Quick conventions for contributing. See README.md for project overview, docs/ROADMAP.md for status.
Title: [Category] Brief description
Categories: [Layer 3] [Trust Reduction] [Property Coverage] [Compiler Enhancement] [Documentation] [Infrastructure]
Labels: Use layer-3 lean proof enhancement bug documentation help-wanted good-first-issue
Structure: Use issue templates in .github/ISSUE_TEMPLATE/
- Goal (what needs doing)
- Effort estimate (hours/weeks)
- Implementation approach
- Acceptance criteria
- References (file paths, issues)
Title: Same [Category] prefix as issues
Body:
## Summary
- Bullet points of changes
## Test Plan
How you verified it works
## Related Issues
Closes #X, addresses #YBefore submitting:
lake build # Must pass — verifies all proofs
FOUNDRY_PROFILE=difftest forge test # Must pass — runs all Foundry tests
# FOUNDRY_PROFILE=difftest is required because property and differential
# tests use vm.ffi() to invoke the Lean-based interpreter
# No new `sorry` without documentation
# No new `axiom` without documenting in AXIOMS.md
# Update docs/ROADMAP.md if architectural changes
# If adding a new contract, run the checklist belowWhen adding a new contract, also update:
- Author the contract with
verity_contract; do not add a separate hand-writtenCompiler.Specsbody unless the workflow truly requires a special case like external linking. - Add the macro-generated
<Name>.specalias/list entry inCompiler/Specs.leanif the contract should ship through the default compiler manifest. test/property_manifest.json— Runpython3 scripts/extract_property_manifest.pyREADME.md— Contracts table (theorem count and description)docs/VERIFICATION_STATUS.md— Contract table and coverage statsdocs-site/public/llms.txt— Quick Facts and theorem breakdown tabledocs-site/content/verification.mdx— Snapshot sectiondocs-site/content/examples.mdx— Contract descriptions and count- Plus any other files that reference theorem/test/contract counts (e.g.,
compiler.mdx,research.mdx,index.mdx,layout.tsx,ROADMAP.md,TRUST_ASSUMPTIONS.md,test/README.md) - Run
python3 scripts/check_contract_structure.pyto verify file structure is complete - Run
python3 scripts/generate_verification_status.py --checkto verify the machine-readable status artifact is current - Run
python3 scripts/check_lean_hygiene.pyto verify no#evalin proof files andallowUnsafeReducibilitycount is correct
Every PR that touches proof files must satisfy all of the following. Each requirement is enforced by CI and cannot be bypassed without updating the corresponding enforcement script.
-
Zero
sorry:lake buildrejects incomplete proofs at the Lean kernel level. CI runs an independent grep scan as defense in depth (check_lean_hygiene.py). -
Zero new axioms without a same-commit update to AXIOMS.md including: justification, risk rating, CI validation strategy, and elimination path. Enforced by
check_axioms.py. -
Axiom dependency freshness: If theorems are added or removed,
PrintAxioms.leanmust be regenerated (python3 scripts/generate_print_axioms.py). CI validates via--checkmode. -
Proof size: Proofs should be under 30 lines. Proofs over 50 lines require an entry in the allowlist in
check_proof_length.pywith a PR comment explaining why decomposition is not feasible. Enforced by CI. -
No
native_decidein contract proofs:native_decidebypasses the Lean kernel checker. It is allowed only in smoke tests (Compiler/Proofs/YulGeneration/SmokeTests.lean). Enforced bycheck_lean_hygiene.py. -
No debug commands in proofs:
#eval,#check,#print,#reduceare forbidden in proof files (they slow incremental builds). Enforced bycheck_lean_hygiene.py. -
Verification status freshness: Regenerate and commit
artifacts/verification_status.jsonwhen theorem/test/axiom counts change. Enforced bygenerate_verification_status.py.
Lean:
- 2-space indentation
- Meaningful names (
irStatenots) - Proofs under 30 lines when possible (see Proof Hygiene above)
- Document complex proof strategies
Commits:
type: description
[optional body]
Co-Authored-By: Claude <noreply@anthropic.com>
Types: feat fix proof docs refactor test chore
Follow these conventions to keep documentation accurate and maintainable.
