Useful but limited polymorphism
This commit is contained in:
122
notes/view-contract-trust-provenance.md
Normal file
122
notes/view-contract-trust-provenance.md
Normal file
@@ -0,0 +1,122 @@
|
||||
# View Contract trust provenance and controlled intensionality
|
||||
|
||||
## Problem
|
||||
|
||||
Tree Calculus / tricu code can perform raw intensional observation through `t` /
|
||||
`triage`-like power. Exact detection of whether an arbitrary term ever reaches
|
||||
rule 3 is undecidable: the SK fragment is already Turing-complete, and a program
|
||||
can construct/apply an intensional observer iff an encoded machine halts.
|
||||
|
||||
Therefore View Contracts must not rely on an exact semantic test for "will this
|
||||
term inspect representation?".
|
||||
|
||||
## Key correction
|
||||
|
||||
A purely syntactic invariant such as "the initial tree contains no
|
||||
`Fork(Fork(_, _), _)`" is not reduction-closed. For example:
|
||||
|
||||
```text
|
||||
Fork (Stem (Fork a b)) c ==> Fork (Fork a b) c
|
||||
```
|
||||
|
||||
So absence of a current rule-3 redex is not enough.
|
||||
|
||||
## Direction
|
||||
|
||||
Use explicit provenance/capability discipline, not exact intensionality
|
||||
decision.
|
||||
|
||||
View Contract checking and parametric checked-subset validation are distinct:
|
||||
|
||||
- View Contract checking: verifies executable tree artifacts against declared
|
||||
boundary Views.
|
||||
- Parametric checked-subset validation: verifies that abstraction/parametricity
|
||||
claims do not depend on raw untrusted intensional observation.
|
||||
|
||||
Unchecked/raw Tree Calculus can always inspect trees. Existential/abstract Views
|
||||
are checker-level opacity: checked clients cannot justify representation-specific
|
||||
operations unless an exported trusted capability/eliminator provides them.
|
||||
|
||||
## Provenance model
|
||||
|
||||
Contract facts/artifacts should carry explicit provenance. Do not rely on module
|
||||
or catalog convention.
|
||||
|
||||
Recommended durable provenance classes:
|
||||
|
||||
```text
|
||||
Checked -- derived by checked lowering / checker validation
|
||||
Trusted -- asserted by a trusted boundary, e.g. a primitive eliminator API
|
||||
Unchecked -- no abstraction/parametricity guarantee; raw/assumed fact if exposed
|
||||
```
|
||||
|
||||
The correct granularity is per exported View fact, not per module. A single
|
||||
module may contain checked definitions, trusted eliminators, and unchecked raw
|
||||
helpers.
|
||||
|
||||
## Controlled intensionality
|
||||
|
||||
Raw intensionality should be tracked by dependency/provenance, not syntax-only.
|
||||
|
||||
- Direct `triage` / arbitrary `t` eliminator use is raw intensional capability.
|
||||
- Trusted eliminators expose controlled observation and do not taint clients.
|
||||
- Calling unchecked/untrusted code taints the caller for parametricity purposes.
|
||||
- Constructors/literals are not automatically tainting unless they expose raw
|
||||
inspection power.
|
||||
|
||||
Parametric checked mode rejects annotated definitions whose derivation depends
|
||||
on raw/untrusted intensionality, while trusted facts may describe raw internals
|
||||
behind explicit contracts.
|
||||
|
||||
## Trusted eliminator kernel
|
||||
|
||||
First trusted observation capabilities should be the smallest useful kernels:
|
||||
|
||||
```text
|
||||
matchBool : forall r. r -> r -> Bool -> r
|
||||
matchMaybe : forall a r. r -> (a -> r) -> Maybe a -> r
|
||||
matchList : forall a r. r -> (a -> List a -> r) -> List a -> r
|
||||
```
|
||||
|
||||
Derived functions should be checked against these trusted capabilities where
|
||||
possible. Raw recursive kernels and other code
|
||||
that passes through fixed-point/intensional machinery should publish explicit
|
||||
`Trusted` facts rather than being treated as checked.
|
||||
|
||||
Current stdlib shape:
|
||||
|
||||
```text
|
||||
Checked annotations where the body checks through trusted capabilities:
|
||||
maybeMap : forall a b. (a -> b) -> Maybe a -> Maybe b
|
||||
maybeBind : forall a b. Maybe a -> (a -> Maybe b) -> Maybe b
|
||||
maybeOr : forall a. a -> Maybe a -> a
|
||||
|
||||
Trusted value-level facts for raw/recursive stdlib boundaries:
|
||||
headMaybe / lastMaybe / nthMaybe
|
||||
append / map / filter / foldl / foldr
|
||||
length / reverse / snoc / count / all? / any? / intersect
|
||||
take / drop / splitAt / concatMap / find / partition / zipWith
|
||||
string/list-byte helpers such as strLength, startsWith?, lines, words
|
||||
```
|
||||
|
||||
Do not assign total contracts to partial APIs such as:
|
||||
|
||||
```text
|
||||
head : List a -> a
|
||||
```
|
||||
|
||||
Prefer `headMaybe : List a -> Maybe a`, or later introduce `NonEmptyList a`.
|
||||
|
||||
## Implementation order
|
||||
|
||||
Most-correct tractable path:
|
||||
|
||||
1. Add contract provenance to the Haskell View model and portable artifacts. ✅
|
||||
2. Preserve provenance through module exports/imports/re-exports. ✅
|
||||
3. Teach checker environments to distinguish checked vs trusted facts. ✅
|
||||
4. Add trusted stdlib eliminator facts. ◐ initial value-level `viewFacts` landed for `matchBool`, `matchMaybe`, `matchList`; Haskell trusted catalog removed
|
||||
5. Add parametric-mode dependency/effect checking. ◐ local raw-dependency and unchecked-import rejection landed
|
||||
6. Annotate/publish derived stdlib Views at the right provenance. ◐ checked `maybeMap`/`maybeBind`/`maybeOr`; trusted value-level facts for recursive list combinators
|
||||
|
||||
Avoid introducing implicit trusted catalogs before provenance exists; that would
|
||||
create semantics that later need to be unwound.
|
||||
Reference in New Issue
Block a user