Internal and Observational Parametricity for Cubical Agda

Two approaches exist to incorporate parametricity into proof assistants based on dependent type theory. On the one hand, parametricity translations conveniently compute parametricity statements and their proofs solely based on individual well-typed polymorphic programs. But they do not offer internal parametricity: formal proofs that any polymorphic program of a certain type satisfies its parametricity statement. On the other hand, internally parametric type theories augment plain type theory with additional primitives out of which internal parametricity can be derived. But those type theories lack mature proof assistant implementations and deriving parametricity in them involves low-level intractable proofs. In this paper, we contribute Agda --bridges: the first practical internally parametric proof assistant. We provide the first mechanized proofs of crucial theorems for internal parametricity, like the relativity theorem. We identify a high-level sufficient condition for proving internal parametricity which we call the structure relatedness principle (SRP) by analogy with the structure identity principle (SIP) of HoTT/UF. We state and prove a general parametricity theorem for types that satisfy the SRP. Our parametricity theorem lets us obtain one-liner proofs of standard internal free theorems. We observe that the SRP is harder to prove than the SIP and provide in Agda --bridges a shallowly embedded type theory to compose types that satisfy the SRP. This type theory is an observational type theory of logical relations and our parametricity theorem ought to be one of its inference rules.


INTRODUCTION
Theorems for free [Wadler 1989] are mathematical statements about polymorphic programs whose validity only depends on a program's type, not its implementation.Such theorems hold in programming languages that prevent polymorphic programs from inspecting their type arguments.This restriction forces polymorphic programs to behave parametrically, i.e., apply the same algorithm irrespective of the type they are invoked at.
For example, let us take a purely functional, polymorphic program taking two lists as input and outputting a single list, for an arbitrary type (we use curly braces to indicate the presence of an implicit argument). : If is parametric, its range of possible behaviors is considerably limited.Indeed, it cannot branch on concrete values of like = Bool and thus can only use its inputs , through the List interface: the resulting list must be obtained by interleaving, duplicating or omitting values from and .As a result, such a parametric program should satisfy the following theorem: The theorem holds when is a list concatenation function, for instance.But in fact, the reasoning above applies for arbitrary parametric implementations of type ∀{ : Type} → List → List → List , which all satisfy the theorem.For this reason, the theorem is "free", i.e. obtained at zero cost.
Several approaches have been developed to study the theoretical aspects of free theorems and enable their use for program verification.The first formal definition of parametricity was given by [Reynolds 1983] for System F, a.k.a. the second-order polymorphic lambda calculus [Girard 1986[Girard , 1972;;Reynolds 1974].Reynolds defined parametricity for System F programs as a form of preservation of relations.More precisely, he proceeded in two steps.First, he defined a logical relation for System F types, that is, an inductively defined translation mapping any System F type into a set-theoretic relation ⟦ ⟧ between inhabitants of the type.Second, he proved his abstraction theorem stating that every inhabitant : is related to itself ⟦ ⟧ .For example1 , the abstraction theorem for : ∀{ : Type} → List → List → List implies: The relation ListRel relates two lists iff they have the same length and their -th elements are related by for every .Observe that Reynolds's relational definition of parametricity lets us successfully recover the free theorem (2) by setting ( , ) iff ≡ in property (3).Reynolds's abstraction theorem is a metatheoretical statement about programs of System F. When verifying polymorphic programs in dependently typed proof assistants like Coq [The Coq development team 2022] or Agda [Agda Development Team 2023], such a metatheoretical statement is unsatisfactory.At best, it guarantees that the free theorem of interest can be added as an axiom in the proof assistant without jeopardizing the logical consistency of the system.The question then arises whether we can prove this free theorem in the proof assistant.To answer this question, two approaches have been developed in the literature: parametricity translations on one hand and dependent type theories with internal parametricity on the other.
Parametricity translations [Anand and Morrisett 2017;Bernardy et al. 2012;Keller and Lasson 2012] enhance Reynolds's logical relation ⟦−⟧ by acting both at the type level and at the term level.On the one hand, types of dependent type theory (DTT), say = ( : Type) → List → List → List , are mapped to Reynolds's relational parametricity statement for that type, i.e., their logical relation ⟦ ⟧.For this is (basically) statement (3) but formulated inside DTT, contrary to what can be done for System F. On the other hand, terms of DTT are mapped to a proof of the logical relation at their type.For a program : it is a proof of (3).
From the point of view of a proof assistant user, parametricity translations are convenient: solely based on an implementation : , they compute the statement of 's free theorem as well as its proof for .Nonetheless, parametricity translations are not as powerful as they could be.Indeed they fail to provide proofs of free theorems like the following: glob-hm : ∀( : { : Type} → List → List → List ) ∀( 0 1 : Type)( We call such a theorem global because the quantification on is an object-level, or internal quantification (so not metatheoretical).Because of this internal quantification, theorems like glob-hm are known to be logically independent from plain DTT [Booij et al. 2016;Boulier et al. 2017].Another example of (an indirect consequence of) a global free theorem is the correctness of the Church encoding for the type of booleans Bool ≃ ( : Type) → → → .Since parametricity translations do not alter the logical expressivity of plain DTT, they cannot possibly validate global free theorems.
An alternative approach that does validate such global free theorems in DTT is the use of internally parametric type theories [Cavallo and Harper 2021;Moulin 2016;Nuyts and Devriese 2018;Nuyts et al. 2017].In such type theories, free theorems can be proven from first principles, even theorems like (4).Those type theories draw inspiration from parametric denotational models of DTT (see e.g.[Atkey et al. 2014]) and augment plain DTT with so-called parametricity primitives: additional types, terms and equations (definitional equalities) from which free theorems can be derived.One such parametricity primitive, which appears in all internally parametric DTTs we know of, is the bridge type former (some systems use a different name).It axiomatizes the logical relation ⟦ ⟧ at each type .Internal parametricity then follows from the fact that programs preserve such bridges, similar to how parametric programs preserve relations.
Nonetheless, the cost of the extra logical expressivity granted by internally parametric DTTs is twofold.For one thing, only experimental, unpractical or incomplete implementations of such type theories exist (see e.g.[Cavallo 2020;Nuyts et al. 2017]).More fundamentally, even proving simple free theorems in those systems can be cumbersome.For example, Cavallo and Harper [2021] need about 25 lines of on-paper proof relying on their low-level parametricity primitives to establish that Bool ≃ ( : Type) → → → .
In this work we contribute a practical proof assistant and associated library combining the two approaches to parametricity in dependent type theory.Concretely, we first contribute the Agda --bridges proof assistant: an extension of the --cubical mode of the Agda proof assistant [Vezzosi et al. 2021].It implements the parametricity primitives of Cavallo and Harper [2021] (CH), which we have adapted to the cubical type theory underlying Agda --cubical [Cohen et al. 2017].In order to soundly emulate the substructurality of the bridge type former of CH and their variable-capturing equational theory, we build on the implementation of ticks [Mannaa and Møgelberg 2018] in Agda --guarded [Veltri andVezzosi 2020, 2023] and let Agda --bridges raise freshness constraints on free variables at typechecking time.Furthermore, Agda --bridges reimplements the equational theory of the Kan operations hcomp, transp of Agda --cubical with respect to a novel, extended cofibration logic (a.k.a.face logic, see e.g.[Rose et al. 2022] for some background and references).Agda --bridges successfully compiles the full Agda --cubical standard library [Agda Community [n. d.]], offering evidence of its practicality and backwards compatibility.In particular, Agda --bridges conveniently enjoys strong extensionality principles like the univalence and function extensionality theorems provided by Agda --cubical.Within Agda --bridges, we give the first fully formal proofs of several theorems fundamental to internal parametricity, such as relativity [Cavallo and Harper 2021], the relational counterpart of univalence.
