eyeling 1.14.13 → 1.15.0

package/examples/high-trust-rdf-bloom-tamper-contrast.n3

@@ -0,0 +1,395 @@
+# =============================================================================
+# High-trust RDF Bloom filter hardening: trusted artifact vs tampered artifact
+#
+# Why this example exists:
+#   It stresses why the hardening matters. The file contains two artifacts:
+#
+#     1) a trusted artifact with sane parameters and a matching decimal
+#        certificate for exp(-lambda)
+#     2) a tampered artifact with bogus numbers that can still look "cheap"
+#        under weak budget-only checks because a malformed upper bound becomes a
+#        large negative number
+#
+# Main lesson:
+#   Weak checks can be fooled by malformed intermediate values.
+#   Hardened checks make acceptance depend on explicit sanity conditions and on
+#   a certificate that is well-formed and tied to the computed lambda.
+#
+# What the file demonstrates:
+#   * :trustedArtifact is accepted under both the weak and hardened rules
+#   * :tamperedArtifact can pass the weak budget-only path
+#   * :tamperedArtifact is rejected by the hardened path, with explicit reasons
+# =============================================================================
+
+@prefix :     <http://example.org/high-trust-rdf#>.
+@prefix math: <http://www.w3.org/2000/10/swap/math#>.
+@prefix log:  <http://www.w3.org/2000/10/swap/log#>.
+@prefix xsd:  <http://www.w3.org/2001/XMLSchema#>.
+
+# -----------------
+# Trusted artifact
+# -----------------
+
+:trustedArtifact a :HighTrustRdfArtifact;
+  :canonicalTripleCount 1200;
+  :spoIndexTripleCount 1200;
+  :bloomBits 16384;
+  :hashFunctions 7;
+  :negativeLookupsPerBatch 50000;
+  :fpRateBudget 0.002;
+  :extraExactLookupsBudget 100.0;
+  :exactTranscendentalSymbol "exp(-k*n/m)";
+  :certifiedLambda 0.5126953125;
+  :expMinusLambdaLower 0.5988792348;
+  :expMinusLambdaUpper 0.5988792349;
+  :maybePositivePolicy :ConfirmAgainstCanonicalGraph;
+  :definiteNegativePolicy :ReturnAbsent.
+
+# ------------------
+# Tampered artifact
+# ------------------
+
+:tamperedArtifact a :HighTrustRdfArtifact;
+  :canonicalTripleCount 1200;
+  :spoIndexTripleCount 1200;
+  :bloomBits -12;
+  :hashFunctions 7;
+  :negativeLookupsPerBatch 1;
+  :fpRateBudget 0.1;
+  :extraExactLookupsBudget 100.0;
+  :exactTranscendentalSymbol "whatever an attacker writes here";
+  :certifiedLambda 0.5126953125;
+  :expMinusLambdaLower 42;
+  :expMinusLambdaUpper -42;
+  :maybePositivePolicy :ConfirmAgainstCanonicalGraph;
+  :definiteNegativePolicy :ReturnAbsent.
+
+# -------------------------------------------------
+# Exact structural agreement of graph and SPO index
+# -------------------------------------------------
+
+{
+  ?a :canonicalTripleCount ?n;
+     :spoIndexTripleCount ?n.
+}
+=>
+{
+  ?a :indexAgreement true.
+  ?a :tripleCount ?n.
+}.
+
+# -------------------------------------------
+# Exact load factor lambda = k*n/m as decimal
+# -------------------------------------------
+
+{
+  ?a :tripleCount ?n;
+     :hashFunctions ?k;
+     :bloomBits ?m.
+  ( ?k ?n ) math:product ?kn.
+  ( ?kn ?m ) math:quotient ?lambda.
+}
+=>
+{
+  ?a :lambda ?lambda.
+}.
+
+# ==========================
+# Weak path (pre-hardening)
+# ==========================
+# This path deliberately computes a budget envelope from whatever numbers were
+# supplied, without first proving that they form a sane certificate.
+
+{
+  ?a :hashFunctions ?k;
+     :expMinusLambdaLower ?eLo;
+     :expMinusLambdaUpper ?eHi.
+  ( 1.0 ?eHi ) math:difference ?oneMinusLo.
+  ( 1.0 ?eLo ) math:difference ?oneMinusHi.
+  ( ?oneMinusLo ?k ) math:exponentiation ?fpLo.
+  ( ?oneMinusHi ?k ) math:exponentiation ?fpHi.
+}
+=>
+{
+  ?a :weakFpRateLower ?fpLo;
+     :weakFpRateUpper ?fpHi.
+}.
+
+{
+  ?a :weakFpRateUpper ?fpHi;
+     :fpRateBudget ?budget.
+  ?fpHi math:lessThan ?budget.
