fix(spark): honest-demote dnfinition reversibility claim + theatre gate (P0)#51
Merged
Merged
Conversation
…te (P0)
Closes the P0 of the estate Rust/SPARK audit: ambientops claimed
"reversibility guarantees" / "formally verified" SPARK while GNATprove was
never wired in and the ghost/lemma bodies were stubbed to return True.
Demotion (no false proof claims remain):
* safety_boundary.ads/.adb — banner "(formally verified)" removed,
SPARK_Mode -> Off, honest PROOF STATUS note, obligation O-SAFE-2.
* reversibility_types.ads — SPARK_Mode Off, O-REV-1..4 (prior pass).
* reversibility_types.adb — deleted: the spec is types + expression
functions only, no body-requiring subprogram.
* snapshot_manager.ads — SPARK_Mode Off + HONESTY NOTE (prior pass).
* safety_invariant.ads/.adb — SPARK_Mode Off, broken Refined_State
removed (prior pass).
PROOF-NEEDS.md: O-REV-1..4 / O-SAFE-1..2 now recorded as the authoritative
UNPROVEN obligation list (Idris2 model), so the source honesty notes no
longer dangle.
Regression guard: .github/workflows/spark-proof-gate.yml — self-contained
SPARK Theatre Gate over total-update/ada. T1 (header proof-claim without a
prover) is a hard failure; T2 (zero-contract SPARK_Mode) warns while the
Ada/SPARK->Rust/SPARK migration tail clears. Mirrors the estate reusable
gate (hyperpolymath/standards#141); reduces to a 3-line caller once that
merges.
Verification: the gate scanner passes on the final tree (T2 warn only on
backend_interface.ads, no T1) and fails (T1) if the pre-demotion
safety_boundary banner is restored. A full gprbuild was NOT run: the
dnfinition project has a pre-existing unresolved ncurses import (noted in
PROOF-DEBT-AND-RUST-SPARK-AUDIT-2026-05-18.adoc), unrelated to these
changes, which are limited to SPARK_Mode aspects, comments, a body-less
.adb deletion, a doc, and a CI workflow.
Refs hyperpolymath/standards#124
Refs hyperpolymath/standards#127
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Follow-up to the honest-demotion commit: the audit said dnfinition "never
compiled" so the SPARK claims were theatre. Confirmed — and now actually
build-verified the demoted units with a scoped, ncurses-free check project.
Fixed 3 real blockers that prevented ANY compilation of the subsystem:
1. backend_interface.ads — record component named `Package` (an Ada
reserved word): a hard legality error, the concrete reason the
subsystem never built. Renamed -> `Pkg` (field is unreferenced; the
rename is purely local).
2. safety_boundary.ads — `Is_Valid` carried `with Ghost` yet the bodies
call it for real runtime defense-in-depth checks. Ghost-without-proof
used in executable code is itself residual theatre AND an Ada legality
error once SPARK_Mode is Off. Aspect removed; it is now an honest
real runtime function.
3. snapshot_manager.adb — fallout of the reversibility_types
`Rollback_Result.Snapshot_ID -> Target_Snapshot` rename (done in the
demotion to break the SPARK name-clash) that had not been propagated
to this consumer. 5 aggregate references updated.
Added checkonly.gpr — a scoped compile-check harness over
reversibility/safety/backends/platform that deliberately omits the
unrelated, unprovided `ncurses` TUI dependency. Verification result:
* safety_boundary.adb — compiles, 0 errors
* safety_invariant.adb — compiles, 0 errors
* reversibility_types.ads — compiles, 0 errors
* snapshot_manager.adb — only 3 residual errors, all pre-existing
undefined Create_{Btrfs,ZFS,LVM}_Snapshot stubs — unrelated to the
SPARK demotion (separate "never implemented" debt, out of P0 scope).
The demotion is therefore proven to be legal Ada, not just asserted.