Agda --bridges can be used to prove (global) free theorems by hand using its low-level parametricity primitives, as is customary in internally parametric DTTs.However, experience showed that such direct low-level proofs suffer from several drawbacks.First, familiarity with the CH parametricity primitives is required of the user.Second, these proofs lack compositionality: for example, it is unclear how to reuse a proof like (4) in order to shortcut a parametricity proof at a type built using = ( : Type) → List → List → List as a subterm.Third, these proofs are typically long and quickly get intractable as the complexity of the polymorphic target type grows.
To remedy this situation we first observe that the information required to carry out such proofs is exactly captured by a high-level metatheoretical principle which we call the structure relatedness principle (SRP).The SRP is a relational, dependent version of the structure identity principle (SIP; see e.g.Angiuli et al. [2021b] and Section 6.3).In essence, the SRP simply asserts that for each (dependent) type , the bridge type of is equivalent to the logical relation type at .For a type like (1), such an equivalence looks like the following, where 0 and 1 are polymorphic programs of type and the left-hand side looks like (3): Note that the SIP asks for similar characterizations, but for path types instead of bridge types.
The SRP at a certain (dependent) type, i.e., a characterization like the above, is enough to derive global free theorems for it.This is the content of our general parametricity theorem param (see Section 3.3.2),formulated in Agda --bridges for (dependent) types that satisfy the SRP.It is an internal abstraction theorem asserting that dependent functions preserve or act on logical relations.In practice, proofs of free theorems in Agda --bridges are one-liner invocations of param, if the appropriate type has been proven to satisfy the SRP.
Factoring the proof of a free theorem into an SRP proof obligation plus a call to the param theorem is already helpful.Such proofs are conceptually easier (with the same computational content) than their low-level counterparts and SRP proofs for simpler types compose to SRP proofs for more complex types.Nonetheless, proving the SRP for dependent types turns out to be challenging.Indeed we observe that some tools that facilitate SIP proofs do not translate to the relational setting: this includes the fundamental theorem of identity types (Theorem 3.5) and the useful fact that the proof-irrelevant fragment of a type can be ignored while proving the SIP for it (Theorem 3.6).
This motivates us to introduce a shallowly embedded domain-specific language (DSL) developed in Agda --bridges, letting the user combine types that validate the SRP.The mere act of writing a type in this DSL, amounts to the construction of an Agda --bridges type that satisfies the SRP, so that param can be used straightforwardly.Since it is a tool for composing dependent types, our DSL is in fact a dependent type theory itself, or rather a shallow embedding of a type theory.For the expert reader, our DSL consists of a (raw) category-with-families (CwF) structure on the category of types that satisfy the SRP.Our DSL can be seen as an observational type theory (OTT) [Altenkirch and Kaposi 2015;Altenkirch et al. 2022Altenkirch et al. , 2007;;Pujet and Tabareau 2022] of logical relations and our param theorem ought to be one of its inference rules.Indeed param can be seen as the relational analogue of the inference rule of OTT stating that open terms act on identifications (equalities).For this reason we call our DSL relational observational type theory (ROTT) and say that our param theorem is not just internal (to Agda --bridges) but also observational.
ROTT and param provide free theorems of practical and theoretical relevance as one-liners in Agda --bridges 2 : we prove theorem (4); we prove a scheme of Church encodings parametrized by a strictly positive functor; we give the first proof of Reynolds's abstraction theorem for (predicative) System F, using an internally parametric DTT (Agda --bridges) as a metatheory.This was not possible in [Nuyts et al. 2017].We believe this is the first formal connection between an internally parametric system and Reynolds's relational parametricity.To summarize, our contributions are as follows: Proc.ACM Program.Lang., Vol. 8, No. POPL, Article 8. Publication date: January 2024.
Internal and Observational Parametricity for Cubical Agda 8:5 • Agda --bridges: the first practical proof assistant with support for internal parametricity.It implements an adaptation of the internally parametric DTT of Cavallo and Harper [2021] (CH) to the type theory underlying Agda --cubical [Cohen et al. 2017] (CCHM).To faithfully implement the CH theory, Agda --bridges raises freshness constraints at typechecking time; the implementation of this feature builds on the implementation of ticks [Mannaa and Møgelberg 2018] in Agda --guarded [Veltri andVezzosi 2020, 2023].Agda --bridges reimplements the hcomp, transp operations of Agda --cubical with respect to an extended cofibration logic (a.k.a.face logic).It successfully compiles the full Agda --cubical standard library [Agda Community [n. d.]] and thus features the univalence and function extensionality theorems.
• Within Agda --bridges, we provide the first machine-checked proofs of several theorems of fundamental importance for internal parametricity, such as relativity.
• We identify a sufficient condition to obtain free theorems internally, the structure relatedness principle (SRP).We state and prove param: a general binary parametricity theorem (abstraction theorem) inside Agda --bridges, formulated for dependent types validating the SRP.Internal free theorems can be obtained out of param as one-liners.
• We identify objective reasons why, at a given type, proving the SRP is generally harder than proving the SIP.For these reasons, we provide ROTT: a shallowly embedded type theory for obtaining SRP proofs by merely writing a type, in the spirit of parametricity translations.Our param theorem ought to be one of the inference rules of ROTT.Internal parametricity proofs performed using ROTT and its param rule are user-friendly, compositional and concise.
• We demonstrate the use and generality of Agda --bridges, ROTT and param on practically and theoretically relevant examples.
Outline.This paper is structured as follows.In Section 2 we present the implementation and typing rules of Agda --bridges as well as its core theorems.More precisely: Section 2.1 is a brief reminder about cubical type theory and Agda --cubical; Section 2.2 discusses what makes Agda --bridges and the CH type theory substructural type systems.Sections 2.3, 2.4, 2.5 introduce the BridgeP, extent and Gel parametricity primitives; Section 2.6 and Section 2.7 prove core or basic theorems using Agda --bridges.The discussion about the Kan operations transp, mhcomp of Agda --bridges and their custom cofibration logic is rather postponed to Section 5 as they are not needed for the free theorems we present.In Section 3 we present a framework developed in Agda --bridges that provides abstractions to write user-friendly, modular and concise proofs of free theorems2 .More precisely: In Section 3.1 we discuss the structure relatedness principle (SRP); In Section 3.2 we identify obstructions to the SRP; In Section 3.3 we present ROTT and its param rule.We use ROTT and apply param on various examples in Section 4. We conclude with related work in Section 6.
Conventions and notations.We use the term "logical relation" for (1) a relation between structured types, compatible with the structure (e.g. a structure-preserving relation : 0 → 1 → Type between two monoids); (2) a proof of relatedness for such a structured relation (e.g. a proof pf : 0 1 for some 0 : 0 , 1 : 1 ); and (3) (more rarely) a relation defined by induction on the formation of types (like ⟦−⟧ above).Our choice to use the same term for (1) and (2) mirrors the situation for bridges.We assume that the reader is somewhat familiar with intensional dependent type theory and proof assistants based on it.The term "free theorem" designates consequences of relational parametricity for potentially non-graph relations , at any given polymorphic type.For us, the equational theory of a type theory is the collection of its undirected definitional equalities and it includes and rules.We typically use Agda syntax to write types, programs and proofs.We ignore writing universe levels.We use curly braces for implicit arguments.Variable binding may be denoted with ., → (Agda syntax) or sometimes just . .Logical relations between e.g.
0 and 1 are typically denoted with a postfix notation .Bridges and paths between 0 and 1 are rather denoted with a double-letter notation .The symbol systematically ranges in {0, 1}.