+}
+=>
+{
+  ?a :weakWithinFpRateBudget true.
+}.
+
+{
+  ?a :negativeLookupsPerBatch ?q;
+     :weakFpRateUpper ?fpHi.
+  ( ?q ?fpHi ) math:product ?extraHi.
+}
+=>
+{
+  ?a :weakExpectedExtraExactLookupsUpper ?extraHi.
+}.
+
+{
+  ?a :weakExpectedExtraExactLookupsUpper ?extraHi;
+     :extraExactLookupsBudget ?budget.
+  ?extraHi math:lessThan ?budget.
+}
+=>
+{
+  ?a :weakWithinExactLookupBudget true.
+}.
+
+{
+  ?a :indexAgreement true;
+     :weakWithinFpRateBudget true;
+     :weakWithinExactLookupBudget true;
+     :maybePositivePolicy :ConfirmAgainstCanonicalGraph;
+     :definiteNegativePolicy :ReturnAbsent.
+}
+=>
+{
+  ?a :weakDecision :AcceptUnderWeakBudgetOnlyRules.
+}.
+
+# ==============================
+# Hardened path (current design)
+# ==============================
+
+# Parameter sanity is explicit and required.
+{
+  ?a :canonicalTripleCount ?n;
+     :spoIndexTripleCount ?s;
+     :bloomBits ?m;
+     :hashFunctions ?k;
+     :negativeLookupsPerBatch ?q;
+     :fpRateBudget ?r;
+     :extraExactLookupsBudget ?e.
+  ?n math:greaterThan 0.
+  ?s math:greaterThan 0.
+  ?m math:greaterThan 0.
+  ?k math:greaterThan 0.
+  ?q math:greaterThan 0.
+  ?r math:greaterThan 0.
+  ?e math:greaterThan 0.
+}
+=>
+{
+  ?a :parameterSanity true.
+}.
+
+# A matching and well-formed interval certificate is explicit and required.
+{
+  ?a :lambda ?lambda;
+     :certifiedLambda ?lambda;
+     :expMinusLambdaLower ?lo;
+     :expMinusLambdaUpper ?hi.
+  ?lambda math:greaterThan 0.
+  ?lo math:lessThan ?hi.
+  ?lo math:greaterThan 0.
+  ?hi math:lessThan 1.
+}
+=>
+{
+  ?a :expIntervalCertificate :CertifiedDecimalInterval.
+}.
+
+# Hardened envelope uses only a certified interval.
+{
+  ?a :expIntervalCertificate :CertifiedDecimalInterval;
+     :hashFunctions ?k;
+     :expMinusLambdaLower ?eLo;
+     :expMinusLambdaUpper ?eHi.
+  ( 1.0 ?eHi ) math:difference ?oneMinusLo.
+  ( 1.0 ?eLo ) math:difference ?oneMinusHi.
+  ( ?oneMinusLo ?k ) math:exponentiation ?fpLo.
+  ( ?oneMinusHi ?k ) math:exponentiation ?fpHi.
+}
+=>
+{
+  ?a :fpRateLower ?fpLo;
+     :fpRateUpper ?fpHi.
+}.
+
+{
+  ?a :fpRateUpper ?fpHi;
+     :fpRateBudget ?budget.
+  ?fpHi math:greaterThan 0.
+  ?fpHi math:lessThan ?budget.
+}
+=>
+{
+  ?a :withinFpRateBudget true.
+}.
+
+{
+  ?a :negativeLookupsPerBatch ?q;
+     :fpRateUpper ?fpHi.
+  ( ?q ?fpHi ) math:product ?extraHi.
+}
+=>
+{
+  ?a :expectedExtraExactLookupsUpper ?extraHi.
+}.
+
+{
+  ?a :expectedExtraExactLookupsUpper ?extraHi;
+     :extraExactLookupsBudget ?budget.
+  ?extraHi math:greaterThan 0.
+  ?extraHi math:lessThan ?budget.
+}
+=>
+{
+  ?a :withinExactLookupBudget true.
+}.
+
+{
+  ?a :parameterSanity true;
+     :indexAgreement true;
+     :expIntervalCertificate :CertifiedDecimalInterval;
+     :withinFpRateBudget true;
+     :withinExactLookupBudget true;
+     :maybePositivePolicy :ConfirmAgainstCanonicalGraph;
+     :definiteNegativePolicy :ReturnAbsent.
+}
+=>
+{
+  ?a :hardenedDecision :AcceptForHighTrustUse.
+}.
+
+# ======================================
+# Explicit tamper evidence / reject path
+# ======================================
+# These rules make hardening visible in the output.
+
+{
+  ?a :bloomBits ?m.
+  ?m math:notGreaterThan 0.
+}
+=>
+{
+  ?a :rejectReason :NonPositiveBloomBits.
+}.
