(* Goal verification framework - Agent Specification *) \ \This theory sets up the framework for specifying agents by means of predicates for enabledness and Hoare triple axioms instead of providing a function for \. Instead, adopt the idea that we may assume the agent specification reflects the actual model, i.e. the \ function complies to our specification.\ theory Gvf_Agent_Specification imports Gvf_Hoare_Logic begin \ \A type for the specification of actions, enabledness and ht axioms.\ type_synonym ht_spec_elem = \Bcap \ \\<^sub>M \ hoare_triple list\ type_synonym ht_specification = \ht_spec_elem list\ section \Satisfiability of specification\ \ \The main idea behind this, and the following, section is that we now base agents on specifications. We do not want to state the belief update function for an agent specifically. As such, we need a link between agent specification and belief update function. We can reduce this problem to the problem of proving the existence of a belief update function (model) given a specification.\ definition satisfiable_base :: \mental_state \ hoare_triple list \ \\<^sub>L list \ bool\ where \satisfiable_base M hts \ \ (\ fst M \<^bold>\\<^sub>P \<^bold>\ \ \ \ \<^bold>\\<^sub>P \<^bold>\) \ (\ht \ set hts. M \\<^sub>M pre ht \ (\, [\\snd M. \ \ \<^bold>\\<^sub>P \] ) \\<^sub>M post ht)\ fun satisfiable_l :: \mental_state \ ht_spec_elem \ bool\ where \satisfiable_l M (a, \, hts) = (M \\<^sub>M \ \ (\ \. satisfiable_base M hts \))\ fun satisfiable_r :: \mental_state \ ht_spec_elem \ bool\ where \satisfiable_r M (_, \, hts) = (M \\<^sub>M \<^bold>\ \ \ (\ht \ set hts. M \\<^sub>M pre ht \ M \\<^sub>M post ht))\ definition satisfiable :: \ht_specification \ bool\ where \satisfiable S \ \M. \ M \ (\s \ set S. satisfiable_l M s \ satisfiable_r M s)\ subsection \Frame Axioms\ \ \It is more practical to distinguish effect and frame axioms during specification.\ type_synonym ht_specification_frax = \ht_specification \ ((Bcap \ bool) \ \\<^sub>M list) list\ fun add_hts :: \ht_spec_elem \ ((Bcap \ bool) \ \\<^sub>M list) list \ ht_spec_elem\ where \add_hts (a, \, hts) L = (a, \, hts @ concat (map (\(p, fms). if p a then map (\x. \<^bold>{ x \<^bold>} (basic a) \<^bold>{ x \<^bold>}) fms else []) L))\ fun from_frax :: \ht_specification_frax \ ht_specification\ where \from_frax ([], _) = []\ | \from_frax (s # S, L) = add_hts s L # from_frax (S, L)\ lemma satisfiable_r_frax: \\s \ set S. satisfiable_r M s \ \s \ set (from_frax (S, L)). satisfiable_r M s\ by (induct S) auto subsection \Compliance\ \ \We restrict those elements of the type 'ht_specification' that are valid specifications.\ \ \Hoare triples only for basic actions and should be for grouped for actions.\ fun is_ht_specification_hts :: \Bcap \ hoare_triple list \ bool\ where \is_ht_specification_hts n hts = (hts \ [] \ (\ht\ set hts. is_htb_basic ht \ fst (snd (the (htb_basic_unpack ht))) = n))\ \ \Main definition. Each action (group) can only appear once, S is satisfiable and each element s of S satisfy the function defined above.\ definition is_ht_specification :: \ht_specification \ bool\ where \is_ht_specification S \ S \ [] \ distinct (map fst S) \ satisfiable S \ (\s \ set S. is_ht_specification_hts (fst s) (snd (snd s)))\ \ \State that a given \ complies to our assumptions, partly due to semantics of Hoare triples and partly due to the properties about the fixed agent\ fun complies_ht :: \mental_state \ bel_upd_t \ \\<^sub>M \ (\\<^sub>M \ Bcap \ \\<^sub>M) \ bool\ where \complies_ht M \ \ (\, n, \) = \ \\ specify if the action is enabled\ ((M \\<^sub>M \ \ \ n M \ None) \ \ \Transitions preserves consistency.\ (\ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ \ n M \ None \ \the (\ n M) \<^bold>\\<^sub>P \<^bold>\) \ \ \Basic Hoare triple semantics for action enabled.\ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* \ (basic n) M) \\<^sub>M \) \ \ \Basic Hoare triple semantics for action not enabled.\ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \))\ \ \Does an element s of S comply to a given belief update function?\ definition complies_hts :: \(Bcap \ \\<^sub>M \ hoare_triple list) \ bel_upd_t \ bool\ where \complies_hts s \ \ \ \For all Hoare triples for this action...\ \ht\set (snd (snd s)). \ \It is for basic actions, and ...\ is_htb_basic ht \ \ \It complies for all reachable mental states.\ (\M. \M \ complies_ht M \ (fst (snd s)) (the (htb_basic_unpack ht)))\ \ \Main definition. Does the specification comply to a given belief update function?