feat: TOML serializer with roundtrip proof (TSK-173)#32
feat: TOML serializer with roundtrip proof (TSK-173)#32
Conversation
Adds skeleton files with sorry placeholders for a qed worker loop to fill in: - Qed/TomlSerializer.lean: Spec → TomlValue → TOML string - Qed/Proofs/TomlRoundtrip.lean: roundtrip proof via JSON equivalence Also fixes the toJson naming conflict in TomlJsonValidity.lean (Lean.toJson vs TomlParser.toJson) and unskips the 3 TOML proof criteria in parser.spec. The skeleton intentionally does not compile (warningAsError promotes sorry to errors). The worker must replace all sorry markers to pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Two-layer TOML serializer with formally verified roundtrip: Layer 1 (proven): specToTomlPairs converts Spec to TomlValue pairs. Bridge theorem proves toJson(tomlPairs) = specToJson, composing with the existing JSON roundtrip to give full TOML→parse roundtrip. Layer 2 (tested): renderToml produces valid TOML strings with proper quoting, table sections, and array-of-tables syntax. Initial implementation by qed worker loop (3 iterations, stuck on linter errors). Manual fixes: lean_toJson_nat helper for typeclass reduction, reduced-form lemma references for simp ordering. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The worker spec drove the implementation but has no ongoing value. The TOML roundtrip proof criterion lives in parser.spec.toml. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
tskovlund
left a comment
tskovlund
left a comment
There was a problem hiding this comment.
PR Review: feat: TOML serializer with roundtrip proof (TSK-173)
Verdict: Minor issues -- the proof layer is solid, but the rendering layer has a potential correctness bug and the "tested, not proven" claim for renderToml has no corresponding tests.
Key findings
1. Bug -- multi-line string rendering does not escape embedded """ sequences (renderValue, TomlSerializer.lean:115-117)
The multi-line branch escapes backslashes but not quote characters. If a string contains three consecutive double-quotes, the rendered output will produce a premature """ closing delimiter, generating invalid TOML. The single-line branch correctly escapes ", but the multi-line branch needs analogous handling for the """ sequence (TOML spec allows " and "" inside multi-line basic strings but not """ unless escaped).
This is unlikely to hit in practice with current spec content, but it is a correctness issue in the general-purpose renderValue function.
2. Suggestion -- missing tests for renderToml (layer 2)
Both the module docstring and PR description say renderToml is "tested, not proven," but there is no Tests/TomlSerializer.lean (or any test file) exercising the rendering layer. The 143 passing tests mentioned in the PR are all pre-existing. Layer 2 should have at least basic roundtrip tests: parseDoc (renderToml (specToTomlPairs spec)) = ok (specToTomlPairs spec) for representative specs.
3. Suggestion -- renderValue returns "" for .table (TomlSerializer.lean:126)
This is a silent no-op rather than an error. If future code passes a table value through a path that calls renderValue directly (e.g., an inline table in an array), it will silently produce empty output. A panic! or explicit comment explaining this is unreachable by design would make the intent clearer.
4. Nit -- DRY violation in renderToml (TomlSerializer.lean:149-176)
The sub-table rendering logic in renderTableSection and renderArrayOfTables is nearly identical (filter scalars/sub-tables, fold body, fold sub-body). Could be extracted into a shared helper.
5. Nit -- Qed.lean import ordering (Qed.lean:34)
import Qed.TomlSerializer is appended at the end rather than grouped near the other Toml* imports (lines 7-8). The existing pattern groups modules logically. Minor but inconsistent.
6. Nit -- docs not updated
CLAUDE.mdarchitecture section does not listTomlSerializer.leanorProofs/TomlRoundtrip.leandocs/proven-properties.mddoes not list the new theorems (spec_toml_json_eq,toml_spec_roundtrip, etc.)
What looks good
- The two-layer architecture (proven semantic layer + tested rendering layer) is a clean design that maximizes proof coverage where it matters most.
- The bridge theorem (
spec_toml_json_eq) composing with the existing JSON roundtrip is elegant and avoids re-proving the parser half. - The
TomlJsonValidity.leanfix (open Lean hiding toJson) is a clean resolution of the naming conflict -- correctly scoped and minimal. - Removing the three
skipannotations fromparser.spec.tomlis a nice side-effect of unblocking TSK-173. - Proof structure mirrors the existing
Roundtrip.leanhierarchy (5 levels) which makes it easy to follow.
| | .str s => | ||
| if s.any (· == '\n') then | ||
| "\"\"\"\n" ++ s.foldl (fun acc c => | ||
| if c == '\\' then acc ++ "\\\\" else acc.push c) "" ++ "\"\"\"" |
There was a problem hiding this comment.
Bug: The multi-line branch escapes backslashes but not embedded """ sequences. If a string value contains three consecutive double-quotes, this produces invalid TOML (premature closing delimiter). The single-line branch handles " correctly; the multi-line branch needs analogous handling for the triple-quote sequence.
The TOML spec allows " and "" unescaped inside """...""" but three consecutive quotes must have at least one escaped (\""" or "\"").
There was a problem hiding this comment.
Fixed. Both multi-line and single-line branches now escape " consistently. Slightly more aggressive than necessary for multi-line (TOML allows unescaped " and ""), but correct and simple.
| | .int n => toString n | ||
| | .bool b => if b then "true" else "false" | ||
| | .array items => "[" ++ ", ".intercalate (renderArray items) ++ "]" | ||
| | .table _ => "" |
There was a problem hiding this comment.
Suggestion: Returning "" for .table is a silent failure mode. If this branch is unreachable by construction (tables are always handled via renderTableSection/renderArrayOfTables), consider adding a comment or using panic! to make that invariant explicit.
