refactor: promote gds-proof to Layer 1 with gds-framework integration

gds-proof was a standalone package with no GDS dependencies, using
protocol-only types (ProofableBlock/ProofableModel). This refactor
makes it a proper Layer 1 package that depends on gds-framework and
integrates with the existing verification infrastructure.

Changes:
- Add gds-framework>=0.3.0 dependency
- Rename ProofableBlock -> SymbolicBlock, ProofableModel -> SymbolicModel
- Add adapter.py: GDSSymbolicBlock/GDSSymbolicModel bridge GDS types
  to proof engine, auto-deriving state symbols from Mechanism.updates
- Add findings.py: convert proof results to Finding/VerificationReport
  with PROOF-001 check ID and exportable_predicate population
- Rename reachability -> inductive_safety to avoid naming collision
  with gds_analysis.reachability (simulation-based)
- Add docs/proof/ with overview and getting-started guide
- Add changelog entries for v0.1.0 and v0.2.0
- 130 tests pass (18 new), 92% coverage, zero lint errors

Deprecated aliases maintained for backward compatibility until v1.0.0.

Author: rohan

CHANGELOG.md

@@ -1,5 +1,63 @@
 # Changelog
 
+## 2026-04-07 — gds-proof Layer 1 Integration
+
+Promotes gds-proof from a standalone package (Layer 0, protocol-only) to a
+Layer 1 package that depends on `gds-framework` and integrates with the
+existing verification infrastructure.
+
+### gds-proof v0.2.0
+
+**Breaking:** `ProofableBlock` renamed to `SymbolicBlock`, `ProofableModel`
+renamed to `SymbolicModel`. Deprecated aliases remain until v1.0.0.
+
+**Breaking:** `analyze_reachability()` renamed to `analyze_inductive_safety()`,
+`ReachabilityAnalysisResult` renamed to `InductiveSafetyResult`. Deprecated
+aliases remain until v1.0.0. This resolves a naming collision with
+`gds_analysis.reachability` (simulation-based forward/backward state sets).
+
+New capabilities:
+
+- **gds-framework dependency** -- gds-proof is now a Layer 1 package alongside
+  gds-analysis, gds-domains, and gds-viz
+- **`GDSSymbolicBlock`** -- adapter wrapping `AtomicBlock` + `GDSSpec` with
+  user-supplied SymPy expressions. Auto-derives `prev_state_symbols` from
+  `Mechanism.updates` + `Entity.variables[var].symbol`
+- **`GDSSymbolicModel`** -- adapter wrapping `GDSSpec` with symbolic enrichments
+  and invariants. Auto-derives assumption context from `ParameterDef.bounds`
+- **`findings.py`** -- converts proof results to `Finding`/`VerificationReport`
+  objects. Populates `Finding.exportable_predicate` with canonical SymPy form.
+  Check ID: `PROOF-001` (invariant preservation)
+- **`derive_state_symbols()`** -- utility to extract SymPy symbols from mechanism
+  updates + entity variable symbols
+- **`derive_assumption_context()`** -- utility to build SymPy assumption dicts
+  from parameter schema bounds
+
+Documentation:
+
+- Added `docs/proof/index.md` and `docs/proof/getting-started.md`
+- Updated `CLAUDE.md` for Layer 1 architecture
+- Added gds-proof to mkdocs.yml navigation and llmstxt sections
+
+---
+
+## 2026-04-07 — gds-proof v0.1.0
+
+New package added via PR #193. Extracts the domain-agnostic proof engine from
+`crypto-econ-dynamics-skill` into gds-core as the ninth workspace package.
+
+Capabilities:
+
+- Deterministic SHA-256 model identity (`hash_model`, `hash_proof`)
+- 5-strategy symbolic implication prover (`analyze_invariants`)
+- 3-layer predicate-guarded reachability (`analyze_reachability`)
+- User-authored multi-lemma ProofScript with independent verification
+- Canonical srepr serialization for third-party evidence exchange
+
+112 tests, 95% coverage.
+
+---
+
 ## 2026-04-05 — Package Consolidation (14 → 8 packages)
 
 Implements the consolidation plan from issue #143. Reduces the monorepo from

docs/changelog.md

@@ -3,6 +3,29 @@
 All notable changes to the GDS ecosystem are documented here. Each release
 lists affected packages, breaking changes, and new capabilities.
 