+
+{
+  ?a :lambda ?lambda;
+     :certifiedLambda ?certified.
+  ?certified math:notEqualTo ?lambda.
+}
+=>
+{
+  ?a :rejectReason :CertifiedLambdaMismatch.
+}.
+
+{
+  ?a :expMinusLambdaLower ?lo;
+     :expMinusLambdaUpper ?hi.
+  ?hi math:notGreaterThan ?lo.
+}
+=>
+{
+  ?a :rejectReason :MalformedIntervalOrdering.
+}.
+
+{
+  ?a :expMinusLambdaLower ?lo.
+  ?lo math:notGreaterThan 0.
+}
+=>
+{
+  ?a :rejectReason :NonPositiveIntervalLowerBound.
+}.
+
+{
+  ?a :expMinusLambdaUpper ?hi.
+  ?hi math:notLessThan 1.
+}
+=>
+{
+  ?a :rejectReason :IntervalUpperBoundNotBelowOne.
+}.
+
+{
+  ?a :rejectReason ?why.
+}
+=>
+{
+  ?a :hardenedDecision :RejectForHighTrustUse.
+}.
+
+
+# ---------------------------------
+# Explicit contrast for wide readers
+# ---------------------------------
+
+{
+  :trustedArtifact :weakDecision :AcceptUnderWeakBudgetOnlyRules;
+                   :hardenedDecision :AcceptForHighTrustUse.
+}
+=>
+{
+  :result :trustedArtifactBehavesAsExpected true.
+}.
+
+{
+  :tamperedArtifact :weakDecision :AcceptUnderWeakBudgetOnlyRules;
+                    :hardenedDecision :RejectForHighTrustUse.
+}
+=>
+{
+  :result :tamperedArtifactShowsWhyHardeningMatters true.
+}.
+
+{
+  ?a :weakDecision ?weak;
+     :hardenedDecision ?hard.
+}
+log:query
+{
+  :result :decision [
+    :artifact ?a;
+    :weak ?weak;
+    :hardened ?hard
+  ].
+}.
+
+# ---------------
+# Readable output
+# ---------------
+
+{
+  ?a :lambda ?lambda;
+     :certifiedLambda ?certifiedLambda;
+     :weakFpRateUpper ?weakFpHi;
+     :weakExpectedExtraExactLookupsUpper ?weakExtraHi;
+     :weakDecision ?weakDecision;
+     :hardenedDecision ?hardDecision.
+}
+log:query
+{
+  :result :summary (
+    ?a
+    "lambda" ?lambda
+    "certified-lambda" ?certifiedLambda
+    "weak-fp-upper" ?weakFpHi
+    "weak-extra-exact-upper" ?weakExtraHi
+    "weak-decision" ?weakDecision
+    "hardened-decision" ?hardDecision
+  ).
+}.
+
+{
+  ?a :rejectReason ?why.
+}
+log:query
+{
+  :result :rejectReason [
+    :artifact ?a;
+    :why ?why
+  ].
+}.

package/examples/integer-first-control-tank-level.n3

@@ -0,0 +1,209 @@
+# =======================================================================================
+# Integer-first sampled tank-level control
+#
+# Why this example exists:
+#   It shows a control-engineering pattern in a genuinely integer-first style.
+#   The plant state is a water level in integer millimetres. The controller reads that
+#   level once per sample, chooses an integer valve opening, and the plant updates by an
+#   exact integer balance law.
+#
+# Plant and controller:
+#   level(k+1) = level(k) + valve(k) - outflow
+#   with outflow = 2 mm/sample and valve in {0,1,2,3,4}.
+#
+# Control law around setpoint 20 mm:
+#   level < 16          -> valve = 4   (net +2)
+#   16 <= level < 19    -> valve = 3   (net +1)
+#   19 <= level <= 21   -> valve = 2   (net  0)
+#   21 < level <= 24    -> valve = 1   (net -1)
+#   24 < level          -> valve = 0   (net -2)
+#
+# What is certified:
+#   * every closed-loop transition is exact integer arithmetic
+#   * the absolute error to the setpoint shrinks whenever it is still > 1
+#   * once the level enters the hold band [19,21], it stays there exactly
+#
+# This is “integer-first” because the certifying part of the reasoning uses only counts,
+# comparisons, sums, and differences. No floating point is needed to explain why the loop
+# behaves safely.
+# =======================================================================================
+
+@prefix :     <http://example.org/integer-control#>.
+@prefix math: <http://www.w3.org/2000/10/swap/math#>.
+@prefix log:  <http://www.w3.org/2000/10/swap/log#>.
+
+# ----------
+# Parameters
+# ----------
+
+:controller a :SampledTankController;
+  :setpoint 20;
+  :outflow 2;
+  :maxStep 8.
