fix(quantity): scaled Let rule + L-to-R eval_list — closes BUG-001/002/003

Two soundness fixes that share a single test infrastructure pass.

BUG-001 (high severity, soundness — ω-let smuggles linear values):
The quantity-checking Let case now implements the QTT-orthodox
scaled Let rule per ADR-002:

  Γ₁ ⊢ e₁ : A    (Γ₂, x:^q A) ⊢ e₂ : B
  ─────────────────────────────────────
       q·Γ₁ + Γ₂ ⊢ let x :^q = e₁ in e₂ : B

Implementation: snapshot the env, walk e1 (which records usages
into the live env), compute the per-variable delta, scale each
delta by q via the new scale_usage helper, restore the snapshot,
and re-apply the scaled deltas as additions. Then walk e2 normally.

The interesting case is q = ω: scale_usage QOmega UOne = UMany,
which causes a linear variable consumed in e1 to be reported as
"used multiple times" once viewed through the @unrestricted binder.
This is what closes BUG-001.

BUG-002 (medium, semantics — :0 lets do not erase their RHS):
Closed transitively by the same scaling code path. scale_usage
QZero _ = UZero, so RHS contributions to outer linear variables
are correctly dropped under @Erased binders. The optional
interpreter-side erasure (skipping eval entirely) is a separate
optimisation, deferred.

BUG-003 (medium, semantics — eval_list right-to-left):
lib/interp.ml eval_list rewritten from List.fold_right (which is
right-to-left under OCaml's strict monadic bind) to an explicit
L-to-R recursive loop with terminal List.rev. Per ADR-003. Brings
ExprApp/ExprTuple/ExprArray/ExprRecord into agreement with
ExprBinary, which was already left-to-right.

Error vocabulary updated: format_quantity_error now speaks
@linear/@erased/@unrestricted regardless of which surface form
the user wrote, via canonical_quantity_name and usage_in_words
helpers. Source vocabulary and diagnostic vocabulary stay aligned
per ADR-007.

Four behavioural regression fixtures and test cases:
- bug_001_omega_let_smuggles_linear.affine (Option C, must reject)
- bug_001_sugar_form.affine (Option B, must reject)
- affine_let_valid.affine (Option C, must accept)
- affine_let_valid_sugar.affine (Option B, must accept)

All four pass. Test count 64 → 68. The 22 pre-existing baseline
failures are unchanged (zero new regressions, zero accidentally
resolved).

BUG-003 lacks a behavioural fixture in this commit because
observable order verification requires the let-mut interpreter
path, which is broken in baseline (root cause of several pre-
existing failing interp tests). The fix is verified by code
review against ADR-003.

Refs ADR-002, ADR-003, ADR-007.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

lib/interp.ml

@@ -343,13 +343,22 @@ let rec eval (env : env) (expr : expr) : value result =
   | ExprSpan (e, _) ->
     eval env e
 
-(** Evaluate a list of expressions *)
+(** Evaluate a list of expressions strictly left-to-right.
+
+    Per ADR-003, all n-ary expression forms (application arguments, tuple
+    components, array elements, record fields) evaluate their subexpressions
+    in source order. The previous implementation used [List.fold_right] with
+    monadic bind, which under OCaml's strict evaluation visited elements
+    right-to-left — inconsistent with [ExprBinary] and a latent divergence
+    point for future affine enforcement and effect handlers. *)
 and eval_list (env : env) (exprs : expr list) : value list result =
-  List.fold_right (fun expr acc ->
-    let* vals = acc in
-    let* v = eval env expr in
-    Ok (v :: vals)
-  ) exprs (Ok [])
+  let rec loop acc = function
+    | [] -> Ok (List.rev acc)
+    | expr :: rest ->
+      let* v = eval env expr in
+      loop (v :: acc) rest
+  in
+  loop [] exprs
 
 (** Evaluate match arms *)
 and eval_match_arms (env : env) (scrut_val : value) (arms : match_arm list) : value result =

lib/quantity.ml

@@ -103,6 +103,32 @@ let add_usage (u1 : usage) (u2 : usage) : usage =
   | (UZero, u) | (u, UZero) -> u
   | _ -> UMany
 
