vcl-ut #25 P5b (step 1): C-ABI wire codec for Statement#27
Closed
hyperpolymath wants to merge 1 commit into
Closed
vcl-ut #25 P5b (step 1): C-ABI wire codec for Statement#27hyperpolymath wants to merge 1 commit into
hyperpolymath wants to merge 1 commit into
Conversation
The marshalling layer between the trusted Rust parser (P5a) and the
Idris2 certifier. Adds, in the standalone vcltotal-parse crate:
- WIRE-FORMAT.adoc: normative spec for a deterministic, versioned,
length-prefixed binary TLV (magic "VCLW" + u16 ver). Discriminants
reuse Grammar.idr's *ToInt maps where they exist (modality/agent/
epReq/epistemicOp) and Types.idr safetyLevelToInt, so the P5b-step-2
Idris2 decoder is a direct match. Chosen over CBOR: no dependency /
no extra trust surface, fully auditable, byte-exact.
- src/wire.rs: to_wire / from_wire for the full Statement AST. Same
SPARK-grade posture as the parser (crate lint-set): to_wire total +
deterministic (canonical one-byte-string-per-value); from_wire
TOTAL — bounds-checked cursor, no panic, no unbounded pre-allocation
from untrusted counts (anti-OOM), every malformed input a typed
WireError.
Machine witnesses (tests/wire.rs, proptest 2048 cases):
- roundtrip: from_wire(to_wire(s)) == s over arbitrary Statements
(bijection on the Rust AST mirror).
- decoder_total_on_garbage / _with_valid_header: arbitrary bytes
never panic — Ok/Err only (trusted-boundary totality contract).
- encoder_deterministic; golden vectors incl. bit-exact non-finite
float preservation (inf structural, NaN by bits).
Verified standalone, CI-faithful (--manifest-path --locked):
clippy --all-targets -D warnings clean (SPARK lint set), 17/17 tests
(6 lib + 5 parse + 6 wire), fmt clean.
Step 2 (separate): the total Idris2 decoder of this identical format
into Grammar.idr's certified Statement, %default total, no proof
escape, with shared golden vectors for cross-language conformance —
gated by the proof-corpus CI (now healthy post-#24).
Stacked on the P5a branch. Refs #25.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
P5b (step 1) — C-ABI wire codec for
StatementThe marshalling seam between the trusted Rust parser (P5a, #26) and the
Idris2 certifier. Stacked on #26 (base = the P5a branch); review/merge
#26 first.
What this adds (in the standalone
vcltotal-parsecrate)WIRE-FORMAT.adoc— normative spec: a deterministic, versioned,length-prefixed binary TLV (
"VCLW"+u16ver). Discriminantsreuse
Grammar.idr's*ToIntmaps where they exist andTypes.idrsafetyLevelToInt, so the P5b-step-2 Idris2 decoder isa direct match. Chosen over CBOR: zero dependency / no extra trust
surface, fully auditable, byte-exact.
src/wire.rs—to_wire/from_wirefor the fullStatementAST, same SPARK-grade posture as the parser (crate lint-set):
to_wire: total, deterministic, canonical (one byte string pervalue).
from_wire: total — bounds-checked cursor, no panic, nounbounded pre-allocation from untrusted counts (anti-OOM), every
malformed input a typed
WireError.Machine witnesses (
tests/wire.rs, proptest 2048 cases)roundtrip:from_wire(to_wire(s)) == sover arbitraryStatements — the codec is a bijection on the Rust AST mirror.decoder_total_on_garbage/_with_valid_header: arbitrary bytesnever panic —
Ok/Erronly (trusted-boundary totality).encoder_deterministic; golden vectors incl. bit-exactnon-finite float preservation (inf structural, NaN by bits).
Verified (standalone, CI-faithful:
--manifest-path … --locked)cargo clippy --all-targets -- -D warningsclean (SPARK lint set);cargo test17/17 (6 lib + 5 parse + 6 wire);cargo fmt --checkclean.
parse-gateCI applies (the crate is its own workspace root,decoupled from the pre-existing parent-workspace external-path-dep
breakage).
Next (P5b step 2, separate PR)
The total Idris2 decoder of this identical byte format into
Grammar.idr's certifiedStatement(%default total, zeroproof-escape), with the golden vectors shared as cross-language
conformance fixtures — gated by the proof-corpus CI (now healthy after
#24's pinned-source idris2 build).
Refs #25.
🤖 Generated with Claude Code