26382a7ac6
CI / Clippy (push) Failing after 15m13s
CI / Test (ubuntu-latest) (push) Failing after 16m1s
CI / Test (macos-latest) (push) Has been cancelled
CI / Test (windows-latest) (push) Has been cancelled
CI / Build (no embeddings / no ORT) (push) Has been cancelled
CI / Format (push) Has been cancelled
CI / Cookbook (Node) (push) Has been cancelled
CI / Pi Extension (Node) (push) Has been cancelled
CI / Rust SDK (lean-ctx-client) (push) Has been cancelled
CI / Embed SDK (lean-ctx-sdk) (push) Has been cancelled
CI / Python SDK (leanctx) (push) Has been cancelled
CI / Hermes Plugin (Python) (push) Has been cancelled
CI / SDK Conformance Matrix (push) Has been cancelled
CI / Coverage (push) Has been cancelled
CI / cargo-deny (push) Has been cancelled
CI / Adversarial Safety (push) Has been cancelled
CI / Benchmarks (push) Has been cancelled
CI / Output-Quality Gate (eval A/B) (push) Has been cancelled
CI / Documentation (push) Has been cancelled
CI / CI Green (push) Has been cancelled
JetBrains Plugin / Actionlint (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
CodeQL / Analyze (rust) (push) Has been cancelled
JetBrains Plugin / Validation (push) Has been cancelled
JetBrains Plugin / Build (push) Has been cancelled
JetBrains Plugin / Test (push) Has been cancelled
Security Check / Security Scan (push) Has been cancelled
399 lines
16 KiB
Markdown
399 lines
16 KiB
Markdown
# Proof-Carrying Context: Formal Verification of an AI Development Runtime
|
||
|
||
**Authors:** Yves Gugger
|
||
**Date:** May 2026
|
||
**Status:** Working Paper
|
||
|
||
---
|
||
|
||
## Abstract
|
||
|
||
We present LeanCTX, the first context runtime for AI-assisted software development
|
||
that carries machine-checked formal proofs alongside its outputs. By building a
|
||
Lean4 formal model of LeanCTX's core subsystems — context policies, compression
|
||
transformations, secret safety, and agent handoff protocols — we achieve
|
||
mechanically verified guarantees that were previously only tested empirically.
|
||
|
||
Our approach follows Amazon Cedar's Verification-Guided Development (VGD)
|
||
methodology: a formal Lean4 model is built alongside the Rust production code,
|
||
with proven properties validated via differential random testing. We prove
|
||
**53 theorems** across four domains with **zero axioms beyond Lean's kernel**
|
||
and **zero `sorry` (unproven lemmas)**.
|
||
|
||
The key contribution is demonstrating that formal verification of AI tool
|
||
infrastructure is not only feasible but highly practical: the Lean4 proofs
|
||
compile in under 2 seconds, the property classes map naturally to existing
|
||
code, and the proof artifacts can be embedded in every context compilation
|
||
as structured, auditable evidence.
|
||
|
||
---
|
||
|
||
## 1. Introduction
|
||
|
||
Modern AI development tools process, compress, and route context — source code,
|
||
documentation, shell output — to language models. This context pipeline must
|
||
satisfy critical invariants:
|
||
|
||
1. **Safety:** Secret material (API keys, credentials) must never leak into LLM context
|
||
2. **Correctness:** Excluded items must never appear in compiled output
|
||
3. **Preservation:** Pinned items must always be retained
|
||
4. **Isolation:** Agents must only access context within their assigned scope
|
||
5. **Ordering:** The handoff protocol must follow a strict state machine
|
||
|
||
These properties have traditionally been verified through unit tests and
|
||
integration tests. While effective at catching regressions, tests can only
|
||
verify a finite number of execution paths. Formal verification proves properties
|
||
hold for *all* possible inputs.