+(** Scale a usage by a quantity — implements the q·u operation that
+    the QTT-orthodox Let rule needs to scale the value-context Γ₁ by
+    the binder's quantity q.
+
+    Per ADR-002, [let x :^q = e1 in e2] is type-checked under
+    [q·Γ₁ + Γ₂ ⊢ ...]. The semiring action on usages is:
+
+      0 · u  = UZero            (erased — usage is annihilated)
+      1 · u  = u                (linear — usage passes through unchanged)
+      ω · UZero = UZero         (no use stays no use)
+      ω · UOne  = UMany         (a single use, replicated, becomes many)
+      ω · UMany = UMany         (many stays many)
+
+    The interesting case is [ω · UOne = UMany]: it is the rule that
+    closes BUG-001. A linear variable consumed in [e1] under an
+    ω-binder gets its usage promoted to UMany, which the
+    [check_quantity] step then catches as
+    [LinearVariableUsedMultiple]. *)
+let scale_usage (q : quantity) (u : usage) : usage =
+  match (q, u) with
+  | (QZero, _) -> UZero
+  | (QOne, u) -> u
+  | (QOmega, UZero) -> UZero
+  | (QOmega, UOne) -> UMany
+  | (QOmega, UMany) -> UMany
+
 (* {1 Errors} *)
 
 (** Quantity checking errors with precise descriptions. *)
@@ -120,21 +146,44 @@ type quantity_error =
 (** Result type carrying a quantity error paired with a source span. *)
 type 'a result = ('a, quantity_error * Span.t) Result.t
 
-(** Format a quantity error for human-readable output. *)
+(** Pretty-print a quantity using the canonical Option C surface form
+    from ADR-007. Used in error messages so source vocabulary and
+    diagnostic vocabulary stay aligned. *)
+let canonical_quantity_name (q : quantity) : string =
+  match q with
+  | QZero -> "@erased"
+  | QOne -> "@linear"
+  | QOmega -> "@unrestricted"
+
+(** Pretty-print a usage count in plain English. *)
+let usage_in_words (u : usage) : string =
+  match u with
+  | UZero -> "never used"
+  | UOne -> "used exactly once"
+  | UMany -> "used multiple times"
+
+(** Format a quantity error for human-readable output. Per ADR-007, all
+    diagnostic text uses the @linear/@erased/@unrestricted vocabulary,
+    even when the source program used the :1/:0/:ω sugar form. The
+    user reads consistent words regardless of which surface they wrote. *)
 let format_quantity_error (err : quantity_error) : string =
   match err with
   | LinearVariableUnused id ->
-    Printf.sprintf "Linear variable '%s' must be used exactly once, but was never used"
+    Printf.sprintf
+      "@linear binding '%s' must be used exactly once, but was never used"
       id.name
   | LinearVariableUsedMultiple id ->
-    Printf.sprintf "Linear variable '%s' must be used exactly once, but was used multiple times"
+    Printf.sprintf
+      "@linear binding '%s' must be used exactly once, but was used multiple times"
       id.name
   | ErasedVariableUsed id ->
-    Printf.sprintf "Erased variable '%s' (quantity 0) must not be used at runtime"
+    Printf.sprintf
+      "@erased binding '%s' must not be used at runtime"
       id.name
   | QuantityMismatch (id, q, u) ->
-    Printf.sprintf "Quantity mismatch for '%s': declared %s but used %s"
-      id.name (show_quantity q) (show_usage u)
+    Printf.sprintf
+      "quantity mismatch for '%s': declared %s but %s"
+      id.name (canonical_quantity_name q) (usage_in_words u)
 
 (* {1 Quantity environment} *)
 
@@ -249,7 +298,41 @@ let rec infer_usage_expr (env : env) (expr : expr) : unit =
     infer_usage_expr env lam.elam_body
 
