Solving the verification bottleneck.
Verification and curation for formal mathematics at the rate it is now generated — mechanical, source-blind, and continuous with the libraries the community maintains.
Generating formal mathematics is no longer the hard part. Modern systems produce kernel-checkable Lean proofs at scale, and the kernel settles correctness in milliseconds. What is scarce is everything around that verdict: knowing what a result assumes, whether it already exists, what it strengthens — at the rate work now arrives.
A proof's correctness does not depend on its author. The kernel accepts the term or it does not, and the verdict is the same whatever produced it. The discipline follows: verify the artifact and leave the source alone — check the proof, profile what it assumes, admit it on those facts. Judging artifacts blind is feasible at scale exactly where the check is mechanical, which is why formal mathematics is the beachhead and not the exception.
The field has moved this from diagnosis to schedule. Lean's main library re-checks itself daily against tampered environments; external checkers gate admission on axiom allowlists; the people who build Lean ask publicly who verifies the world's software once AI writes most of it; and campaigns to verify real systems — Signal among them — are underway. Replay has become a commodity. Identity has not: knowing when two results are the same result across repositories, what each one assumes down to the axiom, and what is new and what is duplicate, with admission on those facts alone, blind to source. That layer is what is being built here.
What it makes possible is concrete. Mathlib tracked as it moves, every upstream change classified and priced by what actually changed — never a fork, strictly additive to the library and the community that maintains it. A corpus that grows at the speed machines now prove, because admission is a set of decisive checks rather than a queue for reviewer attention — faster than human review, carrying more certainty rather than less. And the body of formal mathematics made visible as the single structure it is: what every result assumes, where results coincide, how the whole hangs together.
Built and checked
The whole of Mathlib — 707,053 declarations — has been re-encoded into a content-addressed archive and proven faithful against the kernel three ways: every declaration replays from the stored bytes alone and is accepted; every declaration reconstructs byte-exactly, down to binder names; every inductive block re-enters the kernel and the recursors it regenerates match the store. 180 million unique nodes, each re-hashing to its own address — the archive's integrity is something anyone recomputes, never something anyone grants. Types and complete proof terms together cost about 8 KB per declaration.
The update arithmetic is measured, not hoped. Declarations reference one another by name, and the kernel's verdict on a result rests on the types of what it uses — so a rewritten proof costs nothing downstream, and a library version bump re-verifies exactly the cone that changed. Tracking a moving Mathlib is priced by the delta, never the corpus; full re-certification from nothing, the worst case, is a one-time cost measured in hours on a laptop.
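The two properties described above, integrity that anyone can recompute and re-verification priced by the delta, can be sketched in a few lines. This is an added example, not the project's code: the SHA-256 node encoding, the `Store`, `snapshot` and `recheck_set` names, the sample declarations, and the conservative rule that a changed type re-checks every transitive dependent are all assumptions made for illustration.

```python
import hashlib

def address(kind, payload, children=()):
    """Address = SHA-256 over kind, payload and child addresses, length-prefixed."""
    h = hashlib.sha256()
    for part in (kind.encode(), payload, *(c.encode() for c in children)):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.hexdigest()

class Store:
    def __init__(self):
        self.nodes = {}  # address -> (kind, payload, child addresses)

    def put(self, kind, payload, children=()):
        addr = address(kind, payload, tuple(children))
        self.nodes[addr] = (kind, payload, tuple(children))
        return addr

    def audit(self):
        """Addresses whose content no longer re-hashes to its key, or with a missing child."""
        return sorted(a for a, (k, p, c) in self.nodes.items()
                      if address(k, p, c) != a or any(x not in self.nodes for x in c))

def recheck_set(old, new, uses):
    """old/new map name -> (type_addr, proof_addr); uses maps name -> names it uses.
    Assumed model: a changed proof re-checks only itself; a changed type also
    re-checks every transitive dependent (a conservative cone)."""
    dirty = {n for n in new if old.get(n) != new[n]}
    frontier = [n for n in dirty if n not in old or old[n][0] != new[n][0]]
    spread = set(frontier)
    while frontier:
        changed = frontier.pop()
        for name, deps in uses.items():
            if changed in deps and name not in spread:
                spread.add(name)
                frontier.append(name)
    return dirty | spread

def snapshot(store, decls):
    """Store each declaration's type and proof text; return name -> address pair."""
    return {n: (store.put("type", t.encode()), store.put("proof", p.encode()))
            for n, (t, p) in decls.items()}

# Constructed sample library (not real Mathlib content).
USES = {"lemma_a": set(), "lemma_b": {"lemma_a"}, "thm_c": {"lemma_b"}, "thm_d": set()}
V1 = {"lemma_a": ("P", "proof1"), "lemma_b": ("P -> Q", "proof2"),
      "thm_c": ("Q -> R", "proof3"), "thm_d": ("S", "proof4")}
```

Rewriting only the proof of `lemma_a` yields a re-check set of one declaration, while changing its type pulls in `lemma_b` and `thm_c`; overwriting any stored node makes `audit()` report its address.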
Over the certified store, the structural layer is being rebuilt: every declaration addressed by statement, proof term, axiom closure, and build context, so identity, novelty, and trust profile are lookups rather than judgments. Its predecessor indexed roughly 414,000 statements and 1.3 million witnesses across six repositories; the rebuild stands on a substrate whose every byte is kernel-certified.
An early finding: within one indexed research corpus, 245 of 919 declarations carry no axioms at all, and the rest reach Classical.choice only through three Mathlib infrastructure channels — bookkeeping, not the mathematics. The headline number ships when it reproduces over the certified store: the discipline on offer is the discipline applied to our own results first.
The engine's first acceptance test is fixed, publicly: the Adámek initial-algebra theorem — kernel-clean, expert-reviewed, closed without artifact review. See the record. Run on that record, the engine must admit what was closed — and it fails as a product until it does.
Writing
Privatization of Reason
2026. The principle stated directly: judging a claim by its source — author, venue, credential — in place of judging whether it holds, the same move in a private quarrel, in the expert's chair, and in an institution's gate. DOI