Formal methods are only useful if you know where the proofs end. dafny-replay proves correctness for its verified transition logic, but that logic runs inside larger systems — JavaScript runtimes, databases, networks — that are not modeled. This document draws the line precisely so you can reason about your application’s trust boundary with confidence. Throughout this document:Documentation Index
Fetch the complete documentation index at: https://mintlify.com/metareflection/dafny-replay/llms.txt
Use this file to discover all available pages before exploring further.
- Verified means proved in Dafny.
- Assumed / obligated means must be proved by each concrete domain to instantiate a kernel.
- Trusted (integration boundary) means not modeled or proved, even though verified code may execute inside it.
Notation
| Symbol | Meaning |
|---|---|
Model, Action | Vary by domain |
Inv : Model → bool | Domain invariant |
Init : () → Model | Initial state constructor |
Ok(_) / Err(_) | Result constructors |
History | { past, present, future } |
ServerState | { version, present } |
How to read the guarantees
For each kernel, this document lists:- Domain obligations — properties that each concrete domain must prove to use the kernel.
- Kernel theorems — properties proved once by the generic kernel, assuming the obligations.
- Integration boundary (trusted) — system-level behavior that is not modeled or proved.
Replay kernel
State space:History over Model
Domain obligations
Each domain must prove:- (R1)
Inv(Init()) - (R2)
Inv(m) ⇒ Inv(Normalize(Apply(m, a)))
Kernel theorems
Assuming (R1–R2):- (RK1) For all reachable histories
h,Inv(Present(h))holds. - (RK2)
Do,Undo, andRedopreserveInvon the present state.
Integration boundary (trusted)
- JavaScript runtime and Dafny → JS compilation
- UI wiring and rendering
- Persistence, serialization, and I/O
Authority kernel
State space:ServerState = { version, present }
Domain obligations
Each domain must prove:- (A1)
Inv(Init()) - (A2)
Inv(m) ∧ TryStep(m, a) = Ok(m′) ⇒ Inv(m′)
Kernel theorems
Assuming (A1–A2):- (AK1) For any protocol trace (arbitrary client behavior), the authoritative server state always satisfies
Inv. - (AK2) Rejected requests leave server state unchanged.
Integration boundary (trusted)
- Networking, authentication, authorization
- Database persistence
- Concurrency beyond the modeled protocol
- JS/edge wiring
Multi-Collaboration kernel
State space: server-authoritative model + operation log + client stateDomain obligations
Each domain must provide and prove:- (MC1)
Inv(Init()) - (MC2)
Inv(m) ∧ TryStep(m, a) = Ok(m′) ⇒ Inv(m′) - (MC3) Total rebasing and candidate interface:
Rebase,Candidates,Explains,CandidatesComplete
Kernel theorems
Assuming (MC1–MC3):- (MCK1) Safety: all accepted server states satisfy
Inv. - (MCK2) Intent-relative minimal rejection: if a request is rejected, then there exists no action
aGoodsuch thatExplains(rebased, aGood)andTryStep(present, aGood) = Ok(_).
The MCK2 guarantee is relative to the domain-defined intent envelope (
Explains). The domain chooses what “meaning-preserving” means; the kernel guarantees rejection only when the entire envelope fails.Integration boundary (trusted)
- Ordering and delivery of realtime updates
- Database atomicity and transactions
- Edge/server orchestration around verified transitions
- Liveness beyond the modeled protocol
Effect State Machine
State space:EffectState = { network, mode, client, serverVersion }
Assumptions
- The embedded
clientcomponent itself satisfies the obligations of the client protocol kernel it instantiates.
Kernel theorems
- (ESM1)
StepPreservesInv— all effect-state transitions preserve the invariant. - (ESM2) Bounded retries (
RetriesAreBounded) — retries never exceedMaxRetries. - (ESM3) FIFO processing — pending actions are processed in order; only the first can leave.
- (ESM4) Pending preservation —
pending' == pendingorpending' == pending[1..].
System-level properties (proved)
| Property | Meaning |
|---|---|
NoSilentDataLoss | Every action in pending either stays in pending or is explicitly accepted/rejected |
UserActionEntersPending | User actions are guaranteed to enter the pending queue |
FIFOProcessing | Actions are processed in submission order |
OnlineIdlePendingMakesProgress | System makes progress when online with pending actions |
Integration boundary (trusted)
- Mapping browser/network events to effect-machine events
- Actual I/O execution of commands
- End-to-end liveness assumptions
Multi-Project kernel
State space: multi-project model + per-project client state + effect orchestrationDomain obligations
Each concrete multi-project domain must prove:Kernel theorems
Assuming the obligation above:- (MPK1) All effect-state invariants proved for the single-project Effect State Machine lift to the multi-project setting.
- (MPK2) Pending preservation across projects — pending actions are never silently lost; accept/reject removes exactly one action; conflicts preserve pending exactly.
- (MPK3) Bounded retries and mode consistency.
Integration boundary (trusted)
- Atomic application of verified multi-project transitions to storage
- Realtime skew (partial arrival of multi-project updates)
- Edge-function orchestration around verified transitions
- Semantics of
TouchedProjectsbeyond what is proved in the concrete domain
Domain- and application-level guarantees
Kernels are generic: they prove how invariants are preserved. Concrete domains determine what invariants mean by discharging the kernel obligations.| Domain / App | Primary invariants proved by the domain | Kernels lifting these invariants |
|---|---|---|
| Counter | Non-negativity (m ≥ 0) | Replay, Authority |
| Kanban | Exact card partition (no duplication or loss); per-column WIP limits | Replay, Multi-Collaboration, Effect State Machine |
| Canon | Referential integrity of nodes/edges/constraints; allocator freshness | Replay |
| ColorWheel | Mood bounds (S/L ranges); harmony coherence; graceful degradation to Custom | Replay |
| ClearSplit | Conservation of money (sum of balances = 0); delta laws for expenses and settlements | Replay, Multi-Collaboration, Effect State Machine |
| Delegation Auth | Referential integrity of grants/delegations; freshness of delegation IDs | Replay |
| CollabTodo | Exact task partition; unique list names; membership constraints; referential integrity; soft-delete semantics | Multi-Project, Effect State Machine |
How to interpret these guarantees
This document draws a precise boundary around what is proved and what is not. What is claimed:If a concrete domain discharges the stated obligations, then all kernel theorems apply to the Dafny-generated transition logic, independent of where that logic executes (CLI, browser, server, or edge function).In particular:
- Invariants proved at the domain level are preserved by kernel transitions.
- Protocol and effect-machine properties hold for the verified state machines.
- Rejection and retry guarantees are exactly those stated by the kernels.
- That the entire application or deployment is verified end-to-end.
- That networking, databases, realtime delivery, or authentication are correct.
- That the specifications themselves are complete or free of modeling error.
Domain obligations guide
Step-by-step walkthrough of writing and discharging domain obligations.
Type mappings reference
Complete Dafny-to-JavaScript type conversion reference with code examples.