This document provides an overview of the formal verification, model checking, and conformance testing infrastructure in Aura.
Aura keeps consensus and CRDT domain proof ownership in Quint models and Lean theorems.
Telltale parity lanes validate runtime conformance behavior from replay artifacts.
Telltale parity success does not count as new domain theorem coverage.
See Formal Verification Reference for the assurance classification and limits.
Metric Count
Quint Specifications 41 Quint Invariants 191 Quint Temporal Properties 11 Quint Type Definitions 362 Lean Source Files 38 Lean Theorems 118 Conformance Fixtures 4 ITF Trace Harnesses 8 Testkit Tests 113 Bridge Modules 4 CI Verification Gates 11 Telltale Parity Modules 1 Bridge Pipeline Fixtures 3
Formal protocol specifications in verification/quint/ organized by subsystem.
Subsystem Files Contents
Root 11 core, authorization, recovery, invitation, interaction, leakage, sbb, time_system, transport, epochs, cli_recovery_demo consensus/ 4 core, liveness, adversary, frost journal/ 3 core, counter, anti_entropy keys/ 3 dkg, dkd, resharing sessions/ 4 core, choreography, groups, locking amp/ 1 channel liveness/ 3 connectivity, timing, properties harness/ 8 amp_channel, counter, dkg, flows, groups, locking, recovery, resharing tui/ 4 demo_recovery, flows, signals, state
Harness modules generate ITF traces on demand via just quint-generate-traces. Traces are not checked into the repository. CI runs just ci-conformance-itf to generate traces and replay them through Rust handlers.
Specification Purpose Key Properties
consensus/core.qntFast-path consensus protocol UniqueCommitPerInstance, CommitRequiresThreshold, EquivocatorsExcluded consensus/liveness.qntProgress guarantees ProgressUnderSynchrony, RetryBound, CommitRequiresHonestParticipation consensus/adversary.qntByzantine tolerance ByzantineThreshold, EquivocationDetected, HonestMajorityCanCommit consensus/frost.qntThreshold signatures Share aggregation, commitment validation journal/core.qntCRDT journal semantics NonceUnique, FactsOrdered, NonceMergeCommutative, LamportMonotonic journal/anti_entropy.qntSync protocol FactsMonotonic, EventualConvergence, VectorClockConsistent authorization.qntGuard chain security NoCapabilityWidening, ChargeBeforeSend time_system.qntTimestamp ordering TimeStamp domain semantics and comparison
Files implementing Quint-Rust correspondence and model-based testing.
effects/quint.rs - QuintMappable trait for bidirectional type mappingeffects/mod.rs - Effect trait definitions with Quint correspondence
runner.rs - QuintRunner with property caching and verification statisticsproperties.rs - PropertySpec, PropertySuite, and property categorizationevaluator.rs - QuintEvaluator subprocess wrapper for Quint CLIhandler.rs - Effect handler integration
Cross-validation modules for Lean↔Quint correspondence:
Module Purpose
bridge_export.rsExport Quint state to Lean-readable format bridge_import.rsImport Lean outputs back to Quint structures bridge_format.rsShared serialization format definitions bridge_validate.rsCross-validation assertions and checks
17 modules implementing generative simulation:
Module Purpose
action_registry.rsMaps Quint action names to Rust handlers state_mapper.rsBidirectional state conversion (Rust <-> Quint JSON) generative_simulator.rsOrchestrates ITF trace replay with property checking itf_loader.rsParses ITF traces from Quint model checking itf_fuzzer.rsModel-based fuzzing with coverage analysis trace_converter.rsConverts between trace formats simulation_evaluator.rsEvaluates properties during simulation properties.rsProperty extraction and classification domain_handlers.rsDomain-specific action handlers amp_channel_handlers.rsAMP reliable channel handlers byzantine_mapper.rsByzantine fault strategy mapping chaos_generator.rsChaos/fault scenario generation aura_state_extractors.rsAura-specific state extraction cli_runner.rsCLI integration for Quint verification ast_parser.rsQuint AST parsing for analysis mod.rsModule exports and re-exports types.rsShared type definitions
differential_tester.rs - Cross-implementation parity testing between Quint models and Rust handlerstelltale_parity.rs - Telltale-backed parity boundary, canonical surface mapping, and report artifact generation
core/verification/mod.rs - Verification module facadecore/verification/quint_mapping.rs - Consensus type mappings
Lean 4 mathematical proofs in verification/lean/ providing formal guarantees.
