Theoretical Model

This document establishes the complete mathematical foundation for Aura's distributed system architecture. It presents the formal calculus, algebraic/session types, and semilattice semantics that underlie all system components.

Overview

Aura's theoretical foundation rests on four mathematical pillars:

Aura Calculus ( $A$ ) provides the core computational model for communication, state, and trust.
Algebraic Types structure state as semilattices with monotonic properties.
Multi-Party Session Types specify choreographic protocols with safety guarantees.
CRDT Semantics enable conflict-free replication with convergence proofs.

The combination forms a privacy-preserving, spam-resistant, capability-checked distributed λ-calculus that enforces information flow budget across all operations.

Shared Terms and Notation

This section defines shared terminology and notation for core contracts. Use this section when writing Theoretical Model, Privacy and Information Flow Contract, and Distributed Systems Contract.

Core Entities

Symbol / Term	Type	Description
$‘ a ‘$ , $‘ b ‘$	`AuthorityId`	Authority identifiers
$‘ κ ‘$	`ContextId`	Context identifier
$‘ e ‘$	`Epoch`	Epoch number
authority	—	An account authority
context	—	A relational or authority namespace keyed by `ContextId`
peer authority	—	A remote authority in a context
member	—	An authority in a home's threshold authority set
participant	—	An authority granted home access but not in the threshold set
moderator	—	A member with moderation designation for a home

Access and Topology

Term	Description
`Full`	Same-home access (0 hops)
`Partial`	1-hop neighborhood access
`Limited`	2-hop-or-greater and disconnected access
1-hop link	Direct home-to-home neighborhood edge
n-hop	Multi-edge path (2-hop, 3-hop, etc.)
Shared Storage	Community storage pool
pinned	Fact attribute for retained content

Flow Budget and Receipts

Use $‘ B [κ, a] ‘$ for a flow budget for context $‘ κ ‘$ and peer authority $‘ a ‘$ .

Field	Type / Storage	Description
FlowBudget
`spent`	Replicated fact	Monotone counter of consumed budget
`epoch`	Replicated fact	Current epoch identifier
`limit`	Derived at runtime	From capability evaluation and policy
Receipt
`ctx`	`ContextId`	Context scope
`src`	`AuthorityId`	Sending authority
`dst`	`AuthorityId`	Receiving authority
`epoch`	`Epoch`	Validity window
`cost`	`u32`	Budget charge
`nonce`	`u64`	Replay prevention
`prev_hash`	`Hash32`	Links receipts in per-hop chain
`sig`	`Signature`	Cryptographic proof

Observers, Time, and Delay

Symbol	Category	Description
$‘ ℓ_{rel} ‘$	Observer	Relationship (direct relationship observer)
$‘ ℓ_{grp} ‘$	Observer	Group (group member observer)
$‘ ℓ_{ngh} ‘$	Observer	Neighbor (neighborhood observer)
$‘ ℓ_{ext} ‘$	Observer	External (external/network observer)
$‘ δ ‘$	CRDT/state	Local state deltas (NOT network delay)
$‘ Δ_{net} ‘$	Network	Network delay bounds under partial synchrony
`GST`	Timing	Global Stabilization Time

Leakage tuple order: $‘ (ℓ_{rel}, ℓ_{grp}, ℓ_{ngh}, ℓ_{ext}) ‘$

Invariant Naming

Use InvariantXxx names for implementation and proof references. If a prose alias exists, include it once, then reference the invariant name.

Guard Chain Order

Order	Component	Role
1	`CapGuard`	Capability verification
2	`FlowGuard`	Budget enforcement
3	`JournalCoupler`	Fact commitment
4	`TransportEffects`	Message transmission

This order defines ChargeBeforeSend.

1. Aura Calculus ( $‘ A ‘$ )

1.1 Syntax

We define programs as effectful, session-typed processes operating over semilattice-structured state.

Terms:

$e ::= v ∣ e_{1} e_{2} ∣ handle e with H ∣ send κ m ∣ recv κ ∣ merge δ ∣ refine γ$

Facts (Join-Semilattice):

$(F, ⊔, ⊥) where x ⊔ y = y ⊔ x, x ⊔ (y ⊔ z) = (x ⊔ y) ⊔ z, x ⊔ x = x$

Capabilities (Meet-Semilattice):

$(C, ⊓, ⊤) where x ⊓ y = y ⊓ x, x ⊓ (y ⊓ z) = (x ⊓ y) ⊓ z, x ⊓ x = x$

Contexts:

$κ \in Ctx = {ContextId}$

Contexts are opaque UUIDs representing authority journals or relational contexts. Keys for transport sessions and DKD outputs are scoped to these identifiers. The identifier itself never leaks participants. See Identifiers and Boundaries for canonical definitions.