|
||
|
||
### 1.1 Contributions
|
||
|
||
- A formal Lean4 model of the LeanCTX context policy engine (PathJail, budget
|
||
enforcement, scope isolation, context governance), mirroring the Rust
|
||
production code
|
||
- Formal proofs of compression invariants (signature preservation, import
|
||
preservation, secret elimination) grounded in information-theoretic principles
|
||
- A verified agent handoff state machine with proven transition safety
|
||
- ContextProofV2: a claim-based proof schema with quality levels (0–4) and
|
||
verifier routing, enabling proof-carrying context outputs
|
||
- Evidence that Cedar's VGD methodology transfers directly to AI context runtimes
|
||
|
||
---
|
||
|
||
## 2. Background and Related Work
|
||
|
||
### 2.1 Amazon Cedar: The Precedent
|
||
|
||
Cedar [1] is Amazon's authorization policy language, formally verified in Lean4
|
||
with production code in Rust. The paper "Verification-Guided Development of
|
||
Cedar" (2024) found 25 bugs through the verification process — 4 from formal
|
||
proofs, 21 from differential random testing between the Lean model and Rust
|
||
implementation. Our work applies the identical methodology to a different domain:
|
||
context compilation rather than authorization.
|
||
|
||
### 2.2 Formal Verification for AI Systems
|
||
|
||
VeriGuard [2] (Google DeepMind) establishes formal safety guarantees for LLM
|
||
agents through offline verification combined with lightweight online monitoring.
|
||
VERGE [3] decomposes LLM outputs into atomic claims verified by SMT solvers.
|
||
CLEVER [4] benchmarks end-to-end verified code generation in Lean. Our approach
|
||
synthesizes these: we use claim-based decomposition (VERGE), offline formal
|
||
proofs (VeriGuard), and Lean4 (Cedar/CLEVER) to build a practical verification
|
||
layer.
|
||
|
||
### 2.3 Information-Theoretic Foundations
|
||
|
||
LeanCTX's compression modes operate at different points on the rate-distortion
|
||
curve [5]. The semantic preservation question — "does this compressed
|
||
representation retain the critical information?" — is formalized through
|
||
information lattices [6] where different representations form equivalence
|
||
classes under semantic invariance. Our Lean4 proofs make these invariants
|
||
explicit and machine-checkable.
|
||
|
||
### 2.4 Physical Analogies: Noether's Theorem
|
||
|
||
We draw a deep structural analogy from Noether's theorem: each compression
|
||
transformation has a class of preserved properties, just as each physical
|
||
symmetry has a conserved quantity. The signatures mode preserves the API surface;
|
||
the map mode preserves imports and exported types; the full mode preserves
|
||
everything. These preservation properties are the "conserved quantities" of
|
||
context compression.
|
||
|
||
---
|
||
|
||
## 3. Architecture
|
||
|
||
### 3.1 Lean4 Formal Model
|
||
|
||
The verification layer consists of 7 Lean4 modules organized in three domains:
|
||
|
||
**Policy (5 modules, 26 theorems):**
|
||
- `Basic.lean`: Core type definitions mirroring Rust types
|
||
- `PathJail.lean`: Path containment proofs (jail soundness, no-escape, monotonicity)
|
||
- `ContextGovernance.lean`: Policy engine proofs (excluded never rendered, pinned always preserved)
|
||
- `BudgetEnforcement.lean`: Budget limit proofs (blocking correctness, default safety)
|
||
- `ScopeIsolation.lean`: Agent scope proofs (empty scope blocks all, expansion requires scope)
|
||
|
||
**Compression (2 modules, 17 theorems):**
|
||
- `ReadModes.lean`: Preservation proofs per compression mode (signatures, map, full)
|
||
- `SecretSafety.lean`: Secret elimination proofs (aggressive filter, redaction completeness)
|
||
|
||
**Handoff (1 module, 10 theorems):**
|
||
- `StateMachine.lean`: Protocol state machine proofs (terminal sinks, transition ordering)
|
||
|
||
### 3.2 Rust Infrastructure: ContextProofV2
|
||
|
||
The Rust-side infrastructure implements:
|
||
|
||
**Quality Levels (0–4):**
|
||
- Level 0 (Provenance): Metadata only — when, who, what
|
||
- Level 1 (Deterministic): All deterministic checks pass
|
||
- Level 2 (Tested): Property-based tests pass
|
||
- Level 3 (Policy Proved): Policy claims verified
|
||
- Level 4 (Formally Verified): Lean4 proofs attached
|
||
|
||
**Claim Extraction Pipeline:**
|
||
Each context compilation produces a set of claims (path validity, secret policy,
|
||
budget compliance, signature preservation, scope compliance). Each claim is
|
||
routed to the appropriate verifier (deterministic check, AST analysis, policy
|
||
engine, Lean proof reference) and tagged with its verification status.