Refs hyperpolymath/standards#124
Refs hyperpolymath/standards#127
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 97 issues detected
View findings[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
"type": "ncl_missing_spdx",
"file": "/home/runner/work/ambientops/ambientops/_pathroot/ncl/lib/schema.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "getExn on external data -- use pattern matching (1 occurrences, CWE-754)",
"type": "getexn_on_external",
"file": "/home/runner/work/ambientops/ambientops/_pathroot/src/nicaug/NicaugCLI.res",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "getExn on external data -- use pattern matching (1 occurrences, CWE-754)",
"type": "getexn_on_external",
"file": "/home/runner/work/ambientops/ambientops/_pathroot/src/nicaug/PlatformOrchestrator.res",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "getExn on external data -- use pattern matching (7 occurrences, CWE-754)",
"type": "getexn_on_external",
"file": "/home/runner/work/ambientops/ambientops/_pathroot/src/Discovery.res",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/ambientops/ambientops/panoptes/src/ollama.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unwrap_or(0) with dangerous default (2 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/ambientops/ambientops/panoptes/src/web/mod.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/ambientops/ambientops/personal-sysadmin/src/correlation.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Closes the P0 of the estate Rust/SPARK audit
(
PROOF-DEBT-AND-RUST-SPARK-AUDIT-2026-05-18.adoc): ambientops bannered thednfinition reversibility subsystem as "formally verified" SPARK while
GNATprove was never wired in, the ghost/lemma bodies were stubbed to
return True/null;, and the subsystem did not even compile — so theproof claims were pure theatre.
Honest demotion (no false proof claims remain)
safety_boundary.ads/.adb(formally verified)→(runtime-enforced; NOT formally verified),SPARK_Mode→Off, honestPROOF STATUSnote,Is_Validde-ghosted (real runtime fn), obligation O-SAFE-2reversibility_types.adsSPARK_Mode Off, O-REV-1..4;Rollback_Result.Snapshot_ID→Target_Snapshot(name-clash)reversibility_types.adbsnapshot_manager.ads/.adbSPARK_Mode Off+ HONESTY NOTE; consumer updated for theTarget_Snapshotrenamesafety_invariant.ads/.adbSPARK_Mode Off, brokenRefined_StateremovedPROOF-NEEDS.mdrecords O-REV-1..4 / O-SAFE-1..2 as the authoritativeUNPROVEN obligation list (Idris2 model).
Build verification — now actually performed
The first revision could not
gprbuild(projectwith "ncurses", noprovider). Resolved by adding
checkonly.gpr, a scoped compile-check overreversibility/safety/backends/platformthat omits the unrelated, unprovidedncurses TUI dependency. Doing so exposed — and this PR fixes — 3 real
legality blockers that were the concrete reason the subsystem never built
(hence why the proof claims could be theatre at all):
backend_interface.ads— record field namedPackage(Ada reservedword). Hard legality error. Renamed →
Pkg(unreferenced; local).safety_boundary.ads—Is_Validwaswith Ghostbut called in realruntime checks: ghost-without-proof in executable code, also illegal once
SPARK_Modeis Off. Aspect removed.snapshot_manager.adb— un-propagated fallout of theRollback_Result.Snapshot_ID → Target_Snapshotdemotion rename. 5 refsfixed.
Result (
gprbuild -gnatcviacheckonly.gpr):safety_boundary.adbsafety_invariant.adbreversibility_types.adssnapshot_manager.adbCreate_{Btrfs,ZFS,LVM}_Snapshotstubs, unrelated to the SPARK demotion (separate "never implemented" debt, out of P0 scope)The demotion is now proven legal Ada, not merely asserted.
Regression guard
.github/workflows/spark-proof-gate.yml— self-contained SPARK Theatre Gateover
total-update/ada: T1 (header proof-claim, no prover) hard-fails;T2 (zero-contract
SPARK_Mode) warns during the migration tail. Mirrorsthe estate reusable gate (hyperpolymath/standards#141); collapses to a
3-line
uses:caller once that merges. Verified to PASS on the final tree andto catch the pre-demotion
safety_boundarybanner regression (T1).Refs hyperpolymath/standards#124
Refs hyperpolymath/standards#127