Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Verification Coverage Report

This document provides an overview of the formal verification, model checking, and conformance testing infrastructure in Aura.

Verification Boundary Statement

Aura keeps consensus and CRDT domain proof ownership in Quint models and Lean theorems. Telltale parity lanes validate runtime conformance behavior from replay artifacts. Telltale parity success does not count as new domain theorem coverage. See Formal Verification Reference for the assurance classification and limits.

Summary Metrics

MetricCount
Quint Specifications42
Quint Invariants191
Quint Temporal Properties11
Quint Type Definitions362
Lean Source Files38
Lean Theorems118
Conformance Fixtures4
ITF Trace Harnesses9
Testkit Tests118
Bridge Modules4
CI Verification Gates11
Telltale Parity Modules1
Bridge Pipeline Fixtures3

Verification Layers

Layer 1: Quint Specifications

Formal protocol specifications in verification/quint/ organized by subsystem.

SubsystemFilesContents
Root11core, authorization, recovery, invitation, interaction, leakage, sbb, time_system, transport, epochs, cli_recovery_demo
consensus/4core, liveness, adversary, frost
journal/3core, counter, anti_entropy
keys/3dkg, dkd, resharing
sessions/4core, choreography, groups, locking
amp/1channel
liveness/3connectivity, timing, properties
harness/9amp_channel, counter, dkg, flows, groups, locking, recovery, resharing, semantic_observation_smoke
tui/4demo_recovery, flows, signals, state

Harness modules generate ITF traces on demand via just quint-generate-traces. Traces are not checked into the repository. CI runs just ci-conformance-itf to generate traces and replay them through Rust handlers.

Key Specifications

SpecificationPurposeKey Properties
consensus/core.qntFast-path consensus protocolUniqueCommitPerInstance, CommitRequiresThreshold, EquivocatorsExcluded
consensus/liveness.qntProgress guaranteesProgressUnderSynchrony, RetryBound, CommitRequiresHonestParticipation
consensus/adversary.qntByzantine toleranceByzantineThreshold, EquivocationDetected, HonestMajorityCanCommit
consensus/frost.qntThreshold signaturesShare aggregation, commitment validation
journal/core.qntCRDT journal semanticsNonceUnique, FactsOrdered, NonceMergeCommutative, LamportMonotonic
journal/anti_entropy.qntSync protocolFactsMonotonic, EventualConvergence, VectorClockConsistent
authorization.qntGuard chain securityNoCapabilityWidening, ChargeBeforeSend
time_system.qntTimestamp orderingTimeStamp domain semantics and comparison

Layer 2: Rust Integration

Files implementing Quint-Rust correspondence and model-based testing.

Core Integration (aura-core)

  • effects/quint.rs - QuintMappable trait for bidirectional type mapping
  • effects/mod.rs - Effect trait definitions with Quint correspondence

Quint Crate (aura-quint)

  • runner.rs - QuintRunner with property caching and verification statistics
  • properties.rs - PropertySpec, PropertySuite, and property categorization
  • evaluator.rs - QuintEvaluator subprocess wrapper for Quint CLI
  • handler.rs - Effect handler integration

Telltale Bridge (aura-quint)

Cross-validation modules for Lean↔Quint correspondence:

ModulePurpose
bridge_export.rsExport Quint state to Lean-readable format
bridge_import.rsImport Lean outputs back to Quint structures
bridge_format.rsShared serialization format definitions
bridge_validate.rsCross-validation assertions and checks

Simulator Integration (aura-simulator/src/quint/)

17 modules implementing generative simulation:

ModulePurpose
action_registry.rsMaps Quint action names to Rust handlers
state_mapper.rsBidirectional state conversion (Rust <-> Quint JSON)
generative_simulator.rsOrchestrates ITF trace replay with property checking
itf_loader.rsParses ITF traces from Quint model checking
itf_fuzzer.rsModel-based fuzzing with coverage analysis
trace_converter.rsConverts between trace formats
simulation_evaluator.rsEvaluates properties during simulation
properties.rsProperty extraction and classification
domain_handlers.rsDomain-specific action handlers
amp_channel_handlers.rsAMP reliable channel handlers
byzantine_mapper.rsByzantine fault strategy mapping
chaos_generator.rsChaos/fault scenario generation
aura_state_extractors.rsAura-specific state extraction
cli_runner.rsCLI integration for Quint verification
ast_parser.rsQuint AST parsing for analysis
mod.rsModule exports and re-exports
types.rsShared type definitions

