Verified transport
An HTTP/1.1 + h2c reverse proxy & server, in Lean 4
Every protocol decision β framing, HPACK, connection lifecycle, keep-alive, pipelining, streaming, proxying β is made by pure state machines carrying machine-checked safety theorems. The machines cannot perform I/O; the I/O shell cannot make protocol decisions. The only unverified code is the syscall shim.
- Trusted C~700 lines β io_uring proactor at the syscall boundary
- Proxy vs nginx1.7Γ per-core throughput Β· 3.6Γ lower p99 Β· preliminary, two-run
- Upstreamproven H/2 to real origins via ALPN Β· H1βH2 translation Β· verified stream demux
- As origin3.4M req/s (HTTP/1.1, pipelined, loopback, pinned) Β· 270K single-core
- HTTP/21.7Γ over HTTP/1.1 cross-host (7.5 ms RTT, 100% success / 5M req)
- Hygienezero
sorryin the HTTP-path proofs Β· curl, nghttp, h2load interop