` field. Deterministic trace compilation orders observations by `(sequence, source_index)` before hash chaining:

1. Sort observations by `sequence` ascending; equal sequences preserve input order.
2. Compile each observation to `PFCoreEvent.v0` using its `sequence` value.
3. Recompute `previous_event_hash` / `event_hash` sequentially from genesis.
4. Reject traces that drop denied observations (`DroppedDeniedEvent`).

Single-observation compile paths (`compile_runtime_observation_to_event`) preserve the observation `sequence` and `policy_ref` as `contract_refs`.

---

## LabTrust replay path
Expand Down
6 changes: 3 additions & 3 deletions docs/pf-core/assumptions.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ PF-Core proofs and certificates are conditional on explicit assumptions. This do
## Cryptographic assumptions

- SHA-256 collision resistance for canonical artifact hashes and event hash chains.
- `signature_or_digest` fields bind artifact bytes; full PKI signing infrastructure is out of scope for v0.1.
- `signature_or_digest` fields bind artifact bytes; **PKI signing, HSM integration, and X.509 certificate chains are out of scope for PF-Core v0.1** (documented assumption only).

## Producer assumptions

Expand All @@ -18,15 +18,15 @@ PF-Core proofs and certificates are conditional on explicit assumptions. This do
- `LeanKernelChecked` is emitted **only** when that concrete proof succeeds (`traceSafeD … = true` via `decide`). `--skip-build` or `--skip-lean-proof` yields `RuntimeChecked` only.
- `lake build PFCore` means the PF-Core library compiles; individual traces still require generated proof files for kernel claims.
- Theorem names in `PF_CORE_THEOREM_CATALOG` exist as Lean symbols (enforced by `pcs pf-core audit-lean-catalog`).
- PCS `pcs lean-check` (without `--trace`) is **not** Lean-backed per trace. It prints the assurance boundary and exits; it must not be described as kernel-verified trace safety.
- PCS `pcs pcs-envelope check` (alias `pcs lean-check`) validates release-envelope consistency only; it must not be described as PF-Core kernel-verified trace safety.

## Role and capability alignment (permanent boundary)

- Lean `HasCapability` inspects `principal.capabilities` only; **roles are not expanded in the kernel**.
- The PF-Core runtime compiler expands known roles into explicit capability ids on compiled principals.
- Traces submitted to `pcs pf-core lean-check` must list those expanded capabilities explicitly; lean-check rejects principals where `capabilities` does not match role expansion.
- Runtime authorization may still consult roles during compilation; lean-check and Lean proofs rely on the explicit capability list only.
- This role-to-capability split is a **permanent trusted-boundary assumption**, not a temporary Stage 1 gap.
- This role-to-capability split is a **permanent trusted-boundary assumption** unless a future Lean RoleMap stage expands kernel capability resolution.

## Registry assumptions

Expand Down
17 changes: 13 additions & 4 deletions docs/pf-core/claim-boundary.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,20 @@ The claim-boundary linter (`pcs pf-core audit-claims`) fails on these phrases in
| fully verified runtime | runtime-checked trace with explicit claim class |
| formally verified platform | release-envelope consistency theorem family (for PCS Lean scope) |

## LeanCheckResult.v0 (PCS bridge artifact)
## PCS release-envelope consistency (`pcs pcs-envelope check`)

PF-Core `pcs pf-core lean-check` emits a registered `LeanCheckResult.v0` object alongside optional `PFCoreCertificate.v0` output.
PCS release-envelope checks validate `ProofObligation.v0` against the PCS theorem catalog in `lean/PCS/Theorems.lean`.

- Preferred command: `pcs pcs-envelope check --obligations … --out …`
- Legacy alias: `pcs lean-check` (prints deprecation notice; same behavior)
- Emits `LeanCheckResult.v0` with lifecycle status `ProofChecked` when obligations pass
- Does **not** prove PF-Core trace safety; does not emit `LeanKernelChecked`

Use `pcs pf-core lean-check --trace …` for PF-Core kernel assurance (`LeanKernelChecked` when concrete proof succeeds).

### Current behavior (Stage 4)
## PF-Core lean-check (`pcs pf-core lean-check`)

PF-Core `pcs pf-core lean-check` emits a registered `LeanCheckResult.v0` object alongside optional `PFCoreCertificate.v0` output.

- `status: LeanProofChecked` means Python deciders passed, the no-sorry audit passed, `lake build PFCore` succeeded, and a generated concrete proof file checked `traceSafeD tr = true` via the Lean kernel.
- `status: DecidersPassed` means deciders (and no-sorry audit) passed but Lean proof was skipped (`--skip-build` or `--skip-lean-proof`) or only runtime assurance was requested.
Expand All @@ -52,7 +61,7 @@ Do **not** treat PCS lifecycle `ProofChecked` as a PF-Core formal claim. PF-Core

Successful lean-check writes a certificate with matching `claim_class`, `assumption_refs`, `theorems_checked`, `obligations`, `lean_build_status`, `lean_proof_checked`, and `disclaimer`.

- `LeanKernelChecked` requires `proof_term_ref`, `proof_ref`, `lean_proof_checked: true`, and successful concrete Lean proof.
- `LeanKernelChecked` requires `proof_term_ref`, `proof_ref`, `lean_proof_checked: true`, successful concrete Lean proof, and **contract grounding** (non-empty event `contract_refs` or `default_contract_ref: "trace-safe"` aligned with `PFCore.traceSafeContract`).
- `--skip-build` or `--skip-lean-proof` yields `RuntimeChecked` only (no `proof_term_ref`).

