{ "capsule_hash": "03aba488bc8360fb510ced3396ca2ef1e1e71d56e0ea172fe0b70790ba9f27dc", "diagnostics": [], "module": "examples.change_approval", "obligations": [ { "description": "Initial state, transition targets, event names, guards, assignments, and declared effects are checked for the implemented machine subset.", "evidence": { "events": [ "SubmitChange", "RiskReviewed", "SecurityApprove", "ManagerApprove", "Reject", "Deploy", "Rollback" ], "initial": "idle", "states": [ "awaiting_approvals", "awaiting_risk_review", "deployed", "idle", "ready_to_deploy", "rejected", "rolled_back" ] }, "id": "ChangeApproval.stategraph", "kind": "stategraph-wellformedness", "status": "checked-for-current-subset", "subject": "ChangeApproval", "target": "checker" }, { "description": "Prove that the generated finite-state model starts in the checked initial state.", "evidence": { "initial": "idle" }, "id": "ChangeApproval.initial-state", "kind": "machine-invariant", "status": "open", "subject": "ChangeApproval", "target": "lean4" }, { "description": "Replay through the reference machine interpreter must reconstruct this transition deterministically from the event stream.", "evidence": { "effects": [ { "args": [ "operational.change_requests" ], "name": "db.write" }, { "args": [ "security_reviewer.review_change" ], "name": "a2a.task" }, { "args": [ "change_status" ], "name": "a2ui.emit" } ], "event": "SubmitChange", "target": "awaiting_risk_review" }, "id": "ChangeApproval.idle.transition.0", "kind": "transition-semantics", "status": "runtime-checkable", "subject": "ChangeApproval.idle", "target": "reference-interpreter-replay" }, { "description": "Replay through the reference machine interpreter must reconstruct this transition deterministically from the event stream.", "evidence": { "effects": [ { "args": [ "operational.change_reviews" ], "name": "db.write" }, { "args": [ "change_approval" ], "name": "a2ui.emit" } ], "event": "RiskReviewed", "target": "awaiting_approvals" }, "id": "ChangeApproval.awaiting_risk_review.transition.0", "kind": "transition-semantics", "status": "runtime-checkable", "subject": "ChangeApproval.awaiting_risk_review", "target": "reference-interpreter-replay" }, { "description": "Replay through the reference machine interpreter must reconstruct this transition deterministically from the event stream.", "evidence": { "effects": [ { "args": [ "operational.approvals" ], "name": "db.write" }, { "args": [ "change_approval" ], "name": "a2ui.emit" } ], "event": "SecurityApprove", "target": "awaiting_approvals" }, "id": "ChangeApproval.awaiting_approvals.transition.0", "kind": "transition-semantics", "status": "runtime-checkable", "subject": "ChangeApproval.awaiting_approvals", "target": "reference-interpreter-replay" }, { "description": "Replay through the reference machine interpreter must reconstruct this transition deterministically from the event stream.", "evidence": { "effects": [ { "args": [ "operational.approvals" ], "name": "db.write" }, { "args": [ "change_deployment" ], "name": "a2ui.emit" } ], "event": "ManagerApprove", "target": "ready_to_deploy" }, "id": "ChangeApproval.awaiting_approvals.transition.1", "kind": "transition-semantics", "status": "runtime-checkable", "subject": "ChangeApproval.awaiting_approvals", "target": "reference-interpreter-replay" }, { "description": "Replay through the reference machine interpreter must reconstruct this transition deterministically from the event stream.", "evidence": { "effects": [ { "args": [ "operational.approvals" ], "name": "db.write" }, { "args": [ "change_status" ], "name": "a2ui.emit" } ], "event": "Reject", "target": "rejected" }, "id": "ChangeApproval.awaiting_approvals.transition.2", "kind": "transition-semantics", "status": "runtime-checkable", "subject": "ChangeApproval.awaiting_approvals", "target": "reference-interpreter-replay" }, { "description": "Replay through the reference machine interpreter must reconstruct this transition deterministically from the event stream.", "evidence": { "effects": [ { "args": [ "operational.deployments" ], "name": "db.write" }, { "args": [ "ci.deploy" ], "name": "mcp.call" }, { "args": [ "change_deployment" ], "name": "a2ui.emit" } ], "event": "Deploy", "target": "deployed" }, "id": "ChangeApproval.ready_to_deploy.transition.0", "kind": "transition-semantics", "status": "runtime-checkable", "subject": "ChangeApproval.ready_to_deploy", "target": "reference-interpreter-replay" }, { "description": "Replay through the reference machine interpreter must reconstruct this transition deterministically from the event stream.", "evidence": { "effects": [ { "args": [ "operational.approvals" ], "name": "db.write" }, { "args": [ "change_status" ], "name": "a2ui.emit" } ], "event": "Reject", "target": "rejected" }, "id": "ChangeApproval.ready_to_deploy.transition.1", "kind": "transition-semantics", "status": "runtime-checkable", "subject": "ChangeApproval.ready_to_deploy", "target": "reference-interpreter-replay" }, { "description": "Replay through the reference machine interpreter must reconstruct this transition deterministically from the event stream.", "evidence": { "effects": [ { "args": [ "operational.deployments" ], "name": "db.write" }, { "args": [ "ci.rollback" ], "name": "mcp.call" }, { "args": [ "change_deployment" ], "name": "a2ui.emit" } ], "event": "Rollback", "target": "rolled_back" }, "id": "ChangeApproval.deployed.transition.0", "kind": "transition-semantics", "status": "runtime-checkable", "subject": "ChangeApproval.deployed", "target": "reference-interpreter-replay" }, { "description": "Prove that the generated finite-state model has no outgoing transitions from this final state.", "evidence": { "state": "rolled_back" }, "id": "ChangeApproval.rolled_back.final-no-outgoing", "kind": "machine-invariant", "status": "open", "subject": "ChangeApproval.rolled_back", "target": "lean4" }, { "description": "Prove that the generated finite-state model has no outgoing transitions from this final state.", "evidence": { "state": "rejected" }, "id": "ChangeApproval.rejected.final-no-outgoing", "kind": "machine-invariant", "status": "open", "subject": "ChangeApproval.rejected", "target": "lean4" }, { "description": "Persisted event streams should replay to the stored snapshots for the same capsule hash.", "evidence": { "event_log": "authoritative", "replay": true, "snapshot": "every-transition", "store": "operational" }, "id": "ChangeApproval.persistence", "kind": "replay-consistency", "status": "runtime-checkable", "subject": "ChangeApproval", "target": "ledger-replay" } ], "recommended_targets": { "lean4": "Use for pure function semantics, invariants, and proof-carrying status.", "smt": "Use for bounded arithmetic/refinement obligations that can be discharged automatically.", "tla_plus": "Use for state-machine liveness/safety exploration when the state space is finite or abstracted." }, "status": "checked", "verification_levels": [ { "level": "V0", "name": "parsed", "status": "passed" }, { "level": "V1", "name": "typed-and-effect-checked", "status": "passed" }, { "level": "V2", "name": "examples-and-replay", "note": "examples and ledger replay are executable checks, not proofs", "status": "available" }, { "level": "V3", "name": "proof-obligations", "status": "generated" }, { "level": "V4", "name": "kernel-checked-proof", "note": "requires Lean 4 or another proof checker to accept generated/completed obligations", "status": "not-yet-proven" }, { "level": "V5", "name": "backend-refinement", "note": "caps refinement-report records evidence and open backend-behavior proof claims", "status": "claim-reporting" } ] }