Messages:

$m ::= ⟨ κ, T, σ, β ⟩ // context, typed payload, signature/auth tag, optional Biscuit token$

Message extraction functions (used by operational rules):

$facts (m) : Fact // join-contribution carried by message payload$

$token (m) : Biscuit // attenuated capability presented alongside the message$

A process configuration:

$⟨ P, F, C, κ ⟩$

This represents a running session with fact-state $‘ F ‘$ , capability frontier $‘ C ‘$ derived from verified Biscuit tokens and local policy, and privacy context $‘ κ ‘$ .

1.2 Judgments

$Γ ⊢ e : T ∣ ϵ$

Under typing context $‘Γ‘$ , expression $‘ e ‘$ has type $‘ T ‘$ and may perform effects $‘ ϵ ‘$ .

Effect set:

$ϵ ::= \emptyset ∣ ϵ \cup {Merge Δ F} ∣ ϵ \cup {Refine Δ C} ∣ ϵ \cup {Send κ m} ∣ ϵ \cup {Recv κ}$

1.3 Operational Semantics

State evolution:

$(M er g e) ⟨ merge δ, F, C, κ ⟩ \to ⟨ unit, F ⊔ δ, C, κ ⟩$

$(R e f in e) ⟨ refine γ, F, C, κ ⟩ \to ⟨ unit, F, C ⊓ γ, κ ⟩$

Capability-guarded actions:

Each side effect or message action $‘ a ‘$ carries a required capability predicate $‘ need (a) ‘$ .

$(S e n d) if need (m) \leq C \land headroom (κ, cost, F, C) then ⟨ send κ m, F, C, κ ⟩ \to ⟨ unit, F, C, κ ⟩$

$else block$

$(R ec v) ⟨ recv κ, F, C, κ ⟩ \to ⟨ m, F ⊔ facts (m), C ⊓ attn (token (m)), κ ⟩$

The function attn applies the Biscuit token's caveats to the local frontier. Biscuit attenuation never widens authority. The operation remains meet-monotone even though the token data lives outside the journal.

Context isolation:

No reduction may combine messages of distinct contexts:

$if κ_{1} \neq = κ_{2} then send κ_{1} m ∥ recv κ_{2} \equiv blocked$

Here $‘ headroom (κ, cost, F, C) ‘$ is shorthand for the budget predicate derived from journal facts and Biscuit-imposed limits for context $‘ κ ‘$ :

$headroom (κ, cost, F, C) ≜ spent_{κ} (F) + cost \leq limit_{κ} (policy ⊓ C)$

Implementations realize this by merging a FlowBudget charge fact before send (see §2.3 and §5.3) while evaluating Biscuit caveats inside the guard chain. The side condition is enforced by the same monotone laws as other effects even though capability data itself is not stored in the CRDT.

1.4 Algebraic Laws (Invariants)

Monotonic Growth: $‘ F_{t + 1} = F_{t} ⊔ δ ⟹ F_{t} \leq F_{t + 1} ‘$
Monotonic Restriction: $‘ C_{t + 1} = C_{t} ⊓ γ ⟹ C_{t + 1} \leq C_{t} ‘$
Safety: Every side effect $‘ σ ‘$ requires $‘ need (σ) \leq C ‘$ .
Context Separation: For any two contexts $‘ κ_{1}, κ_{2} ‘$ , no observable trace relates their internal state unless a bridge protocol is typed for $‘ (κ_{1}, κ_{2}) ‘$ .
Compositional Confluence: $‘ (merge δ_{1}; merge δ_{2}) \equiv merge (δ_{1} ⊔ δ_{2}) ‘$ and $‘ (refine γ_{1}; refine γ_{2}) \equiv refine (γ_{1} ⊓ γ_{2}) ‘$

2. Core Algebraic Types

2.1 Foundation Objects

#![allow(unused)]
fn main() {
// Capabilities describe Biscuit caveats. They form a meet-semilattice but are evaluated outside the CRDT.
type Cap        // partially ordered set (≤), with meet ⊓ and top ⊤
type Policy     // same carrier as Cap, representing sovereign policy

// Facts are join-semilattice elements (accumulation only grows them).
type Fact       // partially ordered set (≤), with join ⊔ and bottom ⊥

// Journal state is only a Cv/Δ/CmRDT over facts.
struct Journal {
  facts: Fact,            // Cv/Δ/CmRDT carrier with ⊔
}

// Context identifiers are opaque (authority namespace or relational context).
struct ContextId(Uuid);
struct Epoch(u64);  // monotone, context-scoped
struct FlowBudget { limit: u64, spent: u64, epoch: Epoch };
struct Receipt { ctx: ContextId, src: AuthorityId, dst: AuthorityId, epoch: Epoch, cost: u32, nonce: u64, prev_hash: Hash32, sig: Signature };

// Typed messages carry effects and proofs under a context.
struct Msg<Ctx, Payload, Version> {
  ctx: Ctx,                 // ContextId chosen by relationship
  payload: Payload,         // typed by protocol role/state
  ver: Version,             // semantic version nego
  auth: AuthTag,            // signatures/MACs/AEAD tags
  biscuit: Option<Biscuit>, // optional attenuated capability
}
}

These type definitions establish the foundation for Aura's formal model. The Cap and Policy types form meet-semilattices for capability evaluation. The Fact type forms a join-semilattice for accumulating evidence. The Journal contains only facts and inherits join-semilattice properties. Messages are typed and scoped to contexts to ensure isolation.