\ definition complies :: \ht_specification \ bel_upd_t \ bool\ where \complies S \ \ (\s\set S. complies_hts s \) \ (\n. n \ set (map fst S) \ (\M. \ n M = None))\ section \Model existence\ \ \Showing existence of a model that complies can be done separately for each group of Hoare triples.\ lemma model_exists_disjoint: assumes \is_ht_specification S\ and \\s\set S. \\. complies_hts s \\ shows \\\. complies S \\ proof from assms(1) have \distinct (map fst S)\ unfolding is_ht_specification_def by simp let ?\ = \\n. if n \ set (map fst S) then (SOME \. complies_hts (THE s'. s'\set S \ n = fst s') \) n else (\M. None)\ show \complies S ?\\ unfolding complies_def proof show \\s\set S. complies_hts s ?\\ proof fix s assume member: \s \ set S\ show \complies_hts s ?\\ proof (cases s) case f1: (fields n \ hts) have \\ht\set hts. \M. \M \ complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof fix ht assume \ht \ set hts\ show \\M. \M \ complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof fix M show \\M \ complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof assume \\M\ show \complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof (cases \(the (htb_basic_unpack ht))\) case (fields \ n' \) have \s\set S \ fst s = fst s\ using \s \ set S\ by simp moreover have \\s'. s'\set S \ fst s = fst s' \ s' = s\ using \distinct (map fst S)\ by (metis member eq_key_imp_eq_value prod.collapse) ultimately have \(THE s'. s'\set S \ fst s = fst s') = s\ using the_equality by auto then have \?\ (fst s) = (SOME \. complies_hts s \) (fst s)\ (is \?\ (fst s) = ?\' (fst s)\) using member by simp have \\\. complies_hts s \\ using assms(2) member by simp then have \complies_hts s ?\'\ using someI_ex[where ?P=\complies_hts s\] by simp then have \\ht\set hts. is_htb_basic ht \ (\M. \M \ complies_ht M ?\' \ (the (htb_basic_unpack ht)))\ using f1 complies_hts_def by fastforce with f1 \ht \ set hts\ have \\M. \M \ complies_ht M ?\' \ (the (htb_basic_unpack ht))\ by simp with \\M\ have \complies_ht M ?\' \ (the (htb_basic_unpack ht))\ by blast moreover have \n = n'\ using fields assms(1) f1 member \ht \ set hts\ unfolding is_ht_specification_def by fastforce ultimately have \complies_ht M ?\' \ (\, n, \)\ using fields by simp then have \(M \\<^sub>M \ \ ?\' n M \ None) \ (\ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ ?\' n M \ None \ \the (?\' n M) \<^bold>\\<^sub>P \<^bold>\) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* ?\' (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ by simp moreover have \n = fst s\ using f1 by simp then have \?\ n = ?\' n\ using \?\ (fst s) = ?\' (fst s)\ by blast moreover have \\* ?\ (basic n) M = \* ?\' (basic n) M\ proof (cases M) case (Pair \ \) then have \\* ?\ (basic n) M = \* ?\ (basic n) (\, \)\ by simp also have \\* ?\ (basic n) (\, \) = (case ?\ n (\, \) of Some \' \ Some (\', [\\\. \ \' \<^bold>\\<^sub>P \]) | _ \ None)\ by simp also have \\ = (case ?\' n (\, \) of Some \' \ Some (\', [\\\. \ \' \<^bold>\\<^sub>P \]) | _ \ None)\ using \?\ n = ?\' n\ by simp also have \\ = \* ?\' (basic n) (\, \)\ by simp finally show \\* ?\ (basic n) M = \* ?\' (basic n) M\ using Pair by simp qed ultimately have \(M \\<^sub>M \ \ ?\ n M \ None) \ (\ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ ?\ n M \ None \ \the (?\ n M) \<^bold>\\<^sub>P \<^bold>\) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* ?\ (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ by simp then have \complies_ht M ?\ \ (\, n, \)\ by simp with \n = n'\ show ?thesis using fields by simp qed qed qed qed moreover have \\ht\set hts. is_htb_basic ht\ using assms(1) f1 \s \ set S\ unfolding is_ht_specification_def by simp ultimately show ?thesis using f1 complies_hts_def by simp qed qed next show \\n. n \ set (map fst S) \ (\M. ?\ n M = None)\ by simp qed qed \ \If S is a valid specification, there exists a belief update function (model) that S complies to.\ lemma model_exists: \is_ht_specification S \ \\. complies S \\ proof - assume spec: \is_ht_specification S\ then have sat: \satisfiable S\ unfolding is_ht_specification_def by simp have \\s\set S. \\. complies_hts s \\ proof fix s assume \s \ set S\ show \\\. complies_hts s \\ proof (cases s) case f1: (fields n \ hts) have \\\. complies_hts (n, \, hts) \\ proof let ?\ = \\n M. if M \\<^sub>M \ then Some (SOME \. satisfiable_base M hts \) else None\ have \\ht\set hts. is_htb_basic ht \ (\M. \M \ complies_ht M ?