| Field | Value |
|---|---|
| Decision ID | ADR-009 |
| Initiative | unsorry Phase 2 — open lemmas and target decomposition |
| Proposed By | unsorry maintainers |
| Date | 2026-06-10 |
| Status | Accepted |
In the context of Phase 2, where the swarm must drive verified proofs toward chosen unformalised targets by splitting goals that no single prove attempt can close — the compounding mechanism the design doc (§6, §Phasing) reserves for this phase but which Phase 1 deliberately deferred (SPEC-007-A prove step 11: a prove failure is just release + flag, “no decomposition”),
facing the as-built reality that prove failures currently produce no structural progress (phase1-run-001: merge rate 0.6, the open failures all infrastructure not mathematics, nothing reshapes the queue), that the kernel — not goodwill — is the only soundness oracle (ADR-006), and that any decomposition machinery must not widen the trust boundary,
we decided for committing a SPEC-003-C decomposition record on prove-budget exhaustion that splits the parent into sub-lemma goals with typed Post(A) ⊆ Pre(B) dependency edges, requeues each sub-lemma as a fresh open prove goal (src = the decomposition record), and parks the parent at status≜blocked until its sub-lemmas are proved, after which the parent becomes claimable again with the sub-lemmas available as library imports,
and neglected human decomposition of hard goals, monolithic retry with a larger budget, trusting the dependency edges as the proof structure (skipping the parent’s own kernel check), and an external planner service,
to achieve a self-sharpening queue that converts a failed monolithic attempt into smaller reachable units and compounds proven sub-lemmas into the library, without moving anything that is load-bearing for correctness off the kernel,
accepting that decomposition spends compute on sub-lemmas that may never compose, that it churns the queue, that it relies on the affinity and gap-based selection of ADR-010 to actually converge on the target rather than wander, and that — per the red-team finding — every generated sub-statement is a new place to be vacuous or over-general, so the statement-binding work that gates parents must also gate generated subs.
The design doc’s core claim for formal mathematics is that the work compounds: “every proved lemma becomes an importable dependency; hard goals that resist proof are split into sub-lemmas that re-enter the queue” (§Recommendation, §6). Phase 1 built only half of that loop — the prove cycle (SPEC-007-A) claims a goal, drives claude to write a library module that re-states the theorem and proves it, self-verifies with lake build --wfail plus the axiom audit, and merges through Gate A. On failure it stops: SPEC-007-A prove step 11 is explicit that the decomposition path is Phase 2 and that a Phase-1 prove failure is “just release + flag.” phase1-run-001 confirms the loop works for the trivial band (3/5 merged, all soundness-clean) but produces no structural progress when an attempt is exhausted — the one genuinely unclosed goal stayed open and untouched. Phase 2 is where the failure path starts doing work.
The records and rules already exist on paper. SPEC-003-C defines the decomposition record (decompositions/<parent-id>.<agent-id>.aisp): a parent, a list of sub-lemmas each with a fresh Id and statement, typed edges in the binding form Post(A) ⊆ Pre(B), a Requeue clause setting every sub to status≜open, and a cap of “at least one sub, at most 8.” The protocol (⟦Σ:Records⟧) carries blocked as a goal status and the Decomp record type; ⟦Γ:Affinity⟧ already specifies the −10 failure penalty, the viability threshold τ_v ≜ −5, the requeue(decomposition) action below threshold, and gap-based selection select ≜ argmax(aff, −gap). This ADR decides how the prove cycle uses those records on budget exhaustion; ADR-010 decides how affinity and gap selection route the resulting queue (currently selection is purely lexicographic and affinity is not wired).
The non-negotiable constraint is soundness. ADR-006 makes the kernel the only oracle and the axiom audit the authoritative gate; the design doc (§7) and protocol (⟦Ω:Foundation⟧) state that the index, its affinity metadata, and dependency edges are “advisory only, never load-bearing for soundness.” Decomposition must inherit that property exactly: a sub-lemma proved and merged proves nothing about its parent. The parent counts as proved only when an agent writes its own library module that imports the subs, proves the parent’s exact signature, and passes Gate A — identical to the normal prove cycle. A decomposition that does not compose simply means the parent never closes (wasted effort), never an unsound parent. The dependency edges are routing hints for selection, not a trust path.
The red team (gate-a-redteam-001, PR #64) exposed the limitation this ADR must respect: Gate A guarantees soundness but not meaningfulness — no layer binds a library theorem’s statement to its claimed canonical goal, so a vacuous or mis-stated theorem under a plausible name passes the kernel. Decomposition multiplies that surface: every generated sub-statement is a new, machine-authored place to be vacuous or over-general. The statement-binding / canonical-sha fidelity check (Phase-1 work tracked off the red-team finding) must therefore extend to generated sub-statements as a prerequisite of this decision, not a follow-up. ADR-008 remains the reserved, never-triggered fidelity-fallback slot (the protocol’s fp ≥ 0.20 ⇒ fallback path); this ADR does not reuse it.
On prove-budget exhaustion the agent commits a SPEC-003-C decompositions/<parent>.<agent>.aisp record (the same PR adds the new goals/<sub>.aisp records, src → the decomposition record), the sub-lemmas enter as fresh open prove goals, and the parent moves to status≜blocked. When all of a parent’s sub-lemmas are proved, the parent becomes claimable again; an agent then proves the parent’s own signature with the subs available as imports, and that module merges only via Gate A.