The type Cap represents the evaluation lattice used by Biscuit. Refinement operations (caveats, delegation) can only reduce authority through the meet operation.

The type Fact represents facts as join-semilattice elements. Accumulation operations can only add information through the join operation.

Journals replicate only facts. Capability evaluations run locally by interpreting Biscuit tokens plus policy. This keeps authorization independent of the replicated CRDT while preserving the same meet monotonicity at runtime.

Contexts (ContextId) define privacy partitions. Messages never cross partition boundaries without explicit protocol support. See Identifiers and Boundaries for precise identifier semantics and Relational Contexts for implementation patterns.

2.2 Content Addressing Contract

All Aura artifacts are identified by the hash of their canonical encoding. This includes facts, snapshot blobs, cache metadata, and upgrade manifests.

Structures are serialized using canonical CBOR with sorted maps and deterministic integer width. The helper function hash_canonical(bytes) computes digests when needed.

Once a digest is published, the bytes for that artifact cannot change. New content requires a new digest and a new fact in the journal.

Snapshots and upgrade bundles stored outside the journal are referenced solely by their digest. Downloaders verify the digest before accepting the payload. Journal merges compare digests and reject mismatches before updating state. See Distributed Maintenance Architecture for the complete fact-to-state pipeline.

2.3 Effect Signatures

Core effect families provide the runtime contract:

-- Read/append mergeable state
class JournalEffects (m : Type → Type) where
  read_facts  : m Fact
  merge_facts : Fact → m Unit

-- Biscuit verification + guard evaluation
class AuthorizationEffects (m : Type → Type) where
  evaluate_guard : Biscuit → CapabilityPredicate → m Cap
  derive_cap     : ContextId → m Cap  -- cached policy frontier

-- Cryptography and key mgmt (abstracted to swap FROST, AEAD, DR, etc.)
class CryptoEffects (m : Type → Type) where
  sign_threshold  : Bytes → m SigWitness
  aead_seal       : K_box → Plain → m Cipher
  aead_open       : K_box → Cipher → m (Option Plain)
  commitment_step : ContextId → m ContextId

-- Transport (unified)
class TransportEffects (m : Type → Type) where
  send    : PeerId → Msg Ctx P V → m Unit
  recv    : m (Msg Ctx Any V)
  connect : PeerId → m Channel

These effect signatures define the interface between protocols and the runtime. The JournalEffects family handles state operations. The AuthorizationEffects family verifies Biscuit tokens and fuses them with local policy. The CryptoEffects family handles cryptographic operations. The TransportEffects family handles network communication.

2.4 Guards and Observability Invariants

Every observable side effect is mediated by a guard chain fully described in Authorization:

CapGuard: $‘ need (σ) \leq Caps (ctx) ‘$
FlowGuard: headroom(ctx, cost) where charge(ctx, peer, cost, epoch) succeeds and yields a Receipt
JournalCoupler: commit of attested facts is atomic with the send

Named invariants used across documents:

Charge-Before-Send: FlowGuard must succeed before any transport send.
No-Observable-Without-Charge: there is no $‘ send (ctx, peer, \dots) ‘$ event without a preceding successful $‘ charge (ctx, peer, cost, epoch) ‘$ .
Deterministic-Replenishment: limit(ctx) is computed deterministically from capability evaluation. The value spent (stored as journal facts) is join-monotone. Epochs gate resets.

-- Time & randomness for simulation/proofs
class TimeEffects (m : Type → Type) where
  now   : m Instant
  sleep : Duration → m Unit

class RandEffects (m : Type → Type) where
  sample : Dist → m Val

-- Privacy budgets (relationship, group, neighbor, external observers)
class LeakageEffects (m : Type → Type) where
  record_leakage   : ObserverClass → Number → m Unit
  remaining_budget : ObserverClass → m Number

The TimeEffects and RandEffects families support simulation and testing. The LeakageEffects family enforces privacy budget constraints.

The LeakageEffects implementation is the runtime hook that enforces the $‘ [leak : (ℓ_{rel}, ℓ_{grp}, ℓ_{ngh}, ℓ_{ext})] ‘$ annotations introduced in the session grammar. The system wires it through the effect system so choreographies cannot exceed configured budgets.

Information Flow Budgets (Spam + Privacy)

Each context and peer authority pair $‘ (κ, a) ‘$ carries a flow budget to couple spam resistance with privacy guarantees. This pair is written as $‘ B [κ, a] ‘$ . Keys and receipts are authority-scoped. Devices are internal to an authority and never appear in flow-budget state.

