Theorem Inventory

Every theorem reachable from formal/lean4/Chio/Chio.lean appears below, copied verbatim from formal/theorem-inventory.json. The inventory schema is chio.theorem-inventory.v1. Each row names the Lean identifier, the file it lives in, the claim class, and the property IDs from the proof manifest that it helps discharge.

Reading the claim class

bounded_model means the theorem is over a finite Lean model, not the running Rust binary. aeneas_equivalence means the theorem links the handwritten Lean model to a model extracted from Rust by Aeneas. symbolic_crypto means the theorem is over a symbolic Merkle/sign/verify model rather than the concrete primitive. audited_axiom marks an explicit axiom listed in allowed_axioms.

Axioms

The inventory contains exactly one explicit axiom. It is the signature-verification predicate over the trusted-key set.

ID	Lean name	File	Class
`assumption.crypto.verify_capability_signature`	`Chio.Core.verifyCapabilitySignature`	`formal/lean4/Chio/Chio/Core/Revocation.lean`	audited_axiom

The axiom is the only allowed one. The proof manifest's allowed_axioms list contains exactly this entry. Any new axiom would have to be added there in the same PR or the gate fails.

Capability Algebra Theorems

The capability algebra is the heart of chio's attenuation story. P1 (capability monotonicity) is the headline property: a child capability can only be a subset of its parent, never wider.

ID	Lean name	File	Maps to
`core.scope.empty_isSubsetOf`	`Chio.Core.ChioScope.empty_isSubsetOf`	Core/Scope.lean	P1
`core.tool_grant.isSubsetOf_refl`	`Chio.Core.ToolGrant.isSubsetOf_refl`	Core/Scope.lean	P1
`spec.capability_monotonicity`	`Chio.Spec.capability_monotonicity`	Spec/Properties.lean	P1
`spec.empty_scope_monotonicity`	`Chio.Spec.empty_scope_monotonicity`	Spec/Properties.lean	P1
`spec.scope_budgets_nonnegative`	`Chio.Spec.scope_budgets_nonnegative`	Spec/Properties.lean	P1
`proof.list_isSubsetOf_trans`	`Chio.Proofs.list_isSubsetOf_trans`	Proofs/Monotonicity.lean	P1
`proof.scope_subset_of_grants_subset`	`Chio.Proofs.scope_subset_of_grants_subset`	Proofs/Monotonicity.lean	P1
`proof.wildcard_subsumes`	`Chio.Proofs.wildcard_subsumes`	Proofs/Monotonicity.lean	P1
`proof.reduced_budget_is_subset`	`Chio.Proofs.reduced_budget_is_subset`	Proofs/Monotonicity.lean	P1
`proof.added_constraint_is_subset`	`Chio.Proofs.added_constraint_is_subset`	Proofs/Monotonicity.lean	P1
`proof.delegation_chain_integrity`	`Chio.Proofs.delegation_chain_integrity`	Proofs/Monotonicity.lean	P5

The headline theorem statement is short. Verbatim from Spec/Properties.lean:

formal/lean4/Chio/Chio/Spec/Properties.lean

/-- P1: Capability monotonicity -- if a child scope is a subset of a parent
    scope, then every grant in the child is covered by some grant in the
    parent.

    This is the core Chio safety property: delegation can only attenuate,
    never amplify. -/
theorem capability_monotonicity (parent child : ChioScope)
    (h : child.isSubsetOf parent = true) :
    forall g, g in child.grants ->
      exists pg, pg in parent.grants /\ g.isSubsetOf pg = true := by
  intro g h_mem
  unfold ChioScope.isSubsetOf at h
  exact List.any_eq_true.mp (List.all_eq_true.mp h g h_mem)

