AAT Part II

Laws and Witnesses

This cluster explains how design principles become invariant families and how architecture breakage is represented by selected obstruction witnesses rather than by a vague failure label.

Canonical source

Chapters 3-4 in the AAT text

AAT release snapshot

Updated: 2026-05-15
Docs source commit: e4a27d9
Lean status: `lake build` passed for this snapshot; see local status notes and Status page.

Boundary note

Zero curvature names required obstruction-free status inside a selected law universe. It is not an unconditional claim about runtime behavior, semantic flatness, empirical risk, or differential-geometric curvature.

Invariant families

An `Invariant` is a property an architecture object or operation is expected to preserve. Design principles induce families of operations that preserve, reflect, improve, localize, translate, or transfer invariants; the principle itself is not treated as one universal mathematical operation.

Local contract layer SRP, OCP, LSP, ISP, and DIP organize contracts, abstraction, substitutability, and interface separation.
Global structure layer Layered and Clean Architecture handle ranking, dependency direction, acyclicity, decomposition, and boundary preservation.
State and runtime layers Event Sourcing, Saga, CRUD, Circuit Breaker, and Replicated Log carry replay, compensation, overwrite, protection, ordering, and convergence laws.

Obstruction witnesses

An `ObstructionWitness` structurally explains why a desired law does not hold. A forbidden static edge, hidden interaction, boundary policy violation, projection failure, LSP mismatch, non-commuting semantic diagram, runtime exposure, lifting failure, or residual coverage gap can all be witnesses when they live in the selected universe.

Finite witness kernel

violatingWitnesses bad xs
  = xs filtered by bad

violationCount bad xs = 0
  <-> every measured witness is not bad

Zero-curvature reading

The central theorem package connects semantic lawfulness, selected required witness absence, and selected required signature axes being zero. The connection is nontrivial: it requires witness completeness, axis exactness, coverage completeness, and observation exactness.

Required obstruction vanishing

finite law universe
  + theorem boundary B
  + complete witness coverage
  + required axis exactness
  ->
  ArchitectureLawfulWithin X B
    <-> no selected required obstruction witness
    <-> required signature axes are zero

SOLID is not treated as a universal architecture principle. It is one local-contract family among distinct global, state-transition, runtime, and distributed invariant families.

Theorem pattern

The law-to-witness connection is not definitional. A finite witness report becomes a semantic lawfulness claim only after the theorem boundary supplies the missing exactness and coverage hypotheses.

Semantic predicate `SemanticLawful X L` says the selected law universe is satisfied under the selected observation.
Witness predicate `NoRequiredWitness X W` says no required bad witness appears in the selected finite witness family.
Signature predicate `RequiredSignatureAxesZero X S` says the required measured axes are zero, not that every possible axis is safe.

Bridge assumptions

WitnessComplete(L, W)
  + AxisExact(W, S)
  + CoverageComplete(boundary)
  + ObservationExact(context)
  ->
  SemanticLawful X L
    <-> NoRequiredWitness X W
    <-> RequiredSignatureAxesZero X S

Main theorem schema

The zero-curvature theorem is the central lawfulness bridge. It is stated as a schema because the law universe, witness family, signature axes, and observation model vary across structural, projection, semantic, runtime, and extension readings.

Required obstruction vanishing theorem

Given:
  finite law universe L
  selected witness family W
  selected signature axes S
  theorem boundary B

Assuming:
  WitnessComplete(L, W)
  AxisExact(W, S)
  CoverageComplete(B)
  ObservationExact(B)

Then, within B:
  SemanticLawful X L
    <-> NoRequiredWitness X W
    <-> RequiredSignatureAxesZero X S

This theorem shape is also the guardrail for readability. A dashboard zero, a passing local contract, or a missing witness list becomes a lawfulness statement only when the stated completeness and exactness assumptions are available.

Claim	Current Lean status	Boundary	Non-conclusion	Source
Finite witness-count zero kernel	`proved`	Selected finite witness list and bad predicate.	Does not prove global absence outside the selected list.	Lean theorem index, flatness / witness-count entries.
Required law / required axis exactness bridge	`proved` for current static structural core	Explicit law-family, witness-coverage, axis-exactness, universe, coverage, and observation assumptions.	Does not automatically include runtime, semantic, empirical, or extractor-completeness claims.	AAT Status page and proof-obligation ledger.
General zero-curvature schema across all law families	`future proof obligation` / theorem schema	Requires a law-specific witness family, axis exactness, and observation exactness.	Not a universal theorem for every design principle or repository.	AAT mathematical theory and proof obligations.

Law universe

A `LawUniverse` collects required laws, optional laws, derived laws, witness families, and the observation boundary used to read them. AAT does not identify lawfulness with witness absence at the definition level; the equivalence is a theorem package that needs completeness and exactness assumptions.

Lawful-within reading

ArchitectureLawfulWithin X B
  := SemanticLawful X B.lawUniverse
     under B.coverage / B.exactness / B.observation

This distinction prevents a finite report from silently turning into a global claim. The report may certify the absence of selected required witnesses; the theorem boundary states when that absence is enough to read semantic lawfulness inside the chosen universe.

Examples

A local LSP contract can be lawful for selected client contexts while the overall dependency graph remains cyclic. A layered ranking can be lawful for static dependencies while a runtime callback still crosses a protected boundary. A Saga law can hold for a compensation relation without proving anything about distributed convergence.

Local contract witness An observation mismatch for a selected client context.
Global structure witness A forbidden dependency direction, cycle, or boundary crossing in the selected static universe.
Runtime witness A propagation, exposure, retry, or protection failure in a separate runtime observation layer.

Lean status

The generic witness-count kernel and required law / axis exactness bridge are part of the current proved static core. The broader design-principle classification remains a boundary discipline: SOLID, Layered, Clean Architecture, Event Sourcing, Saga, CRUD, Circuit Breaker, and Replicated Log are organized as different invariant families, not one Lean theorem scheme.

A zero witness count means zero selected bad witnesses in the measured finite universe. It does not erase unmeasured axes, optional laws, runtime evidence gaps, or empirical risk.