THE INTERNAL PARAMETRICITY OF AGDA BRIDGES
Agda --bridges is a proof assistant extending the Agda --cubical proof assistant [Vezzosi et al. 2021].Accordingly, the type theory that Agda --bridges implements, i.e., its primitives and their equational theory, is an extension of the type theory that Agda --cubical implements (called CCHM in the literature [Cohen et al. 2017]).A reminder about Agda --cubical appears in Section 2.1.
The type theory of Agda --bridges is an adaptation of the internally parametric DTT of Cavallo and Harper [2021] (referred to as the CH theory).In other words, Agda --bridges implements the primitives and equations specified by the CH theory (we mostly keep the same names), or rather relatively close variants.The CH theory is not entirely standard as it is a substructural (alternatively "affine") type theory.Indeed, most of its parametricity primitives have typing rules, including operational semantics, that can only be used if certain conditions on free variables are satisfied.This is discussed in Section 2.2.The first main difference between the Agda --bridges and CH theories lies in how they both handle substructurality.Our solution, freshness typechecking constraints on free variables, is discussed in Section 2.3.Note that the other main difference w.r.t. the CH theory is that both type theories extend different kinds of cubical type theories.The latter difference is rather discussed in Section 5.
In the CH theory, the bridge type former is postulated to represent logical relations: relations between types that respect their structure, or proofs of relatedness under such relations.Concrete examples of logical relations will appear below or can be consulted in [Hermida et al. 2013], for example.To ensure that bridges do uniquely correspond to logical relations, additional primitives called extent and Gel are postulated by the theory.Internal parametricity then refers to the fact that all programs preserve bridges, which are in one-to-one correspondence with logical relations.Accordingly, Agda --bridges features primitives BridgeP, extent and Gel whose implementation and rules are explained in Sections 2.3, 2.4, 2.5.Occurrences of these primitives in a program or type may generate freshness constraints at typechecking time.
In Section 2.6 and Section 2.7 we use the above primitives to derive within Agda --bridges core theorems for internal parametricity as well as the free theorem Bool ≃ ( : Type) → → → in a low-level style.

The Cubical Fragment of Agda Bridges
Agda --cubical is an implementation of cubical type theory (CCHM) on top of the Agda proof assistant.Overall, cubical type theory modifies standard intensional type theory in several respects.First, it treats proofs of equality as if they were topological paths (see Section 2.1.1).Second, it features language primitives that let it realize univalence as a theorem (see Section 2.1.3).The latter property characterizes type equality as type equivalence (i.e.having a "bijection") and constitutes a defining aspect of homotopy type theory (HoTT) [Program 2013].Earlier instances of HoTT assume univalence as an axiom instead.Third, these primitives include the so-called Kan operations called transport, hcomp in Agda --cubical.Our adaptation of the Kan operations is rather discussed in Section 5. Lastly, as an instance of HoTT, cubical type theory defines higher inductive data types (HITs) which we do not discuss in this work.We now remind the reader about paths, equivalences, univalence and other extensionality principles.