P1: capability_monotonicity in this catalog

P1 says a child capability's bounds are tighter than its parent's; delegation attenuates and never amplifies. This catalog records P1 in fourteen rows spread across four files. The headline row is spec.capability_monotonicity; every other P1 row either supports it (subset transitivity, wildcard subsumption, budget tightening, added constraints) or pins a corner case (empty scope, reflexivity, non-negative budgets). Verbatim from formal/theorem-inventory.json:

formal/theorem-inventory.json

{
  "id": "spec.capability_monotonicity",
  "leanName": "Chio.Spec.capability_monotonicity",
  "file": "formal/lean4/Chio/Chio/Spec/Properties.lean",
  "kind": "theorem",
  "rootImported": true,
  "claimClass": "bounded_model",
  "mapsTo": ["P1"],
  "notes": "Primary attenuation theorem over ChioScope grants only; no Rust refinement proof yet."
}

Field by field:

id · stable inventory ID. The gate scripts/check-formal-proofs.sh fails if any ID is renamed without an accompanying entry change.
leanName · the fully qualified Lean identifier. The gate elaborates the root module and asserts this name resolves.
file · path relative to the repo root. P1 sits under Spec/ rather than Proofs/ because the theorem statement is the Chio spec, not a derived helper.
rootImported · true means the gate checks the import graph closure from Chio.lean reaches this file. A theorem that elaborates but is not root-imported fails the gate.
claimClass · bounded_model. The theorem reasons about the Lean ChioScope definition, not the Rust binary. The Aeneas equivalence theorem aeneas_optionalCapIsSubset_preserves_parent_cap (also tagged P1) is what ties the bounded model to the executable code.
mapsTo · the property IDs from the proof manifest this row helps discharge. P1 is the only one here.

Continue the tour at Lean 4 Proofs: P1 the canonical proof or jump back to the P1 Tour.

Revocation Theorems

Revocation surfaces in two places: the bounded revocation-store model, and the projected snapshot used by the evaluator.

ID	File	Maps to
`proof.revoke_marks_capability_revoked`	Proofs/Revocation.lean	P2
`proof.revoke_preserves_existing_revocation`	Proofs/Revocation.lean	P2
`proof.checkRevocation_revoked_token_errors`	Proofs/Revocation.lean	P2
`proof.checkRevocation_revoked_ancestor_never_ok`	Proofs/Revocation.lean	P2
`proof.checkRevocation_ok_implies_not_revoked`	Proofs/Revocation.lean	P2
`proof.revocationSnapshot_revoked_token_denies`	Proofs/Protocol.lean	P2, P3
`proof.revocationSnapshot_revoked_ancestor_denies`	Proofs/Protocol.lean	P2, P3

Evaluation Theorems

The bounded evaluator covers signature, time, scope, and revocation checks. P3 is the master fail-closed property.

ID	File	Maps to
`proof.evalToolCall_total`	Proofs/Evaluation.lean	P3
`proof.evalToolCall_invalid_signature_denies`	Proofs/Evaluation.lean	P3
`proof.evalToolCall_not_yet_valid_denies`	Proofs/Evaluation.lean	P3
`proof.evalToolCall_expired_denies`	Proofs/Evaluation.lean	P3
`proof.evalToolCall_revoked_token_never_allows`	Proofs/Evaluation.lean	P2, P3
`proof.evalToolCall_revoked_ancestor_never_allows`	Proofs/Evaluation.lean	P2, P3
`proof.evalToolCall_out_of_scope_denies`	Proofs/Evaluation.lean	P3
`proof.evalToolCall_all_checks_pass_allow`	Proofs/Evaluation.lean	P3

Receipt Theorems

Receipt theorems live across two files. The Merkle and signing theorems are in Proofs/Receipt.lean; the field-coupling theorem is in Proofs/Protocol.lean.

ID	File	Class	Maps to
`proof.applyProof_append`	Proofs/Receipt.lean	symbolic_crypto	P4
`proof.membership_proof_sound`	Proofs/Receipt.lean	symbolic_crypto	P4
`proof.membership_proof_verifies`	Proofs/Receipt.lean	symbolic_crypto	P4
`proof.checkpoint_consistency`	Proofs/Receipt.lean	symbolic_crypto	P4
`proof.receipt_sign_then_verify`	Proofs/Receipt.lean	symbolic_crypto	P4
`proof.receipt_immutability`	Proofs/Receipt.lean	symbolic_crypto	P4
`proof.receiptFieldsCoupled_preserves_all_fields`	Proofs/Protocol.lean	bounded_model	P4

Protocol-Layer Theorems

Theorems in Proofs/Protocol.lean and Proofs/FormalClosure.lean cover guard-pipeline composition, DPoP nonce admission, budget commits, governed approvals, session continuity, lineage soundness, registry behavior, path-prefix safety, and report truthfulness.

