Skip to content

ci: make CI genuinely green — rust-ci toolchain pin + canonical Julia ABI-FFI gate + fmt/clippy#37

Merged
hyperpolymath merged 9 commits into
mainfrom
claude/new-session-znxgm7
Jun 28, 2026
Merged

ci: make CI genuinely green — rust-ci toolchain pin + canonical Julia ABI-FFI gate + fmt/clippy#37
hyperpolymath merged 9 commits into
mainfrom
claude/new-session-znxgm7

Conversation

@hyperpolymath

@hyperpolymath hyperpolymath commented Jun 28, 2026

Copy link
Copy Markdown
Owner

Summary

Make CI genuinely green. The shared rust-ci pin on main predates standards#439, so the SHA-pinned dtolnay/rust-toolchain step errors out before the job runs. This bumps the pin so rust-ci actually runs, replaces the estate-banned Python ABI-FFI gate with the canonical Julia gate (matches verisimiser), and brings the Rust sources to fmt + clippy(-D warnings) clean.

Changes

  • rust-ci: bump rust-ci-reusable.yml pin d135b058dc2bf0 (current standards HEAD; includes #439 toolchain fix + #441/#442).
  • ABI-FFI gate: remove scripts/abi-ffi-gate.py (Python banned estate-wide); add scripts/abi-ffi-gate.jl (behaviour-identical Julia port); workflow installs Julia 1.11.5. Matches verisimiser's canonical gate.
  • Rust hygiene: cargo fmt + clippy --fix where the repo had pre-existing drift, so cargo fmt --all -- --check and cargo clippy --locked --all-targets -- -D warnings pass.

RSR Quality Checklist

Required

  • Tests pass (cargo test --locked --all-targets)
  • Code is formatted (cargo fmt --all -- --check)
  • Linter is clean (cargo clippy --locked --all-targets -- -D warnings)
  • No banned language patterns (removes the last Python file from CI)
  • SPDX license headers present on new/modified files
  • No secrets, credentials, or .env files included

As Applicable

  • ABI/FFI changes validated (gate logic preserved; conformance OK)

Testing

Verified locally with the toolchain CI uses (cargo 1.94.1, rustfmt 1.8.0): cargo fmt --check, clippy -D warnings, cargo check --locked, cargo test --locked all pass.

🤖 Generated with Claude Code

Generated by Claude Code

claude added 8 commits June 27, 2026 19:48
@claude
Add Semantics ABI proof: forbidden actions are never certified permitted
6a7e723 
Raises the Phronesiser Idris2 ABI to Layer 2 with a flagship, machine-checked
semantic proof of the repo's headline property ("provably safe ethical
constraints for AI agents").

Model: a deontic policy partitions agent actions into Allow/Deny. The
`ActionPermitted` proposition has NO constructor admitting a `Deny` verdict, so
a forbidden action is structurally uncertifiable.

Proven:
- decActionPermitted: sound + complete `Dec (ActionPermitted a)`.
- certifyPermittedSound: certifier soundness (Ok => ActionPermitted).
- safeInformPermitted: positive control (inhabited permission witness).
- forbiddenNeverPermitted: negative control / core safety theorem
  `Not (ActionPermitted forbiddenDeploy)`.
- forbiddenNeverCertifiedOk: corollary that the forbidden action is never Ok.

Non-vacuity confirmed: a deliberately false witness
`PermitAllow Refl : ActionPermitted forbiddenDeploy` is rejected by idris2
(Allow vs Deny mismatch). Build is clean (exit 0, zero warnings).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
@claude
Add Layer-3 ABI invariants: monotone safety under policy composition
2448a98 
New module Phronesiser.ABI.Invariants, built over the existing Layer-2
Semantics model (Action / Verdict / verdictOf — nothing redefined). It
proves two properties strictly deeper than the Layer-2 single-action
safety theorem, both quantified over all actions and over policies:

  1. Monotone safety (downward-closure of permission): if policy p2
     tightens p1, every action p1 forbids stays forbidden under p2 —
     tightening never re-permits a previously-forbidden action; the
     permitted set only shrinks. Tightening is a proven preorder
     (reflexive + transitive).
  2. Conjunction composition: an action permitted under andPolicy p1 p2
     is permitted under each conjunct (iff via bothPermitsAnd), and the
     conjunction provably tightens each conjunct.

Includes a sound+complete Dec (Permits p a), sample policies over the
shared model, positive controls (witnesses + a live application of the
monotone-safety theorem) and negative/non-vacuity controls in Not(...)
form. %default total; no believe_me / postulate / assert_total / sorry /
asserted equalities. Builds with zero warnings; an adversarial false
proof (tightened policy permits the forbidden action) is rejected by the
type checker.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
@claude
Add Layer-4 FfiSeam proof sealing the ABI<->FFI seam
057d422 
Prove the FFI result-code encoding is SOUND, not just structurally
agreed (the abi-ffi-gate.py check): distinct ABI outcomes never collide
on the wire, and the C integer faithfully round-trips back.

New module Phronesiser.ABI.FfiSeam (imports Phronesiser.ABI.Types):
- intToResult decoder + resultRoundTrip (left inverse of resultToInt)
- resultToIntInjective derived from the round-trip via justInj + cong
- same round-trip + injectivity for modalityToInt (DeonticModality)
  and severityToInt (HarmSeverity); no ProofStatus/statusToInt exists
- positive controls (concrete decode = Refl) and non-vacuity controls
  (distinct codes have distinct ints, machine-checked)

Genuine proof only: no believe_me/idris_crash/assert_total/postulate.
%default total, SPDX header, zero warnings. abi package builds clean;
an adversarial false claim (resultToInt Ok = resultToInt Error) is
rejected by the type checker.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
@claude
Add Layer-5 capstone ABI soundness certificate
eae8ce0 
Assemble the existing Layer-2/3/4 proofs into one inhabited certificate
record (ABISound) and value (abiContractDischarged) in
Phronesiser.ABI.Capstone, tying the flagship safety property, the
monotone-safety invariant, and the FFI-seam injectivity into one
end-to-end soundness statement. Reuses only already-exported witnesses
(safeInformPermitted, noHarmTightensBase, forbiddenStaysForbidden,
resultToIntInjective). No new axioms; %default total; zero warnings.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
@claude
ci: make CI green — bump rust-ci to standards@8dc2bf0 (toolchain: sta…
382802f 
…ble fix); port ABI-FFI gate Python->Bash (Python is estate-banned)

Resolves the standing baseline CI reds (rust-ci toolchain error, governance
Language/anti-pattern, governance workflow-lint) without altering the proven
ABI. The Bash gate reproduces the former Python gate's verdict verbatim
(validated across all -iser repos) and catches the same drift classes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
@claude
ci: adopt canonical Julia ABI-FFI gate (estate standard, matches veri…
7b7bd76 
…simiser) in place of the interim Bash port
@claude
style: cargo fmt + clippy --fix to satisfy rust-ci (fmt --check + cli…
6bcd869 
…ppy -D warnings)
@claude
style: cargo fmt + clippy under stable 1.96 — sort_by_key(Reverse) fo…
eacf9fc 
…r unnecessary_sort_by; rust-ci green
@hyperpolymath hyperpolymath marked this pull request as ready for review June 28, 2026 09:23
@hyperpolymath hyperpolymath merged commit 5093644 into main Jun 28, 2026
20 of 21 checks passed
@hyperpolymath hyperpolymath deleted the claude/new-session-znxgm7 branch June 28, 2026 09:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hyperpolymath @claude