feat(Query): query complexity framework with sorting lower bound

Add a framework for proving upper and lower bounds on query complexity
of comparison-based algorithms, using `Prog` (free monad over query
types) with oracle-parametric evaluation and structural query counting.

Results:
- Insertion sort: correctness + O(n²) upper bound
- Merge sort: correctness + n·⌈log₂ n⌉ upper bound
- Lower bound: any correct comparison sort on an infinite type
  needs ≥ ⌈log₂(n!)⌉ queries (via adversarial pigeonhole on
  QueryTree depth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: kim-em

Cslib.lean

@@ -1,6 +1,17 @@
 module  -- shake: keep-all
 
 public import Cslib.Algorithms.Lean.MergeSort.MergeSort
+public import Cslib.Algorithms.Lean.Query.Bounds
+public import Cslib.Algorithms.Lean.Query.Prog
+public import Cslib.Algorithms.Lean.Query.QueryTree
+public import Cslib.Algorithms.Lean.Query.Sort.Insertion.Defs
+public import Cslib.Algorithms.Lean.Query.Sort.Insertion.Lemmas
+public import Cslib.Algorithms.Lean.Query.Sort.IsSort
+public import Cslib.Algorithms.Lean.Query.Sort.LEQuery
+public import Cslib.Algorithms.Lean.Query.Sort.LowerBound
+public import Cslib.Algorithms.Lean.Query.Sort.Merge.Defs
+public import Cslib.Algorithms.Lean.Query.Sort.Merge.Lemmas
+public import Cslib.Algorithms.Lean.Query.Sort.QueryTree
 public import Cslib.Algorithms.Lean.TimeM
 public import Cslib.Computability.Automata.Acceptors.Acceptor
 public import Cslib.Computability.Automata.Acceptors.OmegaAcceptor

Cslib/Algorithms/Lean/Query/Bounds.lean

@@ -0,0 +1,37 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Kim Morrison, Sebastian Graf
+-/
+module
+
+public import Cslib.Algorithms.Lean.Query.Prog
+
+/-! # Upper and Lower Bounds for Query Complexity
+
+Definitions of upper and lower bounds on the number of queries a program makes,
+quantified over oracles.
+-/
+
+open Cslib.Query
+
+public section
+
+namespace Cslib.Query
+
+/-- Upper bound: for all oracles, inputs of size ≤ n make at most `bound n` queries. -/
+@[expose] def UpperBound (prog : α → Prog Q β)
+    (size : α → Nat) (bound : Nat → Nat) : Prop :=
+  ∀ (oracle : {ι : Type} → Q ι → ι) (n : Nat) (x : α),
+    size x ≤ n → (prog x).queriesOn oracle ≤ bound n
+
+/-- Lower bound: for every size n, there exists an input and oracle
+    making the program perform ≥ `bound n` queries. -/
+@[expose] def LowerBound (prog : α → Prog Q β)
+    (size : α → Nat) (bound : Nat → Nat) : Prop :=
+  ∀ (n : Nat), ∃ (x : α), size x ≤ n ∧
+    ∃ (oracle : {ι : Type} → Q ι → ι), bound n ≤ (prog x).queriesOn oracle
+
+end Cslib.Query
+
+end -- public section

