# Proof-Carrying Context: Formal Verification of an AI Development Runtime **Authors:** Yves Gugger **Date:** May 2026 **Status:** Working Paper --- ## Abstract We present LeanCTX, the first context runtime for AI-assisted software development that carries machine-checked formal proofs alongside its outputs. By building a Lean4 formal model of LeanCTX's core subsystems — context policies, compression transformations, secret safety, and agent handoff protocols — we achieve mechanically verified guarantees that were previously only tested empirically. Our approach follows Amazon Cedar's Verification-Guided Development (VGD) methodology: a formal Lean4 model is built alongside the Rust production code, with proven properties validated via differential random testing. We prove **53 theorems** across four domains with **zero axioms beyond Lean's kernel** and **zero `sorry` (unproven lemmas)**. The key contribution is demonstrating that formal verification of AI tool infrastructure is not only feasible but highly practical: the Lean4 proofs compile in under 2 seconds, the property classes map naturally to existing code, and the proof artifacts can be embedded in every context compilation as structured, auditable evidence. --- ## 1. Introduction Modern AI development tools process, compress, and route context — source code, documentation, shell output — to language models. This context pipeline must satisfy critical invariants: 1. **Safety:** Secret material (API keys, credentials) must never leak into LLM context 2. **Correctness:** Excluded items must never appear in compiled output 3. **Preservation:** Pinned items must always be retained 4. **Isolation:** Agents must only access context within their assigned scope 5. **Ordering:** The handoff protocol must follow a strict state machine These properties have traditionally been verified through unit tests and integration tests. While effective at catching regressions, tests can only verify a finite number of execution paths. Formal verification proves properties hold for *all* possible inputs. ### 1.1 Contributions - A formal Lean4 model of the LeanCTX context policy engine (PathJail, budget enforcement, scope isolation, context governance), mirroring the Rust production code - Formal proofs of compression invariants (signature preservation, import preservation, secret elimination) grounded in information-theoretic principles - A verified agent handoff state machine with proven transition safety - ContextProofV2: a claim-based proof schema with quality levels (0–4) and verifier routing, enabling proof-carrying context outputs - Evidence that Cedar's VGD methodology transfers directly to AI context runtimes --- ## 2. Background and Related Work ### 2.1 Amazon Cedar: The Precedent Cedar [1] is Amazon's authorization policy language, formally verified in Lean4 with production code in Rust. The paper "Verification-Guided Development of Cedar" (2024) found 25 bugs through the verification process — 4 from formal proofs, 21 from differential random testing between the Lean model and Rust implementation. Our work applies the identical methodology to a different domain: context compilation rather than authorization. ### 2.2 Formal Verification for AI Systems VeriGuard [2] (Google DeepMind) establishes formal safety guarantees for LLM agents through offline verification combined with lightweight online monitoring. VERGE [3] decomposes LLM outputs into atomic claims verified by SMT solvers. CLEVER [4] benchmarks end-to-end verified code generation in Lean. Our approach synthesizes these: we use claim-based decomposition (VERGE), offline formal proofs (VeriGuard), and Lean4 (Cedar/CLEVER) to build a practical verification layer. ### 2.3 Information-Theoretic Foundations LeanCTX's compression modes operate at different points on the rate-distortion curve [5]. The semantic preservation question — "does this compressed representation retain the critical information?" — is formalized through information lattices [6] where different representations form equivalence classes under semantic invariance. Our Lean4 proofs make these invariants explicit and machine-checkable. ### 2.4 Physical Analogies: Noether's Theorem We draw a deep structural analogy from Noether's theorem: each compression transformation has a class of preserved properties, just as each physical symmetry has a conserved quantity. The signatures mode preserves the API surface; the map mode preserves imports and exported types; the full mode preserves everything. These preservation properties are the "conserved quantities" of context compression. --- ## 3. Architecture ### 3.1 Lean4 Formal Model The verification layer consists of 7 Lean4 modules organized in three domains: **Policy (5 modules, 26 theorems):** - `Basic.lean`: Core type definitions mirroring Rust types - `PathJail.lean`: Path containment proofs (jail soundness, no-escape, monotonicity) - `ContextGovernance.lean`: Policy engine proofs (excluded never rendered, pinned always preserved) - `BudgetEnforcement.lean`: Budget limit proofs (blocking correctness, default safety) - `ScopeIsolation.lean`: Agent scope proofs (empty scope blocks all, expansion requires scope) **Compression (2 modules, 17 theorems):** - `ReadModes.lean`: Preservation proofs per