Pros: matches the design doc’s compounding mechanism and reuses existing record types and rules (SPEC-003-C, protocol Decomp/blocked/affinity) rather than inventing new ones; soundness is unchanged because the parent’s final close is an ordinary Gate-A prove — the kernel stays the only load-bearing check and edges stay advisory; a non-composing decomposition wastes compute but can never produce an unsound parent; the failed attempt now feeds the pool and reshapes the queue toward reachable units instead of dead-ending.
Cons: spends compute on sub-lemmas that may never compose; churns the queue (new goals, a blocked parent, sibling claims); fan-out and circular-dependency risks need explicit guardrails (below); does not on its own drive toward the target — it needs ADR-010’s affinity/gap selection or it wanders; and it inherits, and multiplies, the unfixed statement-binding gap, so the canonical-sha fidelity check must cover generated subs before this is safe to run.
Guardrails (part of the selected option): cap decomposition breadth at SPEC-003-C’s existing limit of 8 subs and cap depth (e.g. ≤ 3 levels) to prevent runaway fan-out — compounded with the known throughput risk (phase1-run-001: agents re-select the same goal under pending auto-merge, producing duplicate PRs), an uncapped sibling flood would worsen dup-PR churn. Dependency edges must form a DAG: SPEC-003-C defines the Post(A) ⊆ Pre(B) edge type but specifies no acyclicity check (a likely gap — verify against Gate B before relying on it), so cycle detection/rejection must be added at Gate B. A sub-lemma must be a strictly smaller goal: a decomposition that re-emits the parent (or an equal goal) is rejected, so depth caps are not the only termination guard.
A maintainer hand-splits goals the swarm cannot close. Rejected: it defeats the autonomy the swarm exists for and reintroduces a human into the per-goal loop the design explicitly keeps humans out of (humans review naming/duplication, never the proof or its structure).
On exhaustion, re-claim the same goal with more attempts/wall time. Rejected: it does not compound (a closed monolith yields no importable sub-lemmas) and does not reshape the queue toward what is reachable; phase1-run-001’s open failure was infrastructure, not budget, so “more budget” addresses the wrong axis.
Mark the parent proved once its sub-lemmas are proved and their Post ⊆ Pre edges line up, without an agent proving the parent’s own signature. Rejected: this is precisely the unsound trust path ADR-006 forbids — it makes the edges (advisory metadata) load-bearing for correctness, and sub-lemmas alone prove nothing about the target. Prior art is unanimous here (native have/suffices, hammer reconstruction, DeepSeek-Prover-V2’s recombination reward, APOLLO’s re-verify): subgoals only count when recomposed and re-checked by the kernel.
Delegate goal-splitting to a hosted planner/decomposer outside the repo. Rejected: it violates the repo-only-infrastructure principle (⟦Ω:Foundation⟧: infra ≜ git, judge ≜ ∅) and adds a trust/availability dependency that buys nothing the in-repo decomposition record cannot.
| Relationship | ADR ID | Title | Notes |
|————–|——–|——-|——-|
| Depends On | ADR-006 | Gate A Soundness Enforcement | The parent still closes only through the kernel; edges/subs are never load-bearing. Decomposition does not relax the gate; the statement-binding fidelity check must extend to generated subs. |
| Depends On | ADR-007 | Agent Identity and Budgets | Decomposition fires on budget exhaustion; sub-lemma proving consumes the same per-agent budgets and identity trail. |
| Relates To | ADR-010 | Affinity-Weighted Gap Selection | Affinity (−10/+1, τ_v ≜ −5, requeue(decomposition)) and gap-based selection are what make the requeued subs converge on the target rather than wander. |
| Refines | SPEC-003-C | Translation and Decomposition Records | This ADR puts the already-specified decomposition record into the prove cycle (the slot SPEC-007-A step 11 deferred), and motivates adding an acyclicity/strictly-smaller-goal check absent from the current spec. |
| Reference ID | Title | Type | Location |
|————–|——-|——|———-|
| REF-1 | Distributed research swarm plan — §6 Compounding, §7 Library index, §Phasing (Phase 2), §Risks | Design document | ../proposals/distributed-research-swarm-plan.md |
| REF-2 | swarm/protocol.aisp — ⟦Σ:Records⟧ (Decomp, blocked), ⟦Γ:Affinity⟧ (−10/+1, τ_v, gap selection, requeue(decomposition)) | Swarm contract | ../../swarm/protocol.aisp |
| REF-3 | SPEC-003-C — Decomposition record schema and Post(A) ⊆ Pre(B) edges | Specification | specs/SPEC-003-C-Translation-and-Decomposition-Records.md |
| REF-4 | SPEC-007-A — Agent loop as built (prove cycle; step 11 defers decomposition; lexicographic selection, affinity not wired) | Specification | specs/SPEC-007-A-Agent-Loop-Script.md |
| REF-5 | Gate A Red Team — Round 001 (statement-binding / vacuity gap, PR #64) | Metrics / evidence | ../metrics/gate-a-redteam-001.md |
| REF-6 | Phase-1 swarm trial — run 001 (merge rate 0.6, build friction, dup-PR throughput note) | Metrics / evidence | ../metrics/phase1-run-001.md |
| Status | Approver | Date | |——–|———-|——| | Proposed | unsorry maintainers | 2026-06-10 | | Accepted | unsorry maintainers | 2026-06-10 |