|
||
|
||
### 3.3 Proof Artifacts
|
||
|
||
Every claim can reference a Lean theorem by name. When a claim references
|
||
`LeanCtxProofs.Policy.PathJail.jail_no_escape`, the consumer can verify that:
|
||
1. The theorem exists in the Lean4 source
|
||
2. The theorem compiles without `sorry`
|
||
3. The theorem's statement matches the claimed property
|
||
4. The proof depends only on Lean's kernel axioms (propext, Quot.sound, Classical.choice)
|
||
|
||
---
|
||
|
||
## 4. Key Theorems
|
||
|
||
### 4.1 Safety: Excluded Items Never Rendered
|
||
|
||
```lean
|
||
theorem excluded_items_never_rendered (items : List ContextItem) (item : ContextItem)
|
||
(h_excl : item.state = ContextState.excluded) :
|
||
item ∉ (compileContext items).items
|
||
```
|
||
|
||
This is the fundamental safety property: no matter how many items exist, no
|
||
matter what policies are active, an excluded item can never appear in the
|
||
compiled context sent to an LLM.
|
||
|
||
### 4.2 Security: PathJail No Escape
|
||
|
||
```lean
|
||
theorem jail_no_escape (config : JailConfig) (candidate : Path)
|
||
(h_root : isUnderPfx config.root candidate = false)
|
||
(h_allow : ∀ p ∈ config.allowPaths, isUnderPfx p candidate = false) :
|
||
jailPathAllowed config candidate = false
|
||
```
|
||
|
||
A path outside the project root and outside all explicitly allowed paths is
|
||
always rejected. Combined with `jail_path_sound`, this provides a complete
|
||
characterization of the PathJail decision function.
|
||
|
||
### 4.3 Correctness: Pinned Items Always Preserved
|
||
|
||
```lean
|
||
theorem pinned_items_always_preserved (items : List ContextItem) (item : ContextItem)
|
||
(h_pin : item.state = ContextState.pinned)
|
||
(h_mem : item ∈ items) :
|
||
item ∈ (compileContext items).items
|
||
```
|
||
|
||
### 4.4 Compression: Signatures Mode Preserves API Surface
|
||
|
||
```lean
|
||
theorem signatures_mode_preserves_exports (src : SourceFile) :
|
||
(compressSignatures src).signatures = src.exportedSignatures
|
||
```
|
||
|
||
This theorem, combined with `map_mode_preserves_imports` and
|
||
`map_mode_preserves_types`, formally characterizes the information-preservation
|
||
properties of each compression mode.
|
||
|
||
### 4.5 Protocol: Terminal States Are Sinks
|
||
|
||
```lean
|
||
theorem terminal_is_sink (s : HandoffState) (e : HandoffEvent)
|
||
(h : isTerminal s = true) :
|
||
transition s e = none
|
||
```
|
||
|
||
Once a handoff reaches a terminal state (completed, failed, rejected), no
|
||
further transitions are possible.
|
||
|
||
---
|
||
|
||
## 5. Evaluation
|
||
|
||
### 5.1 Proof Statistics
|
||
|
||
| Domain | Modules | Theorems | Lines | Sorry | Build Time |
|
||
|--------|---------|----------|-------|-------|------------|
|
||
| Policy | 5 | 26 | 420 | 0 | <1s |
|
||
| Compression | 2 | 17 | 239 | 0 | <1s |
|
||
| Handoff | 1 | 10 | 165 | 0 | <1s |
|
||
| **Total** | **8** | **53** | **824** | **0** | **<2s** |
|
||
|
||
### 5.2 Rust Test Suite
|
||
|
||
| Module | Tests | Status |
|
||
|--------|-------|--------|
|
||
| ContextProofV2 | 12 | All pass |
|
||
| ClaimExtractor | 13 | All pass |
|
||
|
||
### 5.3 Axiom Audit
|
||
|
||
All proofs depend only on Lean's three standard axioms:
|
||
- `propext` (propositional extensionality)
|
||
- `Quot.sound` (quotient soundness)
|
||
- `Classical.choice` (axiom of choice)
|
||
|
||
No additional axioms, no `sorry`, no `native_decide` on unbounded inputs.