ID	File	Maps to
`proof.admitSession_invalid_dpop_rejects`	Proofs/Protocol.lean	P3, P8
`proof.admitSession_invalid_anchor_rejects`	Proofs/Protocol.lean	P3, P8
`proof.budgetPrecheck_commit_preserves_bounds`	Proofs/Protocol.lean	P3
`proof.budgetCommit_none_when_precheck_fails`	Proofs/Protocol.lean	P3
`proof.budgetTwoCommit_preserves_bounds`	Proofs/Protocol.lean	P3
`proof.clusterOverrun_bound_is_explicit`	Proofs/Protocol.lean	P3
`proof.governedApproval_required_without_token_fails`	Proofs/Protocol.lean	P3
`proof.governedApproval_valid_token_passes`	Proofs/Protocol.lean	P3
`proof.dpop_required_missing_proof_rejects`	Proofs/Protocol.lean	P3, P8
`proof.dpop_required_invalid_proof_rejects`	Proofs/Protocol.lean	P3, P8
`proof.dpop_reused_nonce_rejects`	Proofs/Protocol.lean	P8
`proof.guardPipeline_deny_dominates`	Proofs/Protocol.lean	P3
`proof.guardPipeline_error_dominates`	Proofs/Protocol.lean	P3
`proof.guardPipeline_allow_requires_core_authorized`	Proofs/Protocol.lean	P3
`proof.observed_parent_edge_sound`	Proofs/Protocol.lean	P6
`proof.verified_receipt_lineage_sound`	Proofs/Protocol.lean	P7
`proof.session_continuity_sound`	Proofs/Protocol.lean	P8
`proof.capability_lineage_consistency_sound`	Proofs/Protocol.lean	P9
`proof.report_truthfulness_asserted_not_verified`	Proofs/Protocol.lean	P10
`proof.report_truthfulness_observed_not_verified`	Proofs/Protocol.lean	P10
`proof.registry_publish_requires_valid_signature`	Proofs/Protocol.lean	P10
`proof.registry_resolve_published_valid_record`	Proofs/Protocol.lean	P10
`proof.registry_revoke_deactivates_published_record`	Proofs/Protocol.lean	P10
`proof.delegation_step_allow_requires_attenuation`	Proofs/FormalClosure.lean	P5
`proof.delegation_step_allow_requires_subject_continuity`	Proofs/FormalClosure.lean	P5
`proof.delegation_step_allow_requires_expiry_monotonicity`	Proofs/FormalClosure.lean	P5
`proof.delegation_revoked_ancestor_denies`	Proofs/FormalClosure.lean	P5
`proof.delegation_max_depth_failure_denies`	Proofs/FormalClosure.lean	P3, P5
`proof.dpop_binding_allows_only_when_all_fields_match`	Proofs/FormalClosure.lean	P8
`proof.path_prefix_rejects_sibling_prefix`	Proofs/FormalClosure.lean	P3
`proof.path_prefix_rejects_normalized_traversal_escape`	Proofs/FormalClosure.lean	P3

Aeneas Equivalence Theorems

These theorems live in Proofs/AeneasEquivalence.lean. Each one says: the Aeneas-extracted Lean mirror of a function in crates/chio-kernel-core/src/formal_aeneas.rs is equivalent to the handwritten model the rest of the proofs depend on. The class is aeneas_equivalence.

