{"id":50602089,"url":"https://github.com/chantakan/verified-mbse","last_synced_at":"2026-06-05T19:02:09.389Z","repository":{"id":350539543,"uuid":"1207048238","full_name":"chantakan/verified-mbse","owner":"chantakan","description":"Formally verified MBSE framework in Lean 4 — dependent type semantics for SysML v2 / KerML with V\u0026V matrix completeness by type checking","archived":false,"fork":false,"pushed_at":"2026-04-21T10:18:30.000Z","size":209,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-21T12:29:11.069Z","etag":null,"topics":["dependent-types","formal-verification","lean4","mathlib4","mbse","model-based-systems-engineering","sysml","systems-engineering"],"latest_commit_sha":null,"homepage":"https://chantakan.github.io/verified-mbse/","language":"Lean","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chantakan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-10T14:17:33.000Z","updated_at":"2026-04-21T10:18:34.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/chantakan/verified-mbse","commit_stats":null,"previous_names":["chantakan/verified-mbse"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/chantakan/verified-mbse","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chantakan%2Fverified-mbse","tags_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/chantakan%2Fverified-mbse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chantakan%2Fverified-mbse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chantakan%2Fverified-mbse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chantakan","download_url":"https://codeload.github.com/chantakan/verified-mbse/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chantakan%2Fverified-mbse/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33955544,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-05T02:00:06.157Z","response_time":120,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependent-types","formal-verification","lean4","mathlib4","mbse","model-based-systems-engineering","sysml","systems-engineering"],"created_at":"2026-06-05T19:02:08.516Z","updated_at":"2026-06-05T19:02:09.384Z","avatar_url":"https://github.com/chantakan.png","language":"Lean","funding_links":[],"categories":[],"sub_categories":[],"readme":"# verified-mbse\n\n**Machine-verified V\u0026V matrices for spacecraft systems engineering.**\n\nA Lean 4 library that gives SysML v2 / KerML design models a dependent type-theoretic semantics.\nIf your model type-checks, your V\u0026V matrix 
is complete and your design constraints are proven correct.\n\n\u003e `lake build` passing with zero `sorry` = every specification verified, every V-matrix cell filled.\n\n## The Problem\n\nSystems engineers maintain V\u0026V matrices — tables that map requirements to verification evidence — in spreadsheets, wikis, or DOORS. This creates three failure modes:\n\n1. **Gaps go unnoticed.** A cell is empty or says \"TBD\" but nobody catches it before launch review.\n2. **Evidence is disconnected.** The proof that \"power budget holds across all mode combinations\" lives in a separate analysis tool with no formal link to the design model.\n3. **Composition is unchecked.** Two subsystems are individually correct, but their integration breaks an assumption neither team documented.\n\n`verified-mbse` eliminates all three by encoding V\u0026V as types:\n\n```\nVVRecord = { spec : Prop,  verified : spec,  validation : ValidationTrace spec }\n           ─────────────   ───────────────   ─────────────────────────────────\n           requirement     machine proof      confidence trace (→ trusted)\n```\n\nIf a `VVRecord` exists, the requirement is proven. If a `VMatrix.Complete` theorem compiles, every cell is filled.\n\n## Quick Start\n\n### 1. Add to your project\n\n```lean\n-- lakefile.lean\nrequire verifiedMbse from git\n  \"https://github.com/chantakan/verified-mbse.git\"\n```\n\n### 2. 
Define components and a state machine\n\n```lean\nimport VerifiedMBSE\n\nopen VerifiedMBSE.Core\nopen VerifiedMBSE.Behavior\nopen VerifiedMBSE.VV\n\n-- A component with ports and an invariant\ndef PowerSupply : PartDef :=\n  { baseType  := { name := some \"PowerSupply\" }\n    ports     := [pwrOutPort]\n    invariant := True }\n\n-- State machine: invariant preservation is a *type-level contract*\n-- (transitions that violate it simply won't compile)\ndef epsSM : StateMachine EPSMode Nat (fun _ v =\u003e v ≤ 1000) where\n  initialState := .nominal\n  transitions  := [nominalToLowPower, lowPowerToFault, ...]\n```\n\n### 3. Bundle everything into one `SubSystemSpec`\n\n```lean\ndef epsSpec : SubSystemSpec epsSM :=\n  { structural := epsStructural   -- System + WellFormed proof\n    behavioral := epsBehavioral   -- NonEmpty (Kripke-generalized)\n    fdir       := epsFDIR }       -- Safety + Detection + Recovery proofs\n```\n\nThis single value proves: the structure is well-formed, the state machine preserves its invariant, and all three FDIR requirements hold.\n\n### 4. 
Compose subsystems (N-way nested composition supported)\n\n```lean\n-- 2 subsystems\ndef epsAocsPK : ProductKripke epsSM aocsSM := ⟨⟩\ndef epsAocsSpec : SubSystemSpec epsAocsPK :=\n  SubSystemSpec.compose epsSpec aocsSpec epsAocsPK\n    epsSM_WellFormed.nonEmpty aocsSM_WellFormed.nonEmpty [] (by intros; contradiction)\n\n-- 3 subsystems (nested) — enabled by B-8 ProductKripke generalization\ndef epsAocsTcsPK : ProductKripke epsAocsPK tcsSM := ⟨⟩\ndef epsAocsTcsSpec : SubSystemSpec epsAocsTcsPK :=\n  SubSystemSpec.compose epsAocsSpec tcsSpec epsAocsTcsPK\n    epsAocsSpec.behavioral.nonEmpty tcsSM_WellFormed.nonEmpty [] (by intros; contradiction)\n\n-- N subsystems via variadic API (B-8d) — List.foldl-based composition\ndef sats : Option SubSystemPayload :=\n  SubSystemPayload.composeMany\n    [ SubSystemPayload.ofSpec epsSpec\n    , SubSystemPayload.ofSpec aocsSpec\n    , SubSystemPayload.ofSpec tcsSpec\n    , SubSystemPayload.ofSpec ttcSpec ]\n```\n\nThe composed spec auto-derives FDIR safety / detection / recovery for the product.\nSee [Variadic Composition Guide](docs/VariadicComposition.md) for details on the B-8d API.\n\n### 5. Build the V-Matrix and prove completeness\n\n```lean\nopen VerifiedMBSE.Matrix\n\ndef satellite : VMatrix :=\n  { columns := [epsColumn, aocsColumn, tcsColumn, ttcColumn] }\n\n-- This theorem IS the verification: no gaps in the V-matrix.\ntheorem sat_complete : satellite.Complete [\"EPS\", \"AOCS\", \"TCS\", \"TTC\"] := by\n  constructor\n  · intro s hs; ...   -- every subsystem has a column\n  · intro col hcol; ... -- every column covers all layers\n```\n\n### 6. 
Generate human-readable outputs\n\n```lean\nopen VerifiedMBSE.Output\n\n#eval IO.println (satellite.toMarkdown \"MySatellite\")\n#eval IO.println (satellite.toTerminal \"MySatellite\")\n```\n\nOutput:\n```\n═══════════════════════════════════════════\n  V-Matrix: MySatellite\n  4 subsystems │ 25 records │ ALL TRUSTED\n═══════════════════════════════════════════\n  EPS  [5] ████████████████████ 100%\n  AOCS [6] ████████████████████ 100%\n  TCS  [8] ████████████████████ 100%\n  TTC  [6] ████████████████████ 100%\n═══════════════════════════════════════════\n  Completeness: ✓ All layers covered\n═══════════════════════════════════════════\n```\n\n## Module Structure\n\n```\nVerifiedMBSE/\n├── Core/                    # Domain-independent type-theoretic foundations\n│   ├── KerML.lean           #   Element, KerMLType, Feature, Direction\n│   ├── Port.lean            #   PortDef, Conjugation, compatible\n│   ├── Specialization.lean  #   Specialization (preorder), FeatureTyping, Interpretation\n│   ├── Component.lean       #   PartDef, PortRef, Connector, System, WellFormed\n│   ├── Compose.lean         #   System.compose, compose_WellFormed\n│   └── Interpretation.lean  #   PartInstance, ConnectorSemantic, categorical laws\n│\n├── Behavior/                # Behavioral models (Kripke-generalized LTL)\n│   ├── StateMachine.lean    #   Transition, StateMachine, Reachable, inv_holds\n│   ├── Temporal.lean        #   Always (□), Eventually (◇), Next, Until, Leads\n│   ├── KripkeStructure.lean #   KripkeStructure + ToKripke type class (B-1)\n│   ├── StateMachineKripke.lean #   StateMachine → KripkeStructure instance\n│   ├── StateMachineLTL.lean    #   Dot-notation for sm.Always / sm.Eventually\n│   ├── Product.lean         #   ProductStateMachine (abbrev of ProductKripke)\n│   ├── ProductKripke.lean   #   ProductKripke (N-way nested, B-8)\n│   ├── ProductTemporal.lean #   Always_prod / Eventually_prod / Leads_prod lifting\n│   └── FDIR.lean            #   FDIRSpec, 
StateMachineComponent\n│\n├── VV/                      # Verification \u0026 Validation framework\n│   ├── Layer.lean           #   Layer (8-level ECSS-E-ST-10C: mission→part)\n│   ├── Evidence.lean        #   ValidationEvidence, isTrusted, ValidationTrace, VVRecord\n│   ├── SubSystemSpec.lean   #   StructuralSpec, BehavioralSpec, FDIRBundle, SubSystemSpec\n│   ├── VVBundle.lean        #   mkComponentRecord, SubSystemVVBundle, allRecords\n│   ├── Power.lean           #   ModePowerSpec, PowerBudgetOK₂\n│   ├── Propagation.lean     #   LayerPropagation, depth-based supports\n│   ├── Contract.lean        #   Contract, ContractedSystem, CouplingConstraint\n│   ├── ProductFDIR.lean     #   FDIRBundle.compose, SubSystemSpec.compose (N-way)\n│   └── VariadicCompose.lean #   SubSystemPayload, composeMany (B-8d variadic)\n│\n├── Matrix/                  # V-matrix construction\n│   ├── VColumn.lean         #   VColumn, atLayer, Complete, fullyTrusted (struct-discrim)\n│   ├── VMatrix.lean         #   VMatrix, SubSystemComplete, Complete\n│   ├── Query.lean           #   column, cell, allRecords, summary\n│   └── ModelBoundary.lean   #   ModelBoundary (vm : VMatrix) — dependently typed\n│\n├── Output/                  # Human-readable output generation\n│   ├── Render.lean          #   indent, typeName, layerToAbbr (8-layer)\n│   ├── SysML.lean           #   → SysML v2 textual notation\n│   ├── StateMachineSysML.lean # → SysML v2 state def\n│   ├── Markdown.lean        #   → Markdown table\n│   └── Terminal.lean        #   → Terminal summary with confidence bars\n│\n└── Equivalence/             # HoTT-inspired equivalence (advanced)\n    ├── ComponentEquiv.lean  #   PortEquiv, ComponentEquiv, Substitutable\n    ├── Refinement.lean      #   DesignEquiv, RequirementRefinement\n    ├── Abstraction.lean     #   AbstractionLevel, DesignParameter\n    └── Univalence.lean      #   DesignSpace (quotient), ua/ua_inv, Transport, Fiber\n\nExamples/Spacecraft/         # Full satellite 
case study + acceptance tests\n├── EPS.lean                 #   Electric Power Subsystem (+ EPSTypeTag F8 pattern)\n├── AOCS.lean                #   Attitude \u0026 Orbit Control\n├── TCS.lean                 #   Thermal Control (mode-dependent invariants)\n├── TTC.lean                 #   Telemetry, Tracking \u0026 Command\n├── Satellite.lean           #   V-Matrix + completeness + ModelBoundary\n├── Integration.lean         #   2-way and 3-way nested composition sanity tests\n├── F1F2Tests.lean           #   Evidence parameterization + mixed-evidence tests\n├── F3F5F6Tests.lean         #   Specialization preorder, Layer 8-level, ModelBoundary type-binding\n├── F8Tests.lean             #   Interpretation pattern (EPSTypeTag + exhaustive dispatch)\n└── VariadicComposeTests.lean #  B-8d payload / compose / composeMany sanity tests\n```\n\n## Key Types at a Glance\n\n| Type | What it is | Why it matters |\n|------|-----------|----------------|\n| `PartDef` | Component with ports + invariant | Invariant is a `Prop` — must be proven at instantiation |\n| `Connector` | Port-to-port connection | Carries a `compatible` proof — incompatible ports won't compile |\n| `System.WellFormed` | All connectors reference valid parts | Structural soundness as a theorem |\n| `Transition.preserves` | Invariant preserved across state change | Transitions that break invariants are **unconstructible** |\n| `Reachable.inv_holds` | Safety theorem | Every reachable state satisfies the invariant — by induction |\n| `ToKripke α S D` | Type class lifting α to KripkeStructure | Unifies LTL over StateMachine / ProductKripke / future continuous-time |\n| `ProductKripke x y` | Heterogeneous product of Kripke structures | Enables N-way nested composition (3+ subsystems) |\n| `SubSystemSpec` | Structure + behavior + FDIR | One value = complete subsystem verification |\n| `SubSystemSpec.compose` | Parallel composition of two specs | Composes FDIR, spawns auto-derived bridge Records |\n| 
`SubSystemPayload` | Anonymous wrapper bundling `α / S / D / ToKripke / x / spec` | Enables `List`-based variadic composition across heterogeneous specs (B-8d) |\n| `SubSystemPayload.composeMany` | `List.foldl`-based N-way composition | One-shot composition of N subsystems (B-8d) |\n| `SubSystemPayload.composeWithBridge` | 2-ary payload composition with bridge connectors | Inter-subsystem connectors at the payload level (B-8e) |\n| `VVRecord` | Machine proof + validation trace | The atomic unit of V\u0026V evidence |\n| `ValidationEvidence` | `.trusted` / `.contract` / `.confidence` | 3-level confidence hierarchy; `isTrusted` by constructor (no Float equality) |\n| `VMatrix.Complete` | No gaps in the V-matrix | **The main theorem** — if it compiles, you're done |\n| `Contract` | Assume-guarantee pair with validity proof | Integration obligations become type errors when missing |\n| `ContractedSystem` | Contracts + coupling constraints, all discharged | Catches the \"individually correct, jointly broken\" failure mode |\n| `ModelBoundary (vm)` | **Dependently-typed** verified/tested/analyzed/unmodeled split | `verifiedCount` auto-derived from `vm.totalRecords` — no manual sync |\n| `Layer` | 8 levels: mission → part (ECSS-E-ST-10C) | depth-based `supports` relation; new levels added without case explosion |\n| `DesignSpace` | `PartDef / ComponentEquiv` quotient | Univalence: equivalent components are equal in design space |\n| `ua` / `ua_inv` | Equiv ↔ equality in `DesignSpace` | HoTT univalence via setoid quotient — sorry-free |\n\n## Design Principles\n\n1. **Declarative.** Define a `SubSystemSpec`; proofs and VVRecords are derived.\n2. **Verifiable.** `lake build` = all proofs checked. Zero `sorry` = zero gaps.\n3. **Readable.** V-Matrix output in Markdown, terminal, and SysML v2 text.\n4. **Composable.** N-way nested subsystem composition via `ProductKripke`, plus variadic `composeMany` over `List SubSystemPayload`.\n5. 
**Extensible.** Domain-independent core; spacecraft examples are separate.\n6. **Typed discipline.** `ModelBoundary (vm : VMatrix)`, `EPSTypeTag` enum for interpretations — structural checks over string matching.\n\n## Documentation\n\n- **[API Reference](https://chantakan.github.io/verified-mbse/)** — doc-gen4 generated (auto-deployed via GitHub Pages)\n- **[Architecture Guide](docs/Architecture.md)** — Type-theoretic foundations, design decisions, proof patterns\n- **[Tutorial: Adding a New Subsystem](docs/Tutorial.md)** — Step-by-step walkthrough\n- **[Interpretation Pattern](docs/InterpretationPattern.md)** — Best practices for `KerMLType → Type` interpretations (F8)\n- **[Variadic Composition Guide](docs/VariadicComposition.md)** — `SubSystemPayload` and `composeMany` for N-way composition (B-8d)\n\n## Requirements\n\n- Lean 4 (v4.30.0-rc1)\n- Mathlib\n\n## Statistics\n\n| | Files | Lines | sorry | warnings |\n|---|---|---|---|---|\n| Library (VerifiedMBSE/) | 37 | ~4,450 | 0 | 0 |\n| Examples (satellite + tests) | 11 | ~3,630 | 0 | 0 |\n| Acceptance tests | ~100 examples | — | — | — |\n\nBuild: `lake build VerifiedMBSE` (177 jobs) + `lake build Examples` (187 jobs), all passing with zero sorry/warnings.\n\n## License\n\nApache 2.0","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchantakan%2Fverified-mbse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchantakan%2Fverified-mbse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchantakan%2Fverified-mbse/lists"}
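The README's central claim is that V&V obligations become types: a transition that breaks the invariant has no `preserves` proof and so cannot be constructed, reachability safety follows by induction, and a completeness theorem fails to compile when a layer has no record. The block below is an added, self-contained illustration of that encoding, written for this page; it is not code from the verified-mbse repository and none of its names (`Transition`, `StateMachine`, `Reachable.inv_holds`, `VVRecord`, `VColumn.Complete`, the three-level `Layer`, the EPS figures) are the library's actual definitions, even where they echo the README's table. It needs only core Lean 4 (no Mathlib, no `import VerifiedMBSE`).

```lean
-- Standalone Lean 4 (core only). Added illustration of the README's pattern;
-- every name below is defined here and is NOT the library's own API.

/-- Verification layers as an enum rather than strings (cut down from the
    README's 8-level list; constructed for this example). -/
inductive Layer where
  | system | subsystem | component
  deriving DecidableEq, Repr

/-- A transition carries the proof that it preserves the invariant.
    No proof, no value: a violating transition cannot appear in the list. -/
structure Transition (S V : Type) (inv : S → V → Prop) where
  src : S
  dst : S
  step : V → V
  preserves : ∀ v, inv src v → inv dst (step v)

structure StateMachine (S V : Type) (inv : S → V → Prop) where
  initialState : S
  initialValue : V
  initOK : inv initialState initialValue
  transitions : List (Transition S V inv)

/-- Reachable configurations: the initial one, or one listed transition
    applied to a reachable configuration. -/
inductive Reachable {S V : Type} {inv : S → V → Prop}
    (sm : StateMachine S V inv) : S → V → Prop where
  | init : Reachable sm sm.initialState sm.initialValue
  | step (t : Transition S V inv) (ht : t ∈ sm.transitions) (v : V)
      (h : Reachable sm t.src v) : Reachable sm t.dst (t.step v)

/-- Safety: every reachable configuration satisfies the invariant, by
    induction on the derivation; each step is closed by `t.preserves`. -/
theorem Reachable.inv_holds {S V : Type} {inv : S → V → Prop}
    {sm : StateMachine S V inv} {s : S} {v : V}
    (h : Reachable sm s v) : inv s v := by
  induction h with
  | init => exact sm.initOK
  | step t _ w _ ih => exact t.preserves w ih

-- Toy EPS model (figures constructed here): bus load must stay ≤ 1000 W.
inductive EPSMode where
  | nominal | lowPower | fault
  deriving DecidableEq, Repr

abbrev busOK : EPSMode → Nat → Prop := fun _ v => v ≤ 1000

/-- Load shedding halves the bus load; the obligation is v / 2 ≤ 1000. -/
def nominalToLowPower : Transition EPSMode Nat busOK where
  src := .nominal
  dst := .lowPower
  step := fun v => v / 2
  preserves := fun v h => Nat.le_trans (Nat.div_le_self v 2) h

/-- Entering fault mode leaves the load unchanged. -/
def lowPowerToFault : Transition EPSMode Nat busOK where
  src := .lowPower
  dst := .fault
  step := id
  preserves := fun _ h => h

-- A transition with `step := fun v => v + 500` cannot be written: its
-- `preserves` field would need `v + 500 ≤ 1000` from `v ≤ 1000`, which has
-- no proof, so the definition is rejected when the file is checked.

def epsSM : StateMachine EPSMode Nat busOK where
  initialState := .nominal
  initialValue := 800
  initOK := by show 800 ≤ 1000; decide
  transitions := [nominalToLowPower, lowPowerToFault]

/-- A V&V record is the requirement together with its machine proof. -/
structure VVRecord where
  layer : Layer
  spec : Prop
  verified : spec

/-- Subsystem-level record: the reachability safety theorem for epsSM. -/
def epsSafety : VVRecord :=
  { layer := .subsystem
    spec := ∀ s v, Reachable epsSM s v → busOK s v
    verified := fun _ _ h => Reachable.inv_holds h }

/-- Component-level record: fault detection starts exactly where load
    shedding ends, checked by definitional unfolding. -/
def modeChain : VVRecord :=
  { layer := .component
    spec := nominalToLowPower.dst = lowPowerToFault.src
    verified := rfl }

structure VColumn where
  name : String
  records : List VVRecord

/-- Completeness: every required layer has at least one record. -/
abbrev VColumn.Complete (c : VColumn) (required : List Layer) : Prop :=
  ∀ l, l ∈ required → ∃ r, r ∈ c.records ∧ r.layer = l

def epsColumn : VColumn := { name := "EPS", records := [epsSafety, modeChain] }

/-- The gap check is a theorem evaluated by `decide`; remove `modeChain`
    from `epsColumn` and this declaration no longer compiles. -/
theorem eps_complete : epsColumn.Complete [.subsystem, .component] := by
  decide
```

Two practitioner caveats apply to the real library as much as to this toy. First, a passing build certifies exactly the `spec` propositions as written: if `busOK` is the wrong requirement, the proof is a faithful proof of the wrong thing, so requirement review still happens in the model text, not in the type checker. Second, the README's `ValidationEvidence` hierarchy has `.contract` and `.confidence` levels alongside `.trusted`; only the `verified : spec` field is a machine proof, so a reviewer should inspect the evidence level of every record and run `#print axioms` on the completeness theorem to see which axioms the proofs rest on.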