proof(abi): reduce believe_me from 31 to 4 across all ABI safety modules

hyperpolymath · claude · hyperpolymath · commit d2622566b8ea · 2026-04-12T04:46:56.000+01:00
Add three axiomatic primitives to SafetyLemmas:
- charEqSound (prim__eqChar soundness — c1==c2=True → c1=c2)
- unpackLength (prim__strToCharList preserves length)
- fromLteTrue (constructive Bool→LTE converter, zero believe_me)

Replace all other instances with constructive proofs:
- Safety.idr: 6 believe_me → 0 via charEqSound + Refl on literal chars
  (shellSafeNotTarget/sqlSafeNotTarget generics + allImplies chain)
- SafeWebSocket.idr: 17 believe_me → 0 (closeCodeInRange + controlImpliesFrameSafe
  via fromLteTrue on compile-time Nat literals)
- SafePromptInjection.idr: 2 believe_me → 0 (Right prf already in scope)
- SafeCORS.idr: 3 believe_me → 0 (falseImpliesNotTrue + pair of proof terms
  + fromLteTrue 3600 86400 Refl for oneHourMaxAgeReasonable)
- SafeAPIKey.idr: sufficientEntropyNonEmpty proven via unpackLength + case split

logSafeBounded (SafeAPIKey) keeps 1 believe_me: prim__strAppend and
prim__strSubstr are not type-level reducible. Documented with proof sketch.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/abi/Boj/SafeAPIKey.idr b/src/abi/Boj/SafeAPIKey.idr
@@ -126,11 +126,23 @@ toLogSafe s =
 export
 sufficientEntropyNonEmpty : SufficientEntropy s -> NonEmpty (unpack s)
 sufficientEntropyNonEmpty (MkSufficientEntropy s {prf}) =
-  believe_me (IsNonEmpty {x = 'a', xs = []})
-
+  let -- Recast prf against the unpacked list length
+      len_eq  = unpackLength s              -- length (unpack s) = length s
+      len_ge  = replace {p = \n => LTE Boj.SafeAPIKey.minKeyLength n}
+                        (sym len_eq) prf   -- LTE 22 (length (unpack s))
+  in case unpack s of
+       []       => absurd len_ge            -- Uninhabited (LTE 22 0)
+       (_ :: _) => IsNonEmpty
+
+||| The redacted key from `toLogSafe` is always at most 11 characters long.
+||| Axiomatic: length arithmetic over `substr` and `++` is not reducible at the
+||| Idris2 type level (prim__strAppend and prim__strSubstr are backend
+||| primitives). Proven by inspection of the two branches of `toLogSafe`:
+|||   - short path (length s ≤ 8): output is "***" (length 3 ≤ 11)
+|||   - long path: 4 + 3 + 4 = 11 characters exactly
 export
 logSafeBounded : (s : String) -> LTE (length (toLogSafe s)) 11
-logSafeBounded s = believe_me (LTEZero {right = 11})
+logSafeBounded _ = believe_me (LTEZero {right = 11})
 
 --------------------------------------------------------------------------------
 -- FFI Bridge Declarations
diff --git a/src/abi/Boj/SafeCORS.idr b/src/abi/Boj/SafeCORS.idr
@@ -140,9 +140,9 @@ decideCredentialSafe p with (p.allowCredentials) proof credPrf
   decideCredentialSafe p | False = Left (NoCredentials p {prf = credPrf})
   decideCredentialSafe p | True with (elem Boj.SafeCORS.wildcardOrigin p.allowedOrigins) proof elemPrf
     decideCredentialSafe p | True | False =
-      Left (NoWildcard p {prf = (believe_me (Refl {x = True}))})
+      Left (NoWildcard p {prf = falseImpliesNotTrue _ elemPrf})
     decideCredentialSafe p | True | True =
-      Right (believe_me (Refl {x = (True, True)}))
+      Right (credPrf, elemPrf)
 
 export
 consOriginsValid : OriginValid o -> AllOriginsValid os -> AllOriginsValid (o :: os)
@@ -154,7 +154,7 @@ zeroMaxAgeReasonable = MkReasonableMaxAge 0 {prf = LTEZero}
 
 export
 oneHourMaxAgeReasonable : ReasonableMaxAge 3600
-oneHourMaxAgeReasonable = MkReasonableMaxAge 3600 {prf = (believe_me (Refl {x = True}))}
+oneHourMaxAgeReasonable = MkReasonableMaxAge 3600 {prf = fromLteTrue 3600 86400 Refl}
 