#![allow(unused)]
fn main() {
struct FlowBudget {
    spent: u64,   // monotone counter (join = max)
    limit: u64,   // capability-style guard (meet = min)
}

// Logical key: (ContextId, AuthorityId) -> FlowBudget
// Receipts: (ctx, src_authority, dst_authority, epoch, cost, nonce)
}

The FlowBudget struct tracks message emission through two components:

The spent field is stored in the journal as facts and increases through join operations
The limit field is derived from capability evaluation (Biscuit tokens + local policy) and decreases through meet operations

Only spent counters live in the journal as facts, inheriting join-semilattice properties. The limit is computed at runtime by evaluating Biscuit tokens and local policy through the capability meet-semilattice, consistent with the principle that capabilities are evaluated outside the CRDT.

Sending a message deducts a fixed flow_cost from the local budget before the effect executes. If $‘ spent + flow_cost > limit ‘$ , the effect runtime blocks the send.

Budget charge facts (incrementing spent) are emitted to the journal during send operations. The limit value is deterministically computed from the current capability frontier, ensuring all replicas with the same tokens and policy derive the same limit. Receipts bind to AuthorityId for both src/dst and use nonce chains per (ctx, src, epoch) to maintain charge-before-send proofs without leaking device structure.

Multi-hop forwarding charges budgets hop-by-hop. Relays attach a signed Receipt that proves the previous hop still had headroom. Receipts are scoped to the same context so they never leak to unrelated observers.

2.5 Semantic Laws

Join laws apply to facts. These operations are associative, commutative, and idempotent. If $‘ F_{0} = read_facts () ‘$ and after $‘ merge_facts (f) ‘$ we have $‘ F_{1} ‘$ , then $‘ F_{0} \leq F_{1} ‘$ with respect to the facts partial order.

Meet laws apply to capabilities. These operations are associative, commutative, and idempotent. Applying Biscuit caveats corresponds to multiplying by $‘ c ‘$ under $‘ ⊓ ‘$ and never increases authority.

Cap-guarded effects enforce non-interference. For any effect $‘ e ‘$ guarded by capability predicate $‘Γ ⊢ e : allowed ‘$ , executing $‘ e ‘$ from $‘ caps = C ‘$ is only permitted if $‘ C ⊓ need (e) = need (e) ‘$ .

Context isolation prevents cross-context flow. If two contexts $‘ Ctx_{1} \neq = Ctx_{2} ‘$ are not explicitly bridged by a typed protocol, no $‘ Msg ⟨ Ctx_{1}, \dots ⟩ ‘$ flows into $‘ Ctx_{2} ‘$ .

3. Multi-Party Session Type Algebra

3.1 Global Type Grammar (G)

The global choreography type describes the entire protocol from a bird's-eye view. Aura extends vanilla MPST with capability guards, journal coupling, and leakage budgets:

$G ::= r_{1} \to r_{2} : T [guard : Γ, ▹ Δ, leak : L] . G (Point-to-point send)$

$∣ r \to * : T [guard : Γ, ▹ Δ, leak : L] . G (Broadcast)$

$∣ G ∥ G (Parallel composition)$

$∣ r ▹ {ℓ_{i} : G_{i}}_{i \in I} (Choice)$

$∣ μ X . G (Recursion)$

$∣ X (Recursion variable)$

$∣ end (Termination)$

$T ::= Unit ∣ Bool ∣ Int ∣ String ∣ \dots (Message types)$

$r ::= Role identifiers (Alice, Bob, \dots)$

$ℓ ::= Label identifiers (accept, reject, \dots)$

$Γ ::= meet-closed predicate need (m) \leq caps_{r} (ctx)$

$Δ ::= journal delta (facts) merged around the message$

$L ::= leakage tuple (ℓ_{rel}, ℓ_{grp}, ℓ_{ngh}, ℓ_{ext})$

Conventions:

$‘ r_{1} \to r_{2} : T [guard : Γ, ▹ Δ, leak : L] . G ‘$ means "role $‘ r_{1} ‘$ checks $‘Γ‘$ , applies $‘Δ‘$ , records leakage $‘ L ‘$ , sends $‘ T ‘$ to $‘ r_{2} ‘$ , then continues with $‘ G ‘$ ."
$‘ r \to * : \dots ‘$ performs the same sequence for broadcasts.
$‘ G_{1} ∥ G_{2} ‘$ means "execute $‘ G_{1} ‘$ and $‘ G_{2} ‘$ concurrently."
$‘ r ▹ {ℓ_{i} : G_{i}} ‘$ means "role $‘ r ‘$ decides which branch $‘ ℓ_{i} ‘$ to take, affecting all participants."
$‘ μ X . G ‘$ binds recursion variable $‘ X ‘$ in $‘ G ‘$ .

Note on $‘Δ‘$ : the journal delta may include budget-charge updates (incrementing spent for the active epoch) and receipt acknowledgments. Projection ensures these updates occur before any transport effect so "no observable without charge" holds operationally.

