Retire manual proof data CLI surfaces

[TSavo]

Summary

• remove manual ProofIR/solver entrypoints from prove (--formula, --target, --output)
• retire legacy raw-IR public command families proof and witness
• preserve provekit dump as the supported .proof diagnostic surface
• update emit integration fixtures to use normalized ProofIR-shaped atomic predicates
• update docs away from retired provekit proof / public witness command references

Verification

• cargo test -p provekit-cli --test cli_surface --manifest-path implementations/rust/Cargo.toml -- --nocapture
• cargo test -p provekit-cli --manifest-path implementations/rust/Cargo.toml --test cmd_emit_go_testing --test cmd_emit_go_testify --test cmd_emit_python_pytest --test cmd_emit_java_junit --test cmd_emit_typescript_vitest --test cmd_emit_swift_xctest --test cmd_emit_scala_scalatest -- --nocapture
• cargo test -p provekit-cli --manifest-path implementations/rust/Cargo.toml --tests --no-run
• cargo fmt --manifest-path implementations/rust/provekit-cli/Cargo.toml --check
• git diff --check

Note: TypeScript/Vitest emit integration retained the existing local dependency skip when TS emitter deps are not built.

Summary by CodeRabbit

• Removed Features

  • Removed provekit proof command and all its subcommands
  • Removed provekit witness command
  • Removed manual formula specification flags from provekit prove

• New Features

  • Added conformance validation gate to provekit prove and provekit verify commands

• Documentation

  • Updated guides to reflect command changes and new workflow expectations
  • Clarified that conformance checking is now automatic rather than manual

[coderabbitai]

Walkthrough

The PR removes the deprecated provekit proof and provekit witness subcommands from the CLI, deletes their implementations (750 + 206 lines), refactors cmd_prove.rs to add lift-plugin-protocol conformance gating with --kit, updates documentation across protocol specs and user guides, and adjusts test fixtures and surface tests to verify the retirement.

Changes

CLI Command Retirement: Proof and Witness Removal

Layer / File(s)	Summary
CLI Routing and Command Structure Retirement implementations/rust/provekit-cli/src/main.rs	Removes Cmd::Proof and Cmd::Witness enum variants, eliminates ProveTarget enum and WitnessArgs struct, drops formula/target/output CLI flags from ProveArgs, updates module declarations to exclude cmd_proof and cmd_witness, and removes dispatch arms that route to those removed modules.
cmd_prove Lift-Plugin Conformance Gate and Logic Cleanup implementations/rust/provekit-cli/src/cmd_prove.rs	Adds --kit conformance gate that resolves kits via cmd_mint::resolve_kit, locates and spawns lifter binaries from manifest.toml, drives full JSON-RPC initialize→lift→shutdown, captures response envelopes, runs all C1–C8 verifiers, and outputs JSON results; removes local formula proving and target proving implementations; keeps admission gate; extends unit tests for gate behavior and resolve_kit regression (#325).
CLI Surface Retirement Tests implementations/rust/provekit-cli/tests/cli_surface.rs	Adds three new CLI boundary tests verifying provekit prove --help does not expose retired formula/target/output flags, provekit witness is not recognized, and provekit proof command family is rejected with clap errors.
Test Fixture Predicate Kind Updates implementations/rust/provekit-cli/tests/cmd_emit_*.rs, tests/fixtures/*	Updates seven emitter test fixtures to change predicate kind from "op" to "atomic" in generated plan.json; removes lower_formula.rs, proof_check.rs, and checked_contradiction.json fixture.
Documentation Surface Updates README.md, docs/audits/*, docs/contributing/*, docs/explanation/*, docs/how-to/*, docs/papers/*, docs/reference/*, docs/superpowers/*, protocol/conformance/*, protocol/specs/*	Removes references to deprecated CLI commands (e.g., provekit proof inspect, provekit witness), updates examples to use provekit dump and provekit prove/verify, generalizes terminology to "witness minting" and "proof-verification gate," revises CLI Shape sections to Operational Shape descriptions in protocol specs, and marks cmd_proof and cmd_witness as retired in audit matrices.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• TSavo/provekit#165: The main PR's lift-plugin-protocol conformance gate and --kit logic in cmd_prove.rs are directly aligned with the same gate implementation in this retrieved PR.
• TSavo/provekit#1015: Both PRs directly refactor implementations/rust/provekit-cli/src/cmd_prove.rs, modifying prove routing logic and CLI dispatch.
• TSavo/provekit#1565: The main PR's concurrent removal of cmd_witness.rs and CLI witness subcommand overlaps with this concurrent refactor of the witness command surface.