Paths.
A major difference between Agda and Agda --cubical lies in how each system treats propositional equality.By contrast with the inductively defined equality types ≡ of standard intensional type theory, Agda --cubical defines equality in terms of a special postulated type called the path interval denoted I and equipped with two constants i0, i1 representing the interval's endpoints.A proof of equality of 0 , 1 : is then by definition a function : I → such that i0 = 0 and i1 = 1 (definitionally).Proofs of equality are commonly called paths in the context of cubical type theory.In order to validate basic lemmas about path equality, I carries operations ~, ∧, ∨ for manipulating path variables.For instance, the map ~: I → I inverts the two endpoints and can be used to prove symmetry of path equality: To explain what are paths : 0 ≡ 1 when is constituted from dependent types (e.g. is a Σ-type), an essentially unavoidable notion of heterogeneous, or dependent path emerges.For this reason Agda --cubical features types PathP of dependent paths.Given a line of types, that is, a function : → Type and terms 0 : i0 and 1 : i1, one can form the type PathP 0 1 : Type of heterogeneous or dependent paths between 0 and 1 .While non-dependent paths : 0 ≡ 1 are functions I → with definitionally fixed endpoints 0 , 1 , dependent paths : PathP 0 1 are dependent functions ( : I) → with definitionally fixed endpoints 0 , 1 .In fact, the type 0 ≡ 1 of non-dependent paths in is defined as the type PathP → 0 1 of paths over a constant line ( → : I → Type).Note that we will use the notation .
:= → to refer to lines of types in inlined code.
2.1.3Univalence and Other Extensionality Principles.It is commonplace in proof assistants to be faced with situations where one needs a more concrete representation of an equality type 0 ≡ 1 when the specific shape of is known.For example, in order to prove that two (perhaps dependent) functions are equal it should be sufficient to prove that they are pointwise equal.In Agda --cubical, this principle admits a simple proof and is realized as an equivalence funextEquiv : (( : ) → 0 ≡ 1 ) ≃ ( 0 ≡ ( : )→ 1 ).Such characterizations of equality types 0 ≡ 1 at specific types are called extensionality principles.Interestingly, Agda --cubical is expressive enough to guarantee the validity of similar extensionality principles for all primitive type formers, which we list here.The extensionality principle for Π (or → in the non-dependent case) is funextEquiv.The principle for Σ (and ×) characterizes the path type ).Note that .fst,.sndextract values from (dependent) pairs.Similarly, extensionality principles for specific data and (even coinductive) record types can always be proven, and there also exists such a principle for the path type itself.Lastly, arguably the most important yet subtle primitive extensionality principle is univalence, which asserts that two types are equal if and only if they are equivalent, i.e., univalence : ( 0 ≃ 1 ) ≃ ( 0 ≡ Type 1 ).As all the other extensionality principles, univalence is obtained as a theorem in Agda --cubical.

Substructurality
As explained above, the CH theory is dubbed substructural (or alternatively "affine") because most of its parametricity primitives have typing rules, including operational semantics, that can only be used if certain conditions on free variables are satisfied.Reasons why these restrictions exist in the first place appear later in this subsection.The CH theory manages to express such restrictions on free variables by using a context restriction operation Γ ↦ → Γ \ acting on contexts.Typically, restricted contexts Γ \ are strictly smaller than Γ and appear in the premises of certain typing rules of CH.Note that having premises featuring smaller contexts is not standard in dependent type theory.We now exemplify context restriction by looking at how the bridge type former is defined in the CH theory.

Substructurality in CH.
Recall that the CH theory is an extension of cubical type theory.The first type former presented in CH is the bridge type former.The definition of the bridge type former is similar to that of the path type former as it is also based on the presence of an abstract interval BI called the bridge interval.The type BI is assumed to be equipped with two endpoints bi0, bi1 : BI but no other operations (like ∼, ∧, ∨ in the case of I, see Section 2.1).This implies that a term Γ ⊢ : BI in an arbitrary context is in fact always either a bridge variable ( : BI) ∈ Γ or an endpoint bi0, bi1.
Similar to the path case, the bridge introduction rule (at a closed type , say) lets us build a bridge Γ ⊢ . : Bridge 0 1 if a term Γ, : BI ⊢ : is provided.However, the bridge and path type formers feature different elimination rules which we reproduce here: Γ ⊢ : As can be seen on the right, a bridge can be applied to a bridge interval term Γ ⊢ : BI only if typechecks in a different, restricted context Γ \ .This restriction operation Γ ↦ → Γ \ is defined by structural induction on the context.Intuitively, if is a variable (so not bi0, bi1) the context Γ \ is obtained from Γ by deleting the : BI variable from Γ, as well as all those variables "strictly to the right" of in Γ (whose type could legally contain ).This intuition is made formal in Section 2.3.In particular, the term .sq that takes the diagonal of a square of bridges (i.e. a bridge between bridges), is ill-typed.The constraint appearing in bdg-elim-ch can be summarized by saying that bridges are only allowed to consume variables : BI that are "fresh".Alternatively one can say that bridges, or the interval BI itself, are substructural, or affine.
The bridge elimination rule is one example of how context restriction is used to make BI substructural.In fact the majority of the rules appearing in the parametricity fragment of the CH theory feature restricted contexts.But knowing that context restriction can be used to enforce substructurality does not explain why the theory is substructural in the first place.
There are essentially two reasons for this, we refer to the CH article for more details.First, CH show that their substructural type theory admits a denotational model (in bicubical sets, see their article).This means that their type theory is logically consistent (relative to Set theory).In other words we can be sure that no logical contradiction can be derived using their primitives, an important requirement for a logic or a proof assistant.Second, several parametricity primitives of the theory (extent, Gel and the Kan operations) present a non standard variable-capturing equational theory that is well defined solely thanks to the substructurality of BI.For instance the -rule of extent operates by identifying a free bridge variable : BI in an appropriate argument and by capturing the variable in , yielding an overall term with .as a subterm.More information about capturing appears in Section 2.4.
Substructurality in Agda --bridges.Neither normal dependent Agda functions nor paths of Agda --cubical present an elimination rule with a restricted context.Accordingly, to minimize the implementation work and maximize the reuse of existing Agda infrastructure we do not use a context restriction operation: the premises of our rules do not have smaller contexts compared to their conclusion.For instance, eliminating a bridge at a bridge variable Γ ⊢ : BI only requires to typecheck in Γ (not Γ \ ).To remain sound w.r.t. the CH theory, Agda --bridges compensates by raising appropriate constraints on free variables when typechecking a rule featuring a premise where Γ \ would appear in the CH theory.An example of such a rule is bdg-elim-ch.We call these constraints freshness typechecking constraints.Their definitions are given in Definition 2.1, 2.2.Such freshness constraints can be raised on different occasions during typechecking, which we list here.
• We are typechecking a bridge application Γ ⊢ .• We are typechecking an affine function elimination Γ ⊢ .• We are computing (so reducing or comparing terms) and need capturing to occur.Note that affine functions are exactly like bridges, but without fixed endpoints.Affine functions will be used to express the type of extent, for example.The first two cases are similar.If the raised constraint is found satisfiable, typechecking can continue and perhaps succeed.Else, a typechecking error occurs.In the third case, a freshness constraint called semi-freshness is raised.If it is found satisfiable computing goes on.Else, computing halts (no further reduction, or a failed comparison).
We now present the primitives of Agda --bridges: their typing rules and equational theory, details about their implementation as well as core theorems they guarantee.Following the above, several of these typing rules have premises that are (semi-) freshness constraints.Recall that all the theorems we obtain using Agda --bridges are available in our accompanying library.