ID	Maps to
`proof.aeneas_timeWindowValid_equiv_model`	P3
`proof.aeneas_optionalCapIsSubset_preserves_parent_cap`	P1
`proof.aeneas_budgetCommit_equiv_model`	P3
`proof.aeneas_dpopAdmits_equiv_model`	P8
`proof.aeneas_revocationSnapshot_equiv_model`	P2
`proof.aeneas_guardStep_equiv_model`	P3
`proof.aeneas_receiptCoupling_equiv_model`	P4

Proof-to-Rust Mapping

formal/MAPPING.md is the cross-reference from named TLA+ invariants and Kani harnesses to the Rust call sites they constrain. The script scripts/check-mapping.sh greps the source for each name and fails the build if any appear in source but not in the mapping.

TLA+ Invariants

Invariant	Rust path constrained	Assumption discharge
`NoAllowAfterRevoke`	`chio-kernel-core/src/evaluate.rs::evaluate`, `chio-kernel/src/capability_lineage.rs`	`ASSUME-SQLITE-ATOMICITY` (per-row)
`MonotoneLog`	`chio-kernel/src/receipt_store.rs`	`ASSUME-SQLITE-ATOMICITY`; jointly discharges `RETIRED-SQLITE-CROSS-ROW`
`AttenuationPreserving`	`chio-core-types/src/capability.rs` (`ChioScope::is_subset_of`), `chio-kernel-core/src/normalized.rs`	n/a (structural; bounded by `DEPTH_MAX`)
`RevocationEventuallySeen`	`chio-kernel/src/capability_lineage.rs`, `chio-kernel/src/receipt_store.rs`	`ASSUME-PROPAGATE-FAIRNESS` (weak fairness on `PropagateAny`)

Public Kani Harnesses

Source: crates/chio-kernel-core/src/kani_public_harnesses.rs. The mapping script extracts every function name following a #[kani::proof] attribute and asserts each appears in the table below.

Harness	Rust path constrained
`public_verify_capability_rejects_untrusted_issuer_before_signature`	`capability_verify::verify_capability`
`public_normalized_scope_subset_rejects_widened_child`	`NormalizedScope::is_subset_of`
`public_normalized_scope_subset_rejects_value_widened_child`	`NormalizedScope::is_subset_of`
`public_normalized_scope_subset_rejects_identity_mismatch`	`NormalizedScope::is_subset_of`
`public_resolve_matching_grants_rejects_out_of_scope_request`	`scope::resolve_matching_grants`
`public_resolve_matching_grants_preserves_wildcard_matching`	`scope::resolve_matching_grants`
`public_evaluate_rejects_untrusted_issuer_before_dispatch`	`evaluate::evaluate`
`public_sign_receipt_rejects_kernel_key_mismatch_before_signing`	`receipts::sign_receipt`
`public_sign_receipt_accepts_matching_kernel_key`	`receipts::sign_receipt`
`verify_scope_intersection_associative`	`formal_core::optional_u32_cap_is_subset`
`verify_revocation_predicate_idempotent`	`formal_core::revocation_snapshot_denies`
`verify_delegation_chain_step`	`formal_core::*` (one delegation step composition)
`verify_receipt_roundtrip`	`receipts::sign_receipt`, `ChioReceipt::verify_signature`
`verify_budget_checked_add_no_overflow`	`chio_kernel::budget_store::BudgetUsageRecord` (additive cap update)

Status

Every theorem in the inventory above is rootImported: true. That means each one is reachable from the canonical root module formal/lean4/Chio/Chio.lean and the Lean kernel has type-checked it without sorry placeholders. The gate scripts/check-formal-proofs.sh rejects any theorem that drops out of the root import graph or that introduces a sorry.

Bounded models, not Rust

With one exception (the Aeneas equivalence theorems), every theorem here is over a Lean model, not over the running Rust binary. The Aeneas equivalence theorems plus the Kani public harnesses plus the Creusot contracts are what tie the Lean guarantees to executable code. None of these on its own replaces the others.

Aeneas Pipeline · how the equivalence theorems are produced and checked.
Lean 4 Proofs · per-file structure of the proofs in this inventory.
Kani Harnesses · full per-harness inventory with wall clocks.
TLA+ Specs · the four named invariants in detail.