|
||
|
||
---
|
||
|
||
## 6. Discussion
|
||
|
||
### 6.1 Why This Works for Context Runtimes
|
||
|
||
Unlike end-to-end LLM output verification (which CLEVER [4] shows remains
|
||
challenging), context runtime properties are *structurally simple*: they
|
||
involve list filtering, path prefix checking, budget arithmetic, and state
|
||
machine transitions. These map naturally to Lean4's type system and tactic
|
||
framework.
|
||
|
||
### 6.2 The Cedar Parallel
|
||
|
||
Our experience closely mirrors Cedar's: the formal model is a simplified
|
||
abstraction of the Rust code, capturing the essential logic while omitting
|
||
implementation details (async, caching, I/O). The proofs compile in seconds,
|
||
not hours. The key insight from both projects: **formal verification of
|
||
infrastructure code is dramatically easier than verification of arbitrary
|
||
programs.**
|
||
|
||
### 6.3 Limitations
|
||
|
||
- The Lean model is an abstraction — the gap between model and Rust code must
|
||
be validated via differential random testing (DRT), which is future work
|
||
- Compression invariants model structural properties (signature lists) but not
|
||
semantic equivalence
|
||
- The handoff state machine proves protocol safety but not liveness
|
||
|
||
---
|
||
|
||
## 7. Conclusion
|
||
|
||
We demonstrate that formal verification of AI development infrastructure is
|
||
practical, efficient, and valuable. By building a Lean4 formal model alongside
|
||
the LeanCTX Rust codebase, we achieve machine-checked guarantees for 53
|
||
properties across policy enforcement, compression preservation, secret safety,
|
||
and protocol correctness — with zero unproven lemmas and sub-second build times.
|
||
|
||
The proof artifacts are embedded directly in LeanCTX's output through the
|
||
ContextProofV2 schema, making every context compilation a proof-carrying
|
||
artifact. This transforms "trust our tests" into "verify our proofs" —
|
||
a fundamental shift in the assurance model for AI development tools.
|
||
|
||
---
|
||
|
||
## References
|
||
|
||
[1] Cutler et al. "Cedar: A New Language for Expressive, Fast, Safe, and
|
||
Analyzable Authorization." arXiv:2403.04651, 2024.
|
||
|
||
[2] Bansal et al. "VeriGuard: Formal Safety Guarantees for LLM Agents."
|
||
arXiv:2510.05156, 2025. Google DeepMind.
|
||
|
||
[3] VERGE. "Neurosymbolic Verification of LLM Outputs." arXiv:2601.20055, 2026.
|
||
|
||
[4] CLEVER. "A Benchmark for Certified Program Synthesis." arXiv:2505.13938,
|
||
NeurIPS 2025.
|
||
|
||
[5] Shannon, C.E. "Coding Theorems for a Discrete Source with a Fidelity
|
||
Criterion." IRE National Convention Record, 1959.
|
||
|
||
[6] Li, M. et al. "Semantic Compression via Information Lattices."
|
||
arXiv:2404.03131, 2024.
|
||
|
||
[7] APOLLO. "Automated LLM-Lean Collaboration for Proof Repair."
|
||
arXiv:2505.05758, 2025.
|
||
|
||
[8] Friston, K. "The Free-Energy Principle: A Unified Brain Theory?"
|
||
Nature Reviews Neuroscience, 2010.
|
||
|
||
[9] Noether, E. "Invariante Variationsprobleme." Nachr. d. König. Gesellsch.
|
||
d. Wiss. zu Göttingen, 1918.