Cslib/Algorithms/Lean/Query/Prog.lean

@@ -0,0 +1,92 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Sorrachai Yingchareonthawornchai, Kim Morrison, Sebastian Graf, Shreyas Srinivas
+-/
+module
+
+public import Cslib.Foundations.Control.Monad.Free
+
+/-! # Prog: Programs as Free Monads over Query Types
+
+`Prog Q α` is an alias for `FreeM Q α`, representing a program that makes queries of type `Q`
+and returns a result of type `α`. A query type `Q : Type → Type` maps each query to its
+response type.
+
+The key operations are:
+- `Prog.eval oracle p`: evaluate `p` by answering each query using `oracle`
+- `Prog.queriesOn oracle p`: count the queries along the oracle-determined path
+
+Because the oracle is supplied *after* the program produces its query plan (the `Prog` tree),
+a sound implementation of `prog` has no way to "guess" what the oracle would respond.
+This is the foundation of the anti-cheating guarantee for both upper and lower bounds.
+
+This provides an alternative to the `TimeM`-based cost analysis in
+`Cslib.Algorithms.Lean.MergeSort`: here query counting is structural (derived from the
+`Prog` tree) rather than annotation-based.
+-/
+
+open Cslib
+
+public section
+
+namespace Cslib.Query
+
+/-- A program that makes queries of type `Q` and returns a result of type `α`.
+    This is `FreeM Q α`, the free monad over the query type. -/
+abbrev Prog (Q : Type → Type) (α : Type) := FreeM Q α
+
+namespace Prog
+
+variable {Q : Type → Type} {α β : Type}
+
+/-- Evaluate a program by answering each query using `oracle`. -/
+@[expose] def eval (oracle : {ι : Type} → Q ι → ι) : Prog Q α → α
+  | .pure a => a
+  | .liftBind op cont => eval oracle (cont (oracle op))
+
+/-- Count the number of queries along the path determined by `oracle`. -/
+@[expose] def queriesOn (oracle : {ι : Type} → Q ι → ι) : Prog Q α → Nat
+  | .pure _ => 0
+  | .liftBind op cont => 1 + queriesOn oracle (cont (oracle op))
+
+-- Simp lemmas for eval
+
+@[simp] theorem eval_pure (oracle : {ι : Type} → Q ι → ι) (a : α) :
+    eval oracle (.pure a : Prog Q α) = a := rfl
+
+@[simp] theorem eval_liftBind (oracle : {ι : Type} → Q ι → ι)
+    {ι : Type} (op : Q ι) (cont : ι → Prog Q α) :
+    eval oracle (.liftBind op cont) = eval oracle (cont (oracle op)) := rfl
+
+@[simp] theorem eval_bind (oracle : {ι : Type} → Q ι → ι)
+    (t : Prog Q α) (f : α → Prog Q β) :
+    eval oracle (t.bind f) = eval oracle (f (eval oracle t)) := by
+  induction t with
+  | pure a => rfl
+  | liftBind op cont ih => exact ih (oracle op)
+
+-- Simp lemmas for queriesOn
+
+@[simp] theorem queriesOn_pure (oracle : {ι : Type} → Q ι → ι) (a : α) :
+    queriesOn oracle (.pure a : Prog Q α) = 0 := rfl
+
+@[simp] theorem queriesOn_liftBind (oracle : {ι : Type} → Q ι → ι)
+    {ι : Type} (op : Q ι) (cont : ι → Prog Q α) :
+    queriesOn oracle (.liftBind op cont) = 1 + queriesOn oracle (cont (oracle op)) := rfl
+
+@[simp] theorem queriesOn_bind (oracle : {ι : Type} → Q ι → ι)
+    (t : Prog Q α) (f : α → Prog Q β) :
+    queriesOn oracle (t.bind f) =
+      queriesOn oracle t + queriesOn oracle (f (eval oracle t)) := by
+  induction t with
+  | pure a => simp [FreeM.bind]
+  | liftBind op cont ih =>
+    simp only [FreeM.bind, queriesOn_liftBind, eval_liftBind, ih (oracle op)]
+    omega
+
+end Prog
+
+end Cslib.Query
+
+end -- public section

