(** * Envelope: 6D++ + 7D Envelope Definitions for MASIR-ND

    This file defines the enforcement envelope structure used throughout
    MASIR-ND for safe multi-agent coordination.

    - 6D++ Enforcement Layer (8 fields):
      A+, A-, B, tau, d, R, SemanticRef, ContextRef
      - SemanticRef: Reference to 7D Semantic layer
      - ContextRef: UUID for context tracking (fixed-length)
    - 7D Semantic Layer: What, Who, Whom, When, Where, Why, How
    - 13D Full Envelope: 6D++ + 7D combined
*)

Require Import Coq.Sets.Ensembles.
Require Import Coq.Arith.PeanoNat.
Require Import Coq.Lists.List.
Require Import Coq.Strings.String.
Require Import Lia.
Import ListNotations.

(** ** Basic Types *)

(** Actions are abstract identifiers ([nat]). In this file they are never
    inspected structurally, only tested for set membership in [A_plus] /
    [A_minus]. *)
Definition Action := nat.

(** ** 6D++ Enforcement Envelope (8 fields) *)

(** The 6D++ enforcement layer. [A_plus] and [A_minus] have type
    [Ensemble Action], i.e. [Action -> Prop]: membership is a logical
    predicate, not a computable test, so everything built on this record
    ([effective_actions], [reference_monitor]) is a specification rather
    than executable code. The numeric ranges noted on the fields are
    conventions; only [valid_6D] (Tau, Risk <= 100, Budget > 0) enforces
    any of them. *)
Record Envelope6D := mk6D {
  A_plus      : Ensemble Action;   (* Permitted actions whitelist (Action -> Prop) *)
  A_minus     : Ensemble Action;   (* Forbidden actions blacklist; an action in both sets is denied by reference_monitor *)
  Budget      : nat;               (* Resource budget B; valid_6D requires B > 0 *)
  Tau         : nat;               (* Trust level, intended range 0-100 (bounded only by valid_6D) *)
  Depth       : nat;               (* Max delegation depth d; no upper bound is enforced anywhere in this file *)
  Risk        : nat;               (* Risk tolerance R, intended range 0-100 (bounded only by valid_6D) *)
  SemanticRef : nat;               (* Reference to 7D Semantic layer; compared by equality in reference_monitor *)
  ContextRef  : nat                (* Context reference; modelled as nat, so the design's "fixed-length UUID"
                                      property is not enforced by this type *)
}.

(** ** 7D Semantic Envelope *)

(** The 7D semantic layer. None of these fields is consulted by
    [reference_monitor], which takes an [Envelope6D] only; the single
    structural constraint placed on them in this file is [valid_13D],
    which bounds [length W_whom] by the enforcement [Depth]. *)
Record Envelope7D := mk7D {
  W_what  : string;            (* Task specification *)
  W_who   : string;            (* Executing agent identity (not checked by the monitor) *)
  W_whom  : list string;       (* Beneficiary/accountability chain; length bounded by Depth via valid_13D *)
  W_when  : nat;               (* Temporal constraint *)
  W_where : string;            (* Execution scope *)
  W_why   : string;            (* Intent/purpose *)
  W_how   : string             (* Method/approach *)
}.

(** ** 13D Full Envelope (6D++ + 7D) *)

(** Full 13D envelope: the enforcement layer checked by [reference_monitor]
    paired with the descriptive semantic layer. [extract_6D] recovers the
    former unchanged. *)
Record Envelope13D := mk13D {
  enforcement : Envelope6D;   (* 6D++ layer, the only part the monitor evaluates *)
  semantics   : Envelope7D    (* 7D layer, coupled to enforcement only through valid_13D *)
}.

(** ** Effective Actions *)

(** Effective permitted actions: A+ \ A-. [Setminus] unfolds to
    [fun a => In A+ a /\ ~ In A- a], which is exactly the pair of set
    conjuncts [reference_monitor] checks, so the two agree on overlap:
    an action listed in both sets is not effective. *)
Definition effective_actions (env : Envelope6D) : Ensemble Action :=
  Setminus Action (A_plus env) (A_minus env).

(** ** Envelope Validity *)

(** Well-formedness of the enforcement layer: the percentage-style fields
    are within 0-100 and the budget is non-zero. Nothing constrains
    [Depth], and [A_plus] / [A_minus] are allowed to overlap; an action in
    both sets is denied by [reference_monitor], which requires membership
    in [A_plus] and non-membership in [A_minus]. *)
Definition valid_6D (env : Envelope6D) : Prop :=
  Tau env <= 100 /\
  Risk env <= 100 /\
  Budget env > 0.

(** Placeholder: [length l >= 0] holds for every list, so this predicate
    is vacuous and gives no guarantee about the semantic layer. Any
    property a consumer needs from the 7D fields (e.g. a non-empty [W_who])
    is currently unenforced, and [valid_13D] inherits that gap. *)
Definition valid_7D (env : Envelope7D) : Prop :=
  List.length (W_whom env) >= 0.  (* Always true, but shows structure *)

(** Well-formedness of the full envelope: both layers valid, plus the
    6D/7D coupling that the accountability chain [W_whom] is no longer
    than the enforcement [Depth]. Because [valid_7D] is vacuous, this
    reduces to [valid_6D] of the enforcement layer plus the coupling. *)
Definition valid_13D (env : Envelope13D) : Prop :=
  valid_6D (enforcement env) /\
  valid_7D (semantics env) /\
  (* 6D-7D Coupling: depth bounds whom chain length *)
  List.length (W_whom (semantics env)) <= Depth (enforcement env).

(** ** Envelope Ordering (for delegation) *)

(** Delegation ordering: [child] is at most as permissive as [parent]
    (smaller whitelist, larger blacklist, smaller budget/trust/risk).
    NOTE(review): [Depth], [SemanticRef] and [ContextRef] are not compared,
    so a child may declare a larger delegation depth than its parent or
    reference a different context. That is inconsistent with [merge_6D],
    which takes the minimum [Depth] (and which [merge_closure] relies on);
    whether this ordering should also require [Depth child <= Depth parent]
    and matching references needs confirming against its callers. *)
Definition envelope_le (child parent : Envelope6D) : Prop :=
  Included Action (A_plus child) (A_plus parent) /\
  Included Action (A_minus parent) (A_minus child) /\
  Budget child <= Budget parent /\
  Tau child <= Tau parent /\
  Risk child <= Risk parent.

(** ** Utility Functions *)

(** Minimum of two naturals, written as an explicit case split on
    [Nat.leb] so that proofs can [destruct (Nat.leb a b)] directly. *)
Definition min_nat (a b : nat) : nat :=
  match Nat.leb a b with
  | true  => a
  | false => b
  end.
(** Maximum of two naturals via an explicit case split on [Nat.leb]
    (mirror image of [min_nat]). Not used by the proofs in this file. *)
Definition max_nat (a b : nat) : nat :=
  match Nat.leb a b with
  | true  => b
  | false => a
  end.

(** ** Envelope Merge Operation *)

(** Merge two enforcement envelopes (the operation used to derive a
    delegated/child envelope): permitted actions are intersected,
    forbidden actions are unioned and every numeric bound is the minimum,
    so the result is at most as permissive as either input (see
    [merge_closure] and [delegation_never_expands]).
    NOTE(review): [SemanticRef] and [ContextRef] are taken from [e1]
    unconditionally; nothing here requires [ContextRef e1 = ContextRef e2],
    so merging envelopes bound to different contexts silently rebinds the
    result to [e1]'s context and discards [e2]'s. Presumably callers check
    the references agree before merging — confirm. The merge is therefore
    commutative only in the numeric fields ([merge_numeric_comm]). *)
Definition merge_6D (e1 e2 : Envelope6D) : Envelope6D := mk6D
  (Intersection Action (A_plus e1) (A_plus e2))   (* A+ intersection *)
  (Union Action (A_minus e1) (A_minus e2))        (* A- union *)
  (min_nat (Budget e1) (Budget e2))               (* Budget min *)
  (min_nat (Tau e1) (Tau e2))                     (* Trust min *)
  (min_nat (Depth e1) (Depth e2))                 (* Depth min *)
  (min_nat (Risk e1) (Risk e2))                   (* Risk min *)
  (SemanticRef e1)                                (* SemanticRef: keep first/parent, e2's is dropped *)
  (ContextRef e1).                                (* ContextRef: keep first/parent, e2's is dropped *)

(** ** Core Properties *)

(** Merging two valid envelopes yields a valid envelope. Each bounded
    field of the result is one of the two inputs' fields (whichever
    [Nat.leb] selects), and both inputs satisfy the corresponding bound. *)
Theorem merge_preserves_validity : forall e1 e2,
  valid_6D e1 -> valid_6D e2 -> valid_6D (merge_6D e1 e2).
Proof.
  intros e1 e2 [HT1 [HR1 HB1]] [HT2 [HR2 HB2]].
  unfold valid_6D, merge_6D. simpl.
  unfold min_nat.
  (* One goal per conjunct of [valid_6D]: Tau, Risk, Budget, in that order.
     Case-split on the selecting comparison; the hypotheses from the
     matching input close each branch. *)
  repeat split;
    [ destruct (Nat.leb (Tau e1) (Tau e2))
    | destruct (Nat.leb (Risk e1) (Risk e2))
    | destruct (Nat.leb (Budget e1) (Budget e2)) ];
    lia.
Qed.

(** Merge is commutative for the four numeric fields. The set fields are
    excluded (equality of [Ensemble]s would need extensionality), and
    [SemanticRef]/[ContextRef] are excluded because [merge_6D] always keeps
    [e1]'s value, so the merge is genuinely not commutative there. *)
Theorem merge_numeric_comm : forall e1 e2,
  Budget (merge_6D e1 e2) = Budget (merge_6D e2 e1) /\
  Tau (merge_6D e1 e2) = Tau (merge_6D e2 e1) /\
  Depth (merge_6D e1 e2) = Depth (merge_6D e2 e1) /\
  Risk (merge_6D e1 e2) = Risk (merge_6D e2 e1).
Proof.
  intros. unfold merge_6D, min_nat. simpl.
  (* Symmetry of the unfolded [min_nat]; proved once and applied to each goal. *)
  assert (Hmin: forall a b, (if Nat.leb a b then a else b) = (if Nat.leb b a then b else a)).
  { intros. destruct (Nat.leb a b) eqn:H1; destruct (Nat.leb b a) eqn:H2.
    (* both true: a <= b and b <= a, so a = b *)
    - apply Nat.leb_le in H1. apply Nat.leb_le in H2. lia.
    (* mixed cases pick the same side on both ends *)
    - reflexivity.
    - reflexivity.
    (* both false is impossible: a > b and b > a *)
    - apply Nat.leb_gt in H1. apply Nat.leb_gt in H2. lia. }
  repeat split; apply Hmin.
Qed.

(** ** Default Envelopes *)

(** A permit-everything root envelope: every action is whitelisted, none
    is blacklisted, and trust is at the maximum [valid_6D] allows. Since
    [merge_6D] can only narrow an envelope ([merge_closure],
    [delegation_never_expands]), its safe role is as the starting point of
    a delegation chain, not as the envelope a worker agent runs under.
    The reference fields are 0, so a request carrying 0/0 references
    matches this envelope's last two monitor checks. *)
Definition default_6D : Envelope6D := mk6D
  (Full_set Action)    (* All actions permitted *)
  (Empty_set Action)   (* No actions forbidden *)
  1000                 (* Default budget *)
  100                  (* Max trust (upper bound of valid_6D) *)
  10                   (* Default depth limit *)
  50                   (* Medium risk tolerance *)
  0                    (* Default SemanticRef *)
  0.                   (* Default ContextRef (root context) *)

(** Default semantic layer. These values are descriptive only: none of
    them is examined by [reference_monitor], and the empty [W_whom] chain
    trivially satisfies the [valid_13D] coupling for any [Depth]. *)
Definition default_7D : Envelope7D := mk7D
  ""                   (* Empty task *)
  "system"             (* System agent *)
  []                   (* Empty whom chain *)
  0                    (* No time constraint *)
  "global"             (* Global scope *)
  "unspecified"        (* Unspecified intent *)
  "default".           (* Default method *)

(** Default full envelope: the permit-everything [default_6D] paired with
    [default_7D]. Inherits the root-only caveat of [default_6D]. *)
Definition default_13D : Envelope13D := mk13D default_6D default_7D.

(** ** Action Request for Reference Monitor *)

(** A request to be admitted by [reference_monitor]. Each field is
    compared against the like-named envelope dimension: [action] against
    [A_plus]/[A_minus], [cost] against [Budget], [required_trust] against
    [Tau], [current_depth] against [Depth], [action_risk] against [Risk],
    and the two references by equality against [SemanticRef]/[ContextRef]. *)
Record ActionRequest := mkActionRequest {
  action : Action;              (* Must be in A_plus and not in A_minus *)
  cost : nat;                   (* Must be <= Budget *)
  required_trust : nat;         (* Must be <= Tau *)
  current_depth : nat;          (* Must be <= Depth *)
  action_risk : nat;            (* Must be <= Risk *)
  required_semantic : nat;      (* Must equal SemanticRef *)
  required_context : nat        (* Must equal ContextRef *)
}.

(** ** Reference Monitor Definition *)

(** Admission predicate for a request against an envelope: all eight 6D++
    dimensions must pass. The set conjuncts are Prop-valued, so this is
    the specification an executable monitor must be proven to satisfy, not
    a decision procedure itself. Overlap resolves to deny: an action in
    both [A_plus] and [A_minus] fails the second conjunct. Reference
    fields must match exactly, so a request for a different context or
    semantic layer is rejected even when every bound holds (see
    [SemanticRef_necessary] and [ContextRef_necessary]). *)
Definition reference_monitor (env : Envelope6D) (req : ActionRequest) : Prop :=
  Ensembles.In Action (A_plus env) (action req) /\
  ~ Ensembles.In Action (A_minus env) (action req) /\
  cost req <= Budget env /\
  required_trust req <= Tau env /\
  current_depth req <= Depth env /\
  action_risk req <= Risk env /\
  required_semantic req = SemanticRef env /\
  required_context req = ContextRef env.

(* ============================================================ *)
(* THEOREM: 6D++ Minimality                                     *)
(* Each of the 8 dimensions is necessary                        *)
(* ============================================================ *)

(** [reference_monitor] with the A+ whitelist check removed. Used only to
    show in [Aplus_necessary] that the whitelist cannot be dropped. *)
Definition monitor_without_Aplus (env : Envelope6D) (req : ActionRequest) : Prop :=
  ~ Ensembles.In Action (A_minus env) (action req) /\
  cost req <= Budget env /\
  required_trust req <= Tau env /\
  current_depth req <= Depth env /\
  action_risk req <= Risk env /\
  required_semantic req = SemanticRef env /\
  required_context req = ContextRef env.

(** Witness: an envelope with an empty whitelist and empty blacklist, and
    a request for action 42 within every numeric bound. The weakened
    monitor admits it (nothing is forbidden), the full monitor rejects it
    because 42 is not whitelisted. *)
Theorem Aplus_necessary :
  exists env req, monitor_without_Aplus env req /\ ~ reference_monitor env req.
Proof.
  exists (mk6D (Empty_set Action) (Empty_set Action) 100 100 10 100 0 0).
  exists (mkActionRequest 42 10 50 1 30 0 0).
  split.
  - unfold monitor_without_Aplus. simpl.
    repeat split; try lia.
    (* remaining goal: ~ In (Empty_set Action) 42 *)
    intro H. inversion H.
  (* the first conjunct of the full monitor is In (Empty_set Action) 42 *)
  - unfold reference_monitor. intro H. destruct H as [H _]. inversion H.
Qed.

(** [reference_monitor] with the A- blacklist check removed. Used only to
    show in [Aminus_necessary] that the blacklist cannot be dropped. *)
Definition monitor_without_Aminus (env : Envelope6D) (req : ActionRequest) : Prop :=
  Ensembles.In Action (A_plus env) (action req) /\
  cost req <= Budget env /\
  required_trust req <= Tau env /\
  current_depth req <= Depth env /\
  action_risk req <= Risk env /\
  required_semantic req = SemanticRef env /\
  required_context req = ContextRef env.

(** Witness: action 1 is both whitelisted and blacklisted. The weakened
    monitor admits it, the full monitor rejects it on the [A_minus]
    conjunct — this is also the overlap case showing that deny wins. *)
Theorem Aminus_necessary :
  exists env req, monitor_without_Aminus env req /\ ~ reference_monitor env req.
Proof.
  exists (mk6D (Singleton Action 1) (Singleton Action 1) 100 100 10 100 0 0).
  exists (mkActionRequest 1 10 50 1 30 0 0).
  split.
  (* [constructor] discharges In (Singleton Action 1) 1 *)
  - unfold monitor_without_Aminus. simpl.
    repeat split; try lia; try constructor.
  (* H : ~ In (Singleton Action 1) 1, refuted by In_singleton *)
  - unfold reference_monitor. intro H.
    destruct H as [_ [H _]]. apply H. constructor.
Qed.

(** [reference_monitor] with the budget check removed. Used only to show
    in [B_necessary] that the budget bound cannot be dropped. *)
Definition monitor_without_B (env : Envelope6D) (req : ActionRequest) : Prop :=
  Ensembles.In Action (A_plus env) (action req) /\
  ~ Ensembles.In Action (A_minus env) (action req) /\
  required_trust req <= Tau env /\
  current_depth req <= Depth env /\
  action_risk req <= Risk env /\
  required_semantic req = SemanticRef env /\
  required_context req = ContextRef env.

(** Witness: a request costing 1000 against a budget of 10; every other
    check passes, so only the budget conjunct separates the two monitors. *)
Theorem B_necessary :
  exists env req, monitor_without_B env req /\ ~ reference_monitor env req.
Proof.
  exists (mk6D (Singleton Action 1) (Empty_set Action) 10 100 10 100 0 0).
  exists (mkActionRequest 1 1000 50 1 30 0 0).
  split.
  - unfold monitor_without_B. simpl.
    repeat split; try lia; try constructor.
    (* remaining goal: ~ In (Empty_set Action) 1 *)
    intro H. inversion H.
  (* H : 1000 <= 10 *)
  - unfold reference_monitor. intro H.
    destruct H as [_ [_ [H _]]]. simpl in H. lia.
Qed.

(** [reference_monitor] with the trust check removed. Used only to show
    in [tau_necessary] that the trust bound cannot be dropped. *)
Definition monitor_without_tau (env : Envelope6D) (req : ActionRequest) : Prop :=
  Ensembles.In Action (A_plus env) (action req) /\
  ~ Ensembles.In Action (A_minus env) (action req) /\
  cost req <= Budget env /\
  current_depth req <= Depth env /\
  action_risk req <= Risk env /\
  required_semantic req = SemanticRef env /\
  required_context req = ContextRef env.

(** Witness: a request requiring trust 90 against an envelope with trust
    level 50; only the trust conjunct separates the two monitors. *)
Theorem tau_necessary :
  exists env req, monitor_without_tau env req /\ ~ reference_monitor env req.
Proof.
  exists (mk6D (Singleton Action 1) (Empty_set Action) 100 50 10 100 0 0).
  exists (mkActionRequest 1 10 90 1 30 0 0).
  split.
  - unfold monitor_without_tau. simpl.
    repeat split; try lia; try constructor.
    (* remaining goal: ~ In (Empty_set Action) 1 *)
    intro H. inversion H.
  (* H : 90 <= 50 *)
  - unfold reference_monitor. intro H.
    destruct H as [_ [_ [_ [H _]]]]. simpl in H. lia.
Qed.

(** [reference_monitor] with the delegation-depth check removed. Used only
    to show in [d_necessary] that the depth bound cannot be dropped. *)
Definition monitor_without_d (env : Envelope6D) (req : ActionRequest) : Prop :=
  Ensembles.In Action (A_plus env) (action req) /\
  ~ Ensembles.In Action (A_minus env) (action req) /\
  cost req <= Budget env /\
  required_trust req <= Tau env /\
  action_risk req <= Risk env /\
  required_semantic req = SemanticRef env /\
  required_context req = ContextRef env.

(** Witness: a request at delegation depth 100 against a depth limit of 3;
    only the depth conjunct separates the two monitors. *)
Theorem d_necessary :
  exists env req, monitor_without_d env req /\ ~ reference_monitor env req.
Proof.
  exists (mk6D (Singleton Action 1) (Empty_set Action) 100 100 3 100 0 0).
  exists (mkActionRequest 1 10 50 100 30 0 0).
  split.
  - unfold monitor_without_d. simpl.
    repeat split; try lia; try constructor.
    (* remaining goal: ~ In (Empty_set Action) 1 *)
    intro H. inversion H.
  (* H : 100 <= 3 *)
  - unfold reference_monitor. intro H.
    destruct H as [_ [_ [_ [_ [H _]]]]]. simpl in H. lia.
Qed.

(** [reference_monitor] with the risk check removed. Used only to show in
    [R_necessary] that the risk bound cannot be dropped. *)
Definition monitor_without_R (env : Envelope6D) (req : ActionRequest) : Prop :=
  Ensembles.In Action (A_plus env) (action req) /\
  ~ Ensembles.In Action (A_minus env) (action req) /\
  cost req <= Budget env /\
  required_trust req <= Tau env /\
  current_depth req <= Depth env /\
  required_semantic req = SemanticRef env /\
  required_context req = ContextRef env.

(** Witness: an action of risk 90 against a tolerance of 50; only the
    risk conjunct separates the two monitors. *)
Theorem R_necessary :
  exists env req, monitor_without_R env req /\ ~ reference_monitor env req.
Proof.
  exists (mk6D (Singleton Action 1) (Empty_set Action) 100 100 10 50 0 0).
  exists (mkActionRequest 1 10 50 1 90 0 0).
  split.
  - unfold monitor_without_R. simpl.
    repeat split; try lia; try constructor.
    (* remaining goal: ~ In (Empty_set Action) 1 *)
    intro H. inversion H.
  (* H : 90 <= 50 *)
  - unfold reference_monitor. intro H.
    destruct H as [_ [_ [_ [_ [_ [H _]]]]]]. simpl in H. lia.
Qed.

(** [reference_monitor] with the semantic-reference equality removed.
    Used only to show in [SemanticRef_necessary] that binding a request
    to its semantic layer cannot be dropped. *)
Definition monitor_without_SemanticRef (env : Envelope6D) (req : ActionRequest) : Prop :=
  Ensembles.In Action (A_plus env) (action req) /\
  ~ Ensembles.In Action (A_minus env) (action req) /\
  cost req <= Budget env /\
  required_trust req <= Tau env /\
  current_depth req <= Depth env /\
  action_risk req <= Risk env /\
  required_context req = ContextRef env.

(** Witness: the request references semantic layer 99 while the envelope
    is bound to 42; every bound holds, so only the reference equality
    separates the two monitors. *)
Theorem SemanticRef_necessary :
  exists env req, monitor_without_SemanticRef env req /\ ~ reference_monitor env req.
Proof.
  exists (mk6D (Singleton Action 1) (Empty_set Action) 100 100 10 100 42 0).
  exists (mkActionRequest 1 10 50 1 30 99 0).
  split.
  - unfold monitor_without_SemanticRef. simpl.
    repeat split; try lia; try constructor.
    (* remaining goal: ~ In (Empty_set Action) 1 *)
    intro H. inversion H.
  (* H : 99 = 42 *)
  - unfold reference_monitor. intro H.
    destruct H as [_ [_ [_ [_ [_ [_ [H _]]]]]]]. simpl in H. lia.
Qed.

(** [reference_monitor] with the context-reference equality removed.
    Used only to show in [ContextRef_necessary] that binding a request to
    the envelope's context cannot be dropped. *)
Definition monitor_without_ContextRef (env : Envelope6D) (req : ActionRequest) : Prop :=
  Ensembles.In Action (A_plus env) (action req) /\
  ~ Ensembles.In Action (A_minus env) (action req) /\
  cost req <= Budget env /\
  required_trust req <= Tau env /\
  current_depth req <= Depth env /\
  action_risk req <= Risk env /\
  required_semantic req = SemanticRef env.

(** Witness: the request carries context 99 while the envelope is bound
    to context 42. Every bound holds, so without the context equality a
    request from a foreign context would be admitted; the full monitor
    rejects it. *)
Theorem ContextRef_necessary :
  exists env req, monitor_without_ContextRef env req /\ ~ reference_monitor env req.
Proof.
  exists (mk6D (Singleton Action 1) (Empty_set Action) 100 100 10 100 0 42).
  exists (mkActionRequest 1 10 50 1 30 0 99).
  split.
  - unfold monitor_without_ContextRef. simpl.
    repeat split; try lia; try constructor.
    (* remaining goal: ~ In (Empty_set Action) 1 *)
    intro H. inversion H.
  (* H : 99 = 42 *)
  - unfold reference_monitor. intro H.
    destruct H as [_ [_ [_ [_ [_ [_ [_ H]]]]]]]. simpl in H. lia.
Qed.

(** Main Theorem: 6D++ Minimality. For each of the eight dimensions there
    is an envelope/request pair admitted by the monitor with that check
    removed but rejected by the full [reference_monitor]; hence no check
    is redundant. This is just the conjunction of the eight
    [*_necessary] witnesses proved above. *)
Theorem six_d_plus_plus_minimality :
  (exists env req, monitor_without_Aplus env req /\ ~ reference_monitor env req) /\
  (exists env req, monitor_without_Aminus env req /\ ~ reference_monitor env req) /\
  (exists env req, monitor_without_B env req /\ ~ reference_monitor env req) /\
  (exists env req, monitor_without_tau env req /\ ~ reference_monitor env req) /\
  (exists env req, monitor_without_d env req /\ ~ reference_monitor env req) /\
  (exists env req, monitor_without_R env req /\ ~ reference_monitor env req) /\
  (exists env req, monitor_without_SemanticRef env req /\ ~ reference_monitor env req) /\
  (exists env req, monitor_without_ContextRef env req /\ ~ reference_monitor env req).
Proof.
  exact (conj Aplus_necessary
        (conj Aminus_necessary
        (conj B_necessary
        (conj tau_necessary
        (conj d_necessary
        (conj R_necessary
        (conj SemanticRef_necessary ContextRef_necessary))))))).
Qed.

(* ============================================================ *)
(* THEOREM: 6D++ Sufficiency                                    *)
(* 8 dimensions are sufficient for complete reference monitor   *)
(* ============================================================ *)

(** Safety of a request is defined as admission by [reference_monitor].
    Because this is a plain alias, [six_d_plus_plus_sufficiency] below
    holds by unfolding: it records the shape of the eight checks rather
    than establishing an independent property. *)
Definition is_safe (env : Envelope6D) (req : ActionRequest) : Prop :=
  reference_monitor env req.

(** 6D++ Sufficiency: passing all eight checks individually yields
    [is_safe]. Since [is_safe] unfolds to the conjunction of exactly
    these eight hypotheses, the proof assembles them with [conj]. *)
Theorem six_d_plus_plus_sufficiency :
  forall env req,
    Ensembles.In Action (A_plus env) (action req) ->
    ~ Ensembles.In Action (A_minus env) (action req) ->
    cost req <= Budget env ->
    required_trust req <= Tau env ->
    current_depth req <= Depth env ->
    action_risk req <= Risk env ->
    required_semantic req = SemanticRef env ->
    required_context req = ContextRef env ->
    is_safe env req.
Proof.
  intros env req HAp HAm HB HT HD HR HS HC.
  unfold is_safe, reference_monitor.
  exact (conj HAp (conj HAm (conj HB (conj HT (conj HD (conj HR (conj HS HC))))))).
Qed.

(* ============================================================ *)
(* THEOREM: Merge-Closure                                       *)
(* Delegation can only restrict, never expand permissions       *)
(* ============================================================ *)

(** Whitelist closure under merge: an action permitted by
    [merge_6D e1 e2] is permitted by both [e1] and [e2], because the
    merged [A_plus] is their intersection. *)
Theorem merge_closure_permitted :
  forall e1 e2 : Envelope6D,
  forall a : Action,
    Ensembles.In Action (A_plus (merge_6D e1 e2)) a ->
    Ensembles.In Action (A_plus e1) a /\
    Ensembles.In Action (A_plus e2) a.
Proof.
  intros e1 e2 a H.
  (* reduces A_plus (merge_6D e1 e2) to Intersection Action (A_plus e1) (A_plus e2) *)
  simpl in H.
  (* Intersection_intro carries both memberships *)
  inversion H; subst.
  split; assumption.
Qed.

(** Blacklist closure under merge: an action forbidden by either input
    is forbidden by [merge_6D e1 e2], because the merged [A_minus] is the
    union of the two blacklists. *)
Theorem merge_closure_forbidden :
  forall e1 e2 : Envelope6D,
  forall a : Action,
    Ensembles.In Action (A_minus e1) a \/
    Ensembles.In Action (A_minus e2) a ->
    Ensembles.In Action (A_minus (merge_6D e1 e2)) a.
Proof.
  intros e1 e2 a Hin.
  (* expose the Union behind A_minus (merge_6D e1 e2) *)
  simpl.
  destruct Hin as [Hleft | Hright];
    [ apply Union_introl | apply Union_intror ];
    assumption.
Qed.

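(** [min_nat a b] never exceeds its first argument. *)
Lemma min_nat_le_l : forall a b : nat, min_nat a b <= a.
Proof.
  intros a b. unfold min_nat.
  destruct (Nat.leb a b) eqn:Hab.
  - lia.
  (* Hab : Nat.leb a b = false, i.e. b < a *)
  - apply Nat.leb_gt in Hab. lia.
Qed.

(** [min_nat a b] never exceeds its second argument. *)
Lemma min_nat_le_r : forall a b : nat, min_nat a b <= b.
Proof.
  intros a b. unfold min_nat.
  destruct (Nat.leb a b) eqn:Hab.
  (* Hab : Nat.leb a b = true, i.e. a <= b *)
  - apply Nat.leb_le in Hab. lia.
  - lia.
Qed.

(** Merge-closure on the numeric dimensions: every scalar field of
    [merge_6D e1 e2] is bounded by the corresponding field of both
    inputs, so a merged (delegated) envelope never holds more budget,
    trust, depth or risk tolerance than either parent.
    After unfolding [merge_6D] each conjunct is literally
    [min_nat x y <= x] or [min_nat x y <= y], which the two lemmas above
    state; [exact] checks this by conversion. This replaces the earlier
    simultaneous case split over all four [Nat.leb] tests (16 cases per
    conjunct), which proved the same statement but was far costlier. *)
Theorem merge_closure :
  forall e1 e2 : Envelope6D,
    (Budget (merge_6D e1 e2) <= Budget e1 /\ Budget (merge_6D e1 e2) <= Budget e2) /\
    (Tau (merge_6D e1 e2) <= Tau e1 /\ Tau (merge_6D e1 e2) <= Tau e2) /\
    (Depth (merge_6D e1 e2) <= Depth e1 /\ Depth (merge_6D e1 e2) <= Depth e2) /\
    (Risk (merge_6D e1 e2) <= Risk e1 /\ Risk (merge_6D e1 e2) <= Risk e2).
Proof.
  intros e1 e2.
  (* eight goals, in the order Budget, Tau, Depth, Risk, each left then right *)
  repeat split.
  - exact (min_nat_le_l (Budget e1) (Budget e2)).
  - exact (min_nat_le_r (Budget e1) (Budget e2)).
  - exact (min_nat_le_l (Tau e1) (Tau e2)).
  - exact (min_nat_le_r (Tau e1) (Tau e2)).
  - exact (min_nat_le_l (Depth e1) (Depth e2)).
  - exact (min_nat_le_r (Depth e1) (Depth e2)).
  - exact (min_nat_le_l (Risk e1) (Risk e2)).
  - exact (min_nat_le_r (Risk e1) (Risk e2)).
Qed.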

(** Delegation never expands permissions: if either input does not
    permit [a], neither does the merged envelope. Contrapositive form of
    [merge_closure_permitted]. *)
Theorem delegation_never_expands :
  forall e1 e2 : Envelope6D,
  forall a : Action,
    (~ Ensembles.In Action (A_plus e1) a \/
     ~ Ensembles.In Action (A_plus e2) a) ->
    ~ Ensembles.In Action (A_plus (merge_6D e1 e2)) a.
Proof.
  intros e1 e2 a Hmiss Hmerge.
  (* membership in the merge gives membership in both inputs ... *)
  apply merge_closure_permitted in Hmerge.
  destruct Hmerge as [Hin1 Hin2].
  (* ... which contradicts whichever side Hmiss denies *)
  destruct Hmiss as [Hnot | Hnot]; contradiction.
Qed.

(* ============================================================ *)
(* THEOREM: 6D++ ⊂ 13D (Containment)                            *)
(* 6D++ is properly contained in 13D full envelope              *)
(* ============================================================ *)

(** Project the enforcement layer out of a full envelope. "Containment"
    in this section means exactly that the 6D++ layer is recoverable
    unchanged from the 13D envelope. *)
Definition extract_6D (env : Envelope13D) : Envelope6D :=
  enforcement env.

(** [extract_6D] is the [enforcement] projection; the equation holds by
    unfolding the definition. *)
Theorem containment_6D_13D :
  forall env : Envelope13D,
    extract_6D env = enforcement env.
Proof.
  intros env.
  exact (eq_refl (enforcement env)).
Qed.

(** Field-by-field restatement of [containment_6D_13D]: every 6D++
    dimension read through [extract_6D] is the one stored in
    [enforcement]. Each equation is definitional, hence [reflexivity]. *)
Theorem containment_preserves_fields :
  forall env : Envelope13D,
    A_plus (extract_6D env) = A_plus (enforcement env) /\
    A_minus (extract_6D env) = A_minus (enforcement env) /\
    Budget (extract_6D env) = Budget (enforcement env) /\
    Tau (extract_6D env) = Tau (enforcement env) /\
    Depth (extract_6D env) = Depth (enforcement env) /\
    Risk (extract_6D env) = Risk (enforcement env) /\
    SemanticRef (extract_6D env) = SemanticRef (enforcement env) /\
    ContextRef (extract_6D env) = ContextRef (enforcement env).
Proof.
  intros. repeat split; reflexivity.
Qed.

(** ** Summary *)

(* These Print commands only echo the definitions and theorem statements
   during compilation; they have no effect on the development and can be
   dropped from a production build to keep the build log quiet. *)
Print Envelope6D.
Print Envelope7D.
Print Envelope13D.
Print six_d_plus_plus_minimality.
Print six_d_plus_plus_sufficiency.
Print merge_closure.
Print containment_6D_13D.