Poem

🐰 The proof command hops away,
The witness command takes its day,
But prove --kit now gates the show,
With lifters spinning, verifiers flow—
The CLI retires, gates remain to glow!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 73.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Retire manual proof data CLI surfaces' accurately and concisely summarizes the primary change: removing legacy proof and witness CLI commands and their associated manual ProofIR/solver entrypoints from the prove command.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/cross-language-parity-gate-20260529-102720

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2d594e885d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Migrate Bug Zoo before rejecting --formula

Rejecting prove --formula is not safe yet because the checked-in Bug Zoo runner still invokes provekit prove --formula --json --quiet in menagerie/bug-zoo/src/lib.rs:1644-1648, and the build docs describe the Bug Zoo as a CI/tooling check. In any run with composition checks, this now exits at clap before producing the JSON verdict the runner parses, so the Bug Zoo experiments fail rather than reporting red/green obligations; migrate that runner to a supported gate or keep a compatible path until it is updated.

Useful? React with 👍 / 👎.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

implementations/rust/provekit-cli/src/cmd_prove.rs (2)

481-489: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reject conflicting prove modes instead of picking one silently.

run() gives --artifact/--proof/--policy precedence over --kit, and the kit path also ignores verifier-only knobs like --with and the empirical-witness flags. For example, prove --kit rust --proof receipt.json runs admission verification, not the conformance gate.

Suggested fix

 pub fn run(args: ProveArgs) -> u8 {
+    if args.kit.is_some()
+        && (args.artifact.is_some()
+            || args.proof.is_some()
+            || args.policy.is_some()
+            || !args.with.is_empty()
+            || args.require_empirically_witnessed.is_some()
+            || args.require_fixture.is_some()
+            || args.consensus_policy.is_some())
+    {
+        eprintln!(
+            "{}: --kit cannot be combined with prove/admission flags",
+            "error".red().bold()
+        );
+        return crate::EXIT_USER_ERROR;
+    }
+
     if args.artifact.is_some() || args.proof.is_some() || args.policy.is_some() {
         return run_admission_gate(&args);
     }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@implementations/rust/provekit-cli/src/cmd_prove.rs` around lines 481 - 489,
The run function currently prefers admission mode (run_admission_gate) when any
of args.artifact/args.proof/args.policy are set and silently ignores args.kit
and verifier-only knobs; change it to detect conflicting modes and reject the
invocation with a clear error instead of picking one: in run(ProveArgs) check
for mutually exclusive combinations (if args.kit.is_some() &&
(args.artifact.is_some() || args.proof.is_some() || args.policy.is_some() ||
args.with.is_some() || args.empirical_witness_flags_are_set())) and return a
non-zero error/print a message explaining the conflict (e.g., request user to
choose either kit/conformance via run_kit or artifact/proof/policy admission via
run_admission_gate), preventing run_admission_gate or run_kit from being called
when both modes are present; update any calling code/tests that expect the old
precedence accordingly.

---

186-264: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep --json output machine-readable.

capture_rpc() still writes dispatch: / ok: banners to stdout whenever quiet is false, so provekit prove --kit <kit> --json emits non-JSON bytes before the JSON report.

Suggested fix

-fn capture_rpc(
-    project_root: &std::path::Path,
-    surface: &str,
-    quiet: bool,
-) -> Result<CapturedRpc, String> {
+fn capture_rpc(
+    project_root: &std::path::Path,
+    surface: &str,
+    quiet: bool,
+    json_out: bool,
+) -> Result<CapturedRpc, String> {
     let manifest = find_manifest(project_root, surface)?;
-    if !quiet {
+    if !quiet && !json_out {
         println!(
             "{}: surface=`{}` plugin=`{}` command={:?}",
             "dispatch".green().bold(),
@@
-    if !quiet {
+    if !quiet && !json_out {
         if let Some(name) = init_response
             .get("result")
             .and_then(|r| r.get("name"))
@@
-    let rpc = match capture_rpc(&project_root, &surface, quiet) {
+    let rpc = match capture_rpc(&project_root, &surface, quiet, json_out) {

