Core Concepts Trust Algebra

Trust Algebra

A seven-level ordered algebra over evidence admissibility, giving every claim in JuGeo a precise, auditable trustworthiness level — from a copilot suggestion through to a mechanically verified Lean proof.

The Problem #

Classical proof assistants like Lean, Coq, and F* operate with a single, binary trust bit: a term either type-checks or it does not. This is perfectly appropriate for a closed, fully-interactive proof session, but it is severely limiting in the environment where JuGeo operates — a heterogeneous, live Python codebase with evidence arriving from many sources simultaneously.

✔️

Lean / Coq / F*

Binary: type-checks or doesn't. Every claim is either proved or not proved. No gradation between proof kinds.

⚠️

SMT Solvers (Z3)

Discharges arithmetic / SMT goals; weaker than a full proof but far stronger than a runtime test. No standard level for this.

🧪

Runtime Witnesses

A passing test suite tells you the property held on observed inputs. Valuable, but clearly weaker than a universal proof.

🤖

Copilot Suggestions

An LLM proposed a specification or repair. Useful signal, but must not silently be treated as equivalent to a proof.

Without a unified gradation, a system is forced to either reject all non-proof evidence (too strict for everyday development) or silently promote weak evidence to proof status (dangerous). JuGeo solves this with the Trust Ordered Algebra \(\mathfrak{T}\).

Design Principle

Trust levels are monotone metadata attached to evidence items. They flow conservatively through composition, may only rise through explicit, audited promotion, and fall automatically when challenges arrive. No claim can silently gain trust.

The Trust Ordered Algebra #

Formally, the Trust Ordered Algebra is the six-tuple

\[ \mathfrak{T} \;=\; \bigl( \mathcal{E}_{\text{adm}},\; \preceq,\; \oplus,\; \ominus,\; \uparrow_{\!\pi},\; \downarrow_{\!\chi} \bigr) \]

where the components are:

\(\mathcal{E}_{\text{adm}}\) — the carrier set of admissible evidence items: everything JuGeo can attach a trust level to (Z3 certificates, test logs, Lean terms, LLM proposals, …).
\(\preceq\) — the partial order on trust levels, with \(\texttt{CONTRADICTED} \preceq \texttt{UNVERIFIED} \preceq \cdots \preceq \texttt{VERIFIED\_PROOF}\).
\(\oplus\) — the conservative join (composition): combines two evidence items by taking the weaker of their trust levels.
\(\ominus\) — attenuation: models trust weakening that occurs when evidence is transported across sheaf restriction maps.
\(\uparrow_{\!\pi}\) — promotion: explicit strengthening of a trust level along a named policy route \(\pi\), always logged to the audit trail.
\(\downarrow_{\!\chi}\) — demotion: ceiling enforcement in response to a challenge \(\chi\); trust may only fall, never silently rise.

\(\mathfrak{T}\) is not a lattice: \(\oplus\) gives the conservative (lower) bound, not a least upper bound. Promotion \(\uparrow_{\!\pi}\) is the only way to move upward, and it is gated by policy. This asymmetry is intentional — it makes every trust increase explicit and auditable.

Trust Levels #

\(\mathcal{E}_{\text{adm}}\) is stratified into seven named levels forming a total preorder embedded in \(\preceq\). Each level corresponds to a concrete kind of evidence that JuGeo can produce or consume.

Rank	Level	Meaning & Evidence Source
6	VERIFIED_PROOF	A term type-checked by a mechanical proof assistant (Lean 4, Coq, F*). The gold standard: the kernel has accepted the full formal derivation. Cannot be obtained by any other means.
5	SOLVER_DISCHARGED	Z3 (or another complete SMT solver) returned `unsat` on the negated goal. Sound for the solver's supported fragment; weaker than a full Lean proof because the solver's certificate is not independently kernel-checked by default.
4	RUNTIME_WITNESSED	A runtime test, property-based test, or concrete execution trace confirmed the property on observed inputs. Existential evidence only — does not imply universality.
3	ORACLE_PROPOSED	A deferred oracle (external API, database query, or human annotator) has asserted the property. Trusted within a stated scope; subject to oracle reliability and latency assumptions.
2	COPILOT_SUGGESTED	An LLM copilot proposed a specification, repair, or lemma. Useful signal for ideation and exploration; must not be treated as verified without independent confirmation.
1	UNVERIFIED	No evidence has been attached yet. The default level for a freshly created claim. Serves as the neutral element for composition.
0	CONTRADICTED	Active counter-evidence exists: a failing test, a solver `sat` model for the negation, or an explicit challenge that was not refuted. The bottom element of \(\preceq\).