+## 2026-04-07 — gds-proof Layer 1 Integration
+
+Promotes gds-proof from standalone (Layer 0, protocol-only) to Layer 1
+(depends on `gds-framework`, integrates with verification pipeline).
+
+### gds-proof v0.2.0
+
+**Breaking:** `ProofableBlock` -> `SymbolicBlock`, `ProofableModel` -> `SymbolicModel`.
+`analyze_reachability()` -> `analyze_inductive_safety()`. Deprecated aliases until v1.0.0.
+
+New:
+
+- **`GDSSymbolicBlock` / `GDSSymbolicModel`** -- adapters bridging GDS types to proof engine
+- **`findings.py`** -- converts proof results to `Finding`/`VerificationReport` (check ID: `PROOF-001`)
+- **`derive_state_symbols()`** / **`derive_assumption_context()`** -- GDS type utilities
+- Documentation: `docs/proof/` with overview and getting-started guide
+
+### gds-proof v0.1.0
+
+New package (PR #193). Deterministic model identity and SymPy-based invariant
+proof verification. 5-strategy implication prover, 3-layer inductive safety,
+multi-lemma ProofScript system. 112 tests, 95% coverage.
+
 ---
 
 ## 2026-04-03 — Tier 0 + Tier 1 Complete

docs/proof/getting-started.md

@@ -0,0 +1,167 @@
+# Getting Started
+
+## Installation
+
+```bash
+uv add gds-proof
+```
+
+For development (monorepo):
+
+```bash
+git clone https://github.com/BlockScience/gds-core.git
+cd gds-core
+uv sync --all-packages
+```
+
+## Your First Invariant Proof
+
+The typical workflow: define a GDS spec, enrich blocks with symbolic expressions, declare invariants, and run the proof engine.
+
+### 1. Define the structural spec
+
+```python
+import sympy
+from gds import GDSSpec, Mechanism, Entity, interface, state_var, typedef
+
+# Types and state
+Balance = typedef("Balance", float)
+account = Entity(
+    name="Account",
+    variables={"balance": state_var(Balance, symbol="x_prev")},
+)
+
+# Mechanism block
+withdrawal = Mechanism(
+    name="withdrawal",
+    interface=interface(forward_in=["Balance Command"]),
+    updates=[("Account", "balance")],
+)
+
+# Register in a spec
+spec = GDSSpec(name="bank_account")
+spec.collect(Balance, account, withdrawal)
+```
+
+### 2. Enrich with symbolic expressions
+
+GDS blocks are structural -- they don't carry SymPy math. Use `GDSSymbolicBlock` to pair a block with its symbolic state transition:
+
+```python
+from gds_proof import (
+    GDSSymbolicBlock, GDSSymbolicModel,
+    Invariant, predicate_from_post_check,
+)
+
+X = sympy.Symbol("x_prev")  # pre-state (plain, no assumptions!)
+U = sympy.Symbol("u")       # input
+
+# Build a predicate: balance must remain positive after withdrawal
+pred = predicate_from_post_check(
+    name="no_overdraft",
+    post_state_check=sympy.Symbol("x") > 0,   # desired post-state property
+    state_transition={"x": X - U},             # x = x_prev - u
+)
+
+# Enrich the mechanism with symbolic expressions
+symbolic_block = GDSSymbolicBlock(
+    block=withdrawal,
+    spec=spec,
