Expected standard (the "full circle"): a formal-verification asset should be (1) wired into CI, (2) gating — not continue-on-error — so a regression actually blocks the merge, and (3) complete — no sorry/axioms standing in for proofs. When any link is missing, the proof exists but cannot stop a regression, so the loop is open. Maybe there is a reason here; if so it should be documented — otherwise it should follow the standard.
Found: the rocq-proofs job (.github/workflows/ci.yml:361-366) runs with continue-on-error: true. The optimization semantic-preservation proofs (WasmSemantics, ConstantFolding/StrengthReduction correctness, and the rocq-of-rust translation link) run and report, but a proof regression passes the build silently.
Recommend: remove continue-on-error from rocq-proofs so proof breakage blocks merge. If non-gating is intentional (runtime, flakiness), document why and/or move to a gating nightly.
Noticed during a kiln verification-corpus audit comparing how each PulseEngine repo wires its proofs.
Expected standard (the "full circle"): a formal-verification asset should be (1) wired into CI, (2) gating — not
continue-on-error— so a regression actually blocks the merge, and (3) complete — nosorry/axioms standing in for proofs. When any link is missing, the proof exists but cannot stop a regression, so the loop is open. Maybe there is a reason here; if so it should be documented — otherwise it should follow the standard.Found: the
rocq-proofsjob (.github/workflows/ci.yml:361-366) runs withcontinue-on-error: true. The optimization semantic-preservation proofs (WasmSemantics, ConstantFolding/StrengthReduction correctness, and the rocq-of-rust translation link) run and report, but a proof regression passes the build silently.Recommend: remove
continue-on-errorfromrocq-proofsso proof breakage blocks merge. If non-gating is intentional (runtime, flakiness), document why and/or move to a gating nightly.Noticed during a kiln verification-corpus audit comparing how each PulseEngine repo wires its proofs.