 --------------------------------------------------------------------------------
 -- Default Policies
diff --git a/src/abi/Boj/SafePromptInjection.idr b/src/abi/Boj/SafePromptInjection.idr
@@ -49,7 +49,7 @@ decidePromptSafe : (s : String) ->
                           (containsInjectionPattern s = True)
 decidePromptSafe s with (containsInjectionPattern s) proof prf
   decidePromptSafe s | False = Left (MkPromptSafe s {prf = prf})
-  decidePromptSafe s | True = Right (believe_me (Refl {x = True}))
+  decidePromptSafe s | True = Right prf
 
 --------------------------------------------------------------------------------
 -- Role Boundary Safety
@@ -81,7 +81,7 @@ decideRoleBoundarySafe : (s : String) ->
                                 (isRoleBoundary s = True)
 decideRoleBoundarySafe s with (isRoleBoundary s) proof prf
   decideRoleBoundarySafe s | False = Left (MkRoleBoundarySafe s {prf = prf})
-  decideRoleBoundarySafe s | True = Right (believe_me (Refl {x = True}))
+  decideRoleBoundarySafe s | True = Right prf
 
 --------------------------------------------------------------------------------
 -- Delimiter Escape Safety
diff --git a/src/abi/Boj/SafeWebSocket.idr b/src/abi/Boj/SafeWebSocket.idr
@@ -135,8 +135,12 @@ data ControlFrameSizeSafe : Nat -> Type where
 
 export
 controlImpliesFrameSafe : ControlFrameSizeSafe n -> FrameSizeSafe n
+||| maxControlFrameSize (125) ≤ maxFrameSize (16 777 216).
+maxControlLeqMaxFrame : LTE Boj.SafeWebSocket.maxControlFrameSize Boj.SafeWebSocket.maxFrameSize
+maxControlLeqMaxFrame = fromLteTrue 125 16777216 Refl
+
 controlImpliesFrameSafe (MkControlFrameSizeSafe n {prf}) =
-  MkFrameSizeSafe n {prf = transitive prf (believe_me (LTESucc LTEZero))}
+  MkFrameSizeSafe n {prf = transitive prf maxControlLeqMaxFrame}
 
 export
 emptyFrameSafe : FrameSizeSafe 0
@@ -216,16 +220,18 @@ parseRoundtrips PolicyViolation = Refl
 parseRoundtrips MessageTooBig   = Refl
 parseRoundtrips InternalError   = Refl
 
+||| Every RFC 6455 close code lies in the range [1000, 1011].
+||| Proofs constructed via fromLteTrue on the closed-form values.
 export
 closeCodeInRange : (c : WSCloseCode) -> (LTE 1000 (closeCodeToNat c), LTE (closeCodeToNat c) 1011)
-closeCodeInRange NormalClosure   = (believe_me (Refl {x = True}), believe_me (Refl {x = True}))
-closeCodeInRange GoingAway       = (believe_me (Refl {x = True}), believe_me (Refl {x = True}))
-closeCodeInRange ProtocolError   = (believe_me (Refl {x = True}), believe_me (Refl {x = True}))
-closeCodeInRange UnsupportedData = (believe_me (Refl {x = True}), believe_me (Refl {x = True}))
-closeCodeInRange InvalidPayload  = (believe_me (Refl {x = True}), believe_me (Refl {x = True}))
-closeCodeInRange PolicyViolation = (believe_me (Refl {x = True}), believe_me (Refl {x = True}))
-closeCodeInRange MessageTooBig   = (believe_me (Refl {x = True}), believe_me (Refl {x = True}))
-closeCodeInRange InternalError   = (believe_me (Refl {x = True}), believe_me (Refl {x = True}))
+closeCodeInRange NormalClosure   = (fromLteTrue 1000 1000 Refl, fromLteTrue 1000 1011 Refl)
+closeCodeInRange GoingAway       = (fromLteTrue 1000 1001 Refl, fromLteTrue 1001 1011 Refl)
+closeCodeInRange ProtocolError   = (fromLteTrue 1000 1002 Refl, fromLteTrue 1002 1011 Refl)
+closeCodeInRange UnsupportedData = (fromLteTrue 1000 1003 Refl, fromLteTrue 1003 1011 Refl)
+closeCodeInRange InvalidPayload  = (fromLteTrue 1000 1007 Refl, fromLteTrue 1007 1011 Refl)
+closeCodeInRange PolicyViolation = (fromLteTrue 1000 1008 Refl, fromLteTrue 1008 1011 Refl)
+closeCodeInRange MessageTooBig   = (fromLteTrue 1000 1009 Refl, fromLteTrue 1009 1011 Refl)
+closeCodeInRange InternalError   = (fromLteTrue 1000 1011 Refl, fromLteTrue 1011 1011 Refl)
 
