(* Goal verification framework - Agent Specification *) \ \This theory sets up the framework for specifying agents by means of predicates for enabledness and Hoare triple axioms instead of providing a function for \. Instead, adopt the idea that we may assume the agent specification reflects the actual model, i.e. the \ function complies to our specification.\ theory Gvf_Agent_Specification imports Gvf_Hoare_Logic begin \ \A type for the specification of enabledness and Hoare triple axioms.\ type_synonym ht_specification = \(Bcap \ \\<^sub>M \ hoare_triple list) list\ \ \Set of pairs of mental state formula (enabled) and set of Hoare triple axioms.\ section \Satisfiability of specification\ \ \The main idea behind this, and the following, section is that we now base agents on specifications. We do not want to state the belief update function for an agent specifically. As such, we need a link between agent specification and belief update function. We can reduce this problem to the problem of proving the existence of a belief update function (model) given a specification.\ \ \Satisfiability of a specification.\ definition satisfiable :: \ht_specification \ bool\ where \satisfiable S \ \ \Quantify over all mental states. Go through each element s in S.\ \M. \s \ set S. \ \Get fields in s. Define a variable for the set of preconditions satisfied by M.\ (let (_, \, hts) = s; sat_hts = { ht \ set hts. M \\<^sub>M pre ht } in \ \If the basic action is enabled (\)\ (M \\<^sub>M \ \ \ \There exists a mental state M'...\ (\M'. \ \That preserves consistency, and ...\ (\ fst M \\<^sub>L \\<^sub>L \ \ fst M' \\<^sub>L \\<^sub>L) \ \ \Where the goal base is obtained by removing achieved goals, and ...\ (snd M' = snd M - {\ \ snd M. fst M' \\<^sub>L \}) \ \ \That satisfy all of the Hoare triples for this basic action.\ (\ht \ sat_hts. M' \\<^sub>M post ht))) \ \ \If the basic action is not enabled, the Hoare triples should be satisfied by M.\ (M \\<^sub>M \<^bold>\ \ \ (\ht \ sat_hts. M \\<^sub>M post ht)))\ \ \We restrict those elements of the type 'ht_specification' that are valid specifications.\ \ \Hoare triples only for basic actions and should be for grouped for actions.\ fun is_ht_specification_hts :: \Bcap \ hoare_triple list \ bool\ where \is_ht_specification_hts n hts = (\ht\ set hts. is_htb_basic ht \ fst (snd (the (htb_basic_unpack ht))) = n)\ \ \Main definition. Each action (group) can only appear once, S is satisfiable and each element s of S satisfy the function defined above.\ definition is_ht_specification :: \ht_specification \ bool\ where \is_ht_specification S \ distinct (map fst S) \ satisfiable S \ (\s \ set S. is_ht_specification_hts (fst s) (snd (snd s)))\ \ \State that a given \ complies to our assumptions, partly due to semantics of Hoare triples and partly due to the properties about the fixed agent\ fun complies_ht :: \mental_state \ bel_upd_t \ \\<^sub>M \ (\\<^sub>M \ Bcap \ \\<^sub>M) \ bool\ where \complies_ht M \ \ (\, n, \) = \ \\ specify if the action is enabled\ ((M \\<^sub>M \ \ \ n M \ None) \ \ \Transitions preserves consistency.\ (\ (fst M) \\<^sub>L \\<^sub>L \ \ n M \ None \ \the (\ n M) \\<^sub>L \\<^sub>L) \ \ \Basic Hoare triple semantics for action enabled.\ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* \ (basic n) M) \\<^sub>M \) \ \ \Basic Hoare triple semantics for action not enabled.\ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \))\ \ \Does an element s of S comply to a given belief update function?\ definition complies_hts :: \(Bcap \ \\<^sub>M \ hoare_triple list) \ bel_upd_t \ bool\ where \complies_hts s \ \ \ \For all Hoare triples for this action...