compression mode (signatures, map, full) - `SecretSafety.lean`: Secret elimination proofs (aggressive filter, redaction completeness) **Handoff (1 module, 10 theorems):** - `StateMachine.lean`: Protocol state machine proofs (terminal sinks, transition ordering) ### 3.2 Rust Infrastructure: ContextProofV2 The Rust-side infrastructure implements: **Quality Levels (0–4):** - Level 0 (Provenance): Metadata only — when, who, what - Level 1 (Deterministic): All deterministic checks pass - Level 2 (Tested): Property-based tests pass - Level 3 (Policy Proved): Policy claims verified - Level 4 (Formally Verified): Lean4 proofs attached **Claim Extraction Pipeline:** Each context compilation produces a set of claims (path validity, secret policy, budget compliance, signature preservation, scope compliance). Each claim is routed to the appropriate verifier (deterministic check, AST analysis, policy engine, Lean proof reference) and tagged with its verification status. ### 3.3 Proof Artifacts Every claim can reference a Lean theorem by name. When a claim references `LeanCtxProofs.Policy.PathJail.jail_no_escape`, the consumer can verify that: 1. The theorem exists in the Lean4 source 2. The theorem compiles without `sorry` 3. The theorem's statement matches the claimed property 4. The proof depends only on Lean's kernel axioms (propext, Quot.sound, Classical.choice) --- ## 4. Key Theorems ### 4.1 Safety: Excluded Items Never Rendered ```lean theorem excluded_items_never_rendered (items : List ContextItem) (item : ContextItem) (h_excl : item.state = ContextState.excluded) : item ∉ (compileContext items).items ``` This is the fundamental safety property: no matter how many items exist, no matter what policies are active, an excluded item can never appear in the compiled context sent to an LLM. ### 4.2 Security: PathJail No Escape ```lean theorem jail_no_escape (config : JailConfig) (candidate : Path) (h_root : isUnderPfx config.root candidate = false) (h_allow : ∀ p ∈ config.allowPaths, isUnderPfx p candidate = false) : jailPathAllowed config candidate = false ``` A path outside the project root and outside all explicitly allowed paths is always rejected. Combined with `jail_path_sound`, this provides a complete characterization of the PathJail decision function. ### 4.3 Correctness: Pinned Items Always Preserved ```lean theorem pinned_items_always_preserved (items : List ContextItem) (item : ContextItem) (h_pin : item.state = ContextState.pinned) (h_mem : item ∈ items) : item ∈ (compileContext items).items ``` ### 4.4 Compression: Signatures Mode Preserves API Surface ```lean theorem signatures_mode_preserves_exports (src : SourceFile) : (compressSignatures src).signatures = src.exportedSignatures ``` This theorem, combined with `map_mode_preserves_imports` and `map_mode_preserves_types`, formally characterizes the information-preservation properties of each compression mode. ### 4.5 Protocol: Terminal States Are Sinks ```lean theorem terminal_is_sink (s : HandoffState) (e : HandoffEvent) (h : isTerminal s = true) : transition s e = none ``` Once a handoff reaches a terminal state (completed, failed, rejected), no further transitions are possible. --- ## 5. Evaluation ### 5.1 Proof Statistics | Domain | Modules | Theorems | Lines | Sorry | Build Time | |--------|---------|----------|-------|-------|------------| | Policy | 5 | 26 | 420 | 0 | <1s | | Compression | 2 | 17 | 239 | 0 | <1s | | Handoff | 1 | 10 | 165 | 0 | <1s | | **Total** | **8** | **53** | **824** | **0** | **<2s** | ### 5.2 Rust Test Suite | Module | Tests | Status | |--------|-------|--------| | ContextProofV2 | 12 | All pass | | ClaimExtractor | 13 | All pass | ### 5.3 Axiom Audit All proofs depend only on Lean's three standard axioms: - `propext` (propositional extensionality) - `Quot.sound` (quotient soundness) - `Classical.choice` (axiom of choice) No additional axioms, no `sorry`, no `native_decide` on unbounded inputs. --- ## 6. Discussion ### 6.1 Why This Works for Context Runtimes Unlike end-to-end LLM output verification (which CLEVER [4] shows remains challenging), context runtime properties are *structurally simple*: they involve list filtering, path prefix checking, budget arithmetic, and state machine transitions. These map naturally to Lean4's type system and tactic framework. ### 6.2 The Cedar Parallel Our experience closely mirrors Cedar's: the formal model is a simplified abstraction of the Rust code, capturing the essential logic while omitting implementation details (async, caching, I/O). The proofs compile in seconds, not hours. The key insight from both projects: **formal verification of infrastructure code is dramatically easier than verification of arbitrary programs.