Affine Functions and Bridges
First of all, Agda --bridges postulates the existence of a bridge interval type BI equipped with two endpoints bi0, bi1 : BI and no further operations.Next, we define the type former of affine functions.Bridges will essentially be affine functions with definitionally fixed endpoints.

Affine Functions.
Affine functions are implemented as normal Agda dependent functions but their domain is BI and it carries what is called a tick annotation (building on [Veltri andVezzosi 2020, 2023]).The type of non-dependent affine functions with codomain is denoted (@tick : BI) → or @BI → .We call an affine function : (@tick : BI) → Type an (affine) line of types and such lines are sometimes denoted .
. Given a line : (@tick : BI) → Type one can form the type of dependent affine functions over denoted (@tick : BI) → . Compared to normal dependent functions, the tick annotation has the net effect of raising an additional freshness constraint while typechecking the application of a function : (@tick : BI) → to a bridge variable ( : BI) in a given context.That is to say, the following typing rule is implemented.
The other rules of (@tick : BI) → are those of normal dependent functions.Notice how this time the context in which typechecks is not restricted.The constraint on free variables implied by the context restriction operation of (2.2) is instead expressed as a typechecking side condition denoted fresh( , ) (understood to live at the same context Γ than ).We call the latter side condition a freshness constraint and it is defined as the following decidable condition on , .
In more mundane terms, and satisfy the freshness constraint if does not mention as a free variable, nor any term variable (i.e.not a path/bridge variable) declared after in the context Γ.In what follows the presence of a tick annotation will sometimes be abbreviated to an @ symbol, or omitted.To remain sound w.r.t.CH, all functions must use BI with this annotation.
We now explain the BridgeP, extent and Gel type formers.The typing rules implemented for those primitives are provided in Fig. 1.We make a few general remarks about these rules.The symbol systematically ranges over the indices 0, 1.An equality judgment Γ ⊢ = : , or just = when the context and types are clear, signifies that "the convertibility algorithm of the Agda --bridges typechecker concludes that and are definitionally equal".A reduction judgment Γ ⊢ ↦ → : , or just ↦ → signifies that "the reduction algorithm of Agda --bridges finds that reduces to ".More precisely, Agda uses weak head normalization and we denote the result of this algorithm on by red .To be more precise about our implementation, some of the rules of Fig. 1 contain occurrences of reduction red .It is important to know that red is not a type-theoretic primitive but rather a hint that the corresponding argument should be reduced when firing the rule in question.In other words, occurrences of red in the rules must merely be seen as informative decorations providing more details about the implementation.The rules also present occurrences of variable captures ⟨ ⟩ .Again, capturing is not an object-level program but rather a metatheoretical algorithm applying various substitutions and raising freshness constraints under the hood (see Section 2.4).

Bridges.
As hinted above, the rules of BridgeP are essentially a replication of the rules of (@ : BI) → . According to the formation rule, and given an affine line of types : (@ : BI) → Type as well as two endpoints 0 : bi0 and 1 : bi1 one can form the type BridgeP 0 1 : Type of heterogeneous or dependent bridges between 0 and 1 over the line .We sometimes write the line as an index as in BridgeP 0 1 : Type.Given a type : Type and two inhabitants 0 , 1 , the type of non dependent bridges between 0 , 1 is defined as Bridge 0 1 = BridgeP .0 1 .Furthermore, eliminating a bridge at a bridge variable can only be done if a freshness constraint is satisfied, similar to the tick-app rule of Section 2.3.1.Lastly, when typechecking a bridge Γ ⊢ : BridgeP 0 1 , the typechecker will verify that bi and are definitionally equal.Conversely, the expression bi will reduce to for a typechecked bridge.So far only one example of a bridge can be built in an empty context.If is a closed type inhabited by , one can build the reflexivity bridge at as .: Bridge .To build examples of bridges different from reflexivity at function types ( : ) → , the extent primitive is introduced.

The Extent Primitive
We now turn our attention to the rules and implementation of the extent parametricity primitive.
The rules of extent are displayed in Fig. 1.The sole purpose of extent is to guarantee the validity of a certain relational extensionality principle: a principle akin to funextEquiv but characterizing bridges between functions rather than paths.We call this principle extentEquiv and it reads as: This equivalence asserts that two functions 0 , 1 are related by a bridge if and only if they are pointwise related, i.e., they map related inputs to related outputs, where "related" signifies the existence of an appropriate bridge.In other words it makes the bridge type former behave as a type former of logical relations, at ( : ) → .Note that there exists a slight generalization of this principle characterizing the type of heterogeneous bridges BridgeP .( : )→ 0 1 instead, which we still call extentEquiv.
Fig. 1.Rules of the BridgeP, extent and Gel primitives of Agda --bridges.Some premises are omi ed.
In order to validate the left-to-right direction of the above principle, Agda --bridges postulates the existence of the extent primitive (see also the ext rule of Fig. 1).Note that the type of extent rather ends with a type of affine functions.This difference is essentially cosmetic thanks the the ext-rule of extent.extent : ∀ {A : (@tick x : BI) → Type} {B : (@tick x : BI) (a : It remains to upgrade this map into an actual equivalence extentEquiv.Validating the right-toleft direction of extentEquiv is possible without assuming further primitives.Indeed, assuming a bridge : Bridge ( : )→ 0 1 , we can easily build a function of the appropriate type 0 1 → .( ).Furthermore, one of the inverse conditions can be obtained using a "propositional -rule" theorem proved for extent.The other inverse condition relies on the -rule of extent (see ext-in Fig. 1).The exact proof can be consulted in our accompanying library, or in the CH paper.
The -rule of extent is not a standard type theoretic rule, as it works by capturing (see cap rule) the bridge variable argument : BI of extent in its principal argument : . Capturing can only be performed if a specific freshness constraint (semi-freshness, denoted sfresh( , )) is satisfied and thus ext-only fires in that case.We now explain what semi-freshness is and how capturing is implemented.Note that several other parametricity primitives of Agda --bridges like Gel and the Kan operations make use of capturing in their equations.
Definition 2.2 (Semi-freshness constraint).Given a context Γ = Γ 1 , ( : BI), Γ 2 and a term Γ ⊢ , the constraint sfresh( , ) is satisfied if for every free variable of one of the following holds: We define Υ 2 as the variables satisfying this clause.