   | ExprLet lb ->
+    (* ADR-002 / ADR-007: Let value context is scaled by the binder's
+       quantity. Concretely:
+         q·Γ₁ ⊢ e1 : A    (Γ₂, x:^q A) ⊢ e2 : B
+         ─────────────────────────────────────
+              q·Γ₁ + Γ₂ ⊢ let x :^q = e1 in e2 : B
+       For the usage analysis we implement this as: snapshot the env,
+       walk e1 (which records usages into the live env), compute the
+       per-variable delta added by walking e1, scale each delta entry
+       by q, restore the snapshot, and re-apply the scaled deltas as
+       additions. Then walk e2 normally. *)
+    let q = Option.value lb.el_quantity ~default:QOmega in
+    let before_value = env_snapshot env in
     infer_usage_expr env lb.el_value;
+    let after_value = env_snapshot env in
+    env_restore env before_value;
+    (* Re-apply scaled deltas. *)
+    Hashtbl.iter (fun name after_u ->
+      let before_u =
+        Hashtbl.find_opt before_value name |> Option.value ~default:UZero
+      in
+      (* Compute the delta usage added by walking el_value. We model
+         delta as: how many additional uses occurred during the walk.
+         Since usage is a 3-point lattice, the simplest sound rule is
+         "if the walk increased the usage at all, the delta is the
+         after-value's contribution beyond the before-value." We
+         implement this by treating any rise from before to after as
+         the delta usage to scale. *)
+      let delta =
+        if equal_usage before_u after_u then UZero
+        else after_u
+      in
+      let scaled = scale_usage q delta in
+      let merged = add_usage before_u scaled in
+      Hashtbl.replace env.usages name merged
+    ) after_value;
     Option.iter (infer_usage_expr env) lb.el_body
 
   | ExprIf ei ->
@@ -369,7 +452,27 @@ and infer_usage_block (env : env) (blk : block) : unit =
 and infer_usage_stmt (env : env) (stmt : stmt) : unit =
   match stmt with
   | StmtLet sl ->
-    infer_usage_expr env sl.sl_value
+    (* Same scaling treatment as ExprLet — see ADR-002 commentary
+       there. The statement form has no body to walk afterward;
+       subsequent statements in the enclosing block are walked
+       independently by infer_usage_block. *)
+    let q = Option.value sl.sl_quantity ~default:QOmega in
+    let before_value = env_snapshot env in
+    infer_usage_expr env sl.sl_value;
+    let after_value = env_snapshot env in
+    env_restore env before_value;
+    Hashtbl.iter (fun name after_u ->
+      let before_u =
+        Hashtbl.find_opt before_value name |> Option.value ~default:UZero
+      in
+      let delta =
+        if equal_usage before_u after_u then UZero
+        else after_u
+      in
+      let scaled = scale_usage q delta in
+      let merged = add_usage before_u scaled in
+      Hashtbl.replace env.usages name merged
+    ) after_value
   | StmtExpr e ->
     infer_usage_expr env e
   | StmtAssign (lhs, _, rhs) ->

test/e2e/fixtures/affine_let_valid.affine

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+// ADR-002 / ADR-007 valid case (Option C primary form).
+//
+// `r` is @linear (must be used exactly once). It is bound under a
+// @linear let, so the value context scales by 1 (identity). The let-
+// bound alias `s` is then used exactly once in the body. This must
+// pass the quantity checker.
+
+fn forward(@linear r: Int) -> Int {
+  @linear let s = r;
+  s
+}

test/e2e/fixtures/affine_let_valid_sugar.affine

@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+// ADR-002 / ADR-007 valid case — Option B sugar form.
+// Identical semantics to affine_let_valid.affine, written with :1
+// numeric quantity sugar in place of @linear.
+
+fn forward(@linear r: Int) -> Int {
+  let s :1 = r;
+  s
+}

test/e2e/fixtures/bug_001_omega_let_smuggles_linear.affine

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+// BUG-001 regression: ω-let must NOT smuggle a linear value through.
+//
+// `consume` declares its parameter as @linear, so within consume's body
+// the parameter `r` is a linear binding. The body binds `r` under an
+// @unrestricted let — per the QTT-orthodox scaled Let rule (ADR-002),
+// the value context for `e1` is scaled by ω, which promotes any linear
+// usage in `e1` to UMany. The quantity checker must then reject this
+// program because `r` is now considered "used multiple times" inside a
+// @linear binding.
+//
+// This fixture uses Option C surface syntax (@unrestricted, @linear).
+// The dual sugar-form fixture is bug_001_sugar_form.affine.
+
+fn consume(@linear r: Int) -> Int {
+  @unrestricted let alias = r;
+  alias + alias
+}

test/e2e/fixtures/bug_001_sugar_form.affine

@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+// BUG-001 regression — Option B sugar form. Same program as
+// bug_001_omega_let_smuggles_linear.affine but written with the
+// :1 / :ω numeric quantity sugar instead of @linear / @unrestricted.
+// Both surface forms must produce identical enforcement: the quantity
+// checker must reject this for the same reason.
+
+fn consume(@linear r: Int) -> Int {
+  let alias :ω = r;
+  alias + alias
+}

test/test_e2e.ml

@@ -435,10 +435,86 @@ let test_quantity_erased_violation () =
         Alcotest.(check bool) "error mentions erased"
           true (String.length msg > 0)
 