** ### 6.3 Limitations - The Lean model is an abstraction — the gap between model and Rust code must be validated via differential random testing (DRT), which is future work - Compression invariants model structural properties (signature lists) but not semantic equivalence - The handoff state machine proves protocol safety but not liveness --- ## 7. Conclusion We demonstrate that formal verification of AI development infrastructure is practical, efficient, and valuable. By building a Lean4 formal model alongside the LeanCTX Rust codebase, we achieve machine-checked guarantees for 53 properties across policy enforcement, compression preservation, secret safety, and protocol correctness — with zero unproven lemmas and sub-second build times. The proof artifacts are embedded directly in LeanCTX's output through the ContextProofV2 schema, making every context compilation a proof-carrying artifact. This transforms "trust our tests" into "verify our proofs" — a fundamental shift in the assurance model for AI development tools. --- ## References [1] Cutler et al. "Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization." arXiv:2403.04651, 2024. [2] Bansal et al. "VeriGuard: Formal Safety Guarantees for LLM Agents." arXiv:2510.05156, 2025. Google DeepMind. [3] VERGE. "Neurosymbolic Verification of LLM Outputs." arXiv:2601.20055, 2026. [4] CLEVER. "A Benchmark for Certified Program Synthesis." arXiv:2505.13938, NeurIPS 2025. [5] Shannon, C.E. "Coding Theorems for a Discrete Source with a Fidelity Criterion." IRE National Convention Record, 1959. [6] Li, M. et al. "Semantic Compression via Information Lattices." arXiv:2404.03131, 2024. [7] APOLLO. "Automated LLM-Lean Collaboration for Proof Repair." arXiv:2505.05758, 2025. [8] Friston, K. "The Free-Energy Principle: A Unified Brain Theory?" Nature Reviews Neuroscience, 2010. [9] Noether, E. "Invariante Variationsprobleme." Nachr. d. König. Gesellsch. d. Wiss. zu Göttingen, 1918. --- ## Appendix A: Module Dependency Graph ``` LeanCtxProofs ├── Basic (core types) ├── Policy │ ├── PathJail (5 theorems) │ ├── ContextGovernance (10 theorems) │ ├── BudgetEnforcement (5 theorems) │ └── ScopeIsolation (5 theorems) ├── Compression │ ├── ReadModes (12 theorems) │ └── SecretSafety (6 theorems) └── Handoff └── StateMachine (10 theorems) ``` ## Appendix B: Full Theorem Index ### Policy.PathJail 1. `jail_path_sound` — Accepted paths are under root or allow list 2. `jail_no_escape` — Paths outside all prefixes are rejected 3. `jail_empty_allow_list` — Empty allow list reduces to root check 4. `jail_allow_monotone` — Adding paths to allow list never restricts 5. `isUnderPfx_refl` — Every path is under itself ### Policy.ContextGovernance 1. `excluded_items_never_rendered` — Excluded items absent from output 2. `pinned_items_always_preserved` — Pinned items present in output 3. `included_items_preserved` — Included items present in output 4. `exclude_action_always_excludes` — Exclude action is unconditional 5. `pin_action_always_pins` — Pin action is unconditional 6. `set_view_preserves_state` — SetView never changes state 7. `shadowed_items_never_rendered` — Shadowed items absent from output 8. `candidate_is_renderable` — Candidate state is renderable 9. `stale_is_renderable` — Stale state is renderable 10. `exclude_then_compile_removes` — End-to-end exclude safety ### Policy.BudgetEnforcement 1. `no_block_never_exhausted` — Disabled blocking prevents exhaustion 2. `zero_record_preserves_level` — Zero-usage recording is identity 3. `percent_bounded` — Percentage capped at 254 4. `record_increases_used` — Recording usage increases the used count 5. `default_never_exhausted` — Default config is safe 6. `exhausted_means_blocking_enabled` — Exhaustion requires explicit opt-in ### Policy.ScopeIsolation 1. `empty_scope_blocks_all` — No scope = no access 2. `expansion_requires_scope` — Out-of-scope refs blocked 3. `matching_prefix_grants_access` — Prefix match enables access 4. `scope_monotone` — Adding prefixes only expands access 5. `expansion_implies_in_scope` — Successful expansion proves scope ### Compression.ReadModes 1. `signatures_mode_preserves_exports` — Exported signatures preserved 2. `map_mode_preserves_signatures` — Signatures preserved in map mode 3. `map_mode_preserves_imports` — Imports preserved in map mode 4. `map_mode_preserves_types` — Types preserved in map mode 5. `full_mode_preserves_all_signatures` — All signatures in full mode 6. `full_mode_preserves_content` — All content in full mode 7. `full_mode_preserves_imports` — All imports in full mode 8. `signatures_subset_of_map` — Signatures ⊆ map output 9. `map_signatures_subset_full` — Map signatures ⊆ full output 10. `signature_lookup_preserved` — Named lookup works after compression 11. `import_lookup_preserved` — Module lookup works after compression ### Compression.SecretSafety 1. `aggressive_no_secrets` — No secrets in aggressive output 2. `aggressive_subset` — Output is subset of input 3. `aggressive_identity_when_clean` — Clean input unchanged 4. `redaction_preserves_length` — Redaction preserves line count 5. `redaction_clears_all_secrets` — All secrets removed after redaction 6. `redaction_preserves_clean_lines` — Clean lines unchanged ### Handoff.StateMachine 1. `terminal_is_sink` — Terminal states have no outgoing transitions 2. `idle_only_prepares` — Idle state accepts only prepare 3. `send_requires_signed` — Send requires prior signing 4. `accept_requires_received` — Accept requires prior receipt 5. `complete_requires_accepted` — Complete requires prior acceptance 6. `fail_from_active_states` — Fail valid from all active states 7. `handoff_lifecycle_ordering` — Complete lifecycle path exists 8. `rejected_is_terminal` — Rejection is terminal 9. `invalid_envelope_fails` — Invalid envelope triggers failure 10. `valid_envelope_enables_send` — Valid envelope enables sending