Cslib/Algorithms/Lean/Query/QueryTree.lean

@@ -0,0 +1,139 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Kim Morrison, Sebastian Graf
+-/
+module
+
+public import Mathlib.Data.Nat.Log
+public import Mathlib.Data.Fintype.Card
+
+/-! # QueryTree: Decision Trees for Query Complexity Lower Bounds
+
+`QueryTree Q R α` is a free monad specialized to a single query type: queries take
+input `Q` and return `R`, with final results of type `α`. It reifies an algorithm's
+query pattern as an explicit decision tree.
+
+The key advantage over `Prog`/`FreeM` for lower bound proofs is that `R` is a fixed type
+parameter (not existentially quantified per query), making structural induction with
+pigeonhole arguments straightforward.
+
+## Main Definitions
+
+- `QueryTree Q R α` — the decision tree type
+- `QueryTree.ask` — the canonical single-query tree
+- `QueryTree.eval` — evaluate with a specific oracle
+- `QueryTree.queriesOn` — count queries along an oracle-determined path
+-/
+
+public section
+
+namespace Cslib.Query
+
+/-- A decision tree over queries of type `Q → R`, with results of type `α`.
+
+This is the free monad specialized to a single fixed-type operation, used to reify
+algorithms as explicit trees for query complexity lower bounds. -/
+inductive QueryTree (Q : Type) (R : Type) (α : Type) where
+  /-- A completed computation returning value `a`. -/
+  | pure (a : α) : QueryTree Q R α
+  /-- A query node: asks query `q`, then continues based on the response. -/
+  | query (q : Q) (cont : R → QueryTree Q R α) : QueryTree Q R α
+
+namespace QueryTree
+
+variable {Q R α β γ : Type}
+
+/-- Lift a single query into the tree. -/
+@[expose] def ask (q : Q) : QueryTree Q R R := .query q .pure
+
+/-- Monadic bind for query trees. -/
+@[expose] protected def bind : QueryTree Q R α → (α → QueryTree Q R β) → QueryTree Q R β
+  | .pure a, f => f a
+  | .query q cont, f => .query q (fun r => (cont r).bind f)
+
+/-- Functorial map for query trees. -/
+@[expose] protected def map (f : α → β) : QueryTree Q R α → QueryTree Q R β
+  | .pure a => .pure (f a)
+  | .query q cont => .query q (fun r => (cont r).map f)
+
+protected theorem bind_pure : ∀ (x : QueryTree Q R α), x.bind .pure = x
+  | .pure _ => rfl
+  | .query _ cont => by simp [QueryTree.bind, QueryTree.bind_pure]
+
+protected theorem bind_assoc :
+    ∀ (x : QueryTree Q R α) (f : α → QueryTree Q R β) (g : β → QueryTree Q R γ),
+      (x.bind f).bind g = x.bind (fun a => (f a).bind g)
+  | .pure _, _, _ => rfl
+  | .query _ cont, f, g => by simp [QueryTree.bind, QueryTree.bind_assoc]
+
+protected theorem bind_pure_comp (f : α → β) :
+    ∀ (x : QueryTree Q R α), x.bind (.pure ∘ f) = x.map f
+  | .pure _ => rfl
+  | .query _ cont => by simp [QueryTree.bind, QueryTree.map, QueryTree.bind_pure_comp]
+
+protected theorem id_map : ∀ (x : QueryTree Q R α), x.map id = x
+  | .pure _ => rfl
+  | .query _ cont => by simp [QueryTree.map, QueryTree.id_map]
+
+instance : Monad (QueryTree Q R) where
+  pure := .pure
+  bind := .bind
+
+instance : LawfulMonad (QueryTree Q R) := LawfulMonad.mk'
+  (bind_pure_comp := fun _ _ => rfl)
+  (id_map := QueryTree.bind_pure)
+  (pure_bind := fun _ _ => rfl)
+  (bind_assoc := QueryTree.bind_assoc)
+
+-- Core operations
+
+/-- Evaluate a query tree with a specific oracle, returning the final result. -/
+@[expose] def eval (oracle : Q → R) : QueryTree Q R α → α
+  | .pure a => a
+  | .query q cont => eval oracle (cont (oracle q))
+
+/-- Count the number of queries along the path determined by `oracle`. -/
+@[expose] def queriesOn (oracle : Q → R) : QueryTree Q R α → Nat
+  | .pure _ => 0
+  | .query q cont => 1 + queriesOn oracle (cont (oracle q))
+
+-- Simp lemmas
+
+@[simp] theorem eval_pure' (oracle : Q → R) (a : α) :
+    (QueryTree.pure a : QueryTree Q R α).eval oracle = a := rfl
+
+@[simp] theorem eval_query (oracle : Q → R) (q : Q) (cont : R → QueryTree Q R α) :
+    (QueryTree.query q cont).eval oracle = (cont (oracle q)).eval oracle := rfl
+
+@[simp] theorem eval_bind (oracle : Q → R) (t : QueryTree Q R α) (f : α → QueryTree Q R β) :
+    (t.bind f).eval oracle = (f (t.eval oracle)).eval oracle := by
+  induction t with
+  | pure a => rfl
+  | query q cont ih => exact ih (oracle q)
+
+@[simp] theorem queriesOn_pure' (oracle : Q → R) (a : α) :
+    (QueryTree.pure a : QueryTree Q R α).queriesOn oracle = 0 := rfl
+
+@[simp] theorem queriesOn_query (oracle : Q → R) (q : Q) (cont : R → QueryTree Q R α) :
+    (QueryTree.query q cont).queriesOn oracle = 1 + (cont (oracle q)).queriesOn oracle := rfl
+
+/-- Queries of `t.bind f` = queries of `t` + queries of the continuation. -/
+@[simp] theorem queriesOn_bind (oracle : Q → R) (t : QueryTree Q R α) (f : α → QueryTree Q R β) :
+    (t.bind f).queriesOn oracle =
+      t.queriesOn oracle + (f (t.eval oracle)).queriesOn oracle := by
+  induction t with
+  | pure a => simp [QueryTree.bind, queriesOn, eval]
+  | query q cont ih => simp only [QueryTree.bind, queriesOn_query, eval_query, ih (oracle q)]; omega
+
+@[simp] theorem queriesOn_ask (oracle : Q → R) (q : Q) :
+    (ask q : QueryTree Q R R).queriesOn oracle = 1 := rfl
+
+@[simp] theorem eval_ask (oracle : Q → R) (q : Q) :
+    (ask q : QueryTree Q R R).eval oracle = oracle q := rfl
+
+end QueryTree
+
+end Cslib.Query
+
+end -- public section

Cslib/Algorithms/Lean/Query/Sort/Insertion/Defs.lean

@@ -0,0 +1,41 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Kim Morrison
+-/
+module
+
+public import Cslib.Algorithms.Lean.Query.Sort.LEQuery
+
+/-! # Insertion Sort as a Query Program
+
+Insertion sort implemented as a `Prog (LEQuery α)`, making all comparison queries explicit.
+-/
+
+open Cslib.Query
+
+public section
+
+namespace Cslib.Query
+
+/-- Insert `x` into a sorted list using comparison queries. -/
+@[expose] def orderedInsert (x : α) : List α → Prog (LEQuery α) (List α)
+  | [] => pure [x]
+  | y :: ys => do
+    let le ← LEQuery.ask x y
+    if le then
+      pure (x :: y :: ys)
+    else do
+      let rest ← orderedInsert x ys
+      pure (y :: rest)
+
+/-- Sort a list using insertion sort with comparison queries. -/
+@[expose] def insertionSort : List α → Prog (LEQuery α) (List α)
+  | [] => pure []
+  | x :: xs => do
+    let sorted ← insertionSort xs
+    orderedInsert x sorted
+
+end Cslib.Query
+
+end -- public section