Differential Verification (aura-simulator)

  • differential_tester.rs - Cross-implementation parity testing between Quint models and Rust handlers
  • telltale_parity.rs - Telltale-backed parity boundary, canonical surface mapping, and report artifact generation

Consensus Verification (aura-consensus)

  • core/verification/mod.rs - Verification module facade
  • core/verification/quint_mapping.rs - Consensus type mappings

Layer 3: Lean Proofs

Lean 4 mathematical proofs in verification/lean/ providing formal guarantees.

Type Modules (10 files)

ModuleContent
Types/ByteArray32.lean32-byte hash representation (6 theorems)
Types/OrderTime.leanOpaque ordering tokens (4 theorems)
Types/TimeStamp.lean4-variant time enum
Types/FactContent.leanStructured fact types
Types/ProtocolFacts.leanProtocol-specific fact types
Types/AttestedOp.leanAttested operation types
Types/TreeOp.leanTree operation types
Types/Namespace.leanAuthority/Context namespaces
Types/Identifiers.leanIdentifier types
Types.leanType module aggregation

Domain Modules (9 files)

ModulePurpose
Domain/Consensus/Types.leanConsensus message types (8 definitions)
Domain/Consensus/Frost.leanFROST signature types
Domain/Journal/Types.leanFact and Journal structures
Domain/Journal/Operations.leanmerge, reduce, factsEquiv (1 theorem)
Domain/FlowBudget.leanBudget types and charging
Domain/GuardChain.leanGuard types and evaluation
Domain/TimeSystem.leanTimestamp comparison
Domain/KeyDerivation.leanKey derivation types
Domain/ContextIsolation.leanContext isolation model

Proof Modules (14 files, 118 theorems)

Consensus Proofs

ModuleTheoremsContent
Proofs/Consensus/Agreement.lean3No two honest parties commit different values
Proofs/Consensus/Validity.lean7Only valid proposals can be committed
Proofs/Consensus/Equivocation.lean5Detection soundness and completeness
Proofs/Consensus/Evidence.lean8Evidence CRDT semilattice properties
Proofs/Consensus/Frost.lean12FROST share aggregation safety
Proofs/Consensus/Liveness.lean3Progress under timing assumptions (axioms)
Proofs/Consensus/Adversary.lean7Byzantine model bounds
Proofs/Consensus/Summary.lean-Master consensus claims bundle

Infrastructure Proofs

ModuleTheoremsContent
Proofs/Journal.lean14CRDT semilattice (commutativity, associativity, idempotence)
Proofs/FlowBudget.lean5Charging correctness
Proofs/GuardChain.lean7Guard evaluation determinism
Proofs/TimeSystem.lean8Timestamp ordering properties
Proofs/KeyDerivation.lean3PRF isolation proofs
Proofs/ContextIsolation.lean16Context separation and bridge authorization

Entry Points (4 files)

  • Aura.lean - Top-level documentation
  • Aura/Proofs.lean - Main reviewer entry with all Claims bundles
  • Aura/Assumptions.lean - Cryptographic axioms (FROST unforgeability, hash collision resistance, PRF security)
  • Aura/Runner.lean - CLI for differential testing

Layer 4: Conformance Testing

Deterministic parity validation infrastructure in aura-testkit.

Conformance Fixtures

FixturePurpose
consensus.jsonConsensus protocol conformance
sync.jsonSynchronization protocol conformance
recovery.jsonGuardian recovery conformance
invitation.jsonInvitation protocol conformance

Conformance Modules

ModulePurpose
conformance.rsArtifact loading, replay, and verification
conformance_diff.rsLaw-aware comparison with envelope classifications

Effect Envelope Classifications

ClassEffect KindsComparison Rule
stricthandle_recv, handle_choose, handle_acquire, handle_releaseByte-exact match required
commutativesend_decision, invoke_stepOrder-insensitive under normalization
algebraictopology_eventReduced via domain-normal form