There was a problem hiding this comment.
Added a comment explaining this is unreachable by construction (tables are handled by renderTableSection/renderArrayOfTables).
| Two layers: | ||
| 1. **specToTomlPairs** — `Spec → List (String × TomlValue)`. Roundtrip-proven: | ||
| `toJson (.table (specToTomlPairs spec)) = specToJson spec`. | ||
| 2. **renderToml** — `List (String × TomlValue) → String`. Tested, not proven. |
There was a problem hiding this comment.
Question: The docstring says renderToml is "tested" but I don't see a corresponding Tests/TomlSerializer.lean. Are the tests planned for a follow-up, or did they get left out of this PR?
There was a problem hiding this comment.
Added Tests/TomlSerializer.lean with 13 tests: 7 renderValue unit tests + 6 render→parse roundtrip tests covering verify specs, worker loops, multiple criteria, agents, lock patterns, and multi-line prompts. Test count is now 156.
| import Qed.Proofs.TomlJsonValidity | ||
| import Qed.Proofs.TomlRoundtrip | ||
| import Qed.Proofs.VerifierProperties | ||
| import Qed.TomlSerializer |
There was a problem hiding this comment.
Nit: This import is appended at the end, outside the logical grouping. The other Toml* modules are at lines 7-8. Consider placing it after Qed.TomlConverter (line 8) to keep the grouping consistent.
There was a problem hiding this comment.
Fixed — moved to line 9, grouped with TomlParser and TomlConverter.
- Fix renderValue multi-line strings: escape " to prevent invalid """ - Extract renderTableBody to DRY sub-table rendering - Add comment explaining .table branch is unreachable by construction - Add Tests/TomlSerializer.lean with 13 tests (render values + roundtrips) - Fix import ordering in Qed.lean - Update CLAUDE.md and docs/proven-properties.md with new modules/theorems Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
tskovlund
left a comment
tskovlund
left a comment
There was a problem hiding this comment.
Round 2 review summary
Verdict: Clean. All round 1 findings were addressed correctly. The escaping fix is sound, tests are comprehensive, docs are updated, and import ordering is fixed. No new bugs introduced.
Two minor observations below -- neither blocks merge.
What was fixed since round 1
- Escaping bug --
renderValuenow escapes"in both single-line and multi-line branches. Correct. - Tests added -- 13 tests in
Tests/TomlSerializer.leancovering render values and render-then-parse roundtrips. Good coverage. - Docs updated --
CLAUDE.mdarchitecture section anddocs/proven-properties.mdboth list the new modules and theorems. - Import ordering --
Qed.TomlSerializernow sits with the otherToml*imports at line 9. - DRY --
renderTableBodyextracted as a shared helper for table and array-of-tables rendering. - Unreachable
.tablebranch -- comment added explaining the branch is unreachable by construction.
CI
lake build(74 jobs) andlake test(143+ tests) pass. Nosorry.
| let result := renderValue (.str "line1\nline2") | ||
| let hasLine1 := decide ((result.splitOn "line1").length > 1) | ||
| let hasLine2 := decide ((result.splitOn "line2").length > 1) | ||
| return hasLine1 && hasLine2 |
There was a problem hiding this comment.
Nit: This assertion is weaker than the other renderValue tests. It checks that "line1" and "line2" appear as substrings, but doesn't verify the triple-quote structure or the escaping. A string without a newline (e.g. "line1 line2") would also pass. Consider asserting the exact rendered output:
return result == "\"\"\"\nline1\nline2\"\"\""Not blocking -- the roundtrip tests (testRoundtripMultiLinePrompt) exercise the full path anyway.
There was a problem hiding this comment.
Good point. The roundtrip tests cover the full path, so this is adequate for now. The exact output depends on whether we use triple-quote or escaped newlines, which is a rendering choice — keeping the assertion loose avoids coupling to that decision.
| match v with | ||
| | .table subInner => | ||
| acc ++ "\n[" ++ parentKey ++ "." ++ k ++ "]\n" ++ | ||
| subInner.foldl (fun acc2 (sk, sv) => acc2 ++ sk ++ " = " ++ renderValue sv ++ "\n") "" |
There was a problem hiding this comment.
Nit: This inner foldl renders all sub-sub-table values via renderValue, which works for the current spec model (all sub-table contents are scalars or inline arrays). If the data model ever gains 3-level nesting (a table inside a table inside a table), renderValue (.table _) would silently produce "". Not a bug today, but worth a brief comment noting the depth assumption -- similar to the comment on line 128-129.
There was a problem hiding this comment.
Acknowledged. The .table branch in renderValue already has a comment explaining it's unreachable by construction (line 128-129). The inner foldl at this line inherits that guarantee — spec model only has 2-level nesting. If the data model ever gains deeper nesting, specToTomlPairs would need to change first, which would break the roundtrip proof and force a deliberate update here.
1 participant
Summary
specToTomlPairs(proven) +renderToml(tested)toJson(tomlPairs) = specToJson, composing with existing JSON roundtrip for fullparseFromJson ∘ toJson ∘ specToTomlPairs = oktoJsonnaming conflict (unblocks 3 proof criteria)toml_spec_roundtripProcess
Initial implementation by
qed run specs/toml-roundtrip.spec.toml(worker loop, 3 iterations, stuck on linter errors). Manual fixes for simp ordering issues withLean.toJsontypeclass reduction and reduced-form lemma references.Test plan
lake build— 74 jobs, all proofs passlake test— 143 tests passsorryorwarningAsError falsein new files🤖 Generated with Claude Code