+
+:trialLow a :ClosedLoopTrial; :initialLevel 12.
+:trialHigh a :ClosedLoopTrial; :initialLevel 28.
+:trialNominal a :ClosedLoopTrial; :initialLevel 20.
+
+# -----------------
+# Initial condition
+# -----------------
+
+{ ?trial a :ClosedLoopTrial; :initialLevel ?level0. }
+=>
+{ ?trial :levelAt (0 ?level0). }.
+
+# ------------------------------
+# Integer control law by regions
+# ------------------------------
+
+{ ?trial :levelAt (?k ?level). ?level math:lessThan 16. }
+=>
+{ ?trial :valveAt (?k 4). }.
+
+{
+  ?trial :levelAt (?k ?level).
+  ?level math:notLessThan 16.
+  ?level math:lessThan 19.
+}
+=>
+{ ?trial :valveAt (?k 3). }.
+
+{
+  ?trial :levelAt (?k ?level).
+  ?level math:notLessThan 19.
+  ?level math:notGreaterThan 21.
+}
+=>
+{ ?trial :valveAt (?k 2). }.
+
+{
+  ?trial :levelAt (?k ?level).
+  ?level math:greaterThan 21.
+  ?level math:notGreaterThan 24.
+}
+=>
+{ ?trial :valveAt (?k 1). }.
+
+{ ?trial :levelAt (?k ?level). ?level math:greaterThan 24. }
+=>
+{ ?trial :valveAt (?k 0). }.
+
+# -----------------------
+# Exact plant propagation
+# -----------------------
+
+{
+  :controller :maxStep ?max; :outflow ?outflow.
+  ?trial a :ClosedLoopTrial.
+  ?trial :levelAt (?k ?level).
+  ?trial :valveAt (?k ?valve).
+  ?k math:lessThan ?max.
+
+  ( ?k 1 ) math:sum ?k1.
+  ( ?level ?valve ) math:sum ?inflowed.
+  ( ?inflowed ?outflow ) math:difference ?nextLevel.
+}
+=>
+{ ?trial :levelAt (?k1 ?nextLevel). }.
+
+# ------------------------------------
+# Exact absolute error to the setpoint
+# ------------------------------------
+
+{
+  :controller :setpoint ?sp.
+  ?trial :levelAt (?k ?level).
+  ?level math:lessThan ?sp.
+  ( ?sp ?level ) math:difference ?error.
+}
+=>
+{
+  ?trial :errorAt (?k ?error).
+  ?trial :sideAt (?k :below).
+}.
+
+{
+  :controller :setpoint ?sp.
+  ?trial :levelAt (?k ?level).
+  ?level math:notLessThan ?sp.
+  ( ?level ?sp ) math:difference ?error.
+}
+=>
+{
+  ?trial :errorAt (?k ?error).
+  ?trial :sideAt (?k :aboveOrOn).
+}.
+
+# -----------------------------------------------------------
+# If the absolute error is still > 1, the next one is smaller
+# -----------------------------------------------------------
+
+{
+  ?trial :errorAt (?k ?error).
+  ?error math:greaterThan 1.
+  ( ?k 1 ) math:sum ?k1.
+  ?trial :errorAt (?k1 ?nextError).
+  ?nextError math:lessThan ?error.
+}
+=>
+{ ?trial :strictImprovementAt ?k. }.
+
+# -----------------------------------------------------------
+# In the hold band [19,21], valve = 2 and the level is fixed
+# -----------------------------------------------------------
+
+{
+  ?trial :levelAt (?k ?level).
+  ?trial :valveAt (?k 2).
+  ?level math:notLessThan 19.
+  ?level math:notGreaterThan 21.
+  ( ?k 1 ) math:sum ?k1.
+  ?trial :levelAt (?k1 ?nextLevel).
+  ?nextLevel math:equalTo ?level.
+}
+=>
+{
+  ?trial :holdBandAt ?k.
+  ?trial :invariantStepAt ?k.
+}.
+
+# ----------------
+# Compact queries
+# ----------------
+
+{
+  ?trial :levelAt (?k ?level).
+  ?trial :valveAt (?k ?valve).
+  ?trial :errorAt (?k ?error).
+}
+log:query
+{
+  :result :trace (?trial ?k ?level ?valve ?error).
+}.
+
+{
+  ?trial :strictImprovementAt ?k.
+}
+log:query
+{
+  :result :strictImprovement (?trial ?k true).
+}.
+
+{
+  ?trial :holdBandAt ?k.
+}
+log:query
+{
+  :result :holdBand (?trial ?k true).
+}.
+
+{
+  ?trial :levelAt (?k ?level).
+  ?level math:notLessThan 19.
+  ?level math:notGreaterThan 21.
+}
+log:query
+{
+  :result :insideBand (?trial ?k ?level).
+}.