For Theorems:
sorry- Incomplete proof (blocked by CI in proof files)- No marker - Complete proof
- DON'T use TODO/STUB in proven theorems
-- ✅ GOOD: Complete proof, no marker needed
theorem my_theorem : ... := by
unfold ...
simp [...]
-- ❌ BAD: Complete proof but has misleading TODO
theorem my_theorem : ... := by
-- TODO: This actually works fine
unfold ...
simp [...]For Incomplete Proofs:
-- Only in draft branches, NOT in main
theorem draft_theorem : ... := by
sorry -- Strategy: Use induction on List structure
-- See issue #123 for detailsModule Headers should reflect current status:
/-! ## Module Name
Brief description of what this module does.
**Status**: Complete | Partial | Draft
**Dependencies**: List axioms/external dependencies
**Related**: Links to other relevant modules
-/Status Definitions:
- Complete: All theorems proven, no sorry
- Partial: Some proven, some sorry (specify which)
- Draft: Structural outline only
Example:
/-! ## Layer 3: Statement-Level Equivalence
Proves IR statement execution is equivalent to Yul statement execution
when states are aligned.
**Status**: Complete - All statement types proven
**Dependencies**: Uses keccak256 axiom (see AXIOMS.md)
-/For planned improvements or known limitations:
-- FUTURE: Add support for delegatecall
-- See issue #123 for design discussion
def currentImplementation := ...DON'T use:
TODO:FIXME:HACK:NOTE:with explanation instead)
For non-obvious design choices:
-- NOTE: We use fuel-based recursion here because Lean cannot prove
-- termination for mutually recursive functions with this structure.
-- See Equivalence.lean for the proof strategy this enables.
def execIRStmtFuel (fuel : Nat) : ... := ...All axioms must be documented inline and in AXIOMS.md:
/-- AXIOM: explain the remaining trust boundary
Document why the declaration cannot yet be proved in Lean,
what guards or regression checks keep it honest,
and link to AXIOMS.md for the current trust story.
See AXIOMS.md for full soundness justification.
-/
axiom some_remaining_axiom : PropProperty tests must match Lean theorem names exactly:
/// Property: store_retrieve_roundtrip
function testProp_StoreRetrieveRoundtrip(...) public { ... }Tag format: /// Property: exact_theorem_name
❌ Stale TODOs in completed code ❌ Difficulty estimates after proof is done ❌ Verbose explanations of obvious code ❌ Status claims that don't match reality
✅ Brief descriptions of what code does ✅ Links to related issues for context ✅ Explanations of non-obvious design choices ✅ Accurate status in module headers
Layer 3 proofs: Read Compiler/Proofs/README.md, study completed proofs (assign_equiv, storageStore_equiv), use templates
New contracts: Use python3 scripts/generate_contract.py <Name> to scaffold all boilerplate files, then follow the SimpleStorage pattern: Spec → Invariants → Implementation → Proofs → Tests
Compiler changes: Ensure lake build and make check pass
Axioms should be avoided whenever possible as they introduce trust assumptions. If you must add an axiom:
-
Exhaust all alternatives first:
- Can you prove it? (even if difficult)
- Can you use a weaker lemma?
- Can you refactor to avoid the need?
-
Document in AXIOMS.md:
- State the axiom clearly
- Provide soundness justification
- Explain why a proof isn't feasible
- Note future work to eliminate axiom
- Assess risk level
-
Add inline comment in source:
/-- AXIOM: Brief explanation See AXIOMS.md for full soundness justification -/ axiom my_axiom : ...
-
CI will validate: The CI workflow automatically detects axioms and ensures they're documented in AXIOMS.md. Undocumented axioms will fail the build.
See AXIOMS.md for current axioms and detailed guidelines.
Verity/- EDSL, user-facing specs, and contract-specific specification proofsCompiler/- IR, Yul, codegenCompiler/Proofs/- Layer 2 & 3 proofsdocs/ROADMAP.md- Progress trackingtest/- Foundry tests
Full details: docs/VERIFICATION_STATUS.md