Gel Types
The univalence theorem stated in Section 2.1.3posits that paths at the universe : 0 ≡ 1 uniquely correspond to type equivalences 0 ≃ 1 .Analogously, the relativity theorem asserts that bridges at the universe uniquely correspond to relations.relativity : ( 0 → 1 → Type) ≃ Bridge Type 0 1 Similar to extent, Agda --bridges postulates the existence of Gel in order to validate the left-toright direction of relativity.Thus Gel has the following type (see also Gel-form in Fig. 1).

Gel : ∀ (
The type of Gel merely ends with a type of affine functions (@ : BI) → Type which can be turned into a bridge type thanks to the Gel-rule.
To upgrade this map into the relativity equivalence, we first need an inverse candidate.From a bridge between two types : Bridge Type 0 1 we obtain the following relation 0 1 → BridgeP .
0 1 : 0 → 1 → Type.This relation between the types 0 and 1 holds for 0 , 1 exactly when there is a dependent bridge over between them.We also need to provide two inverse conditions.
2.5.1 The First Inverse Condition.Regarding the first condition, using function extensionality one has to show ∀( : 0 → 1 → Type)( 0 : 0 )( 1 : 1 ) → BridgeP .Gel 0 1 0 1 ≡ 0 1 .By univalence, it can be reduced to proving an equivalence BridgeP .Gel 0 1 0 1 ≃ 0 1 .One could call this equivalence a (dependent) relational extensionality principle for Gel.Constructing both directions of this particular equivalence is precisely the role played by the introduction and elimination primitives of Gel, called gel and ungel, respectively (see Gel-intro, Gel-elim).The fact that gel and ungel are mutual inverses is in turn guaranteed by the equations governing those primitives, called the -rule and the -rule of Gel (see Gel-, Gel-).Note that the -rule of Gel makes use of capturing, as was the case for ext-.This means in particular that a semi-freshness constraint is checked when comparing two inhabitants of Gel.
In their paper and technical report, Cavallo andHarper [2019, 2021] sketch a proof of this lemma based on a relational extensionality principle for equivalences whose lengthy proof they also sketch.The principle is a characterization of the type of heterogeneous bridges between equivalences and its formulation is somewhat comparable to extentEquiv.We merely indicate here that our formal proof involves the pasting of several 2-dimensional paths in Type, whose construction relies on the path interval operations ~, ∧, ∨ provided by Agda --cubical.

Other Relational Extensionality Principles
The primitives extent and Gel, gel, ungel we have implemented grant relational extensionality principles for the Π type former and for the universe Type, respectively.It turns out that their addition alone ensures the validity of similar principles for the other primitive type formers of the theory.For instance, as is the case for paths, a bridge at between pairs ( 0 , 0 ), ( 1 , 1 ) can equivalently be regarded as a bridge in the base : Bridge 0 1 together with a heterogeneous bridge over it : BridgeP .( ) 0 1 .There also exist relational extensionality principles for the path type ≡ and the Bridge type itself.Essentially, those two principles reflect the fact that is is always possible to swap the order of bridge and path variables in the context.
Relational extensionality principles for specific inductive data types can also be stated and proved in Agda --bridges.For instance, in their paper CH prove such a principle for the type of booleans Bool.The principle expresses that Bool is bridge-discrete, that is, the only bridges in Bool are the ones corresponding to its paths: 0 ≡ Bool 1 ≃ (Bridge Bool 0 0 ).Since Bool has no non-reflexivity paths (i.e., is an h-set in HoTT parlance), there are only two bridges in Bool: the reflexivity bridges at true and false.We have adapted the argument of CH to prove in Agda --bridges a similar principle for the List parametrized data type.More precisely, it is a dependent extensionality principle as it characterizes the type of heterogeneous bridges BridgeP .List( ) 0 1 between two lists ( 0 : List 0 ), ( 1 : List 1 ) where : Bridge 0 1 .
The principle essentially expresses that a bridge between lists is a list of bridges.Indeed, ListRel is an inductively defined relation between the types List 0 and List 1 which holds for 0 , 1 exactly when the latter lists have the same size and exhibit -related values at each index.

