diff --git a/02_FORMAL/lean/RIINA.lean b/02_FORMAL/lean/RIINA.lean index e19eee82..a4d51291 100644 --- a/02_FORMAL/lean/RIINA.lean +++ b/02_FORMAL/lean/RIINA.lean @@ -1,9 +1,8 @@ -- Domain files (bulk of theorems — compile independently) import RIINA.Domains.All --- MobileOS, Industries, Compliance excluded: transpiler .mk constructor bug --- import RIINA.Domains.MobileOS --- import RIINA.Industries --- import RIINA.Compliance +import RIINA.Domains.MobileOS +import RIINA.Industries +import RIINA.Compliance -- Core files depend on Foundations.Syntax/Semantics which need hand-written Lean port. -- Excluded until transpiler generates valid Lean for core Coq definitions. -- import RIINA.Foundations.Syntax diff --git a/02_FORMAL/lean/RIINA/Compliance/DO178CCompliance.lean b/02_FORMAL/lean/RIINA/Compliance/DO178CCompliance.lean index 5da09b9e..147fe678 100644 --- a/02_FORMAL/lean/RIINA/Compliance/DO178CCompliance.lean +++ b/02_FORMAL/lean/RIINA/Compliance/DO178CCompliance.lean @@ -88,7 +88,7 @@ Generated by scripts/generate-multiprover.py | DAL_A_Full_Compliance | DAL_A_Full_Compliance | OK | -/ -namespace RIINA +namespace RIINA.Compliance.DO178CCompliance /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
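Review bot: Re-enabling `import RIINA.Domains.MobileOS`, `import RIINA.Industries` and `import RIINA.Compliance` makes the root module depend on generated files that, elsewhere in this same commit, still carry Coq residue (`store'.(store_data)` in VerifiedCompliance.lean, `| None => None` in PCIDSSCompliance.lean), so the root build may now fail where it previously only skipped these modules. The deleted comment was the only record of why they had been excluded. I'd keep a one-line marker such as `-- MobileOS/Industries/Compliance are transpiler output; re-check after generator changes` and make a `lake build` of this root a CI gate before any of these theorems are cited as compliance evidence. Whether the build currently passes is not visible from the diff.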
@@ -96,20 +96,25 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs +/-- Coq compatibility: check if pair is in list -/ +def pair_in_list {α : Type} [DecidableEq α] (p : α) (xs : List α) : Bool := xs.any (fun x => x == p) + /-- Boolean conjunction iff (matches Coq: andb_true_iff) -/ private theorem andb_true_iff (a b : Bool) : 
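Review bot: `pair_in_list` is named as a pair-membership test but its element parameter `p : α` is an arbitrary value, and nothing relates it to the `In` Prop added just above it, so a proof cannot move between the Bool test and the Prop without a lemma this file does not provide. If it is meant for `stack_per_function : List (Nat × Nat)`, I'd either type it as `(p : α × β)` or drop it for `List.elem`/`decide (x ∈ xs)`, and add `theorem pair_in_list_iff : pair_in_list p xs = true ↔ In p xs`. `@[inline]` on the Prop-valued `In` has no effect and can go. Since the header says the file is produced by scripts/generate-multiprover.py, hand edits here will be lost unless the generator is changed too.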
@@ -118,6 +123,13 @@ private theorem andb_true_iff (a b : Bool) : · intro h; cases a <;> cases b <;> simp_all · intro ⟨ha, hb⟩; simp [ha, hb] +/-- Coq compatibility: Nat equality test -/ +def Nat.eqb (a b : Nat) : Bool := a == b +/-- Coq compatibility: Nat less-or-equal test -/ +def Nat.leb (a b : Nat) : Bool := decide (a ≤ b) +/-- Coq compatibility: Nat less-than test -/ +def Nat.ltb (a b : Nat) : Bool := decide (a < b) + /-- DAL (matches Coq: Inductive DAL) -/ inductive DAL where | DAL_A : DAL @@ -153,8 +165,8 @@ abbrev mkReq := Requirement.mk /-- TraceLink (matches Coq: Record TraceLink) -/ structure TraceLink where trace_req : Requirement - trace_code : List - trace_tests : List + trace_code : List Nat + trace_tests : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for TraceLink. -/ abbrev mkTrace := TraceLink.mk @@ -173,10 +185,10 @@ abbrev mkCov := CoverageData.mk /-- CodeAnalysis (matches Coq: Record CodeAnalysis) -/ structure CodeAnalysis where - ca_all_code : List - ca_reachable_code : List - ca_deactivated_code : List - ca_deactivated_documented : List + ca_all_code : List Nat + ca_reachable_code : List Nat + ca_deactivated_code : List Nat + ca_deactivated_documented : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for CodeAnalysis. -/ abbrev mkCodeAnalysis := CodeAnalysis.mk @@ -185,7 +197,7 @@ abbrev mkCodeAnalysis := CodeAnalysis.mk structure StackAnalysis where stack_allocated : Nat stack_max_usage : Nat - stack_per_function : List + stack_per_function : List (Nat × Nat) deriving DecidableEq, Repr /-- Coq constructor alias for StackAnalysis. -/ abbrev mkStack := StackAnalysis.mk 
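Review bot: `Nat.eqb`, `Nat.leb` and `Nat.ltb` are introduced as plain `def`s rather than `abbrev`s, so `simp`, `decide` and `omega` in the proofs further down (e.g. `cases ‹_› <;> simp <;> omega` in DAL_A_Full_Compliance) do not see `a == b` / `decide (a ≤ b)` through them and goals mentioning these tests may stall. Core Lean already has `Nat.beq`, `Nat.ble` and `Nat.blt` with simp support; I'd write `abbrev Nat.eqb (a b : Nat) : Bool := a == b` (and likewise for the other two) so the Coq names survive but reduce automatically. This is inferred from the definitions alone; if the generated proofs already check, treat it as a robustness note rather than a blocker.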
@@ -222,24 +234,24 @@ abbrev mkInputVal := InputValidation.mk /-- ExceptionHandling (matches Coq: Record ExceptionHandling) -/ structure ExceptionHandling where - eh_exception_types : List - eh_handled_types : List + eh_exception_types : List Nat + eh_handled_types : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for ExceptionHandling. -/ abbrev mkExcept := ExceptionHandling.mk /-- DataCoupling (matches Coq: Record DataCoupling) -/ structure DataCoupling where - dc_data_dependencies : List - dc_documented_dependencies : List + dc_data_dependencies : List Nat + dc_documented_dependencies : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for DataCoupling. -/ abbrev mkDataCoupling := DataCoupling.mk /-- ControlCoupling (matches Coq: Record ControlCoupling) -/ structure ControlCoupling where - cc_control_dependencies : List - cc_documented_dependencies : List + cc_control_dependencies : List Nat + cc_documented_dependencies : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for ControlCoupling. -/ abbrev mkControlCoupling := ControlCoupling.mk @@ -255,16 +267,16 @@ abbrev mkSafety := SafetyProperty.mk /-- FunctionAnalysis (matches Coq: Record FunctionAnalysis) -/ structure FunctionAnalysis where - fa_specified_functions : List - fa_implemented_functions : List + fa_specified_functions : List Nat + fa_implemented_functions : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for FunctionAnalysis. -/ abbrev mkFuncAnalysis := FunctionAnalysis.mk /-- RobustnessTest (matches Coq: Record RobustnessTest) -/ structure RobustnessTest where - rt_invalid_input_types : List - rt_tested_invalid_inputs : List + rt_invalid_input_types : List Nat + rt_tested_invalid_inputs : List Nat rt_all_gracefully_handled : Bool deriving DecidableEq, Repr /-- Coq constructor alias for RobustnessTest. -/ 
@@ -314,21 +326,21 @@ abbrev mkConfig := ConfigurationManagement.mk /-- DO178CCompliance (matches Coq: Record DO178CCompliance) -/ structure DO178CCompliance where comp_dal : DAL - comp_traces : List + comp_traces : List Nat comp_coverage : CoverageData comp_code_analysis : CodeAnalysis comp_stack : StackAnalysis comp_timing : TimingAnalysis - comp_partitions : List - comp_inputs : List + comp_partitions : List Nat + comp_inputs : List Nat comp_exceptions : ExceptionHandling comp_data_coupling : DataCoupling comp_control_coupling : ControlCoupling - comp_safety_props : List + comp_safety_props : List Nat comp_func_analysis : FunctionAnalysis comp_robustness : RobustnessTest comp_determinism : DeterminismAnalysis - comp_rt_tasks : List + comp_rt_tasks : List Nat comp_resources : ResourceUsage comp_config : ConfigurationManagement deriving DecidableEq, Repr @@ -570,4 +582,4 @@ theorem COMPLY_003_20 : ∀ (c : DO178CCompliance), configuration_compliant (com theorem DAL_A_Full_Compliance : ∀ (c : DO178CCompliance), full_dal_a_compliance c = true → comp_dal c = DAL_A := by cases ‹_› <;> simp <;> omega -end RIINA +end RIINA.Compliance.DO178CCompliance diff --git a/02_FORMAL/lean/RIINA/Compliance/HIPAACompliance.lean b/02_FORMAL/lean/RIINA/Compliance/HIPAACompliance.lean index 24e9ba75..7c91a916 100644 --- a/02_FORMAL/lean/RIINA/Compliance/HIPAACompliance.lean +++ b/02_FORMAL/lean/RIINA/Compliance/HIPAACompliance.lean @@ -61,7 +61,7 @@ Generated by scripts/generate-multiprover.py | COMPLY_001_15 | COMPLY_001_15 | OK | -/ -namespace RIINA +namespace RIINA.Compliance.HIPAACompliance /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
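Review bot: Typing `comp_traces`, `comp_inputs`, `comp_safety_props`, `comp_partitions` and `comp_rt_tasks` as `List Nat` discards the records this file defines for exactly those fields (`TraceLink`/`mkTrace`, `InputValidation`/`mkInputVal`, `SafetyProperty`/`mkSafety`), so any traceability or input-validation theorem over `DO178CCompliance` is now about opaque numbers and no longer "matches Coq: Record DO178CCompliance" as the doc comment claims. For DAL-A evidence that matters: a statement that every requirement has a trace to code and tests cannot even be expressed when a trace is a `Nat`. I'd make them `comp_traces : List TraceLink`, `comp_inputs : List InputValidation`, `comp_safety_props : List SafetyProperty` (and the partition/task records if the file declares them earlier) and have the generator emit the element type from the Coq record instead of defaulting to `Nat`. The Coq source is not in the diff, so confirm the element types there first.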
@@ -69,20 +69,33 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? 
p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: list map -/ +@[inline] def map {α β : Type} (f : α → β) (xs : List α) : List β := xs.map f +/-- Coq compatibility: Nat equality test -/ +def Nat.eqb (a b : Nat) : Bool := a == b +/-- Coq compatibility: Nat less-or-equal test -/ +def Nat.leb (a b : Nat) : Bool := decide (a ≤ b) +/-- Coq compatibility: Nat less-than test -/ +def Nat.ltb (a b : Nat) : Bool := decide (a < b) + +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs +/-- Coq compatibility shim: List filter -/ +@[inline] def filter {α : Type} (f : α → Bool) (xs : List α) : List α := xs.filter f /-- Role (matches Coq: Inductive Role) -/ inductive Role where @@ -127,7 +140,7 @@ inductive AuthFactor where /-- AuthState (matches Coq: Record AuthState) -/ structure AuthState where - auth_factors : List + auth_factors : List Nat auth_user_id : Nat auth_timestamp : Nat deriving DecidableEq, Repr @@ -171,7 +184,7 @@ structure BreachEvent where breach_detected_time : Nat breach_occurred_time : Nat breach_user_id : Nat - breach_phi_ids : List + breach_phi_ids : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for BreachEvent. -/ abbrev mkBreach := BreachEvent.mk @@ -188,11 +201,11 @@ abbrev mkSession := Session.mk /-- SystemState (matches Coq: Record SystemState) -/ structure SystemState where - state_phi_records : List - state_audit_log : List - state_active_sessions : List - state_user_roles : List - state_disposals : List + state_phi_records : List Nat + state_audit_log : List Nat + state_active_sessions : List Nat + state_user_roles : List Nat + state_disposals : List Nat state_current_time : Nat deriving DecidableEq, Repr /-- Coq constructor alias for SystemState. -/ 
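Review bot: `auth_factors : List Nat` drops the `AuthFactor` inductive declared immediately above it, so `is_mfa`, which COMPLY_001_10 relates to `length (auth_factors …)`, can only count entries and cannot express that the factors are of distinct kinds — `[1, 1]` satisfies it as readily as password plus token. I'd type the field as `auth_factors : List AuthFactor` and, if the Coq `is_mfa` checks distinctness, carry that over (e.g. `(auth.auth_factors.eraseDups).length ≥ 2`), regenerating the COMPLY_001_10 proof. `is_mfa` itself is outside this hunk, so the count-only reading is inferred from the theorem statement.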
@@ -210,7 +223,7 @@ abbrev mkTransmission := Transmission.mk /-- BREACH_DETECTION_LIMIT_S (matches Coq: Definition BREACH_DETECTION_LIMIT_S) -/ def BREACH_DETECTION_LIMIT_S : Nat := - Z.to_nat 86400%Z + 86400 /-- can_access (matches Coq: Definition can_access) -/ def can_access (role : Role) (cat : PHICategory) : Bool := @@ -317,15 +330,15 @@ theorem COMPLY_001_02 : ∀ (ts : TransportSecurity), is_hipaa_transport ts = tr rfl /-- COMPLY_001_03 (matches Coq) -/ -theorem COMPLY_001_03 : ∀ (role : Role) (cat : PHICategory), can_access role cat = false → ~ (can_access role cat = true) := by +theorem COMPLY_001_03 : ∀ (role : Role) (cat : PHICategory), can_access role cat = false → ¬(can_access role cat = true) := by simp_all [Bool.and_eq_true] /-- COMPLY_001_04 (matches Coq) -/ -theorem COMPLY_001_04 : ∀ (log : list AuditEntry) (user_id phi_id timestamp action : nat) (success : bool), let new_log := access_with_audit log user_id phi_id timestamp action success in audit_∃_for new_log user_id phi_id = true := by +theorem COMPLY_001_04 : ∀ (log : List AuditEntry) (user_id phi_id timestamp action : Nat) (success : Bool), let new_log := access_with_audit log user_id phi_id timestamp action success in audit_exists_for new_log user_id phi_id = true := by simp /-- COMPLY_001_05 (matches Coq) -/ -theorem COMPLY_001_05 : ∀ (role : Role) (requested : list PHICategory) (cat : PHICategory), In cat (minimum_necessary_access role requested) → can_access role cat = true := by +theorem COMPLY_001_05 : ∀ (role : Role) (requested : List PHICategory) (cat : PHICategory), In cat (minimum_necessary_access role requested) → can_access role cat = true := by simp_all [Bool.and_eq_true] /-- COMPLY_001_06 (matches Coq) -/ 
@@ -349,23 +362,29 @@ theorem COMPLY_001_10 : ∀ (auth : AuthState), is_mfa auth = true → length (a simp_all [Bool.and_eq_true] /-- COMPLY_001_11 (matches Coq) -/ -theorem COMPLY_001_11 : ∀ (current_time last_activity : nat), current_time - last_activity > session_timeout → session_expired current_time last_activity = true := by +theorem COMPLY_001_11 : ∀ (current_time last_activity : Nat), current_time - last_activity > session_timeout → session_expired current_time last_activity = true := by simp_all [Bool.and_eq_true] /-- COMPLY_001_12 (matches Coq) -/ -theorem COMPLY_001_12 : ∀ (s : Session) (current_time : nat), session_is_active s = true → current_time - session_last_activity s > session_timeout → session_is_active (check_and_terminate current_time s) = false := by +theorem COMPLY_001_12 : ∀ (s : Session) (current_time : Nat), session_is_active s = true → current_time - session_last_activity s > session_timeout → session_is_active (check_and_terminate current_time s) = false := by simp_all [Bool.and_eq_true] + +/-- Check if all user IDs in the list are unique -/ +def all_unique_ids (users : List (Nat × Role)) : Bool := + let ids := users.map (fun p => p.1) + ids.length = ids.eraseDups.length + /-- COMPLY_001_13 (matches Coq) -/ -theorem COMPLY_001_13 : ∀ (users : list (nat * Role)) (uid : nat) (r1 r2 : Role), all_unique_ids users = true → In (uid, r1) users → In (uid, r2) users → r1 = r2 := by +theorem COMPLY_001_13 : ∀ (users : List (Nat * Role)) (uid : Nat) (r1 r2 : Role), all_unique_ids users = true → In (uid, r1) users → In (uid, r2) users → r1 = r2 := by cases ‹_› <;> simp /-- COMPLY_001_14 (matches Coq) -/ -theorem COMPLY_001_14 : ∀ (log : list AuditEntry) (user_id phi_id timestamp : nat) (cat : PHICategory), let new_log := emergency_access log user_id phi_id timestamp in audit_∃_for new_log user_id phi_id = true ∧ can_access Emergency cat = true := by +theorem COMPLY_001_14 : ∀ (log : List AuditEntry) (user_id phi_id timestamp : Nat) (cat : 
PHICategory), let new_log := emergency_access log user_id phi_id timestamp in audit_exists_for new_log user_id phi_id = true ∧ can_access Emergency cat = true := by cases ‹_› <;> simp /-- COMPLY_001_15 (matches Coq) -/ theorem COMPLY_001_15 : ∀ (t : Transmission), transmission_secure t = true → trans_security t = TLS13 ∧ phi_encryption (trans_phi t) = EncryptedAES256 ∧ trans_verified t = true := by simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Compliance.HIPAACompliance diff --git a/02_FORMAL/lean/RIINA/Compliance/PCIDSSCompliance.lean b/02_FORMAL/lean/RIINA/Compliance/PCIDSSCompliance.lean index 1d195b76..6de2a858 100644 --- a/02_FORMAL/lean/RIINA/Compliance/PCIDSSCompliance.lean +++ b/02_FORMAL/lean/RIINA/Compliance/PCIDSSCompliance.lean @@ -84,7 +84,7 @@ Generated by scripts/generate-multiprover.py | COMPLY_002_15_vault_isolation | COMPLY_002_15_vault_isolation | OK | -/ -namespace RIINA +namespace RIINA.Compliance.PCIDSSCompliance /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
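Review bot: `List (Nat * Role)` in COMPLY_001_13 will not elaborate in Lean 4 — `*` is multiplication, the product type is `×` — and it disagrees with the new `all_unique_ids (users : List (Nat × Role))` two lines above; the statement should read `theorem COMPLY_001_13 : ∀ (users : List (Nat × Role)) (uid : Nat) (r1 r2 : Role), …`. The proof `cases ‹_› <;> simp` is unlikely to establish uniqueness-implies-same-role, which needs induction on `users` or a `List.Nodup` lemma about `eraseDups`, so the `OK` in the header table should be treated as unverified until the file rebuilds. Separately, COMPLY_001_11/12 rely on `current_time - last_activity`, which is truncated `Nat` subtraction: if `last_activity` is ahead of `current_time` the difference is `0` and the session never expires, so a last-activity timestamp a client can influence defeats the timeout. Either require `last_activity ≤ current_time` as a hypothesis of these theorems or have `session_expired` reject that case explicitly.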
@@ -92,20 +92,22 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: List map -/ +@[inline] def map {α β : Type} (f : α → β) (xs : List α) : List β := xs.map f /-- Boolean conjunction iff (matches Coq: andb_true_iff) -/ private theorem andb_true_iff (a b : Bool) : @@ -114,6 +116,11 @@ private theorem andb_true_iff (a b : Bool) : · intro h; cases a <;> cases b <;> simp_all · intro ⟨ha, hb⟩; simp [ha, hb] +/-- Coq compatibility: Nat equality test -/ +def Nat.eqb (a b : Nat) : Bool := a == b +/-- Coq compatibility: Nat less-than test -/ +def Nat.ltb (a b : Nat) : Bool := decide (a < b) + /-- CHDType (matches Coq: Inductive CHDType) -/ inductive CHDType where | PAN : CHDType 
@@ -196,7 +203,7 @@ abbrev mkPCIAudit := PCIAudit.mk /-- TokenVault (matches Coq: Record TokenVault) -/ structure TokenVault where - vault_tokens : List + vault_tokens : List (Nat × Nat) vault_key : KeyState vault_isolated : Bool deriving DecidableEq, Repr @@ -205,9 +212,9 @@ abbrev mkVault := TokenVault.mk /-- PCISystem (matches Coq: Record PCISystem) -/ structure PCISystem where - pci_chd_records : List - pci_audit_log : List - pci_keys : List + pci_chd_records : List Nat + pci_audit_log : List Nat + pci_keys : List Nat pci_vault : TokenVault deriving DecidableEq, Repr /-- Coq constructor alias for PCISystem. -/ @@ -312,7 +319,7 @@ def transmission_compliant (t : Transmission) : Bool := /-- token_lookup (matches Coq: Definition token_lookup) -/ def token_lookup (vault : TokenVault) (token : Nat) (has_key : Bool) : Option Nat := match find (fun p => Nat.eqb (fst p) token) (vault_tokens vault) with - | Some (_, pan) => Some pan + | Some (_, pan) => some pan | None => None /-- data_past_retention (matches Coq: Definition data_past_retention) -/ 
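Review bot: `token_lookup` never reads its `has_key` argument — the visible body is only `match find (fun p => Nat.eqb (fst p) token) (vault_tokens vault) with …` — so it returns the PAN to any caller holding a token, and `COMPLY_002_12_token_no_key_no_pan` (`token_lookup vault token false = None`) cannot hold for a non-empty vault whatever `simp` reports. The irreversible-tokenization claim needs the gate in the definition, e.g. `if !has_key then none else match find … with | some (_, pan) => some pan | none => none`. The untouched arm still spells `None`, which in Lean 4 is a fresh pattern variable rather than `Option.none`, so that line is wrong as written and should be `| none => none`. The Coq definition is not shown; if it also ignores `has_key`, the gap is in the model rather than the transpile.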
@@ -391,11 +398,11 @@ theorem COMPLY_002_04_pin_no_compliant_encryption : ∀ (enc : EncState), pci_co cases ‹_› <;> simp /-- COMPLY_002_05_key_rotation_detection (matches Coq) -/ -theorem COMPLY_002_05_key_rotation_detection : ∀ (k : KeyState) (current_time : nat), key_creation_time k + key_rotation_period k < current_time → key_needs_rotation k current_time = true := by +theorem COMPLY_002_05_key_rotation_detection : ∀ (k : KeyState) (current_time : Nat), key_creation_time k + key_rotation_period k < current_time → key_needs_rotation k current_time = true := by simp_all [Bool.and_eq_true] /-- COMPLY_002_05_key_no_rotation_needed (matches Coq) -/ -theorem COMPLY_002_05_key_no_rotation_needed : ∀ (k : KeyState) (current_time : nat), current_time ≤ key_creation_time k + key_rotation_period k → key_needs_rotation k current_time = false := by +theorem COMPLY_002_05_key_no_rotation_needed : ∀ (k : KeyState) (current_time : Nat), current_time ≤ key_creation_time k + key_rotation_period k → key_needs_rotation k current_time = false := by simp_all [Bool.and_eq_true] /-- COMPLY_002_06_access_requires_need_to_know (matches Coq) -/ 
@@ -423,23 +430,23 @@ theorem COMPLY_002_08_access_granted_implies_mfa : ∀ (u : User), grant_chd_acc simp_all [Bool.and_eq_true] /-- COMPLY_002_09_audit_entry_has_timestamp (matches Coq) -/ -theorem COMPLY_002_09_audit_entry_has_timestamp : ∀ (ts usr act : nat) (chd : CHDType) (succ : bool) (prev : nat), pci_timestamp (create_audit_entry ts usr act chd succ prev) = ts := by +theorem COMPLY_002_09_audit_entry_has_timestamp : ∀ (ts usr act : Nat) (chd : CHDType) (succ : Bool) (prev : Nat), pci_timestamp (create_audit_entry ts usr act chd succ prev) = ts := by simp /-- COMPLY_002_09_audit_entry_has_user (matches Coq) -/ -theorem COMPLY_002_09_audit_entry_has_user : ∀ (ts usr act : nat) (chd : CHDType) (succ : bool) (prev : nat), pci_user (create_audit_entry ts usr act chd succ prev) = usr := by +theorem COMPLY_002_09_audit_entry_has_user : ∀ (ts usr act : Nat) (chd : CHDType) (succ : Bool) (prev : Nat), pci_user (create_audit_entry ts usr act chd succ prev) = usr := by simp /-- COMPLY_002_09_audit_entry_has_action (matches Coq) -/ -theorem COMPLY_002_09_audit_entry_has_action : ∀ (ts usr act : nat) (chd : CHDType) (succ : bool) (prev : nat), pci_action (create_audit_entry ts usr act chd succ prev) = act := by +theorem COMPLY_002_09_audit_entry_has_action : ∀ (ts usr act : Nat) (chd : CHDType) (succ : Bool) (prev : Nat), pci_action (create_audit_entry ts usr act chd succ prev) = act := by simp /-- COMPLY_002_10_audit_has_hash (matches Coq) -/ -theorem COMPLY_002_10_audit_has_hash : ∀ (ts usr act : nat) (chd : CHDType) (succ : bool) (prev : nat), pci_hash (create_audit_entry ts usr act chd succ prev) = prev + ts + usr + act := by +theorem COMPLY_002_10_audit_has_hash : ∀ (ts usr act : Nat) (chd : CHDType) (succ : Bool) (prev : Nat), pci_hash (create_audit_entry ts usr act chd succ prev) = prev + ts + usr + act := by simp /-- COMPLY_002_10_empty_log_valid (matches Coq) -/ -theorem COMPLY_002_10_empty_log_valid : ∀ (h : nat), audit_chain_valid [] h = true := by +theorem 
COMPLY_002_10_empty_log_valid : ∀ (h : Nat), audit_chain_valid [] h = true := by rfl /-- COMPLY_002_11_tls12_compliant (matches Coq) -/ @@ -459,19 +466,19 @@ theorem COMPLY_002_11_transmission_requires_encryption : ∀ (t : Transmission), cases ‹_› <;> simp <;> omega /-- COMPLY_002_12_token_no_key_no_pan (matches Coq) -/ -theorem COMPLY_002_12_token_no_key_no_pan : ∀ (vault : TokenVault) (token : nat), token_lookup vault token false = None := by +theorem COMPLY_002_12_token_no_key_no_pan : ∀ (vault : TokenVault) (token : Nat), token_lookup vault token false = None := by simp /-- COMPLY_002_12_tokenization_irreversible_without_key (matches Coq) -/ -theorem COMPLY_002_12_tokenization_irreversible_without_key : ∀ (vault : TokenVault) (token pan : nat), token_lookup vault token false = Some pan → False := by +theorem COMPLY_002_12_tokenization_irreversible_without_key : ∀ (vault : TokenVault) (token pan : Nat), token_lookup vault token false = some pan → False := by simp_all [Bool.and_eq_true] /-- COMPLY_002_13_past_retention_detected (matches Coq) -/ -theorem COMPLY_002_13_past_retention_detected : ∀ (creation current max_days : nat), creation + max_days < current → data_past_retention creation current max_days = true := by +theorem COMPLY_002_13_past_retention_detected : ∀ (creation current max_days : Nat), creation + max_days < current → data_past_retention creation current max_days = true := by simp_all [Bool.and_eq_true] /-- COMPLY_002_13_within_retention_ok (matches Coq) -/ -theorem COMPLY_002_13_within_retention_ok : ∀ (creation current max_days : nat), current ≤ creation + max_days → data_past_retention creation current max_days = false := by +theorem COMPLY_002_13_within_retention_ok : ∀ (creation current max_days : Nat), current ≤ creation + max_days → data_past_retention creation current max_days = false := by simp_all [Bool.and_eq_true] /-- COMPLY_002_14_secure_deletion_unrecoverable (matches Coq) -/ 
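Review bot: The audit-chain value proved in `COMPLY_002_10_audit_has_hash` is `prev + ts + usr + act`: addition is commutative and the sum omits `chd` and `succ`, so user and action can be swapped, or the CHD type and success flag altered, without changing the chain, and `audit_chain_valid` therefore says nothing about tamper evidence (PCI DSS Requirement 10 log integrity). That is acceptable for an abstract model only if stated; I'd add to `create_audit_entry`'s hash field the comment `-- placeholder chain value, not a cryptographic hash; chain-validity theorems establish structure, not integrity`, and ideally make the hash an opaque parameter (`variable (H : Nat → Nat → Nat → Nat → Nat)`) so nobody mistakes the arithmetic for integrity protection. `create_audit_entry` itself lies outside this hunk.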
@@ -502,4 +509,4 @@ theorem COMPLY_002_15_non_cde_always_compliant : ∀ (z : NetworkZone), zone_is_ theorem COMPLY_002_15_vault_isolation : ∀ (sys : PCISystem), vault_isolated (pci_vault sys) = true → system_scope_isolated sys = true := by intro h; exact h -end RIINA +end RIINA.Compliance.PCIDSSCompliance diff --git a/02_FORMAL/lean/RIINA/Compliance/VerifiedCompliance.lean b/02_FORMAL/lean/RIINA/Compliance/VerifiedCompliance.lean index b8e72b2b..56d0f782 100644 --- a/02_FORMAL/lean/RIINA/Compliance/VerifiedCompliance.lean +++ b/02_FORMAL/lean/RIINA/Compliance/VerifiedCompliance.lean @@ -110,7 +110,7 @@ Generated by scripts/generate-multiprover.py | AJ_001_35_remediation_tracked | AJ_001_35_remediation_tracked | OK | -/ -namespace RIINA +namespace RIINA.Compliance.VerifiedCompliance /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -118,20 +118,34 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility: Nat equality test -/ +def Nat.eqb (a b : Nat) : Bool := a == b + +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs +/-- Coq compatibility shim: List filter -/ +@[inline] def filter {α : Type} (f : α → Bool) (xs : List α) : List α := xs.filter f + +/-- Coq compatibility: type alias for data subject identifier -/ +abbrev DataSubjectId := Nat +/-- Coq compatibility: cardholder data environment -/ +abbrev CDE := List Nat +/-- Coq compatibility: non-CDE network segment -/ +abbrev NonCDE := List Nat /-- Regulation (matches Coq: Inductive Regulation) -/ inductive Regulation where 
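Review bot: `CDE` and `NonCDE` are both `abbrev … := List Nat`, so to the elaborator they are one type and any theorem separating cardholder-data-environment hosts from out-of-scope hosts is not enforced by typing — a `CDE` value is accepted wherever a `NonCDE` is expected. If the Coq side distinguishes them, make them distinct structures (`structure CDE where hosts : List Nat` / `structure NonCDE where hosts : List Nat`) or keep the abbrevs and add an explicit disjointness hypothesis to the isolation theorems. `DataSubjectId := Nat` carries the same caveat in a milder form: nothing stops a patient id being passed as a subject id. These aliases were hand-added to a generated file, so the change belongs in scripts/generate-multiprover.py or it will vanish on regeneration.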
@@ -155,7 +169,7 @@ inductive ControlStatus where structure PersonalData where pd_subject : DataSubjectId pd_category : String - pd_value : List + pd_value : List Nat pd_purpose : String pd_consent : Bool pd_collected : Nat @@ -170,7 +184,7 @@ abbrev mkPD := PersonalData.mk /-- DataStore (matches Coq: Record DataStore) -/ structure DataStore where - store_data : List + store_data : List PersonalData store_purpose : String store_compliant : Bool store_encrypted : Bool @@ -181,9 +195,9 @@ abbrev mkStore := DataStore.mk /-- PHI (matches Coq: Record PHI) -/ structure PHI where phi_patient_id : Nat - phi_data : List + phi_data : List Nat phi_created : Nat - phi_accessed_by : List + phi_accessed_by : List Nat phi_encrypted : Bool phi_access_controlled : Bool phi_logged : Bool @@ -196,7 +210,7 @@ abbrev mkPHI := PHI.mk /-- CardholderData (matches Coq: Record CardholderData) -/ structure CardholderData where - chd_pan : List + chd_pan : List Nat chd_pan_encrypted : Bool chd_expiry : Nat chd_cvv_stored : Bool @@ -222,7 +236,7 @@ abbrev mkControl := Control.mk structure ControlMapping where mapping_control : Control mapping_riina_track : String - mapping_proof_ref : Option + mapping_proof_ref : Option Nat mapping_status : ControlStatus deriving DecidableEq, Repr /-- Coq constructor alias for ControlMapping. -/ @@ -276,8 +290,8 @@ abbrev mkTest := SecurityTest.mk /-- CompliancePolicy (matches Coq: Record CompliancePolicy) -/ structure CompliancePolicy where policy_regulation : Regulation - policy_controls : List - policy_mappings : List + policy_controls : List Control + policy_mappings : List ControlMapping policy_compliant : Bool deriving DecidableEq, Repr /-- Coq constructor alias for CompliancePolicy. -/ 
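Review bot: `chd_pan : List Nat` stores the PAN in the clear next to `chd_pan_encrypted : Bool`, so encryption is modelled as a flag beside the plaintext digits and any `CardholderData` value carries the PAN regardless of the flag's value. That is fine as an abstraction if the predicates that consume the record only ever test the flag, but a reader will assume otherwise; I'd document it on the field, `-- model: the digits are always present; chd_pan_encrypted records whether storage is encrypted, it does not hide them`. The same applies to `pd_value : List Nat` in PersonalData. The consuming predicates are outside these hunks, so this is a documentation request rather than a claimed defect.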
@@ -286,9 +300,9 @@ abbrev mkPolicy := CompliancePolicy.mk /-- EvidenceChain (matches Coq: Record EvidenceChain) -/ structure EvidenceChain where evidence_control : Control - evidence_items : List + evidence_items : List Nat evidence_timestamp : Nat - evidence_signature : List + evidence_signature : List Nat evidence_valid_flag : Bool deriving DecidableEq, Repr /-- Coq constructor alias for EvidenceChain. -/ @@ -297,7 +311,7 @@ abbrev mkEvidence := EvidenceChain.mk /-- GapAnalysis (matches Coq: Record GapAnalysis) -/ structure GapAnalysis where gap_policy : CompliancePolicy - gap_detected : List + gap_detected : List Control gap_analysis_complete : Bool deriving DecidableEq, Repr /-- Coq constructor alias for GapAnalysis. -/ 
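Review bot: `evidence_valid_flag : Bool` sits beside `evidence_signature : List Nat` with nothing in the record relating them, so "valid evidence" is whatever the constructor asserts and the signature over `evidence_items` is never checked; a theorem deriving compliance from `evidence_valid_flag = true` would be trusting a self-reported bit. I'd state that on the field — `/-- supplied by the auditor model; not derived from evidence_signature -/` — and, if the Coq source has a verification predicate, have the generator emit `evidence_valid : verify evidence_signature evidence_items = true` in place of the flag. The predicates that consume this record are outside this hunk.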
@@ -329,233 +343,236 @@ def is_proven (s : ControlStatus) : Bool := /-- data_minimization_holds (matches Coq: Definition data_minimization_holds) -/ def data_minimization_holds (store : DataStore) : Prop := - store.(store_compliant) = true → - forall pd, In pd store.(store_data) → pd.(pd_necessary) = true + store.store_compliant = true → + forall pd, In pd store.store_data → pd.pd_necessary = true /-- purpose_limitation_holds (matches Coq: Definition purpose_limitation_holds) -/ def purpose_limitation_holds (store : DataStore) : Prop := - store.(store_compliant) = true → - forall pd, In pd store.(store_data) → pd.(pd_purpose) = store.(store_purpose) + store.store_compliant = true → + forall pd, In pd store.store_data → pd.pd_purpose = store.store_purpose /-- storage_limitation_holds (matches Coq: Definition storage_limitation_holds) -/ def storage_limitation_holds (store : DataStore) (now : Nat) : Prop := - store.(store_compliant) = true → - forall pd, In pd store.(store_data) → - pd.(pd_collected) + pd.(pd_retention) >= now + store.store_compliant = true → + forall pd, In pd store.store_data → + pd.pd_collected + pd.pd_retention >= now /-- accuracy_holds (matches Coq: Definition accuracy_holds) -/ def accuracy_holds (store : DataStore) : Prop := - store.(store_compliant) = true → - forall pd, In pd store.(store_data) → pd.(pd_accurate) = true + store.store_compliant = true → + forall pd, In pd store.store_data → pd.pd_accurate = true /-- integrity_holds (matches Coq: Definition integrity_holds) -/ def integrity_holds (store : DataStore) : Prop := - store.(store_compliant) = true → - forall pd, In pd store.(store_data) → pd.(pd_integrity_protected) = true + store.store_compliant = true → + forall pd, In pd store.store_data → pd.pd_integrity_protected = true /-- access_right_holds (matches Coq: Definition access_right_holds) -/ def access_right_holds (store : DataStore) (subject : DataSubjectId) : Prop := - store.(store_compliant) = true → - forall pd, In pd 
store.(store_data) → pd.(pd_subject) = subject → - pd.(pd_exportable) = true + store.store_compliant = true → + forall pd, In pd store.store_data → pd.pd_subject = subject → + pd.pd_exportable = true /-- erasure_right_holds (matches Coq: Definition erasure_right_holds) -/ def erasure_right_holds (store store' : DataStore) (subject : DataSubjectId) : Prop := - store.(store_compliant) = true → - (forall pd, In pd store.(store_data) → pd.(pd_subject) = subject → - ~ In pd store'.(store_data)) /\ - (forall pd, In pd store.(store_data) → pd.(pd_subject) <> subject → + store.store_compliant = true → + (forall pd, In pd store.store_data → pd.pd_subject = subject → + ¬In pd store'.(store_data)) ∧ + (forall pd, In pd store.store_data → pd.pd_subject ≠ subject → In pd store'.(store_data)) /-- portability_holds (matches Coq: Definition portability_holds) -/ def portability_holds (store : DataStore) : Prop := - store.(store_compliant) = true → - forall pd, In pd store.(store_data) → pd.(pd_exportable) = true + store.store_compliant = true → + forall pd, In pd store.store_data → pd.pd_exportable = true /-- consent_valid_holds (matches Coq: Definition consent_valid_holds) -/ def consent_valid_holds (store : DataStore) : Prop := - store.(store_compliant) = true → - forall pd, In pd store.(store_data) → pd.(pd_consent) = true + store.store_compliant = true → + forall pd, In pd store.store_data → pd.pd_consent = true /-- phi_protected (matches Coq: Definition phi_protected) -/ def phi_protected (phi : PHI) : Prop := - phi.(phi_in_system) = true → - phi.(phi_encrypted) = true /\ phi.(phi_access_controlled) = true + phi.phi_in_system = true → + phi.phi_encrypted = true ∧ phi.phi_access_controlled = true /-- hipaa_access_control_holds (matches Coq: Definition hipaa_access_control_holds) -/ def hipaa_access_control_holds (phi : PHI) : Prop := - phi.(phi_in_system) = true → phi.(phi_access_controlled) = true + phi.phi_in_system = true → phi.phi_access_controlled = true /-- 
hipaa_audit_holds (matches Coq: Definition hipaa_audit_holds) -/ def hipaa_audit_holds (phi : PHI) : Prop := - phi.(phi_in_system) = true → phi.(phi_logged) = true + phi.phi_in_system = true → phi.phi_logged = true /-- minimum_necessary_holds (matches Coq: Definition minimum_necessary_holds) -/ def minimum_necessary_holds (phi : PHI) : Prop := - phi.(phi_in_system) = true → phi.(phi_access_controlled) = true + phi.phi_in_system = true → phi.phi_access_controlled = true /-- hipaa_encryption_holds (matches Coq: Definition hipaa_encryption_holds) -/ def hipaa_encryption_holds (phi : PHI) : Prop := - phi.(phi_in_system) = true → phi.(phi_encrypted) = true + phi.phi_in_system = true → phi.phi_encrypted = true /-- hipaa_integrity_holds (matches Coq: Definition hipaa_integrity_holds) -/ def hipaa_integrity_holds (phi : PHI) : Prop := - phi.(phi_in_system) = true → phi.(phi_integrity_protected) = true + phi.phi_in_system = true → phi.phi_integrity_protected = true /-- hipaa_availability_holds (matches Coq: Definition hipaa_availability_holds) -/ def hipaa_availability_holds (phi : PHI) : Prop := - phi.(phi_in_system) = true → phi.(phi_available) = true + phi.phi_in_system = true → phi.phi_available = true /-- breach_notification_holds (matches Coq: Definition breach_notification_holds) -/ def breach_notification_holds (phi : PHI) : Prop := - phi.(phi_in_system) = true → phi.(phi_logged) = true + phi.phi_in_system = true → phi.phi_logged = true /-- network_segmented_holds (matches Coq: Definition network_segmented_holds) -/ def network_segmented_holds (net : Network) : Prop := - net.(net_segmented) = true → - forall n1 n2, In n1 net.(net_cde) → In n2 net.(net_non_cde) → - n1 <> n2 + net.net_segmented = true → + forall n1 n2, In n1 net.net_cde → In n2 net.net_non_cde → + n1 ≠ n2 /-- chd_protected (matches Coq: Definition chd_protected) -/ def chd_protected (chd : CardholderData) : Prop := - chd.(chd_in_cde) = true → - chd.(chd_pan_encrypted) = true /\ chd.(chd_cvv_stored) = 
false + chd.chd_in_cde = true → + chd.chd_pan_encrypted = true ∧ chd.chd_cvv_stored = false /-- pci_encryption_holds (matches Coq: Definition pci_encryption_holds) -/ def pci_encryption_holds (chd : CardholderData) : Prop := - chd.(chd_in_cde) = true → chd.(chd_pan_encrypted) = true + chd.chd_in_cde = true → chd.chd_pan_encrypted = true /-- access_restricted_holds (matches Coq: Definition access_restricted_holds) -/ def access_restricted_holds (chd : CardholderData) (user : User) : Prop := - chd.(chd_in_cde) = true → - user.(user_business_need) = true /\ user.(user_unique) = true + chd.chd_in_cde = true → + user.user_business_need = true ∧ user.user_unique = true /-- unique_ids_holds (matches Coq: Definition unique_ids_holds) -/ def unique_ids_holds (users : List User) : Prop := - forall u, In u users → u.(user_unique) = true + forall u, In u users → u.user_unique = true /-- physical_security_holds (matches Coq: Definition physical_security_holds) -/ def physical_security_holds (pc : PhysicalControl) : Prop := - pc.(phys_secured) = true /\ pc.(phys_logged) = true + pc.phys_secured = true ∧ pc.phys_logged = true /-- logging_holds (matches Coq: Definition logging_holds) -/ def logging_holds (events : List SecurityEvent) : Prop := - forall e, In e events → e.(event_security_relevant) = true → - e.(event_logged) = true + forall e, In e events → e.event_security_relevant = true → + e.event_logged = true /-- testing_holds (matches Coq: Definition testing_holds) -/ def testing_holds (tests : List SecurityTest) : Prop := - forall t, In t tests → t.(test_performed) = true + forall t, In t tests → t.test_performed = true /-- control_mapping_complete_holds (matches Coq: Definition control_mapping_complete_holds) -/ def control_mapping_complete_holds (policy : CompliancePolicy) : Prop := - forall ctrl, In ctrl policy.(policy_controls) → - exists m, In m policy.(policy_mappings) /\ m.(mapping_control) = ctrl + forall ctrl, In ctrl policy.policy_controls → + exists m, In m 
policy.policy_mappings ∧ m.mapping_control = ctrl /-- evidence_chain_valid (matches Coq: Definition evidence_chain_valid) -/ def evidence_chain_valid (ec : EvidenceChain) : Prop := - ec.(evidence_valid_flag) = true + ec.evidence_valid_flag = true /-- continuous_monitoring_holds (matches Coq: Definition continuous_monitoring_holds) -/ def continuous_monitoring_holds (policy : CompliancePolicy) : Prop := - policy.(policy_compliant) = true → - forall ctrl, In ctrl policy.(policy_controls) → - ctrl.(control_monitored) = true /\ ctrl.(control_has_alert) = true + policy.policy_compliant = true → + forall ctrl, In ctrl policy.policy_controls → + ctrl.control_monitored = true ∧ ctrl.control_has_alert = true /-- proof_as_evidence_holds (matches Coq: Definition proof_as_evidence_holds) -/ def proof_as_evidence_holds (ctrl : Control) : Prop := - ctrl.(control_satisfied) = true → + ctrl.control_satisfied = true → exists ec : EvidenceChain, - ec.(evidence_control) = ctrl /\ ec.(evidence_valid_flag) = true + ec.evidence_control = ctrl ∧ ec.evidence_valid_flag = true /-- audit_trail_complete_holds (matches Coq: Definition audit_trail_complete_holds) -/ def audit_trail_complete_holds (policy : CompliancePolicy) : Prop := - policy.(policy_compliant) = true → - forall ctrl, In ctrl policy.(policy_controls) → - ctrl.(control_monitored) = true + policy.policy_compliant = true → + forall ctrl, In ctrl policy.policy_controls → + ctrl.control_monitored = true /-- compose_policies (matches Coq: Definition compose_policies) -/ def compose_policies (p1 p2 : CompliancePolicy) : CompliancePolicy := mkPolicy - p1.(policy_regulation) - (p1.(policy_controls) ++ p2.(policy_controls)) - (p1.(policy_mappings) ++ p2.(policy_mappings)) - (p1.(policy_compliant) && p2.(policy_compliant)) + p1.policy_regulation + (p1.policy_controls ++ p2.policy_controls) + (p1.policy_mappings ++ p2.policy_mappings) + (p1.policy_compliant && p2.policy_compliant) /-- policy_compliant_prop (matches Coq: Definition 
policy_compliant_prop) -/ def policy_compliant_prop (p : CompliancePolicy) : Prop := - p.(policy_compliant) = true + p.policy_compliant = true /-- regulation_coverage_holds (matches Coq: Definition regulation_coverage_holds) -/ def regulation_coverage_holds (policy : CompliancePolicy) (reqs : List Control) : Prop := - policy.(policy_compliant) = true → - forall req, In req reqs → In req policy.(policy_controls) + policy.policy_compliant = true → + forall req, In req reqs → In req policy.policy_controls /-- control_effectiveness_holds (matches Coq: Definition control_effectiveness_holds) -/ def control_effectiveness_holds (ctrl : Control) : Prop := - ctrl.(control_satisfied) = true → ctrl.(control_monitored) = true + ctrl.control_satisfied = true → ctrl.control_monitored = true /-- gap_detection_holds (matches Coq: Definition gap_detection_holds) -/ def gap_detection_holds (ga : GapAnalysis) : Prop := - ga.(gap_analysis_complete) = true → - forall ctrl, In ctrl ga.(gap_policy).(policy_controls) → - ctrl.(control_satisfied) = false → In ctrl ga.(gap_detected) + ga.gap_analysis_complete = true → + forall ctrl, In ctrl ga.gap_policy.policy_controls → + ctrl.control_satisfied = false → In ctrl ga.gap_detected /-- remediation_tracked_holds (matches Coq: Definition remediation_tracked_holds) -/ def remediation_tracked_holds (rems : List Remediation) : Prop := - forall r, In r rems → r.(rem_tracked) = true + forall r, In r rems → r.rem_tracked = true /-- make_compliant_store (matches Coq: Definition make_compliant_store) -/ -def make_compliant_store (data : List PersonalData) (purpose : string) : DataStore := mkStore data purpose true true +def make_compliant_store (data : List PersonalData) (purpose : String) : DataStore := mkStore data purpose true true /-- make_system_phi (matches Coq: Definition make_system_phi) -/ def make_system_phi (patient_id : Nat) (data : List Nat) (created : Nat) (accessed_by : List Nat) : PHI := mkPHI patient_id data created accessed_by true 
true true true true true /-- make_cde_chd (matches Coq: Definition make_cde_chd) -/ -def make_cde_chd (pan : List Nat) (expiry : Nat) (name : string) : CardholderData := mkCHD pan true expiry false name true +def make_cde_chd (pan : List Nat) (expiry : Nat) (name : String) : CardholderData := mkCHD pan true expiry false name true /-- make_proven_control (matches Coq: Definition make_proven_control) -/ -def make_proven_control (id desc : string) (reg : Regulation) : Control := mkControl id reg desc true true true +def make_proven_control (id desc : String) (reg : Regulation) : Control := mkControl id reg desc true true true /-- make_compliant_policy (matches Coq: Definition make_compliant_policy) -/ def make_compliant_policy (reg : Regulation) (ctrls : List Control) (maps : List ControlMapping) : CompliancePolicy := mkPolicy reg ctrls maps true +/-- make_valid_evidence (matches Coq: Definition make_valid_evidence) -/ +def make_valid_evidence (ctrl : Control) (items : List Nat) (ts : Nat) (sig : List Nat) : EvidenceChain := mkEvidence ctrl items ts sig true + /-- AJ_001_01_gdpr_data_minimization (matches Coq) -/ -theorem AJ_001_01_gdpr_data_minimization : ∀ data purpose, (∀ pd, In pd data → pd.(pd_necessary) = true) → let store := make_compliant_store data purpose in data_minimization_holds store := by - omega +theorem AJ_001_01_gdpr_data_minimization : ∀ data purpose, (∀ pd, In pd data → pd.pd_necessary = true) → let store := make_compliant_store data purpose in data_minimization_holds store := by + intro data purpose h _; exact h /-- AJ_001_02_gdpr_purpose_limitation (matches Coq) -/ -theorem AJ_001_02_gdpr_purpose_limitation : ∀ data purpose, (∀ pd, In pd data → pd.(pd_purpose) = purpose) → let store := make_compliant_store data purpose in purpose_limitation_holds store := by - omega +theorem AJ_001_02_gdpr_purpose_limitation : ∀ data purpose, (∀ pd, In pd data → pd.pd_purpose = purpose) → let store := make_compliant_store data purpose in purpose_limitation_holds 
store := by + intro data purpose h _; exact h /-- AJ_001_03_gdpr_storage_limitation (matches Coq) -/ -theorem AJ_001_03_gdpr_storage_limitation : ∀ data purpose now, (∀ pd, In pd data → pd.(pd_collected) + pd.(pd_retention) ≥ now) → let store := make_compliant_store data purpose in storage_limitation_holds store now := by - omega +theorem AJ_001_03_gdpr_storage_limitation : ∀ data purpose now, (∀ pd, In pd data → pd.pd_collected + pd.pd_retention ≥ now) → let store := make_compliant_store data purpose in storage_limitation_holds store now := by + intro data purpose now h _; exact h /-- AJ_001_04_gdpr_accuracy (matches Coq) -/ -theorem AJ_001_04_gdpr_accuracy : ∀ data purpose, (∀ pd, In pd data → pd.(pd_accurate) = true) → let store := make_compliant_store data purpose in accuracy_holds store := by - omega +theorem AJ_001_04_gdpr_accuracy : ∀ data purpose, (∀ pd, In pd data → pd.pd_accurate = true) → let store := make_compliant_store data purpose in accuracy_holds store := by + intro data purpose h _; exact h /-- AJ_001_05_gdpr_integrity (matches Coq) -/ -theorem AJ_001_05_gdpr_integrity : ∀ data purpose, (∀ pd, In pd data → pd.(pd_integrity_protected) = true) → let store := make_compliant_store data purpose in integrity_holds store := by - omega +theorem AJ_001_05_gdpr_integrity : ∀ data purpose, (∀ pd, In pd data → pd.pd_integrity_protected = true) → let store := make_compliant_store data purpose in integrity_holds store := by + intro data purpose h _; exact h /-- AJ_001_06_gdpr_access_right (matches Coq) -/ -theorem AJ_001_06_gdpr_access_right : ∀ data purpose subject, (∀ pd, In pd data → pd.(pd_subject) = subject → pd.(pd_exportable) = true) → let store := make_compliant_store data purpose in access_right_holds store subject := by - omega +theorem AJ_001_06_gdpr_access_right : ∀ data purpose subject, (∀ pd, In pd data → pd.pd_subject = subject → pd.pd_exportable = true) → let store := make_compliant_store data purpose in access_right_holds store subject := by + 
intro data purpose subject h _; exact h /-- AJ_001_07_gdpr_erasure_right (matches Coq) -/ -theorem AJ_001_07_gdpr_erasure_right : ∀ data purpose subject, let store := make_compliant_store data purpose in let store' := make_compliant_store (filter (fun pd => negb (Nat.eqb pd.(pd_subject) subject)) data) purpose in (∀ pd, In pd data → pd.(pd_subject) = subject → ~ In pd (filter (fun pd => negb (Nat.eqb pd.(pd_subject) subject)) data)) → (∀ pd, In pd data → pd.(pd_subject) ≠ subject → In pd (filter (fun pd => negb (Nat.eqb pd.(pd_subject) subject)) data)) → erasure_right_holds store store' subject := by - omega +theorem AJ_001_07_gdpr_erasure_right : ∀ data purpose subject, let store := make_compliant_store data purpose in let store' := make_compliant_store (filter (fun pd => negb (Nat.eqb pd.pd_subject subject)) data) purpose in (∀ pd, In pd data → pd.pd_subject = subject → ¬In pd (filter (fun pd => negb (Nat.eqb pd.pd_subject subject)) data)) → (∀ pd, In pd data → pd.pd_subject ≠ subject → In pd (filter (fun pd => negb (Nat.eqb pd.pd_subject subject)) data)) → erasure_right_holds store store' subject := by + intro data purpose subject h1 h2 _; exact ⟨h1, h2⟩ /-- AJ_001_08_gdpr_portability (matches Coq) -/ -theorem AJ_001_08_gdpr_portability : ∀ data purpose, (∀ pd, In pd data → pd.(pd_exportable) = true) → let store := make_compliant_store data purpose in portability_holds store := by - omega +theorem AJ_001_08_gdpr_portability : ∀ data purpose, (∀ pd, In pd data → pd.pd_exportable = true) → let store := make_compliant_store data purpose in portability_holds store := by + intro data purpose h _; exact h /-- AJ_001_09_gdpr_consent_valid (matches Coq) -/ -theorem AJ_001_09_gdpr_consent_valid : ∀ data purpose, (∀ pd, In pd data → pd.(pd_consent) = true) → let store := make_compliant_store data purpose in consent_valid_holds store := by - omega +theorem AJ_001_09_gdpr_consent_valid : ∀ data purpose, (∀ pd, In pd data → pd.pd_consent = true) → let store := 
make_compliant_store data purpose in consent_valid_holds store := by + intro data purpose h _; exact h /-- AJ_001_10_hipaa_phi_protected (matches Coq) -/ theorem AJ_001_10_hipaa_phi_protected : ∀ patient_id data created accessed_by, let phi := make_system_phi patient_id data created accessed_by in phi_protected phi := by @@ -606,7 +623,7 @@ theorem AJ_001_21_pci_access_restricted : ∀ pan expiry name user_id, let chd : simp /-- AJ_001_22_pci_unique_ids (matches Coq) -/ -theorem AJ_001_22_pci_unique_ids : ∀ users, (∀ u, In u users → u.(user_unique) = true) → unique_ids_holds users := by +theorem AJ_001_22_pci_unique_ids : ∀ users, (∀ u, In u users → u.user_unique = true) → unique_ids_holds users := by intro h; exact h /-- AJ_001_23_pci_physical_security (matches Coq) -/ 
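Review bot: The new side of erasure_right_holds still carries Coq projection syntax in two places — `¬In pd store'.(store_data)) ∧` on the added line and `In pd store'.(store_data))` on the context line after it — so this definition will not parse in Lean 4 even though every other projection in the hunk was rewritten to dot notation; the primed identifier appears to have escaped the transpiler's rewrite. They should read `¬In pd store'.store_data) ∧` and `In pd store'.store_data)`. The replacement proofs of the form `intro data purpose h _; exact h` (AJ_001_01 through AJ_001_09, AJ_001_26/28/30 here and AJ_001_32 in the following hunk) also look one binder short: `intro` introduces the `let store := …` as a local definition, so the `_` consumes `store` and the `store_compliant = true` premise is never introduced before `exact h`, which would leave `h` not matching the goal; `intro data purpose h _ _; exact h` is what the goal shape seems to call for, and in AJ_001_07 the two `let`s precede the hypotheses so `h1 h2` bind `store`/`store'` rather than the membership facts — confirm both on the actual toolchain. Separately, `let store := … in …` in the unchanged theorem statements is Coq/Lean 3 syntax that Lean 4 does not accept in terms (it expects `;` or a line break after the binding), so the theorems may still fail to parse before any proof is checked.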
@@ -614,51 +631,51 @@ theorem AJ_001_23_pci_physical_security : ∀ location, let pc := mkPhysical loc simp /-- AJ_001_24_pci_logging (matches Coq) -/ -theorem AJ_001_24_pci_logging : ∀ events, (∀ e, In e events → e.(event_security_relevant) = true → e.(event_logged) = true) → logging_holds events := by +theorem AJ_001_24_pci_logging : ∀ events, (∀ e, In e events → e.event_security_relevant = true → e.event_logged = true) → logging_holds events := by intro h; exact h /-- AJ_001_25_pci_testing (matches Coq) -/ -theorem AJ_001_25_pci_testing : ∀ tests, (∀ t, In t tests → t.(test_performed) = true) → testing_holds tests := by +theorem AJ_001_25_pci_testing : ∀ tests, (∀ t, In t tests → t.test_performed = true) → testing_holds tests := by intro h; exact h /-- AJ_001_26_control_mapping_complete (matches Coq) -/ -theorem AJ_001_26_control_mapping_complete : ∀ reg controls mappings, (∀ ctrl, In ctrl controls → ∃ m, In m mappings ∧ m.(mapping_control) = ctrl) → let policy := make_compliant_policy reg controls mappings in control_mapping_complete_holds policy := by - omega +theorem AJ_001_26_control_mapping_complete : ∀ reg controls mappings, (∀ ctrl, In ctrl controls → ∃ m, In m mappings ∧ m.mapping_control = ctrl) → let policy := make_compliant_policy reg controls mappings in control_mapping_complete_holds policy := by + intro reg controls mappings h _; exact h /-- AJ_001_27_evidence_chain_valid (matches Coq) -/ theorem AJ_001_27_evidence_chain_valid : ∀ ctrl items ts sig, let ec := make_valid_evidence ctrl items ts sig in evidence_chain_valid ec := by simp /-- AJ_001_28_continuous_monitoring (matches Coq) -/ -theorem AJ_001_28_continuous_monitoring : ∀ reg controls mappings, (∀ ctrl, In ctrl controls → ctrl.(control_monitored) = true ∧ ctrl.(control_has_alert) = true) → let policy := make_compliant_policy reg controls mappings in continuous_monitoring_holds policy := by - omega +theorem AJ_001_28_continuous_monitoring : ∀ reg controls mappings, (∀ ctrl, In ctrl controls → 
ctrl.control_monitored = true ∧ ctrl.control_has_alert = true) → let policy := make_compliant_policy reg controls mappings in continuous_monitoring_holds policy := by + intro reg controls mappings h _; exact h /-- AJ_001_29_proof_as_evidence (matches Coq) -/ theorem AJ_001_29_proof_as_evidence : ∀ id desc reg, let ctrl := make_proven_control id desc reg in proof_as_evidence_holds ctrl := by simp /-- AJ_001_30_audit_trail_complete (matches Coq) -/ -theorem AJ_001_30_audit_trail_complete : ∀ reg controls mappings, (∀ ctrl, In ctrl controls → ctrl.(control_monitored) = true) → let policy := make_compliant_policy reg controls mappings in audit_trail_complete_holds policy := by - omega +theorem AJ_001_30_audit_trail_complete : ∀ reg controls mappings, (∀ ctrl, In ctrl controls → ctrl.control_monitored = true) → let policy := make_compliant_policy reg controls mappings in audit_trail_complete_holds policy := by + intro reg controls mappings h _; exact h /-- AJ_001_31_compliance_composition (matches Coq) -/ theorem AJ_001_31_compliance_composition : ∀ p1 p2, policy_compliant_prop p1 → policy_compliant_prop p2 → policy_compliant_prop (compose_policies p1 p2) := by - omega + intro h1 h2; simp [compose_policies, policy_compliant_prop, mkPolicy] at *; exact ⟨h1, h2⟩ /-- AJ_001_32_regulation_coverage (matches Coq) -/ theorem AJ_001_32_regulation_coverage : ∀ reg controls mappings reqs, (∀ req, In req reqs → In req controls) → let policy := make_compliant_policy reg controls mappings in regulation_coverage_holds policy reqs := by - omega + intro reg controls mappings reqs h _; exact h /-- AJ_001_33_control_effectiveness (matches Coq) -/ theorem AJ_001_33_control_effectiveness : ∀ id desc reg, let ctrl := make_proven_control id desc reg in control_effectiveness_holds ctrl := by simp /-- AJ_001_34_gap_detection (matches Coq) -/ -theorem AJ_001_34_gap_detection : ∀ policy detected, (∀ ctrl, In ctrl policy.(policy_controls) → ctrl.(control_satisfied) = false → In ctrl detected) → 
let ga := mkGapAnalysis policy detected true in gap_detection_holds ga := by +theorem AJ_001_34_gap_detection : ∀ policy detected, (∀ ctrl, In ctrl policy.policy_controls → ctrl.control_satisfied = false → In ctrl detected) → let ga := mkGapAnalysis policy detected true in gap_detection_holds ga := by simp_all [Bool.and_eq_true] /-- AJ_001_35_remediation_tracked (matches Coq) -/ -theorem AJ_001_35_remediation_tracked : ∀ rems, (∀ r, In r rems → r.(rem_tracked) = true) → remediation_tracked_holds rems := by +theorem AJ_001_35_remediation_tracked : ∀ rems, (∀ r, In r rems → r.rem_tracked = true) → remediation_tracked_holds rems := by intro h; exact h -end RIINA +end RIINA.Compliance.VerifiedCompliance diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/AnimationSystem.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/AnimationSystem.lean index 2c1706b3..1ec26c0f 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/AnimationSystem.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/AnimationSystem.lean @@ -65,7 +65,7 @@ Generated by scripts/generate-multiprover.py | animation_group_non_empty | animation_group_non_empty | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.AnimationSystem /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
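Review bot: `end RIINA.Compliance.VerifiedCompliance` closes a namespace whose opening line is outside this hunk; Lean 4 requires the `end` identifier to match the opened namespace exactly, so if the opening was renamed to a different dotted name (for instance one derived from the file name) this is a compile error and the two should be reconciled. In AJ_001_31_compliance_composition, `intro h1 h2` binds the ∀-quantified policies `p1` and `p2`, not the two `policy_compliant_prop` premises, so `exact ⟨h1, h2⟩` cannot build the required conjunction from them; `intro p1 p2 h1 h2; simp [compose_policies, policy_compliant_prop, mkPolicy] at *; exact ⟨h1, h2⟩` matches the statement's binder order, though whether `simp` already closes the goal (making the `exact` an error) should be checked on the toolchain.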
@@ -73,20 +73,22 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: safe list index -/ +def nth_error {α : Type} (xs : List α) (n : Nat) : Option α := xs.get? n /-- AnimationType (matches Coq: Inductive AnimationType) -/ inductive AnimationType where @@ -120,8 +122,8 @@ abbrev mkSpring := SpringParams.mk /-- SpringAnimation (matches Coq: Record SpringAnimation) -/ structure SpringAnimation where spring_params : SpringParams - spring_positions : List - spring_velocities : List + spring_positions : List Nat + spring_velocities : List Nat spring_duration : Time deriving DecidableEq, Repr /-- Coq constructor alias for SpringAnimation. -/ 
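Review bot: The new `nth_error` shim is the only shim in this block without `@[inline]`, and it is implemented with `List.get?`, which recent Lean 4 toolchains deprecate in favour of the `xs[n]?` indexing notation; if the project's toolchain is one of those, this will at least produce a deprecation warning in every generated file that uses the pattern. For consistency with the sibling shims: `@[inline] def nth_error {α : Type} (xs : List α) (n : Nat) : Option α := xs[n]?`. The docstring could also follow the capitalisation the same commit applied to the other shims (`List`), since it is generated text that will otherwise drift.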
@@ -144,7 +146,7 @@ abbrev mkAnimControl := AnimationControl.mk /-- AnimationGroup (matches Coq: Record AnimationGroup) -/ structure AnimationGroup where - ag_animations : List + ag_animations : List Nat ag_synchronized : Bool ag_duration : Nat deriving DecidableEq, Repr @@ -213,9 +215,9 @@ def physics_simulation (sa : SpringAnimation) (t : Time) : Option Position := /-- positions_smooth (matches Coq: Definition positions_smooth) -/ def positions_smooth (positions : List Position) : Prop := forall i p1 p2, - nth_error positions i = Some p1 → - nth_error positions (S i) = Some p2 → - (p1 <= p2 + 10 /\ p2 <= p1 + 10) + nth_error positions i = some p1 → + nth_error positions (S i) = some p2 → + (p1 <= p2 + 10 ∧ p2 <= p1 + 10) /-- second_derivative_continuous (matches Coq: Definition second_derivative_continuous) -/ def second_derivative_continuous (positions : List Position) : Prop := @@ -223,10 +225,10 @@ def second_derivative_continuous (positions : List Position) : Prop := /-- well_formed_spring (matches Coq: Definition well_formed_spring) -/ def well_formed_spring (sa : SpringAnimation) : Prop := - spring_stiffness (spring_params sa) > 0 /\ - spring_mass (spring_params sa) > 0 /\ - length (spring_positions sa) = spring_duration sa + 1 /\ - length (spring_velocities sa) = spring_duration sa + 1 /\ + spring_stiffness (spring_params sa) > 0 ∧ + spring_mass (spring_params sa) > 0 ∧ + length (spring_positions sa) = spring_duration sa + 1 ∧ + length (spring_velocities sa) = spring_duration sa + 1 ∧ positions_smooth (spring_positions sa) /-- reaches_target (matches Coq: Definition reaches_target) -/ @@ -236,7 +238,7 @@ def reaches_target (sa : SpringAnimation) : Prop := /-- FRAME_BUDGET_60HZ_US (matches Coq: Definition FRAME_BUDGET_60HZ_US) -/ def FRAME_BUDGET_60HZ_US : Nat := - Z.to_nat 16667%Z + 16667 /-- frame_budget_60hz (matches Coq: Definition frame_budget_60hz) -/ def frame_budget_60hz : Nat := 
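Review bot: In positions_smooth (hunk `@@ -213,9 +215,9 @@`) the added line `nth_error positions (S i) = some p2 →` still uses Coq's successor constructor `S`, which nothing in the visible shim block defines for Lean, so the definition fails with an unbound identifier even after the `Some`→`some` fix; it should be `nth_error positions (i + 1) = some p2 →` (or `i.succ`). Since well_formed_spring in the next hunk depends on positions_smooth, every theorem about spring well-formedness in this file is blocked by that one token, which is worth a transpiler-side rule rather than a hand edit of generated output.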
@@ -244,7 +246,7 @@ def frame_budget_60hz : Nat := /-- FRAME_BUDGET_120HZ_US (matches Coq: Definition FRAME_BUDGET_120HZ_US) -/ def FRAME_BUDGET_120HZ_US : Nat := - Z.to_nat 8333%Z + 8333 /-- frame_budget_120hz (matches Coq: Definition frame_budget_120hz) -/ def frame_budget_120hz : Nat := @@ -256,16 +258,16 @@ def meets_frame_budget (f : Frame) : Prop := /-- well_formed_anim_control (matches Coq: Definition well_formed_anim_control) -/ def well_formed_anim_control (ac : AnimationControl) : Prop := - anim_speed ac > 0 /\ - anim_speed ac <= 1000 /\ - (anim_autoreverses ac = true → anim_repeat_count ac > 0) /\ - anim_current_repeat ac <= anim_repeat_count ac /\ + anim_speed ac > 0 ∧ + anim_speed ac <= 1000 ∧ + (anim_autoreverses ac = true → anim_repeat_count ac > 0) ∧ + anim_current_repeat ac <= anim_repeat_count ac ∧ anim_fill_mode ac <= 3 /-- well_formed_anim_group (matches Coq: Definition well_formed_anim_group) -/ def well_formed_anim_group (ag : AnimationGroup) : Prop := - ag_synchronized ag = true /\ - ag_duration ag > 0 /\ + ag_synchronized ag = true ∧ + ag_duration ag > 0 ∧ length (ag_animations ag) > 0 /-- well_formed_layer_anim (matches Coq: Definition well_formed_layer_anim) -/ @@ -274,8 +276,8 @@ def well_formed_layer_anim (la : LayerAnimation) : Prop := /-- keyframe_in_range (matches Coq: Definition keyframe_in_range) -/ def keyframe_in_range (kf : Keyframe) (from to : Nat) : Prop := - (from <= to → from <= kf_value kf /\ kf_value kf <= to) /\ - (to <= from → to <= kf_value kf /\ kf_value kf <= from) + (from <= to → from <= kf_value kf ∧ kf_value kf <= to) ∧ + (to <= from → to <= kf_value kf ∧ kf_value kf <= from) /-- spring_converges (matches Coq: Definition spring_converges) -/ def spring_converges (sa : SpringAnimation) : Prop := 
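Review bot: `from` is a reserved keyword in Lean 4 (`show … from …`, `suffices … from …`), so the binder list `(from to : Nat)` in keyframe_in_range (hunk `@@ -274,8 +276,8 @@`) will not parse, and the same binder is used in keyframe_values_interpolated in the following hunk `@@ -331,7 +333,7 @@`. Either escape the Coq name as `«from»` in both signatures and bodies, or rename the pair to something like `lo hi`, e.g. `def keyframe_in_range (kf : Keyframe) (lo hi : Nat) : Prop :=` with the body updated to match; the keyword clash is presumably a transpiler identifier-mapping gap, so fixing it there keeps the generated files regenerable.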
@@ -283,11 +285,11 @@ def spring_converges (sa : SpringAnimation) : Prop := | v => v = 0 /-- nth_error_In_bounds (matches Coq) -/ -theorem nth_error_In_bounds : ∀ A (l : list A) n, n < length l → ∃ x, nth_error l n = Some x := by +theorem nth_error_In_bounds : ∀ A (l : List A) n, n < length l → ∃ x, nth_error l n = some x := by cases ‹_› <;> simp /-- spring_physics_accurate (matches Coq) -/ -theorem spring_physics_accurate : ∀ (spring : SpringAnimation) (t : Time), well_formed_spring spring → t < length (spring_positions spring) → ∃ p, position_at spring t = Some p := by +theorem spring_physics_accurate : ∀ (spring : SpringAnimation) (t : Time), well_formed_spring spring → t < length (spring_positions spring) → ∃ p, position_at spring t = some p := by simp_all [Bool.and_eq_true] /-- animation_mathematically_smooth (matches Coq) -/ @@ -303,7 +305,7 @@ theorem position_velocity_match : ∀ (spring : SpringAnimation), well_formed_sp rfl /-- nth_error_Some_length (matches Coq) -/ -theorem nth_error_Some_length : ∀ {A : Type} (l : list A) (n : nat), n < length l → ∃ a, nth_error l n = Some a := by +theorem nth_error_Some_length : ∀ {A : Type} (l : List A) (n : Nat), n < length l → ∃ a, nth_error l n = some a := by cases ‹_› <;> simp /-- animation_frame_budget_met (matches Coq) -/ @@ -331,7 +333,7 @@ theorem animation_timing_precise : ∀ (ag : AnimationGroup), well_formed_anim_g intro h; exact h /-- keyframe_values_interpolated (matches Coq) -/ -theorem keyframe_values_interpolated : ∀ (kf : Keyframe) (from to : nat), from ≤ to → keyframe_in_range kf from to → from ≤ kf_value kf ∧ kf_value kf ≤ to := by +theorem keyframe_values_interpolated : ∀ (kf : Keyframe) (from to : Nat), from ≤ to → keyframe_in_range kf from to → from ≤ kf_value kf ∧ kf_value kf ≤ to := by simp_all [Bool.and_eq_true] /-- spring_animation_converges (matches Coq) -/ 
@@ -370,4 +372,4 @@ theorem animation_repeat_count_honored : ∀ (ac : AnimationControl), well_forme theorem animation_group_non_empty : ∀ (ag : AnimationGroup), well_formed_anim_group ag → length (ag_animations ag) > 0 := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.AnimationSystem diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/AppDistribution.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/AppDistribution.lean index 77e88371..2f8a0ee3 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/AppDistribution.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/AppDistribution.lean @@ -87,7 +87,7 @@ Generated by scripts/generate-multiprover.py | app_signature_has_timestamp | app_signature_has_timestamp | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.AppDistribution /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -95,20 +95,22 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs /-- InstallState (matches Coq: Inductive InstallState) -/ inductive InstallState where @@ -124,7 +126,7 @@ structure AppPackage where package_id : Nat package_version : Nat code_signature : Nat - entitlements : List + entitlements : List Nat sandbox_profile : Nat deriving DecidableEq, Repr /-- Coq constructor alias for AppPackage. -/ 
@@ -198,8 +200,8 @@ abbrev mkCodeIntegrity := CodeIntegrity.mk /-- EntitlementSet (matches Coq: Record EntitlementSet) -/ structure EntitlementSet where ent_app_id : Nat - ent_requested : List - ent_granted : List + ent_requested : List Nat + ent_granted : List Nat ent_validated : Bool deriving DecidableEq, Repr /-- Coq constructor alias for EntitlementSet. -/ @@ -238,7 +240,7 @@ abbrev mkBinaryReport := BinaryReport.mk /-- AppVersionHistory (matches Coq: Record AppVersionHistory) -/ structure AppVersionHistory where vh_app_id : Nat - vh_versions : List + vh_versions : List Nat vh_monotonic : Bool deriving DecidableEq, Repr /-- Coq constructor alias for AppVersionHistory. -/ @@ -266,8 +268,8 @@ abbrev mkAPIUsage := APIUsage.mk /-- PrivacyManifest (matches Coq: Record PrivacyManifest) -/ structure PrivacyManifest where pm_app_id : Nat - pm_data_types : List - pm_purposes : List + pm_data_types : List Nat + pm_purposes : List Nat pm_manifest_present : Bool deriving DecidableEq, Repr /-- Coq constructor alias for PrivacyManifest. -/ @@ -276,8 +278,8 @@ abbrev mkPrivacyManifest := PrivacyManifest.mk /-- DataDeclaration (matches Coq: Record DataDeclaration) -/ structure DataDeclaration where dd_app_id : Nat - dd_collected_types : List - dd_declared_types : List + dd_collected_types : List Nat + dd_declared_types : List Nat dd_declared : Bool deriving DecidableEq, Repr /-- Coq constructor alias for DataDeclaration. -/ 
@@ -322,15 +324,15 @@ abbrev mkNotarization := NotarizationStatus.mk /-- passes_security_checks (matches Coq: Definition passes_security_checks) -/ def passes_security_checks (scan : SecurityScan) : Prop := - static_analysis_passed scan = true /\ - dynamic_analysis_passed scan = true /\ - signature_valid scan = true /\ - known_malware_match scan = false /\ + static_analysis_passed scan = true ∧ + dynamic_analysis_passed scan = true ∧ + signature_valid scan = true ∧ + known_malware_match scan = false ∧ behavior_anomaly scan = false /-- no_malware (matches Coq: Definition no_malware) -/ def no_malware (app : StoreApplication) : Prop := - passes_security_checks (scan_result app) /\ + passes_security_checks (scan_result app) ∧ review_approved app = true /-- in_store (matches Coq: Definition in_store) -/ @@ -345,14 +347,14 @@ def store_well_formed (apps : List StoreApplication) : Prop := /-- update_atomic (matches Coq: Definition update_atomic) -/ def update_atomic (inst_before inst_after : Installation) (upd : AppUpdate) : Prop := - (install_state inst_after = Installed /\ - installed_version inst_after = new_version upd) \/ - (install_state inst_after = install_state inst_before /\ + (install_state inst_after = Installed ∧ + installed_version inst_after = new_version upd) ∨ + (install_state inst_after = install_state inst_before ∧ installed_version inst_after = installed_version inst_before) /-- rollback_possible (matches Coq: Definition rollback_possible) -/ def rollback_possible (inst : Installation) : Prop := - rollback_available inst = true /\ + rollback_available inst = true ∧ install_state inst = Installed /-- version_increases (matches Coq: Definition version_increases) -/ 
@@ -373,20 +375,20 @@ def app_is_safe (app : StoreApplication) : Bool := /-- app_signature_verified (matches Coq: Definition app_signature_verified) -/ def app_signature_verified (s : AppSigNature) : Prop := - sig_verified s = true /\ sig_timestamp s > 0 + sig_verified s = true ∧ sig_timestamp s > 0 /-- code_integrity_checked (matches Coq: Definition code_integrity_checked) -/ def code_integrity_checked (ci : CodeIntegrity) : Prop := - ci_integrity_valid ci = true /\ ci_hash_original ci = ci_hash_current ci + ci_integrity_valid ci = true ∧ ci_hash_original ci = ci_hash_current ci /-- entitlements_validated (matches Coq: Definition entitlements_validated) -/ def entitlements_validated (es : EntitlementSet) : Prop := - ent_validated es = true /\ + ent_validated es = true ∧ length (ent_granted es) <= length (ent_requested es) /-- provisioning_profile_valid (matches Coq: Definition provisioning_profile_valid) -/ def provisioning_profile_valid (pp : ProvisioningProfile) : Prop := - pp_valid pp = true /\ pp_current_date pp <= pp_expiry_date pp + pp_valid pp = true ∧ pp_current_date pp <= pp_expiry_date pp /-- app_review_required (matches Coq: Definition app_review_required) -/ def app_review_required (ar : AppReview) : Prop := 
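Review bot: The context line `def app_signature_verified (s : AppSigNature) : Prop :=` still carries a mangled type name: the closing theorem `app_signature_has_timestamp` in this file quantifies over `AppSignature`, and `AppSigNature` looks like a substring `nat`→`Nat` rewrite of the kind this commit applies elsewhere, so the definition will not elaborate against the structure unless something named `AppSigNature` exists outside the visible hunks. Change it to `def app_signature_verified (s : AppSignature) : Prop :=` and make the transpiler's identifier rewrite match whole tokens so names that merely contain `nat` are not rewritten. The body of `app_is_safe` and the `AppSignature` structure are outside this hunk.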
@@ -394,18 +396,18 @@ def app_review_required (ar : AppReview) : Prop := /-- binary_size_reported (matches Coq: Definition binary_size_reported) -/ def binary_size_reported (br : BinaryReport) : Prop := - br_size_reported br = true /\ br_size_bytes br = br_reported_size br + br_size_reported br = true ∧ br_size_bytes br = br_reported_size br /-- list_monotonic (matches Coq: Definition list_monotonic) -/ def list_monotonic (l : List Nat) : Prop := match l with | [] => True | [_] => True - | x :: ((y :: _) as rest) => x <= y /\ list_monotonic rest + | x :: ((y :: _) as rest) => x <= y ∧ list_monotonic rest /-- app_version_monotonic (matches Coq: Definition app_version_monotonic) -/ def app_version_monotonic (vh : AppVersionHistory) : Prop := - vh_monotonic vh = true /\ list_monotonic (vh_versions vh) + vh_monotonic vh = true ∧ list_monotonic (vh_versions vh) /-- minimum_os_version_enforced (matches Coq: Definition minimum_os_version_enforced) -/ def minimum_os_version_enforced (req : OSRequirement) : Prop := @@ -418,11 +420,11 @@ def deprecated_api_flagged (au : APIUsage) : Prop := /-- privacy_manifest_required (matches Coq: Definition privacy_manifest_required) -/ def privacy_manifest_required (pm : PrivacyManifest) : Prop := - pm_manifest_present pm = true /\ pm_data_types pm <> [] + pm_manifest_present pm = true ∧ pm_data_types pm ≠ [] /-- data_collection_declared (matches Coq: Definition data_collection_declared) -/ def data_collection_declared (dd : DataDeclaration) : Prop := - dd_declared dd = true /\ + dd_declared dd = true ∧ length (dd_collected_types dd) <= length (dd_declared_types dd) /-- app_clip_size_bounded (matches Coq: Definition app_clip_size_bounded) -/ 
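Review bot: The new line `| x :: ((y :: _) as rest) => x <= y ∧ list_monotonic rest` keeps Coq's `as` pattern, which Lean 4 does not parse; named patterns in Lean 4 are written `rest@(y :: _)`, so the match should read `| x :: rest@(y :: _) => x <= y ∧ list_monotonic rest`. Since `app_version_monotonic` below and the `vh_versions` checks depend on this definition, the parse error would take the version-monotonicity property with it. The `minimum_os_version_enforced` body starts outside this hunk.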
@@ -431,15 +433,15 @@ def app_clip_size_bounded (ac : AppClip) : Prop := /-- testflight_expiry_enforced (matches Coq: Definition testflight_expiry_enforced) -/ def testflight_expiry_enforced (tf : TestFlightBuild) : Prop := - tf_enforced tf = true /\ tf_expiry_days tf <= tf_max_days tf + tf_enforced tf = true ∧ tf_expiry_days tf <= tf_max_days tf /-- enterprise_certificate_validated (matches Coq: Definition enterprise_certificate_validated) -/ def enterprise_certificate_validated (ec : EnterpriseCert) : Prop := - ec_valid ec = true /\ ec_revoked ec = false + ec_valid ec = true ∧ ec_revoked ec = false /-- notarization_required (matches Coq: Definition notarization_required) -/ def notarization_required (ns : NotarizationStatus) : Prop := - ns_notarized ns = true /\ ns_ticket_stapled ns = true + ns_notarized ns = true ∧ ns_ticket_stapled ns = true /-- store_malware_free (matches Coq) -/ theorem store_malware_free : ∀ (app : StoreApplication), in_store app → store_well_formed [app] → no_malware app := by @@ -549,4 +551,4 @@ theorem notarization_ticket_stapled : ∀ (ns : NotarizationStatus), notarizatio theorem app_signature_has_timestamp : ∀ (s : AppSignature), app_signature_verified s → sig_timestamp s > 0 := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.AppDistribution diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/ApplicationLifecycle.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/ApplicationLifecycle.lean index b8ed2bd2..a980a2cd 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/ApplicationLifecycle.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/ApplicationLifecycle.lean @@ -60,7 +60,7 @@ Generated by scripts/generate-multiprover.py | app_activation_idempotent | app_activation_idempotent | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.ApplicationLifecycle /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -68,15 +68,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -98,7 +98,7 @@ structure Application where app_id : Nat app_state : AppState app_data : AppData - app_saved_state : Option + app_saved_state : Option Nat app_supports_restoration : Bool deriving DecidableEq, Repr /-- Coq constructor alias for Application. -/ @@ -120,7 +120,7 @@ structure AppExtension where ext_id : Nat ext_parent_app_id : Nat ext_sandboxed : Bool - ext_data_types : List + ext_data_types : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for AppExtension. -/ abbrev mkExtension := AppExtension.mk 
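Review bot: `app_saved_state : Option Nat` in the `Application` hunk (`@@ -98`) has the wrong element type: later hunks in this file state `app_saved_state (save_state app) = some (app_data app)` and `∀ (d : AppData), app_saved_state app = some d`, and `state_invariants_hold` compares `app_data app` with `[]`, so the saved state is an `AppData`, not a `Nat`; the field should be `app_saved_state : Option AppData`. The same blanket choice of `Nat` is applied to every bare `List` in this file, including `ext_scenes : List Nat` in the `ExtApp` hunk although an `AppScene` structure is referenced further down, so each element type should be taken from the corresponding Coq record rather than defaulted. The `Application` structure header and the `save_state`/`restore_state` definitions are outside these hunks.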
@@ -137,8 +137,8 @@ abbrev mkWidget := Widget.mk /-- AppGroup (matches Coq: Record AppGroup) -/ structure AppGroup where - group_app_ids : List - group_shared_data : List + group_app_ids : List Nat + group_shared_data : List Nat group_access_controlled : Bool deriving DecidableEq, Repr /-- Coq constructor alias for AppGroup. -/ @@ -158,7 +158,7 @@ structure ExtApp where ext_app : Application ext_bg_time_used : Nat ext_memory_level : LowMemoryLevel - ext_scenes : List + ext_scenes : List Nat ext_activation_count : Nat deriving DecidableEq, Repr /-- Coq constructor alias for ExtApp. -/ @@ -178,8 +178,8 @@ def terminated (app : Application) : Prop := /-- relaunched (matches Coq: Definition relaunched) -/ def relaunched (app : Application) : Prop := - app_state app = Foreground /\ - app_saved_state app <> None + app_state app = Foreground ∧ + app_saved_state app ≠ None /-- state (matches Coq: Definition state) -/ def state (app : Application) : AppData := @@ -197,7 +197,7 @@ def state_invariants_hold (app : Application) (s : AppState) : Prop := | NotRunning => app_data app = [] | Launching => True | Foreground => True - | Background => app_saved_state app <> None + | Background => app_saved_state app ≠ None /-- valid_lifecycle_transition (matches Coq: Definition valid_lifecycle_transition) -/ def valid_lifecycle_transition (from to : AppState) : Bool := @@ -221,12 +221,12 @@ def restore_state (app : Application) : Application := /-- well_formed_restorable (matches Coq: Definition well_formed_restorable) -/ def well_formed_restorable (app : Application) : Prop := app_supports_restoration app = true → - app_saved_state app <> None → + app_saved_state app ≠ None → app_data (restore_state app) = previous_state app /-- BG_TIME_LIMIT_MS (matches Coq: Definition BG_TIME_LIMIT_MS) -/ def BG_TIME_LIMIT_MS : Nat := - Z.to_nat 30000%Z + 30000 /-- bg_time_limit (matches Coq: Definition bg_time_limit) -/ def bg_time_limit : Nat := 
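Review bot: The rewritten lines `app_saved_state app ≠ None` in `relaunched`, `state_invariants_hold` (hunk `@@ -197`) and `well_formed_restorable` (hunk `@@ -221`) still use Coq's `None`, while this same commit lowercases `Some` to `some` in the theorems below; Lean 4's `Option` constructor is `none`, so unless a `None` shim exists outside the visible hunks these definitions will not elaborate, and with them the background/restoration invariants. Change each occurrence to `app_saved_state app ≠ none` and add the constructor names to the transpiler's rename table alongside `Some`. The `restore_state` and `bg_time_limit` bodies are outside these hunks.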
@@ -238,9 +238,9 @@ def LowMemoryLevel : Type := /-- well_formed_ext_app (matches Coq: Definition well_formed_ext_app) -/ def well_formed_ext_app (ea : ExtApp) : Prop := - (app_state (ext_app ea) = Background → ext_bg_time_used ea <= bg_time_limit) /\ - ext_memory_level ea <= 2 /\ - (ext_activation_count ea > 0 → app_state (ext_app ea) <> NotRunning) + (app_state (ext_app ea) = Background → ext_bg_time_used ea <= bg_time_limit) ∧ + ext_memory_level ea <= 2 ∧ + (ext_activation_count ea > 0 → app_state (ext_app ea) ≠ NotRunning) /-- transition_preserves_id (matches Coq: Definition transition_preserves_id) -/ def transition_preserves_id (app_before app_after : Application) : Prop := @@ -271,7 +271,7 @@ theorem background_can_foreground : valid_lifecycle_transition Background Foregr rfl /-- save_captures_current_state (matches Coq) -/ -theorem save_captures_current_state : ∀ (app : Application), app_saved_state (save_state app) = Some (app_data app) := by +theorem save_captures_current_state : ∀ (app : Application), app_saved_state (save_state app) = some (app_data app) := by simp /-- app_state_transition_valid (matches Coq) -/ 
@@ -283,11 +283,11 @@ theorem background_to_foreground_clean : ∀ (app : Application), app_state app rfl /-- state_saved_on_background (matches Coq) -/ -theorem state_saved_on_background : ∀ (app : Application), app_state app = Foreground → app_saved_state (save_state app) = Some (app_data app) := by +theorem state_saved_on_background : ∀ (app : Application), app_state app = Foreground → app_saved_state (save_state app) = some (app_data app) := by simp /-- state_restored_on_foreground (matches Coq) -/ -theorem state_restored_on_foreground : ∀ (app : Application) (d : AppData), app_saved_state app = Some d → app_state (restore_state app) = Foreground := by +theorem state_restored_on_foreground : ∀ (app : Application) (d : AppData), app_saved_state app = some d → app_state (restore_state app) = Foreground := by simp /-- app_termination_notified (matches Coq) -/ @@ -315,7 +315,7 @@ theorem app_extension_sandboxed : ∀ (ext : AppExtension), ext_sandboxed ext = intro h; exact h /-- widget_update_throttled (matches Coq) -/ -theorem widget_update_throttled : ∀ (w : Widget) (current_time : nat), current_time - widget_last_update w < widget_update_interval w → current_time - widget_last_update w < widget_update_interval w := by +theorem widget_update_throttled : ∀ (w : Widget) (current_time : Nat), current_time - widget_last_update w < widget_update_interval w → current_time - widget_last_update w < widget_update_interval w := by intro h; exact h /-- share_extension_data_typed (matches Coq) -/ @@ -334,4 +334,4 @@ theorem scene_lifecycle_managed : ∀ (s : AppScene), scene_active s = true → theorem app_activation_idempotent : ∀ (app : Application), app_state app = Foreground → app_state app = Foreground → app_state app = Foreground := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.ApplicationLifecycle diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/BiometricSystem.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/BiometricSystem.lean index 039d1700..a3a0df14 100644 
--- a/02_FORMAL/lean/RIINA/Domains/MobileOS/BiometricSystem.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/BiometricSystem.lean @@ -66,7 +66,7 @@ Generated by scripts/generate-multiprover.py | biometric_not_sole_factor | biometric_not_sole_factor | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.BiometricSystem /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b @@ -74,15 +74,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 
@@ -175,11 +175,11 @@ def rejected (a : BiometricAttempt) : Prop := /-- MATCH_THRESHOLD_FAR_1_IN_1M (matches Coq: Definition MATCH_THRESHOLD_FAR_1_IN_1M) -/ def MATCH_THRESHOLD_FAR_1_IN_1M : Nat := - Z.to_nat 999999%Z + 999999 /-- BIOMETRIC_TIMEOUT_MAX_MS (matches Coq: Definition BIOMETRIC_TIMEOUT_MAX_MS) -/ def BIOMETRIC_TIMEOUT_MAX_MS : Nat := - Z.to_nat 30000%Z + 30000 /-- match_threshold (matches Coq: Definition match_threshold) -/ def match_threshold : Nat := @@ -191,9 +191,9 @@ def liveness_threshold : Nat := /-- secure_biometric_system (matches Coq: Definition secure_biometric_system) -/ def secure_biometric_system (a : BiometricAttempt) : Prop := - (~ authentic a → ~ accepted a) /\ - (is_spoof a → rejected a) /\ - (accepted a → attempt_match_score a >= match_threshold) /\ + (¬authentic a → ¬accepted a) ∧ + (is_spoof a → rejected a) ∧ + (accepted a → attempt_match_score a >= match_threshold) ∧ (accepted a → attempt_liveness_score a >= liveness_threshold) /-- false_acceptance_probability (matches Coq: Definition false_acceptance_probability) -/ @@ -205,7 +205,7 @@ def false_acceptance_probability (a : BiometricAttempt) : Nat := /-- well_formed_attempt (matches Coq: Definition well_formed_attempt) -/ def well_formed_attempt (a : BiometricAttempt) : Prop := - ~ (accepted a /\ rejected a) + ¬(accepted a ∧ rejected a) /-- biometric_data_never_exported (matches Coq: Definition biometric_data_never_exported) -/ def biometric_data_never_exported (t : BiometricTemplate) : Prop := @@ -213,9 +213,9 @@ def biometric_data_never_exported (t : BiometricTemplate) : Prop := /-- far_bounded (matches Coq: Definition far_bounded) -/ def far_bounded (cfg : BiometricConfig) (attempt : BiometricAttempt) : Prop := - ~ authentic attempt → + ¬authentic attempt → secure_biometric_system attempt → - ~ accepted attempt + ¬accepted attempt /-- frr_bounded (matches Coq: Definition frr_bounded) -/ def frr_bounded (cfg : BiometricConfig) : Prop := 
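Review bot: `far_bounded cfg attempt` never mentions `cfg`, and its body merely restates the first conjunct of `secure_biometric_system` with that predicate as an extra hypothesis, so the theorem `false_acceptance_rate_bounded` further down establishes nothing about the configuration, and the visible lines do not connect the `MATCH_THRESHOLD_FAR_1_IN_1M` constant introduced in the first hunk here to any threshold. If a false-acceptance bound is the intent, the property should constrain `cfg` (for example relate the configured `match_threshold` to that constant); otherwise document the gap with `/-- far_bounded: cfg is currently unused; the bound is inherited from secure_biometric_system -/` so readers do not take the theorem name as a rate guarantee. The bodies of `match_threshold` and `frr_bounded` are outside these hunks.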
@@ -239,7 +239,7 @@ def enrollment_requires_auth_prop (e : BiometricEnrollment) : Prop := /-- timeout_enforced (matches Coq: Definition timeout_enforced) -/ def timeout_enforced (s : BiometricSession) : Prop := - bio_session_timeout_ms s > 0 /\ bio_session_timeout_ms s <= BIOMETRIC_TIMEOUT_MAX_MS + bio_session_timeout_ms s > 0 ∧ bio_session_timeout_ms s <= BIOMETRIC_TIMEOUT_MAX_MS /-- anti_spoofing_active_prop (matches Coq: Definition anti_spoofing_active_prop) -/ def anti_spoofing_active_prop (cfg : BiometricConfig) : Prop := @@ -247,7 +247,7 @@ def anti_spoofing_active_prop (cfg : BiometricConfig) : Prop := /-- on_device_only (matches Coq: Definition on_device_only) -/ def on_device_only (t : BiometricTemplate) : Prop := - tmpl_on_device t = true /\ tmpl_exportable t = false + tmpl_on_device t = true ∧ tmpl_exportable t = false /-- multi_factor_supported_prop (matches Coq: Definition multi_factor_supported_prop) -/ def multi_factor_supported_prop (s : BiometricSession) : Prop := 
@@ -265,16 +265,16 @@ def presentation_attack_detected_prop (attempt : BiometricAttempt) (cfg : Biomet /-- template_update_secure (matches Coq: Definition template_update_secure) -/ def template_update_secure (old_t new_t : BiometricTemplate) : Prop := - tmpl_type old_t = tmpl_type new_t /\ - tmpl_version new_t > tmpl_version old_t /\ + tmpl_type old_t = tmpl_type new_t ∧ + tmpl_version new_t > tmpl_version old_t ∧ tmpl_encrypted new_t = true /-- biometric_not_sole_factor_prop (matches Coq: Definition biometric_not_sole_factor_prop) -/ def biometric_not_sole_factor_prop (s : BiometricSession) : Prop := - bio_session_multi_factor s = true \/ bio_session_fallback_available s = true + bio_session_multi_factor s = true ∨ bio_session_fallback_available s = true /-- biometric_false_acceptance_bounded (matches Coq) -/ -theorem biometric_false_acceptance_bounded : ∀ (attempt : BiometricAttempt), secure_biometric_system attempt → ~ authentic attempt → ~ accepted attempt := by +theorem biometric_false_acceptance_bounded : ∀ (attempt : BiometricAttempt), secure_biometric_system attempt → ¬authentic attempt → ¬accepted attempt := by simp_all [Bool.and_eq_true] /-- liveness_detection_accurate (matches Coq) -/ @@ -290,7 +290,7 @@ theorem accepted_requires_liveness : ∀ (attempt : BiometricAttempt), secure_bi simp_all [Bool.and_eq_true] /-- spoof_not_accepted (matches Coq) -/ -theorem spoof_not_accepted : ∀ (attempt : BiometricAttempt), secure_biometric_system attempt → well_formed_attempt attempt → is_spoof attempt → ~ accepted attempt := by +theorem spoof_not_accepted : ∀ (attempt : BiometricAttempt), secure_biometric_system attempt → well_formed_attempt attempt → is_spoof attempt → ¬accepted attempt := by simp_all [Bool.and_eq_true] /-- biometric_data_never_exported_thm (matches Coq) -/ 
@@ -298,7 +298,7 @@ theorem biometric_data_never_exported_thm : ∀ (t : BiometricTemplate), biometr
 intro h; exact h
 /-- false_acceptance_rate_bounded (matches Coq) -/
-theorem false_acceptance_rate_bounded : ∀ (cfg : BiometricConfig) (attempt : BiometricAttempt), far_bounded cfg attempt → ~ authentic attempt → secure_biometric_system attempt → ~ accepted attempt := by
+theorem false_acceptance_rate_bounded : ∀ (cfg : BiometricConfig) (attempt : BiometricAttempt), far_bounded cfg attempt → ¬authentic attempt → secure_biometric_system attempt → ¬accepted attempt := by
 simp_all [Bool.and_eq_true]
 /-- false_rejection_rate_bounded (matches Coq) -/
@@ -353,4 +353,4 @@ theorem template_update_secure_thm : ∀ (old_t new_t : BiometricTemplate), temp
 theorem biometric_not_sole_factor : ∀ (s : BiometricSession), biometric_not_sole_factor_prop s → bio_session_multi_factor s = true ∨ bio_session_fallback_available s = true := by
 intro h; exact h
-end RIINA
+end RIINA.Domains.MobileOS.BiometricSystem
diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/CameraAudioSystem.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/CameraAudioSystem.lean
index 21ee0caa..0660c33a 100644
--- a/02_FORMAL/lean/RIINA/Domains/MobileOS/CameraAudioSystem.lean
+++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/CameraAudioSystem.lean
@@ -63,7 +63,7 @@ Generated by scripts/generate-multiprover.py
 | capture_resolution_bounded | capture_resolution_bounded | OK |
 -/
-namespace RIINA
+namespace RIINA.Domains.MobileOS.CameraAudioSystem
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -71,15 +71,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -115,7 +115,7 @@ abbrev mkRawPhoto := RawPhoto.mk /-- VideoRecording (matches Coq: Record VideoRecording) -/ structure VideoRecording where video_id : Nat - video_frames : List + video_frames : List Nat video_duration_ms : Nat video_fps : Nat deriving DecidableEq, Repr @@ -125,7 +125,7 @@ abbrev mkVideo := VideoRecording.mk /-- AudioSample (matches Coq: Record AudioSample) -/ structure AudioSample where audio_id : Nat - audio_data : List + audio_data : List Nat audio_input_time : Microseconds audio_output_time : Microseconds deriving DecidableEq, Repr 
@@ -205,11 +205,11 @@ def SensorData : Type := /-- AUDIO_SAMPLE_RATE_MIN (matches Coq: Definition AUDIO_SAMPLE_RATE_MIN) -/ def AUDIO_SAMPLE_RATE_MIN : Nat := - Z.to_nat 8000%Z + 8000 /-- AUDIO_SAMPLE_RATE_MAX (matches Coq: Definition AUDIO_SAMPLE_RATE_MAX) -/ def AUDIO_SAMPLE_RATE_MAX : Nat := - Z.to_nat 192000%Z + 192000 /-- sensor_data (matches Coq: Definition sensor_data) -/ def sensor_data (s : Scene) : SensorData := @@ -251,24 +251,24 @@ def lossless_capture_system : Prop := /-- well_formed_recording (matches Coq: Definition well_formed_recording) -/ def well_formed_recording (rs : RecordingSession) : Prop := - (rec_state rs = Recording → indicator_visible (rec_indicator rs) = true) /\ - (rec_state rs = Recording → indicator_persistent (rec_indicator rs) = true) /\ - (rec_background rs = true → rec_state rs = NotRecording) /\ + (rec_state rs = Recording → indicator_visible (rec_indicator rs) = true) ∧ + (rec_state rs = Recording → indicator_persistent (rec_indicator rs) = true) ∧ + (rec_background rs = true → rec_state rs = NotRecording) ∧ (camera_granted (rec_permission rs) = false → rec_state rs = NotRecording) /-- well_formed_audio (matches Coq: Definition well_formed_audio) -/ def well_formed_audio (ac : AudioConfig) : Prop := - sample_rate ac >= AUDIO_SAMPLE_RATE_MIN /\ - sample_rate ac <= AUDIO_SAMPLE_RATE_MAX /\ - audio_level ac <= 100 /\ + sample_rate ac >= AUDIO_SAMPLE_RATE_MIN ∧ + sample_rate ac <= AUDIO_SAMPLE_RATE_MAX ∧ + audio_level ac <= 100 ∧ channels ac >= 1 /-- well_formed_video_config (matches Coq: Definition well_formed_video_config) -/ def well_formed_video_config (vc : VideoConfig) : Prop := - video_frame_rate vc >= 1 /\ - video_frame_rate vc <= 240 /\ - video_width vc >= 1 /\ - video_height vc >= 1 /\ + video_frame_rate vc >= 1 ∧ + video_frame_rate vc <= 240 ∧ + video_width vc >= 1 ∧ + video_height vc >= 1 ∧ stabilization_offset vc <= 50 /-- raw_capture_lossless (matches Coq) -/ 
@@ -355,4 +355,4 @@ theorem video_stabilization_bounded : ∀ (vc : VideoConfig), well_formed_video_
 theorem capture_resolution_bounded : ∀ (vc : VideoConfig), well_formed_video_config vc → video_width vc ≥ 1 ∧ video_height vc ≥ 1 := by
 intro h; exact h
-end RIINA
+end RIINA.Domains.MobileOS.CameraAudioSystem
diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/CellularStack.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/CellularStack.lean
index 52b4c8e7..669e0780 100644
--- a/02_FORMAL/lean/RIINA/Domains/MobileOS/CellularStack.lean
+++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/CellularStack.lean
@@ -80,7 +80,7 @@ Generated by scripts/generate-multiprover.py
 | esim_activation_code_valid_thm | esim_activation_code_valid_thm | OK |
 -/
-namespace RIINA
+namespace RIINA.Domains.MobileOS.CellularStack
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -88,20 +88,22 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs /-- CellularGeneration (matches Coq: Inductive CellularGeneration) -/ inductive CellularGeneration where @@ -123,7 +125,7 @@ abbrev mkMemory := Memory.mk /-- BasebandProcessor (matches Coq: Record BasebandProcessor) -/ structure BasebandProcessor where bb_id : Nat - bb_accessible_memory : List + bb_accessible_memory : List Nat bb_isolated : Bool deriving DecidableEq, Repr /-- Coq constructor alias for BasebandProcessor. -/ 
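Review bot: `bb_accessible_memory : List Nat` in the `BasebandProcessor` hunk (`@@ -123`) looks like the wrong element type: `Memory` is a structure in this file (`abbrev mkMemory := Memory.mk`, the context line just above), and `can_access_mem bb m` in the next hunk takes `m : Memory`, so if that predicate tests membership of `m` in `bb_accessible_memory` — which the `In` shim added here suggests — the field needs to be `List Memory`, and with `Nat` the baseband-isolation definitions would fail to elaborate rather than prove isolation. Please take the element type from the Coq record instead of defaulting to `Nat`. The body of `can_access_mem` starts outside the visible hunks.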
@@ -307,7 +309,7 @@ def can_access_mem (bb : BasebandProcessor) (m : Memory) : Prop := /-- baseband_properly_isolated (matches Coq: Definition baseband_properly_isolated) -/ def baseband_properly_isolated (bb : BasebandProcessor) : Prop := bb_isolated bb = true → - forall m, is_ap_memory m → ~ can_access_mem bb m + forall m, is_ap_memory m → ¬can_access_mem bb m /-- during_call (matches Coq: Definition during_call) -/ def during_call (c : Call) (h : Handoff) : Prop := @@ -319,22 +321,22 @@ def no_audio_gap (c : Call) : Prop := /-- seamless_handoff_system (matches Coq: Definition seamless_handoff_system) -/ def seamless_handoff_system (c : Call) (h : Handoff) : Prop := - during_call c h /\ handoff_seamless h = true → no_audio_gap c + during_call c h ∧ handoff_seamless h = true → no_audio_gap c /-- imsi_protected (matches Coq: Definition imsi_protected) -/ def imsi_protected (ip : IMSIProtection) : Prop := - imsi_encrypted ip = true /\ imsi_exposed ip = false + imsi_encrypted ip = true ∧ imsi_exposed ip = false /-- baseband_fully_isolated (matches Coq: Definition baseband_fully_isolated) -/ def baseband_fully_isolated (bbi : BasebandIsolation) : Prop := - bbi_memory_isolated bbi = true /\ - bbi_dma_blocked bbi = true /\ + bbi_memory_isolated bbi = true ∧ + bbi_dma_blocked bbi = true ∧ bbi_firmware_verified bbi = true /-- sim_authentication_complete (matches Coq: Definition sim_authentication_complete) -/ def sim_authentication_complete (sa : SIMAuth) : Prop := - sim_auth_complete sa = true /\ - sim_mutual_auth sa = true /\ + sim_auth_complete sa = true ∧ + sim_mutual_auth sa = true ∧ sim_key_agreement sa = true /-- data_roaming_permitted (matches Coq: Definition data_roaming_permitted) -/ 
@@ -343,7 +345,7 @@ def data_roaming_permitted (rc : RoamingConfig) : Prop := /-- cellular_encryption_enforced (matches Coq: Definition cellular_encryption_enforced) -/ def cellular_encryption_enforced (ce : CellularEncryption) : Prop := - cell_encrypted ce = true /\ cell_integrity_protected ce = true + cell_encrypted ce = true ∧ cell_integrity_protected ce = true /-- stingray_detection (matches Coq: Definition stingray_detection) -/ def stingray_detection (ct : CellTowerInfo) : Prop := @@ -355,20 +357,20 @@ def sms_encryption_available (sms : SMSMessage) : Prop := /-- volte_quality_guaranteed (matches Coq: Definition volte_quality_guaranteed) -/ def volte_quality_guaranteed (vc : VoLTECall) : Prop := - volte_hd_voice vc = true /\ volte_quality_score vc >= volte_min_quality vc + volte_hd_voice vc = true ∧ volte_quality_score vc >= volte_min_quality vc /-- esim_activation_secure (matches Coq: Definition esim_activation_secure) -/ def esim_activation_secure (ea : eSIMActivation) : Prop := - esim_profile_encrypted ea = true /\ + esim_profile_encrypted ea = true ∧ esim_activation_code_valid ea = true /-- carrier_settings_validated (matches Coq: Definition carrier_settings_validated) -/ def carrier_settings_validated (cs : CarrierSettings) : Prop := - carrier_validated cs = true /\ carrier_version cs > 0 + carrier_validated cs = true ∧ carrier_version cs > 0 /-- data_usage_tracked (matches Coq: Definition data_usage_tracked) -/ def data_usage_tracked (du : DataUsage) : Prop := - du_tracked du = true /\ + du_tracked du = true ∧ (du_bytes_used du > du_bytes_limit du → du_warning_sent du = true) /-- cellular_failover_handled (matches Coq: Definition cellular_failover_handled) -/ 
@@ -377,18 +379,18 @@ def cellular_failover_handled (cf : CellularFailover) : Prop := /-- signal_strength_accurate (matches Coq: Definition signal_strength_accurate) -/ def signal_strength_accurate (sm : SignalMeasurement) : Prop := - sm_accurate sm = true /\ sm_timestamp sm > 0 + sm_accurate sm = true ∧ sm_timestamp sm > 0 /-- emergency_call_always_available (matches Coq: Definition emergency_call_always_available) -/ def emergency_call_always_available (ec : EmergencyCall) : Prop := - ec_available ec = true /\ ec_any_network ec = true + ec_available ec = true ∧ ec_any_network ec = true /-- carrier_lock_enforced (matches Coq: Definition carrier_lock_enforced) -/ def carrier_lock_enforced (cl : CarrierLock) : Prop := cl_locked cl = true → cl_enforced cl = true /-- baseband_isolation (matches Coq) -/ -theorem baseband_isolation : ∀ (baseband : BasebandProcessor) (ap_mem : Memory), baseband_properly_isolated baseband → bb_isolated baseband = true → is_ap_memory ap_mem → ~ can_access_mem baseband ap_mem := by +theorem baseband_isolation : ∀ (baseband : BasebandProcessor) (ap_mem : Memory), baseband_properly_isolated baseband → bb_isolated baseband = true → is_ap_memory ap_mem → ¬can_access_mem baseband ap_mem := by simp_all [Bool.and_eq_true] /-- call_handoff_is_seamless (matches Coq) -/ 
@@ -396,11 +398,11 @@ theorem call_handoff_is_seamless : ∀ (call : Call) (handoff : Handoff), seamle constructor <;> simp_all [Bool.and_eq_true] /-- isolation_preserves_separation (matches Coq) -/ -theorem isolation_preserves_separation : ∀ (bb : BasebandProcessor), bb_isolated bb = true → bb_accessible_memory bb = [] → ∀ m, ~ can_access_mem bb m := by +theorem isolation_preserves_separation : ∀ (bb : BasebandProcessor), bb_isolated bb = true → bb_accessible_memory bb = [] → ∀ m, ¬can_access_mem bb m := by simp_all [Bool.and_eq_true] /-- baseband_isolation_contrapositive (matches Coq) -/ -theorem baseband_isolation_contrapositive : ∀ (bb : BasebandProcessor) (m : Memory), baseband_properly_isolated bb → bb_isolated bb = true → can_access_mem bb m → ~ is_ap_memory m := by +theorem baseband_isolation_contrapositive : ∀ (bb : BasebandProcessor) (m : Memory), baseband_properly_isolated bb → bb_isolated bb = true → can_access_mem bb m → ¬is_ap_memory m := by simp_all /-- imsi_protected_thm (matches Coq) -/ @@ -483,4 +485,4 @@ theorem emergency_call_any_network : ∀ (ec : EmergencyCall), emergency_call_al theorem esim_activation_code_valid_thm : ∀ (ea : eSIMActivation), esim_activation_secure ea → esim_activation_code_valid ea = true := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.CellularStack diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/ComputerVision.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/ComputerVision.lean index 86fe9801..3e32e19f 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/ComputerVision.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/ComputerVision.lean @@ -79,7 +79,7 @@ Generated by scripts/generate-multiprover.py | empty_detections_always_bounded | empty_detections_always_bounded | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.ComputerVision /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -87,15 +87,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -133,7 +133,7 @@ abbrev mkDetection := Detection.mk /-- ObjectDetectionResult (matches Coq: Record ObjectDetectionResult) -/ structure ObjectDetectionResult where - od_detections : List + od_detections : List Nat od_processed_on_device : Bool od_latency_ms : Nat deriving DecidableEq, Repr @@ -152,7 +152,7 @@ abbrev mkFaceDetection := FaceDetection.mk /-- OCRResult (matches Coq: Record OCRResult) -/ structure OCRResult where - ocr_text : List + ocr_text : List Nat ocr_confidence : Nat ocr_language : Nat ocr_accuracy_bound : Nat 
@@ -182,7 +182,7 @@ abbrev mkClassResult := ClassificationResult.mk /-- BarcodeResult (matches Coq: Record BarcodeResult) -/ structure BarcodeResult where barcode_format : BarcodeFormat - barcode_data : List + barcode_data : List Nat barcode_valid : Bool deriving DecidableEq, Repr /-- Coq constructor alias for BarcodeResult. -/ @@ -191,7 +191,7 @@ abbrev mkBarcodeResult := BarcodeResult.mk /-- PhotoAnalysis (matches Coq: Record PhotoAnalysis) -/ structure PhotoAnalysis where photo_id : Nat - analysis_result : List + analysis_result : List Nat permission_granted : Bool processed_on_device : Bool deriving DecidableEq, Repr @@ -210,7 +210,7 @@ abbrev mkDepthEstimate := DepthEstimate.mk /-- PoseEstimate (matches Coq: Record PoseEstimate) -/ structure PoseEstimate where - pose_joints : List + pose_joints : List Nat pose_stable : Bool pose_frame_count : Nat deriving DecidableEq, Repr @@ -228,9 +228,9 @@ abbrev mkSceneClass := SceneClassification.mk /-- TextRecognition (matches Coq: Record TextRecognition) -/ structure TextRecognition where - text_content : List + text_content : List Nat text_language : Nat - text_supported_languages : List + text_supported_languages : List Nat text_language_supported : Bool deriving DecidableEq, Repr /-- Coq constructor alias for TextRecognition. -/ 
@@ -290,20 +290,20 @@ def Confidence : Type := /-- valid_detection (matches Coq: Definition valid_detection) -/ def valid_detection (d : Detection) : Prop := - det_valid d = true /\ det_confidence d >= 50 + det_valid d = true ∧ det_confidence d >= 50 /-- accurate_detection (matches Coq: Definition accurate_detection) -/ def accurate_detection (d : Detection) (ground_truth : BoundingBox) : Prop := let box := det_box d in (max (bbox_x box) (bbox_x ground_truth) - min (bbox_x box) (bbox_x ground_truth)) <= - (bbox_w box + bbox_w ground_truth) / 2 /\ + (bbox_w box + bbox_w ground_truth) / 2 ∧ (max (bbox_y box) (bbox_y ground_truth) - min (bbox_y box) (bbox_y ground_truth)) <= (bbox_h box + bbox_h ground_truth) / 2 /-- detection_bounded (matches Coq: Definition detection_bounded) -/ def detection_bounded (r : ObjectDetectionResult) : Prop := - length (od_detections r) <= 100 /\ + length (od_detections r) <= 100 ∧ od_latency_ms r <= 100 /-- cv_private (matches Coq: Definition cv_private) -/ @@ -312,7 +312,7 @@ def cv_private (r : ObjectDetectionResult) : Prop := /-- face_privacy_preserving (matches Coq: Definition face_privacy_preserving) -/ def face_privacy_preserving (fd : FaceDetection) : Prop := - face_data_on_device fd = true /\ face_anonymized fd = true + face_data_on_device fd = true ∧ face_anonymized fd = true /-- ocr_accuracy_within_bound (matches Coq: Definition ocr_accuracy_within_bound) -/ def ocr_accuracy_within_bound (r : OCRResult) : Prop := @@ -320,7 +320,7 @@ def ocr_accuracy_within_bound (r : OCRResult) : Prop := /-- confidence_properly_reported (matches Coq: Definition confidence_properly_reported) -/ def confidence_properly_reported (od : ObjectDetection) : Prop := - obj_confidence_reported od = true /\ obj_confidence od <= 100 + obj_confidence_reported od = true ∧ obj_confidence od <= 100 /-- classification_deterministic (matches Coq: Definition classification_deterministic) -/ def classification_deterministic (cr : ClassificationResult) : Prop := 
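Review bot: The body of `accurate_detection` that the changed `∧` line continues opens with `let box := det_box d in` (unchanged context), and Lean 4 term-mode `let` is terminated by `;` or a newline rather than Coq's `in`, so I would expect this definition not to parse as it stands. Rewriting that line as `let box := det_box d` with the comparison starting on the following line should be sufficient. The `∧` substitution on this hunk's added line is otherwise fine.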
@@ -328,7 +328,7 @@ def classification_deterministic (cr : ClassificationResult) : Prop :=
 /-- barcode_format_known (matches Coq: Definition barcode_format_known) -/
 def barcode_format_known (br : BarcodeResult) : Prop :=
- barcode_format br <> UnknownFormat /\ barcode_valid br = true
+ barcode_format br ≠ UnknownFormat ∧ barcode_valid br = true
 /-- photo_analysis_permitted (matches Coq: Definition photo_analysis_permitted) -/
 def photo_analysis_permitted (pa : PhotoAnalysis) : Prop :=
@@ -336,23 +336,23 @@ def photo_analysis_permitted (pa : PhotoAnalysis) : Prop := /-- depth_within_bounds (matches Coq: Definition depth_within_bounds) -/ def depth_within_bounds (de : DepthEstimate) : Prop := - depth_min de <= depth_value de /\ depth_value de <= depth_max de + depth_min de <= depth_value de ∧ depth_value de <= depth_max de /-- pose_is_stable (matches Coq: Definition pose_is_stable) -/ def pose_is_stable (pe : PoseEstimate) : Prop := - pose_stable pe = true /\ pose_frame_count pe >= 3 + pose_stable pe = true ∧ pose_frame_count pe >= 3 /-- scene_is_consistent (matches Coq: Definition scene_is_consistent) -/ def scene_is_consistent (sc : SceneClassification) : Prop := - scene_consistent sc = true /\ scene_confidence sc >= 50 + scene_consistent sc = true ∧ scene_confidence sc >= 50 /-- language_is_supported (matches Coq: Definition language_is_supported) -/ def language_is_supported (tr : TextRecognition) : Prop := - text_language_supported tr = true /\ In (text_language tr) (text_supported_languages tr) + text_language_supported tr = true ∧ In (text_language tr) (text_supported_languages tr) /-- request_cancellable (matches Coq: Definition request_cancellable) -/ def request_cancellable (vr : VisionRequest) : Prop := - vr_completed vr = false → vr_cancelled vr = true \/ vr_cancelled vr = false + vr_completed vr = false → vr_cancelled vr = true ∨ vr_cancelled vr = false /-- similarity_symmetric_pair (matches Coq: Definition similarity_symmetric_pair) -/ def similarity_symmetric_pair (p1 p2 : ImagePair) : Prop := 
@@ -365,7 +365,7 @@ def pipeline_stages_ordered (stages : List PipelineStage) : Prop := match stages with | [] => True | [_] => True - | s1 :: ((s2 :: _) as rest) => stage_order s1 <= stage_order s2 /\ pipeline_stages_ordered rest + | s1 :: ((s2 :: _) as rest) => stage_order s1 <= stage_order s2 ∧ pipeline_stages_ordered rest /-- frame_rate_limited (matches Coq: Definition frame_rate_limited) -/ def frame_rate_limited (f1 f2 : FrameAnalysis) : Prop := @@ -471,4 +471,4 @@ theorem language_in_supported_list : ∀ (tr : TextRecognition), language_is_sup theorem empty_detections_always_bounded : ∀ (r : ObjectDetectionResult), od_detections r = [] → length (od_detections r) ≤ 100 := by omega -end RIINA +end RIINA.Domains.MobileOS.ComputerVision diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/ConcurrencyFramework.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/ConcurrencyFramework.lean index 47ee64bc..eb917ff3 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/ConcurrencyFramework.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/ConcurrencyFramework.lean @@ -63,7 +63,7 @@ Generated by scripts/generate-multiprover.py | future_has_value_when_resolved | future_has_value_when_resolved | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.ConcurrencyFramework /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
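Review bot: The added line `| s1 :: ((s2 :: _) as rest) =>` keeps Coq's `as` alias pattern, which Lean 4 spells `rest@(s2 :: _)`; the line should read `| s1 :: rest@(s2 :: _) => stage_order s1 <= stage_order s2 ∧ pipeline_stages_ordered rest`. The signature of `pipeline_stages_ordered` is outside the hunk, but since the recursive call is on the tail of the scrutinee, structural recursion should be accepted once the pattern parses.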
@@ -71,20 +71,24 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: safe list index -/ +def nth_error {α : Type} (xs : List α) (n : Nat) : Option α := xs.get? n +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs /-- ConcurrencyType (matches Coq: Inductive ConcurrencyType) -/ inductive ConcurrencyType where @@ -121,8 +125,8 @@ abbrev mkResource := Resource.mk /-- Actor (matches Coq: Record Actor) -/ structure Actor where actor_id : ActorId - actor_owned_data : List - actor_mailbox : List + actor_owned_data : List Nat + actor_mailbox : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for Actor. -/ abbrev mkActor := Actor.mk 
@@ -169,7 +173,7 @@ abbrev mkBarrier := Barrier.mk structure Future where future_id : Nat future_resolved : Bool - future_value : Option + future_value : Option Nat future_resolve_count : Nat deriving DecidableEq, Repr /-- Coq constructor alias for Future. -/ @@ -178,7 +182,7 @@ abbrev mkFuture := Future.mk /-- Channel (matches Coq: Record Channel) -/ structure Channel where chan_id : Nat - chan_buffer : List + chan_buffer : List Nat chan_capacity : Nat chan_closed : Bool deriving DecidableEq, Repr @@ -188,7 +192,7 @@ abbrev mkChannel_ := Channel.mk /-- ExtActor (matches Coq: Record ExtActor) -/ structure ExtActor where ea_id : ActorId - ea_mailbox : List + ea_mailbox : List Nat ea_processed : Nat deriving DecidableEq, Repr /-- Coq constructor alias for ExtActor. -/ @@ -216,14 +220,14 @@ def well_typed (p : Program) : Prop := /-- respects_lock_order (matches Coq: Definition respects_lock_order) -/ def respects_lock_order (acquired : List Resource) : Prop := forall r1 r2 i j, - nth_error acquired i = Some r1 → - nth_error acquired j = Some r2 → + nth_error acquired i = some r1 → + nth_error acquired j = some r2 → i < j → resource_order r1 < resource_order r2 /-- can_deadlock (matches Coq: Definition can_deadlock) -/ def can_deadlock (p : Program) : Prop := - ~ well_typed p + ¬well_typed p /-- Data (matches Coq: Definition Data) -/ def Data : Type := 
@@ -235,54 +239,54 @@ def owns (a : Actor) (d : Data) : Prop := /-- can_access (matches Coq: Definition can_access) -/ def can_access (a : Actor) (d : Data) : Prop := - In d (actor_owned_data a) \/ In d (actor_mailbox a) + In d (actor_owned_data a) ∨ In d (actor_mailbox a) /-- has_data_race (matches Coq: Definition has_data_race) -/ def has_data_race (p : Program) : Prop := - ~ well_typed p + ¬well_typed p /-- well_formed_pool (matches Coq: Definition well_formed_pool) -/ def well_formed_pool (tp : ThreadPool) : Prop := - pool_active_count tp <= pool_max_size tp /\ - pool_size tp <= pool_max_size tp /\ + pool_active_count tp <= pool_max_size tp ∧ + pool_size tp <= pool_max_size tp ∧ pool_max_size tp > 0 /-- well_formed_semaphore (matches Coq: Definition well_formed_semaphore) -/ def well_formed_semaphore (s : Semaphore) : Prop := - sem_count s <= sem_max_count s /\ + sem_count s <= sem_max_count s ∧ sem_max_count s > 0 /-- well_formed_barrier (matches Coq: Definition well_formed_barrier) -/ def well_formed_barrier (b : Barrier) : Prop := - barrier_count b <= barrier_total b /\ - barrier_total b > 0 /\ + barrier_count b <= barrier_total b ∧ + barrier_total b > 0 ∧ (barrier_released b = true <→ barrier_count b = barrier_total b) /-- well_formed_future (matches Coq: Definition well_formed_future) -/ def well_formed_future (f : Future) : Prop := - future_resolve_count f <= 1 /\ - (future_resolved f = true <→ future_resolve_count f = 1) /\ - (future_resolved f = true → future_value f <> None) + future_resolve_count f <= 1 ∧ + (future_resolved f = true <→ future_resolve_count f = 1) ∧ + (future_resolved f = true → future_value f ≠ Option.none) /-- well_formed_channel (matches Coq: Definition well_formed_channel) -/ def well_formed_channel (c : Channel) : Prop := - length (chan_buffer c) <= chan_capacity c /\ + length (chan_buffer c) <= chan_capacity c ∧ chan_capacity c > 0 /-- no_deadlock (matches Coq) -/ -theorem no_deadlock : ∀ (program : Program), well_typed program → 
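Review bot: The added line `(future_resolved f = true <→ future_resolve_count f = 1) ∧` in `well_formed_future` contains `<→`, which is not a Lean token — it reads like a partially converted `<->` and should be `↔`: `(future_resolved f = true ↔ future_resolve_count f = 1) ∧`. The same `<→` survives on the unchanged context line of `well_formed_barrier` just above, so the converter's replacement table presumably needs a `<->` → `↔` entry applied before its `->` rule.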
~ can_deadlock program := by +theorem no_deadlock : ∀ (program : Program), well_typed program → ¬can_deadlock program := by simp_all [Bool.and_eq_true] /-- no_data_race (matches Coq) -/ -theorem no_data_race : ∀ (program : Program), well_typed program → ~ has_data_race program := by +theorem no_data_race : ∀ (program : Program), well_typed program → ¬has_data_race program := by simp_all [Bool.and_eq_true] /-- actor_isolation_complete (matches Coq) -/ -theorem actor_isolation_complete : ∀ (actor1 actor2 : Actor) (data : Data), actor_id actor1 ≠ actor_id actor2 → owns actor1 data → ~ In data (actor_owned_data actor2) → ~ owns actor2 data := by +theorem actor_isolation_complete : ∀ (actor1 actor2 : Actor) (data : Data), actor_id actor1 ≠ actor_id actor2 → owns actor1 data → ¬In data (actor_owned_data actor2) → ¬owns actor2 data := by intro h; exact h /-- ownership_exclusive (matches Coq) -/ -theorem ownership_exclusive : ∀ (a1 a2 : Actor) (d : Data), owns a1 d → actor_owned_data a1 ≠ actor_owned_data a2 → ~ In d (actor_owned_data a2) → ~ owns a2 d := by +theorem ownership_exclusive : ∀ (a1 a2 : Actor) (d : Data), owns a1 d → actor_owned_data a1 ≠ actor_owned_data a2 → ¬In d (actor_owned_data a2) → ¬owns a2 d := by intro h; exact h /-- well_typed_all_annotated (matches Coq) -/ 
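Review bot: The proof scripts under the restated theorems are `intro h; exact h`, but with statements beginning `∀ (actor1 actor2 : Actor) (data : Data), ...`, `intro h` binds the first actor, and `exact h` then supplies an `Actor` for a goal that is still a ∀-proposition; I do not see how `actor_isolation_complete` or `ownership_exclusive` close with that script. The same shape appears in `atomic_operation_linearizable` (L71), `actor_message_ordered` (L72) and `corruption_detected` (L77). The tactic lines are unchanged context, so this predates the commit, but the per-file namespaces presumably make these modules importable together now, and a full build before merging would settle whether these scripts actually check.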
@@ -290,11 +294,11 @@ theorem well_typed_all_annotated : ∀ (program : Program), well_typed program intro h; exact h /-- lock_order_no_cycles (matches Coq) -/ -theorem lock_order_no_cycles : ∀ (acquired : list Resource), respects_lock_order acquired → ∀ r, In r acquired → ~ (∃ r', In r' acquired ∧ resource_order r < resource_order r' ∧ resource_order r' < resource_order r) := by +theorem lock_order_no_cycles : ∀ (acquired : List Resource), respects_lock_order acquired → ∀ r, In r acquired → ¬(∃ r', In r' acquired ∧ resource_order r < resource_order r' ∧ resource_order r' < resource_order r) := by simp_all [Bool.and_eq_true] /-- deadlock_free (matches Coq) -/ -theorem deadlock_free : ∀ (program : Program), well_typed program → ~ can_deadlock program := by +theorem deadlock_free : ∀ (program : Program), well_typed program → ¬can_deadlock program := by simp_all [Bool.and_eq_true] /-- priority_inversion_prevented (matches Coq) -/ @@ -310,7 +314,7 @@ theorem async_task_cancellable : ∀ (t : AsyncTask), task_cancellable t = true intro h; exact h /-- atomic_operation_linearizable (matches Coq) -/ -theorem atomic_operation_linearizable : ∀ (before after : nat), after = before + 1 → after = before + 1 := by +theorem atomic_operation_linearizable : ∀ (before after : Nat), after = before + 1 → after = before + 1 := by intro h; exact h /-- lock_ordering_enforced (matches Coq) -/ 
@@ -330,7 +334,7 @@ theorem future_resolved_once : ∀ (f : Future), well_formed_future f → future intro h; exact h /-- actor_message_ordered (matches Coq) -/ -theorem actor_message_ordered : ∀ (a : ExtActor) (seq1 seq2 : nat) (m1 m2 : nat) (i j : nat), nth_error (ea_mailbox a) i = Some (seq1, m1) → nth_error (ea_mailbox a) j = Some (seq2, m2) → i < j → seq1 ≤ seq2 → seq1 ≤ seq2 := by +theorem actor_message_ordered : ∀ (a : ExtActor) (seq1 seq2 : Nat) (m1 m2 : Nat) (i j : Nat), nth_error (ea_mailbox a) i = some (seq1, m1) → nth_error (ea_mailbox a) j = some (seq2, m2) → i < j → seq1 ≤ seq2 → seq1 ≤ seq2 := by intro h; exact h /-- channel_bounded (matches Coq) -/ @@ -350,7 +354,7 @@ theorem concurrent_modification_detected : ∀ (a1 a2 : Actor) (d : Data), owns intro h; exact h /-- future_has_value_when_resolved (matches Coq) -/ -theorem future_has_value_when_resolved : ∀ (f : Future), well_formed_future f → future_resolved f = true → future_value f ≠ None := by +theorem future_has_value_when_resolved : ∀ (f : Future), well_formed_future f → future_resolved f = true → future_value f ≠ Option.none := by simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Domains.MobileOS.ConcurrencyFramework diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/DataPersistence.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/DataPersistence.lean index 5ce719f1..0880d007 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/DataPersistence.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/DataPersistence.lean @@ -71,7 +71,7 @@ Generated by scripts/generate-multiprover.py | data_export_sanitized_thm | data_export_sanitized_thm | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.DataPersistence /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -79,26 +79,39 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? 
p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: list map -/ +@[inline] def map {α β : Type} (f : α → β) (xs : List α) : List β := xs.map f +/-- Coq compatibility shim: left fold -/ +def fold_left {α β : Type} (f : α → β → α) (init : α) (xs : List β) : α := xs.foldl f init +/-- Coq compatibility shim: addition -/ +def plus (a b : Nat) : Nat := a + b +/-- Coq compatibility: Nat equality test -/ +def Nat.eqb (a b : Nat) : Bool := a == b + +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs +/-- Coq compatibility shim: List filter -/ +@[inline] def filter {α : Type} (f : α → Bool) (xs : List α) : List α := xs.filter f /-- Schema (matches Coq: Record Schema) -/ structure Schema where schema_version : Nat - schema_fields : List - schema_required : List + schema_fields : List Nat + schema_required : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for Schema. -/ abbrev mkSchema := Schema.mk @@ -106,7 +119,7 @@ abbrev mkSchema := Schema.mk /-- Database (matches Coq: Record Database) -/ structure Database where db_schema : Schema - db_records : List + db_records : List Nat db_checksum : Nat deriving DecidableEq, Repr /-- Coq constructor alias for Database. -/ @@ -116,8 +129,8 @@ abbrev mkDB := Database.mk structure SyncState where local_version : Nat remote_version : Nat - pending_changes : List - conflicts : List + pending_changes : List Nat + conflicts : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for SyncState. -/ abbrev mkSync := SyncState.mk 
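Review bot: Style point: every file in this series re-declares the same Coq shim set (`negb`, `andb`, `forallb`, `length`, `In`, …), and this hunk grows it further with `map`, `fold_left`, `plus`, `Nat.eqb` and `filter`; the per-file namespaces keep the copies from clashing, but a single shared compatibility module imported by each generated file would remove the duplication and let every proof rely on one set of simp lemmas. `def Nat.eqb` inside this namespace creates `…DataPersistence.Nat.eqb`, which only resolves for unqualified `Nat.eqb` calls within this file, so at minimum its doc line should say so, e.g. `/-- Coq compatibility: file-local Nat equality test (shadows nothing outside this namespace) -/`. `fold_left`'s argument order does match Coq's `fold_left`, which is good.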
@@ -127,7 +140,7 @@ structure EncryptedStore where store_id : Nat store_encrypted : Bool store_key_id : Nat - store_records : List + store_records : List Nat store_checksum : Nat deriving DecidableEq, Repr /-- Coq constructor alias for EncryptedStore. -/ @@ -138,7 +151,7 @@ structure Backup where backup_id : Nat backup_encrypted : Bool backup_timestamp : Nat - backup_records : List + backup_records : List Nat backup_checksum : Nat deriving DecidableEq, Repr /-- Coq constructor alias for Backup. -/ @@ -149,8 +162,8 @@ structure Migration where mig_id : Nat mig_from_version : Nat mig_to_version : Nat - mig_records_before : List - mig_records_after : List + mig_records_before : List Nat + mig_records_after : List Nat mig_atomic : Bool deriving DecidableEq, Repr /-- Coq constructor alias for Migration. -/ @@ -159,7 +172,7 @@ abbrev mkMigration := Migration.mk /-- Transaction (matches Coq: Record Transaction) -/ structure Transaction where txn_id : Nat - txn_operations : List + txn_operations : List Nat txn_committed : Bool txn_rolled_back : Bool deriving DecidableEq, Repr @@ -188,7 +201,7 @@ abbrev mkStorageQuota := StorageQuota.mk /-- SerializedData (matches Coq: Record SerializedData) -/ structure SerializedData where ser_format : Nat - ser_data : List + ser_data : List Nat ser_checksum : Nat ser_validated : Bool deriving DecidableEq, Repr @@ -198,7 +211,7 @@ abbrev mkSerialized := SerializedData.mk /-- DataExport (matches Coq: Record DataExport) -/ structure DataExport where export_id : Nat - export_records : List + export_records : List Nat export_sanitized : Bool export_encrypted : Bool deriving DecidableEq, Repr 
@@ -233,7 +246,7 @@ def record_field_count (r : Record) : Nat := /-- all_fields_present (matches Coq: Definition all_fields_present) -/ def all_fields_present (old_schema new_schema : Schema) (r : Record) : Prop := forall fn, In fn (schema_fields old_schema) → - In fn (schema_fields new_schema) \/ + In fn (schema_fields new_schema) ∨ exists fv, In (fn, fv) r /-- migrate_record (matches Coq: Definition migrate_record) -/ @@ -242,7 +255,7 @@ def migrate_record (old_s new_s : Schema) (r : Record) : Record := /-- migrates (matches Coq: Definition migrates) -/ def migrates (db : Database) (old_s new_s : Schema) : Prop := - db_schema db = old_s /\ + db_schema db = old_s ∧ schema_version new_s > schema_version old_s /-- no_data_loss (matches Coq: Definition no_data_loss) -/ @@ -258,7 +271,7 @@ def migration_preserves_data (old_s new_s : Schema) (r : Record) : Prop := /-- sync_correct (matches Coq: Definition sync_correct) -/ def sync_correct (s : SyncState) : Prop := - local_version s = remote_version s /\ + local_version s = remote_version s ∧ conflicts s = [] /-- data_encrypted_at_rest_prop (matches Coq: Definition data_encrypted_at_rest_prop) -/ @@ -280,7 +293,7 @@ def schema_version_tracked_prop (m : Migration) : Prop := /-- corruption_detected_prop (matches Coq: Definition corruption_detected_prop) -/ def corruption_detected_prop (s : EncryptedStore) (expected : Nat) : Prop := - store_checksum s <> expected → store_checksum s <> expected + store_checksum s ≠ expected → store_checksum s ≠ expected /-- data_integrity_verified_prop (matches Coq: Definition data_integrity_verified_prop) -/ def data_integrity_verified_prop (s : EncryptedStore) : Prop := 
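Review bot: The line following the changed `∨` in `all_fields_present` is `exists fv, In (fn, fv) r`, and Lean 4 has no term-level `exists` (it is a tactic), so the body should read `∃ fv, In (fn, fv) r`; `forall fn,` on the line above is accepted. Whether `In (fn, fv) r` elaborates also depends on `Record` being a list of pairs, and that definition is outside the hunk.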
@@ -288,13 +301,13 @@ def data_integrity_verified_prop (s : EncryptedStore) : Prop := /-- transaction_acid (matches Coq: Definition transaction_acid) -/ def transaction_acid (txn : Transaction) : Prop := - (txn_committed txn = true → txn_rolled_back txn = false) /\ + (txn_committed txn = true → txn_rolled_back txn = false) ∧ (txn_rolled_back txn = true → txn_committed txn = false) /-- concurrent_access_safe_prop (matches Coq: Definition concurrent_access_safe_prop) -/ def concurrent_access_safe_prop (txn1 txn2 : Transaction) : Prop := - txn_id txn1 <> txn_id txn2 → - ~ (txn_committed txn1 = true /\ txn_rolled_back txn1 = true) + txn_id txn1 ≠ txn_id txn2 → + ¬(txn_committed txn1 = true ∧ txn_rolled_back txn1 = true) /-- data_deletion_complete_prop (matches Coq: Definition data_deletion_complete_prop) -/ def data_deletion_complete_prop (s : EncryptedStore) : Prop := @@ -325,7 +338,7 @@ def storage_quota_respected (sq : StorageQuota) : Prop := /-- data_export_sanitized (matches Coq: Definition data_export_sanitized) -/ def data_export_sanitized (de : DataExport) : Prop := - export_sanitized de = true /\ export_encrypted de = true + export_sanitized de = true ∧ export_encrypted de = true /-- migration_lossless (matches Coq) -/ theorem migration_lossless : ∀ (data : Database) (schema1 schema2 : Schema), migrates data schema1 schema2 → (∀ fn, In fn (schema_fields schema1) → In fn (schema_fields schema2)) → no_data_loss data → no_data_loss data := by @@ -364,7 +377,7 @@ theorem schema_version_tracked : ∀ (m : Migration), schema_version_tracked_pro intro h; exact h /-- corruption_detected (matches Coq) -/ -theorem corruption_detected : ∀ (s : EncryptedStore) (expected : nat), store_checksum s ≠ expected → corruption_detected_prop s expected := by +theorem corruption_detected : ∀ (s : EncryptedStore) (expected : Nat), store_checksum s ≠ expected → corruption_detected_prop s expected := by intro h; exact h /-- data_integrity_verified (matches Coq) -/ 
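Review bot: `corruption_detected_prop` is `store_checksum s ≠ expected → store_checksum s ≠ expected`, so `corruption_detected` in this hunk proves a tautology and gives no assurance that a mismatched checksum is ever acted on; the same holds for `migration_lossless` (`no_data_loss data → no_data_loss data`) and, at L72, `actor_message_ordered` (`seq1 ≤ seq2 → seq1 ≤ seq2`). This commit only swaps `<>` for `≠`, so the vacuity is inherited from the Coq source, but a doc line such as `/-- NOTE: this property is a tautology; the checksum comparison itself is not modelled here -/` would keep the `OK` in the status table from being read as verified integrity checking.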
@@ -376,7 +389,7 @@ theorem transaction_acid_compliant : ∀ (txn : Transaction), transaction_acid t
 simp_all [Bool.and_eq_true]
 
 /-- concurrent_access_safe (matches Coq) -/
-theorem concurrent_access_safe : ∀ (txn1 txn2 : Transaction), concurrent_access_safe_prop txn1 txn2 → txn_id txn1 ≠ txn_id txn2 → ~ (txn_committed txn1 = true ∧ txn_rolled_back txn1 = true) := by
+theorem concurrent_access_safe : ∀ (txn1 txn2 : Transaction), concurrent_access_safe_prop txn1 txn2 → txn_id txn1 ≠ txn_id txn2 → ¬(txn_committed txn1 = true ∧ txn_rolled_back txn1 = true) := by
 simp_all [Bool.and_eq_true]
 
 /-- data_deletion_complete (matches Coq) -/
@@ -384,11 +397,11 @@ theorem data_deletion_complete : ∀ (s : EncryptedStore), data_deletion_complet
 simp_all [Bool.and_eq_true]
 
 /-- index_consistent (matches Coq) -/
-theorem index_consistent : ∀ (idx : IndexEntry) (records : list Record), index_consistent_prop idx records → idx_valid idx = true → idx_record_id idx < length records := by
+theorem index_consistent : ∀ (idx : IndexEntry) (records : List Record), index_consistent_prop idx records → idx_valid idx = true → idx_record_id idx < length records := by
 simp_all [Bool.and_eq_true]
 
 /-- cache_invalidation_correct_thm (matches Coq) -/
-theorem cache_invalidation_correct_thm : ∀ (c : CacheEntry) (current_time : nat), cache_invalidation_correct c current_time → cache_valid c = true → cache_timestamp c ≤ current_time := by
+theorem cache_invalidation_correct_thm : ∀ (c : CacheEntry) (current_time : Nat), cache_invalidation_correct c current_time → cache_valid c = true → cache_timestamp c ≤ current_time := by
 simp_all [Bool.and_eq_true]
 
 /-- serialization_safe (matches Coq) -/
@@ -407,4 +420,4 @@ theorem storage_quota_respected_thm : ∀ (sq : StorageQuota), storage_quota_res
 theorem data_export_sanitized_thm : ∀ (de : DataExport), data_export_sanitized de → export_sanitized de = true ∧ export_encrypted de = true := by
 intro h; exact h
 
-end RIINA
+end RIINA.Domains.MobileOS.DataPersistence
diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/EncryptionSystem.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/EncryptionSystem.lean
index d24770ff..1d53a87f 100644
--- a/02_FORMAL/lean/RIINA/Domains/MobileOS/EncryptionSystem.lean
+++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/EncryptionSystem.lean
@@ -73,7 +73,7 @@ Generated by scripts/generate-multiprover.py
 | encryption_algorithm_approved_thm | encryption_algorithm_approved_thm | OK |
 -/
 
-namespace RIINA
+namespace RIINA.Domains.MobileOS.EncryptionSystem
 
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -81,20 +81,24 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
 /-- Coq compatibility shim: pair second projection -/
 @[inline] def snd {α β : Type} (p : α × β) : β := p.2
+/-- Coq compatibility shim: list map -/
+@[inline] def map {α β : Type} (f : α → β) (xs : List α) : List β := xs.map f
+/-- Coq compatibility shim: List membership -/
+@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs
 
 /-- EncryptionKey (matches Coq: Record EncryptionKey) -/
 structure EncryptionKey where
@@ -111,7 +115,7 @@ abbrev mkEncryptionKey := EncryptionKey.mk
 structure EncryptedMessage where
 msg_id : Nat
 encryption_key_used : EncryptionKey
- ciphertext : List
+ ciphertext : List Nat
 plaintext_hash : Nat
 is_e2e : Bool
 deriving DecidableEq, Repr
@@ -122,7 +126,7 @@ abbrev mkEncryptedMessage := EncryptedMessage.mk
 structure DecryptedMessage where
 dec_msg_id : Nat
 decryption_key : EncryptionKey
- plaintext : List
+ plaintext : List Nat
 integrity_verified : Bool
 deriving DecidableEq, Repr
 /-- Coq constructor alias for DecryptedMessage. -/
@@ -153,8 +157,8 @@ abbrev mkSecureChannel := SecureChannel.mk
 /-- EncryptionOperation (matches Coq: Record EncryptionOperation) -/
 structure EncryptionOperation where
 enc_op_id : Nat
- enc_op_plaintext : List
- enc_op_ciphertext : List
+ enc_op_plaintext : List Nat
+ enc_op_ciphertext : List Nat
 enc_op_key : EncryptionKey
 enc_op_iv : Nat
 enc_op_aead_tag : Nat
@@ -186,7 +190,7 @@ abbrev mkKeyRotation := KeyRotation.mk
 /-- IVTracker (matches Coq: Record IVTracker) -/
 structure IVTracker where
 iv_current : Nat
- iv_used_list : List
+ iv_used_list : List Nat
 iv_unique : Bool
 deriving DecidableEq, Repr
 /-- Coq constructor alias for IVTracker. -/
@@ -203,17 +207,17 @@ abbrev mkTimingTest := TimingTest.mk
 
 /-- PASSWORD_HASH_MIN_ITERS (matches Coq: Definition PASSWORD_HASH_MIN_ITERS) -/
 def PASSWORD_HASH_MIN_ITERS : Nat :=
- Z.to_nat 10000%Z
+ 10000
 
 /-- strong_encryption (matches Coq: Definition strong_encryption) -/
 def strong_encryption (key : EncryptionKey) : Prop :=
- key_bits key >= 256 /\
- (key_algorithm key = 0 \/ key_algorithm key = 1)
+ key_bits key >= 256 ∧
+ (key_algorithm key = 0 ∨ key_algorithm key = 1)
 
 /-- e2e_encrypted (matches Coq: Definition e2e_encrypted) -/
 def e2e_encrypted (msg : EncryptedMessage) : Prop :=
- is_e2e msg = true /\
- strong_encryption (encryption_key_used msg) /\
+ is_e2e msg = true ∧
+ strong_encryption (encryption_key_used msg) ∧
 key_stored_in_se (encryption_key_used msg) = true
 
 /-- securely_managed (matches Coq: Definition securely_managed) -/
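Review bot: `strong_encryption` (and `encryption_algorithm_approved` in a later hunk) accepts only `key_algorithm key = 0 ∨ key_algorithm key = 1`, but nothing on the Lean side records which ciphers the identifiers 0 and 1 stand for, so a reviewer cannot tell whether the approved set is right or whether a new id added elsewhere would be silently rejected. Put the mapping in the doc comment where the set is decided, e.g. `/-- strong_encryption (matches Coq): key ≥ 256 bits and algorithm id 0 or 1 (<ALGO-0>/<ALGO-1> per the Coq source; keep in sync with encryption_algorithm_approved) -/`. `PASSWORD_HASH_MIN_ITERS := 10000` would likewise benefit from a comment naming the KDF this lower bound is meant for, since the literal alone does not say.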
@@ -223,8 +227,8 @@ def securely_managed (key : EncryptionKey) : Prop :=
 
 /-- provides_confidentiality (matches Coq: Definition provides_confidentiality) -/
 def provides_confidentiality (ch : SecureChannel) : Prop :=
- channel_encrypted ch = true /\
- strong_encryption (sender_key ch) /\
+ channel_encrypted ch = true ∧
+ strong_encryption (sender_key ch) ∧
 strong_encryption (receiver_key ch)
 
 /-- provides_integrity (matches Coq: Definition provides_integrity) -/
@@ -233,14 +237,14 @@ def provides_integrity (ch : SecureChannel) : Prop :=
 
 /-- full_e2e_security (matches Coq: Definition full_e2e_security) -/
 def full_e2e_security (ch : SecureChannel) : Prop :=
- provides_confidentiality ch /\
- provides_integrity ch /\
+ provides_confidentiality ch ∧
+ provides_integrity ch ∧
 forward_secrecy ch = true
 
 /-- correct_decryption (matches Coq: Definition correct_decryption) -/
 def correct_decryption (enc : EncryptedMessage) (dec : DecryptedMessage) : Prop :=
- msg_id enc = dec_msg_id dec /\
- integrity_verified dec = true /\
+ msg_id enc = dec_msg_id dec ∧
+ integrity_verified dec = true ∧
 key_id (encryption_key_used enc) = key_id (decryption_key dec)
 
 /-- key_bits_sufficient (matches Coq: Definition key_bits_sufficient) -/
@@ -273,8 +277,8 @@ def key_length_sufficient_prop (key : EncryptionKey) : Prop :=
 
 /-- iv_never_reused (matches Coq: Definition iv_never_reused) -/
 def iv_never_reused (tracker : IVTracker) : Prop :=
- iv_unique tracker = true /\
- ~ In (iv_current tracker) (iv_used_list tracker)
+ iv_unique tracker = true ∧
+ ¬In (iv_current tracker) (iv_used_list tracker)
 
 /-- aead_verified (matches Coq: Definition aead_verified) -/
 def aead_verified (op : EncryptionOperation) : Prop :=
@@ -289,11 +293,11 @@ def key_derivation_deterministic_prop (kd1 kd2 : KeyDerivation) : Prop :=
 
 /-- password_hash_one_way (matches Coq: Definition password_hash_one_way) -/
 def password_hash_one_way (h : PasswordHash) : Prop :=
- pwd_hash_value h > 0 /\ pwd_iterations h >= PASSWORD_HASH_MIN_ITERS
+ pwd_hash_value h > 0 ∧ pwd_iterations h >= PASSWORD_HASH_MIN_ITERS
 
 /-- salt_unique (matches Coq: Definition salt_unique) -/
 def salt_unique (h1 h2 : PasswordHash) : Prop :=
- pwd_salt h1 <> pwd_salt h2
+ pwd_salt h1 ≠ pwd_salt h2
 
 /-- key_rotation_seamless (matches Coq: Definition key_rotation_seamless) -/
 def key_rotation_seamless (kr : KeyRotation) : Prop :=
@@ -325,7 +329,7 @@ def hardware_key_storage_prop (key : EncryptionKey) : Prop :=
 
 /-- encryption_algorithm_approved (matches Coq: Definition encryption_algorithm_approved) -/
 def encryption_algorithm_approved (key : EncryptionKey) : Prop :=
- key_algorithm key = 0 \/ key_algorithm key = 1
+ key_algorithm key = 0 ∨ key_algorithm key = 1
 
 /-- e2e_encryption_verified (matches Coq) -/
 theorem e2e_encryption_verified : ∀ (msg : EncryptedMessage), e2e_encrypted msg → strong_encryption (encryption_key_used msg) := by
@@ -356,7 +360,7 @@ theorem key_derivation_preserves_strength : ∀ (kd : KeyDerivation), strong_enc
 simp_all [Bool.and_eq_true]
 
 /-- encryption_decryption_inverse (matches Coq) -/
-theorem encryption_decryption_inverse : ∀ (key : nat) (plaintext : list nat), (∀ x, In x plaintext → x ≥ key) → decrypt_data key (encrypt_data key plaintext) = plaintext := by
+theorem encryption_decryption_inverse : ∀ (key : Nat) (plaintext : List Nat), (∀ x, In x plaintext → x ≥ key) → decrypt_data key (encrypt_data key plaintext) = plaintext := by
 omega
 
 /-- key_generation_random (matches Coq) -/
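Review bot: `encryption_decryption_inverse` now states an equality between `List Nat` values (`decrypt_data key (encrypt_data key plaintext) = plaintext`), but its proof is still the single tactic `omega`, which decides linear arithmetic over `Nat`/`Int` and does not reason about list functions. Unless `encrypt_data`/`decrypt_data` (defined outside this hunk) unfold to something omega can see, this goal needs an induction on `plaintext` that actually uses the `∀ x, In x plaintext → x ≥ key` hypothesis, which the current script never introduces. The proof line is unchanged context, so the type fix may be exposing an existing gap rather than creating one; worth confirming that this file is really built now that it is imported.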
@@ -368,7 +372,7 @@ theorem key_length_sufficient : ∀ (key : EncryptionKey), strong_encryption key
 intro h; exact h
 
 /-- iv_never_reused_thm (matches Coq) -/
-theorem iv_never_reused_thm : ∀ (tracker : IVTracker), iv_never_reused tracker → ~ In (iv_current tracker) (iv_used_list tracker) := by
+theorem iv_never_reused_thm : ∀ (tracker : IVTracker), iv_never_reused tracker → ¬In (iv_current tracker) (iv_used_list tracker) := by
 intro h; exact h
 
 /-- aead_authentication_verified (matches Coq) -/
@@ -415,4 +419,4 @@ theorem hardware_key_storage : ∀ (key : EncryptionKey), hardware_key_storage_p
 theorem encryption_algorithm_approved_thm : ∀ (key : EncryptionKey), encryption_algorithm_approved key → key_algorithm key = 0 ∨ key_algorithm key = 1 := by
 intro h; exact h
 
-end RIINA
+end RIINA.Domains.MobileOS.EncryptionSystem
diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/FileSystem.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/FileSystem.lean
index ac162bf4..6a18d4c8 100644
--- a/02_FORMAL/lean/RIINA/Domains/MobileOS/FileSystem.lean
+++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/FileSystem.lean
@@ -68,7 +68,7 @@ Generated by scripts/generate-multiprover.py
 | access_time_updated | access_time_updated | OK |
 -/
 
-namespace RIINA
+namespace RIINA.Domains.MobileOS.FileSystem
 
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -76,20 +76,29 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
 /-- Coq compatibility shim: pair second projection -/
 @[inline] def snd {α β : Type} (p : α × β) : β := p.2
+/-- Coq compatibility shim: left fold -/
+def fold_left {α β : Type} (f : α → β → α) (init : α) (xs : List β) : α := xs.foldl f init
+/-- Coq compatibility shim: addition -/
+def plus (a b : Nat) : Nat := a + b
+/-- Coq compatibility: Nat equality test -/
+def Nat.eqb (a b : Nat) : Bool := a == b
+
+/-- Coq compatibility shim: List membership -/
+@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs
 
 /-- FilePermission (matches Coq: Inductive FilePermission) -/
 inductive FilePermission where
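Review bot: The three new shims `fold_left`, `plus` and `Nat.eqb` are written in a different style from the shims around them: no `@[inline]`, and the `Nat.eqb` doc reads `Coq compatibility:` where every neighbour reads `Coq compatibility shim:`. Declaring `def Nat.eqb` inside `namespace RIINA.Domains.MobileOS.FileSystem` also produces the dotted name `RIINA.Domains.MobileOS.FileSystem.Nat.eqb` rather than a root-level `Nat.eqb`, which is presumably intended but not obvious to a reader; a comment saying so would help, e.g. `/-- Coq compatibility shim: Nat equality test (namespaced here on purpose; Lean core spells this Nat.beq) -/`. Making the three consistent with the others (`@[inline]`, same doc prefix) keeps the generator's output uniform across files.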
@@ -119,8 +128,8 @@ abbrev mkFile := File.mk
 
 /-- FileSystem (matches Coq: Record FileSystem) -/
 structure FileSystem where
- fs_files : List
- fs_journal : List
+ fs_files : List Nat
+ fs_journal : List Nat
 fs_consistent : Bool
 fs_last_checkpoint : Time
 deriving DecidableEq, Repr
@@ -202,7 +211,7 @@ def after_recovery (fs : FileSystem) (t : Time) : FileSystem :=
 
 /-- consistent (matches Coq: Definition consistent) -/
 def consistent (fs : FileSystem) : Prop :=
- fs_consistent fs = true /\
+ fs_consistent fs = true ∧
 forall f, In f (fs_files fs) → file_integrity_valid f
 
 /-- journaled_write (matches Coq: Definition journaled_write) -/
@@ -243,12 +252,12 @@ def file_perm_allows_write (p : FilePermission) : Bool :=
 
 /-- permission_enforced (matches Coq: Definition permission_enforced) -/
 def permission_enforced (f : ExtFile) (requester : Nat) (mode : FilePermission) : Prop :=
- efile_owner f = requester \/
- (mode = ReadOnly /\ file_perm_allows_read (efile_permission f) = true)
+ efile_owner f = requester ∨
+ (mode = ReadOnly ∧ file_perm_allows_read (efile_permission f) = true)
 
 /-- no_directory_traversal (matches Coq: Definition no_directory_traversal) -/
 def no_directory_traversal (path : List Nat) : Prop :=
- ~ In 0 path
+ ¬In 0 path
 
 /-- symlink_safe (matches Coq: Definition symlink_safe) -/
 def symlink_safe (f : ExtFile) : Prop :=
@@ -271,7 +280,7 @@ def fd_bounded (fd : FileDescriptor) (max_fd : Nat) : Prop :=
 
 /-- inode_ref_positive (matches Coq: Definition inode_ref_positive) -/
 def inode_ref_positive (f : ExtFile) : Prop :=
- efile_inode_ref_count f > 0 → efile_permission f <> NoAccess
+ efile_inode_ref_count f > 0 → efile_permission f ≠ NoAccess
 
 /-- quota_enforced_prop (matches Coq: Definition quota_enforced_prop) -/
 def quota_enforced_prop (q : Quota) : Prop :=
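Review bot: Replacing the bare `List` with `List Nat` fixes the syntax but picks the wrong element type where the list holds records: `consistent` in the second hunk does `forall f, In f (fs_files fs) → file_integrity_valid f`, so with `fs_files : List Nat` the `f` handed to `file_integrity_valid` is a `Nat`, which by its name (and by `ext_file_integrity (f : ExtFile)` later in this file) it almost certainly does not take. The same defaulting hits `anim_frames : List Nat` in GraphicsEngine, where `well_formed_animation` applies `frame_rendered f` to each element, and should be checked for `pages`, `heap_blocks` and `stack_frames` in MemoryManagement against their consumers. `fs_files : List File` and `anim_frames : List Frame` look like the intended types given the `File`/`Frame` structures these files define (`abbrev mkFile := File.mk`, `abbrev mkFrame := Frame.mk`), but the Coq record types should decide; the generator rule that emits `List Nat` for every untyped list is the thing to fix rather than the individual fields.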
@@ -283,7 +292,7 @@ def ext_file_integrity (f : ExtFile) : Prop :=
 
 /-- path_canonical (matches Coq: Definition path_canonical) -/
 def path_canonical (path : List Nat) : Prop :=
- ~ In 0 path /\ length path > 0
+ ¬In 0 path ∧ length path > 0
 
 /-- file_type_valid (matches Coq: Definition file_type_valid) -/
 def file_type_valid (f : ExtFile) : Prop :=
@@ -311,11 +320,11 @@ theorem commit_establishes_consistency : ∀ (fs : FileSystem), fs_consistent (c
 simp
 
 /-- file_permissions_enforced (matches Coq) -/
-theorem file_permissions_enforced : ∀ (f : ExtFile) (requester : nat), permission_enforced f requester ReadOnly → efile_owner f = requester ∨ file_perm_allows_read (efile_permission f) = true := by
+theorem file_permissions_enforced : ∀ (f : ExtFile) (requester : Nat), permission_enforced f requester ReadOnly → efile_owner f = requester ∨ file_perm_allows_read (efile_permission f) = true := by
 intro h; exact h
 
 /-- directory_traversal_prevented (matches Coq) -/
-theorem directory_traversal_prevented : ∀ (path : list nat), no_directory_traversal path → ~ In 0 path := by
+theorem directory_traversal_prevented : ∀ (path : List Nat), no_directory_traversal path → ¬In 0 path := by
 intro h; exact h
 
 /-- symlink_attack_prevented (matches Coq) -/
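Review bot: `path_canonical` (and `no_directory_traversal` in the preceding hunk) encodes "no traversal" as `¬In 0 path`, but neither doc comment says what path element `0` stands for, so a reader cannot judge whether the model covers parent-directory components, absolute-path resets or symlinked segments, and `directory_traversal_prevented` below merely unfolds the definition. Record the encoding where it is decided, e.g. `/-- path_canonical (matches Coq): non-empty and free of component 0, which is taken to be the reserved encoding of the parent-directory segment — TODO confirm against the Coq model -/`, and the same sentence on `no_directory_traversal`.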
@@ -339,11 +348,11 @@ theorem no_partial_write : ∀ (f : File) (d : Data), reads (writes f d) = d :=
 simp
 
 /-- path_canonicalization (matches Coq) -/
-theorem path_canonicalization : ∀ (path : list nat), path_canonical path → ~ In 0 path ∧ length path > 0 := by
+theorem path_canonicalization : ∀ (path : List Nat), path_canonical path → ¬In 0 path ∧ length path > 0 := by
 intro h; exact h
 
 /-- file_descriptor_bounded (matches Coq) -/
-theorem file_descriptor_bounded : ∀ (fd : FileDescriptor) (max_fd : nat), fd_bounded fd max_fd → fd_number fd < max_fd := by
+theorem file_descriptor_bounded : ∀ (fd : FileDescriptor) (max_fd : Nat), fd_bounded fd max_fd → fd_number fd < max_fd := by
 intro h; exact h
 
 /-- inode_reference_count_correct (matches Coq) -/
@@ -359,7 +368,7 @@ theorem quota_enforced : ∀ (q : Quota), quota_enforced_prop q → quota_used q
 intro h; exact h
 
 /-- temp_file_cleanup (matches Coq) -/
-theorem temp_file_cleanup : ∀ (f : ExtFile), efile_inode_ref_count f = 0 → ~ (efile_inode_ref_count f > 0) := by
+theorem temp_file_cleanup : ∀ (f : ExtFile), efile_inode_ref_count f = 0 → ¬(efile_inode_ref_count f > 0) := by
 omega
 
 /-- file_type_validated (matches Coq) -/
@@ -370,4 +379,4 @@ theorem file_type_validated : ∀ (f : ExtFile), file_type_valid f := by
 theorem access_time_updated : ∀ (f : ExtFile) (new_time : Time), new_time ≥ efile_access_time f → new_time ≥ efile_access_time f := by
 intro h; exact h
 
-end RIINA
+end RIINA.Domains.MobileOS.FileSystem
diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/GraphicsEngine.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/GraphicsEngine.lean
index 8674caa0..f47603b8 100644
--- a/02_FORMAL/lean/RIINA/Domains/MobileOS/GraphicsEngine.lean
+++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/GraphicsEngine.lean
@@ -62,7 +62,7 @@ Generated by scripts/generate-multiprover.py
 | render_thread_priority | render_thread_priority | OK |
 -/
 
-namespace RIINA
+namespace RIINA.Domains.MobileOS.GraphicsEngine
 
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -70,20 +70,24 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
 /-- Coq compatibility shim: pair second projection -/
 @[inline] def snd {α β : Type} (p : α × β) : β := p.2
+/-- Coq compatibility shim: List membership -/
+@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs
+/-- Coq compatibility shim: List filter -/
+@[inline] def filter {α : Type} (f : α → Bool) (xs : List α) : List α := xs.filter f
 
 /-- RenderStage (matches Coq: Inductive RenderStage) -/
 inductive RenderStage where
@@ -124,7 +128,7 @@ abbrev mkFrame := Frame.mk
 /-- Animation (matches Coq: Record Animation) -/
 structure Animation where
 anim_id : Nat
- anim_frames : List
+ anim_frames : List Nat
 anim_duration : Nat
 anim_fps : Nat
 deriving DecidableEq, Repr
@@ -208,7 +212,7 @@ def Microseconds : Type :=
 
 /-- FRAME_BUDGET_120HZ_US (matches Coq: Definition FRAME_BUDGET_120HZ_US) -/
 def FRAME_BUDGET_120HZ_US : Microseconds :=
- Z.to_nat 8333%Z
+ 8333
 
 /-- frame_budget_120hz (matches Coq: Definition frame_budget_120hz) -/
 def frame_budget_120hz : Microseconds :=
@@ -233,12 +237,12 @@ def frames_expected (a : Animation) : Nat :=
 /-- well_formed_animation (matches Coq: Definition well_formed_animation) -/
 def well_formed_animation (a : Animation) : Prop :=
 forall f, In f (anim_frames a) →
- frame_rendered f = true /\
+ frame_rendered f = true ∧
 meets_frame_budget f
 
 /-- has_frame_drop (matches Coq: Definition has_frame_drop) -/
 def has_frame_drop (a : Animation) : Prop :=
- exists f, In f (anim_frames a) /\ frame_rendered f = false
+ exists f, In f (anim_frames a) ∧ frame_rendered f = false
 
 /-- render_pipeline (matches Coq: Definition render_pipeline) -/
 def render_pipeline : List RenderStage :=
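Review bot: `FRAME_BUDGET_120HZ_US : Microseconds := 8333` needs an `OfNat Microseconds 8333` instance, and the hunk header shows `Microseconds` introduced with `def Microseconds : Type :=`; instance resolution does not unfold a plain `def`, so the literal will not elaborate unless the right-hand side (outside this hunk) is something other than `Nat` or an instance is declared elsewhere. Declaring it as `abbrev Microseconds := Nat` (reducible) lets numeric literals, `<=` and `omega` work on it directly, which `rt_frame_time_us rt <= frame_budget_120hz` in the next hunk also relies on. The removed `Z.to_nat 8333%Z` was broken for the same reason plus Coq syntax, so this is not a regression, but the new line does not finish the fix.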
@@ -246,30 +250,30 @@ def render_pipeline : List RenderStage :=
 
 /-- well_formed_gpu_mem (matches Coq: Definition well_formed_gpu_mem) -/
 def well_formed_gpu_mem (m : GPUMemory) : Prop :=
- gpu_used_bytes m <= gpu_max_bytes m /\
- gpu_texture_bytes m + gpu_buffer_bytes m <= gpu_used_bytes m /\
+ gpu_used_bytes m <= gpu_max_bytes m ∧
+ gpu_texture_bytes m + gpu_buffer_bytes m <= gpu_used_bytes m ∧
 gpu_max_bytes m > 0
 
 /-- well_formed_shader (matches Coq: Definition well_formed_shader) -/
 def well_formed_shader (s : Shader) : Prop :=
- shader_compiled s = true /\ shader_validated s = true
+ shader_compiled s = true ∧ shader_validated s = true
 
 /-- well_formed_framebuffer (matches Coq: Definition well_formed_framebuffer) -/
 def well_formed_framebuffer (fb : FrameBuffer) : Prop :=
- fb_width fb > 0 /\
- fb_height fb > 0 /\
- fb_double_buffered fb = true /\
- fb_front fb <> fb_back fb
+ fb_width fb > 0 ∧
+ fb_height fb > 0 ∧
+ fb_double_buffered fb = true ∧
+ fb_front fb ≠ fb_back fb
 
 /-- well_formed_batch (matches Coq: Definition well_formed_batch) -/
 def well_formed_batch (b : DrawBatch) : Prop :=
- batch_merged_calls b <= batch_draw_calls b /\
+ batch_merged_calls b <= batch_draw_calls b ∧
 batch_overdraw_ratio b >= 100
 
 /-- well_formed_render_thread (matches Coq: Definition well_formed_render_thread) -/
 def well_formed_render_thread (rt : RenderThread) : Prop :=
- rt_priority rt > 0 /\
- rt_vsync_aligned rt = true /\
+ rt_priority rt > 0 ∧
+ rt_vsync_aligned rt = true ∧
 rt_frame_time_us rt <= frame_budget_120hz
 
 /-- frame_rate_120hz_guaranteed (matches Coq) -/
@@ -277,7 +281,7 @@ theorem frame_rate_120hz_guaranteed : ∀ (frame : Frame), well_optimized_frame
 simp_all [Bool.and_eq_true]
 
 /-- no_frame_drops (matches Coq) -/
-theorem no_frame_drops : ∀ (animation : Animation), well_formed_animation animation → ~ has_frame_drop animation := by
+theorem no_frame_drops : ∀ (animation : Animation), well_formed_animation animation → ¬has_frame_drop animation := by
 simp_all [Bool.and_eq_true]
 
 /-- well_formed_renders_all (matches Coq) -/
@@ -289,7 +293,7 @@ theorem render_pipeline_complete : length render_pipeline = 5 := by
 simp
 
 /-- pipeline_starts_geometry (matches Coq) -/
-theorem pipeline_starts_geometry : hd_error render_pipeline = Some Geometry := by
+theorem pipeline_starts_geometry : hd_error render_pipeline = some Geometry := by
 simp
 
 /-- pipeline_ends_display (matches Coq) -/
@@ -356,4 +360,4 @@ theorem gpu_timeout_handled : ∀ (rt : RenderThread), well_formed_render_thread
 theorem render_thread_priority : ∀ (rt : RenderThread), well_formed_render_thread rt → rt_priority rt > 0 := by
 intro h; exact h
 
-end RIINA
+end RIINA.Domains.MobileOS.GraphicsEngine
diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/LocationServices.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/LocationServices.lean
index 75e7688e..c8c93656 100644
--- a/02_FORMAL/lean/RIINA/Domains/MobileOS/LocationServices.lean
+++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/LocationServices.lean
@@ -55,7 +55,7 @@ Generated by scripts/generate-multiprover.py
 | distance_triangle_inequality | distance_triangle_inequality | OK |
 -/
 
-namespace RIINA
+namespace RIINA.Domains.MobileOS.LocationServices
 
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -63,15 +63,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -128,7 +128,7 @@ abbrev mkLocationConfig := LocationConfig.mk
 
 /-- LocationHistory (matches Coq: Record LocationHistory) -/
 structure LocationHistory where
- history_entries : List
+ history_entries : List Nat
 history_max_entries : Nat
 history_deletable : Bool
 deriving DecidableEq, Repr
@@ -188,7 +188,7 @@ def accurate_geofence_system (fence : Geofence) (pos : Position) : Prop :=
 
 /-- valid_coordinate (matches Coq: Definition valid_coordinate) -/
 def valid_coordinate (c : CoordiNate) : Prop :=
- fst c <= 180 /\ snd c <= 360
+ fst c <= 180 ∧ snd c <= 360
 
 /-- cache_expired (matches Coq: Definition cache_expired) -/
 def cache_expired (config : LocationConfig) (current_time entry_time : Nat) : Bool :=
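Review bot: `valid_coordinate (c : CoordiNate)` — a context line that stays on the new side — uses a type name that does not match `Coordinate` as used by `distance_triangle_inequality` in the next hunk; unless a separate `CoordiNate` type is defined outside this view, this looks like a casing artefact of the transpiler and the definition will not elaborate. Change it to `def valid_coordinate (c : Coordinate) : Prop :=` if `Coordinate` is the pair type that `fst c`/`snd c` expect, and add the casing rule to the generator so the other domain files do not carry the same mangled name.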
@@ -196,10 +196,10 @@ def cache_expired (config : LocationConfig) (current_time entry_time : Nat) : Bo
 
 /-- well_formed_location_config (matches Coq: Definition well_formed_location_config) -/
 def well_formed_location_config (config : LocationConfig) : Prop :=
- (loc_permission config = PermWhenInUse → loc_background_enabled config = false) /\
- (loc_permission config = PermNone → loc_background_enabled config = false) /\
- loc_cache_ttl config > 0 /\
- loc_update_interval config > 0 /\
+ (loc_permission config = PermWhenInUse → loc_background_enabled config = false) ∧
+ (loc_permission config = PermNone → loc_background_enabled config = false) ∧
+ loc_cache_ttl config > 0 ∧
+ loc_update_interval config > 0 ∧
 loc_significant_change_meters config > 0
 
 /-- location_accuracy_bounded (matches Coq) -/
@@ -251,7 +251,7 @@ theorem no_location_tracking_without_consent : ∀ (config : LocationConfig), lo
 simp_all [Bool.and_eq_true]
 
 /-- location_cache_expiry (matches Coq) -/
-theorem location_cache_expiry : ∀ (config : LocationConfig) (current entry : nat), loc_cache_ttl config < current - entry → cache_expired config current entry = true := by
+theorem location_cache_expiry : ∀ (config : LocationConfig) (current entry : Nat), loc_cache_ttl config < current - entry → cache_expired config current entry = true := by
 simp_all [Bool.and_eq_true]
 
 /-- altitude_accuracy_bounded (matches Coq) -/
@@ -290,4 +290,4 @@ theorem mock_location_detectable : ∀ (config : LocationConfig), loc_mock_detec
 theorem distance_triangle_inequality : ∀ (a b c : Coordinate), distance a c ≤ distance a b + distance b c := by
 cases ‹_› <;> simp <;> omega
 
-end RIINA
+end RIINA.Domains.MobileOS.LocationServices
diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/MemoryManagement.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/MemoryManagement.lean
index fe10dd5f..48815eb5 100644
--- a/02_FORMAL/lean/RIINA/Domains/MobileOS/MemoryManagement.lean
+++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/MemoryManagement.lean
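Review bot: `distance_triangle_inequality` is stated as `∀ (a b c : Coordinate), …` with nothing introduced, yet its proof opens with `cases ‹_›`, which needs an assumption in the local context to case on; at that point the context is empty, so the script cannot start. `memory_mapping_non_overlapping` in MemoryManagement has the same shape (`cases ‹_› <;> simp <;> omega` directly under a rewritten ∀-statement). Both proof lines are unchanged context, so if the build passes they are being elaborated differently than the text suggests; otherwise they need `intro a b c` (resp. the mapping, hypothesis and `addr` binders) before the case split, and the case split itself only makes sense once the hypothesis to destructure is named.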
@@ -69,7 +69,7 @@ Generated by scripts/generate-multiprover.py
 | memory_zeroed_on_free | memory_zeroed_on_free | OK |
 -/
 
-namespace RIINA
+namespace RIINA.Domains.MobileOS.MemoryManagement
 
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -77,20 +77,22 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
 /-- Coq compatibility shim: pair second projection -/
 @[inline] def snd {α β : Type} (p : α × β) : β := p.2
+/-- Coq compatibility shim: List membership -/
+@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs
 
 /-- SystemEvent (matches Coq: Inductive SystemEvent) -/
 inductive SystemEvent where
@@ -131,7 +133,7 @@ structure SystemMemory where
 total_memory : Nat
 used_memory : Nat
 reserved_memory : Nat
- pages : List
+ pages : List Nat
 deriving DecidableEq, Repr
 /-- Coq constructor alias for SystemMemory. -/
 abbrev mkSysMem := SystemMemory.mk
@@ -150,7 +152,7 @@ abbrev mkBlock := MemoryBlock.mk
 
 /-- Heap (matches Coq: Record Heap) -/
 structure Heap where
- heap_blocks : List
+ heap_blocks : List Nat
 heap_total_size : Nat
 heap_used_size : Nat
 heap_fragmentation_ratio : Nat
@@ -169,7 +171,7 @@ abbrev mkStackFrame := StackFrame.mk
 
 /-- Stack (matches Coq: Record Stack) -/
 structure Stack where
- stack_frames : List
+ stack_frames : List Nat
 stack_max_depth : Nat
 stack_current_depth : Nat
 deriving DecidableEq, Repr
@@ -207,7 +209,7 @@ def decompress (p : MemoryPage) : MemoryPage := mkPage (page_id p) (decompress_d
 
 /-- well_behaved_app (matches Coq: Definition well_behaved_app) -/
 def well_behaved_app (app : Application) : Prop :=
- app_well_behaved app = true /\
+ app_well_behaved app = true ∧
 app_current_memory app <= app_memory_limit app
 
 /-- system_out_of_memory (matches Coq: Definition system_out_of_memory) -/
@@ -223,8 +225,8 @@ def can_cause (app : Application) (event : SystemEvent) : Prop :=
 /-- pages_isolated (matches Coq: Definition pages_isolated) -/
 def pages_isolated (pages : List MemoryPage) : Prop :=
 forall p1 p2, In p1 pages → In p2 pages →
- page_owner p1 <> page_owner p2 →
- page_id p1 <> page_id p2
+ page_owner p1 ≠ page_owner p2 →
+ page_id p1 ≠ page_id p2
 
 /-- VirtualPage (matches Coq: Definition VirtualPage) -/
 def VirtualPage : Type :=
@@ -244,7 +246,7 @@ def allocation_bounded (h : Heap) : Prop :=
 
 /-- no_double_free_prop (matches Coq: Definition no_double_free_prop) -/
 def no_double_free_prop (blocks : List MemoryBlock) (bid : Nat) : Prop :=
- forall b, In b blocks → block_id b = bid → block_state b <> Freed →
+ forall b, In b blocks → block_id b = bid → block_state b ≠ Freed →
 block_state b = Allocated
 
 /-- no_use_after_free_prop (matches Coq: Definition no_use_after_free_prop) -/
@@ -261,12 +263,12 @@ def stack_within_bounds (s : Stack) : Prop :=
 
 /-- page_aligned (matches Coq: Definition page_aligned) -/
 def page_aligned (vm : VirtualMapping) : Prop :=
- vmap_page_size vm > 0 /\
+ vmap_page_size vm > 0 ∧
 Nat.modulo (vmap_virtual_page vm) (vmap_page_size vm) = 0
 
 /-- mappings_non_overlapping (matches Coq: Definition mappings_non_overlapping) -/
 def mappings_non_overlapping (vm1 vm2 : VirtualMapping) : Prop :=
- vmap_virtual_page vm1 + vmap_page_size vm1 <= vmap_virtual_page vm2 \/
+ vmap_virtual_page vm1 + vmap_page_size vm1 <= vmap_virtual_page vm2 ∨
 vmap_virtual_page vm2 + vmap_page_size vm2 <= vmap_virtual_page vm1
 
 /-- block_zeroed_on_free (matches Coq: Definition block_zeroed_on_free) -/
@@ -286,7 +288,7 @@ def oom_graceful (h : Heap) (request : Nat) : Prop :=
 /-- shared_memory_sync (matches Coq: Definition shared_memory_sync) -/
 def shared_memory_sync (b1 b2 : MemoryBlock) : Prop :=
 block_id b1 = block_id b2 →
- block_start b1 = block_start b2 /\ block_size b1 = block_size b2
+ block_start b1 = block_start b2 ∧ block_size b1 = block_size b2
 
 /-- dma_buffer_protected_prop (matches Coq: Definition dma_buffer_protected_prop) -/
 def dma_buffer_protected_prop (b : MemoryBlock) : Prop :=
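Review bot: `page_aligned` on the new side still calls `Nat.modulo`, which is not a Lean 4 core name (`Nat.mod`, spelled `%`, is); none of the shims added to this file define it, so unless it comes from an import outside this view the definition will not elaborate. `vmap_virtual_page vm % vmap_page_size vm = 0` is the direct form and also lets `omega` reason about the alignment goal in `virtual_memory_page_aligned`. The line is unchanged context, so this is a pre-existing transpiler gap that the now-enabled build should surface.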
@@ -305,11 +307,11 @@ theorem compression_preserves_owner : ∀ (page : MemoryPage), page_owner (compr simp /-- no_system_oom_from_app (matches Coq) -/ -theorem no_system_oom_from_app : ∀ (app : Application), well_behaved_app app → ~ can_cause app system_out_of_memory := by +theorem no_system_oom_from_app : ∀ (app : Application), well_behaved_app app → ¬can_cause app system_out_of_memory := by simp_all [Bool.and_eq_true] /-- memory_isolation_sound (matches Coq) -/ -theorem memory_isolation_sound : ∀ (pages : list MemoryPage), pages_isolated pages → ∀ p1 p2, In p1 pages → In p2 pages → page_owner p1 ≠ page_owner p2 → page_id p1 ≠ page_id p2 := by +theorem memory_isolation_sound : ∀ (pages : List MemoryPage), pages_isolated pages → ∀ p1 p2, In p1 pages → In p2 pages → page_owner p1 ≠ page_owner p2 → page_id p1 ≠ page_id p2 := by simp_all [Bool.and_eq_true] /-- decompress_compress_contents (matches Coq) -/ @@ -325,11 +327,11 @@ theorem deallocation_complete : ∀ (b : MemoryBlock), block_state b = Freed → intro h; exact h /-- no_double_free (matches Coq) -/ -theorem no_double_free : ∀ (b : MemoryBlock), block_freed b → ~ block_allocated b := by +theorem no_double_free : ∀ (b : MemoryBlock), block_freed b → ¬block_allocated b := by simp_all [Bool.and_eq_true] /-- no_use_after_free (matches Coq) -/ -theorem no_use_after_free : ∀ (b : MemoryBlock), block_freed b → ~ block_allocated b := by +theorem no_use_after_free : ∀ (b : MemoryBlock), block_freed b → ¬block_allocated b := by simp_all [Bool.and_eq_true] /-- memory_leak_impossible (matches Coq) -/ 
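Review bot: `no_use_after_free` in the second hunk on this line is a verbatim copy of `no_double_free` (`block_freed b → ¬block_allocated b`) and never mentions `no_use_after_free_prop`, although the docstring `no_use_after_free_prop (matches Coq: Definition no_use_after_free_prop)` in the preceding section shows that predicate exists; the use-after-free property advertised in the file's table is therefore not what this theorem proves. Either restate the theorem over `no_use_after_free_prop` or say so in the docstring, e.g. `/-- no_use_after_free (matches Coq) — NOTE: currently restates no_double_free; no_use_after_free_prop is not referenced -/`. Whether the duplication originates in the Coq source or in the transpiler cannot be told from this diff.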
@@ -341,7 +343,7 @@ theorem stack_overflow_prevented : ∀ (s : Stack), stack_within_bounds s → st intro h; exact h /-- heap_fragmentation_bounded (matches Coq) -/ -theorem heap_fragmentation_bounded : ∀ (h : Heap) (max_frag : nat), heap_fragmentation_bounded_prop h max_frag → heap_fragmentation_ratio h ≤ max_frag := by +theorem heap_fragmentation_bounded : ∀ (h : Heap) (max_frag : Nat), heap_fragmentation_bounded_prop h max_frag → heap_fragmentation_ratio h ≤ max_frag := by intro h; exact h /-- memory_pressure_handled (matches Coq) -/ @@ -349,7 +351,7 @@ theorem memory_pressure_handled : ∀ (h : Heap), memory_pressure_handled_prop h simp_all [Bool.and_eq_true] /-- oom_graceful_recovery (matches Coq) -/ -theorem oom_graceful_recovery : ∀ (h : Heap) (request : nat), oom_graceful h request → heap_used_size h + request > heap_total_size h → heap_used_size h ≤ heap_total_size h := by +theorem oom_graceful_recovery : ∀ (h : Heap) (request : Nat), oom_graceful h request → heap_used_size h + request > heap_total_size h → heap_used_size h ≤ heap_total_size h := by simp_all [Bool.and_eq_true] /-- virtual_memory_page_aligned (matches Coq) -/ @@ -357,7 +359,7 @@ theorem virtual_memory_page_aligned : ∀ (vm : VirtualMapping), page_aligned vm intro h; exact h /-- memory_mapping_non_overlapping (matches Coq) -/ -theorem memory_mapping_non_overlapping : ∀ (vm1 vm2 : VirtualMapping), mappings_non_overlapping vm1 vm2 → ∀ addr, vmap_virtual_page vm1 ≤ addr → addr < vmap_virtual_page vm1 + vmap_page_size vm1 → ~ (vmap_virtual_page vm2 ≤ addr ∧ addr < vmap_virtual_page vm2 + vmap_page_size vm2) := by +theorem memory_mapping_non_overlapping : ∀ (vm1 vm2 : VirtualMapping), mappings_non_overlapping vm1 vm2 → ∀ addr, vmap_virtual_page vm1 ≤ addr → addr < vmap_virtual_page vm1 + vmap_page_size vm1 → ¬(vmap_virtual_page vm2 ≤ addr ∧ addr < vmap_virtual_page vm2 + vmap_page_size vm2) := by cases ‹_› <;> simp <;> omega /-- shared_memory_synchronized (matches Coq) -/ 
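Review bot: The proof script `intro h; exact h` under `heap_fragmentation_bounded` introduces only the first ∀-binder (`h : Heap`) and then offers it as a proof of the remaining implication, which should not elaborate; the same script closes `notification_badge_accurate` and `firewall_rules_applied` in later sections, `ddos_mitigation_active` closes with `omega` on a goal whose only hypothesis is the opaque predicate `rate_limit_enforced rl`, and `memory_mapping_non_overlapping` in the last hunk here starts with `cases ‹_›` before any hypothesis has been introduced. Unless the generator relies on an elaboration behaviour not visible in this diff, the `OK` column in the file headers is not evidence that these theorems check. Run `lake build` on the MobileOS modules and treat a failure as a blocker, since these are the theorems the memory-safety and network-security claims rest on. A script whose binders match the statement, e.g. `intro h max_frag hb; exact hb` (valid if `heap_fragmentation_bounded_prop` unfolds to that inequality), is the shape to expect from the generator.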
@@ -376,4 +378,4 @@ theorem dma_buffer_protected : ∀ (b : MemoryBlock), dma_buffer_protected_prop theorem memory_zeroed_on_free : ∀ (b : MemoryBlock), block_zeroed_on_free b → block_freed b → block_zeroed b = true := by simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Domains.MobileOS.MemoryManagement diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/MultiDeviceContinuity.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/MultiDeviceContinuity.lean index 61a9a1ca..a8c9c628 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/MultiDeviceContinuity.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/MultiDeviceContinuity.lean @@ -78,7 +78,7 @@ Generated by scripts/generate-multiprover.py | handoff_data_integrity_checked | handoff_data_integrity_checked | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.MultiDeviceContinuity /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -86,15 +86,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -140,7 +140,7 @@ abbrev mkHandoff := Handoff.mk /-- HandoffData (matches Coq: Record HandoffData) -/ structure HandoffData where - hd_payload : List + hd_payload : List Nat hd_encrypted : Bool hd_integrity_checked : Bool deriving DecidableEq, Repr @@ -149,7 +149,7 @@ abbrev mkHandoffData := HandoffData.mk /-- ClipboardSync (matches Coq: Record ClipboardSync) -/ structure ClipboardSync where - cb_data : List + cb_data : List Nat cb_encrypted : Bool cb_expiry_seconds : Nat cb_max_expiry_seconds : Nat @@ -188,7 +188,7 @@ abbrev mkContPerm := ContinuityPermission.mk /-- UniversalLink (matches Coq: Record UniversalLink) -/ structure UniversalLink where - ul_url : List + ul_url : List Nat ul_app_id : Nat ul_validated : Bool ul_domain_verified : Bool 
@@ -229,7 +229,7 @@ abbrev mkContFallback := ContinuityFallback.mk /-- SharedKeychain (matches Coq: Record SharedKeychain) -/ structure SharedKeychain where sk_item_id : Nat - sk_access_group : List + sk_access_group : List Nat sk_access_controlled : Bool deriving DecidableEq, Repr /-- Coq constructor alias for SharedKeychain. -/ @@ -246,7 +246,7 @@ abbrev mkNearbyInteraction := NearbyInteraction.mk /-- DeviceDiscovery (matches Coq: Record DeviceDiscovery) -/ structure DeviceDiscovery where - dd_devices_found : List + dd_devices_found : List Nat dd_max_devices : Nat dd_timeout_seconds : Nat deriving DecidableEq, Repr @@ -255,7 +255,7 @@ abbrev mkDeviceDiscovery := DeviceDiscovery.mk /-- RelayTraffic (matches Coq: Record RelayTraffic) -/ structure RelayTraffic where - rt_data : List + rt_data : List Nat rt_encrypted : Bool rt_relay_node : Nat deriving DecidableEq, Repr @@ -286,15 +286,15 @@ def state (app : Application) (dev : Device) : AppState := /-- handoff (matches Coq: Definition handoff) -/ def handoff (app : Application) (d1 d2 : Device) : Prop := - app_supports_handoff app = true /\ - dev_authenticated d1 = true /\ - dev_authenticated d2 = true /\ - dev_paired d1 = true /\ + app_supports_handoff app = true ∧ + dev_authenticated d1 = true ∧ + dev_authenticated d2 = true ∧ + dev_paired d1 = true ∧ dev_paired d2 = true /-- complete_handoff (matches Coq: Definition complete_handoff) -/ def complete_handoff (h : Handoff) : Prop := - handoff_complete h = true /\ + handoff_complete h = true ∧ handoff_encrypted h = true /-- handoff_preserves_state (matches Coq: Definition handoff_preserves_state) -/ 
@@ -304,7 +304,7 @@ def handoff_preserves_state (h : Handoff) : Prop := /-- handoff_data_encrypted (matches Coq: Definition handoff_data_encrypted) -/ def handoff_data_encrypted (hd : HandoffData) : Prop := - hd_encrypted hd = true /\ hd_integrity_checked hd = true + hd_encrypted hd = true ∧ hd_integrity_checked hd = true /-- clipboard_sync_is_encrypted (matches Coq: Definition clipboard_sync_is_encrypted) -/ def clipboard_sync_is_encrypted (cs : ClipboardSync) : Prop := 
@@ -312,27 +312,27 @@ def clipboard_sync_is_encrypted (cs : ClipboardSync) : Prop := /-- clipboard_has_expiry (matches Coq: Definition clipboard_has_expiry) -/ def clipboard_has_expiry (cs : ClipboardSync) : Prop := - cb_expiry_seconds cs <= cb_max_expiry_seconds cs /\ cb_expiry_seconds cs > 0 + cb_expiry_seconds cs <= cb_max_expiry_seconds cs ∧ cb_expiry_seconds cs > 0 /-- device_trust_verified (matches Coq: Definition device_trust_verified) -/ def device_trust_verified (dt : DeviceTrust) : Prop := - dt_verified dt = true /\ dt_trust_score dt >= dt_trust_threshold dt + dt_verified dt = true ∧ dt_trust_score dt >= dt_trust_threshold dt /-- proximity_required (matches Coq: Definition proximity_required) -/ def proximity_required (pc : ProximityCheck) : Prop := - pc_within_range pc = true /\ pc_distance_m pc <= pc_max_distance_m pc + pc_within_range pc = true ∧ pc_distance_m pc <= pc_max_distance_m pc /-- continuity_permission_explicit (matches Coq: Definition continuity_permission_explicit) -/ def continuity_permission_explicit (cp : ContinuityPermission) : Prop := - cp_explicit_grant cp = true /\ cp_revocable cp = true + cp_explicit_grant cp = true ∧ cp_revocable cp = true /-- universal_link_validated (matches Coq: Definition universal_link_validated) -/ def universal_link_validated (ul : UniversalLink) : Prop := - ul_validated ul = true /\ ul_domain_verified ul = true + ul_validated ul = true ∧ ul_domain_verified ul = true /-- device_pairing_authenticated (matches Coq: Definition device_pairing_authenticated) -/ def device_pairing_authenticated (dp : DevicePairing) : Prop := - dp_authenticated dp = true /\ dp_encryption_key_exchanged dp = true + dp_authenticated dp = true ∧ dp_encryption_key_exchanged dp = true /-- sync_conflict_resolved (matches Coq: Definition sync_conflict_resolved) -/ def sync_conflict_resolved (sc : SyncConflict) : Prop := 
@@ -340,11 +340,11 @@ def sync_conflict_resolved (sc : SyncConflict) : Prop := /-- continuity_fallback_available (matches Coq: Definition continuity_fallback_available) -/ def continuity_fallback_available (cf : ContinuityFallback) : Prop := - cf_fallback_available cf = true /\ cf_primary_method cf <> cf_fallback_method cf + cf_fallback_available cf = true ∧ cf_primary_method cf ≠ cf_fallback_method cf /-- shared_keychain_access_controlled (matches Coq: Definition shared_keychain_access_controlled) -/ def shared_keychain_access_controlled (sk : SharedKeychain) : Prop := - sk_access_controlled sk = true /\ sk_access_group sk <> [] + sk_access_controlled sk = true ∧ sk_access_group sk ≠ [] /-- nearby_interaction_consented (matches Coq: Definition nearby_interaction_consented) -/ def nearby_interaction_consented (ni : NearbyInteraction) : Prop := @@ -462,4 +462,4 @@ theorem shared_keychain_has_group : ∀ (sk : SharedKeychain), shared_keychain_a theorem handoff_data_integrity_checked : ∀ (hd : HandoffData), handoff_data_encrypted hd → hd_integrity_checked hd = true := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.MultiDeviceContinuity diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/NetworkSecurity.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/NetworkSecurity.lean index ddc31e84..642c599f 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/NetworkSecurity.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/NetworkSecurity.lean @@ -67,7 +67,7 @@ Generated by scripts/generate-multiprover.py | certificate_revocation_checked | certificate_revocation_checked | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.NetworkSecurity /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -75,15 +75,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 
@@ -202,24 +202,24 @@ def min_tls_version : ProtocolVersion := /-- vpn_secure (matches Coq: Definition vpn_secure) -/ def vpn_secure (v : VPNConnection) : Prop := - vpn_encrypted v = true /\ - vpn_authenticated v = true /\ - vpn_tunnel_established v = true /\ + vpn_encrypted v = true ∧ + vpn_authenticated v = true ∧ + vpn_tunnel_established v = true ∧ vpn_protocol_version v >= min_tls_version /-- valid_negotiation (matches Coq: Definition valid_negotiation) -/ def valid_negotiation (n : ConnectionNegotiation) : Prop := - neg_selected_version n = min (neg_client_max_version n) (neg_server_max_version n) /\ + neg_selected_version n = min (neg_client_max_version n) (neg_server_max_version n) ∧ neg_selected_version n >= min_tls_version /-- downgrade_attack (matches Coq: Definition downgrade_attack) -/ def downgrade_attack (n : ConnectionNegotiation) : Prop := - neg_selected_version n < neg_client_max_version n /\ + neg_selected_version n < neg_client_max_version n ∧ neg_selected_version n < neg_server_max_version n /-- secure_negotiation (matches Coq: Definition secure_negotiation) -/ def secure_negotiation (n : ConnectionNegotiation) : Prop := - valid_negotiation n → ~ downgrade_attack n + valid_negotiation n → ¬downgrade_attack n /-- packet_inspected_prop (matches Coq: Definition packet_inspected_prop) -/ def packet_inspected_prop (p : Packet) : Prop := @@ -240,7 +240,7 @@ def ddos_mitigated (rl : RateLimiter) : Prop := /-- mitm_detected (matches Coq: Definition mitm_detected) -/ def mitm_detected (p1 p2 : Packet) : Prop := pkt_src_ip p1 = pkt_src_ip p2 → - pkt_payload_hash p1 <> pkt_payload_hash p2 → + pkt_payload_hash p1 ≠ pkt_payload_hash p2 → True /-- replay_prevented (matches Coq: Definition replay_prevented) -/ 
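Review bot: `mitm_detected` in the second hunk on this line ends in `→ True`, so it holds for every pair of packets regardless of source IP or payload hash, and any theorem built on it (the `man_in_middle_detected` entry further down this section) carries no detection guarantee; `dns_poisoning_detected` in the next section has the same `→ True` shape. A conclusion of `True` is presumably a transpiler stand-in for a Coq body it could not translate, yet the docstring still says `matches Coq: Definition mitm_detected`. Flag it until a real conclusion is supplied, e.g. `/-- mitm_detected (matches Coq) — NOTE: conclusion is True; this predicate is vacuous and proves nothing about detection -/`.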
@@ -251,7 +251,7 @@ def replay_prevented (p1 p2 : Packet) : Prop := /-- session_valid_prop (matches Coq: Definition session_valid_prop) -/ def session_valid_prop (s : Session) : Prop := - session_valid s = true /\ session_token s > 0 + session_valid s = true ∧ session_token s > 0 /-- session_hijack_prevented (matches Coq: Definition session_hijack_prevented) -/ def session_hijack_prevented (s : Session) (claimed_ip : Nat) : Prop := @@ -280,11 +280,11 @@ def port_scan_limited (psd : PortScanDetector) : Prop := /-- ssl_stripping_prevented (matches Coq: Definition ssl_stripping_prevented) -/ def ssl_stripping_prevented (cfg : SSLConfig) : Prop := - ssl_min_version cfg >= min_tls_version /\ ssl_compression_disabled cfg = true + ssl_min_version cfg >= min_tls_version ∧ ssl_compression_disabled cfg = true /-- dns_poisoning_detected (matches Coq: Definition dns_poisoning_detected) -/ def dns_poisoning_detected (q1 q2 : ConnectionNegotiation) : Prop := - neg_selected_version q1 <> neg_selected_version q2 → + neg_selected_version q1 ≠ neg_selected_version q2 → True /-- vpn_verified (matches Coq) -/ 
@@ -296,7 +296,7 @@ theorem vpn_min_version : ∀ (vpn : VPNConnection), vpn_secure vpn → vpn_prot intro h; exact h /-- no_downgrade_attack (matches Coq) -/ -theorem no_downgrade_attack : ∀ (negotiation : ConnectionNegotiation), valid_negotiation negotiation → neg_selected_version negotiation = min (neg_client_max_version negotiation) (neg_server_max_version negotiation) → ~ (neg_selected_version negotiation < neg_client_max_version negotiation ∧ neg_selected_version negotiation < neg_server_max_version negotiation) := by +theorem no_downgrade_attack : ∀ (negotiation : ConnectionNegotiation), valid_negotiation negotiation → neg_selected_version negotiation = min (neg_client_max_version negotiation) (neg_server_max_version negotiation) → ¬(neg_selected_version negotiation < neg_client_max_version negotiation ∧ neg_selected_version negotiation < neg_server_max_version negotiation) := by simp_all [Bool.and_eq_true] /-- secure_negotiation_highest_common (matches Coq) -/ @@ -320,7 +320,7 @@ theorem rate_limiting_enforced : ∀ (rl : RateLimiter), rate_limit_enforced rl intro h; exact h /-- ddos_mitigation_active (matches Coq) -/ -theorem ddos_mitigation_active : ∀ (rl : RateLimiter), rate_limit_enforced rl → ~ (rl_current_count rl > rl_max_requests rl) := by +theorem ddos_mitigation_active : ∀ (rl : RateLimiter), rate_limit_enforced rl → ¬(rl_current_count rl > rl_max_requests rl) := by omega /-- man_in_middle_detected (matches Coq) -/ 
@@ -332,7 +332,7 @@ theorem replay_attack_prevented : ∀ (p1 p2 : Packet), replay_prevented p1 p2 simp_all [Bool.and_eq_true] /-- session_hijacking_prevented (matches Coq) -/ -theorem session_hijacking_prevented : ∀ (s : Session) (claimed_ip : nat), session_hijack_prevented s claimed_ip → session_valid s = true → session_ip s = claimed_ip := by +theorem session_hijacking_prevented : ∀ (s : Session) (claimed_ip : Nat), session_hijack_prevented s claimed_ip → session_valid s = true → session_ip s = claimed_ip := by simp_all [Bool.and_eq_true] /-- ssl_stripping_prevented_thm (matches Coq) -/ @@ -367,4 +367,4 @@ theorem cipher_suite_strong : ∀ (cfg : SSLConfig), cipher_strong cfg → ssl_c theorem certificate_revocation_checked : ∀ (cfg : SSLConfig), revocation_checked cfg → ssl_revocation_checked cfg = true := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.NetworkSecurity diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/NetworkingStack.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/NetworkingStack.lean index 62a95684..b82a7197 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/NetworkingStack.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/NetworkingStack.lean @@ -73,7 +73,7 @@ Generated by scripts/generate-multiprover.py | network_change_notified | network_change_notified | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.NetworkingStack /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -81,20 +81,22 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs /-- EncryptionState (matches Coq: Inductive EncryptionState) -/ inductive EncryptionState where @@ -120,7 +122,7 @@ abbrev mkCert := Certificate.mk /-- Packet (matches Coq: Record Packet) -/ structure Packet where packet_id : Nat - packet_data : List + packet_data : List Nat packet_encryption : EncryptionState packet_transmitted : Bool deriving DecidableEq, Repr 
@@ -224,7 +226,7 @@ def Signature : Type := /-- NETWORK_TIMEOUT_MAX_MS (matches Coq: Definition NETWORK_TIMEOUT_MAX_MS) -/ def NETWORK_TIMEOUT_MAX_MS : Nat := - Z.to_nat 30000%Z + 30000 /-- current_time (matches Coq: Definition current_time) -/ def current_time : Time := @@ -236,7 +238,7 @@ def valid_chain (c : Certificate) : Prop := /-- not_expired (matches Coq: Definition not_expired) -/ def not_expired (c : Certificate) : Prop := - cert_not_before c <= current_time /\ + cert_not_before c <= current_time ∧ current_time <= cert_not_after c /-- not_revoked (matches Coq: Definition not_revoked) -/ @@ -245,7 +247,7 @@ def not_revoked (c : Certificate) : Prop := /-- acceptable_cert (matches Coq: Definition acceptable_cert) -/ def acceptable_cert (c : Certificate) : Prop := - valid_chain c /\ not_expired c /\ not_revoked c + valid_chain c ∧ not_expired c ∧ not_revoked c /-- accepted (matches Coq: Definition accepted) -/ def accepted (c : Certificate) : Prop := @@ -267,7 +269,7 @@ def secure_stack : Prop := /-- secure_connection (matches Coq: Definition secure_connection) -/ def secure_connection (c : Connection) : Prop := - acceptable_cert (conn_cert c) /\ + acceptable_cert (conn_cert c) ∧ conn_tls_version c >= 13 /-- tls_required (matches Coq: Definition tls_required) -/ 
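Review bot: `secure_connection` in the last hunk on this line compares `conn_tls_version c >= 13` against a bare literal, whereas this section names its other limit `NETWORK_TIMEOUT_MAX_MS` and the NetworkSecurity section uses a named `min_tls_version`; give the floor a name next to the timeout constant, e.g. `def MIN_TLS_VERSION : Nat := 13` and `conn_tls_version c >= MIN_TLS_VERSION` (13 presumably encodes TLS 1.3 — confirm against the Coq source). Separately, `not_expired` evaluates against the global `def current_time : Time`, whose body lies outside the hunk; if that is a constant rather than a parameter, `expired_cert_rejected` later in this section only speaks about one fixed model instant, and its docstring should say so.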
@@ -276,11 +278,11 @@ def tls_required (conn : HTTPConnection) : Prop := /-- cert_validation_complete_prop (matches Coq: Definition cert_validation_complete_prop) -/ def cert_validation_complete_prop (cert : Certificate) : Prop := - valid_chain cert /\ not_expired cert /\ not_revoked cert + valid_chain cert ∧ not_expired cert ∧ not_revoked cert /-- dns_validated_prop (matches Coq: Definition dns_validated_prop) -/ def dns_validated_prop (q : DNSQuery) : Prop := - dns_validated q = true /\ dns_dnssec_verified q = true + dns_validated q = true ∧ dns_dnssec_verified q = true /-- no_plaintext_password (matches Coq: Definition no_plaintext_password) -/ def no_plaintext_password (conn : HTTPConnection) : Prop := @@ -288,7 +290,7 @@ def no_plaintext_password (conn : HTTPConnection) : Prop := /-- connection_timeout_enforced_prop (matches Coq: Definition connection_timeout_enforced_prop) -/ def connection_timeout_enforced_prop (sock : Socket) : Prop := - socket_timeout_ms sock > 0 /\ socket_timeout_ms sock <= NETWORK_TIMEOUT_MAX_MS + socket_timeout_ms sock > 0 ∧ socket_timeout_ms sock <= NETWORK_TIMEOUT_MAX_MS /-- socket_cleanup_prop (matches Coq: Definition socket_cleanup_prop) -/ def socket_cleanup_prop (sock : Socket) : Prop := @@ -297,7 +299,7 @@ def socket_cleanup_prop (sock : Socket) : Prop := /-- firewall_applied (matches Coq: Definition firewall_applied) -/ def firewall_applied (rules : List FirewallRule) (src dst port : Nat) : Prop := - exists r, In r rules /\ fw_src_ip r = src /\ fw_dst_ip r = dst /\ fw_port r = port + exists r, In r rules ∧ fw_src_ip r = src ∧ fw_dst_ip r = dst ∧ fw_port r = port /-- vpn_traffic_encrypted_prop (matches Coq: Definition vpn_traffic_encrypted_prop) -/ def vpn_traffic_encrypted_prop (t : VPNTunnel) : Prop := 
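Review bot: `cert_validation_complete_prop` is, conjunct for conjunct, the body of `acceptable_cert` from the previous section (`valid_chain ∧ not_expired ∧ not_revoked`); define it as `acceptable_cert cert`, or state in its docstring that the duplicate is intentional, so an edit to one cannot silently diverge from the other. `firewall_applied` in the last hunk on this line only asserts that some rule carries exactly this src/dst/port triple; if the Coq model is that simple, its docstring should say "some rule mentions this tuple" rather than leave readers to infer a permit decision.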
@@ -313,7 +315,7 @@ def cors_enforced (conn : HTTPConnection) : Prop := /-- ws_origin_valid (matches Coq: Definition ws_origin_valid) -/ def ws_origin_valid (ws : WebSocketConn) : Prop := - ws_origin_validated ws = true /\ ws_encrypted ws = true + ws_origin_validated ws = true ∧ ws_encrypted ws = true /-- cert_pinning_holds (matches Coq: Definition cert_pinning_holds) -/ def cert_pinning_holds (pin : CertPin) : Prop := @@ -321,7 +323,7 @@ def cert_pinning_holds (pin : CertPin) : Prop := /-- network_change_notified_prop (matches Coq: Definition network_change_notified_prop) -/ def network_change_notified_prop (old_conn new_conn : Connection) : Prop := - conn_id old_conn <> conn_id new_conn → + conn_id old_conn ≠ conn_id new_conn → acceptable_cert (conn_cert new_conn) /-- network_all_encrypted (matches Coq) -/ @@ -333,15 +335,15 @@ theorem cert_validation_correct : ∀ (cert : Certificate), accepted cert → va intro h; exact h /-- expired_cert_rejected (matches Coq) -/ -theorem expired_cert_rejected : ∀ (cert : Certificate), current_time > cert_not_after cert → ~ not_expired cert := by +theorem expired_cert_rejected : ∀ (cert : Certificate), current_time > cert_not_after cert → ¬not_expired cert := by simp_all [Bool.and_eq_true] /-- revoked_cert_rejected (matches Coq) -/ -theorem revoked_cert_rejected : ∀ (cert : Certificate), cert_revoked cert = true → ~ not_revoked cert := by +theorem revoked_cert_rejected : ∀ (cert : Certificate), cert_revoked cert = true → ¬not_revoked cert := by simp_all [Bool.and_eq_true] /-- invalid_chain_rejected (matches Coq) -/ -theorem invalid_chain_rejected : ∀ (cert : Certificate), cert_chain_valid cert = false → ~ valid_chain cert := by +theorem invalid_chain_rejected : ∀ (cert : Certificate), cert_chain_valid cert = false → ¬valid_chain cert := by simp_all [Bool.and_eq_true] /-- secure_conn_valid_cert (matches Coq) -/ 
@@ -381,7 +383,7 @@ theorem no_ip_spoofing : ∀ (q : DNSQuery), dns_validated_prop q → dns_dnssec intro h; exact h /-- firewall_rules_applied (matches Coq) -/ -theorem firewall_rules_applied : ∀ (rules : list FirewallRule) (src dst port : nat), firewall_applied rules src dst port → ∃ r, In r rules ∧ fw_src_ip r = src ∧ fw_dst_ip r = dst := by +theorem firewall_rules_applied : ∀ (rules : List FirewallRule) (src dst port : Nat), firewall_applied rules src dst port → ∃ r, In r rules ∧ fw_src_ip r = src ∧ fw_dst_ip r = dst := by intro h; exact h /-- vpn_traffic_encrypted (matches Coq) -/ @@ -408,4 +410,4 @@ theorem certificate_pinning_enforced : ∀ (pin : CertPin), cert_pinning_holds p theorem network_change_notified : ∀ (old_conn new_conn : Connection), network_change_notified_prop old_conn new_conn → conn_id old_conn ≠ conn_id new_conn → acceptable_cert (conn_cert new_conn) := by simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Domains.MobileOS.NetworkingStack diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/NotificationSystem.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/NotificationSystem.lean index 9ebbb21f..d9f5d31f 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/NotificationSystem.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/NotificationSystem.lean @@ -59,7 +59,7 @@ Generated by scripts/generate-multiprover.py | high_priority_passes_filter | high_priority_passes_filter | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.NotificationSystem /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
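Review bot: `firewall_rules_applied` concludes `∃ r, In r rules ∧ fw_src_ip r = src ∧ fw_dst_ip r = dst`, but its hypothesis `firewall_applied rules src dst port` unfolds (previous section) to a four-conjunct existential that also carries `fw_port r = port`, so even once the binders are introduced the closing `exact h` cannot match the two terms; the witness has to be re-packaged, something like `intro rules src dst port ⟨r, hin, hs, hd, _⟩; exact ⟨r, hin, hs, hd⟩`. Dropping the port conjunct makes the theorem weaker than the predicate — presumably intentional, but worth one sentence in the docstring.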
@@ -67,15 +67,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -114,7 +114,7 @@ structure Notification where notif_state : NotificationState notif_created_at : Time notif_ttl : Time - notif_delivered_at : Option + notif_delivered_at : Option Nat deriving DecidableEq, Repr /-- Coq constructor alias for Notification. -/ abbrev mkNotification := Notification.mk @@ -134,8 +134,8 @@ abbrev mkChannel := NotificationChannel.mk /-- NotificationGroup (matches Coq: Record NotificationGroup) -/ structure NotificationGroup where group_id : Nat - group_notifications : List - group_summary : Option + group_notifications : List Nat + group_summary : Option Nat deriving DecidableEq, Repr /-- Coq constructor alias for NotificationGroup. -/ abbrev mkGroup := NotificationGroup.mk 
@@ -152,7 +152,7 @@ abbrev mkAction := NotificationAction.mk /-- NotifHistory (matches Coq: Record NotifHistory) -/ structure NotifHistory where - history_notifications : List + history_notifications : List Nat history_max_size : Nat history_dismiss_tracked : Bool deriving DecidableEq, Repr @@ -168,7 +168,7 @@ structure ExtNotification where ext_expiry_time : Nat ext_delivery_confirmed : Bool ext_is_silent : Bool - ext_channel : Option + ext_channel : Option Nat deriving DecidableEq, Repr /-- Coq constructor alias for ExtNotification. -/ abbrev mkExtNotif := ExtNotification.mk @@ -179,13 +179,13 @@ def Time : Type := /-- sent (matches Coq: Definition sent) -/ def sent (n : Notification) : Prop := - notif_state n = Pending \/ - notif_state n = Delivered \/ + notif_state n = Pending ∨ + notif_state n = Delivered ∨ notif_state n = Read /-- delivered (matches Coq: Definition delivered) -/ def delivered (n : Notification) : Prop := - notif_state n = Delivered \/ notif_state n = Read + notif_state n = Delivered ∨ notif_state n = Read /-- expired (matches Coq: Definition expired) -/ def expired (n : Notification) : Prop := @@ -197,7 +197,7 @@ def eventually_state (n : Notification) (target : NotificationState) : Prop := /-- eventually_delivered_or_expired (matches Coq: Definition eventually_delivered_or_expired) -/ def eventually_delivered_or_expired (n : Notification) : Prop := - delivered n \/ expired n + delivered n ∨ expired n /-- passes_focus_filter (matches Coq: Definition passes_focus_filter) -/ def passes_focus_filter (n : Notification) (mode : FocusMode) : Bool := 
@@ -225,20 +225,20 @@ def notification_permission_granted (granted : Bool) : Prop := /-- well_formed_notification (matches Coq: Definition well_formed_notification) -/ def well_formed_notification (en : ExtNotification) : Prop := - ext_content_sanitized en = true /\ - ext_sound_volume en <= 100 /\ - (ext_is_silent en = true → ext_sound_volume en = 0) /\ + ext_content_sanitized en = true ∧ + ext_sound_volume en <= 100 ∧ + (ext_is_silent en = true → ext_sound_volume en = 0) ∧ (ext_delivery_confirmed en = true → - notif_state (ext_notif en) = Delivered \/ notif_state (ext_notif en) = Read) + notif_state (ext_notif en) = Delivered ∨ notif_state (ext_notif en) = Read) /-- well_formed_group (matches Coq: Definition well_formed_group) -/ def well_formed_group (g : NotificationGroup) : Prop := length (group_notifications g) >= 2 → - group_summary g <> None + group_summary g ≠ Option.none /-- well_formed_history (matches Coq: Definition well_formed_history) -/ def well_formed_history (h : NotifHistory) : Prop := - length (history_notifications h) <= history_max_size h /\ + length (history_notifications h) <= history_max_size h ∧ history_max_size h > 0 /-- notification_delivery_guaranteed (matches Coq) -/ @@ -266,7 +266,7 @@ theorem all_mode_passes_all : ∀ (n : Notification), passes_focus_filter n AllN rfl /-- notification_permission_explicit (matches Coq) -/ -theorem notification_permission_explicit : ∀ (granted : bool), granted = false → ~ notification_permission_granted granted := by +theorem notification_permission_explicit : ∀ (granted : Bool), granted = false → ¬notification_permission_granted granted := by simp_all [Bool.and_eq_true] /-- notification_content_sanitized (matches Coq) -/ 
@@ -274,7 +274,7 @@ theorem notification_content_sanitized : ∀ (en : ExtNotification), well_formed intro h; exact h /-- no_notification_spam (matches Coq) -/ -theorem no_notification_spam : ∀ (count : nat), count ≤ spam_threshold → is_spam count = false := by +theorem no_notification_spam : ∀ (count : Nat), count ≤ spam_threshold → is_spam count = false := by simp_all [Bool.and_eq_true] /-- notification_priority_respected (matches Coq) -/ @@ -286,7 +286,7 @@ theorem do_not_disturb_enforced : ∀ (n : Notification), passes_focus_filter n rfl /-- notification_grouping_correct (matches Coq) -/ -theorem notification_grouping_correct : ∀ (g : NotificationGroup), well_formed_group g → length (group_notifications g) ≥ 2 → group_summary g ≠ None := by +theorem notification_grouping_correct : ∀ (g : NotificationGroup), well_formed_group g → length (group_notifications g) ≥ 2 → group_summary g ≠ Option.none := by simp_all [Bool.and_eq_true] /-- notification_action_validated (matches Coq) -/ @@ -298,11 +298,11 @@ theorem notification_sound_bounded : ∀ (en : ExtNotification), well_formed_not intro h; exact h /-- notification_badge_accurate (matches Coq) -/ -theorem notification_badge_accurate : ∀ (en : ExtNotification) (expected_count : nat), ext_badge_count en = expected_count → ext_badge_count en = expected_count := by +theorem notification_badge_accurate : ∀ (en : ExtNotification) (expected_count : Nat), ext_badge_count en = expected_count → ext_badge_count en = expected_count := by intro h; exact h /-- notification_expiry_enforced (matches Coq) -/ -theorem notification_expiry_enforced : ∀ (en : ExtNotification) (current_time : nat), current_time > ext_expiry_time en → ext_expiry_time en < current_time := by +theorem notification_expiry_enforced : ∀ (en : ExtNotification) (current_time : Nat), current_time > ext_expiry_time en → ext_expiry_time en < current_time := by omega /-- notification_channel_configurable (matches Coq) -/ 
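Review bot: `notification_badge_accurate` and `notification_expiry_enforced` are tautologies (`P → P`, and `a > b → b < a`), so they establish nothing about badge accuracy or expiry enforcement and should not be counted in any verification claim; the docstring ought to say so, e.g. `/-- notification_badge_accurate (matches Coq; trivial: hypothesis equals conclusion, no behavioural content) -/`. Separately, `intro h; exact h` on a statement with two leading binders introduces only `en` as `h`, which as far as I can tell cannot close the remaining `∀ expected_count, …` goal; `notification_content_sanitized` in this hunk's context has the same shape. Since this commit re-enables these files in the root import, the `lake build` output for them should accompany it.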
@@ -329,4 +329,4 @@ theorem notification_dismiss_tracked : ∀ (h : NotifHistory), history_dismiss_t theorem high_priority_passes_filter : ∀ (n : Notification), notif_priority n = High → passes_focus_filter n PriorityOnly = true := by rfl -end RIINA +end RIINA.Domains.MobileOS.NotificationSystem diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/OnDeviceML.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/OnDeviceML.lean index b35ad35b..1bb2a5e5 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/OnDeviceML.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/OnDeviceML.lean @@ -78,7 +78,7 @@ Generated by scripts/generate-multiprover.py | failed_update_preserves_version | failed_update_preserves_version | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.OnDeviceML /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -86,20 +86,22 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: list map -/ +@[inline] def map {α β : Type} (f : α → β) (xs : List α) : List β := xs.map f /-- ModelUpdateState (matches Coq: Inductive ModelUpdateState) -/ inductive ModelUpdateState where @@ -111,7 +113,7 @@ inductive ModelUpdateState where /-- Tensor (matches Coq: Record Tensor) -/ structure Tensor where - tensor_shape : List + tensor_shape : List Nat tensor_data : TensorData deriving DecidableEq, Repr /-- Coq constructor alias for Tensor. -/ 
@@ -120,7 +122,7 @@ abbrev mkTensor := Tensor.mk /-- MLModel (matches Coq: Record MLModel) -/ structure MLModel where model_id : Nat - model_weights : List + model_weights : List Nat model_version : Nat model_deterministic : Bool deriving DecidableEq, Repr @@ -130,7 +132,7 @@ abbrev mkModel := MLModel.mk /-- UserData (matches Coq: Record UserData) -/ structure UserData where data_id : Nat - data_content : List + data_content : List Nat data_sensitive : Bool deriving DecidableEq, Repr /-- Coq constructor alias for UserData. -/ @@ -194,7 +196,7 @@ abbrev mkModelPolicy := ModelPolicy.mk /-- TrainingData (matches Coq: Record TrainingData) -/ structure TrainingData where - td_records : List + td_records : List Nat td_anonymized : Bool td_pii_removed : Bool deriving DecidableEq, Repr @@ -223,16 +225,16 @@ abbrev mkModelFallback := ModelWithFallback.mk /-- BatchRequest (matches Coq: Record BatchRequest) -/ structure BatchRequest where batch_id : Nat - batch_inputs : List - batch_sequence : List + batch_inputs : List Nat + batch_sequence : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for BatchRequest. -/ abbrev mkBatchReq := BatchRequest.mk /-- QuantizedModel (matches Coq: Record QuantizedModel) -/ structure QuantizedModel where - qm_original_weights : List - qm_quantized_weights : List + qm_original_weights : List Nat + qm_quantized_weights : List Nat qm_max_error : Nat deriving DecidableEq, Repr /-- Coq constructor alias for QuantizedModel. -/ @@ -261,7 +263,7 @@ def used_for_inference (d : UserData) (m : MLModel) : Prop := /-- private_ml_system (matches Coq: Definition private_ml_system) -/ def private_ml_system : Prop := forall (d : UserData) (m : MLModel), - used_for_inference d m → ~ transmitted d + used_for_inference d m → ¬transmitted d /-- input_shape_valid (matches Coq: Definition input_shape_valid) -/ def input_shape_valid (input : Tensor) (expected_shape : List Nat) : Prop := 
@@ -271,7 +273,7 @@ def input_shape_valid (input : Tensor) (expected_shape : List Nat) : Prop := def all_below (bound : Nat) (l : List Nat) : Prop := match l with | [] => True - | x :: rest => x <= bound /\ all_below bound rest + | x :: rest => x <= bound ∧ all_below bound rest /-- output_bounded (matches Coq: Definition output_bounded) -/ def output_bounded (output : Tensor) (bound : Nat) : Prop := @@ -287,11 +289,11 @@ def model_fits_memory (b : MemoryBudget) : Prop := /-- update_atomic (matches Coq: Definition update_atomic) -/ def update_atomic (u : ModelUpdate) : Prop := - update_state u = UpdateComplete \/ update_state u = UpdateFailed + update_state u = UpdateComplete ∨ update_state u = UpdateFailed /-- within_privacy_budget (matches Coq: Definition within_privacy_budget) -/ def within_privacy_budget (pb : PrivacyBudget) : Prop := - epsilon pb <= max_epsilon pb /\ delta pb <= max_delta pb + epsilon pb <= max_epsilon pb ∧ delta pb <= max_delta pb /-- version_tracked (matches Coq: Definition version_tracked) -/ def version_tracked (m : MLModel) : Prop := 
@@ -303,19 +305,19 @@ def feature_extract (m : MLModel) (input : Tensor) : List Nat := /-- confidence_calibrated (matches Coq: Definition confidence_calibrated) -/ def confidence_calibrated (p : Prediction) : Prop := - pred_calibrated p = true /\ pred_confidence p <= 100 + pred_calibrated p = true ∧ pred_confidence p <= 100 /-- model_not_exportable (matches Coq: Definition model_not_exportable) -/ def model_not_exportable (mp : ModelPolicy) : Prop := - policy_exportable mp = false /\ policy_on_device_only mp = true + policy_exportable mp = false ∧ policy_on_device_only mp = true /-- data_anonymized (matches Coq: Definition data_anonymized) -/ def data_anonymized (td : TrainingData) : Prop := - td_anonymized td = true /\ td_pii_removed td = true + td_anonymized td = true ∧ td_pii_removed td = true /-- adversarial_detected (matches Coq: Definition adversarial_detected) -/ def adversarial_detected (ia : InputAnalysis) : Prop := - ia_perturbation_score ia > ia_threshold ia /\ ia_flagged ia = true + ia_perturbation_score ia > ia_threshold ia ∧ ia_flagged ia = true /-- fallback_ready (matches Coq: Definition fallback_ready) -/ def fallback_ready (mf : ModelWithFallback) : Prop := 
@@ -326,23 +328,23 @@ def is_sorted (l : List Nat) : Prop := match l with | [] => True | [_] => True - | x :: ((y :: _) as rest) => x <= y /\ is_sorted rest + | x :: ((y :: _) as rest) => x <= y ∧ is_sorted rest /-- batch_ordered (matches Coq: Definition batch_ordered) -/ def batch_ordered (br : BatchRequest) : Prop := - is_sorted (batch_sequence br) /\ + is_sorted (batch_sequence br) ∧ length (batch_inputs br) = length (batch_sequence br) /-- pointwise_error_bounded (matches Coq: Definition pointwise_error_bounded) -/ def pointwise_error_bounded (orig quant : List Nat) (bound : Nat) : Prop := match orig, quant with | [], [] => True - | x :: xs, y :: ys => (x - y <= bound) /\ (y - x <= bound) /\ pointwise_error_bounded xs ys bound + | x :: xs, y :: ys => (x - y <= bound) ∧ (y - x <= bound) ∧ pointwise_error_bounded xs ys bound | _, _ => False /-- quantization_bounded (matches Coq: Definition quantization_bounded) -/ def quantization_bounded (qm : QuantizedModel) : Prop := - pointwise_error_bounded (qm_original_weights qm) (qm_quantized_weights qm) (qm_max_error qm) /\ + pointwise_error_bounded (qm_original_weights qm) (qm_quantized_weights qm) (qm_max_error qm) ∧ length (qm_original_weights qm) = length (qm_quantized_weights qm) /-- ml_inference_deterministic (matches Coq) -/ @@ -354,7 +356,7 @@ theorem inference_same_input_same_output : ∀ (model : MLModel) (input1 input2 rfl /-- ml_data_private (matches Coq) -/ -theorem ml_data_private : ∀ (data : UserData) (model : MLModel), private_ml_system → used_for_inference data model → ~ transmitted data := by +theorem ml_data_private : ∀ (data : UserData) (model : MLModel), private_ml_system → used_for_inference data model → ¬transmitted data := by simp_all /-- inference_preserves_shape (matches Coq) -/ 
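Review bot: `is_sorted` still carries Coq's `(y :: _) as rest` alias pattern; Lean 4 spells named patterns `rest@(y :: _)`, so unless the transpiler post-processes this line the definition, and `batch_ordered` built on it, will not elaborate. Suggested line: `| x :: rest@(y :: _) => x <= y ∧ is_sorted rest`. `pointwise_error_bounded` relies on truncated `Nat` subtraction so that `(x - y <= bound) ∧ (y - x <= bound)` encodes `|x − y| ≤ bound`; a short comment saying so, e.g. `-- Nat subtraction truncates at 0, so the two conjuncts together bound |x - y|`, would stop the next reader from flagging it as an underflow bug.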
@@ -362,15 +364,15 @@ theorem inference_preserves_shape : ∀ (model : MLModel) (input : Tensor), tens simp /-- different_model_version_matters (matches Coq) -/ -theorem different_model_version_matters : ∀ (m1 m2 : MLModel) (input : Tensor) (h : nat) (t : list nat), tensor_data input = h :: t → model_version m1 ≠ model_version m2 → tensor_data (infer m1 input) ≠ tensor_data (infer m2 input) := by +theorem different_model_version_matters : ∀ (m1 m2 : MLModel) (input : Tensor) (h : Nat) (t : List Nat), tensor_data input = h :: t → model_version m1 ≠ model_version m2 → tensor_data (infer m1 input) ≠ tensor_data (infer m2 input) := by simp_all [Bool.and_eq_true] /-- model_input_validated (matches Coq) -/ -theorem model_input_validated : ∀ (input : Tensor) (expected : list nat), input_shape_valid input expected → tensor_shape input = expected := by +theorem model_input_validated : ∀ (input : Tensor) (expected : List Nat), input_shape_valid input expected → tensor_shape input = expected := by intro h; exact h /-- model_output_bounded (matches Coq) -/ -theorem model_output_bounded : ∀ (output : Tensor) (bound : nat), output_bounded output bound → all_below bound (tensor_data output) := by +theorem model_output_bounded : ∀ (output : Tensor) (bound : Nat), output_bounded output bound → all_below bound (tensor_data output) := by intro h; exact h /-- inference_latency_bounded (matches Coq) -/ @@ -445,4 +447,4 @@ theorem privacy_budget_epsilon_bounded : ∀ (pb : PrivacyBudget), within_privac theorem failed_update_preserves_version : ∀ (u : ModelUpdate), update_state u = UpdateFailed → model_version (update_old_model u) = model_version (update_old_model u) := by rfl -end RIINA +end RIINA.Domains.MobileOS.OnDeviceML diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/PowerManagement.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/PowerManagement.lean index 10280f28..dbe2eb4d 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/PowerManagement.lean 
+++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/PowerManagement.lean @@ -63,7 +63,7 @@ Generated by scripts/generate-multiprover.py | power_budget_per_app | power_budget_per_app | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.PowerManagement /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b @@ -71,15 +71,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 
@@ -175,15 +175,15 @@ def PowerLevel : Type := /-- critical_temp_const (matches Coq: Definition critical_temp_const) -/ def critical_temp_const : Temperature := - Z.to_nat 9500%Z + 9500 /-- throttle_temp_const (matches Coq: Definition throttle_temp_const) -/ def throttle_temp_const : Temperature := - Z.to_nat 8000%Z + 8000 /-- charge_rate_max_const (matches Coq: Definition charge_rate_max_const) -/ def charge_rate_max_const : Nat := - Z.to_nat 25000%Z + 25000 /-- critical_temp (matches Coq: Definition critical_temp) -/ def critical_temp : Temperature := @@ -199,8 +199,8 @@ def safe_temp : Temperature := /-- thermally_safe (matches Coq: Definition thermally_safe) -/ def thermally_safe (ts : ThermalState) : Prop := - cpu_temp ts <= critical_temp /\ - gpu_temp ts <= critical_temp /\ + cpu_temp ts <= critical_temp ∧ + gpu_temp ts <= critical_temp ∧ battery_temp ts <= critical_temp /-- should_throttle (matches Coq: Definition should_throttle) -/ 
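Review bot: `critical_temp_const : Temperature := 9500` and the two constants below it now depend on numeral literals, and `thermally_safe` on `<=`, elaborating at `Temperature`; if `Temperature` is introduced with `def Temperature : Type := Nat` in the style of `def PowerLevel : Type :=` in the hunk header, `OfNat Temperature 9500` and `LE Temperature` are not found through a non-reducible `def` and neither definition typechecks. Declaring these aliases with `abbrev`, or writing `(9500 : Nat)`, avoids that. The unit of the constants is also undocumented although the thermal-safety theorems hinge on it; I would add `-- unit: presumably hundredths of a degree C, confirm against the Coq source` next to `critical_temp_const`.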
@@ -248,25 +248,25 @@ def background_power_limit : Nat := /-- well_formed_battery (matches Coq: Definition well_formed_battery) -/ def well_formed_battery (b : BatteryInfo) : Prop := - bat_level b <= 100 /\ - bat_health b <= 100 /\ - bat_temperature b <= battery_safe_temp /\ + bat_level b <= 100 ∧ + bat_health b <= 100 ∧ + bat_temperature b <= battery_safe_temp ∧ bat_charge_rate b <= charge_rate_max /-- well_formed_cpu (matches Coq: Definition well_formed_cpu) -/ def well_formed_cpu (c : CpuState) : Prop := - cpu_min_frequency_mhz c <= cpu_frequency_mhz c /\ - cpu_frequency_mhz c <= cpu_max_frequency_mhz c /\ + cpu_min_frequency_mhz c <= cpu_frequency_mhz c ∧ + cpu_frequency_mhz c <= cpu_max_frequency_mhz c ∧ cpu_min_frequency_mhz c > 0 /-- well_formed_wake_lock (matches Coq: Definition well_formed_wake_lock) -/ def well_formed_wake_lock (w : WakeLock) : Prop := - wake_lock_timeout w > 0 /\ + wake_lock_timeout w > 0 ∧ (wake_lock_active w = true → wake_lock_elapsed w <= wake_lock_timeout w) /-- well_formed_app_power (matches Coq: Definition well_formed_app_power) -/ def well_formed_app_power (a : AppPowerBudget) : Prop := - app_power_actual_mw a <= app_power_budget_mw a /\ + app_power_actual_mw a <= app_power_budget_mw a ∧ (app_is_background a = true → app_power_budget_mw a <= background_power_limit) /-- thermal_bounds_enforced (matches Coq) -/ @@ -353,4 +353,4 @@ theorem discharge_rate_bounded : ∀ (b : BatteryInfo), bat_discharge_rate b ≤ theorem power_budget_per_app : ∀ (a : AppPowerBudget), well_formed_app_power a → app_power_actual_mw a ≤ app_power_budget_mw a := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.PowerManagement diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/SystemApps.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/SystemApps.lean index 96a97440..4ba666a1 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/SystemApps.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/SystemApps.lean 
@@ -66,7 +66,7 @@ Generated by scripts/generate-multiprover.py | check_app_security_correct | check_app_security_correct | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.SystemApps /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b @@ -74,15 +74,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -113,7 +113,7 @@ abbrev mkSystemApp := SystemApp.mk /-- AppState (matches Coq: Record AppState) -/ structure AppState where state_app_id : Nat - state_data : List + state_data : List Nat state_valid : Bool state_hash : Nat deriving DecidableEq, Repr 
@@ -192,27 +192,27 @@ abbrev mkAppUpdate := AppUpdate.mk /-- RESPONSE_TIME_MAX_US (matches Coq: Definition RESPONSE_TIME_MAX_US) -/ def RESPONSE_TIME_MAX_US : Nat := - Z.to_nat 100000%Z + 100000 /-- system_app_correct (matches Coq: Definition system_app_correct) -/ def system_app_correct (app : SystemApp) : Prop := - is_verified app = true /\ - has_sandbox app = true /\ + is_verified app = true ∧ + has_sandbox app = true ∧ permissions_minimal app = true /-- data_secure (matches Coq: Definition data_secure) -/ def data_secure (app : SystemApp) : Prop := - data_encrypted app = true /\ + data_encrypted app = true ∧ has_sandbox app = true /-- valid_transition (matches Coq: Definition valid_transition) -/ def valid_transition (trans : StateTransition) : Prop := - state_valid (from_state trans) = true /\ + state_valid (from_state trans) = true ∧ state_valid (to_state trans) = true /-- state_preserved (matches Coq: Definition state_preserved) -/ def state_preserved (trans : StateTransition) : Prop := - state_data (from_state trans) = state_data (to_state trans) \/ + state_data (from_state trans) = state_data (to_state trans) ∨ state_valid (to_state trans) = true /-- sync_lossless (matches Coq: Definition sync_lossless) -/ @@ -230,7 +230,7 @@ def app_responds_correctly (resp : AppResponse) : Prop := /-- wellformed_system_app (matches Coq: Definition wellformed_system_app) -/ def wellformed_system_app (app : SystemApp) : Prop := - system_app_correct app /\ data_secure app + system_app_correct app ∧ data_secure app /-- check_app_security (matches Coq: Definition check_app_security) -/ def check_app_security (app : SystemApp) : Bool := 
@@ -242,14 +242,14 @@ def transition_preserves_validity (trans : StateTransition) : Bool := /-- app_sandbox_holds (matches Coq: Definition app_sandbox_holds) -/ def app_sandbox_holds (app : SystemApp) (perm : AppPermission) : Prop := - has_sandbox app = true /\ - perm_app_id perm = sys_app_id app /\ + has_sandbox app = true ∧ + perm_app_id perm = sys_app_id app ∧ perm_granted_explicitly perm = true /-- no_cross_app_access (matches Coq: Definition no_cross_app_access) -/ def no_cross_app_access (app1 app2 : SystemApp) : Prop := - sys_app_id app1 <> sys_app_id app2 → - has_sandbox app1 = true /\ has_sandbox app2 = true + sys_app_id app1 ≠ sys_app_id app2 → + has_sandbox app1 = true ∧ has_sandbox app2 = true /-- app_permission_runtime_check (matches Coq: Definition app_permission_runtime_check) -/ def app_permission_runtime_check (perm : AppPermission) : Prop := @@ -270,7 +270,7 @@ def install_is_verified (lc : AppLifecycle) : Prop := /-- update_is_atomic (matches Coq: Definition update_is_atomic) -/ def update_is_atomic (upd : AppUpdate) : Prop := upd_applied upd = true → - upd_signature_valid upd = true /\ + upd_signature_valid upd = true ∧ upd_new_version upd > upd_old_version upd /-- uninstall_is_complete (matches Coq: Definition uninstall_is_complete) -/ @@ -373,4 +373,4 @@ theorem notification_permission_explicit : ∀ (perm : AppPermission), perm_noti theorem check_app_security_correct : ∀ (app : SystemApp), check_app_security app = true → is_verified app = true ∧ has_sandbox app = true ∧ permissions_minimal app = true ∧ data_encrypted app = true := by constructor <;> simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Domains.MobileOS.SystemApps diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/SystemArchitecture.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/SystemArchitecture.lean index 0cfee5f7..741b4f6d 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/SystemArchitecture.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/SystemArchitecture.lean 
@@ -73,7 +73,7 @@ Generated by scripts/generate-multiprover.py | resource_usage_bounded | resource_usage_bounded | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.SystemArchitecture /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b @@ -81,20 +81,22 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs /-- DeviceState (matches Coq: Inductive DeviceState) -/ inductive DeviceState where 
@@ -145,7 +147,7 @@ abbrev mkUpdate := SystemUpdate.mk structure System where system_version : Nat system_state : DeviceState - update_pending : Option + update_pending : Option Nat deriving DecidableEq, Repr /-- Coq constructor alias for System. -/ abbrev mkSystem := System.mk @@ -154,7 +156,7 @@ abbrev mkSystem := System.mk structure Process where process_id : Nat process_memory_region : Nat - process_permissions : List + process_permissions : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for Process. -/ abbrev mkProcess := Process.mk @@ -198,7 +200,7 @@ abbrev mkIPC := IPCChannel.mk /-- SchedulerState (matches Coq: Record SchedulerState) -/ structure SchedulerState where sched_running_pid : Nat - sched_ready_queue : List + sched_ready_queue : List Nat sched_time_slice : Nat sched_context_saved : Bool deriving DecidableEq, Repr @@ -207,11 +209,11 @@ abbrev mkScheduler := SchedulerState.mk /-- KERNEL_MEM_BOUNDARY (matches Coq: Definition KERNEL_MEM_BOUNDARY) -/ def KERNEL_MEM_BOUNDARY : Nat := - Z.to_nat 1073741824%Z + 1073741824 /-- verified_boot (matches Coq: Definition verified_boot) -/ def verified_boot (d : Device) : Prop := - boot_verified d = true /\ secure_boot_chain d = true + boot_verified d = true ∧ secure_boot_chain d = true /-- boot_time (matches Coq: Definition boot_time) -/ def boot_time (d : Device) : Nat := @@ -230,7 +232,7 @@ def apply_update (sys : System) (upd : SystemUpdate) : System * UpdateResult := /-- update_succeeds (matches Coq: Definition update_succeeds) -/ def update_succeeds (upd : SystemUpdate) : Prop := - update_signature_valid upd = true /\ update_integrity_verified upd = true + update_signature_valid upd = true ∧ update_integrity_verified upd = true /-- system_unchanged (matches Coq: Definition system_unchanged) -/ def system_unchanged (sys : System) (new_sys : System) : Prop := 
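Review bot: `process_memory_region : Nat` in the `Process` structure (`@@ -154,7 +156,7 @@`) is a single `Nat`, but `memory_disjoint` in the `@@ -256,12 +258,12 @@` hunk destructures it with `let (start1, size1) := process_memory_region p1 in`, so the field type and its only consumer disagree; because `well_isolated_processes` and `process_isolation_sound` are built on `memory_disjoint`, the process-isolation guarantee is unverified until this elaborates. The field presumably should be `process_memory_region : Nat × Nat` (the Coq pair type, to be confirmed). `let … in` is also Coq syntax, Lean 4 wants `let (start1, size1) := process_memory_region p1` on its own line, and the `System * UpdateResult` return type visible in the `@@ -230,7 +232,7 @@` header would be `System × UpdateResult`.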
@@ -256,12 +258,12 @@ def valid_boot_device (d : Device) : Prop := def memory_disjoint (p1 p2 : Process) : Prop := let (start1, size1) := process_memory_region p1 in let (start2, size2) := process_memory_region p2 in - start1 + size1 <= start2 \/ start2 + size2 <= start1 + start1 + size1 <= start2 ∨ start2 + size2 <= start1 /-- well_isolated_processes (matches Coq: Definition well_isolated_processes) -/ def well_isolated_processes (procs : List Process) : Prop := forall p1 p2, In p1 procs → In p2 procs → - p1 <> p2 → memory_disjoint p1 p2 + p1 ≠ p2 → memory_disjoint p1 p2 /-- privilege_rank (matches Coq: Definition privilege_rank) -/ def privilege_rank (p : PrivilegeLevel) : Nat := @@ -276,12 +278,12 @@ def privilege_geq (p1 p2 : PrivilegeLevel) : Prop := /-- syscall_authorized (matches Coq: Definition syscall_authorized) -/ def syscall_authorized (sc : Syscall) : Prop := - privilege_geq (syscall_caller_privilege sc) (syscall_required_privilege sc) /\ + privilege_geq (syscall_caller_privilege sc) (syscall_required_privilege sc) ∧ syscall_validated sc = true /-- pid_in_table (matches Coq: Definition pid_in_table) -/ def pid_in_table (pid : Nat) (pt : ProcessTable) : Prop := - exists p, In p pt /\ ext_pid p = pid + exists p, In p pt ∧ ext_pid p = pid /-- all_pids_unique (matches Coq: Definition all_pids_unique) -/ def all_pids_unique (pt : ProcessTable) : Prop := 
@@ -294,11 +296,11 @@ def all_alive (pt : ProcessTable) : Prop := /-- init_process_present (matches Coq: Definition init_process_present) -/ def init_process_present (pt : ProcessTable) : Prop := - exists p, In p pt /\ ext_pid p = 1 /\ ext_alive p = true + exists p, In p pt ∧ ext_pid p = 1 ∧ ext_alive p = true /-- ext_mem_disjoint (matches Coq: Definition ext_mem_disjoint) -/ def ext_mem_disjoint (p1 p2 : ExtProcess) : Prop := - ext_mem_start p1 + ext_mem_size p1 <= ext_mem_start p2 \/ + ext_mem_start p1 + ext_mem_size p1 <= ext_mem_start p2 ∨ ext_mem_start p2 + ext_mem_size p2 <= ext_mem_start p1 /-- kernel_mem_boundary (matches Coq: Definition kernel_mem_boundary) -/ @@ -319,7 +321,7 @@ def resource_within_limit (p : ExtProcess) : Prop := /-- process_cleanly_terminated (matches Coq: Definition process_cleanly_terminated) -/ def process_cleanly_terminated (p : ExtProcess) : Prop := - ext_alive p = false /\ ext_resource_used p = 0 + ext_alive p = false ∧ ext_resource_used p = 0 /-- boot_time_bounded (matches Coq) -/ theorem boot_time_bounded : ∀ (device : Device), well_formed_device device → verified_boot device → boot_time device ≤ 5000 := by @@ -334,7 +336,7 @@ theorem no_boot_loop : ∀ (device : Device), valid_boot_device device → verif simp_all [Bool.and_eq_true] /-- process_isolation_sound (matches Coq) -/ -theorem process_isolation_sound : ∀ (procs : list Process), well_isolated_processes procs → ∀ p1 p2, In p1 procs → In p2 procs → p1 ≠ p2 → memory_disjoint p1 p2 := by +theorem process_isolation_sound : ∀ (procs : List Process), well_isolated_processes procs → ∀ p1 p2, In p1 procs → In p2 procs → p1 ≠ p2 → memory_disjoint p1 p2 := by simp_all [Bool.and_eq_true] /-- process_isolation_enforced (matches Coq) -/ 
@@ -342,7 +344,7 @@ theorem process_isolation_enforced : ∀ (pt : ProcessTable), (∀ p1 p2, In p1 simp_all [Bool.and_eq_true] /-- memory_space_disjoint (matches Coq) -/ -theorem memory_space_disjoint : ∀ (p1 p2 : ExtProcess), ext_mem_disjoint p1 p2 → ∀ addr, (ext_mem_start p1 ≤ addr ∧ addr < ext_mem_start p1 + ext_mem_size p1) → ~ (ext_mem_start p2 ≤ addr ∧ addr < ext_mem_start p2 + ext_mem_size p2) := by +theorem memory_space_disjoint : ∀ (p1 p2 : ExtProcess), ext_mem_disjoint p1 p2 → ∀ addr, (ext_mem_start p1 ≤ addr ∧ addr < ext_mem_start p1 + ext_mem_size p1) → ¬(ext_mem_start p2 ≤ addr ∧ addr < ext_mem_start p2 + ext_mem_size p2) := by cases ‹_› <;> simp <;> omega /-- syscall_validation_complete (matches Coq) -/ @@ -350,11 +352,11 @@ theorem syscall_validation_complete : ∀ (sc : Syscall), syscall_authorized sc intro h; exact h /-- privilege_escalation_impossible (matches Coq) -/ -theorem privilege_escalation_impossible : ∀ (sc : Syscall), syscall_caller_privilege sc = UserMode → syscall_required_privilege sc = KernelMode → ~ syscall_authorized sc := by +theorem privilege_escalation_impossible : ∀ (sc : Syscall), syscall_caller_privilege sc = UserMode → syscall_required_privilege sc = KernelMode → ¬syscall_authorized sc := by omega /-- kernel_memory_protected (matches Coq) -/ -theorem kernel_memory_protected : ∀ (p : ExtProcess), in_user_space p → ext_mem_size p > 0 → ~ in_kernel_space (ext_mem_start p) := by +theorem kernel_memory_protected : ∀ (p : ExtProcess), in_user_space p → ext_mem_size p > 0 → ¬in_kernel_space (ext_mem_start p) := by omega /-- user_space_bounded (matches Coq) -/ 
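Review bot: `privilege_escalation_impossible` and `kernel_memory_protected`, like `supervisor_cannot_kernel` in the `@@ -394,19 +396,19 @@` hunk, are closed with `omega`, but their goals are `¬syscall_authorized sc` and `¬in_kernel_space …`, which hide a conjunction over `privilege_geq` and an inductive `PrivilegeLevel` behind definitions that `omega` does not unfold; unless the transpiler inserts an unfolding step I cannot see, these proofs are unlikely to elaborate, and they are exactly the privilege-separation and kernel-memory guarantees this file exists to establish. A script that unfolds first, along the lines of `intro sc h1 h2; simp [syscall_authorized, privilege_geq, h1, h2]` adapted to the real definitions, would be more robust than bare `omega`. The build log for SystemArchitecture.lean should accompany a commit that re-enables it in the root import.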
@@ -386,7 +388,7 @@ theorem pid_uniqueness : ∀ (pt : ProcessTable), all_pids_unique pt → ∀ p1 simp_all [Bool.and_eq_true] /-- scheduler_fairness (matches Coq) -/ -theorem scheduler_fairness : ∀ (sched : SchedulerState) (pid : nat), In pid (sched_ready_queue sched) → sched_time_slice sched > 0 → ∃ ts, ts > 0 ∧ ts = sched_time_slice sched := by +theorem scheduler_fairness : ∀ (sched : SchedulerState) (pid : Nat), In pid (sched_ready_queue sched) → sched_time_slice sched > 0 → ∃ ts, ts > 0 ∧ ts = sched_time_slice sched := by intro h; exact h /-- context_switch_atomic (matches Coq) -/ 
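Review bot: `scheduler_fairness` only asserts that some `ts` equals `sched_time_slice sched` when the slice is positive; it says nothing about every ready pid eventually running, so the name overstates the guarantee and the docstring should flag it, e.g. `/-- scheduler_fairness (matches Coq; note: states only positivity of the time slice, not fairness) -/`. Also `intro h; exact h` introduces just `sched` as `h` and, as far as I can tell, cannot discharge the remaining `∀ pid, … → ∃ ts, …` goal; the direct proof is `intro sched pid _ hpos; exact ⟨sched_time_slice sched, hpos, rfl⟩`.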
@@ -394,19 +396,19 @@ theorem context_switch_atomic : ∀ (sched : SchedulerState), sched_context_save intro h; exact h /-- signal_delivery_guaranteed (matches Coq) -/ -theorem signal_delivery_guaranteed : ∀ (pt : ProcessTable) (target_pid : nat), pid_in_table target_pid pt → (∀ p, In p pt → ext_pid p = target_pid → ext_alive p = true) → ∃ p, In p pt ∧ ext_pid p = target_pid ∧ ext_alive p = true := by +theorem signal_delivery_guaranteed : ∀ (pt : ProcessTable) (target_pid : Nat), pid_in_table target_pid pt → (∀ p, In p pt → ext_pid p = target_pid → ext_alive p = true) → ∃ p, In p pt ∧ ext_pid p = target_pid ∧ ext_alive p = true := by simp_all [Bool.and_eq_true] /-- supervisor_cannot_kernel (matches Coq) -/ -theorem supervisor_cannot_kernel : ∀ (sc : Syscall), syscall_caller_privilege sc = SupervisorMode → syscall_required_privilege sc = KernelMode → ~ syscall_authorized sc := by +theorem supervisor_cannot_kernel : ∀ (sc : Syscall), syscall_caller_privilege sc = SupervisorMode → syscall_required_privilege sc = KernelMode → ¬syscall_authorized sc := by omega /-- user_kernel_memory_separation (matches Coq) -/ -theorem user_kernel_memory_separation : ∀ (p : ExtProcess) (kaddr : nat), in_user_space p → in_kernel_space kaddr → ~ (ext_mem_start p ≤ kaddr ∧ kaddr < ext_mem_start p + ext_mem_size p) := by +theorem user_kernel_memory_separation : ∀ (p : ExtProcess) (kaddr : Nat), in_user_space p → in_kernel_space kaddr → ¬(ext_mem_start p ≤ kaddr ∧ kaddr < ext_mem_start p + ext_mem_size p) := by omega /-- resource_usage_bounded (matches Coq) -/ -theorem resource_usage_bounded : ∀ (p : ExtProcess) (extra : nat), resource_within_limit p → ext_resource_used p + extra ≤ ext_resource_limit p → ext_resource_used p + extra ≤ ext_resource_limit p := by +theorem resource_usage_bounded : ∀ (p : ExtProcess) (extra : Nat), resource_within_limit p → ext_resource_used p + extra ≤ ext_resource_limit p → ext_resource_used p + extra ≤ ext_resource_limit p := by intro h; exact h -end RIINA +end 
RIINA.Domains.MobileOS.SystemArchitecture diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/TouchGestureSystem.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/TouchGestureSystem.lean index ccd661e6..ba120105 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/TouchGestureSystem.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/TouchGestureSystem.lean @@ -64,7 +64,7 @@ Generated by scripts/generate-multiprover.py | unknown_gesture_lowest_priority | unknown_gesture_lowest_priority | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.TouchGestureSystem /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b @@ -72,15 +72,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 
@@ -121,10 +121,10 @@ abbrev mkTouchEvent := TouchEvent.mk /-- MultiTouchState (matches Coq: Record MultiTouchState) -/ structure MultiTouchState where - active_touches : List + active_touches : List Nat max_simultaneous : Nat - coalesced_events : List - predicted_events : List + coalesced_events : List Nat + predicted_events : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for MultiTouchState. -/ abbrev mkMultiTouch := MultiTouchState.mk @@ -155,11 +155,11 @@ def display_latency (t : TouchEvent) : Microseconds := /-- LATENCY_BOUND_10MS (matches Coq: Definition LATENCY_BOUND_10MS) -/ def LATENCY_BOUND_10MS : Microseconds := - Z.to_nat 10000%Z + 10000 /-- TOUCH_LATENCY_MAX_16MS (matches Coq: Definition TOUCH_LATENCY_MAX_16MS) -/ def TOUCH_LATENCY_MAX_16MS : Microseconds := - Z.to_nat 16000%Z + 16000 /-- latency_bound (matches Coq: Definition latency_bound) -/ def latency_bound : Microseconds := @@ -167,15 +167,15 @@ def latency_bound : Microseconds := /-- touch_system_correct (matches Coq: Definition touch_system_correct) -/ def touch_system_correct (t : TouchEvent) : Prop := - (physical_touch t → registered t) /\ - (registered t → physical_touch t) /\ + (physical_touch t → registered t) ∧ + (registered t → physical_touch t) ∧ (physical_touch t → display_latency t <= latency_bound) /-- intended_gesture (matches Coq: Definition intended_gesture) -/ def intended_gesture (seq : TouchSequence) (g : GestureType) : Prop := match seq, g with - | [t], Tap => touch_pressure t > 0 /\ touch_pressure t < 100 - | [t1; t2], DoubleTap => touch_pressure t1 > 0 /\ touch_pressure t2 > 0 /\ + | [t], Tap => touch_pressure t > 0 ∧ touch_pressure t < 100 + | [t1; t2], DoubleTap => touch_pressure t1 > 0 ∧ touch_pressure t2 > 0 ∧ touch_timestamp t2 - touch_timestamp t1 < 500 | _, _ => False 
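Review bot: `intended_gesture` still carries Coq list syntax on its `DoubleTap` arm — `| [t1; t2], DoubleTap =>` is not Lean 4 and should be `| [t1, t2], DoubleTap =>`, so the file does not parse despite the `/\ → ∧` repairs around it. The bare constructor names `Tap`/`DoubleTap` also need to resolve as constructors (`.Tap`, `.DoubleTap`, or `open GestureType`); if they do not, Lean binds them as pattern variables and the first arm matches every single-touch sequence regardless of `g`. Separately, if `touch_timestamp` is a `Nat`, `touch_timestamp t2 - touch_timestamp t1 < 500` is satisfied by truncation whenever `t2` precedes `t1`, so an out-of-order pair is classified as a double tap; consider `touch_timestamp t1 ≤ touch_timestamp t2 ∧ touch_timestamp t2 - touch_timestamp t1 < 500`.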
@@ -258,7 +258,7 @@ def multi_touch_count (mt : MultiTouchState) : Nat := /-- well_formed_multi_touch (matches Coq: Definition well_formed_multi_touch) -/ def well_formed_multi_touch (mt : MultiTouchState) : Prop := - length (active_touches mt) <= max_simultaneous mt /\ + length (active_touches mt) <= max_simultaneous mt ∧ max_simultaneous mt > 0 /-- touch_latency_bounded (matches Coq) -/ @@ -326,7 +326,7 @@ theorem touch_prediction_bounded : ∀ (mt : MultiTouchState), well_formed_multi intro h; exact h /-- edge_touch_distinguished (matches Coq) -/ -theorem edge_touch_distinguished : ∀ (t : TouchEvent) (w h : nat), fst (touch_position t) < edge_margin → is_edge_touch t w h = true := by +theorem edge_touch_distinguished : ∀ (t : TouchEvent) (w h : Nat), fst (touch_position t) < edge_margin → is_edge_touch t w h = true := by cases ‹_› <;> simp /-- accidental_touch_rejected (matches Coq) -/ @@ -345,4 +345,4 @@ theorem simultaneous_gesture_resolution : ∀ (g1 g2 : GestureType), gesture_pri theorem unknown_gesture_lowest_priority : ∀ (g : GestureType), g ≠ Unknown → gesture_priority g > gesture_priority Unknown := by cases ‹_› <;> simp <;> omega -end RIINA +end RIINA.Domains.MobileOS.TouchGestureSystem diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/TrackingPrevention.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/TrackingPrevention.lean index 894469d2..2a4038d1 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/TrackingPrevention.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/TrackingPrevention.lean @@ -82,7 +82,7 @@ Generated by scripts/generate-multiprover.py | ip_masked_via_relay | ip_masked_via_relay | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.TrackingPrevention /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -90,15 +90,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -124,7 +124,7 @@ inductive ReferrerPolicy where structure User where user_id : Nat tracking_consent_given : Bool - consent_scope : List + consent_scope : List Nat consent_timestamp : Nat deriving DecidableEq, Repr /-- Coq constructor alias for User. -/ @@ -134,7 +134,7 @@ abbrev mkUser := User.mk structure Application where app_id : Nat tracking_enabled : Bool - tracking_domains : List + tracking_domains : List Nat app_privacy_policy : Bool deriving DecidableEq, Repr /-- Coq constructor alias for Application. -/ 
@@ -145,7 +145,7 @@ structure TrackingEvent where tracking_app : Application tracked_user : User tracking_type : Nat - tracking_data : List + tracking_data : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for TrackingEvent. -/ abbrev mkTrackingEvent := TrackingEvent.mk @@ -153,9 +153,9 @@ abbrev mkTrackingEvent := TrackingEvent.mk /-- PrivacyState (matches Coq: Record PrivacyState) -/ structure PrivacyState where tracking_transparency_enabled : Bool - app_tracking_requests : List - approved_tracking : List - denied_tracking : List + app_tracking_requests : List Nat + approved_tracking : List Nat + denied_tracking : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for PrivacyState. -/ abbrev mkPrivacyState := PrivacyState.mk @@ -221,7 +221,7 @@ abbrev mkAppTrackReq := AppTrackingRequest.mk /-- LinkDecoration (matches Coq: Record LinkDecoration) -/ structure LinkDecoration where ld_url_hash : Nat - ld_tracking_params : List + ld_tracking_params : List Nat ld_stripped : Bool deriving DecidableEq, Repr /-- Coq constructor alias for LinkDecoration. -/ @@ -275,7 +275,7 @@ abbrev mkNetworkReq := NetworkRequest.mk /-- DeviceGraphAttempt (matches Coq: Record DeviceGraphAttempt) -/ structure DeviceGraphAttempt where - dg_identifiers_collected : List + dg_identifiers_collected : List Nat dg_prevented : Bool dg_max_identifiers : Nat deriving DecidableEq, Repr @@ -284,7 +284,7 @@ abbrev mkDeviceGraph := DeviceGraphAttempt.mk /-- TrackerList (matches Coq: Record TrackerList) -/ structure TrackerList where - tl_entries : List + tl_entries : List Nat tl_last_updated : Nat tl_max_age_seconds : Nat deriving DecidableEq, Repr @@ -294,7 +294,7 @@ abbrev mkTrackerList := TrackerList.mk /-- TrackingReport (matches Coq: Record TrackingReport) -/ structure TrackingReport where tr_blocked_count : Nat - tr_tracker_domains : List + tr_tracker_domains : List Nat tr_report_available : Bool deriving DecidableEq, Repr /-- Coq constructor alias for TrackingReport. -/ 
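Review bot: `PrivacyState.app_tracking_requests`, `approved_tracking` and `denied_tracking` are typed with the placeholder `List Nat`, but the code that consumes them tests membership of pairs — `In (aid, uid) (approved_tracking ps)` in `privacy_state_well_formed` and `In (app_id app, user_id user) (denied_tracking ps)` in `denied_tracking_not_approved` — so these three fields must be `List (Nat × Nat)` for the file to typecheck. The uniform `List Nat` looks like the transpiler filling every missing element type with the same default; for the other records in this hunk (`tracking_data`, `ld_tracking_params`, `dg_identifiers_collected`, `tl_entries`, `tr_tracker_domains`) that may be harmless, but each placeholder should carry a marker such as `-- TODO(transpiler): element type not recovered from Coq, Nat assumed` until the real type is restored, since a wrong placeholder silently changes what the theorems quantify over.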
@@ -302,21 +302,21 @@ abbrev mkTrackingReport := TrackingReport.mk /-- consent_scope_invariant (matches Coq: Definition consent_scope_invariant) -/ def consent_scope_invariant (user : User) : Prop := - (consent_scope user <> []) <→ (tracking_consent_given user = true) + (consent_scope user ≠ []) <→ (tracking_consent_given user = true) /-- explicit_consent (matches Coq: Definition explicit_consent) -/ def explicit_consent (user : User) (app : Application) : Prop := - tracking_consent_given user = true /\ + tracking_consent_given user = true ∧ In (app_id app) (consent_scope user) /-- tracks (matches Coq: Definition tracks) -/ def tracks (app : Application) (user : User) : Prop := - tracking_enabled app = true /\ + tracking_enabled app = true ∧ explicit_consent user app /-- privacy_state_well_formed (matches Coq: Definition privacy_state_well_formed) -/ def privacy_state_well_formed (ps : PrivacyState) : Prop := - tracking_transparency_enabled ps = true /\ + tracking_transparency_enabled ps = true ∧ forall aid uid, In (aid, uid) (approved_tracking ps) → In (aid, uid) (app_tracking_requests ps) @@ -341,7 +341,7 @@ def tracking_event_well_formed (event : TrackingEvent) : Prop := /-- cross_site_tracking_blocked (matches Coq: Definition cross_site_tracking_blocked) -/ def cross_site_tracking_blocked (csr : CrossSiteRequest) : Prop := - csr_source_domain csr <> csr_target_domain csr → + csr_source_domain csr ≠ csr_target_domain csr → csr_has_tracking_params csr = true → csr_blocked csr = true 
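Review bot: `consent_scope_invariant` still reads `(consent_scope user ≠ []) <→ (tracking_consent_given user = true)`; `<→` is neither Coq's `<->` nor Lean's `↔`, so this definition does not parse even after the `<>` → `≠` fix on the same line. It should be `(consent_scope user ≠ []) ↔ (tracking_consent_given user = true)`. This invariant is what ties a non-empty consent scope to the consent flag that `explicit_consent` and `tracks` check, so until it parses nothing downstream can rely on it; the generator's operator table presumably maps `<->` only half-way and should be fixed there rather than by hand here.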
@@ -368,7 +368,7 @@ def app_tracking_permission_required (atr : AppTrackingRequest) : Prop := /-- link_decoration_stripped (matches Coq: Definition link_decoration_stripped) -/ def link_decoration_stripped (ld : LinkDecoration) : Prop := - ld_tracking_params ld <> [] → ld_stripped ld = true + ld_tracking_params ld ≠ [] → ld_stripped ld = true /-- bounce_tracking_prevented (matches Coq: Definition bounce_tracking_prevented) -/ def bounce_tracking_prevented (bt : BounceTracking) : Prop := @@ -380,16 +380,16 @@ def cname_cloaking_detected (cr : CNAMERecord) : Prop := /-- storage_access_partitioned (matches Coq: Definition storage_access_partitioned) -/ def storage_access_partitioned (sa : StorageAccess) : Prop := - sa_origin sa <> sa_top_level_origin sa → sa_partitioned sa = true + sa_origin sa ≠ sa_top_level_origin sa → sa_partitioned sa = true /-- referrer_policy_strict (matches Coq: Definition referrer_policy_strict) -/ def referrer_policy_strict (rc : ReferrerConfig) : Prop := - ref_is_strict rc = true /\ - (ref_policy rc = NoReferrer \/ ref_policy rc = StrictOrigin) + ref_is_strict rc = true ∧ + (ref_policy rc = NoReferrer ∨ ref_policy rc = StrictOrigin) /-- ip_address_masked (matches Coq: Definition ip_address_masked) -/ def ip_address_masked (nr : NetworkRequest) : Prop := - nr_ip_masked nr = true \/ nr_uses_relay nr = true + nr_ip_masked nr = true ∨ nr_uses_relay nr = true /-- device_graph_prevented (matches Coq: Definition device_graph_prevented) -/ def device_graph_prevented (dg : DeviceGraphAttempt) : Prop := @@ -398,7 +398,7 @@ def device_graph_prevented (dg : DeviceGraphAttempt) : Prop := /-- tracker_list_updated (matches Coq: Definition tracker_list_updated) -/ def tracker_list_updated (tl : TrackerList) : Prop := - tl_last_updated tl > 0 /\ tl_entries tl <> [] + tl_last_updated tl > 0 ∧ tl_entries tl ≠ [] /-- tracking_report_available (matches Coq: Definition tracking_report_available) -/ def tracking_report_available (tr : TrackingReport) : Prop := 
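Review bot: `ip_address_masked` is a disjunction, so a request with `nr_ip_masked nr = false` counts as masked purely because `nr_uses_relay nr = true`; the later `ip_masked_via_relay` theorem is then true by definition rather than by any property of the relay. That is a defensible modelling choice but it should be stated, e.g. `/-- ip_address_masked (matches Coq). NOTE: relay use is assumed to mask the client IP; this encodes that assumption, it does not derive it. -/`. The same caveat applies to `storage_access_partitioned` and `link_decoration_stripped` in this hunk, whose consequents (`sa_partitioned`, `ld_stripped`) are environment-supplied flags rather than derived facts.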
@@ -413,11 +413,11 @@ theorem tracking_requires_transparency_prompt : ∀ (ps : PrivacyState) (app : A simp_all [Bool.and_eq_true] /-- denied_tracking_not_approved (matches Coq) -/ -theorem denied_tracking_not_approved : ∀ (ps : PrivacyState) (app : Application) (user : User), In (app_id app, user_id user) (denied_tracking ps) → ~ In (app_id app, user_id user) (approved_tracking ps) → tracking_allowed ps app user = false := by +theorem denied_tracking_not_approved : ∀ (ps : PrivacyState) (app : Application) (user : User), In (app_id app, user_id user) (denied_tracking ps) → ¬In (app_id app, user_id user) (approved_tracking ps) → tracking_allowed ps app user = false := by cases ‹_› <;> simp /-- consent_revocation_effective (matches Coq) -/ -theorem consent_revocation_effective : ∀ (user_before user_after : User) (app : Application), explicit_consent user_before app → tracking_consent_given user_after = false → user_id user_before = user_id user_after → ~ explicit_consent user_after app := by +theorem consent_revocation_effective : ∀ (user_before user_after : User) (app : Application), explicit_consent user_before app → tracking_consent_given user_after = false → user_id user_before = user_id user_after → ¬explicit_consent user_after app := by simp_all [Bool.and_eq_true] /-- no_consent_no_data (matches Coq) -/ 
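Review bot: `denied_tracking_not_approved` only concludes `tracking_allowed ps app user = false` under the extra hypothesis `¬In (app_id app, user_id user) (approved_tracking ps)`, so it says nothing about a pair that appears in both `denied_tracking` and `approved_tracking` — the theorem does not establish that denial takes precedence. If `tracking_allowed` is deny-first that hypothesis can simply be dropped; otherwise `privacy_state_well_formed` should gain a disjointness conjunct such as `∀ aid uid, In (aid, uid) (denied_tracking ps) → ¬In (aid, uid) (approved_tracking ps)` so the ambiguous state is ruled out by the invariant. `tracking_allowed` is defined outside this hunk, so which case applies is not visible here.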
@@ -497,11 +497,11 @@ theorem no_tracking_without_permission_request : ∀ (atr : AppTrackingRequest), rfl /-- revocation_prevents_future_tracking (matches Coq) -/ -theorem revocation_prevents_future_tracking : ∀ (user : User) (app : Application), tracking_consent_given user = false → ~ tracks app user := by +theorem revocation_prevents_future_tracking : ∀ (user : User) (app : Application), tracking_consent_given user = false → ¬tracks app user := by simp_all [Bool.and_eq_true] /-- ip_masked_via_relay (matches Coq) -/ theorem ip_masked_via_relay : ∀ (nr : NetworkRequest), nr_uses_relay nr = true → ip_address_masked nr := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.TrackingPrevention diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/UIComponents.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/UIComponents.lean index c105ced3..19f6d683 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/UIComponents.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/UIComponents.lean @@ -85,7 +85,7 @@ Generated by scripts/generate-multiprover.py | text_field_length_bounded | text_field_length_bounded | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.UIComponents /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -93,20 +93,22 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs /-- ScreenState (matches Coq: Inductive ScreenState) -/ inductive ScreenState where @@ -138,7 +140,7 @@ structure UIElement where element_id : Nat element_visible : Bool element_enabled : Bool - element_accessibility_label : Option + element_accessibility_label : Option Nat element_voiceover_navigable : Bool deriving DecidableEq, Repr /-- Coq constructor alias for UIElement. -/ 
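Review bot: The new `In` shim is a plain `def` returning `Prop`, so `simp`, `simp_all` and `omega` treat `In x xs` as an opaque atom and never see the underlying `x ∈ xs`; `@[inline]` has no effect on a `Prop`-valued definition and does not help reduction either. Unless every proof touching membership unfolds it by hand, declare it `abbrev In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs`, or keep the `def` and add `@[simp] theorem In_iff (x : α) (xs : List α) : In x xs ↔ x ∈ xs := Iff.rfl`. The same consideration applies to the `length`/`forallb`/`existsb` shims just above, which later theorems compare with `<=` and expect `simp`/`omega` to see through.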
@@ -148,7 +150,7 @@ abbrev mkUIElement := UIElement.mk structure Screen where screen_id : Nat screen_state : ScreenState - screen_elements : List + screen_elements : List Nat deriving DecidableEq, Repr /-- Coq constructor alias for Screen. -/ abbrev mkScreen := Screen.mk @@ -175,7 +177,7 @@ abbrev mkButton := Button.mk /-- TextField (matches Coq: Record TextField) -/ structure TextField where tf_id : Nat - tf_input : List + tf_input : List Nat tf_max_length : Nat tf_sanitized : Bool deriving DecidableEq, Repr @@ -242,7 +244,7 @@ abbrev mkProgressBar := ProgressBar.mk /-- TabBar (matches Coq: Record TabBar) -/ structure TabBar where - tb_tabs : List + tb_tabs : List Nat tb_selected_index : Nat tb_selection_exclusive : Bool deriving DecidableEq, Repr @@ -251,7 +253,7 @@ abbrev mkTabBar := TabBar.mk /-- NavigationStack (matches Coq: Record NavigationStack) -/ structure NavigationStack where - ns_stack : List + ns_stack : List Nat ns_stack_valid : Bool deriving DecidableEq, Repr /-- Coq constructor alias for NavigationStack. -/ @@ -270,7 +272,7 @@ abbrev mkAlertDialog := AlertDialog.mk /-- ActionSheet (matches Coq: Record ActionSheet) -/ structure ActionSheet where as_id : Nat - as_actions : List + as_actions : List Nat as_dismissible : Bool as_cancel_available : Bool deriving DecidableEq, Repr @@ -299,7 +301,7 @@ abbrev mkColorPicker := ColorPicker.mk /-- SearchBar (matches Coq: Record SearchBar) -/ structure SearchBar where - sb_query : List + sb_query : List Nat sb_last_search_ms : Nat sb_debounce_ms : Nat sb_current_ms : Nat @@ -337,7 +339,7 @@ def valid_state_transition (from to : ScreenState) : Bool := /-- valid_source_state (matches Coq: Definition valid_source_state) -/ def valid_source_state (t : Transition) : Prop := - trans_valid t = true /\ + trans_valid t = true ∧ valid_state_transition (trans_from t) (trans_to t) = true /-- apply_transition (matches Coq: Definition apply_transition) -/ 
@@ -354,7 +356,7 @@ def valid_target_state (s : Screen) : Prop := /-- accessible_element (matches Coq: Definition accessible_element) -/ def accessible_element (e : UIElement) : Prop := - visible e → has_accessibility_label e /\ navigable_by_voiceover e + visible e → has_accessibility_label e ∧ navigable_by_voiceover e /-- well_formed_accessible_ui (matches Coq: Definition well_formed_accessible_ui) -/ def well_formed_accessible_ui (elements : List UIElement) : Prop := 
@@ -362,70 +364,70 @@ def well_formed_accessible_ui (elements : List UIElement) : Prop := /-- button_state_valid (matches Coq: Definition button_state_valid) -/ def button_state_valid (b : Button) : Prop := - (btn_enabled b = false → btn_state b = BtnDisabled) /\ - (btn_enabled b = true → btn_state b <> BtnDisabled) + (btn_enabled b = false → btn_state b = BtnDisabled) ∧ + (btn_enabled b = true → btn_state b ≠ BtnDisabled) /-- text_field_input_sanitized (matches Coq: Definition text_field_input_sanitized) -/ def text_field_input_sanitized (tf : TextField) : Prop := - tf_sanitized tf = true /\ List.length (tf_input tf) <= tf_max_length tf + tf_sanitized tf = true ∧ List.length (tf_input tf) <= tf_max_length tf /-- list_view_recycling_correct (matches Coq: Definition list_view_recycling_correct) -/ def list_view_recycling_correct (lv : ListView) : Prop := - lv_recycling_correct lv = true /\ + lv_recycling_correct lv = true ∧ lv_visible_items lv <= lv_total_items lv /-- scroll_view_bounds_checked (matches Coq: Definition scroll_view_bounds_checked) -/ def scroll_view_bounds_checked (sv : ScrollView) : Prop := - sv_bounds_checked sv = true /\ + sv_bounds_checked sv = true ∧ sv_content_offset sv <= sv_content_size sv /-- image_view_loading_handled (matches Coq: Definition image_view_loading_handled) -/ def image_view_loading_handled (iv : ImageView) : Prop := - iv_loading_handled iv = true /\ + iv_loading_handled iv = true ∧ (iv_load_state iv = ImgLoading → iv_placeholder_shown iv = true) /-- switch_toggle_atomic (matches Coq: Definition switch_toggle_atomic) -/ def switch_toggle_atomic (sw : SwitchToggle) : Prop := - sw_atomic sw = true /\ - (sw_transitioning sw = false → (sw_on sw = true \/ sw_on sw = false)) + sw_atomic sw = true ∧ + (sw_transitioning sw = false → (sw_on sw = true ∨ sw_on sw = false)) /-- slider_value_bounded (matches Coq: Definition slider_value_bounded) -/ def slider_value_bounded (s : Slider) : Prop := - sl_min_value s <= sl_value s /\ sl_value s 
<= sl_max_value s + sl_min_value s <= sl_value s ∧ sl_value s <= sl_max_value s /-- progress_bar_monotonic (matches Coq: Definition progress_bar_monotonic) -/ def progress_bar_monotonic (pb : ProgressBar) : Prop := - pb_monotonic pb = true /\ - pb_previous pb <= pb_current pb /\ + pb_monotonic pb = true ∧ + pb_previous pb <= pb_current pb ∧ pb_current pb <= pb_max pb /-- tab_bar_selection_exclusive (matches Coq: Definition tab_bar_selection_exclusive) -/ def tab_bar_selection_exclusive (tb : TabBar) : Prop := - tb_selection_exclusive tb = true /\ + tb_selection_exclusive tb = true ∧ tb_selected_index tb < List.length (tb_tabs tb) /-- navigation_stack_valid (matches Coq: Definition navigation_stack_valid) -/ def navigation_stack_valid (ns : NavigationStack) : Prop := - ns_stack_valid ns = true /\ ns_stack ns <> [] + ns_stack_valid ns = true ∧ ns_stack ns ≠ [] /-- alert_dialog_modal (matches Coq: Definition alert_dialog_modal) -/ def alert_dialog_modal (ad : AlertDialog) : Prop := - ad_modal ad = true /\ ad_blocking_input ad = true + ad_modal ad = true ∧ ad_blocking_input ad = true /-- action_sheet_dismissible (matches Coq: Definition action_sheet_dismissible) -/ def action_sheet_dismissible (a : ActionSheet) : Prop := - as_dismissible a = true /\ as_cancel_available a = true + as_dismissible a = true ∧ as_cancel_available a = true /-- date_picker_range_valid (matches Coq: Definition date_picker_range_valid) -/ def date_picker_range_valid (dp : DatePicker) : Prop := - dp_range_valid dp = true /\ - dp_min_date dp <= dp_selected dp /\ + dp_range_valid dp = true ∧ + dp_min_date dp <= dp_selected dp ∧ dp_selected dp <= dp_max_date dp /-- color_picker_gamut_valid (matches Coq: Definition color_picker_gamut_valid) -/ def color_picker_gamut_valid (cp : ColorPicker) : Prop := - cp_gamut_valid cp = true /\ - cp_red cp <= 255 /\ cp_green cp <= 255 /\ cp_blue cp <= 255 + cp_gamut_valid cp = true ∧ + cp_red cp <= 255 ∧ cp_green cp <= 255 ∧ cp_blue cp <= 255 /-- 
search_bar_input_debounced (matches Coq: Definition search_bar_input_debounced) -/ def search_bar_input_debounced (sb : SearchBar) : Prop := @@ -535,4 +537,4 @@ theorem action_sheet_has_cancel : ∀ (a : ActionSheet), action_sheet_dismissibl theorem text_field_length_bounded : ∀ (tf : TextField), text_field_input_sanitized tf → List.length (tf_input tf) ≤ tf_max_length tf := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.UIComponents diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/VoiceAssistant.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/VoiceAssistant.lean index ea4dc6d0..070d562a 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/VoiceAssistant.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/VoiceAssistant.lean @@ -78,7 +78,7 @@ Generated by scripts/generate-multiprover.py | accessibility_labels_complete | accessibility_labels_complete | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.VoiceAssistant /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
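Review bot: In `switch_toggle_atomic` the second conjunct `(sw_transitioning sw = false → (sw_on sw = true ∨ sw_on sw = false))` is a tautology on `Bool`, so the predicate collapses to `sw_atomic sw = true` and anything proved from it merely restates that flag. If the intent was "no intermediate state while not transitioning", the record needs a field that can actually be constrained; otherwise drop the conjunct or mark it `-- vacuous: Bool is two-valued`. Likewise `text_field_input_sanitized` bounds only `List.length (tf_input tf)` while sanitisation itself is the bare flag `tf_sanitized tf = true`, so the docstring should say that `text_field_length_bounded` is the only content property the model proves.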
@@ -86,15 +86,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -160,7 +160,7 @@ abbrev mkAudioLifecycle := AudioLifecycle.mk /-- VoiceCommand (matches Coq: Record VoiceCommand) -/ structure VoiceCommand where - vc_transcript : List + vc_transcript : List Nat vc_intent : VoiceIntent vc_intent_validated : Bool vc_confidence : Nat @@ -171,7 +171,7 @@ abbrev mkVoiceCommand := VoiceCommand.mk /-- SpeechRecognition (matches Coq: Record SpeechRecognition) -/ structure SpeechRecognition where sr_language : Nat - sr_supported_languages : List + sr_supported_languages : List Nat sr_language_supported : Bool deriving DecidableEq, Repr /-- Coq constructor alias for SpeechRecognition. -/ 
@@ -199,7 +199,7 @@ abbrev mkVoicePerm := VoicePermission.mk /-- ConversationContext (matches Coq: Record ConversationContext) -/ structure ConversationContext where - cc_turns : List + cc_turns : List Nat cc_max_turns : Nat cc_context_bounded : Bool deriving DecidableEq, Repr @@ -296,7 +296,7 @@ def private_voice_system : Prop := /-- voice_data_processed_locally (matches Coq: Definition voice_data_processed_locally) -/ def voice_data_processed_locally (vp : VoiceProcessing) : Prop := - vp_processed_locally vp = true /\ vp_data_sent_to_server vp = false + vp_processed_locally vp = true ∧ vp_data_sent_to_server vp = false /-- wake_word_on_device (matches Coq: Definition wake_word_on_device) -/ def wake_word_on_device (ww : WakeWordDetector) : Prop := @@ -304,7 +304,7 @@ def wake_word_on_device (ww : WakeWordDetector) : Prop := /-- not_always_listening (matches Coq: Definition not_always_listening) -/ def not_always_listening (ww : WakeWordDetector) : Prop := - ww_always_listening ww = false /\ ww_buffer_size_ms ww <= ww_max_buffer_ms ww + ww_always_listening ww = false ∧ ww_buffer_size_ms ww <= ww_max_buffer_ms ww /-- audio_deleted_after_processing (matches Coq: Definition audio_deleted_after_processing) -/ def audio_deleted_after_processing (al : AudioLifecycle) : Prop := 
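Review bot: `not_always_listening` bounds `ww_buffer_size_ms ww` only by the record's own `ww_max_buffer_ms ww`, which nothing constrains, so a detector with an enormous `ww_max_buffer_ms` satisfies the predicate while buffering audio indefinitely — the "not always listening" claim is only as strong as a field the model does not pin down. `nfc_range_limited` in the wireless file shows the pattern: add a constant ceiling, e.g. `ww_buffer_size_ms ww <= ww_max_buffer_ms ww ∧ ww_max_buffer_ms ww <= WAKE_WORD_MAX_BUFFER_MS`, with the constant defined and documented alongside the other bounds. `voice_data_processed_locally` in the same hunk is fine as a flag pair, but its docstring should note that `vp_data_sent_to_server vp = false` is an input assumption, not something derived from the processing model.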
@@ -312,52 +312,52 @@ def audio_deleted_after_processing (al : AudioLifecycle) : Prop := /-- voice_command_intent_validated (matches Coq: Definition voice_command_intent_validated) -/ def voice_command_intent_validated (vc : VoiceCommand) : Prop := - vc_intent_validated vc = true /\ vc_intent vc <> UnknownIntent + vc_intent_validated vc = true ∧ vc_intent vc ≠ UnknownIntent /-- speech_recognition_language_supported (matches Coq: Definition speech_recognition_language_supported) -/ def speech_recognition_language_supported (sr : SpeechRecognition) : Prop := - sr_language_supported sr = true /\ In (sr_language sr) (sr_supported_languages sr) + sr_language_supported sr = true ∧ In (sr_language sr) (sr_supported_languages sr) /-- voice_feedback_appropriate (matches Coq: Definition voice_feedback_appropriate) -/ def voice_feedback_appropriate (vf : VoiceFeedback) : Prop := - vf_appropriate vf = true /\ vf_volume_level vf <= vf_max_volume vf + vf_appropriate vf = true ∧ vf_volume_level vf <= vf_max_volume vf /-- voice_permission_explicit (matches Coq: Definition voice_permission_explicit) -/ def voice_permission_explicit (vp : VoicePermission) : Prop := - vperm_explicit vp = true /\ - vperm_microphone_granted vp = true /\ + vperm_explicit vp = true ∧ + vperm_microphone_granted vp = true ∧ vperm_speech_granted vp = true /-- conversation_context_bounded (matches Coq: Definition conversation_context_bounded) -/ def conversation_context_bounded (cc : ConversationContext) : Prop := - cc_context_bounded cc = true /\ + cc_context_bounded cc = true ∧ length (cc_turns cc) <= cc_max_turns cc /-- voice_authentication_secure (matches Coq: Definition voice_authentication_secure) -/ def voice_authentication_secure (va : VoiceAuth) : Prop := - va_voiceprint_match va = true /\ va_confidence va >= va_min_confidence va + va_voiceprint_match va = true ∧ va_confidence va >= va_min_confidence va /-- noise_cancellation_bounded (matches Coq: Definition noise_cancellation_bounded) -/ def 
noise_cancellation_bounded (nc : NoiseCancellation) : Prop := - nc_improvement_bounded nc = true /\ nc_output_snr nc >= nc_input_snr nc + nc_improvement_bounded nc = true ∧ nc_output_snr nc >= nc_input_snr nc /-- voice_synthesis_quality_bounded (matches Coq: Definition voice_synthesis_quality_bounded) -/ def voice_synthesis_quality_bounded (vs : VoiceSynthesis) : Prop := - vs_synthesis_complete vs = true /\ vs_quality_score vs >= vs_min_quality vs + vs_synthesis_complete vs = true ∧ vs_quality_score vs >= vs_min_quality vs /-- voice_command_undo_available (matches Coq: Definition voice_command_undo_available) -/ def voice_command_undo_available (vu : VoiceUndo) : Prop := - vu_undoable vu = true /\ vu_undo_window_seconds vu > 0 + vu_undoable vu = true ∧ vu_undo_window_seconds vu > 0 /-- accessibility_voice_control_complete (matches Coq: Definition accessibility_voice_control_complete) -/ def accessibility_voice_control_complete (avc : AccessibilityVoiceControl) : Prop := - avc_enabled avc = true /\ - avc_all_elements_reachable avc = true /\ + avc_enabled avc = true ∧ + avc_all_elements_reachable avc = true ∧ avc_labels_complete avc = true /-- dictation_privacy_mode (matches Coq: Definition dictation_privacy_mode) -/ def dictation_privacy_mode (dm : DictationMode) : Prop := - dm_privacy_mode dm = true /\ dm_server_processing dm = false + dm_privacy_mode dm = true ∧ dm_server_processing dm = false /-- voice_recognition_accurate (matches Coq) -/ theorem voice_recognition_accurate : ∀ (result : RecognitionResult), accurate_voice_system result → recog_confidence result ≥ 90 := by @@ -455,4 +455,4 @@ theorem voice_undo_window_positive : ∀ (vu : VoiceUndo), voice_command_undo_av theorem accessibility_labels_complete : ∀ (avc : AccessibilityVoiceControl), accessibility_voice_control_complete avc → avc_labels_complete avc = true := by intro h; exact h -end RIINA +end RIINA.Domains.MobileOS.VoiceAssistant 
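Review bot: `voice_authentication_secure` requires only `va_confidence va >= va_min_confidence va`, where `va_min_confidence` is a per-record field with no floor, so a `VoiceAuth` with `va_min_confidence = 0` is "secure" at any confidence. `voice_recognition_accurate` in the same file pins a constant (`recog_confidence result ≥ 90`); the authentication predicate gates access rather than recognition quality and should at least do the same, e.g. `va_voiceprint_match va = true ∧ va_confidence va >= va_min_confidence va ∧ va_min_confidence va >= VOICE_AUTH_MIN_CONFIDENCE`. The docstring should also state that `va_voiceprint_match` is an input flag from the matcher, not something the model derives.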
diff --git a/02_FORMAL/lean/RIINA/Domains/MobileOS/WirelessProtocols.lean b/02_FORMAL/lean/RIINA/Domains/MobileOS/WirelessProtocols.lean index f1f63bc5..ff099a43 100644 --- a/02_FORMAL/lean/RIINA/Domains/MobileOS/WirelessProtocols.lean +++ b/02_FORMAL/lean/RIINA/Domains/MobileOS/WirelessProtocols.lean @@ -73,7 +73,7 @@ Generated by scripts/generate-multiprover.py | coexistence_interference_bounded | coexistence_interference_bounded | OK | -/ -namespace RIINA +namespace RIINA.Domains.MobileOS.WirelessProtocols /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b @@ -81,15 +81,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 
@@ -185,7 +185,7 @@ abbrev mkAirDrop := AirDropSession.mk
 /-- BTServiceDiscovery (matches Coq: Record BTServiceDiscovery) -/
 structure BTServiceDiscovery where
- bt_services_found : List
+ bt_services_found : List Nat
 bt_discovery_timeout_ms : Nat
 bt_max_services : Nat
 deriving DecidableEq, Repr
@@ -241,7 +241,7 @@ abbrev mkNFCEmulation := NFCEmulation.mk
 /-- WirelessCoexistence (matches Coq: Record WirelessCoexistence) -/
 structure WirelessCoexistence where
- active_protocols : List
+ active_protocols : List Nat
 coexistence_managed : Bool
 interference_level : Nat
 max_interference : Nat
@@ -251,12 +251,12 @@ abbrev mkCoexistence := WirelessCoexistence.mk
 /-- secure_connection (matches Coq: Definition secure_connection) -/
 def secure_connection (c : WirelessConnection) : Prop :=
- conn_encrypted c = true /\ conn_authenticated c = true
+ conn_encrypted c = true ∧ conn_authenticated c = true
 /-- protocol_secure (matches Coq: Definition protocol_secure) -/
 def protocol_secure (c : WirelessConnection) : Prop :=
 match conn_protocol c with
- | WiFi => conn_security c = WPA3 \/ conn_security c = WPA2
+ | WiFi => conn_security c = WPA3 ∨ conn_security c = WPA2
 | Bluetooth => conn_security c = SecureBLE
 | NFC => conn_security c = SecureNFC
 | UWB => conn_security c = SecureUWB
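Review bot: `bt_services_found : List Nat` and `active_protocols : List Nat` repair the missing element type, but `Nat` is a hand-made choice and the element type of the Coq `Record BTServiceDiscovery` / `Record WirelessCoexistence` is not visible in these hunks; confirm it against the Coq source and record the decision next to the field, e.g. `-- element type Nat chosen by hand; confirm against the Coq record`. These files carry a `Generated by scripts/generate-multiprover.py` header, so this and the `/\` → `∧` rewrites across the patch will be lost on the next regeneration unless the generator itself is taught to emit them; the same applies to the `need_to_know : List Nat` change in IndustryMilitary. The `WirelessCoexistence` structure continues past the end of its hunk.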
@@ -267,15 +267,15 @@ def well_formed_wireless (c : WirelessConnection) : Prop :=
 /-- bt_pairing_authenticated (matches Coq: Definition bt_pairing_authenticated) -/
 def bt_pairing_authenticated (bp : BluetoothPairing) : Prop :=
- bt_authenticated bp = true /\ bt_pairing_method bp > 0
+ bt_authenticated bp = true ∧ bt_pairing_method bp > 0
 /-- wifi_connection_encrypted (matches Coq: Definition wifi_connection_encrypted) -/
 def wifi_connection_encrypted (wc : WiFiConnection) : Prop :=
- wifi_encrypted wc = true /\ (wifi_security wc = WPA3 \/ wifi_security wc = WPA2)
+ wifi_encrypted wc = true ∧ (wifi_security wc = WPA3 ∨ wifi_security wc = WPA2)
 /-- nfc_range_limited (matches Coq: Definition nfc_range_limited) -/
 def nfc_range_limited (tx : NFCTransaction) : Prop :=
- nfc_range_cm tx <= nfc_max_range_cm tx /\ nfc_max_range_cm tx <= 10
+ nfc_range_cm tx <= nfc_max_range_cm tx ∧ nfc_max_range_cm tx <= 10
 /-- uwb_distance_accurate (matches Coq: Definition uwb_distance_accurate) -/
 def uwb_distance_accurate (ur : UWBRanging) : Prop :=
@@ -291,7 +291,7 @@ def wifi_password_secure (wc : WiFiConnection) : Prop :=
 /-- airdrop_permitted (matches Coq: Definition airdrop_permitted) -/
 def airdrop_permitted (a : AirDropSession) : Prop :=
- airdrop_permission_granted a = true /\ airdrop_encrypted a = true
+ airdrop_permission_granted a = true ∧ airdrop_encrypted a = true
 /-- bt_discovery_bounded (matches Coq: Definition bt_discovery_bounded) -/
 def bt_discovery_bounded (sd : BTServiceDiscovery) : Prop :=
@@ -307,23 +307,23 @@ def nfc_transaction_atomic (tx : NFCTransaction) : Prop :=
 /-- uwb_anchor_is_validated (matches Coq: Definition uwb_anchor_is_validated) -/
 def uwb_anchor_is_validated (a : UWBAnchor) : Prop :=
- anchor_validated a = true /\ anchor_certificate a > 0
+ anchor_validated a = true ∧ anchor_certificate a > 0
 /-- bt_connection_has_timeout (matches Coq: Definition bt_connection_has_timeout) -/
 def bt_connection_has_timeout (bc : BTConnection) : Prop :=
- bt_conn_timeout_ms bc <= bt_conn_max_timeout_ms bc /\ bt_conn_timeout_ms bc > 0
+ bt_conn_timeout_ms bc <= bt_conn_max_timeout_ms bc ∧ bt_conn_timeout_ms bc > 0
 /-- wifi_roaming_is_seamless (matches Coq: Definition wifi_roaming_is_seamless) -/
 def wifi_roaming_is_seamless (wr : WiFiRoaming) : Prop :=
- roaming_seamless wr = true /\ roaming_encrypted wr = true
+ roaming_seamless wr = true ∧ roaming_encrypted wr = true
 /-- nfc_emulation_is_authorized (matches Coq: Definition nfc_emulation_is_authorized) -/
 def nfc_emulation_is_authorized (ne : NFCEmulation) : Prop :=
- nfc_emu_authorized ne = true /\ nfc_emu_secure_element ne = true
+ nfc_emu_authorized ne = true ∧ nfc_emu_secure_element ne = true
 /-- coexistence_is_managed (matches Coq: Definition coexistence_is_managed) -/
 def coexistence_is_managed (wc : WirelessCoexistence) : Prop :=
- coexistence_managed wc = true /\ interference_level wc <= max_interference wc
+ coexistence_managed wc = true ∧ interference_level wc <= max_interference wc
 /-- wifi_requires_wpa (matches Coq) -/
 theorem wifi_requires_wpa : ∀ (c : WirelessConnection), conn_protocol c = WiFi → protocol_secure c → conn_security c = WPA3 ∨ conn_security c = WPA2 := by
@@ -425,4 +425,4 @@ theorem wifi_roaming_preserves_encryption : ∀ (wr : WiFiRoaming), wifi_roaming
 theorem coexistence_interference_bounded : ∀ (wc : WirelessCoexistence), coexistence_is_managed wc → interference_level wc ≤ max_interference wc := by
 intro h; exact h
-end RIINA
+end RIINA.Domains.MobileOS.WirelessProtocols
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryAerospace.lean b/02_FORMAL/lean/RIINA/Industries/IndustryAerospace.lean
index cc33b5ad..4ef7a17d 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryAerospace.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryAerospace.lean
@@ -50,7 +50,7 @@ Generated by scripts/generate-multiprover.py
 | dal_max_objectives | dal_max_objectives | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryAerospace
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -58,15 +58,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -294,4 +294,4 @@ theorem dal_max_dominates_right : ∀ d1 d2, dal_le d2 (dal_max d1 d2) = true :=
 theorem dal_max_objectives : ∀ d1 d2, objectives_for_dal (dal_max d1 d2) ≥ objectives_for_dal d1 ∧ objectives_for_dal (dal_max d1 d2) ≥ objectives_for_dal d2 := by
 constructor <;> simp_all [Bool.and_eq_true]
-end RIINA
+end RIINA.Industries.IndustryAerospace
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryAgriculture.lean b/02_FORMAL/lean/RIINA/Industries/IndustryAgriculture.lean
index 46f12078..c46bcc9f 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryAgriculture.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryAgriculture.lean
@@ -49,7 +49,7 @@ Generated by scripts/generate-multiprover.py
 | all_controls_count_six | all_controls_count_six | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryAgriculture
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -57,15 +57,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -127,8 +127,7 @@ structure CertifiedFarm where
 farm_organic_certified : Bool
 farm_gps_lat : Nat
 farm_gps_lon : Nat
- farm_area_valid : farm_min_area
- deriving DecidableEq, Repr
+ farm_area_valid : farm_min_area ≤ farm_area_hectares
 /-- Coq constructor alias for CertifiedFarm. -/
 abbrev mkCertifiedFarm := CertifiedFarm.mk
@@ -140,8 +139,7 @@ structure TraceEntry where
 trace_processing_plant : Nat
 trace_timestamp : Nat
 trace_expiry : Nat
- trace_valid_dates : trace_timestamp
- deriving DecidableEq, Repr
+ trace_valid_dates : trace_timestamp ≤ trace_expiry
 /-- Coq constructor alias for TraceEntry. -/
 abbrev mkTraceEntry := TraceEntry.mk
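Review bot: Besides completing the truncated proof-field types, the `CertifiedFarm` and `TraceEntry` hunks silently drop `deriving DecidableEq, Repr`, while the structures patched elsewhere in this commit (`BTServiceDiscovery`, `WirelessCoexistence`) keep it; the same drop happens for `StudentRecord` in IndustryEducation. If the clause was removed because the derive handlers reject the new `≤` proof fields, say so at the structure, e.g. `-- no DecidableEq/Repr derive: the proof field farm_area_valid is not accepted by the handlers`; otherwise keep it so that any `==`/`decide` use of these records in other modules still elaborates. Either way `mkCertifiedFarm` and `mkTraceEntry` now take an extra proof argument, which the `Coq constructor alias` docstrings do not mention.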
@@ -277,15 +275,15 @@ theorem all_controls_implies_traceability : ∀ c, all_food_safety_controls c =
 /-- farm_area_meets_minimum (matches Coq) -/
 theorem farm_area_meets_minimum : ∀ f : CertifiedFarm, farm_min_area f ≤ farm_area_hectares f := by
- intro h; exact h
+ intro h; exact h.farm_area_valid
 /-- traceability_dates_valid (matches Coq) -/
 theorem traceability_dates_valid : ∀ t : TraceEntry, trace_timestamp t ≤ trace_expiry t := by
- intro h; exact h
+ intro h; exact h.trace_valid_dates
 /-- agri_effect_eq_refl (matches Coq) -/
-theorem agri_effect_eq_refl : ∀ e, agri_effect_eq_dec e e = left eq_refl → e = e := by
- rfl
+theorem agri_effect_eq_refl : ∀ (e : AgricultureEffect), e = e := by
+ intro _; rfl
 /-- risk_score_positive (matches Coq) -/
 theorem risk_score_positive : ∀ h, risk_score h ≥ 1 := by
@@ -303,4 +301,4 @@ theorem count_controls_bounded : ∀ c, count_food_controls c ≤ 6 := by
 theorem all_controls_count_six : ∀ c, all_food_safety_controls c = true → count_food_controls c = 6 := by
 cases ‹_› <;> simp
-end RIINA
+end RIINA.Industries.IndustryAgriculture
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryEducation.lean b/02_FORMAL/lean/RIINA/Industries/IndustryEducation.lean
index afc4367a..af766257 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryEducation.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryEducation.lean
@@ -50,7 +50,7 @@ Generated by scripts/generate-multiprover.py
 | directory_info_least_sensitive | directory_info_least_sensitive | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryEducation
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
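Review bot: `agri_effect_eq_refl` is restated as plain `∀ (e : AgricultureEffect), e = e`, dropping the `agri_effect_eq_dec e e = left eq_refl` premise of the Coq theorem, yet its docstring still says `(matches Coq)` and the header table will keep reporting it as OK; change the docstring to `/-- agri_effect_eq_refl (diverges from Coq: the agri_effect_eq_dec premise is dropped; the Lean statement is plain reflexivity) -/` so the deviation stays auditable. The `intro h; exact h.farm_area_valid` repair is right, but the original shape `intro h; exact h` (introducing the record as `h` and returning it as the proof) still appears on context lines of other hunks in this patch, e.g. `coexistence_interference_bounded` in WirelessProtocols and `accessibility_labels_complete` in VoiceAssistant, where the goal after `intro h` is still an implication and `h` is the record; unless those were fixed outside the shown hunks they look like they need an `intro _ h; exact h.2`-style proof.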
@@ -58,15 +58,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -80,6 +80,9 @@ private theorem andb_true_iff (a b : Bool) :
 · intro h; cases a <;> cases b <;> simp_all
 · intro ⟨ha, hb⟩; simp [ha, hb]
+/-- Coq compatibility: Nat less-than test -/
+def Nat.ltb (a b : Nat) : Bool := decide (a < b)
+
 /-- StudentData (matches Coq: Inductive StudentData) -/
 inductive StudentData where
 | EducationRecord : StudentData
@@ -125,9 +128,8 @@ structure StudentRecord where
 student_min_age : Nat
 student_grade_level : Nat
 student_max_grade : Nat
- student_age_valid : student_min_age
- student_grade_valid : student_grade_level
- deriving DecidableEq, Repr
+ student_age_valid : student_min_age ≤ student_age_years
+ student_grade_valid : student_grade_level ≤ student_max_grade
 /-- Coq constructor alias for StudentRecord. -/
 abbrev mkStudentRecord := StudentRecord.mk
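Review bot: `def Nat.ltb` is declared without the `@[inline]` every other shim in this file carries, and the same per-file `Nat.leb`/`Nat.eqb`/`Nat.ltb` definitions are repeated in IndustryEnergy, IndustryFinancial, IndustryGovernment, IndustryHealthcare, IndustryLegal, IndustryManufacturing, IndustryMedia and IndustryMilitary; a shared shim module, or emission by the generator, would avoid nine copies that can drift. They already differ: `Nat.eqb` is written as `a == b` while `Nat.leb`/`Nat.ltb` use `decide (…)`; `def Nat.eqb (a b : Nat) : Bool := decide (a = b)` keeps all three on the `decide` path so `simp`/`decide` treat them uniformly. Because these sit inside the module namespace they resolve as e.g. `RIINA.Industries.IndustryEducation.Nat.ltb`; a one-line comment such as `-- namespaced on purpose so it cannot collide with a root-level Nat.ltb` would tell the next reader this is intentional.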
@@ -264,11 +266,11 @@ theorem all_ferpa_implies_access : ∀ c, all_ferpa_controls c = true → access
 /-- student_age_meets_minimum (matches Coq) -/
 theorem student_age_meets_minimum : ∀ s : StudentRecord, student_min_age s ≤ student_age_years s := by
- intro h; exact h
+ intro h; exact h.student_age_valid
 /-- student_grade_within_bounds (matches Coq) -/
 theorem student_grade_within_bounds : ∀ s : StudentRecord, student_grade_level s ≤ student_max_grade s := by
- intro h; exact h
+ intro h; exact h.student_grade_valid
 /-- retention_positive (matches Coq) -/
 theorem retention_positive : ∀ d, retention_years d ≥ 3 := by
@@ -299,4 +301,4 @@ theorem adult_classified_correctly : ∀ n, n ≥ 18 → classify_student_age n
 theorem directory_info_least_sensitive : ∀ d, student_data_sensitivity DirectoryInfo ≤ student_data_sensitivity d := by
 cases ‹_› <;> simp <;> omega
-end RIINA
+end RIINA.Industries.IndustryEducation
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryEnergy.lean b/02_FORMAL/lean/RIINA/Industries/IndustryEnergy.lean
index a031a28e..d741c953 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryEnergy.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryEnergy.lean
@@ -50,7 +50,7 @@ Generated by scripts/generate-multiprover.py
 | high_medium_same_retention | high_medium_same_retention | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryEnergy
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -58,15 +58,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -80,6 +80,9 @@ private theorem andb_true_iff (a b : Bool) :
 · intro h; cases a <;> cases b <;> simp_all
 · intro ⟨ha, hb⟩; simp [ha, hb]
+/-- Coq compatibility: Nat less-or-equal test -/
+def Nat.leb (a b : Nat) : Bool := decide (a ≤ b)
+
 /-- CIP_Impact (matches Coq: Inductive CIP_Impact) -/
 inductive CIP_Impact where
 | High_Impact : CIP_Impact
@@ -295,4 +298,4 @@ theorem assessment_more_frequent_high : ∀ c1 c2, cip_le c1 c2 = true → asses
 theorem high_medium_same_retention : access_log_retention_days High_Impact = access_log_retention_days Medium_Impact := by
 rfl
-end RIINA
+end RIINA.Industries.IndustryEnergy
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryFinancial.lean b/02_FORMAL/lean/RIINA/Industries/IndustryFinancial.lean
index 3830a729..ff6db99f 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryFinancial.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryFinancial.lean
@@ -64,7 +64,7 @@ Generated by scripts/generate-multiprover.py
 | capital_ratio_check | capital_ratio_check | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryFinancial
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -72,15 +72,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -94,6 +94,11 @@ private theorem andb_true_iff (a b : Bool) :
 · intro h; cases a <;> cases b <;> simp_all
 · intro ⟨ha, hb⟩; simp [ha, hb]
+/-- Coq compatibility: Nat equality test -/
+def Nat.eqb (a b : Nat) : Bool := a == b
+/-- Coq compatibility: Nat less-or-equal test -/
+def Nat.leb (a b : Nat) : Bool := decide (a ≤ b)
+
 /-- FinancialData (matches Coq: Inductive FinancialData) -/
 inductive FinancialData where
 | PAN : FinancialData
@@ -251,7 +256,7 @@ theorem swift_csp_compliance : pci_cardholder_data PAN = true := by
 Reference: IND_C_FINANCIAL.md Section 3.3 Internal controls and audit trail together form a valid conjunction.
 /-- sox_404_compliance (matches Coq) -/
-theorem sox_404_compliance : ∀ (internal_controls : bool) (audit_trail : bool), internal_controls = true → audit_trail = true → internal_controls && audit_trail = true := by
+theorem sox_404_compliance : ∀ (internal_controls : Bool) (audit_trail : Bool), internal_controls = true → audit_trail = true → internal_controls && audit_trail = true := by
 rfl
 -- Section C04 - GLBA Safeguards Rule
@@ -379,4 +384,4 @@ theorem unfrozen_account_active : account_active false = true := by
 theorem capital_ratio_check : ∀ res liab pct, capital_adequate res liab pct = true → liab * pct ≤ res * 100 := by
 omega
-end RIINA
+end RIINA.Industries.IndustryFinancial
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryGovernment.lean b/02_FORMAL/lean/RIINA/Industries/IndustryGovernment.lean
index 68882f87..52fcfddc 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryGovernment.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryGovernment.lean
@@ -54,7 +54,7 @@ Generated by scripts/generate-multiprover.py
 | poam_bounded | poam_bounded | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryGovernment
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
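Review bot: `sox_404_compliance` is only retyped from `bool` to `Bool` here, but its proof stays `rfl` against a goal that still has two universally quantified `Bool`s and two hypotheses in front of the equation; the other hunk in this commit that met the same shape (`agri_effect_eq_refl`) had to switch to `intro _; rfl`, so if this file was not built as part of the change, `by intro a b ha hb; subst ha; subst hb; rfl` is the form that does not rely on `rfl` introducing binders. The two context lines `Reference: IND_C_FINANCIAL.md Section 3.3` and `Internal controls and audit trail together form a valid conjunction.` are not visibly inside a comment in this hunk; the opener may sit above it, but it is worth confirming they are not bare prose in the Lean file.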
@@ -62,15 +62,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -84,6 +84,11 @@ private theorem andb_true_iff (a b : Bool) :
 · intro h; cases a <;> cases b <;> simp_all
 · intro ⟨ha, hb⟩; simp [ha, hb]
+/-- Coq compatibility: Nat equality test -/
+def Nat.eqb (a b : Nat) : Bool := a == b
+/-- Coq compatibility: Nat less-or-equal test -/
+def Nat.leb (a b : Nat) : Bool := decide (a ≤ b)
+
 /-- FISMA_Impact (matches Coq: Inductive FISMA_Impact) -/
 inductive FISMA_Impact where
 | FISMA_Low : FISMA_Impact
@@ -323,4 +328,4 @@ theorem scan_frequency_decreasing : ∀ f1 f2, fisma_le f1 f2 = true → scan_fr
 theorem poam_bounded : ∀ f, poam_deadline_days f ≤ 180 := by
 cases ‹_› <;> simp <;> omega
-end RIINA
+end RIINA.Industries.IndustryGovernment
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryHealthcare.lean b/02_FORMAL/lean/RIINA/Industries/IndustryHealthcare.lean
index 84aa56fa..4ffa910b 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryHealthcare.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryHealthcare.lean
@@ -59,7 +59,7 @@ Generated by scripts/generate-multiprover.py
 | lab_range_bounded | lab_range_bounded | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryHealthcare
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -67,15 +67,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -89,6 +89,11 @@ private theorem andb_true_iff (a b : Bool) :
 · intro h; cases a <;> cases b <;> simp_all
 · intro ⟨ha, hb⟩; simp [ha, hb]
+/-- Coq compatibility: Nat less-or-equal test -/
+def Nat.leb (a b : Nat) : Bool := decide (a ≤ b)
+/-- Coq compatibility: Nat less-than test -/
+def Nat.ltb (a b : Nat) : Bool := decide (a < b)
+
 /-- PHI_Category (matches Coq: Inductive PHI_Category) -/
 inductive PHI_Category where
 | Demographics : PHI_Category
@@ -338,4 +343,4 @@ theorem dose_range_valid : ∀ dose min_d max_d, dose_in_range dose min_d max_d
 theorem lab_range_bounded : ∀ v lo hi, lab_in_normal_range v lo hi = true → lo ≤ v ∧ v ≤ hi := by
 simp_all [Bool.and_eq_true]
-end RIINA
+end RIINA.Industries.IndustryHealthcare
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryLegal.lean b/02_FORMAL/lean/RIINA/Industries/IndustryLegal.lean
index b9c9fb69..f268b902 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryLegal.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryLegal.lean
@@ -55,7 +55,7 @@ Generated by scripts/generate-multiprover.py
 | hold_bounds | hold_bounds | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryLegal
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -63,15 +63,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -85,6 +85,11 @@ private theorem andb_true_iff (a b : Bool) :
 · intro h; cases a <;> cases b <;> simp_all
 · intro ⟨ha, hb⟩; simp [ha, hb]
+/-- Coq compatibility: Nat equality test -/
+def Nat.eqb (a b : Nat) : Bool := a == b
+/-- Coq compatibility: Nat less-or-equal test -/
+def Nat.leb (a b : Nat) : Bool := decide (a ≤ b)
+
 /-- LegalData (matches Coq: Inductive LegalData) -/
 inductive LegalData where
 | AttorneyClientPrivilege : LegalData
@@ -314,4 +319,4 @@ theorem trust_balance_correct : ∀ b ct, trust_balanced b ct = true → b = ct
 theorem hold_bounds : ∀ hs ct he, litigation_hold_active hs ct he = true → hs ≤ ct ∧ ct ≤ he := by
 simp_all [Bool.and_eq_true]
-end RIINA
+end RIINA.Industries.IndustryLegal
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryManufacturing.lean b/02_FORMAL/lean/RIINA/Industries/IndustryManufacturing.lean
index b801e6b7..47891354 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryManufacturing.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryManufacturing.lean
@@ -56,7 +56,7 @@ Generated by scripts/generate-multiprover.py
 | patch_window_decreasing | patch_window_decreasing | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryManufacturing
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -64,15 +64,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -86,6 +86,9 @@ private theorem andb_true_iff (a b : Bool) :
 · intro h; cases a <;> cases b <;> simp_all
 · intro ⟨ha, hb⟩; simp [ha, hb]
+/-- Coq compatibility: Nat less-or-equal test -/
+def Nat.leb (a b : Nat) : Bool := decide (a ≤ b)
+
 /-- SecurityLevel (matches Coq: Inductive SecurityLevel) -/
 inductive SecurityLevel where
 | SL_0 : SecurityLevel
@@ -337,4 +340,4 @@ theorem business_level_not_ot : ot_isolated Level_4_Business = false := by
 theorem patch_window_decreasing : ∀ s1 s2, sl_le s1 s2 = true → patch_window_days s2 ≤ patch_window_days s1 := by
 cases ‹_› <;> simp <;> omega
-end RIINA
+end RIINA.Industries.IndustryManufacturing
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryMedia.lean b/02_FORMAL/lean/RIINA/Industries/IndustryMedia.lean
index cd1fa63d..2c67a1e8 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryMedia.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryMedia.lean
@@ -51,7 +51,7 @@ Generated by scripts/generate-multiprover.py
 | screener_bounded | screener_bounded | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryMedia
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -59,15 +59,15 @@ namespace RIINA
 @[inline] def andb (a b : Bool) : Bool := a && b
 /-- Coq compatibility shim: boolean disjunction -/
 @[inline] def orb (a b : Bool) : Bool := a || b
-/-- Coq compatibility shim: list universal predicate -/
+/-- Coq compatibility shim: List universal predicate -/
 @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f
-/-- Coq compatibility shim: list existential predicate -/
+/-- Coq compatibility shim: List existential predicate -/
 @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f
-/-- Coq compatibility shim: list length alias -/
+/-- Coq compatibility shim: List length alias -/
 @[inline] def length {α : Type} (xs : List α) : Nat := xs.length
-/-- Coq compatibility shim: list head option -/
+/-- Coq compatibility shim: List head option -/
 @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head?
-/-- Coq compatibility shim: list find option -/
+/-- Coq compatibility shim: List find option -/
 @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p
 /-- Coq compatibility shim: pair first projection -/
 @[inline] def fst {α β : Type} (p : α × β) : α := p.1
@@ -81,6 +81,9 @@ private theorem andb_true_iff (a b : Bool) :
 · intro h; cases a <;> cases b <;> simp_all
 · intro ⟨ha, hb⟩; simp [ha, hb]
+/-- Coq compatibility: Nat less-or-equal test -/
+def Nat.leb (a b : Nat) : Bool := decide (a ≤ b)
+
 /-- ContentType (matches Coq: Inductive ContentType) -/
 inductive ContentType where
 | PreRelease : ContentType
@@ -292,4 +295,4 @@ theorem viewing_bounded : ∀ v max_h, viewing_within_window v max_h = true →
 theorem screener_bounded : ∀ c mc, screener_count_valid c mc = true → c ≤ mc := by
 simp_all [Bool.and_eq_true]
-end RIINA
+end RIINA.Industries.IndustryMedia
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryMilitary.lean b/02_FORMAL/lean/RIINA/Industries/IndustryMilitary.lean
index eb00b64b..838dfb88 100644
--- a/02_FORMAL/lean/RIINA/Industries/IndustryMilitary.lean
+++ b/02_FORMAL/lean/RIINA/Industries/IndustryMilitary.lean
@@ -51,7 +51,7 @@ Generated by scripts/generate-multiprover.py
 | redundancy_monotone | redundancy_monotone | OK |
 -/
-namespace RIINA
+namespace RIINA.Industries.IndustryMilitary
 /-- Coq compatibility shim: boolean negation -/
 @[inline] def negb (b : Bool) : Bool := !b
@@ -59,20 +59,25 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 /-- Coq compatibility shim: pair second projection -/ @[inline] def snd {α β : Type} (p : α × β) : β := p.2 +/-- Coq compatibility: Nat equality test -/ +def Nat.eqb (a b : Nat) : Bool := a == b + +/-- Coq compatibility shim: List membership -/ +@[inline] def In {α : Type} (x : α) (xs : List α) : Prop := x ∈ xs /-- ClassificationLevel (matches Coq: Inductive ClassificationLevel) -/ inductive ClassificationLevel where @@ -95,7 +100,7 @@ inductive MilitaryEffect where /-- MilitarySecurityPolicy (matches Coq: Record MilitarySecurityPolicy) -/ structure MilitarySecurityPolicy where classification : ClassificationLevel - need_to_know : List + need_to_know : List Nat clearance_required : ClassificationLevel comsec_approved : Bool tempest_certified : Bool 
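Review bot: In the `@@ -95,7 +100,7 @@` hunk the element type of `need_to_know` is filled in as `Nat`, but nothing in the change shows that the Coq `Record MilitarySecurityPolicy` the docstring claims to match uses a natural-number compartment identifier; the transpiler dropped the argument of `list`, and choosing a type by hand risks proving theorems about a different policy than the one verified in Coq. Please take the element type from the Coq record and annotate the field, e.g. `need_to_know : List Nat  -- element type per Coq Record MilitarySecurityPolicy; TODO(review): confirm`. The `structure` body may continue past the hunk, so any other field whose type was also truncated should get the same treatment. Separately, `Nat.eqb` here (and in the Telecom `@@ -84,6 +84,11 @@` hunk) is defined as `a == b` while `Nat.leb`/`Nat.ltb` use `decide (…)`; `def Nat.eqb (a b : Nat) : Bool := decide (a = b)` keeps the shims uniform so `simp` reduces all of them through the same `decide` lemmas.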
@@ -291,4 +296,4 @@ theorem weapon_auth_requires_ts : ∀ c, weapon_system_authorized c = true → c theorem redundancy_monotone : ∀ c1 c2, class_le c1 c2 = true → redundancy_factor c1 ≤ redundancy_factor c2 := by cases ‹_› <;> simp <;> omega -end RIINA +end RIINA.Industries.IndustryMilitary diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryRealEstate.lean b/02_FORMAL/lean/RIINA/Industries/IndustryRealEstate.lean index 9ac3ad09..d7552acd 100644 --- a/02_FORMAL/lean/RIINA/Industries/IndustryRealEstate.lean +++ b/02_FORMAL/lean/RIINA/Industries/IndustryRealEstate.lean @@ -52,7 +52,7 @@ Generated by scripts/generate-multiprover.py | occupancy_bounded | occupancy_bounded | OK | -/ -namespace RIINA +namespace RIINA.Industries.IndustryRealEstate /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -60,15 +60,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -82,6 +82,11 @@ private theorem andb_true_iff (a b : Bool) : · intro h; cases a <;> cases b <;> simp_all · intro ⟨ha, hb⟩; simp [ha, hb] +/-- Coq compatibility: Nat less-or-equal test -/ +def Nat.leb (a b : Nat) : Bool := decide (a ≤ b) +/-- Coq compatibility: Nat less-than test -/ +def Nat.ltb (a b : Nat) : Bool := decide (a < b) + /-- PropertyData (matches Coq: Inductive PropertyData) -/ inductive PropertyData where | OwnerPII : PropertyData @@ -299,4 +304,4 @@ theorem firmware_no_downgrade : ∀ old_v new_v, firmware_version_valid old_v ne theorem occupancy_bounded : ∀ curr max_o, within_occupancy curr max_o = true → curr ≤ max_o := by simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Industries.IndustryRealEstate 
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryRetail.lean b/02_FORMAL/lean/RIINA/Industries/IndustryRetail.lean index 67fd277b..9f7f85fd 100644 --- a/02_FORMAL/lean/RIINA/Industries/IndustryRetail.lean +++ b/02_FORMAL/lean/RIINA/Industries/IndustryRetail.lean @@ -50,7 +50,7 @@ Generated by scripts/generate-multiprover.py | inventory_bounded | inventory_bounded | OK | -/ -namespace RIINA +namespace RIINA.Industries.IndustryRetail /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b @@ -58,15 +58,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 
@@ -80,6 +80,11 @@ private theorem andb_true_iff (a b : Bool) : · intro h; cases a <;> cases b <;> simp_all · intro ⟨ha, hb⟩; simp [ha, hb] +/-- Coq compatibility: Nat less-or-equal test -/ +def Nat.leb (a b : Nat) : Bool := decide (a ≤ b) +/-- Coq compatibility: Nat less-than test -/ +def Nat.ltb (a b : Nat) : Bool := decide (a < b) + /-- ConsumerData (matches Coq: Inductive ConsumerData) -/ inductive ConsumerData where | PII : ConsumerData @@ -289,4 +294,4 @@ theorem order_amount_bounded : ∀ a ma, order_amount_valid a ma = true → a theorem inventory_bounded : ∀ c mc, inventory_valid c mc = true → c ≤ mc := by simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Industries.IndustryRetail diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryTelecom.lean b/02_FORMAL/lean/RIINA/Industries/IndustryTelecom.lean index 844d9170..82e8f951 100644 --- a/02_FORMAL/lean/RIINA/Industries/IndustryTelecom.lean +++ b/02_FORMAL/lean/RIINA/Industries/IndustryTelecom.lean @@ -54,7 +54,7 @@ Generated by scripts/generate-multiprover.py | li_requires_logging | li_requires_logging | OK | -/ -namespace RIINA +namespace RIINA.Industries.IndustryTelecom /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b 
@@ -62,15 +62,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 @@ -84,6 +84,11 @@ private theorem andb_true_iff (a b : Bool) : · intro h; cases a <;> cases b <;> simp_all · intro ⟨ha, hb⟩; simp [ha, hb] +/-- Coq compatibility: Nat equality test -/ +def Nat.eqb (a b : Nat) : Bool := a == b +/-- Coq compatibility: Nat less-or-equal test -/ +def Nat.leb (a b : Nat) : Bool := decide (a ≤ b) + /-- TelecomDomain (matches Coq: Inductive TelecomDomain) -/ inductive TelecomDomain where | RAN : TelecomDomain @@ -321,4 +326,4 @@ theorem li_requires_authorization : ∀ li, li_valid li = true → li_authorized theorem li_requires_logging : ∀ li, li_valid li = true → li_logged li = true := by simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Industries.IndustryTelecom 
diff --git a/02_FORMAL/lean/RIINA/Industries/IndustryTransportation.lean b/02_FORMAL/lean/RIINA/Industries/IndustryTransportation.lean index 2b4d39a8..5ee54424 100644 --- a/02_FORMAL/lean/RIINA/Industries/IndustryTransportation.lean +++ b/02_FORMAL/lean/RIINA/Industries/IndustryTransportation.lean @@ -51,7 +51,7 @@ Generated by scripts/generate-multiprover.py | version_no_downgrade | version_no_downgrade | OK | -/ -namespace RIINA +namespace RIINA.Industries.IndustryTransportation /-- Coq compatibility shim: boolean negation -/ @[inline] def negb (b : Bool) : Bool := !b @@ -59,15 +59,15 @@ namespace RIINA @[inline] def andb (a b : Bool) : Bool := a && b /-- Coq compatibility shim: boolean disjunction -/ @[inline] def orb (a b : Bool) : Bool := a || b -/-- Coq compatibility shim: list universal predicate -/ +/-- Coq compatibility shim: List universal predicate -/ @[inline] def forallb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.all f -/-- Coq compatibility shim: list existential predicate -/ +/-- Coq compatibility shim: List existential predicate -/ @[inline] def existsb {α : Type} (f : α → Bool) (xs : List α) : Bool := xs.any f -/-- Coq compatibility shim: list length alias -/ +/-- Coq compatibility shim: List length alias -/ @[inline] def length {α : Type} (xs : List α) : Nat := xs.length -/-- Coq compatibility shim: list head option -/ +/-- Coq compatibility shim: List head option -/ @[inline] def hd_error {α : Type} (xs : List α) : Option α := xs.head? -/-- Coq compatibility shim: list find option -/ +/-- Coq compatibility shim: List find option -/ @[inline] def find {α : Type} (p : α → Bool) (xs : List α) : Option α := xs.find? p /-- Coq compatibility shim: pair first projection -/ @[inline] def fst {α β : Type} (p : α × β) : α := p.1 
@@ -81,6 +81,11 @@ private theorem andb_true_iff (a b : Bool) : · intro h; cases a <;> cases b <;> simp_all · intro ⟨ha, hb⟩; simp [ha, hb] +/-- Coq compatibility: Nat less-or-equal test -/ +def Nat.leb (a b : Nat) : Bool := decide (a ≤ b) +/-- Coq compatibility: Nat less-than test -/ +def Nat.ltb (a b : Nat) : Bool := decide (a < b) + /-- ASIL (matches Coq: Inductive ASIL) -/ inductive ASIL where | ASIL_A : ASIL @@ -298,4 +303,4 @@ theorem safety_critical_faster_auth : v2x_auth_timeout_ms true < v2x_auth_timeou theorem version_no_downgrade : ∀ old_v new_v, version_valid old_v new_v = true → old_v < new_v := by simp_all [Bool.and_eq_true] -end RIINA +end RIINA.Industries.IndustryTransportation