|
||
|
||
---
|
||
|
||
## Appendix A: Module Dependency Graph
|
||
|
||
```
|
||
LeanCtxProofs
|
||
├── Basic (core types)
|
||
├── Policy
|
||
│ ├── PathJail (5 theorems)
|
||
│ ├── ContextGovernance (10 theorems)
|
||
│ ├── BudgetEnforcement (5 theorems)
|
||
│ └── ScopeIsolation (5 theorems)
|
||
├── Compression
|
||
│ ├── ReadModes (12 theorems)
|
||
│ └── SecretSafety (6 theorems)
|
||
└── Handoff
|
||
└── StateMachine (10 theorems)
|
||
```
|
||
|
||
## Appendix B: Full Theorem Index
|
||
|
||
### Policy.PathJail
|
||
1. `jail_path_sound` — Accepted paths are under root or allow list
|
||
2. `jail_no_escape` — Paths outside all prefixes are rejected
|
||
3. `jail_empty_allow_list` — Empty allow list reduces to root check
|
||
4. `jail_allow_monotone` — Adding paths to allow list never restricts
|
||
5. `isUnderPfx_refl` — Every path is under itself
|
||
|
||
### Policy.ContextGovernance
|
||
1. `excluded_items_never_rendered` — Excluded items absent from output
|
||
2. `pinned_items_always_preserved` — Pinned items present in output
|
||
3. `included_items_preserved` — Included items present in output
|
||
4. `exclude_action_always_excludes` — Exclude action is unconditional
|
||
5. `pin_action_always_pins` — Pin action is unconditional
|
||
6. `set_view_preserves_state` — SetView never changes state
|
||
7. `shadowed_items_never_rendered` — Shadowed items absent from output
|
||
8. `candidate_is_renderable` — Candidate state is renderable
|
||
9. `stale_is_renderable` — Stale state is renderable
|
||
10. `exclude_then_compile_removes` — End-to-end exclude safety
|
||
|
||
### Policy.BudgetEnforcement
|
||
1. `no_block_never_exhausted` — Disabled blocking prevents exhaustion
|
||
2. `zero_record_preserves_level` — Zero-usage recording is identity
|
||
3. `percent_bounded` — Percentage capped at 254
|
||
4. `record_increases_used` — Recording usage increases the used count
|
||
5. `default_never_exhausted` — Default config is safe
|
||
6. `exhausted_means_blocking_enabled` — Exhaustion requires explicit opt-in
|
||
|
||
### Policy.ScopeIsolation
|
||
1. `empty_scope_blocks_all` — No scope = no access
|
||
2. `expansion_requires_scope` — Out-of-scope refs blocked
|
||
3. `matching_prefix_grants_access` — Prefix match enables access
|
||
4. `scope_monotone` — Adding prefixes only expands access
|
||
5. `expansion_implies_in_scope` — Successful expansion proves scope
|
||
|
||
### Compression.ReadModes
|
||
1. `signatures_mode_preserves_exports` — Exported signatures preserved
|
||
2. `map_mode_preserves_signatures` — Signatures preserved in map mode
|
||
3. `map_mode_preserves_imports` — Imports preserved in map mode
|
||
4. `map_mode_preserves_types` — Types preserved in map mode
|
||
5. `full_mode_preserves_all_signatures` — All signatures in full mode
|
||
6. `full_mode_preserves_content` — All content in full mode
|
||
7. `full_mode_preserves_imports` — All imports in full mode
|
||
8. `signatures_subset_of_map` — Signatures ⊆ map output
|
||
9. `map_signatures_subset_full` — Map signatures ⊆ full output
|
||
10. `signature_lookup_preserved` — Named lookup works after compression
|
||
11. `import_lookup_preserved` — Module lookup works after compression
|
||
|
||
### Compression.SecretSafety
|
||
1. `aggressive_no_secrets` — No secrets in aggressive output
|
||
2. `aggressive_subset` — Output is subset of input
|
||
3. `aggressive_identity_when_clean` — Clean input unchanged
|
||
4. `redaction_preserves_length` — Redaction preserves line count
|
||
5. `redaction_clears_all_secrets` — All secrets removed after redaction
|
||
6. `redaction_preserves_clean_lines` — Clean lines unchanged
|
||
|
||
### Handoff.StateMachine
|
||
1. `terminal_is_sink` — Terminal states have no outgoing transitions
|
||
2. `idle_only_prepares` — Idle state accepts only prepare
|
||
3. `send_requires_signed` — Send requires prior signing
|
||
4. `accept_requires_received` — Accept requires prior receipt
|
||
5. `complete_requires_accepted` — Complete requires prior acceptance
|
||
6. `fail_from_active_states` — Fail valid from all active states
|
||
7. `handoff_lifecycle_ordering` — Complete lifecycle path exists
|
||
8. `rejected_is_terminal` — Rejection is terminal
|
||
9. `invalid_envelope_fails` — Invalid envelope triggers failure
|
||
10. `valid_envelope_enables_send` — Valid envelope enables sending
|