\ \ (the (htb_basic_unpack ht)))\ proof fix ht assume \ht \ set hts\ show \is_htb_basic ht \ (\M. \M \ complies_ht M ?\ \ (the (htb_basic_unpack ht)))\ proof from spec show \is_htb_basic ht\ using \ht \ set hts\ \s \ set S\ f1 unfolding is_ht_specification_def by simp show \\M. \M \ complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof fix M show \\M \ complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof assume \\M\ show \complies_ht M ?\ \ (the (htb_basic_unpack ht))\ proof (cases \the (htb_basic_unpack ht)\) case (fields \ n' \) moreover have \complies_ht M ?\ \ (\, n, \)\ proof (cases \M \\<^sub>M \\) case True then have nM: \?\ n M = Some (SOME \. satisfiable_base M hts \)\ by simp moreover from sat have \satisfiable_l M s \ satisfiable_r M s\ unfolding satisfiable_def using \s \ set S\ \\M\ by blast with f1 True have ex: \\\. satisfiable_base M hts \\ by simp have \\\. satisfiable_base M hts \ \ \ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ ?\ n M \ None \ \ \ \<^bold>\\<^sub>P \<^bold>\\ proof fix \ show \satisfiable_base M hts \ \ \ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ ?\ n M \ None \ \ \ \<^bold>\\<^sub>P \<^bold>\\ proof assume \satisfiable_base M hts \\ then show \\ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ ?\ n M \ None \ \ \ \<^bold>\\<^sub>P \<^bold>\\ unfolding satisfiable_base_def by simp qed qed with ex have \\ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ ?\ n M \ None \ \ (SOME \. satisfiable_base M hts \) \<^bold>\\<^sub>P \<^bold>\\ using someI2[where ?P=\satisfiable_base M hts\] by blast moreover have \\\. satisfiable_base M hts \ \ (M \\<^sub>M \ \ M \\<^sub>M \ \ (\, [\\snd M. \ \ \<^bold>\\<^sub>P \]) \\<^sub>M \)\ proof fix \ show \satisfiable_base M hts \ \ (M \\<^sub>M \ \ M \\<^sub>M \ \ (\, [\\snd M. \ \ \<^bold>\\<^sub>P \]) \\<^sub>M \)\ proof assume \satisfiable_base M hts \\ with \ht \ set hts\ have \M \\<^sub>M pre ht \ (\, [\\snd M. \ \ \<^bold>\\<^sub>P \]) \\<^sub>M post ht\ unfolding satisfiable_base_def by simp moreover from \is_htb_basic ht\ have \pre ht = \\ using fields unpack_sel(1) by fastforce moreover from \is_htb_basic ht\ have \post ht = \\ using fields unpack_sel(2) by fastforce ultimately have \M \\<^sub>M \ \ (\, [\\snd M. \ \ \<^bold>\\<^sub>P \]) \\<^sub>M \\ by simp then show \M \\<^sub>M \ \ M \\<^sub>M \ \ (\, [\\snd M. \ \ \<^bold>\\<^sub>P \]) \\<^sub>M \\ by simp qed qed with ex have \(M \\<^sub>M \ \ M \\<^sub>M \ \ ((SOME \. satisfiable_base M hts \), [\\snd M. \ (SOME \. satisfiable_base M hts \) \<^bold>\\<^sub>P \]) \\<^sub>M \)\ using someI2[where ?P=\satisfiable_base M hts\] by blast ultimately have \(M \\<^sub>M \ \ Some (SOME \. satisfiable_base M hts \) \ None) \ (\ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ \ (SOME \. satisfiable_base M hts \) \<^bold>\\<^sub>P \<^bold>\) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ ((SOME \. satisfiable_base M hts \), [\\snd M. \ (SOME \. satisfiable_base M hts \) \<^bold>\\<^sub>P \]) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ using True by auto moreover have \((SOME \. satisfiable_base M hts \), [\\snd M. \ (SOME \. satisfiable_base M hts \) \<^bold>\\<^sub>P \]) \\<^sub>M \ \ the (\* ?\ (basic n) M) \\<^sub>M \\ proof (cases M) case (Pair \ \) show ?thesis proof assume entails: \((SOME \. satisfiable_base M hts \), [\\snd M. \ (SOME \. satisfiable_base M hts \) \<^bold>\\<^sub>P \]) \\<^sub>M \\ with nM Pair show \the (\* ?\ (basic n) M) \\<^sub>M \\ by auto qed qed ultimately have \(M \\<^sub>M \ \ ?\ n M \ None) \ (\ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ ?\ n M \ None \ \ the (?\ n M) \<^bold>\\<^sub>P \<^bold>\) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* ?\ (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ using nM by simp then show ?thesis using complies_ht.simps by blast next case False then have \?\ n M = None\ by simp then have \M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \\ proof - from sat \s \ set S\ False have \\ht \ set hts. M \\<^sub>M pre ht \ M \\<^sub>M post ht\ using f1 \\M\ unfolding satisfiable_def by fastforce with \ht \ set hts\ have \M \\<^sub>M pre ht \ M \\<^sub>M post ht\ by simp moreover from \is_htb_basic ht\ have \pre ht = \\ using fields unpack_sel(1) by fastforce moreover from \is_htb_basic ht\ have \post ht = \\ using fields unpack_sel(2) by fastforce ultimately have \M \\<^sub>M \ \ M \\<^sub>M \\ by simp then show ?thesis by simp qed with False show ?thesis by simp qed moreover from spec have \n = n'\ using \s \ set S\ \ht \ set hts\ f1 fields unfolding is_ht_specification_def by fastforce ultimately show ?thesis by metis qed qed qed qed qed then show \complies_hts (n, \, hts) ?