Module Content
Types/ByteArray32.lean32-byte hash representation (6 theorems) Types/OrderTime.leanOpaque ordering tokens (4 theorems) Types/TimeStamp.lean4-variant time enum Types/FactContent.leanStructured fact types Types/ProtocolFacts.leanProtocol-specific fact types Types/AttestedOp.leanAttested operation types Types/TreeOp.leanTree operation types Types/Namespace.leanAuthority/Context namespaces Types/Identifiers.leanIdentifier types Types.leanType module aggregation
Module Purpose
Domain/Consensus/Types.leanConsensus message types (8 definitions) Domain/Consensus/Frost.leanFROST signature types Domain/Journal/Types.leanFact and Journal structures Domain/Journal/Operations.leanmerge, reduce, factsEquiv (1 theorem) Domain/FlowBudget.leanBudget types and charging Domain/GuardChain.leanGuard types and evaluation Domain/TimeSystem.leanTimestamp comparison Domain/KeyDerivation.leanKey derivation types Domain/ContextIsolation.leanContext isolation model
Consensus Proofs:
Module Theorems Content
Proofs/Consensus/Agreement.lean3 No two honest parties commit different values Proofs/Consensus/Validity.lean7 Only valid proposals can be committed Proofs/Consensus/Equivocation.lean5 Detection soundness and completeness Proofs/Consensus/Evidence.lean8 Evidence CRDT semilattice properties Proofs/Consensus/Frost.lean12 FROST share aggregation safety Proofs/Consensus/Liveness.lean3 Progress under timing assumptions (axioms) Proofs/Consensus/Adversary.lean7 Byzantine model bounds Proofs/Consensus/Summary.lean- Master consensus claims bundle
Infrastructure Proofs:
Module Theorems Content
Proofs/Journal.lean14 CRDT semilattice (commutativity, associativity, idempotence) Proofs/FlowBudget.lean5 Charging correctness Proofs/GuardChain.lean7 Guard evaluation determinism Proofs/TimeSystem.lean8 Timestamp ordering properties Proofs/KeyDerivation.lean3 PRF isolation proofs Proofs/ContextIsolation.lean16 Context separation and bridge authorization
Aura.lean - Top-level documentationAura/Proofs.lean - Main reviewer entry with all Claims bundlesAura/Assumptions.lean - Cryptographic axioms (FROST unforgeability, hash collision resistance, PRF security)Aura/Runner.lean - CLI for differential testing
Deterministic parity validation infrastructure in aura-testkit.