+    state_transition={"x_prev": X - U},        # f(x_prev, u) = x_prev - u
+    output_expressions={"balance": X - U},      # observable output
+    predicates_list=[pred.expr],                # admissibility guard
+    inputs=frozenset({U}),
+)
+```
+
+### 3. Declare invariants and run analysis
+
+```python
+from gds_proof import analyze_invariants, analyze_inductive_safety
+
+# Build the proof-ready model
+model = GDSSymbolicModel(
+    spec=spec,
+    enrichments={"withdrawal": symbolic_block},
+    invariants_dict={
+        "balance_nonneg": Invariant(
+            name="balance_nonneg",
+            expr=sympy.Ge(X, 0),  # x_prev >= 0
+        ),
+    },
+    assumptions={
+        X: {"nonnegative": True, "real": True},
+        U: {"nonnegative": True, "real": True},
+    },
+)
+
+# Run symbolic analysis
+result = analyze_invariants(model)
+for r in result.results:
+    print(f"{r.invariant_name} x {r.mechanism_name}: "
+          f"{r.status} ({r.proof_method})")
+
+# Run inductive safety analysis
+safety = analyze_inductive_safety(model)
+print(f"Multi-step verdict: {safety.multi_step.verdict}")
+```
+
+### 4. Convert to VerificationReport
+
+Integrate proof results with the existing verification pipeline:
+
+```python
+from gds_proof.findings import (
+    symbolic_analysis_to_findings,
+    proof_findings_to_report,
+)
+
+findings = symbolic_analysis_to_findings(result)
+report = proof_findings_to_report("bank_account", findings)
+print(f"Checks: {report.checks_total}, Errors: {report.errors}")
+```
+
+## Auxiliary Proofs for INCONCLUSIVE Results
+
+When the automatic prover can't resolve a pair, build a manual proof script:
+
+```python
+from gds_proof import (
+    hash_model, ProofBuilder, LemmaKind,
+    verify_proof, attach_proof,
+)
+
+model_hash = hash_model(model)
+
+# Build a proof script with a geometric series lemma
+k = sympy.Symbol("k", integer=True, nonneg=True)
+script = (
+    ProofBuilder(
+        model_hash, "balance_nonneg",
+        "convergence_proof", "Balance converges to steady state",
+    )
+    .lemma(
+        "series_limit",
+        LemmaKind.EQUALITY,
+        expr=sympy.Sum(sympy.Rational(1, 2) ** k, (k, 0, sympy.oo)),
+        expected=sympy.Integer(2),
+    )
+    .build()
+)
+
+# Verify independently (no trust in original analyst)
+proof_result = verify_proof(script, model_hash)
+print(f"Proof status: {proof_result.status}")
+
+# Attach to invariant if VERIFIED
+if proof_result.status == "VERIFIED":
+    inv = model.invariants()["balance_nonneg"]
+    inv = attach_proof(inv, script, model_hash)
+    print(f"Proof hash: {inv.proof_hash}")
+```
+
+## Next Steps
+
+- [Proof Overview](index.md) -- architecture, key concepts, and verification integration
+- [Framework](../framework/index.md) -- GDS specification and structural types
+- [Analysis](../analysis/index.md) -- simulation-based reachability and PSUU