\ \ht\set (snd (snd s)). \ \It is for basic actions, and ...\ is_htb_basic ht \ \ \It complies for all mental states.\ (\M. complies_ht M \ (fst (snd s)) (the (htb_basic_unpack ht)))\ \ \Main definition. Does the specification comply to a given belief update function?\ definition complies :: \ht_specification \ bel_upd_t \ bool\ where \complies S \ \ (\s\set S. complies_hts s \ \ (\n. n \ set (map fst S) \ (\M. \ n M = None)))\ section \Model existence\ \ \Showing existence of a model that complies can be done separately for each group of Hoare triples.\ lemma model_exists_disjoint: assumes \is_ht_specification S\ and \\s\set S. \\. complies_hts s \\ shows \\\. complies S \\ proof from assms(1) have \distinct (map fst S)\ unfolding is_ht_specification_def by simp let ?\ = \\n. if n \ set (map fst S) then (SOME \. complies_hts (THE s'. s'\set S \ n = fst s') \) n else (\M. None)\ show \complies S ?\\ unfolding complies_def proof fix s assume member: \s \ set S\ have \complies_hts s ?\\ proof (cases s) case f1: (fields n \ hts) have \\ht\set hts. \M. complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof fix ht assume \ht \ set hts\ show \\M. complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof fix M show \complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof (cases \(the (htb_basic_unpack ht))\) case (fields \ n' \) have \s\set S \ fst s = fst s\ using \s \ set S\ by simp moreover have \\s'. s'\set S \ fst s = fst s' \ s' = s\ using \distinct (map fst S)\ by (metis member eq_key_imp_eq_value prod.collapse) ultimately have \(THE s'. s'\set S \ fst s = fst s') = s\ using the_equality by auto then have \?\ (fst s) = (SOME \. complies_hts s \) (fst s)\ (is \?\ (fst s) = ?\' (fst s)\) using member by simp have \\\. complies_hts s \\ using assms(2) member by simp then have \complies_hts s ?\'\ using someI_ex[where ?P=\complies_hts s\] by simp then have \\ht\set hts. is_htb_basic ht \ (\M. complies_ht M ?\' \ (the (htb_basic_unpack ht)))\ using f1 complies_hts_def by fastforce with f1 \ht \ set hts\ have \\M. complies_ht M ?\' \ (the (htb_basic_unpack ht))\ by simp then have \complies_ht M ?\' \ (the (htb_basic_unpack ht))\ by blast moreover have \n = n'\ using fields assms(1) f1 member \ht \ set hts\ unfolding is_ht_specification_def by fastforce ultimately have \complies_ht M ?\' \ (\, n, \)\ using fields by simp then have \(M \\<^sub>M \ \ ?\' n M \ None) \ (\ (fst M) \\<^sub>L \\<^sub>L \ ?\' n M \ None \ \the (?\' n M) \\<^sub>L \\<^sub>L) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* ?\' (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ by simp moreover have \n = fst s\ using f1 by simp then have \?\ n = ?\' n\ using \?\ (fst s) = ?\' (fst s)\ by blast moreover have \\* ?\ (basic n) M = \* ?\' (basic n) M\ proof (cases M) case (Pair \ \) then have \\* ?\ (basic n) M = \* ?\ (basic n) (\, \)\ by simp also have \\* ?\ (basic n) (\, \) = (case ?\ n (\, \) of Some \' \ Some (\', \ - {\ \ \. \' \\<^sub>L \}) | _ \ None)\ by simp also have \\ = (case ?\' n (\, \) of Some \' \ Some (\', \ - {\ \ \. \' \\<^sub>L \}) | _ \ None)\ using \?\ n = ?\' n\ by simp also have \\ = \* ?\' (basic n) (\, \)\ by simp finally show \\* ?\ (basic n) M = \* ?\' (basic n) M\ using Pair by simp qed ultimately have \(M \\<^sub>M \ \ ?\ n M \ None) \ (\ (fst M) \\<^sub>L \\<^sub>L \ ?\ n M \ None \ \the (?\ n M) \\<^sub>L \\<^sub>L) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* ?\ (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ by simp then have \complies_ht M ?