Verified Invariants

Consensus Invariants

InvariantLocation
InvariantUniqueCommitPerInstanceconsensus/core.qnt
InvariantCommitRequiresThresholdconsensus/core.qnt
InvariantCommittedHasCommitFactconsensus/core.qnt
InvariantEquivocatorsExcludedconsensus/core.qnt
InvariantProposalsFromWitnessesconsensus/core.qnt
InvariantProgressUnderSynchronyconsensus/liveness.qnt
InvariantRetryBoundconsensus/liveness.qnt
InvariantCommitRequiresHonestParticipationconsensus/liveness.qnt
InvariantQuorumPossibleconsensus/liveness.qnt
InvariantByzantineThresholdconsensus/adversary.qnt
InvariantEquivocationDetectedconsensus/adversary.qnt
InvariantCompromisedNoncesExcludedconsensus/adversary.qnt
InvariantHonestMajorityCanCommitconsensus/adversary.qnt

Journal Invariants

InvariantLocation
InvariantNonceUniquejournal/core.qnt
InvariantFactsOrderedjournal/core.qnt
InvariantFactsMatchNamespacejournal/core.qnt
InvariantLifecycleCompletedImpliesStablejournal/core.qnt
InvariantNonceMergeCommutativejournal/core.qnt
InvariantLamportMonotonicjournal/core.qnt
InvariantReduceDeterministicjournal/core.qnt
InvariantPhaseRegisteredjournal/counter.qnt
InvariantCountersRegisteredjournal/counter.qnt
InvariantLifecycleStatusDefinedjournal/counter.qnt
InvariantOutcomeWhenCompletedjournal/counter.qnt
InvariantFactsMonotonicjournal/anti_entropy.qnt
InvariantFactsSubsetOfGlobaljournal/anti_entropy.qnt
InvariantVectorClockConsistentjournal/anti_entropy.qnt
InvariantEventualConvergencejournal/anti_entropy.qnt
InvariantDeltasFromSourcejournal/anti_entropy.qnt
InvariantCompletedSessionsConvergedjournal/anti_entropy.qnt

Temporal Properties

PropertyLocation
livenessEventualCommitconsensus/core.qnt
safetyImmutableCommitconsensus/core.qnt
authorizationSoundnessauthorization.qnt
budgetMonotonicityauthorization.qnt
flowBudgetFairnessauthorization.qnt
canAlwaysExittui/state.qnt
modalEventuallyClosestui/state.qnt
insertModeEventuallyExitstui/state.qnt
InvariantLeakageBoundedleakage.qnt
InvariantObserverHierarchyMaintainedleakage.qnt
InvariantBudgetsPositiveleakage.qnt

Contract Coverage Mapping

This section maps the contract clauses in Privacy and Information Flow Contract and Distributed Systems Contract to the current verification and assurance evidence.

Coverage status uses three classes:

  • Verified: directly covered by Quint invariants, Lean proofs, or both
  • Conformance-backed: covered by replay, parity, or deterministic conformance lanes rather than domain theorem proofs
  • Specified only: documented as a contract requirement, but not yet directly mapped to a proof or conformance artifact in this report

Privacy and Information Flow Contract Coverage

Contract AreaStatusEvidence
Context-specific identity separationVerifiedAura.Proofs.KeyDerivation, Aura.Proofs.ContextIsolation
Budgeted send invariantVerifiedauthorization.qnt, transport.qnt, Aura.Proofs.FlowBudget, Aura.Proofs.GuardChain
Epoch-scoped receipt validityVerifiedepochs.qnt
Observer-budgeted metadata leakageVerifiedleakage.qnt
Cross-context isolationVerifiedAura.Proofs.ContextIsolation, transport.qnt
Physical vs logical time privacy boundaryVerifiedtime_system.qnt, Aura.Proofs.TimeSystem
Error-channel privacy boundarySpecified onlyNo direct proof or conformance mapping recorded here
Retrieval not identity-addressedConformance-backedcrates/aura-simulator/tests/adaptive_privacy_phase_six.rs, selector-based Hold retrieval scenarios
Custody remains opaque and non-authoritativeConformance-backedcrates/aura-simulator/tests/adaptive_privacy_phase_six.rs, Hold custody and cache-replica validation
Accountability evidence verified before local consequencesConformance-backedcrates/aura-simulator/tests/adaptive_privacy_phase_six.rs, reply-block accountability control-plane lanes
External observer protection level varies by deployment modeSpecified onlyNo direct proof or conformance mapping recorded here