Note on $‘Γ‘$ : check_caps and refine_caps are implemented via AuthorizationEffects. Sends verify Biscuit chains (with optional cached evaluations) before touching transport. Receives cache new tokens by refining the local capability frontier. Neither operation mutates the journal. All capability semantics stay outside the CRDT.

3.2 Local Type Grammar (L)

After projection, each role executes a local session type (binary protocol) augmented with effect sequencing:

$L ::= do E . L (Perform effect)$

$∣! T . L (Send)$

$∣ ? T . L (Receive)$

$∣ \oplus {ℓ_{i} : L_{i}}_{i \in I} (Internal choice)$

$∣ & {ℓ_{i} : L_{i}}_{i \in I} (External choice)$

$∣ μ X . L (Recursion)$

$∣ X (Recursion variable)$

$∣ end (Termination)$

$E ::= merge (Δ) ∣ check_caps (Γ) ∣ refine_caps (Γ) ∣ record_leak (L) ∣ noop$

3.3 Projection Function ( $‘ π ‘$ )

The projection function $‘ π_{r} (G) ‘$ extracts role $‘ r ‘$ 's local view from global choreography $‘ G ‘$ :

By convention, an annotation $‘ ▹ Δ‘$ at a global step induces per-side deltas $‘ Δ_{send} ‘$ and $‘ Δ_{recv} ‘$ . Unless otherwise specified by a protocol, we take $‘ Δ_{send} = Δ_{recv} = Δ‘$ (symmetric journal updates applied at both endpoints).

Point-to-point projection:

If $‘ r = r_{1} ‘$ (sender): $‘ π_{r} (r_{1} \to r_{2} : T [\dots]) = do merge (Δ_{send}); do check_caps (Γ); do record_leak (L);! T . π_{r} (G) ‘$
If $‘ r = r_{2} ‘$ (receiver): $‘ π_{r} (r_{1} \to r_{2} : T [\dots]) = do merge (Δ_{recv}); do refine_caps (Γ); do record_leak (L); ? T . π_{r} (G) ‘$
Otherwise: $‘ π_{r} (r_{1} \to r_{2} : T [\dots]) = π_{r} (G) ‘$

Broadcast projection:

If $‘ r = s ‘$ (sender): $‘ π_{r} (s \to * : T [\dots]) = do merge (Δ_{send}); do check_caps (Γ); do record_leak (L);! T . π_{r} (G) ‘$
Otherwise (receiver): $‘ π_{r} (s \to * : T [\dots]) = do merge (Δ_{recv}); do refine_caps (Γ); do record_leak (L); ? T . π_{r} (G) ‘$

Parallel composition:

$π_{r} (G_{1} ∥ G_{2}) = π_{r} (G_{1}) ⊙ π_{r} (G_{2})$

where $‘ ⊙ ‘$ is the merge operator (sequential interleaving if no conflicts)

Choice projection:

If $‘ r = r^{'} ‘$ (decider): $‘ π_{r} (r^{'} ▹ {ℓ_{i} : G_{i}}) = \oplus {ℓ_{i} : π_{r} (G_{i})} ‘$
If $‘ r \neq = r^{'} ‘$ (observer): $‘ π_{r} (r^{'} ▹ {ℓ_{i} : G_{i}}) = & {ℓ_{i} : π_{r} (G_{i})} ‘$

Recursion projection:

If $‘ π_{r} (G) \neq = end ‘$ : $‘ π_{r} (μ X . G) = μ X . π_{r} (G) ‘$
If $‘ π_{r} (G) = end ‘$ : $‘ π_{r} (μ X . G) = end ‘$

Base cases:

$π_{r} (X) = X$

$π_{r} (end) = end$

3.4 Duality and Safety

For binary session types, duality ensures complementary behavior:

$dual (! T . L) = ? T . dual (L)$

$dual (? T . L) =! T . dual (L)$

$dual (\oplus {ℓ_{i} : L_{i}}) = & {ℓ_{i} : dual (L_{i})}$

$dual (& {ℓ_{i} : L_{i}}) = \oplus {ℓ_{i} : dual (L_{i})}$

$dual (μ X . L) = μ X . dual (L)$

$dual (X) = X$

$dual (end) = end$

Property: If Alice's local type is $‘ L ‘$ , then Bob's local type is $‘ dual (L) ‘$ for their communication to be type-safe.

3.5 Session Type Safety Guarantees

The projection process ensures:

Deadlock Freedom: No circular dependencies in communication
Type Safety: Messages have correct types at send/receive
Communication Safety: Every send matches a receive
Progress: Protocols always advance (no livelocks)
Agreement: All participants agree on the chosen branch and protocol state (modulo permitted interleavings of independent actions)

3.6 Turing Completeness vs Safety Restrictions

The MPST algebra is Turing complete when recursion ( $Rec / Var$ ) is unrestricted. However, well-typed programs intentionally restrict expressivity to ensure critical safety properties:

Termination: Protocols that always complete (no infinite loops)
Deadlock Freedom: No circular waiting on communication
Progress: Protocols always advance to next state

Telltale-backed session runtimes balance expressivity and safety through guarded recursion constructs.