\\ unfolding complies_hts_def by simp qed with f1 show ?thesis by simp qed qed with model_exists_disjoint \is_ht_specification S\ show ?thesis . qed section \Single agent program given by specification\ locale single_agent_program = single_agent + fixes Sp :: ht_specification assumes is_ht_specification: \is_ht_specification Sp\ and \_complies: \complies Sp \\ context single_agent_program begin \ \Enabledness\ (* can this shorten other proofs? *) lemma \_None_ht_spec: \\M \ (a, \, hts) \ set Sp \ M \\<^sub>M \<^bold>\ \ \ \ a M = None\ proof - assume \(a, \, hts) \ set Sp\ then have \complies_hts (a, \, hts) \\ using \_complies complies_def by simp then have \\ht\set hts. \M. \M \ complies_ht M \ \ (the (htb_basic_unpack ht))\ unfolding complies_hts_def by simp then have \\ht\set hts. \M \ complies_ht M \ \ (the (htb_basic_unpack ht))\ by blast then have \\ht\set hts. \M \ (let (\, n, \) = the (htb_basic_unpack ht) in ((M \\<^sub>M \ \ \ n M \ None) \ (\ (fst M) \<^bold>\\<^sub>P \<^bold>\ \ \ n M \ None \ \the (\ n M) \<^bold>\\<^sub>P \<^bold>\) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* \ (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)))\ by fastforce then have \\ht\set hts. \M \ (let (\, n, \) = the (htb_basic_unpack ht) in M \\<^sub>M \ \ \ n M \ None)\ by auto moreover from is_ht_specification have \hts \ [] \ (\ht\ set hts. fst (snd (the (htb_basic_unpack ht))) = a)\ using \(a, \, hts) \ set Sp\ unfolding is_ht_specification_def by auto ultimately have \hts \ []\ \\ht\set hts. \M \ (M \\<^sub>M \ \ \ a M \ None)\ by (simp, fastforce) then have \\M \ (M \\<^sub>M \ \ \ a M \ None)\ by auto moreover assume \M \\<^sub>M \<^bold>\ \\ \\M\ ultimately show \\ a M = None\ by simp qed lemma not_enabled_ht_spec: assumes \(a, \, hts) \ set Sp\ and \\<^bold>\\<^sub>M (\ \<^bold>\ \<^bold>\ \)\ shows \\<^bold>\\<^sub>E (\\<^sup>E \<^bold>\ \<^bold>\ (enabledb (basic a)))\ proof fix M have \mst_reachable_basic M \ M \\<^sub>M (\ \<^bold>\ \<^bold>\ \)\ using assms(2) by blast have \mst_reachable_basic M \ M \\<^sub>M \ \ M \\<^sub>E \<^bold>\ (enabledb (basic a))\ proof assume \mst_reachable_basic M\ with assms(2) have \M \\<^sub>M (\ \<^bold>\ \<^bold>\ \)\ by blast show \M \\<^sub>M \ \ M \\<^sub>E \<^bold>\ (enabledb (basic a))\ proof assume \M \\<^sub>M \\ from mst_reachable_basic_is_mst have \\M\ using \mst_reachable_basic M\ . then have \\ a M = None\ proof (rule \_None_ht_spec) from assms(1) show \(a, \, hts) \ set Sp\ . from \M \\<^sub>M \\ \M \\<^sub>M (\ \<^bold>\ \<^bold>\ \)\ show \M \\<^sub>M \<^bold>\ \\ by simp qed with bel_upd_not_enabled show \M \\<^sub>E \<^bold>\ (enabledb (basic a))\ by simp qed qed with transfer_semantics\<^sub>M show \mst_reachable_basic M \ M \\<^sub>E (\\<^sup>E \<^bold>\ \<^bold>\ (enabledb ((basic a))))\ using semantics\<^sub>P.simps(4) by metis qed subsection \Proof System\ \ \Derive (the) valid Hoare triples.\ inductive derive\<^sub>H :: \hoare_triple \ bool\ (\\\<^sub>H\) where \ \Agent specific rule import\ import: \(n, \, hts) \ set Sp \ \<^bold>{ \ \<^bold>} (basic n) \<^bold>{ \ \<^bold>} \ set hts \ \\<^sub>H \<^bold>{ \ \<^bold>} (basic n) \<^bold>{ \ \<^bold>}\ | \ \Persistence of goals\ persist: \\ is_drop a \ \\<^sub>H \<^bold>{ G \ \<^bold>} a \<^bold>{ B \ \<^bold>\ G \ \<^bold>}\ | \ \Infeasible actions\ inf: \\<^bold>\\<^sub>E (\\<^sup>E \<^bold>\ \<^bold>\(enabledb a)) \ \\<^sub>H \<^bold>{ \ \<^bold>} a \<^bold>{ \ \<^bold>}\ | \ \Frame properties on beliefs for adopt and drop\ adoptB: \\\<^sub>H \<^bold>{ B \ \<^bold>} (adopt \) \<^bold>{ B \ \<^bold>}\ | adoptNegB: \\\<^sub>H \<^bold>{ \<^bold>\ (B \) \<^bold>} (adopt \) \<^bold>{ \<^bold>\ (B \) \<^bold>}\ | dropB: \\\<^sub>H \<^bold>{ B \ \<^bold>} (drop \) \<^bold>{ B \ \<^bold>}\ | dropNegB: \\\<^sub>H \<^bold>{ \<^bold>\ (B \) \<^bold>} (drop \) \<^bold>{ \<^bold>\ (B \) \<^bold>}\ | \ \Effects of adopt\ adoptBG: \\ \\<^sub>P (\<^bold>\ \) \ \\<^sub>H \<^bold>{ \<^bold>\ (B \) \<^bold>} (adopt \) \<^bold>{ G \ \<^bold>}\ | \ \Non-effect of adopt\ adoptG: \\\<^sub>H \<^bold>{ G \ \<^bold>} (adopt \) \<^bold>{ G \ \<^bold>}\ | adoptNegG: \\ \\<^sub>P (\ \<^bold>\ \) \ \\<^sub>H \<^bold>{ \<^bold>\ (G \) \<^bold>} (adopt \) \<^bold>{ \<^bold>\ (G \) \<^bold>}\ | \ \Effects of drop\ dropG: \\\<^sub>P (\ \<^bold>\ \) \ \\<^sub>H \<^bold>{ G \ \<^bold>} (drop \) \<^bold>{ \<^bold>\ (G \) \<^bold>}\ | \ \Non-effects of drop\ dropNegG: \\\<^sub>H \<^bold>{ \<^bold>\(G \) \<^bold>} (drop \) \<^bold>{ \<^bold>\ (G \) \<^bold>}\ | dropGCon: \\\<^sub>H \<^bold>{ \<^bold>\(G (\ \<^bold>\ \)) \<^bold>\ (G \) \<^bold>} (drop \) \<^bold>{ G \ \<^bold>}\ | \ \Rule for conditional actions\ rCondAct: \\\<^sub>H \<^bold>{ \ \<^bold>\ \ \<^bold>} a \<^bold>{ \' \<^bold>} \ \<^bold>\\<^sub>M (\ \<^bold>\ \<^bold>\\ \<^bold>\ \') \ \\<^sub>H \<^bold>{ \ \<^bold>} (\ \ do a) \<^bold>{ \' \<^bold>}\ | \ \Structural rules\ rImp: \\<^bold>\\<^sub>M (\' \<^bold>\ \) \ \\<^sub>H \<^bold>{ \ \<^bold>} a \<^bold>{ \ \<^bold>} \ \<^bold>\\<^sub>M (\ \<^bold>\ \') \ \\<^sub>H \<^bold>{ \' \<^bold>} a \<^bold>{ \' \<^bold>}\ | rCon: \\\<^sub>H \<^bold>{ \\<^sub>1 \<^bold>} a \<^bold>{ \\<^sub>1 \<^bold>} \ \\<^sub>H \<^bold>{ \\<^sub>2 \<^bold>} a \<^bold>{ \\<^sub>2 \<^bold>} \ \\<^sub>H \<^bold>{ \\<^sub>1 \<^bold>\ \\<^sub>2 \<^bold>} a \<^bold>{ \\<^sub>1 \<^bold>\ \\<^sub>2 \<^bold>}\ | rDis: \\\<^sub>H \<^bold>{ \\<^sub>1 \<^bold>} a \<^bold>{ \ \<^bold>} \ \\<^sub>H \<^bold>{ \\<^sub>2 \<^bold>} a \<^bold>{ \ \<^bold>} \ \\<^sub>H \<^bold>{ \\<^sub>1 \<^bold>\ \\<^sub>2 \<^bold>} a \<^bold>{ \ \<^bold>}\ \ \A proof of a Hoare triple ensures validity.\ \ \Induction over each rule.\ theorem soundness\<^sub>H: \\\<^sub>H H \ \\<^sub>H H\ proof (induct rule: derive\<^sub>H.induct) case (import n \ hts \ \) let ?a = \basic n\ let ?ht = \\<^bold>{ \ \<^bold>} ?a \<^bold>{ \ \<^bold>}\ have \\s\set Sp. complies_hts s \\ using \_complies unfolding complies_def by simp with import(1) have \\ht\set hts. is_htb_basic ht \ (\M. \M \ complies_ht M \ \ (the (htb_basic_unpack ht)))\ unfolding complies_hts_def by auto with bspec have \is_htb_basic ?ht \ (\M. \M \ complies_ht M \ \ (the (htb_basic_unpack ?ht)))\ using import(2) . then have **: \\M. \M \ (M \\<^sub>M \ \ \ n M \ None) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\* \ (basic n) M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ by simp have *: \\M. \M \ (M \\<^sub>M \ \ \ n M \ None) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ proof fix M show \\M \ (M \\<^sub>M \ \ \ n M \ None) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ proof assume \\M\ show \(M \\<^sub>M \ \ \ n M \ None) \ (M \\<^sub>M \ \ M \\<^sub>M \ \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ proof (cases M) case (Pair \ \) with ** \\M\ have \((\, \) \\<^sub>M \ \ \ n M \ None) \ ((\, \) \\<^sub>M \ \ (\, \) \\<^sub>M \ \ the (\* \ (basic n) M) \\<^sub>M \) \ ((\, \) \\<^sub>M \ \ (\, \) \\<^sub>M \<^bold>\ \ \ (\, \) \\<^sub>M \)\ by simp then show ?thesis using Pair by simp qed qed qed have \\M. \M \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M \)\ proof fix M show \\M \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M \)\ proof assume \\M\ with * have \(M \\<^sub>M \ \ M \\<^sub>M \ \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>M \<^bold>\ \ \ M \\<^sub>M \)\ by blast moreover have \M \\<^sub>E (enabledb ?a) \ M \\<^sub>M \\ proof (cases M) case (Pair \ \) with * \\M\ have \(\, \) \\<^sub>M \ \ \ n (\, \) \ None\ by blast moreover have \\ n (\, \) \ None \ \ (basic n) (\, \) \ None\ by auto moreover have \\ \ (\, \) \\<^sub>E (enabledb ?a)\ using \_some_Cap by fastforce ultimately show ?thesis using Pair by auto qed ultimately have \(M \\<^sub>M \ \ M \\<^sub>E (enabledb ?a) \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>M \ \ M \\<^sub>E \<^bold>\ (enabledb ?a) \ M \\<^sub>M \)\ by simp then show \(M \\<^sub>E (\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M \) \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M \)\ using transfer_semantics\<^sub>M by simp qed qed with mst_reachable_basic_is_mst show ?case by simp next case (persist a \) have \\M. (M \\<^sub>M (G \) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M (B \) \<^bold>\ (G \)) \ (M \\<^sub>M (G \) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M (B \) \<^bold>\ (G \))\ proof fix M show \(M \\<^sub>M (G \) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M (B \) \<^bold>\ (G \)) \ (M \\<^sub>M (G \) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M (B \) \<^bold>\ (G \))\ proof (cases M) case (Pair \ \) show ?thesis proof show \M \\<^sub>M (G \) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M (B \) \<^bold>\ (G \)\ proof assume asm: \M \\<^sub>M (G \) \ M \\<^sub>E (enabledb a)\ with Pair have notNone: \\ a (\, \) \ None\ by simp show \the (\ a M) \\<^sub>M (B \) \<^bold>\ (G \)\ proof (cases a) case (basic n) with notNone have \\ (basic n) (\, \) \ None\ by simp then obtain \' where \': \\ n (\, \) = Some \'\ by fastforce then have mst_unfold: \\ (basic n) (\, \) = Some (\', [\\\. \ \' \<^bold>\\<^sub>P \])\ (is \\ (basic n) (\, \) = Some (\', ?