Updated: 2026-02-15 Sorry count: 0 (Fully Verified — 4 TCB axioms in RESP3.lean)
- Reconciler state machine: failover states wired in
reconcileCore - ValkeyReconcileState: failover tracking fields (nodeHealthMap, failedMaster, selectedReplica, failoverInProgress)
- Main.lean:
kubectlExecValkeyCli— execute valkey-cli commands via kubectl exec - Main.lean:
detectMasterFailure— PING pods, track consecutive failures, detect SDOWN - Main.lean:
performFailover— select replica, REPLICAOF NO ONE, reconfigure, update Service - Main.lean: persistent health state across reconcile iterations (IO.Ref)
- Main.lean: failover theorems (isMasterPod_correct, failover_bounded, sdown_threshold_correct, etc.)
-
.github/workflows/build.yaml— Lean 4 build + Docker image + sorry count check -
.github/workflows/e2e.yaml— Kind cluster + deploy + E2E tests
-
test/e2e/kind-config.yaml— Kind cluster config -
test/e2e/sample-cr.yaml— ValkeyCluster CR for testing -
test/e2e/run-all.sh— Test runner -
test/e2e/test-basic-deploy.sh— Verify 6 sub-resources + replication -
test/e2e/test-scale.sh— Scale 3→5→3 -
test/e2e/test-failover.sh— Kill master, verify promotion
-
phase1_eventually_holds— follows from phase0 (reconcileStepValid trivially true) -
phase6_eventually_holds— initial state has empty resources/pendingRequests -
livenessTheorem— composition of esr + failedMasterReplaced + reconcileTerminates -
reconcileTerminates_holds— well-founded induction on measure + progress assumption [9] -
failedNodeDetected_holds— node health progress assumption [11] -
failedMasterReplaced_holds— sentinel liveness assumption [10] -
esr_holds— composition of reconcileTerminates + terminal absorption [12]
-
replicaLessThan_total— Nat trichotomy + String.lt_asymm/String.le_trans -
replicaLessThan_trans— lexicographic transitivity via String.le_trans -
replicaLessThan_implies_priority_le— if-then-else case split + omega -
replicaLessThan_same_priority_implies_offset— equal priority branch analysis -
selected_has_best_priority— sorted_mergeSort + pairwise head property -
selection_maximizes_data_safety— priority disjunction from sorted head
-
parse_unparse_roundtrip— Converted to axiom (TCB). Continuation-stack parser is total; axiomatized with 3 ByteArray/String axioms.
-
atMostOneMaster_invariant— via validTransition -
ownerRefConsistency_invariant— via namespace preservation -
noConcurrentUpdates_invariant— via pendingRequests.length ≤ 1 -
sentinelForwardProgress_invariant— case split + sentinelStateOrder -
leaderElectionSafety_invariant— via validTransition guard -
phase0_eventually_holds— reconcileStepValid always true -
select_best_replica_total— case split on sortReplicas result + mergeSort perm -
priority_zero_never_selected— filterEligible excludes priority 0 -
single_eligible_selected— mergeSort singleton identity
- validTransition next-state relation defined in Invariants.lean
- nodeFailed predicate fixed (uses Degraded, not SDOWN)
- Helper lemmas: select_best_none_iff, select_best_some_mem
- Reconciler failover states wired with actual logic
- ValkeyReconcileState extended with failover fields
- F10: Backup/Restore — ValkeyBackup CRD, S3 integration, Job creation
- F11: TLS — cert-manager integration, cert mounting
- F11: QoS — resource limits enforcement
- Verification library integration (Lentil/LeanLTL/LeanMachines)
- Bridge Main.lean theorems to abstract state machine model