### Mapping guidance for PF-Core certificates
Expand Down
79 changes: 67 additions & 12 deletions docs/pf-core/contract-semantics.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,19 +17,58 @@ This document maps `PFCoreContract.v0` JSON fields to runtime checker predicates
| `ContractPostSpec` | `post` object |
| `ContractInvariantSpec` | `invariant` object |

## semantics_layer (PFCoreContract.v0)

Each contract may declare which fields are discharged in Lean, checked only at runtime, or explicitly out of scope:

```json
"semantics_layer": {
"require_capability": "lean",
"require_role": "runtime",
"require_decision": "lean",
"require_trace_safe": "lean"
}
```

Field names are bare (unique across pre/post/invariant). When `semantics_layer` is omitted, defaults are derived from the mapping table below.

| Layer | Meaning |
|-------|---------|
| `lean` | Discharged by generated Lean `ContractDecide` proofs when lean-check runs |
| `runtime` | Validated by `pcs pf-core validate-contracts` only |
| `out_of_scope` | Documented gap; must not appear on active required fields |

Validation rejects orphan semantics entries, active fields marked `out_of_scope`, and inconsistent explicit layers.

## semantics_layer (PFCoreContract.v0)

Contracts may declare per-field discharge layers at the source:

```json
"semantics_layer": {
"require_capability": "lean",
"require_role": "runtime",
"require_policy_ref": "runtime"
}
```

Allowed values: `lean`, `runtime`, `out_of_scope`.

When `semantics_layer` is omitted, defaults are derived from the mapping table below. Explicit entries must match the canonical layer for active fields (validated by `pcs validate`).

## Formal mapping table (JSON ↔ Lean ↔ runtime)

| JSON field | Runtime (`pf_core_contract.py`) | Lean decider | Generated proof |
|------------|-----------------------------------|--------------|-----------------|
| `pre.require_capability` | `_principal_has_capability` | `contractPreD` / `hasCapabilityD` | `concrete_contract_pre_*` |
| `pre.require_effect` | `_action_has_effect` | `contractPreD` / `actionHasEffectD` | `concrete_contract_pre_*` |
| `pre.require_tenant_match` | `_tenant_matches` | `contractPreD` / `actionWithinTenantD` | `concrete_contract_pre_*` |
| `pre.require_role` | role list membership | **Not mapped** | — |
| `pre.require_policy_ref` | `contract_refs` contains ref | **Not mapped** | — |
| `pre.require_evidence_ref` | `evidence_refs` contains ref | **Not mapped** | — |
| `post.require_decision` | decision equality | `contractPostD` | `concrete_contract_post_*` |
| `post.require_event_safe` | capability + tenant on allow | `contractPostD` / `eventSafeD` | `concrete_contract_post_*` |
| `invariant.require_trace_safe` | (trace-level) | `contractInvariantD` / `traceSafeD` | `concrete_trace_satisfies_*` |
| JSON field | Default layer | Runtime (`pf_core_contract.py`) | Lean decider | Generated proof |
|------------|---------------|-----------------------------------|--------------|-----------------|
| `pre.require_capability` | `lean` | `_principal_has_capability` | `contractPreD` / `hasCapabilityD` | `concrete_contract_pre_*` |
| `pre.require_effect` | `lean` | `_action_has_effect` | `contractPreD` / `actionHasEffectD` | `concrete_contract_pre_*` |
| `pre.require_tenant_match` | `lean` | `_tenant_matches` | `contractPreD` / `actionWithinTenantD` | `concrete_contract_pre_*` |
| `pre.require_role` | `runtime` | role list membership | **Not mapped** | — |
| `pre.require_policy_ref` | `runtime` | `contract_refs` contains ref | **Not mapped** | — |
| `pre.require_evidence_ref` | `runtime` | `evidence_refs` contains ref | **Not mapped** | — |
| `post.require_decision` | `lean` | decision equality | `contractPostD` | `concrete_contract_post_*` |
| `post.require_event_safe` | `lean` | capability + tenant on allow | `contractPostD` / `eventSafeD` | `concrete_contract_post_*` |
| `invariant.require_trace_safe` | `lean` | (trace-level) | `contractInvariantD` / `traceSafeD` | `concrete_trace_satisfies_*` |

Per-event discharge: `satisfiesContractSpecD`. Trace-level: `traceSatisfiesContractSpecsD`.

Expand All @@ -41,7 +80,23 @@ When `contract_refs` appear on events and contract JSON is found alongside the t
2. Generated `.lean` file includes `ContractPreSpec` / `PostSpec` / `Inv` defs and `decide` proofs.
3. `lake env lean` on the generated module discharges concrete obligations.

Fields marked **Not mapped** remain runtime-only; codegen documents the gap in the header when refs exist but contracts are missing.
Fields marked **Not mapped** remain runtime-only unless `semantics_layer` overrides a mapped field to `runtime`. Codegen skips Lean obligations for non-`lean` fields.

## contract_semantics_checked (PFCoreCertificate.v0)

When `pcs pf-core lean-check` emits a certificate, it includes:

```json
"contract_semantics_checked": {
"lean": ["contract-id.pre.require_capability", "..."],
"runtime": ["contract-id.pre.require_role", "..."]
}
```

- `lean`: contract fields with `semantics_layer` `lean` (discharged by generated Lean proofs when lean-check succeeds).
- `runtime`: fields with layer `runtime` (validated by `pcs pf-core validate-contracts`).

Out-of-scope fields are omitted from both lists.

## Invariant preservation (Lean)

Expand Down
Loading
Loading