3.7 Free Algebra View (Choreography as Initial Object)

You can think of the choreography language as a small set of protocol-building moves:

Generators:

$Send (r_{1}, r_{2}, T, [guard : Γ, ▹ Δ, leak : L])$
$Broadcast (r, R^{*}, T, [guard : Γ, ▹ Δ, leak : L])$
$Parallel (G_{1}, \dots, G_{n})$
$Choice (r, {ℓ_{i} \mapsto G_{i}}_{i \in I})$
$Rec (X, G)$ and $Var (X)$
$End$

Taken together, these moves form a free algebra: the language carries just enough structure to compose protocols, but no extra operational behavior. The effect runtime is the target algebra that gives these moves concrete meaning.

Projection (from a global protocol to each role) followed by interpretation (running it against the effect runtime) yields one canonical way to execute any choreography.

The "free" (initial) property is what keeps this modular. Because the choreographic layer only expresses structure, any effect runtime that respects those composition laws admits exactly one interpretation of a given protocol. This allows swapping or layering handlers without changing choreographies.

The system treats computation and communication symmetrically. A step is the same transform whether it happens locally or across the network. If the sender and receiver are the same role, the projection collapses the step into a local effect call. If they differ, it becomes a message exchange with the same surrounding journal/guard/leak actions. Protocol authors write global transforms, the interpreter decides local versus remote at time of projection.

3.8 Algebraic Effects and the Interpreter

Aura treats protocol execution as interpretation over an algebraic effect interface. After projecting a global choreography to each role, a polymorphic interpreter walks the role's AST and dispatches each operation to AuraEffectSystem via explicit effect handlers. The core actions are exactly the ones defined by the calculus and effect signatures in this document: merge (facts grow by $‘ ⊔ ‘$ ), refine (caps shrink by $‘ ⊓ ‘$ ), send/recv (context-scoped communication), and leakage/budget metering. The interpreter enforces the lattice laws and guard predicates while executing these actions in the order dictated by the session type.

Because the interface is algebraic, there is a single semantics regardless of execution strategy. This enables two interchangeable modes:

Static compilation: choreographies lower to direct effect calls with zero runtime overhead.

Dynamic interpretation: choreographies execute through the runtime interpreter for flexibility and tooling.

Both preserve the same program structure and checks. The choice becomes an implementation detail. This also captures the computation/communication symmetry. A choreographic step describes a typed transform. If the sender and receiver are the same role, projection collapses the step to a local effect invocation. If they differ, the interpreter performs a network send/receive with the same surrounding merge/check_caps/refine/record_leak sequence. Protocol authors reason about transforms. The interpreter decides locality at projection time.

4. CRDT Semantic Foundations

4.1 CRDT Type System

Aura implements four CRDT variants to handle different consistency requirements.

#![allow(unused)]
fn main() {
// State-based (CvRDT) - Full state synchronization
pub trait JoinSemilattice: Clone { fn join(&self, other: &Self) -> Self; }
pub trait Bottom { fn bottom() -> Self; }
pub trait CvState: JoinSemilattice + Bottom {}

// Delta CRDTs - Incremental state synchronization
pub trait Delta: Clone { fn join_delta(&self, other: &Self) -> Self; }
pub trait DeltaProduce<S> { fn delta_from(old: &S, new: &S) -> Self; }

// Operation-based (CmRDT) - Causal operation broadcast
pub trait CausalOp { type Id: Clone; type Ctx: Clone; fn id(&self) -> Self::Id; fn ctx(&self) -> &Self::Ctx; }
pub trait CmApply<Op> { fn apply(&mut self, op: Op); }
pub trait Dedup<I> { fn seen(&self, id: &I) -> bool; fn mark_seen(&mut self, id: I); }

// Meet-based CRDTs - Constraint propagation
pub trait MeetSemilattice: Clone { fn meet(&self, other: &Self) -> Self; }
pub trait Top { fn top() -> Self; }
pub trait MvState: MeetSemilattice + Top {}
}

The type system enforces mathematical properties. CvState types must satisfy associativity, commutativity, and idempotency for join operations. MvState types satisfy the same laws for meet operations.

4.2 Convergence Proofs

Each CRDT type provides specific convergence guarantees:

CvRDT Convergence: Under eventual message delivery, all replicas converge to the least upper bound of their updates.

Proof sketch: Let states $‘ S_{1}, S_{2}, \dots, S_{n} ‘$ be replica states after all updates. The final state is $‘ S_{1} ⊔ S_{2} ⊔ \dots ⊔ S_{n} ‘$ . By associativity and commutativity of join, this value is unique regardless of message ordering.

Delta-CRDT Convergence: Equivalent to CvRDT but with bandwidth optimization through incremental updates.

CmRDT Convergence: Under causal message delivery and deduplication, all replicas apply the same set of operations.