\ \ (\, n, \)\ by simp with \n = n'\ show ?thesis using fields by simp qed qed qed moreover have \\ht\set hts. is_htb_basic ht\ using assms(1) f1 \s \ set S\ unfolding is_ht_specification_def by simp ultimately show ?thesis using f1 complies_hts_def by simp qed then show \complies_hts s ?\ \ (\n. n \ set (map fst S) \ (\M. ?\ n M = None))\ by simp qed qed \ \Definition used in proofs to put less strain on Isabelle's simplification methods.\ definition next_state_reqs where \next_state_reqs M hts M' \ (\ fst M \\<^sub>L \\<^sub>L \ \ fst M' \\<^sub>L \\<^sub>L) \ (snd M' = snd M - {\ \ snd M. fst M' \\<^sub>L \}) \ (\ht \ { ht \ set hts. M \\<^sub>M pre ht }. M' \\<^sub>M post ht)\ \ \If S is a valid specification, there exists a belief update function (model) that S complies to.\ lemma model_exists: \is_ht_specification S \ \\. complies S \\ proof - assume spec: \is_ht_specification S\ then have sat: \satisfiable S\ unfolding is_ht_specification_def by simp have \\s\set S. \\. complies_hts s \\ proof fix s assume \s \ set S\ show \\\. complies_hts s \\ proof (cases s) case f1: (fields n \ hts) have \\\. complies_hts (n, \, hts) \\ proof let ?\ = \\n M. if M \\<^sub>M \ then Some (fst (SOME M'. next_state_reqs M hts M')) else None\ have \\ht\set hts. is_htb_basic ht \ (\M. complies_ht M ?\ \ (the (htb_basic_unpack ht)))\ proof fix ht assume \ht \ set hts\ show \is_htb_basic ht \ (\M. complies_ht M ?\ \ (the (htb_basic_unpack ht)))\ proof from spec show \is_htb_basic ht\ using \ht \ set hts\ \s \ set S\ f1 unfolding is_ht_specification_def by simp show \\M. complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof fix M show \complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof (cases \the (htb_basic_unpack ht)\) case (fields \ n' \) moreover have \complies_ht M ?\ \ (\, n, \)\ proof (cases \M \\<^sub>M \\) case True then have nM: \?\ n M = Some (fst (SOME M'. next_state_reqs M hts M'))\ by simp moreover from sat have \let (_, \, hts) = s; sat_hts = { ht \ set hts. M \\<^sub>M pre ht } in (M \\<^sub>M \ \ (\M'. (\ fst M \\<^sub>L \\<^sub>L \ \ fst M' \\<^sub>L \\<^sub>L) \ (snd M' = snd M - {\ \ snd M. fst M' \\<^sub>L \}) \ (\ht \ sat_hts. M' \\<^sub>M post ht))) \ (M \\<^sub>M \<^bold>\ \ \ (\ht \ sat_hts. M \\<^sub>M post ht))\ using \s \ set S\ unfolding satisfiable_def by blast with f1 True have ex: \\M'. next_state_reqs M hts M'\ unfolding next_state_reqs_def by simp have \\M'. next_state_reqs M hts M' \ \ (fst M) \\<^sub>L \\<^sub>L \ ?\ n M \ None \ \ fst M' \\<^sub>L \\<^sub>L\ proof fix M' show \next_state_reqs M hts M' \ \ (fst M) \\<^sub>L \\<^sub>L \ ?\ n M \ None \ \ fst M' \\<^sub>L \\<^sub>L\ proof assume \next_state_reqs M hts M'\ then show \\ (fst M) \\<^sub>L \\<^sub>L \ ?\ n M \ None \ \ fst M' \\<^sub>L \\<^sub>L\ unfolding next_state_reqs_def by simp qed qed with ex have \\ (fst M) \\<^sub>L \\<^sub>L \ ?\ n M \ None \ \ fst (SOME M'. next_state_reqs M hts M') \\<^sub>L \\<^sub>L\ using someI2[where ?P=\next_state_reqs M hts\] by blast moreover have \\M'. next_state_reqs M hts M' \ (M \\<^sub>M \ \ M \\<^sub>M \ \ M' \\<^sub>M \)\ proof fix M' show \next_state_reqs M hts M' \ (M \\<^sub>M \ \ M \\<^sub>M \ \ M' \\<^sub>M \)\ proof assume \next_state_reqs M hts M'\ with \ht \ set hts\ have \M \\<^sub>M pre ht \ M' \\<^sub>M post ht\ unfolding next_state_reqs_def by simp moreover from \is_htb_basic ht\ have \pre ht = \\ using fields unpack_sel(1) by fastforce moreover from \is_htb_basic ht\ have \post ht = \\ using fields unpack_sel(2) by fastforce ultimately have \M \\<^sub>M \ \ M' \\<^sub>M \\ by simp then show \M \\<^sub>M \ \ M \\<^sub>M \ \ M' \\<^sub>M \\ by simp qed qed with ex have \(M \\<^sub>M \ \ M \\<^sub>M \ \ (SOME M'. next_state_reqs M hts M') \\<^sub>M \)\ using someI2[where ?P=\next_state_reqs M hts\] by blast ultimately have \(M \\<^sub>M \ \ Some (fst (SOME M'. next_state_reqs M hts M')) \ None) \ (\ (fst M) \\<^sub>L \\<^sub>L \ \ fst (SOME M'. next_state_reqs M hts M') \\<^sub>L \\<^sub>L) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ (SOME M'. next_state_reqs M hts M') \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ using True by auto moreover have \(SOME M'. next_state_reqs M hts M') \\<^sub>M \ \ the (\* ?\ (basic n) M) \\<^sub>M \\ proof (cases M) case (Pair \ \) show ?thesis proof assume entails: \(SOME M'. next_state_reqs M hts M') \\<^sub>M \\ from Pair have \\M'. next_state_reqs M hts M' \ snd M' = (snd M - {\ \ snd M. fst M' \\<^sub>L \})\ unfolding next_state_reqs_def by simp with ex have \snd (SOME M'. next_state_reqs M hts M') = snd M - {\ \ snd M. fst (SOME M'. next_state_reqs M hts M') \\<^sub>L \}\ using someI2[where ?P=\next_state_reqs M hts\] by blast with entails have \(fst (SOME M'. next_state_reqs M hts M'), snd M - {\ \ snd M. fst (SOME M'. next_state_reqs M hts M') \\<^sub>L \}) \\<^sub>M \\ by (metis prod.collapse) with nM Pair show \the (\* ?\ (basic n) M) \\<^sub>M \\ by auto qed qed ultimately have \(M \\<^sub>M \ \ ?\ n M \ None) \ (\ (fst M) \\<^sub>L \\<^sub>L \ ?\ n M \ None \ \ the (?\ n M) \\<^sub>L \\<^sub>L) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* ?\ (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ using nM by simp then show ?thesis using complies_ht.simps by blast next case False then have \?\ n M = None\ by simp then have \M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \\ proof - from sat have \let (_, \, hts) = s; sat_hts = { ht \ set hts. M \\<^sub>M pre ht } in (M \\<^sub>M \ \ (\M'. (\ fst M \\<^sub>L \\<^sub>L \ \ fst M' \\<^sub>L \\<^sub>L) \ (snd M' = snd M - {\ \ snd M. fst M' \\<^sub>L \}) \ (\ht \ sat_hts. M' \\<^sub>M post ht))) \ (M \\<^sub>M \<^bold>\ \ \ (\ht \ sat_hts. M \\<^sub>M post ht))\ using \s \ set S\ unfolding satisfiable_def by blast then have \\ht \ { ht \ set hts. M \\<^sub>M pre ht }. M \\<^sub>M post ht\ using False f1 by simp with \ht \ set hts\ have \M \\<^sub>M pre ht \ M \\<^sub>M post ht\ by simp moreover from \is_htb_basic ht\ have \pre ht = \\ using fields unpack_sel(1) by fastforce moreover from \is_htb_basic ht\ have \post ht = \\ using fields unpack_sel(2) by fastforce ultimately have \M \\<^sub>M \ \ M \\<^sub>M \\ by simp then show ?thesis by simp qed with False show ?thesis by simp qed moreover from spec have \n = n'\ using \s \ set S\ \ht \ set hts\ f1 fields unfolding is_ht_specification_def by fastforce ultimately show ?thesis by metis qed qed qed qed then show \complies_hts (n, \, hts) ?\\ unfolding complies_hts_def by simp qed with f1 show ?thesis by simp qed qed with model_exists_disjoint \is_ht_specification S\ show ?thesis . qed section \Single agent program given by specification\ locale single_agent_program = single_agent + fixes S :: ht_specification assumes S_valid: \is_ht_specification S\ and \_complies: \complies S \\ context single_agent_program begin subsection \Proof System\ \ \Derive (the) valid Hoare triples.