Fixture Purpose
consensus.jsonConsensus protocol conformance sync.jsonSynchronization protocol conformance recovery.jsonGuardian recovery conformance invitation.jsonInvitation protocol conformance
Module Purpose
conformance.rsArtifact loading, replay, and verification conformance_diff.rsLaw-aware comparison with envelope classifications
Class Effect Kinds Comparison Rule
stricthandle_recv, handle_choose, handle_acquire, handle_release Byte-exact match required commutativesend_decision, invoke_step Order-insensitive under normalization algebraictopology_event Reduced via domain-normal form
Invariant Location
InvariantUniqueCommitPerInstanceconsensus/core.qnt InvariantCommitRequiresThresholdconsensus/core.qnt InvariantCommittedHasCommitFactconsensus/core.qnt InvariantEquivocatorsExcludedconsensus/core.qnt InvariantProposalsFromWitnessesconsensus/core.qnt InvariantProgressUnderSynchronyconsensus/liveness.qnt InvariantRetryBoundconsensus/liveness.qnt InvariantCommitRequiresHonestParticipationconsensus/liveness.qnt InvariantQuorumPossibleconsensus/liveness.qnt InvariantByzantineThresholdconsensus/adversary.qnt InvariantEquivocationDetectedconsensus/adversary.qnt InvariantCompromisedNoncesExcludedconsensus/adversary.qnt InvariantHonestMajorityCanCommitconsensus/adversary.qnt
Invariant Location
InvariantNonceUniquejournal/core.qnt InvariantFactsOrderedjournal/core.qnt InvariantFactsMatchNamespacejournal/core.qnt InvariantLifecycleCompletedImpliesStablejournal/core.qnt InvariantNonceMergeCommutativejournal/core.qnt InvariantLamportMonotonicjournal/core.qnt InvariantReduceDeterministicjournal/core.qnt InvariantPhaseRegisteredjournal/counter.qnt InvariantCountersRegisteredjournal/counter.qnt InvariantLifecycleStatusDefinedjournal/counter.qnt InvariantOutcomeWhenCompletedjournal/counter.qnt InvariantFactsMonotonicjournal/anti_entropy.qnt InvariantFactsSubsetOfGlobaljournal/anti_entropy.qnt InvariantVectorClockConsistentjournal/anti_entropy.qnt InvariantEventualConvergencejournal/anti_entropy.qnt InvariantDeltasFromSourcejournal/anti_entropy.qnt InvariantCompletedSessionsConvergedjournal/anti_entropy.qnt
Property Location
livenessEventualCommitconsensus/core.qnt safetyImmutableCommitconsensus/core.qnt authorizationSoundnessauthorization.qnt budgetMonotonicityauthorization.qnt flowBudgetFairnessauthorization.qnt canAlwaysExittui/state.qnt modalEventuallyClosestui/state.qnt insertModeEventuallyExitstui/state.qnt InvariantLeakageBoundedleakage.qnt InvariantObserverHierarchyMaintainedleakage.qnt InvariantBudgetsPositiveleakage.qnt
Automated verification lanes wired into CI pipelines.
Gate Command Purpose
Property Monitor just ci-property-monitorRuntime property assertion monitoring Simulator Telltale Parity just ci-simulator-telltale-parityArtifact-driven telltale vs Aura simulator differential comparison Choreography Parity just ci-choreo-paritySession type projection consistency Quint Typecheck just ci-quint-typecheckQuint specification type safety
Gate Command Purpose
Conformance Policy just ci-conformance-policyPolicy rule validation Conformance Contracts just ci-conformance-contractsContract satisfaction checks Golden Fixtures conformance_golden_fixturesDeterministic replay against known-good traces
Gate Command Purpose
Lean Build just ci-lean-buildCompile Lean proofs Lean Completeness just ci-lean-check-sorryCheck for incomplete proofs (sorry) Lean-Quint Bridge just ci-lean-quint-bridgeCross-validation between Lean and Quint Kani BMC just ci-kaniBounded model checking for unsafe code
Conformance artifacts upload to CI for failure triage:
artifacts/conformance/
├── native_coop/
│ └── scenario_seed_artifact.json
├── wasm_coop/
│ └── scenario_seed_artifact.json
└── diff_report.json
The diff report highlights specific mismatches for investigation.
Telltale parity and bridge lanes emit additional artifacts:
artifacts/telltale-parity/
└── report.json
artifacts/lean-quint-bridge/
├── bridge.log
├── bridge_discrepancy_report.json
└── report.json
artifacts/telltale-parity/report.json uses schema aura.telltale-parity.report.v1.
artifacts/lean-quint-bridge/bridge_discrepancy_report.json uses schema aura.lean-quint-bridge.discrepancy.v1.
aura-quint bridge pipeline checks use deterministic fixture inputs:
Fixture Purpose
positive_bundle.jsonExpected consistent cross-validation outcome negative_bundle.jsonExpected discrepancy detection outcome quint_ir_fixture.jsonExport/import pipeline coverage for Quint IR
Fixtures live in crates/aura-quint/tests/fixtures/bridge/.