Proof sketch: Causal delivery ensures operations are applied in a consistent order respecting dependencies. Deduplication prevents double-application. Commutativity ensures that concurrent operations can be applied in any order with the same result.

Meet-CRDT Convergence: All replicas converge to the greatest lower bound of their constraints.

4.3 Authority-Specific Applications

Authority journals use join-semilattice facts for evidence accumulation. Facts include AttestedOp records proving commitment tree operations occurred. Multiple attestations of the same operation join to the same fact.

Relational context journals use both join operations for shared facts and meet operations for consensus constraints. The prestate model ensures all authorities agree on initial conditions before applying operations.

Biscuit capability evaluation uses meet operations outside the CRDT. Token caveats restrict authority through intersection without affecting replicated state.

4.4 Message Schemas for Authority Synchronization

#![allow(unused)]
fn main() {
// Tagged message types for different synchronization patterns
#[derive(Clone)] pub enum SyncMsgKind { FullState, Delta, Op, Constraint }

pub type AuthorityStateMsg = (AuthorityFacts, SyncMsgKind);
pub type ContextStateMsg = (ContextFacts, SyncMsgKind);
pub type FactDelta = (Vec<Fact>, SyncMsgKind);

#[derive(Clone)] pub struct AuthenticatedOp { 
    pub op: TreeOp, 
    pub attestation: ThresholdSig, 
    pub ctx: ContextId 
}

// Anti-entropy protocol support
pub type FactDigest = Vec<Hash32>;
pub type MissingFacts = Vec<Fact>;
}

These message types support different synchronization strategies. Authority namespaces primarily use delta synchronization for efficiency. Relational context namespaces use operation-based synchronization to preserve consensus ordering.

4.5 Authority Synchronization Protocols

Authority Fact Synchronization: Authorities exchange facts using delta-based gossip for efficiency.

$AuthoritySync := μ X . (A \to B : FactDelta ⟨ Δ ⟩ . X) ∥ (B \to A : FactDelta ⟨ Δ ⟩ . X)$

Relational context consensus: Contexts use operation-based synchronization to preserve consensus ordering.

$ContextSync := μ X . (r \to * : AuthenticatedOp ⟨ Op, Ctx ⟩ . X)$

Anti-Entropy Recovery: Peers detect missing facts through digest comparison and request specific items.

$AntiEntropy := Alice \to Bob : FactDigest . Bob \to Alice : MissingFacts . end$

These protocols ensure eventual consistency across authority boundaries while maintaining context isolation. Facts are scoped to their originating authority or relational context.

4.6 Implementation Verification

Aura provides property verification for CRDT implementations through several mechanisms.

Property-Based Testing: Implementations include QuickCheck properties verifying semilattice laws. Tests generate random sequences of operations and verify associativity, commutativity, and idempotency.

Convergence Testing: Integration tests simulate network partitions and verify that replicas converge after partition healing. Tests measure convergence time and verify final state consistency.

Formal Verification: Critical CRDT implementations include formal proofs using the Quint specification language. Proofs verify that implementation behavior matches mathematical specifications.

Safety Guarantees: Session type projection ensures communication safety and deadlock freedom. Semilattice laws guarantee convergence under eventual message delivery. Meet operations ensure that capability restrictions are monotonic and cannot be bypassed.

5. Information Flow Contract (Privacy + Spam)

5.1 Privacy Layers

For any trace $‘ τ ‘$ of observable messages:

Unlinkability: $‘\forall κ_{1} \neq = κ_{2}, τ [κ_{1} \leftrightarrow κ_{2}] \approx_{ext} τ ‘$
Non-amplification: Information visible to observer class $‘ o ‘$ is monotone in authorized capabilities:

$I_{o} (τ_{1}) \leq I_{o} (τ_{2}) ⟺ C_{o} (τ_{1}) \leq C_{o} (τ_{2})$

Leakage Bound: For each observer $‘ o ‘$ , $‘ L (τ, o) \leq Budget (o) ‘$ .
Flow Budget Soundness (Named):
- Charge-Before-Send
- No-Observable-Without-Charge
- Deterministic-Replenishment
- Convergence: Within a fixed epoch and after convergence, $‘ spent_{κ} \leq min_{r} limit_{κ}^{r} ‘$ across replicas $‘ r ‘$ .

5.2 Web-of-Trust Model

Let $‘ W = (V, E) ‘$ where vertices are accounts. Edges carry relationship contexts and delegation fragments.