\')\) by simp then show ?thesis proof (cases \\' \<^bold>\\<^sub>P \\) case True then have \(\', ?\') \\<^sub>M (B \) \<^bold>\ (G \)\ by auto with mst_unfold show ?thesis using basic Pair by simp next case False moreover from asm have \(\, \) \\<^sub>M G \\ using Pair by simp ultimately have \(\', ?\') \\<^sub>M G \\ by auto with mst_unfold show ?thesis using basic Pair by simp qed next case (adopt \') have \\ (adopt \') (\, \) = (if \ \\<^sub>P (\<^bold>\ \') \ \ \ \<^bold>\\<^sub>P \' then Some (\, List.insert \' \) else None)\ by simp with notNone have \\ (adopt \') (\, \) = Some (\, List.insert \' \)\ using adopt by metis then show ?thesis using adopt Pair asm by simp next case (drop \) with persist show ?thesis by simp qed qed qed simp qed qed with semantics\<^sub>H.simps(1) show ?case using semantics\<^sub>P.simps(6) transfer_semantics\<^sub>M by blast next case (inf \ a) then have \\M. mst_reachable_basic M \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ (enabledb a) \ the (\ a M) \\<^sub>M \) \ (M \\<^sub>E (\\<^sup>E) \<^bold>\ \<^bold>\(enabledb a) \ M \\<^sub>M \)\ using transfer_semantics\<^sub>M by auto with mst_reachable_basic_is_mst show ?case by auto next case (adoptB \ \) let ?\ = \B \\ and ?\' = \B \\ and ?\ = \adopt \\ from adoptB have \\M. (M \\<^sub>E ?\\<^sup>E \<^bold>\ (enabledb ?\) \ the (\ ?\ M) \\<^sub>M ?\') \ (M \\<^sub>E ?\\<^sup>E \<^bold>\ \<^bold>\(enabledb ?\) \ M \\<^sub>M ?\')\ by simp then show ?case by force next case adoptNegB then show ?case by simp next case dropB then show ?case by simp next case dropNegB then show ?case by simp next case (adoptBG \) let ?\ = \\<^bold>\ (B \)\ and ?\ = \G \\ and ?a = \adopt \\ have \\M. mst_reachable_basic M \ (M \\<^sub>E (?\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M ?\) \ (M \\<^sub>E (?\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M ?\)\ proof fix M have \M \\<^sub>E (?\\<^sup>E) \ the (\ ?a M) \\<^sub>M ?\ \ M \\<^sub>E enabledb ?a\ proof assume \M \\<^sub>E (?\\<^sup>E)\ show \the (\ ?a M) \\<^sub>M ?\ \ M \\<^sub>E enabledb ?a\ proof from \M \\<^sub>E (?\\<^sup>E)\ show \M \\<^sub>E enabledb ?a\ using adoptBG adopt_Cap by (cases M) simp with \M \\<^sub>E (?\\<^sup>E)\ adoptBG have s: \\ ?a M = Some (fst M, List.insert \ (snd M))\ by (cases M) simp then have \\\\set (snd (the (\ ?a M))). \\<^sub>P (\ \<^bold>\ \)\ by simp moreover { from s have \fst (the (\ ?a M)) = fst M\ by simp moreover have \\ fst M \<^bold>\\<^sub>P \\ using \M \\<^sub>E (?\\<^sup>E)\ by (cases M) simp ultimately have \\ fst (the (\ ?a M)) \<^bold>\\<^sub>P \\ by simp } ultimately show \the (\ ?a M) \\<^sub>M ?\\ using semantics\<^sub>M'.simps(2)[where \=\fst (the (\ ?a M))\ and \=\snd (the (\ ?a M))\] by simp qed qed then show \mst_reachable_basic M \ (M \\<^sub>E (?\\<^sup>E) \<^bold>\ (enabledb ?a) \ the (\ ?a M) \\<^sub>M ?\) \ (M \\<^sub>E (?\\<^sup>E) \<^bold>\ \<^bold>\(enabledb ?a) \ M \\<^sub>M ?\)\ by auto qed then show ?case by simp next case adoptG then show ?case by simp next case adoptNegG then show ?case by simp next case dropG with drop_Cap show ?case by auto next case dropNegG with drop_Cap show ?case by simp next case (dropGCon \ \) let ?\ = \\<^bold>\ (G (\ \<^bold>\ \)) \<^bold>\ (G \)\ and ?\ = \G \\ and ?a = \drop \\ have \\M. M \\<^sub>M ?\ \ the (\ ?a M) \\<^sub>M ?\\ proof fix M show \M \\<^sub>M ?\ \ the (\ ?a M) \\<^sub>M ?\\ proof assume \M \\<^sub>M ?\\ with dropGCon have pre: \\ fst M \<^bold>\\<^sub>P \ \ \ (\\\set (snd M). \\<^sub>P (\ \<^bold>\ (\ \<^bold>\ \))) \ (\\\set (snd M). \\<^sub>P (\ \<^bold>\ \))\ by (cases M) auto moreover from pre obtain \ where gamma: \\ \ set (snd M) \ \\<^sub>P (\ \<^bold>\ \)\ by auto moreover have aM: \\ ?a M = Some (fst M, [\\snd M. \ [\] \<^bold>\\<^sub>P \])\ (is \\ = Some ?M'\) by (cases M) simp ultimately have \\ fst ?M' \<^bold>\\<^sub>P \\ by simp moreover from pre gamma have \\ [\] \<^bold>\\<^sub>P (\ \<^bold>\ \)\ by auto with gamma have \\\\set (snd ?M'). \\<^sub>P (\ \<^bold>\ \)\ by auto ultimately show \the (\ ?a M) \\<^sub>M ?