docs/proof/index.md

@@ -0,0 +1,79 @@
+# gds-proof
+
+[![PyPI](https://img.shields.io/pypi/v/gds-proof)](https://pypi.org/project/gds-proof/)
+[![Python](https://img.shields.io/pypi/pyversions/gds-proof)](https://pypi.org/project/gds-proof/)
+[![License](https://img.shields.io/github/license/BlockScience/gds-core)](https://github.com/BlockScience/gds-core/blob/main/LICENSE)
+
+**Deterministic model identity and SymPy-based invariant proof verification for GDS models.**
+
+## What is this?
+
+`gds-proof` is a formal verification layer for the GDS ecosystem. It proves that system invariants are preserved across state transitions using symbolic implication analysis powered by SymPy.
+
+Where `gds-analysis` answers "what happens when I simulate this?", `gds-proof` answers "can I *prove* this property always holds?"
+
+- **`analyze_invariants()`** -- 5-strategy symbolic implication prover for every (invariant, block) pair
+- **`analyze_inductive_safety()`** -- 3-layer predicate-guarded inductive safety (single-step, predicate sufficiency, multi-step induction)
+- **`ProofBuilder` / `verify_proof()`** -- user-authored multi-lemma proof scripts for INCONCLUSIVE results
+- **`hash_model()` / `hash_proof()`** -- deterministic SHA-256 identity for models and proof scripts
+- **`GDSSymbolicBlock` / `GDSSymbolicModel`** -- adapters bridging GDS structural types to the proof engine
+
+## Architecture
+
+```
+gds-framework                   gds-proof
+|                                |
+|  GDSSpec, AtomicBlock,         |  SymbolicBlock/SymbolicModel protocols
+|  Mechanism, Entity,            |  GDSSymbolicBlock/GDSSymbolicModel adapters
+|  Finding, VerificationReport   |  analyze_invariants(), analyze_inductive_safety()
+|                                |  ProofBuilder, verify_proof(), attach_proof()
++-------+                       |  hash_model(), hash_proof()
+        |                        |  Finding integration (findings.py)
+        +--- Your application ---+
+             |
+             |  Structural spec + symbolic expressions
+             |  -> invariant proofs + VerificationReport
+```
+
+`gds-proof` sits at Layer 1 of the GDS ecosystem, alongside `gds-analysis`, `gds-domains`, and `gds-viz`. It depends on `gds-framework` for structural types and integrates with the existing verification pipeline via `Finding` and `VerificationReport`.
+
+## Key Concepts
+
+| Concept | What it is |
+|---------|-----------|
+| **Invariant** | A named SymPy BooleanExpr (e.g., `x >= 0`) that must hold across all transitions |
+| **SymbolicBlock** | A block enriched with symbolic state transition `f(x, u)`, output map `c(x, u)`, and predicates |
+| **Predicate** | Admissibility guard on inputs -- `U_{x} = {u : check(f(x, u)) = True}` |
+| **Proof obligation** | `I(x) AND P(x,u) -> I(f(x,u))` for each (invariant, block) pair |
+| **ProofScript** | Multi-lemma chain targeting one invariant, verified independently |
+| **Model hash** | SHA-256 of canonical_dict -- changes when the model changes |
+
+## The R1/R3 Gap
+
+GDS blocks are structural (R1) -- they declare *what* state variables a mechanism updates, but not *how*. The proof engine needs symbolic expressions (R3). The adapter layer bridges this:
+
+- **Structural (from GDSSpec)**: block names, entity variables, mechanism updates, parameter schema
+- **Behavioral (from user)**: SymPy state transitions, output expressions, predicates
+- **Bridge**: `GDSSymbolicBlock` wraps an `AtomicBlock` with user-supplied symbolic expressions
+
+## Verification Integration
+
+Proof results convert to `gds-framework` `Finding` objects via `findings.py`:
+
+| Check ID | What it checks |
+|----------|---------------|
+| `PROOF-001` | Invariant preservation (symbolic analysis) |
+
+`Finding.exportable_predicate` is populated with the invariant's canonical SymPy form, making it available to the OWL/RDF exporter in `gds-interchange`.
+
+## Quick Start
+
+```bash
+uv add gds-proof
+```
+
+See [Getting Started](getting-started.md) for a full walkthrough.
+
+## Credits
+
+Built on [gds-framework](../framework/index.md) and [SymPy](https://www.sympy.org/) by [BlockScience](https://block.science).

mkdocs.yml

@@ -126,6 +126,9 @@ plugins:
         Symbolic Math (gds-domains):
           - {symbolic/index.md: "SymPy bridge for gds-domains (control) — symbolic equations and linearization"}
           - {symbolic/getting-started.md: "Compile symbolic equations to ODE functions"}
+        Proof (gds-proof):
+          - {proof/index.md: "Deterministic model identity and SymPy invariant proof verification"}
+          - {proof/getting-started.md: "Build your first invariant proof with GDS types"}
         Analysis (gds-analysis):
           - {analysis/index.md: "Bridge GDSSpec structural annotations to gds-sim runtime"}
           - {analysis/getting-started.md: "Convert a GDSSpec to a runnable simulation model"}
@@ -391,6 +394,9 @@ nav:
       - Symbolic Math:
           - Overview: symbolic/index.md
           - Getting Started: symbolic/getting-started.md
+      - Proof:
+          - Overview: proof/index.md
+          - Getting Started: proof/getting-started.md
       - Analysis:
           - Overview: analysis/index.md
           - Getting Started: analysis/getting-started.md