Low-Level Parametricity
We are now ready to prove theorems for free from first principles in Agda --bridges.It is customary in type theories with internal parametricity (incl.CH) to prove free theorems by directly appealing lowChurchBool : (∀ (X : Type Fig. 2. A low-level proof of a free theorem.
to the available low-level parametricity primitives.This is unsurprising since, after all, those primitives have been added precisely for that purpose.
Such a low-level proof of a free theorem in Agda --bridges appears in Fig. 2. The lowChurchBool theorem asserts that Bool admits a Church encoding, i.e., that this equivalence holds: ( : Type) → → → ≃ Bool.It is a faithful reproduction of the proof appearing in [Cavallo and Harper 2021].We provide a high-level description of the proof and refer to the latter for more detailed explanations.To build an equivalence, it is sufficient to provide two maps and two inverse conditions.This is the content of the isoToEquiv lemma.The two candidate inverses are defined in a where block below and are called boolToCh and chToBool.The first inverse condition can simply be proven by induction.Using function extensionality, the second inverse condition asks that for every : ( : Type) → → → , this equality holds boolToCh(chToBool ) ≡ .Note that the universal quantification on appears inside the system (with an Agda Π-type).The logic of Agda --cubical alone would not be sufficient to warrant this result (see Section 1).Therefore the internal parametricity of Agda --bridges must be used.All calls to parametricity primitives are isolated in a separate module called CH-inverse-cond.The last lemma of this module param-prf implies the second inverse condition.
We observe that such low-level proofs suffer from several defects.First, the user of Agda --bridges wanting to reproduce this style of proofs must have a good familiarity with the parametricity primitives provided by Agda --bridges, including their inner workings.But these primitives use advanced or non-standard type-theoretic notions like freshness and capturing.This makes for hard and non user-friendly proofs.Second these proofs lack compositionality.Indeed, we have proved in Fig. 2 a free theorem param-prf about polymorphic programs of type = ( : Type) → → → .We expect other free theorems to hold at this type and it is unclear at first glance if param-prf could be reused to achieve that.In fact we even would like to be able to reuse the latter parametricity proof to shortcut proofs of free theorems at types having − → − → − as a subexpression.Lastly, these proofs are typically long even for seemingly simple examples of free theorems.Furthermore their complexity quickly gets intractable when the size of the target type grows (there are several reasons for this, discussed in the next section).
All in all, these drawbacks motivated us to develop in Agda --bridges a library providing userfriendly, compositional and short proofs of free theorems.This is the content of Section 3.

THE OBSERVATIONAL PARAMETRICITY OF AGDA BRIDGES
As explained in Section 2.7, low-level proofs of internal free theorems are unsatisfactory in several respects.We improve these low-level proofs in two steps.
Our first improvement stems from the observation that, in order to make use of internal parametricity, it is always sufficient to prove appropriate relational extensionality principles.More precisely, we argue that obtaining internal free theorems for an Agda --bridges program : ( : Γ) → can be reduced to providing (dependent) relational extensionality principles for 's domain and codomain, so characterizations of their (dependent) bridge types as types of actual logical relations: an equivalence Γ : ... ≃ Bridge Γ 0 1 and an equivalence : ... ≃ BridgeP .( ) ( 0 : 0 )( 1 : 1 ) where : Bridge Γ 0 1 .This is explained in Section 3.1 and illustrated on an example in Section 3.1.4.
We call this informal sufficient condition for obtaining free theorems, which asks that all (dependent) types are equipped with a characterization of their Bridge/BridgeP type as logical relations, the structure relatedness principle (SRP).The SRP is precisely stated in Section 3.1.The reason behind this name is that there exists an analogous principle asking instead that all (dependent) types feature a characterization of their ≡/PathP types as types of isomorphisms.The latter principle is known (to varying degrees of generality, see Section 6.3) as the structure identity principle (SIP) in HoTT/UF.
The second improvement we make compared to low-level proofs stems from the observation that proving the SRP or the SIP "by hand" at a given type can quickly get intractable, as explained in Section 3.2.To remedy this situation we introduce in Section 3.3 a shallowly embedded domainspecific language (DSL) implemented as an Agda --bridges library that allow the user to (1) show the SRP at a type by merely writing their type in the DSL (using the rules in Section 3.3.1)and (2) derive free theorems for in a straightforward manner (see the param theorem of Section 3.3.2).We call our DSL relational observational type theory (ROTT).By contrast with low-level proofs, ROTT provides abstractions to write user-friendly, modular and concise proofs.

The SRP and Bare Parametricity
The first improvement we make for better internal parametricity proofs is to systematically factor proofs of free theorems into two simpler statements: the structure relatedness principle (SRP) on one side, and bare parametricity on the other.We first explain these principles and then illustrate their use by deriving the global free theorem (4) of Section 1 in Agda --bridges..cr→ Type dlrel : ∀ ( 0 1 : .cr)( r : .lrel0 1 ) (a 0 : dcr 0 ) (a 1 : dcr 1 ) → Type drequ : ( 0 1 : .cr)( r : .lrel0 1 ) ( : Bridge 0 1 ) ( prf : r [ ( .requ0 1 ) ] ) (a 0 : dcr 0 ) (a 1 : dcr Structure Relatedness Principle (SRP): For each type Γ : Type of Agda --bridges, (resp.type family : Γ → Type) the Bridge type of Γ (resp.the BridgeP type of ) can be characterized as a type of logical relations (resp.heterogeneous logical relations).In other words, the SRP conveys the idea that bridges act as logical relations at all types*.For instance the SRP holds at Type thanks to the relativity theorem of Section 2.5, and the SRP holds at function types ( : ) → thanks to the extentEquiv theorem of Section 2.4.
Contrary to bare parametricity, the SRP can not be stated as an object-level theorem of Agda --bridges.The reason is that types of logical relations are ad hoc: there is a priori no Agda --bridges function Lrel : Type → Type acting as an internal parametricity translation, computing for each Γ its type of logical relations Lrel Γ. Indeed parametricity translations are defined by induction on the syntax, so using a type-casing operation.But having a first-class type-casing operator on types would contradict the internal parametricity of Agda --bridges!This means that the quantification (*) must be stated metatheoretically.
Since the SRP can not be obtained as a theorem, we package it as a definition on types (or type families).For reasons explained hereafter, types that satisfy the SRP are called relativistic reflexive graphs (RRG).Moreover type families : Γ → Type satisfying the SRP are called displayed relativistic reflexive graphs (dRRG).In what follows RRGs and dRRGs are defined in plain English.The corresponding formal Agda --bridges definitions of these structures are provided in Fig. 3.
By exact analogy with the SRP, the structure identity principle (SIP; see Section 6.3 for references) is a metatheoretical statement asking that, for each type Γ (resp.: Γ → ) the ≡ type of Γ (c.f.bridge type; resp.PathP type of ) can be characterized as a type of isomorphisms (c.f.logical relations).That is to say, the SIP conveys the idea that paths act as isomorphisms at all types.For instance the SIP holds at Type and at function types ( : ) → thanks to the univalence and funextEquiv theorems of Section 2.1.3.Types satisfying the SIP are most commonly known as univalent groupoids, or setoids in the literature (c.f.relativistic reflexive graphs).