Also applies to: 385-427

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@implementations/rust/provekit-cli/src/cmd_prove.rs` around lines 186 - 264,
The function capture_rpc prints human-readable banners to stdout (e.g., the
println! with "dispatch" and the "ok" message) which corrupts machine-readable
--json output; change those prints to write to stderr instead (use eprintln! or
write to std::io::stderr()) when quiet is false or when JSON output is requested
so stdout remains pure JSON. Update the println! calls in capture_rpc (the
dispatch banner that uses manifest.name/manifest.command and the plugin-ready
"ok" message) and make the equivalent change in the other similar block around
the later region (lines ~385-427) so all human banners go to stderr, not stdout.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@implementations/rust/provekit-cli/src/cmd_prove.rs`:
- Around line 481-489: The run function currently prefers admission mode
(run_admission_gate) when any of args.artifact/args.proof/args.policy are set
and silently ignores args.kit and verifier-only knobs; change it to detect
conflicting modes and reject the invocation with a clear error instead of
picking one: in run(ProveArgs) check for mutually exclusive combinations (if
args.kit.is_some() && (args.artifact.is_some() || args.proof.is_some() ||
args.policy.is_some() || args.with.is_some() ||
args.empirical_witness_flags_are_set())) and return a non-zero error/print a
message explaining the conflict (e.g., request user to choose either
kit/conformance via run_kit or artifact/proof/policy admission via
run_admission_gate), preventing run_admission_gate or run_kit from being called
when both modes are present; update any calling code/tests that expect the old
precedence accordingly.
- Around line 186-264: The function capture_rpc prints human-readable banners to
stdout (e.g., the println! with "dispatch" and the "ok" message) which corrupts
machine-readable --json output; change those prints to write to stderr instead
(use eprintln! or write to std::io::stderr()) when quiet is false or when JSON
output is requested so stdout remains pure JSON. Update the println! calls in
capture_rpc (the dispatch banner that uses manifest.name/manifest.command and
the plugin-ready "ok" message) and make the equivalent change in the other
similar block around the later region (lines ~385-427) so all human banners go
to stderr, not stdout.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 94dc32bb-c744-453c-a9f0-05f894facc68

📥 Commits

Reviewing files that changed from the base of the PR and between ff19472 and 2d594e8.

📒 Files selected for processing (28)

• README.md
• docs/audits/2026-05-18-kit-as-substrate-participant-vision.md
• docs/contributing/build.md
• docs/explanation/use-cases.md
• docs/how-to/debugging-a-failed-handshake.md
• docs/papers/03-substrate-not-blockchain.md
• docs/reference/per-language-status.md
• docs/reference/protocol-extensions.md
• docs/superpowers/plans/2026-05-08-bridgeworks-white-room-contract-stack.md
• docs/superpowers/specs/2026-05-08-bridgeworks-white-room-contract-stack-design.md
• implementations/rust/provekit-cli/src/cmd_proof.rs
• implementations/rust/provekit-cli/src/cmd_prove.rs
• implementations/rust/provekit-cli/src/cmd_witness.rs
• implementations/rust/provekit-cli/src/main.rs
• implementations/rust/provekit-cli/tests/cli_surface.rs
• implementations/rust/provekit-cli/tests/cmd_emit_go_testify.rs
• implementations/rust/provekit-cli/tests/cmd_emit_go_testing.rs
• implementations/rust/provekit-cli/tests/cmd_emit_java_junit.rs
• implementations/rust/provekit-cli/tests/cmd_emit_python_pytest.rs
• implementations/rust/provekit-cli/tests/cmd_emit_scala_scalatest.rs
• implementations/rust/provekit-cli/tests/cmd_emit_swift_xctest.rs
• implementations/rust/provekit-cli/tests/cmd_emit_typescript_vitest.rs
• implementations/rust/provekit-cli/tests/fixtures/checked_contradiction.json
• implementations/rust/provekit-cli/tests/lower_formula.rs
• implementations/rust/provekit-cli/tests/proof_check.rs
• protocol/conformance/proof-protocol/README.md
• protocol/specs/2026-05-02-binary-attestation-protocol.md
• protocol/specs/2026-05-14-witness-consensus-promotion.md

💤 Files with no reviewable changes (6)

• implementations/rust/provekit-cli/tests/fixtures/checked_contradiction.json
• implementations/rust/provekit-cli/tests/lower_formula.rs
• implementations/rust/provekit-cli/src/cmd_proof.rs
• implementations/rust/provekit-cli/src/cmd_witness.rs
• docs/reference/protocol-extensions.md
• implementations/rust/provekit-cli/tests/proof_check.rs