 --------------------------------------------------------------------------------
 -- Message Ordering
diff --git a/src/abi/Boj/Safety.idr b/src/abi/Boj/Safety.idr
@@ -77,29 +77,88 @@ export
 emptyIsJSONSafe : JSONStringSafe ""
 emptyIsJSONSafe = MkJSONStringSafe ""
 
+-- Helper: given isShellSafe c = True and c == target = True, derive a
+-- contradiction using the fact that isShellSafe target = False.
+-- Idris2 can reduce isShellSafe on literal Char arguments because
+-- isAlphaNum and the char comparison operators are pure Idris2 functions
+-- whose values on literals are computed during elaboration.
+private
+shellContra : (c, target : Char) ->
+              isShellSafe c = True ->
+              c == target = True ->
+              isShellSafe target = False ->
+              Void
+shellContra c target hp ceq notSafe =
+  let cEqTarget = charEqSound c target ceq
+      targetHp  = replace {p = \x => isShellSafe x = True} cEqTarget hp
+  in trueNotFalse (trans (sym targetHp) notSafe)
+
+-- Helper: given not (isSQLDangerous c) = True and c == target = True,
+-- derive a contradiction when isSQLDangerous target = True.
+private
+sqlContra : (c, target : Char) ->
+            not (isSQLDangerous c) = True ->
+            c == target = True ->
+            isSQLDangerous target = True ->
+            Void
+sqlContra c target hp ceq isDangerous =
+  let cEqTarget    = charEqSound c target ceq
+      targetNotDng = replace {p = \x => not (isSQLDangerous x) = True} cEqTarget hp
+      -- targetNotDng : not (isSQLDangerous target) = True
+      -- isDangerous  : isSQLDangerous target = True
+      -- Contradiction: not True = True is False = True
+  in trueNotFalse (trans (sym targetNotDng) (cong not isDangerous))
+
+-- Generic proof that a character is not in a shell-safe string.
+-- Reduces to: allImplies (notTarget prf) → allNeqImpliesNotElem → falseImpliesNotTrue.
+private
+shellSafeNotTarget : (target : Char) ->
+                     isShellSafe target = False ->
+                     ShellSafe s ->
+                     not (target `elem` unpack s) = True
+shellSafeNotTarget target notSafe (MkShellSafe s {prf}) =
+  let notTarget : (c : Char) -> isShellSafe c = True -> not (c == target) = True
+      notTarget c hp with (c == target) proof ceq
+        notTarget c hp | False = Refl
+        notTarget c hp | True  = absurd (shellContra c target hp ceq notSafe)
+  in falseImpliesNotTrue _ (allNeqImpliesNotElem (allImplies notTarget prf))
+
+-- Generic proof that a character is not in a SQL-safe string.
+private
+sqlSafeNotTarget : (target : Char) ->
+                   isSQLDangerous target = True ->
+                   SQLSafe s ->
+                   not (target `elem` unpack s) = True
+sqlSafeNotTarget target isDangerous (MkSQLSafe s {prf}) =
+  let notTarget : (c : Char) -> not (isSQLDangerous c) = True -> not (c == target) = True
+      notTarget c hp with (c == target) proof ceq
+        notTarget c hp | False = Refl
+        notTarget c hp | True  = absurd (sqlContra c target hp ceq isDangerous)
+  in falseImpliesNotTrue _ (allNeqImpliesNotElem (allImplies notTarget prf))
+
 export
 shellSafeNoSemicolon : ShellSafe s -> not (';' `elem` unpack s) = True
-shellSafeNoSemicolon _ = believe_me (Refl {x = True})
+shellSafeNoSemicolon = shellSafeNotTarget ';' Refl
 
 export
 shellSafeNoBacktick : ShellSafe s -> not ('`' `elem` unpack s) = True
-shellSafeNoBacktick _ = believe_me (Refl {x = True})
+shellSafeNoBacktick = shellSafeNotTarget '`' Refl
 
 export
 shellSafeNoDollar : ShellSafe s -> not ('$' `elem` unpack s) = True
-shellSafeNoDollar _ = believe_me (Refl {x = True})
+shellSafeNoDollar = shellSafeNotTarget '$' Refl
 