The Partial Order #

Levels are totally ordered under \(\preceq\):

6 VERIFIED_PROOF Lean / Coq / F*

↑ promotion required

5 SOLVER_DISCHARGED Z3 / CVC5

4 RUNTIME_WITNESSED pytest / runtime

3 ORACLE_PROPOSED deferred oracle

2 COPILOT_SUGGESTED LLM proposal

1 UNVERIFIED no evidence yet

↓ challenge / counter-evidence

0 CONTRADICTED counter-evidence exists

Formally, the order is given by the integer ranking above: \(t_1 \preceq t_2 \iff \text{rank}(t_1) \le \text{rank}(t_2)\). This makes \(\mathcal{E}_{\text{adm}}\) a seven-element chain under \(\preceq\).

Operations #

Four operations act on trust levels (and on full evidence profiles carrying those levels). Together they define the algebraic structure of \(\mathfrak{T}\).

\(\oplus\)

Composition conservative join

\[t_1 \oplus t_2 \;=\; \min_{\preceq}(t_1, t_2)\]

Combines two evidence items into a composite claim. The result carries only the weaker trust level. You cannot gain trust by combining evidence — only by explicit promotion.

SOLVER_DISCHARGED \(\oplus\) COPILOT_SUGGESTED \(=\) COPILOT_SUGGESTED

\(\ominus\)

Attenuation restriction weakening

\[r^*\!(e) \;\;\Rightarrow\;\; \text{trust}(r^*\!e) \preceq \text{trust}(e)\]

When evidence is restricted along a sheaf morphism \(r\) (e.g., transported from a module scope to a call-site scope), its trust level may only stay the same or decrease. Attenuation encodes this conservatism formally.

Trust is monotone-decreasing under restriction — no free upgrades from context transport.

\(\uparrow_{\!\pi}\)

Promotion explicit strengthening

\[\uparrow_{\!\pi}(e,\, t') \;\;:\;\; \text{trust}(e) \xrightarrow{\;\pi\;} t'\]

The only way to move up the trust hierarchy. Requires a named policy route \(\pi\) (e.g., "z3-confirmed-arithmetic") and always emits an entry to the audit log. Attempting promotion without a policy route raises JuGeoError.

Audited · Policy-gated · No silent promotions

\(\downarrow_{\!\chi}\)

Demotion challenge response

\[\downarrow_{\!\chi}(e) \;\;:\;\; \text{trust}(e) \;\to\; \min_{\preceq}(\text{trust}(e),\; \text{ceil}(\chi))\]

When a challenge \(\chi\) arrives (e.g., a counterexample is found, or a monitoring assertion fires), the trust level is capped at \(\text{ceil}(\chi)\). Existing claims cannot retain stale trust in the presence of contradicting evidence.

Trust may only fall on challenge — never silently maintained

The Three Laws #

Three invariants are enforced system-wide. Violations raise JuGeoError at runtime and are flagged as verification failures in the audit log.

Law I

No Silent Promotion

\[ \forall e \in \mathcal{E}_{\text{adm}},\;\; t' \succ \text{trust}(e) \;\;\Longrightarrow\;\; \exists \pi \in \Pi_{\text{named}} \text{ s.t. } \uparrow_{\!\pi}(e, t') \text{ is audited} \]

Every increase in trust level must be associated with a named policy route \(\pi\) and must produce an immutable audit log entry. There is no back-door path to higher trust. Code that calls profile.promote(tier) without explicit=True and a reason argument raises an error immediately.

Law II

Conservative Join

\[ \text{trust}(e_1 \oplus e_2) \;=\; \min_{\preceq}(\text{trust}(e_1),\, \text{trust}(e_2)) \]

When two evidence items are composed, the resulting composite adopts the lower of the two trust levels. This is the dual of the classical "chain is only as strong as its weakest link" principle. Combining a solver discharge with a copilot suggestion does not yield a solver-level composite — it yields a copilot-level one.

