Solving the verification bottleneck.

Verification and curation for formal mathematics at the rate it is now generated — mechanical, source-blind, and continuous with the libraries the community maintains.

Generating formal mathematics is no longer the hard part. Modern systems produce kernel-checkable Lean proofs at scale, and the kernel settles correctness in milliseconds. What is scarce is everything around that verdict: knowing what a result assumes, whether it already exists, what it strengthens — at the rate work now arrives.

A proof's correctness does not depend on its author. The kernel accepts the term or it does not, and the verdict is the same whatever produced it. The discipline follows: verify the artifact and leave the source alone — check the proof, profile what it assumes, admit it on those facts. Judging artifacts blind is feasible at scale exactly where the check is mechanical, which is why formal mathematics is the beachhead and not the exception.

The field has moved this from diagnosis to schedule. Lean's main library re-checks itself daily against tampered environments; external checkers gate admission on axiom allowlists; the people who build Lean ask publicly who verifies the world's software once AI writes most of it; and campaigns to verify real systems — Signal among them — are underway. Replay has become a commodity. Identity has not: when two results are the same result across repositories, what each one assumes down to the axiom, what is new and what is duplicate — admitted on those facts alone, blind to source. That layer is what is being built here.

What it makes possible is concrete. Mathlib tracked as it moves, every upstream change classified and priced by what actually changed — never a fork, strictly additive to the library and the community that maintains it. A corpus that grows at the speed machines now prove, because admission is a set of decisive checks rather than a queue for reviewer attention — faster than human review, carrying more certainty rather than less. And the body of formal mathematics made visible as the single structure it is: what every result assumes, where results coincide, how the whole hangs together.

Built and checked

The whole of Mathlib — 707,053 declarations — has been re-encoded into a content-addressed archive and proven faithful against the kernel three ways: every declaration replays from the stored bytes alone and is accepted; every declaration reconstructs byte-exactly, down to binder names; every inductive block re-enters the kernel and the recursors it regenerates match the store. 180 million unique nodes, each re-hashing to its own address — the archive's integrity is something anyone recomputes, never something anyone grants. Types and complete proof terms together cost about 8 KB per declaration.
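The property claimed above, that every node re-hashes to its own address and every term rebuilds from stored bytes alone, is sketched here as an added example. It is not the project's code: the JSON node encoding, SHA-256, and the function names are assumptions, and the sample term is constructed.

```python
import hashlib
import json

def encode(tag, payload, children):
    """Canonical bytes for one node; children appear only as their addresses."""
    return json.dumps([tag, payload, children], separators=(",", ":")).encode()

def put(store, term):
    """Store a term given as (tag, payload, [subterms]); return its address."""
    tag, payload, subterms = term
    blob = encode(tag, payload, [put(store, s) for s in subterms])
    addr = hashlib.sha256(blob).hexdigest()
    store[addr] = blob                  # identical subterms collapse to one entry
    return addr

def get(store, addr):
    """Rebuild the term from the stored bytes alone, binder names included."""
    tag, payload, children = json.loads(store[addr])
    return (tag, payload, [get(store, c) for c in children])

def audit(store):
    """Addresses whose bytes do not re-hash to their key, or cite a missing child."""
    bad = set()
    for addr, blob in store.items():
        if hashlib.sha256(blob).hexdigest() != addr:
            bad.add(addr)               # bytes were altered after admission
        elif any(c not in store for c in json.loads(blob)[2]):
            bad.add(addr)               # dangling reference: term cannot replay
    return bad

# Constructed sample: a lambda with binder name "x"; the constant Nat occurs twice.
NAT = ("const", "Nat", [])
TERM = ("lam", "x", [NAT, ("app", "", [("bvar", "0", []), NAT])])

if __name__ == "__main__":
    store = {}
    root = put(store, TERM)
    print(len(store), "unique nodes; audit:", audit(store))
    store[put({}, NAT)] = b'["const","Int",[]]'     # tamper with one stored node
    print("after tampering:", audit(store))
```

Because the address is computed from the bytes, the audit needs no trusted index: anyone holding the store can rerun it and get the same answer.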

The update arithmetic is measured, not hoped. Declarations reference one another by name, and the kernel's verdict on a result rests on the types of what it uses — so a rewritten proof costs nothing downstream, and a library version bump re-verifies exactly the cone that changed. The dependency graph — 18.4 million edges — says the delta is typically tiny: half of all declarations are used, transitively, by at most eleven others, and the expensive tail is exactly enumerable. Tracking a moving Mathlib is priced by the delta, never the corpus; full re-certification from nothing, the worst case, is a one-time cost measured in hours on a laptop.
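The update rule above, as an added example rather than the project's code: a proof-only change re-checks one declaration, while a changed statement re-checks its whole dependency cone. It assumes each declaration is summarised by a (type hash, proof hash) pair and that every dependency rests on types only, as the paragraph states; the names and hashes are constructed.

```python
from collections import deque

def dependents_of(uses):
    """Invert {decl: names it references} into {name: direct dependents}."""
    rev = {}
    for decl, refs in uses.items():
        for ref in refs:
            rev.setdefault(ref, set()).add(decl)
    return rev

def recheck_set(old, new, uses):
    """Declarations to re-verify when moving from version `old` to `new`.

    old, new: {name: (type_hash, proof_hash)}
    uses:     {name: set of names referenced}, taken from the new version.
    """
    rev = dependents_of(uses)
    cone, proof_only, queue = set(), set(), deque()
    for name, (ty, proof) in new.items():
        old_ty, old_proof = old.get(name, (None, None))
        if ty != old_ty:                # new or restated: dependents are affected
            cone.add(name)
            queue.append(name)
        elif proof != old_proof:        # proof rewritten, statement intact
            proof_only.add(name)        # re-check this declaration only
    queue.extend(old.keys() - new.keys())   # removed names leave dependents dangling
    while queue:                        # breadth-first walk of the cone
        for dep in rev.get(queue.popleft(), ()):
            if dep not in cone:
                cone.add(dep)
                queue.append(dep)
    return cone | proof_only

# Constructed toy library: base <- lemma <- thm <- cor, and base <- side.
OLD = {n: ("t-" + n, "p-" + n) for n in ("base", "lemma", "thm", "cor", "side")}
USES = {"base": set(), "lemma": {"base"}, "thm": {"lemma"},
        "cor": {"thm"}, "side": {"base"}}

if __name__ == "__main__":
    rewritten = dict(OLD, lemma=("t-lemma", "p-lemma-v2"))
    restated = dict(OLD, lemma=("t-lemma-v2", "p-lemma-v2"))
    print(sorted(recheck_set(OLD, rewritten, USES)))
    print(sorted(recheck_set(OLD, restated, USES)))
```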

Over the certified store, the structural layer runs queries-first: every declaration carries its content address, axiom closure, and dependency cone, so identity, novelty, and trust profile are lookups rather than judgments — each query certified by independent implementations agreeing on all 707,053 rows.

The whole of Mathlib has exactly 23 distinct axiom profiles. A quarter of its 707,053 declarations — 177,395 — depend on no axioms at all, 99.96% of the corpus sits on the eight subsets of just three axioms, and not one declaration carries a sorry. Half the library reaches Classical.choice — through a frontier of only 206 declarations, three classical gateways carrying the majority of it: infrastructure, not the mathematics. First measured on a 919-declaration research corpus, now a fact about the library entire — the discipline on offer, applied to our own results first.
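How axiom closures, profile counts and allowlist admission fall out of the dependency graph, as an added example that is not the project's code. The axiom names are Lean 4's standard three plus `sorryAx`; the toy corpus, its declaration names, and the reading of "frontier" as direct citation of an axiom are assumptions of this sketch.

```python
from collections import Counter

# Lean 4's three standard axioms, plus sorryAx, which a `sorry` introduces.
STANDARD = frozenset({"propext", "Classical.choice", "Quot.sound"})
AXIOMS = STANDARD | {"sorryAx"}

def axiom_closures(uses):
    """Map each declaration to the axioms it reaches through `uses` (a DAG)."""
    closure = {a: frozenset([a]) for a in AXIOMS}
    for root in uses:
        stack = [root]
        while stack:                    # iterative post-order, no recursion limit
            node = stack[-1]
            refs = uses.get(node, ())
            pending = [r for r in refs if r not in closure]
            if node in closure:
                stack.pop()
            elif pending:
                stack.extend(pending)   # resolve dependencies first
            else:
                closure[node] = frozenset().union(*(closure[r] for r in refs))
                stack.pop()
    return {d: closure[d] for d in uses}

def profiles(closures):
    """Count declarations per distinct axiom set."""
    return Counter(closures.values())

def frontier(uses, axiom):
    """Declarations that cite `axiom` directly (this example's reading)."""
    return {d for d, refs in uses.items() if axiom in refs}

def admit(name, closures, allowlist=STANDARD):
    """Admission decided on the axiom closure alone: (ok, offending axioms)."""
    extra = closures[name] - allowlist
    return (not extra, extra)

# Constructed toy corpus; declaration names are hypothetical.
USES = {
    "pure_lemma": set(),
    "ext_lemma": {"propext", "pure_lemma"},
    "em": {"Classical.choice", "propext", "Quot.sound"},
    "by_cases_thm": {"em", "ext_lemma"},
    "uses_em_too": {"em"},
    "unfinished": {"sorryAx", "pure_lemma"},
    "built_on_gap": {"unfinished", "by_cases_thm"},
}
```

Nothing in `admit` reads who produced the declaration: `built_on_gap` is refused because its closure contains `sorryAx`, inherited two steps upstream.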

The engine's first acceptance test is fixed, publicly: the Adámek initial-algebra theorem — kernel-clean, expert-reviewed, closed without artifact review. See the record. Run on that record, the engine must admit what was closed — and it fails as a product until it does.

Writing

Privatization of Reason

2026

The principle stated directly: judging a claim by its source — author, venue, credential — in place of judging whether it holds, the same move in a private quarrel, in the expert's chair, and in an institution's gate.

Respect as a Precondition for Corrigibility

2026

The same principle at the scale of a single exchange: a correction lands only when the corrector is met as a reasoner rather than treated as noise.

Larsen Close