aprender-contracts 0.34.0

Papers to Math to Contracts in Code — YAML contract parsing, validation, scaffold generation, and Kani harness codegen for provable Rust kernels
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240

//! Audit trail generator — traceability chain.
//!
//! Traces the full chain from paper reference → equation →
//! proof obligation → falsification test → Kani harness.
//! Detects orphaned obligations and untested equations.

use crate::binding::{BindingRegistry, ImplStatus};
use crate::error::{Severity, Violation};
use crate::schema::Contract;

/// Audit result summarizing traceability coverage.
#[derive(Debug, Clone)]
pub struct AuditReport {
    /// Total equations in the contract.
    pub equations: usize,
    /// Total proof obligations.
    pub obligations: usize,
    /// Total falsification tests.
    pub falsification_tests: usize,
    /// Total Kani harnesses.
    pub kani_harnesses: usize,
    /// Violations found during audit.
    pub violations: Vec<Violation>,
}

/// Run a traceability audit on a contract.
///
/// Checks that every proof obligation is covered by at least
/// one falsification test or Kani harness, and that no
/// harnesses reference non-existent obligations.
pub fn audit_contract(contract: &Contract) -> AuditReport {
    let mut violations = Vec::new();

    // Kernel-only audit checks: skip for registries, model-family schemas,
    // pattern contracts, and reference documents that are exempt from
    // the provability invariant.
    let is_kernel_kind = contract.requires_proofs();

    // Check: contract has at least one falsification test (kernel only)
    if is_kernel_kind && contract.falsification_tests.is_empty() {
        violations.push(Violation {
            severity: Severity::Warning,
            rule: "AUDIT-001".to_string(),
            message: "No falsification tests — contract is \
                      not falsifiable"
                .to_string(),
            location: Some("falsification_tests".to_string()),
        });
    }

    // Check: every Kani harness references a valid obligation ID
    let obligation_props: Vec<&str> = contract
        .proof_obligations
        .iter()
        .map(|o| o.property.as_str())
        .collect();

    for harness in &contract.kani_harnesses {
        // The harness.obligation field should reference an
        // obligation. We do a soft check (warn, not error)
        // since obligation IDs are free-form in current schema.
        if harness.obligation.is_empty() {
            violations.push(Violation {
                severity: Severity::Error,
                rule: "AUDIT-002".to_string(),
                message: format!(
                    "Kani harness {} has empty obligation \
                     reference",
                    harness.id
                ),
                location: Some(format!("kani_harnesses.{}.obligation", harness.id)),
            });
        }
    }

    // Check: contract has proof obligations if it has equations (kernel only)
    if is_kernel_kind && !contract.equations.is_empty() && contract.proof_obligations.is_empty() {
        violations.push(Violation {
            severity: Severity::Warning,
            rule: "AUDIT-003".to_string(),
            message: "Equations defined but no proof obligations \
                      — obligations should be derived from equations"
                .to_string(),
            location: Some("proof_obligations".to_string()),
        });
    }

    // Suppress unused variable warning
    let _ = obligation_props;

    AuditReport {
        equations: contract.equations.len(),
        obligations: contract.proof_obligations.len(),
        falsification_tests: contract.falsification_tests.len(),
        kani_harnesses: contract.kani_harnesses.len(),
        violations,
    }
}

/// Binding audit result — cross-references contracts with implementations.
#[derive(Debug, Clone)]
pub struct BindingAuditReport {
    /// Total equations across all contracts.
    pub total_equations: usize,
    /// Equations with a binding entry.
    pub bound_equations: usize,
    /// Bindings with status = implemented.
    pub implemented: usize,
    /// Bindings with status = partial.
    pub partial: usize,
    /// Bindings with status = `not_implemented`.
    pub not_implemented: usize,
    /// Total proof obligations across matched contracts.
    pub total_obligations: usize,
    /// Obligations covered by implemented bindings.
    pub covered_obligations: usize,
    /// Violations found during binding audit.
    pub violations: Vec<Violation>,
}

/// Audit the binding registry against a set of contracts.
///
/// For each contract, checks whether its equations have a
/// corresponding binding entry and reports coverage gaps.
pub fn audit_binding(
    contracts: &[(&str, &Contract)],
    binding: &BindingRegistry,
) -> BindingAuditReport {
    let mut violations = Vec::new();
    let mut total_equations = 0usize;
    let mut bound_equations = 0usize;
    let mut implemented = 0usize;
    let mut partial = 0usize;
    let mut not_implemented = 0usize;
    let mut total_obligations = 0usize;
    let mut covered_obligations = 0usize;

    for &(contract_file, contract) in contracts {
        let eq_count = contract.equations.len();
        total_equations += eq_count;
        total_obligations += contract.proof_obligations.len();

        for eq_name in contract.equations.keys() {
            let matching = binding.find_binding(contract_file, eq_name);

            match matching {
                Some(b) => {
                    bound_equations += 1;
                    match b.status {
                        ImplStatus::Implemented => {
                            implemented += 1;
                            // All obligations for this equation
                            // are considered covered.
                            covered_obligations += obligations_for_equation(contract);
                        }
                        ImplStatus::Partial => {
                            partial += 1;
                            violations.push(Violation {
                                severity: Severity::Warning,
                                rule: "BIND-002".to_string(),
                                message: format!(
                                    "Equation '{eq_name}' in \
                                     {contract_file} is partially \
                                     implemented"
                                ),
                                location: Some(format!("bindings.{eq_name}")),
                            });
                        }
                        ImplStatus::NotImplemented => {
                            not_implemented += 1;
                            violations.push(Violation {
                                severity: Severity::Warning,
                                rule: "BIND-003".to_string(),
                                message: format!(
                                    "Equation '{eq_name}' in \
                                     {contract_file} has no \
                                     implementation"
                                ),
                                location: Some(format!("bindings.{eq_name}")),
                            });
                        }
                        ImplStatus::Pending => {
                            not_implemented += 1;
                            violations.push(Violation {
                                severity: Severity::Warning,
                                rule: "BIND-004".to_string(),
                                message: format!(
                                    "Equation '{eq_name}' in \
                                     {contract_file} is pending \
                                     implementation"
                                ),
                                location: Some(format!("bindings.{eq_name}")),
                            });
                        }
                    }
                }
                None => {
                    violations.push(Violation {
                        severity: Severity::Error,
                        rule: "BIND-001".to_string(),
                        message: format!(
                            "Equation '{eq_name}' in {contract_file} \
                             has no binding entry"
                        ),
                        location: Some(format!("{contract_file}.equations.{eq_name}")),
                    });
                }
            }
        }
    }

    BindingAuditReport {
        total_equations,
        bound_equations,
        implemented,
        partial,
        not_implemented,
        total_obligations,
        covered_obligations,
        violations,
    }
}

/// Count obligations that are not SIMD-specific for a contract.
///
/// When an equation is implemented, we consider all non-SIMD
/// obligations as covered (SIMD equivalence requires a separate
/// SIMD implementation which is trueno's domain).
fn obligations_for_equation(contract: &Contract) -> usize {
    contract
        .proof_obligations
        .iter()
        .filter(|o| o.applies_to != Some(crate::schema::AppliesTo::Simd))
        .count()
}

#[cfg(test)]
mod tests {
    include!("mod_tests.rs");
}