Each edge $‘ (A, B) ‘$ defines a pairwise context $‘ Ctx_{A B} ‘$ with derived keys
Delegations are meet-closed elements $‘ d \in Cap ‘$ , scoped to contexts
The effective capability at $‘ A ‘$ is:

$Caps_{A} = (LocalGrants_{A} ⊓ (A, x) \in E ⋂ Delegation_{x \to A}) ⊓ Policy_{A}$

WoT invariants:

Compositionality: Combining multiple delegations uses $‘ ⊓ ‘$ (never widens)
Local sovereignty: $‘ Policy_{A} ‘$ is always in the meet. $‘ A ‘$ can only reduce authority further
Projection: For any protocol projection to $‘ A ‘$ , guard checks refer to $‘ Caps_{A} (ctx) ‘$

5.3 Flow Budget Contract

The unified information-flow budget regulates emission rate/volume and observable leakage. The budget system combines join-semilattice facts (for spent counters) with meet-semilattice capability evaluation (for limit computation). For any context $‘ κ ‘$ and peer $‘ p ‘$ :

Charge-Before-Send: A send or forward is permitted only if a budget charge succeeds first. If charging fails, the step blocks locally and emits no network observable.
No-Observable-Without-Charge: For any trace $‘ τ ‘$ , there is no event labeled $‘ send (κ, p, \dots) ‘$ without a preceding successful charge for $‘ (κ, p) ‘$ in the same epoch.
Receipt soundness: A relay accepts a packet only with a valid per-hop Receipt (context-scoped, epoch-bound, signed) and sufficient local headroom. Otherwise it drops locally.
Deterministic limit computation: $‘ limit_{κ} ‘$ is computed deterministically from Biscuit tokens and local policy via meet operations. $‘ spent_{κ} ‘$ is stored as journal facts and is join-monotone. Upon epoch rotation, $‘ spent_{κ} ‘$ resets through new epoch facts.
Context scope: Budget facts and receipts are scoped to $‘ κ ‘$ . They neither leak nor apply across distinct contexts (non-interference).
Composition with caps: A transport effect requires both $‘ need (m) \leq C ‘$ and $‘ headroom (κ, cost, F, C) ‘$ (see §1.3). Either guard failing blocks the effect.
Convergence bound: Within a fixed epoch and after convergence, $‘ spent_{κ} \leq min_{r} limit_{κ}^{r} ‘$ across replicas $‘ r ‘$ , where each replica's limit is computed from its local capability evaluation.

6. Application Model

Every distributed protocol $‘ G ‘$ is defined as a multi-party session type with role projections:

$G ::= μ X . A \to B : m ⟨ T ⟩ [guard need (m) \leq C_{A}, update F_{A} ⊔ = Δ F, refine C_{B} ⊓ = Δ C], X$

When executed, each role $‘ ρ ‘$ instantiates a handler:

$handle protocol (G, ρ) with {on_send, on_recv, on_merge, on_refine}$

Handlers compose algebraically over $‘ (F, C) ‘$ by distributing operations over semilattice state transitions. This yields an effect runtime capable of:

key-ceremony coordination (threshold signatures)
gossip and rendezvous (context-isolated send/recv)
distributed indexing (merge facts, meet constraints)
garbage collection (join-preserving retractions)

7. Interpretation

Under this calculus, we can make the following interpretation:

The Semilattice Layer

The join-semilattice (Facts) captures evidence and observations (trust and information flow). Examples: delegations/attestations, quorum proofs, ceremony transcripts, flow receipts, and monotone spent counters.

The meet-semilattice (Capabilities) captures enforcement limits and constraints (trust and information flow). Examples: the sovereign policy lattice, Biscuit token caveats, leak bounds, and consent gates. See Authorization for implementation details. Flow budget limits are derived from capability evaluation, not stored as facts. This lattice is evaluated locally rather than stored in the journal, but it obeys the same algebra.

Effective authority and headroom are computed from both lattices:

$C_{eff} (tokens, Policy) = (t \in tokens ⋀ attn (t)) ⊓ Policy$

$headroom (F, C) uses limit (C_{eff}) and spent \in F, permitting sends iff spent + cost \leq limit$

The Session-Typed Process Layer

This layer guarantees communication safety and progress. It projects global types with annotations $‘ [guard : Γ, ▹ Δ, leak : L] ‘$ into local programs, ensuring deadlock freedom, communication safety, branch agreement, and aligning capability checks, journal updates, and leakage accounting with each send/recv.

The Effect Handler Layer

The Effect Handler system provides operational semantics and composability. It realizes merge/refine/send/recv as algebraic effects, enforces lattice monotonicity ( $‘ ⊔ ‘$ facts, $‘ ⊓ ‘$ caps), guard predicates, and budget/leakage metering, and composes via explicit dependency injection across crypto, storage, and transport layers.

The Privacy Contract

The privacy contract defines which transitions are observationally equivalent. Under context isolation and budgeted leakage, traces that differ only by in-context reorderings or by merges/refinements preserving observer-class budgets and effective capabilities are indistinguishable. No cross-context flow occurs without a typed bridge.

Together, these form a privacy-preserving, capability-checked distributed λ-calculus.

System Contracts

Privacy and Information Flow Contract - Unified information-flow budgets, privacy layers, leakage tracking, and adversary analysis
Distributed Systems Contract - Safety, liveness, consistency guarantees, synchrony assumptions, and failure handling

Keyboard shortcuts

Aura