Distributed Systems Contract Coverage

Contract AreaStatusEvidence
Journal CRDT lawsVerifiedjournal/core.qnt, Aura.Proofs.Journal
Consensus agreement and validityVerifiedconsensus/core.qnt, Aura.Proofs.Consensus.Agreement, Aura.Proofs.Consensus.Validity
Fault-bound consensus safety assumptionsVerifiedconsensus/adversary.qnt, Aura.Proofs.Consensus.Adversary
Evidence CRDT lawsVerifiedAura.Proofs.Consensus.Evidence
Equivocation detectionVerifiedconsensus/adversary.qnt, Aura.Proofs.Consensus.Equivocation
FROST threshold safetyVerifiedconsensus/frost.qnt, Aura.Proofs.Consensus.Frost
Context isolationVerifiedtransport.qnt, Aura.Proofs.ContextIsolation
Anti-entropy convergenceVerifiedjournal/anti_entropy.qnt
Fast-path and fallback liveness under assumptionsVerifiedconsensus/liveness.qnt, Aura.Proofs.Consensus.Liveness
Invitation lifecycle safetyVerifiedinvitation.qnt
Cross-protocol deadlock freedomVerifiedinteraction.qnt
Operation-scoped and journal consistency modelVerifiedjournal/core.qnt, journal/anti_entropy.qnt, consensus/core.qnt
Runtime conformance against formal artifactsConformance-backedITF trace replay, Telltale parity, conformance fixtures
Onion accountability witness return and verificationConformance-backedSimulator Telltale parity and reply_block_accountability control-plane scenarios
Hold availability and custody-failure boundariesConformance-backedcrates/aura-simulator/tests/adaptive_privacy_phase_six.rs, weak-connectivity and sparse-sync Hold scenarios
Failure-class boundaries and local-only failureSpecified onlyNo direct proof or conformance mapping recorded here
Error-channel privacy requirementsSpecified onlyNo direct proof or conformance mapping recorded here

CI Verification Gates

Automated verification lanes wired into CI pipelines.

Core Verification

GateCommandPurpose
Property Monitorjust ci-property-monitorRuntime property assertion monitoring
Simulator Telltale Parityjust ci-simulator-telltale-parityArtifact-driven telltale vs Aura simulator differential comparison
Choreography Parityjust ci-choreo-paritySession type projection consistency
Quint Typecheckjust ci-quint-typecheckQuint specification type safety

Conformance Gates

GateCommandPurpose
Conformance Policyjust ci-conformance-policyPolicy rule validation
Conformance Contractsjust ci-conformance-contractsContract satisfaction checks

Formal Methods

GateCommandPurpose
Lean Buildjust ci-lean-buildCompile Lean proofs
Lean Completenessjust ci-lean-check-sorryCheck for incomplete proofs (sorry)
Telltale Bridgejust ci-telltale-bridgeCross-validation between Lean and Quint
Kani BMCjust ci-kaniBounded model checking for unsafe code

CI Artifacts

Conformance artifacts upload to CI for failure triage:

artifacts/conformance/
├── native_coop/
│   └── scenario_seed_artifact.json
├── wasm_coop/
│   └── scenario_seed_artifact.json
└── diff_report.json

The diff report highlights specific mismatches for investigation.

Telltale parity and bridge lanes emit additional artifacts:

artifacts/telltale-parity/
└── report.json

artifacts/telltale-bridge/
├── bridge.log
├── bridge_discrepancy_report.json
└── report.json

artifacts/telltale-parity/report.json uses schema aura.telltale-parity.report.v1. artifacts/telltale-bridge/bridge_discrepancy_report.json uses schema aura.telltale-bridge.discrepancy.v1.

Bridge Pipeline Fixtures

aura-quint bridge pipeline checks use deterministic fixture inputs:

FixturePurpose
positive_bundle.jsonExpected consistent cross-validation outcome
negative_bundle.jsonExpected discrepancy detection outcome
quint_ir_fixture.jsonExport/import pipeline coverage for Quint IR

Fixtures live in crates/aura-quint/tests/fixtures/bridge/.