\ inductive derive\<^sub>H :: \hoare_triple \ bool\ (\\\<^sub>H\) where \ \Agent specific rule import\ import: \(n, \, hts) \ set S \ \<^bold>{ \ \<^bold>} (basic n) \<^bold>{ \ \<^bold>} \ set hts \ \\<^sub>H \<^bold>{ \ \<^bold>} (basic n) \<^bold>{ \ \<^bold>}\ | \ \Persistence of goals\ (*persist: \\ is_drop a \ \\<^sub>H \<^bold>{ G \ \<^bold>} a \<^bold>{ (B \) \<^bold>\ (G \) \<^bold>}\ |*) persist: \\ is_drop a \ \\<^sub>H \<^bold>{ (G \) \<^bold>} a \<^bold>{ (B \) \<^bold>\ (G \) \<^bold>}\ | \ \Infeasible actions\ inf: \\\<^sub>E ((\\<^sup>E) \<^bold>\ \<^bold>\(enabledb a)) \ \\<^sub>H \<^bold>{ \ \<^bold>} a \<^bold>{ \ \<^bold>}\ | \ \Frame properties on beliefs for adopt and drop\ adoptB: \\\<^sub>H \<^bold>{ B \ \<^bold>} (adopt \) \<^bold>{ B \ \<^bold>}\ | adoptNegB: \\\<^sub>H \<^bold>{ \<^bold>\ (B \) \<^bold>} (adopt \) \<^bold>{ \<^bold>\ (B \) \<^bold>}\ | dropB: \\\<^sub>H \<^bold>{ B \ \<^bold>} (drop \) \<^bold>{ B \ \<^bold>}\ | dropNegB: \\\<^sub>H \<^bold>{ \<^bold>\ (B \) \<^bold>} (drop \) \<^bold>{ \<^bold>\ (B \) \<^bold>}\ | \ \Effects of adopt\ adoptBG: \\ {} \\<^sub>P (\<^bold>\ \) \ \\<^sub>H \<^bold>{ \<^bold>\ (B \) \<^bold>} (adopt \) \<^bold>{ G \ \<^bold>}\ | \ \Non-effect of adopt\ adoptG: \\\<^sub>H \<^bold>{ G \ \<^bold>} (adopt \) \<^bold>{ G \ \<^bold>}\ | adoptNegG: \\ {} \\<^sub>P \ \<^bold>\ \ \ \\<^sub>H \<^bold>{ \<^bold>\ (G \) \<^bold>} (adopt \) \<^bold>{ \<^bold>\ (G \) \<^bold>}\ | \ \Effects of drop\ dropG: \{} \\<^sub>P \ \<^bold>\ \ \ \\<^sub>H \<^bold>{ G \ \<^bold>} (drop \) \<^bold>{ \<^bold>\ (G \) \<^bold>}\ | \ \Non-effects of drop\ dropNegG: \\\<^sub>H \<^bold>{ \<^bold>\(G \) \<^bold>} (drop \) \<^bold>{ \<^bold>\(G \) \<^bold>}\ | dropGCon: \\\<^sub>H \<^bold>{ \<^bold>\(G (\ \<^bold>\ \)) \<^bold>\ (G \) \<^bold>} (drop \) \<^bold>{ G \ \<^bold>}\ | \ \Rule for conditional actions\ rCondAct: \\\<^sub>H \<^bold>{ \ \<^bold>\ \ \<^bold>} a \<^bold>{ \' \<^bold>} \ \\<^sub>M (\ \<^bold>\ \<^bold>\\) \<^bold>\ \' \ \\<^sub>H \<^bold>{ \ \<^bold>} (\ \ do a) \<^bold>{ \' \<^bold>}\ | \ \Structural rules\ rImp: \\\<^sub>M \' \<^bold>\ \ \ \\<^sub>H \<^bold>{ \ \<^bold>} a \<^bold>{ \ \<^bold>} \ \\<^sub>M \ \<^bold>\ \' \ \\<^sub>H \<^bold>{ \' \<^bold>} a \<^bold>{ \' \<^bold>}\ | rCon: \\\<^sub>H \<^bold>{ \\<^sub>1 \<^bold>} a \<^bold>{ \\<^sub>1 \<^bold>} \ \\<^sub>H \<^bold>{ \\<^sub>2 \<^bold>} a \<^bold>{ \\<^sub>2 \<^bold>} \ \\<^sub>H \<^bold>{ \\<^sub>1 \<^bold>\ \\<^sub>2 \<^bold>} a \<^bold>{ \\<^sub>1 \<^bold>\ \\<^sub>2 \<^bold>}\ | rDis: \\\<^sub>H \<^bold>{ \\<^sub>1 \<^bold>} a \<^bold>{ \ \<^bold>} \ \\<^sub>H \<^bold>{ \\<^sub>2 \<^bold>} a \<^bold>{ \ \<^bold>} \ \\<^sub>H \<^bold>{ \\<^sub>1 \<^bold>\ \\<^sub>2 \<^bold>} a \<^bold>{ \ \<^bold>}\ \ \A proof of a Hoare triple ensures validity.\ \ \Induction over each rule.\ theorem soundness\<^sub>H: \\\<^sub>H H \ \\<^sub>H H\ proof (induct rule: derive\<^sub>H.induct) case (import n \ hts \ \) let ?a = \basic n\ let ?ht = \\<^bold>{ \ \<^bold>} ?a \<^bold>{ \ \<^bold>}\ have \\s\set S. complies_hts s \\ using \_complies unfolding complies_def by simp with import(1) have \\ht\set hts. is_htb_basic ht \ (\M. complies_ht M \ \ (the (htb_basic_unpack ht)))\ unfolding complies_hts_def by auto with bspec have \is_htb_basic ?ht \ (\M. complies_ht M \ \ (the (htb_basic_unpack ?ht)))\ using import(2) . then have **: \\M. (M \\<^sub>M \ \ \ n M \ None) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* \ (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ by simp have *: \\M. (M \\<^sub>M \ \ \ n M \ None) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ proof fix M show \(M \\<^sub>M \ \ \ n M \ None) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ proof (cases M) case (Pair \ \) with ** have \((\, \) \\<^sub>M \ \ \ n M \ None) \ ((\, \) \\<^sub>M \ \ (\, \) \\<^sub>M \ \ the (\* \ (basic n) M) \\<^sub>M \) \ ((\, \) \\<^sub>M \ \ (\, \) \\<^sub>M \<^bold>\ \ \ (\, \) \\<^sub>M \)\ by simp then show ?thesis using Pair by simp qed qed have \\M. (M \\<^sub>E (\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M \)\ proof fix M from * have \(M \\<^sub>M \ \ M \\<^sub>M \ \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ by blast moreover have \M \\<^sub>E (enabledb ?a) \ M \\<^sub>M \\ proof (cases M) case (Pair \ \) with * have \(\, \) \\<^sub>M \ \ \ n (\, \) \ None\ by blast moreover have \\ n (\, \) \ None \ \ (basic n) (\, \) \ None\ by auto moreover have \\ \ (\, \) \\<^sub>E (enabledb ?a)\ by simp ultimately show ?thesis using Pair by auto qed ultimately have \(M \\<^sub>M \ \ M \\<^sub>E (enabledb ?a) \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>E \<^bold>\ (enabledb ?a) \ M \\<^sub>M \)\ by simp then show \(M \\<^sub>E (\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M \)\ using transfer_semantics\<^sub>M by simp qed then show ?case by simp next case (persist a \) have \\M. (M \\<^sub>M (G \) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M (B \) \<^bold>\ (G \)) \ (M \\<^sub>M (G \) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M (B \) \<^bold>\ (G \))\ proof fix M show \(M \\<^sub>M (G \) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M (B \) \<^bold>\ (G \)) \ (M \\<^sub>M (G \) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M (B \) \<^bold>\ (G \))\ proof (cases M) case (Pair \ \) show ?thesis proof show \M \\<^sub>M (G \) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M (B \) \<^bold>\ (G \)\ proof assume asm: \M \\<^sub>M (G \) \ M \\<^sub>E (enabledb a)\ with Pair have notNone: \\ a (\, \) \ None\ by simp show \the (\ a M) \\<^sub>M (B \) \<^bold>\ (G \)\ proof (cases a) case (basic n) with notNone have \\ (basic n) (\, \) \ None\ by simp then obtain \' where \': \\ n (\, \) = Some \'\ by fastforce then have mst_unfold: \\ (basic n) (\, \) = Some (\', \ - {\ \ \. \' \\<^sub>L \})\ (is \\ (basic n) (\, \) = Some (\', ?\')\) by simp then show ?thesis proof (cases \\' \\<^sub>L \\) case True then have \(\', ?\') \\<^sub>M (B \) \<^bold>\ (G \)\ by auto with mst_unfold show ?thesis using basic Pair by simp next case False moreover from asm have \(\, \) \\<^sub>M G \\ using Pair by simp ultimately have \(\', ?\') \\<^sub>M G \\ by auto with mst_unfold show ?thesis using basic Pair by simp qed next case (adopt \') have \\ (adopt \') (\, \) = (if \ {} \\<^sub>L \<^bold>\ \' \ \ \ \\<^sub>L \' then Some (\, \ \ {\'}) else None)\ by simp with notNone have \\ (adopt \') (\, \) = Some (\, \ \ {\'})\ using adopt by metis then show ?thesis using adopt Pair asm by simp next case (drop \) with persist show ?thesis by simp qed qed qed simp qed qed then show ?case by simp next case (inf \ a) then have \\M. \M \ M \\<^sub>E (\\<^sup>E) \<^bold>\ \<^bold>\ (enabledb a)\ using soundness\<^sub>E by blast then have \\M. \M \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ (enabledb a) \ the (\ a M) \\<^sub>M \) \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ \<^bold>\(enabledb a) \ M \\<^sub>M \)\ using transfer_semantics\<^sub>M by auto then show ?case by auto next case (adoptBG \) let ?\ = \\<^bold>\ (B \)\ and ?\ = \G \\ and ?a = \adopt \\ have \\M. \M \ (M \\<^sub>E (?\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M ?\) \ (M \\<^sub>E (?\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M ?\)\ proof fix M have \\M \ M \\<^sub>E (?\\<^sup>E) \ the (\ ?a M) \\<^sub>M ?\ \ M \\<^sub>E enabledb ?a\ proof assume \\ M\ show \M \\<^sub>E (?\\<^sup>E) \ the (\ ?a M) \\<^sub>M ?\ \ M \\<^sub>E enabledb ?a\ proof assume \M \\<^sub>E (?\\<^sup>E)\ show \the (\ ?a M) \\<^sub>M ?