\\ using aM by simp qed qed then show ?case by (meson semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(6) transfer_semantics\<^sub>M) next case (rCondAct \ \ a \') have \\ s \ Agent. \i. ((\\<^bold>[s i\<^bold>]\<^sub>M) \ (\ \ do a) = (act_nth s i) \ (\'\<^bold>[s (i+1)\<^bold>]\<^sub>M))\ proof fix s assume \s \ Agent\ show \\i. ((\\<^bold>[s i\<^bold>]\<^sub>M) \ (\ \ do a) = (act_nth s i) \ (\'\<^bold>[s (i+1)\<^bold>]\<^sub>M))\ proof fix i from mst_reachable_basic_trace have \mst_reachable_basic (st_nth s i)\ using \s \ Agent\ . with rCondAct have a: \((\ \<^bold>\ \<^bold>\\) \<^bold>\ \')\<^bold>[s i\<^bold>]\<^sub>M\ \(st_nth s i \\<^sub>E ((\ \<^bold>\ \)\<^sup>E) \<^bold>\ (enabledb a) \ the (\ a (st_nth s i)) \\<^sub>M \') \ (st_nth s i \\<^sub>E ((\ \<^bold>\ \)\<^sup>E) \<^bold>\ \<^bold>\(enabledb a) \ st_nth s i \\<^sub>M \')\ using rCondAct.hyps(2) semantics\<^sub>H.simps(1) by blast+ show \(\\<^bold>[s i\<^bold>]\<^sub>M) \ (\ \ do a) = (act_nth s i) \ (\'\<^bold>[s (i+1)\<^bold>]\<^sub>M)\ proof assume pre: \st_nth s i \\<^sub>M \ \ (\, a) = act_nth s i\ then have bact: \(\, a) = act_nth s i\ by simp show \\'\<^bold>[s (i+1)\<^bold>]\<^sub>M\ proof (cases \(st_nth s i) \(\, a) (st_nth s (i+1))\) case True then have \st_nth s i \\<^sub>M \\ unfolding transition_def by simp with pre have \st_nth s i \\<^sub>E ((\ \<^bold>\ \)\<^sup>E)\ using transfer_semantics\<^sub>M by simp moreover from True have \\ a (st_nth s i) \ None\ unfolding transition_def by simp moreover from this have \st_nth s i \\<^sub>E enabledb a\ using \_some_Cap by simp ultimately show ?thesis using \_suc_state \s \ Agent\ bact a(2) using snd_act_nth fst_act_nth transfer_semantics\<^sub>M by auto next case f: False moreover from \s \ Agent\ have \is_trace s\ unfolding Agent_def by simp ultimately have \st_nth s i = st_nth s (i+1)\ using not_transition_eq bact by simp then show ?thesis proof (cases \st_nth s i \\<^sub>M \\) case True then have \\ ((enabledb a)\<^bold>[s i\<^bold>]\<^sub>E)\ proof - from \is_trace s\ have \((st_nth s i) \(act_nth s i) (st_nth s (i+1))) \ \(\M. ((st_nth s i) \(act_nth s i) M)) \ (st_nth s i) = (st_nth s (i+1))\ unfolding is_trace_def by simp with f True bact have \\(\M. ((st_nth s i) \(\ \ do a) M))\ by auto moreover have \(\ \ do a) \ \\ using \is_trace s\ bact trace_in_\ by force ultimately have \\ (st_nth s i) \\<^sub>M \ \ \ a (st_nth s i) = None\ unfolding transition_def by fastforce with True show \\ ((enabledb a)\<^bold>[s i\<^bold>]\<^sub>E)\ by simp qed then have \st_nth s i \\<^sub>M \'\ using a pre transfer_semantics\<^sub>M by auto with \st_nth s i = st_nth s (i+1)\ show ?thesis by simp next case False with bact have \\'\<^bold>[s i\<^bold>]\<^sub>M\ using a(1) pre by auto with \st_nth s i = st_nth s (i+1)\ show ?thesis by simp qed qed qed qed qed then show ?case by simp next case (rImp \' \ a \ \') have \\M. mst_reachable_basic M \ (M \\<^sub>M \' \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \') \ (M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \')\ proof fix M show \mst_reachable_basic M \ (M \\<^sub>M \' \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \') \ (M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \')\ proof assume \mst_reachable_basic M\ show \(M \\<^sub>M \' \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \') \ (M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \')\ proof show \M \\<^sub>M \' \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \'\ proof assume pre: \M \\<^sub>M \' \ M \\<^sub>E (enabledb a)\ moreover from rImp(3) have \M \\<^sub>M \ \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \\ using \mst_reachable_basic M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(6) by blast moreover have \M \\<^sub>M \' \<^bold>\ \\ using \mst_reachable_basic M\ rImp(1) by blast ultimately have \the (\ a M) \\<^sub>M \\ by simp moreover from pre have \\ a M \ None\ by simp with mst_reachable_basic_\ have \mst_reachable_basic (the (\ a M))\ using \mst_reachable_basic M\ unfolding mst_reachable_basic_def by simp with rImp have \the (\ a M) \\<^sub>M \ \<^bold>\ \'\ by blast ultimately show \the (\ a M) \\<^sub>M \'\ by simp qed show \M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \'\ proof assume pre: \M \\<^sub>M \' \ M \\<^sub>E \<^bold>\(enabledb a)\ from rImp(3) have \M \\<^sub>M \ \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \\ using \mst_reachable_basic M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(6) by