Common Mistake

Developers sometimes expect that attaching additional stronger evidence automatically upgrades a composite's trust. It does not. The composition law is conservative. To raise the composite's trust you must apply explicit promotion after composition.

Law III

Challenge Conservativity

\[ \text{trust}(\downarrow_{\!\chi}(e)) \;\preceq\; \text{trust}(e) \quad\text{and}\quad \text{trust}(\downarrow_{\!\chi}(e)) \;\preceq\; \text{ceil}(\chi) \]

Upon any challenge \(\chi\), trust may only fall or stay the same — it can never be silently maintained above the challenge ceiling. This ensures that stale high-trust claims do not persist after contradicting evidence arrives. Staleness itself is tracked: unchallenged claims older than the configured TTL are automatically attenuated.

Python Examples #

Creating and Inspecting Trust Profiles

A TrustProfile records the trust tier, the evidence scope, and the chain of reasons that produced it.

Python

from jugeo.evidence.trust import TrustLevel, TrustProfile, TrustTier

# Create a profile at COPILOT_SUGGESTED level
profile = TrustProfile(
    tier=TrustTier.COPILOT_SUGGESTED,
    scope=("spec.affine.program.00",),
    reasons=("copilot-proposal",),
)

print(profile.tier)       # TrustTier.COPILOT_SUGGESTED
print(profile.rank)       # 2
print(profile.is_at_least(TrustTier.RUNTIME_WITNESSED))  # False
print(profile.is_at_least(TrustTier.UNVERIFIED))         # True

Silent Promotion is Rejected

Calling promote() without an explicit policy route and audit reason raises JuGeoError immediately, enforcing Law I.

Python

from jugeo.evidence.trust import TrustProfile, TrustTier
from jugeo.errors import JuGeoError

profile = TrustProfile(
    tier=TrustTier.COPILOT_SUGGESTED,
    scope=("spec.affine.program.00",),
    reasons=("copilot-proposal",),
)

# Silent promotion → raises JuGeoError  (Law I violation)
try:
    profile.promote(TrustTier.VERIFIED_PROOF)
except JuGeoError as e:
    print(e)
# JuGeoError: silent promotion from COPILOT_SUGGESTED to VERIFIED_PROOF
# is not permitted. Provide explicit=True and a named reason.

Explicit, Audited Promotion

With explicit=True and a named reason, promotion is permitted and an audit entry is written automatically.

Python

from jugeo.evidence.trust import TrustProfile, TrustTier

profile = TrustProfile(
    tier=TrustTier.COPILOT_SUGGESTED,
    scope=("spec.affine.program.00",),
    reasons=("copilot-proposal",),
)

# After Z3 confirms the arithmetic goal:
promoted = profile.promote(
    TrustTier.SOLVER_DISCHARGED,
    explicit=True,
    reason="z3-confirmed-arithmetic",
    policy_route="smt-dispatch-v2",   # named policy route π
)

print(promoted.tier)     # TrustTier.SOLVER_DISCHARGED
print(promoted.reasons)
# ("copilot-proposal", "z3-confirmed-arithmetic")

# Audit trail is automatically persisted
for entry in promoted.audit_log():
    print(entry)
# AuditEntry(op='promote', from_tier=COPILOT_SUGGESTED,
#            to_tier=SOLVER_DISCHARGED, policy='smt-dispatch-v2',
#            reason='z3-confirmed-arithmetic', ts=2026-03-23T...)

Composing Evidence Items

The compose() method applies the conservative join (\(\oplus\)), returning a new profile whose tier is the minimum of the two inputs.