\ \ M \\<^sub>E enabledb ?a\ proof from \M \\<^sub>E (?\\<^sup>E)\ show \M \\<^sub>E enabledb ?a\ using adoptBG by (cases M) simp with \M \\<^sub>E (?\\<^sup>E)\ adoptBG have s: \\ ?a M = Some (fst M, snd M \ {\})\ by (cases M) simp then have \\\\snd (the (\ ?a M)). {} \\<^sub>L \ \<^bold>\ \\ by simp moreover { from s have \fst (the (\ ?a M)) = fst M\ by simp moreover have \\ fst M \\<^sub>L \\ using \M \\<^sub>E (?\\<^sup>E)\ by (cases M) simp ultimately have \\ fst (the (\ ?a M)) \\<^sub>L \\ by simp } ultimately show \the (\ ?a M) \\<^sub>M ?\\ using semantics\<^sub>M'.simps(2)[where \=\fst (the (\ ?a M))\ and \=\snd (the (\ ?a M))\] by simp qed qed qed then show \\M \ (M \\<^sub>E (?\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M ?\) \ (M \\<^sub>E (?\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M ?\)\ by auto qed then show ?case by simp next case (dropGCon \ \) let ?\ = \\<^bold>\ (G (\ \<^bold>\ \)) \<^bold>\ (G \)\ and ?\ = \G \\ and ?a = \drop \\ have \\M. \M \ (M \\<^sub>M ?\ \ the (\ ?a M) \\<^sub>M ?\)\ proof fix M show \\M \ (M \\<^sub>M ?\ \ the (\ ?a M) \\<^sub>M ?\)\ proof assume \\M\ show \M \\<^sub>M ?\ \ the (\ ?a M) \\<^sub>M ?\\ proof assume \M \\<^sub>M ?\\ with dropGCon have pre: \\ fst M \\<^sub>L \ \ \ (\\\snd M. {} \\<^sub>L \ \<^bold>\ (\ \<^bold>\ \)) \ (\\\snd M. {} \\<^sub>L \ \<^bold>\ \)\ by (cases M) auto moreover from pre obtain \ where gamma: \\ \ snd M \ {} \\<^sub>L \ \<^bold>\ \\ by auto moreover have aM: \\ ?a M = Some (fst M, snd M - {\ \ snd M. {\} \\<^sub>L \})\ (is \\ = Some ?M'\) by (cases M) simp ultimately have \\ fst ?M' \\<^sub>L \\ by simp moreover from pre gamma have \\ {\} \\<^sub>L \ \<^bold>\ \\ by auto with gamma have \\\\snd ?M'. {} \\<^sub>L \ \<^bold>\ \\ by auto ultimately show \the (\ ?a M) \\<^sub>M ?\\ using aM by simp qed qed qed then show ?case by simp next case (rCondAct \ \ a \') have \\ s \ Agent. \i. ((\\<^bold>[s i\<^bold>]\<^sub>M) \ (\ \ do a) = (act_nth s i) \ (\'\<^bold>[s (i+1)\<^bold>]\<^sub>M))\ proof fix s assume \s \ Agent\ show \\i. ((\\<^bold>[s i\<^bold>]\<^sub>M) \ (\ \ do a) = (act_nth s i) \ (\'\<^bold>[s (i+1)\<^bold>]\<^sub>M))\ proof fix i have \\ (st_nth s i)\ using is_mst_trace \s \ Agent\ . with rCondAct have a: \((\ \<^bold>\ \<^bold>\\) \<^bold>\ \')\<^bold>[s i\<^bold>]\<^sub>M\ \(st_nth s i \\<^sub>E ((\ \<^bold>\ \)\<^sup>E) \<^bold>\ (enabledb a) \ the (\ a (st_nth s i)) \\<^sub>M \') \ (st_nth s i \\<^sub>E ((\ \<^bold>\ \)\<^sup>E) \<^bold>\ \<^bold>\(enabledb a) \ st_nth s i \\<^sub>M \')\ using soundness\<^sub>M semantics\<^sub>H.simps(1) by blast+ show \(\\<^bold>[s i\<^bold>]\<^sub>M) \ (\ \ do a) = (act_nth s i) \ (\'\<^bold>[s (i+1)\<^bold>]\<^sub>M)\ proof assume pre: \st_nth s i \\<^sub>M \ \ (\, a) = act_nth s i\ then have bact: \(\, a) = act_nth s i\ by simp show \\'\<^bold>[s (i+1)\<^bold>]\<^sub>M\ proof (cases \(st_nth s i) \(\, a) (st_nth s (i+1))\) case True then have \st_nth s i \\<^sub>M \\ unfolding transition_def by simp with pre have \st_nth s i \\<^sub>E ((\ \<^bold>\ \)\<^sup>E)\ using transfer_semantics\<^sub>M by simp moreover from True have \\ a (st_nth s i) \ None\ unfolding transition_def by simp moreover from this have \st_nth s i \\<^sub>E enabledb a\ by simp ultimately show ?thesis using \_suc_state \s \ Agent\ bact a(2) by auto next case False moreover from \s \ Agent\ have \is_trace s\ unfolding Agent_def by simp ultimately have \st_nth s i = st_nth s (i+1)\ using not_transition_eq bact by simp moreover from \is_trace s\ have \let (M, M', \, a) = (st_nth s i, st_nth s (i + 1), act_nth s i) in (\, a) \ \ \ ((M \(\, a) M') \ \ a M = None \ M = M')\ unfolding is_trace_def by simp with False bact have \\ a (st_nth s i) = None\ by auto ultimately show ?thesis using a pre transfer_semantics\<^sub>M by auto qed qed qed qed then show ?case by simp next case (rImp \' \ a \ \') have \\M. \M \ (M \\<^sub>M \' \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \') \ (M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \')\ proof fix M show \\M \ (M \\<^sub>M \' \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \') \ (M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \')\ proof assume \\M\ show \(M \\<^sub>M \' \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \') \ (M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \')\ proof show \M \\<^sub>M \' \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \'\ proof assume pre: \M \\<^sub>M \' \ M \\<^sub>E (enabledb a)\ moreover from rImp have \M \\<^sub>M \ \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \\ using \\M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(5) by blast moreover from soundness\<^sub>M have \M \\<^sub>M \' \<^bold>\ \\ using \\M\ rImp(1) by blast moreover have \\ (the (\ a M))\ using \\M\ \_preserves_mst pre by (cases M) simp with soundness\<^sub>M have \the (\ a M) \\<^sub>M \ \<^bold>\ \'\ using rImp(4) by blast ultimately show \the (\ a M) \\<^sub>M \'\ by simp qed show \M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \'\ proof assume pre: \M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a)\ from rImp(3) have \M \\<^sub>M \ \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \\ using \\M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(5) by blast moreover from soundness\<^sub>M have \M \\<^sub>M \' \<^bold>\ \\ using \\M\ rImp(1) by blast moreover from soundness\<^sub>M have \M \\<^sub>M \ \<^bold>\ \'\ using \\M\ rImp(4) by blast ultimately show \M \\<^sub>M \'\ using pre by simp qed qed qed qed with transfer_semantics\<^sub>M show ?case by simp next case (rDis \\<^sub>1 a \ \\<^sub>2) have \\M. \M \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \) \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \)\ proof fix M show \\M \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \) \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \)\ proof assume \\M\ show \(M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \) \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \)\ proof show \M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \\ proof assume \M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a)\ moreover from rDis(2) have \M \\<^sub>M \\<^sub>1 \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \\ using \\M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(5) by blast moreover from rDis(4) have \M \\<^sub>M \\<^sub>2 \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \\ using \\M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(5) by blast ultimately show \the (\ a M) \\<^sub>M \\ by auto qed show \M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \\ proof assume \M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a)\ moreover from rDis(2) have \M \\<^sub>M \\<^sub>1 \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \\ using \\M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(5) by blast moreover from rDis(4) have \M \\<^sub>M \\<^sub>2 \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \\ using \\M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(5) by blast ultimately show \M \\<^sub>M \\ by auto qed qed qed qed with transfer_semantics\<^sub>M show ?case by simp qed auto end end