+(* ──── BUG-001 / ADR-007 regression cases ──────────────────────────────────
+   The four fixtures cover the cross product of {must-reject, must-accept}
+   × {Option C @linear primary form, Option B :1 sugar form}. Both surface
+   forms must produce identical enforcement, which proves the hybrid
+   syntax is wired through the same code path. *)
+
+let test_bug_001_smuggles_linear_attr_form () =
+  match parse_fixture (fixture "bug_001_omega_let_smuggles_linear.affine") with
+  | Error msg -> Alcotest.fail msg
+  | Ok prog ->
+    match resolve_program prog with
+    | Error msg -> Alcotest.fail msg
+    | Ok (ctx, _) ->
+      match Typecheck.check_program ctx.symbols prog with
+      | Ok _ ->
+        Alcotest.fail "BUG-001 (attr form): expected quantity rejection of \
+                       @unrestricted let smuggling a @linear value, but the \
+                       checker accepted the program"
+      | Error e ->
+        let msg = Typecheck.format_type_error e in
+        Alcotest.(check bool) "error mentions @linear vocabulary" true
+          (try let _ = Str.search_forward (Str.regexp "@linear") msg 0 in true
+           with Not_found -> false)
+
+let test_bug_001_smuggles_linear_sugar_form () =
+  match parse_fixture (fixture "bug_001_sugar_form.affine") with
+  | Error msg -> Alcotest.fail msg
+  | Ok prog ->
+    match resolve_program prog with
+    | Error msg -> Alcotest.fail msg
+    | Ok (ctx, _) ->
+      match Typecheck.check_program ctx.symbols prog with
+      | Ok _ ->
+        Alcotest.fail "BUG-001 (sugar form): expected quantity rejection of \
+                       :ω let smuggling a @linear value, but the checker \
+                       accepted the program"
+      | Error e ->
+        let msg = Typecheck.format_type_error e in
+        Alcotest.(check bool) "error mentions @linear vocabulary" true
+          (try let _ = Str.search_forward (Str.regexp "@linear") msg 0 in true
+           with Not_found -> false)
+
+let test_affine_let_valid_attr_form () =
+  match parse_fixture (fixture "affine_let_valid.affine") with
+  | Error msg -> Alcotest.fail msg
+  | Ok prog ->
+    match resolve_program prog with
+    | Error msg -> Alcotest.fail msg
+    | Ok (ctx, _) ->
+      match Typecheck.check_program ctx.symbols prog with
+      | Ok _ -> ()
+      | Error e ->
+        Alcotest.fail (Printf.sprintf
+          "valid @linear let case rejected: %s"
+          (Typecheck.format_type_error e))
+
+let test_affine_let_valid_sugar_form () =
+  match parse_fixture (fixture "affine_let_valid_sugar.affine") with
+  | Error msg -> Alcotest.fail msg
+  | Ok prog ->
+    match resolve_program prog with
+    | Error msg -> Alcotest.fail msg
+    | Ok (ctx, _) ->
+      match Typecheck.check_program ctx.symbols prog with
+      | Ok _ -> ()
+      | Error e ->
+        Alcotest.fail (Printf.sprintf
+          "valid :1 let case rejected: %s"
+          (Typecheck.format_type_error e))
+
 let quantity_tests = [
   Alcotest.test_case "valid affine usage" `Quick test_quantity_affine_valid;
   Alcotest.test_case "affine double use" `Quick test_quantity_affine_violation;
   Alcotest.test_case "erased usage" `Quick test_quantity_erased_violation;
+  Alcotest.test_case "BUG-001 attr form rejects ω-let smuggling @linear"
+    `Quick test_bug_001_smuggles_linear_attr_form;
+  Alcotest.test_case "BUG-001 sugar form rejects :ω let smuggling @linear"
+    `Quick test_bug_001_smuggles_linear_sugar_form;
+  Alcotest.test_case "valid @linear let accepts" `Quick test_affine_let_valid_attr_form;
+  Alcotest.test_case "valid :1 let accepts" `Quick test_affine_let_valid_sugar_form;
 ]
 
 (* ============================================================================