Python

from jugeo.evidence.trust import TrustProfile, TrustTier

solver_ev = TrustProfile(
    tier=TrustTier.SOLVER_DISCHARGED,
    scope=("spec.arithmetic",),
    reasons=("z3-unsat",),
)

copilot_ev = TrustProfile(
    tier=TrustTier.COPILOT_SUGGESTED,
    scope=("spec.arithmetic",),
    reasons=("gpt4-proposal",),
)

# Conservative join: SOLVER_DISCHARGED ⊕ COPILOT_SUGGESTED = COPILOT_SUGGESTED
composite = solver_ev.compose(copilot_ev)
print(composite.tier)  # TrustTier.COPILOT_SUGGESTED   (Law II)

# Composed reasons are unioned
print(composite.reasons)  # ("z3-unsat", "gpt4-proposal")

Handling Challenges

When a challenge arrives (e.g., a monitoring assertion fires at runtime), the challenge() method applies \(\downarrow_\chi\) and may lower the trust level to CONTRADICTED.

Python

from jugeo.evidence.trust import TrustProfile, TrustTier, Challenge

# A profile that previously held SOLVER_DISCHARGED
profile = TrustProfile(
    tier=TrustTier.SOLVER_DISCHARGED,
    scope=("spec.bounds",),
    reasons=("z3-bounds-check",),
)

# A counterexample was found at runtime
cx = Challenge(
    kind="runtime-counterexample",
    payload={"input": -1, "output": "IndexError"},
    ceiling=TrustTier.CONTRADICTED,
)

demoted = profile.challenge(cx)
print(demoted.tier)    # TrustTier.CONTRADICTED  (Law III)
print(demoted.reasons)
# ("z3-bounds-check", "challenged:runtime-counterexample")

Trust in Evidence Bundles #

In practice, JuGeo's multi-channel evidence system assembles Evidence Bundles — structured collections of evidence items from heterogeneous sources (static analysis, Z3, runtime monitoring, copilot, Lean). Each item carries its own TrustProfile, and the bundle computes a combined trust for downstream consumers.

Evidence Bundle — Channel Composition

🧠

Static Analysis

COPILOT_SUGGESTED

⚖️

Z3 Solver

SOLVER_DISCHARGED

🧪

Runtime Tests

RUNTIME_WITNESSED

📜

Lean Proof

VERIFIED_PROOF

\(\oplus\) conservative join across all channels ↓

Bundle Trust (composite)

COPILOT_SUGGESTED

\(\min_{\preceq}\) of all channel tiers

The conservative join across all channels means the bundle's trust is bounded by its weakest contributor. To raise the bundle's trust, every channel contributing at a lower level must be either:

Replaced with a stronger evidence item for that channel, or
Dropped from the bundle scope (if the channel is not required), or
Explicitly promoted via a named policy route that covers the gap.

Trust Across Sheaf Restrictions

JuGeo models code as sections of a sheaf over a site of semantic scopes. When evidence is restricted from a broad scope (a whole module) to a narrow one (a single call-site), the trust level may attenuate:

\[ \text{trust}(\rho_{U \to V}(e)) \;\preceq\; \text{trust}(e) \qquad \text{for } V \subseteq U \]

This captures the intuition that a proof about a module does not necessarily transfer unchanged to a specific call-site with different preconditions. Attenuation is computed automatically by the restriction functor; developers do not need to manage it manually.

Gluing and Descent

The flip side of restriction is gluing: if compatible evidence items exist on all opens of a cover, JuGeo can attempt to glue them into evidence on the total space. Gluing preserves trust levels — it is the one operation that does not attenuate. The descent obstruction machinery checks that the gluing is coherent before granting the global claim.

Summary #

The Trust Ordered Algebra gives JuGeo a principled, auditable way to handle the full spectrum of evidence that arises in real software verification — from an LLM's first suggestion to a fully mechanically checked Lean proof. The key properties are:

🔒

No Silent Upgrades

Trust can only rise through explicit, policy-gated, audited promotion. Every increase leaves a permanent trace.

⛓️

Conservative by Default

Composition takes the minimum. The system errs on the side of under-claiming rather than over-claiming correctness.

⚡

Live Challenges

Demotion is automatic on challenge. Stale trust cannot survive contradicting runtime evidence.

📊

Full Audit Trail

Every promotion event is logged with timestamp, policy route, and reason string. The trail is queryable and exportable.

🧮

Formal Semantics

\(\mathfrak{T}\) has a precise algebraic definition; the three laws are machine-checked in the JuGeo Lean proofs.

🔗

Sheaf-Compatible

Trust attenuates under restriction and is preserved by coherent gluing, fitting naturally into JuGeo's sheaf-theoretic semantics.