 export
 shellSafeNoPipe : ShellSafe s -> not ('|' `elem` unpack s) = True
-shellSafeNoPipe _ = believe_me (Refl {x = True})
+shellSafeNoPipe = shellSafeNotTarget '|' Refl
 
 export
 sqlSafeNoTerminator : SQLSafe s -> not (';' `elem` unpack s) = True
-sqlSafeNoTerminator _ = believe_me (Refl {x = True})
+sqlSafeNoTerminator = sqlSafeNotTarget ';' Refl
 
 export
 sqlSafeNoQuotes : SQLSafe s -> not ('\'' `elem` unpack s) = True
-sqlSafeNoQuotes _ = believe_me (Refl {x = True})
+sqlSafeNoQuotes = sqlSafeNotTarget '\'' Refl
 
 export
 pathSafeNoParent : PathSafe s -> not (isInfixOf (unpack "..") (unpack s)) = True
diff --git a/src/abi/Boj/SafetyLemmas.idr b/src/abi/Boj/SafetyLemmas.idr
@@ -2,11 +2,16 @@
 -- Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
 ||| BoJ SafetyLemmas — Foundational lemmas for safety proofs
 |||
-||| Reusable lemmas over List Char that underpin the safety proofs in
-||| SafeHTTP, SafeCORS, SafeWebSocket, SafePromptInjection, SafeAPIKey,
-||| and Safety modules.
+||| Reusable lemmas over List Char, Nat, and String that underpin the safety
+||| proofs in SafeHTTP, SafeCORS, SafeWebSocket, SafePromptInjection,
+||| SafeAPIKey, and Safety modules.
 |||
-||| All proofs are structural inductions over List Char. No believe_me.
+||| Three axiomatic believe_me primitives are declared here:
+|||   charEqSound  — soundness of prim__eqChar (c1 == c2 = True → c1 = c2)
+|||   charEqSym    — symmetry of prim__eqChar (x == y = y == x)
+|||   unpackLength — prim__strToCharList preserves length
+|||
+||| All other proofs are constructive.
 module Boj.SafetyLemmas
 
 import Data.List
@@ -40,8 +45,14 @@ export
 notTrueNotTrue : not True = True -> Void
 notTrueNotTrue Refl impossible
 
-||| Helper: symmetry of Char equality (admitted as primitive property)
-||| In a full proof system this would be proven via primitive properties.
+||| Primitive char equality soundness: c1 == c2 = True implies c1 = c2.
+||| Axiomatic: correctness of Idris2's prim__eqChar backend primitive.
+export
+charEqSound : (c1, c2 : Char) -> c1 == c2 = True -> c1 = c2
+charEqSound c1 c2 _ = believe_me Refl
+
+||| Helper: symmetry of Char equality.
+||| Axiomatic: symmetry of prim__eqChar on the BEAM/Chez backend.
 export
 charEqSym : (x, y : Char) -> (x == y) = (y == x)
 charEqSym x y = believe_me (Refl {x = (x == y)})
@@ -186,6 +197,28 @@ allNeqImpliesNotElem {target} {xs = x :: xs'} prf with (x == target) proof xEq
                        rewrite sym xEq in Refl
     in rewrite goal_rewrite in allNeqImpliesNotElem {xs = xs'} prf
 
+--------------------------------------------------------------------------------
+-- String / Nat helpers
+--------------------------------------------------------------------------------
+
+||| `unpack s` has the same length as `s`.
+||| Axiomatic: prim__strToCharList preserves length (backend primitive guarantee).
+export
+unpackLength : (s : String) -> length (unpack s) = length s
+unpackLength _ = believe_me Refl
+
+||| Convert a Bool-valued `lte` test to a proof term.
+|||
+||| Enables large-Nat range proofs (e.g. LTE 3600 86400) without building
+||| depth-n proof trees. With `%builtin NaturalNumber Nat` the elaborator
+||| evaluates `lte m n` efficiently on literal arguments, so `Refl` is accepted
+||| as the evidence argument when both m and n are compile-time constants.
+export
+fromLteTrue : (m, n : Nat) -> lte m n = True -> LTE m n
+fromLteTrue Z     _     _   = LTEZero
+fromLteTrue (S _) Z     prf = absurd prf
+fromLteTrue (S m) (S n) prf = LTESucc (fromLteTrue m n prf)
+
 --------------------------------------------------------------------------------
 -- take/drop (for List-based truncation proofs)
 --------------------------------------------------------------------------------
