Files
tricu/notes/view-contract-trust-provenance.md

96 lines
3.9 KiB
Markdown

# View Contracts at the intensionality boundary
## Conclusion
Tree Calculus does not support the abstraction theorem that the former
parametric View design assumed. Views can remain useful as boundary metadata and
as instructions for runtime guard placement, but they must not be presented as
types, proofs of parametricity, or representation-hiding abstraction.
## Fundamental conflicts
### Raw observation defeats representation independence
A parametric contract such as:
```text
forall a. a -> a
```
normally relies on code being unable to learn anything about `a`. A Tree
Calculus term can inspect the tree supplied at `a`, distinguish
representations, and return a representation-dependent value. The View variable
does not hide or seal that tree.
The same breaks existential abstraction. Advertising a payload as
`exists repr. ...` changes no operational capability: a client can still
inspect the representation directly.
### Opaque payloads are asserted, not checked
A typed-value node carries an executable tree beside a View. Metadata validation
deliberately treats that executable field as opaque. Consequently, accepting a
node proves that the envelope and View are well formed; it does not prove that
the tree denotes the advertised `Fn`, `List`, `Maybe`, or other structural
View.
Provenance labels do not change this. `Checked` and `Trusted` record where an
assertion came from, but neither is a derivation that another implementation can
replay to establish the assertion.
### Syntactic taint is not a semantic parametricity proof
Rejecting direct uses of `t` or `triage` is neither complete nor a stable
soundness boundary:
- an observer can be assembled after reduction;
- observation can arrive through higher-order or dynamically selected code;
- unknown external code can hide observation;
- absence of a rule-3 redex is not reduction-closed;
- exact detection would subsume non-trivial termination/reachability questions.
A conservative taint pass can define a programming convention, but it cannot
justify the parametric or abstraction guarantees previously attached to Views.
### Flow checking only checks represented flow
The checker sees frontend-emitted value, application, and requirement nodes. It
can check consistency among those nodes, but it cannot establish that the graph
faithfully represents every use performed by the opaque executable payload.
This is useful artifact validation, not whole-program typing.
## Retained contract
The reduced checker may soundly claim only:
1. View, node, and program envelopes satisfy their declared data schemas.
2. Explicit monomorphic View facts are propagated consistently through the
represented application graph.
3. A `Guarded` View causes its executable predicate to run at represented
boundaries, and guard failure prevents checked execution.
4. Content-addressed references prevent an attached View artifact from silently
drifting to a different stored object.
Items 1, 2, and 4 establish metadata integrity, not semantic membership in an
unguarded View. Item 3 is the only retained mechanism that observes an ordinary
runtime value.
## Code direction
The initial rollback therefore:
- removes View-variable instantiation, substitution, and unification from the
portable checker;
- rejects `Var`, `Forall`, and `Exists` as checker inputs while reserving
their legacy tags for deterministic decoding;
- removes the frontend raw-intensionality taint pass;
- removes polymorphic stdlib annotations and value-level View facts;
- retains monomorphic View flow, artifact plumbing, diagnostics, and executable
guards.
Further simplification should treat unguarded structural Views as descriptive
labels. If stronger guarantees are desired later, they require an operational
mechanism such as runtime recognizers/seals or a genuinely restricted language
whose evaluator enforces the restriction. Metadata provenance alone is
insufficient.