blast moreover have \M \\<^sub>M \' \<^bold>\ \\ using \mst_reachable_basic M\ rImp(1) by blast moreover have \M \\<^sub>M \ \<^bold>\ \'\ using \mst_reachable_basic M\ rImp(4) by blast ultimately show \M \\<^sub>M \'\ using pre by simp qed qed qed qed with transfer_semantics\<^sub>M show ?case by simp next case rCon then show ?case by simp next case (rDis \\<^sub>1 a \ \\<^sub>2) have \\M. mst_reachable_basic M \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \) \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \)\ proof fix M show \mst_reachable_basic M \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \) \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \)\ proof assume \mst_reachable_basic M\ show \(M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \) \ (M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \)\ proof show \M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \\ proof assume \M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E (enabledb a)\ moreover from rDis(2) have \M \\<^sub>M \\<^sub>1 \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \\ using \mst_reachable_basic M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(6) by blast moreover from rDis(4) have \M \\<^sub>M \\<^sub>2 \ M \\<^sub>E (enabledb a) \ the (\ a M) \\<^sub>M \\ using \mst_reachable_basic M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(6) by blast ultimately show \the (\ a M) \\<^sub>M \\ by auto qed show \M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \\ proof assume \M \\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) \ M \\<^sub>E \<^bold>\(enabledb a)\ moreover from rDis(2) have \M \\<^sub>M \\<^sub>1 \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \\ using \mst_reachable_basic M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(6) by blast moreover from rDis(4) have \M \\<^sub>M \\<^sub>2 \ M \\<^sub>E \<^bold>\(enabledb a) \ M \\<^sub>M \\ using \mst_reachable_basic M\ transfer_semantics\<^sub>M semantics\<^sub>H.simps(1) semantics\<^sub>P.simps(6) by blast ultimately show \M \\<^sub>M \\ by auto qed qed qed qed with transfer_semantics\<^sub>M show ?case by simp qed end lemma is_ht_spec_single_agent_program: assumes \\ \ {} \ \ M\ and \is_ht_specification S\ and \\a. (\\. (\, basic a) \ \) \ a \ set (map fst S)\ shows \single_agent_program (SOME \. complies S \) \ M S\ (is \single_agent_program ?\ \ M S\) proof - from assms(2) have c: \complies S ?\\ using model_exists by (simp add: someI2_ex) moreover have \single_agent ?\ \ M\ proof fix a \ \ show \\(\, \) \ (\\. (\, basic a) \ \) \ \ \ \<^bold>\\<^sub>P \<^bold>\ \ ?\ a (\, \) \ None \ \ the (?\ a (\, \)) \<^bold>\\<^sub>P \<^bold>\\ proof assume \\(\, \)\ show \(\\. (\, basic a) \ \) \ \ \ \<^bold>\\<^sub>P \<^bold>\ \ ?\ a (\, \) \ None \ \ the (?\ a (\, \)) \<^bold>\\<^sub>P \<^bold>\\ proof assume \\\. (\, basic a) \ \\ with assms(3) have a: \a \ set (map fst S)\ by simp then obtain \ hts where \(a, \, hts) \ set S\ by auto with assms(2) have \complies_hts (a, \, hts) ?\\ using c unfolding complies_def by simp have \\ht\set hts. \(\, \) \ \ \ \<^bold>\\<^sub>P \<^bold>\ \ ?\ a (\, \) \ None \ \the (?\ a (\, \)) \<^bold>\\<^sub>P \<^bold>\\ proof fix ht assume \ht \ set hts\ with \complies_hts (a, \, hts) ?\\ \\(\, \)\ assms(1) have \complies_ht (\, \) ?\ \ (the (htb_basic_unpack ht))\ (is \complies_ht (\, \) ?\ \ ?ht\) unfolding complies_hts_def by simp then have \complies_ht (\, \) ?\ \ (fst ?ht, fst (snd ?ht), snd (snd ?ht))\ by simp then have \(\ fst (\, \) \<^bold>\\<^sub>P \<^bold>\ \ ?\ (fst (snd ?ht)) (\, \) \ None \ \the (?\ (fst (snd ?ht)) (\, \)) \<^bold>\\<^sub>P \<^bold>\)\ using complies_ht.simps by blast moreover from assms(2) have \fst (snd (the (htb_basic_unpack ht))) = a\ using \(a, \, hts) \ set S\ \ht \ set hts\ unfolding is_ht_specification_def by simp ultimately show \\ (\, \) \ \ \ \<^bold>\\<^sub>P \<^bold>\ \ ?\ a (\, \) \ None \ \the (?\ a (\, \)) \<^bold>\\<^sub>P \<^bold>\\ by simp qed with assms(2) \\(\, \)\ show \\ \ \<^bold>\\<^sub>P \<^bold>\ \ ?\ a (\, \) \ None \ \the (?\ a (\, \)) \<^bold>\\<^sub>P \<^bold>\\ using \(a, \, hts) \ set S\ unfolding is_ht_specification_def by auto qed qed show \?\ a (\, \) \ None \ (\\. (\, basic a) \ \)\ using c assms(3) unfolding complies_def by auto qed (simp add: assms(1)) ultimately show \single_agent_program ?\ \ M S\ using assms(2) single_agent_program_axioms.intro single_agent_program.intro by simp qed end