Examples of RRGs and dRRGs. We give two examples of RRGs and one example of dRRG.
The upshot is that each (dependent) relational extensionality principle that we can prove (see Section 2.6) for a potentially composite type, can be repackaged as a (d)RRG.
First, we define the composite type of premonoids PreMon = Σ[ ∈ Type ] × ( → → ).This type can be turned into an RRG.Indeed we can pick Γ = PreMon and define PreMon{ 0 , 1 } as the type of (actual) logical relations of premonoids between 0 , 1 .A logical relation of premonoids is a relation between 0 , 1 with a proof that the neutral elements of 0 , 1 are related, and a proof that the binary functions are pointwise related.By combining the principles for Σ, ×, Type, → appearing in Section 2.6, one can prove that the type PreMon{ 0 , 1 } is equivalent to Bridge PreMon 0 1 which makes Γ = PreMon an RRG.Second, the type Bool → Bool can be turned into an RRG.We can indeed pick (Bool → Bool){ 0 , 1 } = (∀ 0 1 → 0 0 ≡ Bool 1 1 ) and use the appropriate relational extensionality principles, including the one for Bool mentioned in (2.6) to build the expected equivalence.Our third example regards the List type former.Recall that the triple (Type, 0 1 → 0 → 1 → Type, relativity) turns Type into a RRG.We assert that the type family → List is a displayed RRG over the Type RRG, i.e., ( : Type) ⊨ List dRRG.The reason is that we can pick ( → List ){ 0 , 1 } = ListRel 0 1 , the inductive characterization of BridgeP .List( ) discussed in Section 2.6.
3.1.4SRP + Bare Parametricity.Next, we illustrate how the SRP and bare parametricity can be used to improve proofs of internal free theorems.The main idea is that since (1) bare parametricity tells us that programs act on bridges and (2) the SRP guarantees that bridges uniquely correspond to logical relations, we expect that (3) programs act on logical relations as well.And all free theorems are consequences of the latter fact.We derive the global free theorem (4) of Section 1 in Agda --bridges, or rather a slightly reduced version of it for sparing space.
hm : The first step of our proof is to derive the SRP for the domain and codomain of .In other words we must (1) equip Type with an RRG structure (we chose the one induced by relativity) and ( 2) equip the type family .List → List with a dRRG structure over the Type RRG.This amounts to proving the following characterization of the BridgeP type of .List → List where 0 , 1 : Type, , and : List → List for = 0, 1.The proof uses the relational extensionality principles extentEquiv, ListvsBridgeP and the one for Gel (see Section 2.5.1, 2.6) as well as the fact that all type formers preserve equivalences.In the spirit of parametricity translations, an appropriate relational extensionality principle is used based on the head of the type former appearing in the BridgeP type at hand.
The second step of our proof is to "conjugate" bare-param with the SRP proof obligations we produced for Type and .List → List .Let 0 , 1 , , 0 , be as in hm.We first convert the graph relation of denoted Gr = 0 1 → 0 ≡ 1 1 into a bridge denoted : Bridge Type 0 1 , using relativity.Then we apply bare parametricity to .

bare-param
Finally we use the above dependent principle for .List → List and obtain a proof pf : ∀ 0 1 → (ListRel (Gr ) 0 1 ) → (ListRel (Gr ) ( 0 0 ) ( 1 1 )).By a simple list induction we see that ListRel (Gr ) is equal to the relation 0 1 → (map ) 0 ≡ 1 .Thus pf 0 (map 0 ) refl grants the free theorem hm.The technique of factoring free theorems into SRP proof obligations and a call to bare-param is an improvement compared to low-level parametricity proofs like the one presented in Section 2.7.The proofs are conceptually easier.Moreover they allow for more compositionality.Indeed, contrary to Section 2.7 we are now in position to reuse the SRP proof obligations obtained for Type and .List → List to derive (1) other free theorems for programs : ( : Type) → List → List and even (2) shorter proofs of free theorems for a composite type having List − → List − as a subexpression.However it turns out that proving SRP obligations "by hand" like in the above is challenging, in fact strictly more challenging than SIP obligations, as explained in the next subsection.

Obstructions to the SRP and SIP
In this subsection we argue that proving the SIP, or worse, the SRP at a given type can get tedious.We begin with an example of SIP and SRP proofs for the type of pointed unary type operations PointedOp = Σ[ ∈ Type → Type ] (( : Type) → → ).
Example 3.3 (The SIP via extensionality principles).By repeatedly applying extensionality principles (see Section 2.1.3)we can characterize the meaning of a path between such pointed operations: We conclude that a path between pointed operations ( 0 , 0 ) and ( 1 , 1 ) consists of a pointwise equivalence between 0 and 1 , compatible with the pointings 0 and 1 .
We conclude that a bridge between pointed operations ( 0 , 0 ) and ( 1 , 1 ) consists of a relation transformer between them such that the pointings 0 and 1 send related pairs to related pairs.
The examples above required rote work: we had to apply a series of extensionality principles which was entirely dictated by the formation of PointedOp.Hence, it is clear that proofs of the SIP and SRP at a type scale at least with the complexity of : for each type former used to define , an appropriate extensionality principle must be used to swap PathP/BridgeP and .
Moreover we argue that proving the SRP is in general strictly harder than proving the SIP, because of three obstructions which we list here.
The first obstruction is that the extentEquiv principle of Section 2.4 always produces an extra Bridge type when characterizing the type of bridges between two given functions.Both generated Bridge types must be further characterized to finish the SRP proof at hand.This is to compare with the funextEquiv principle of Section 2.1.3which (if not in the fully dependent case) does not produce an extra PathP type.
The second and third obstructions relate to the fact that, in the SIP case, some tools are available to dismiss part of the rote work seen above.A first such tool is a theorem (see Rijke [2022] e.g.) that can be seen as a reformulation in cubical type theory of the rule of equality types.Recall that a type is contractible (isContr ) if it is equivalent to the unit type { * }.
This theorem might allow us to shortcut proofs as in Example 3.3, especially in the case of ordinary data types, by simply proving that the end result satisfies the above criteria.However, since bridges have no elimination principles like , the theorem does not to our knowledge translate to the relational setting.
Similarly, the third obstruction is the lack of the following result, standard in HoTT but only available in case of the SIP.Recall that a type is an h-proposition if any two inhabitants of are equal, i.e., isProp = ∀ 0 1 → 0 ≡ 1 .For instance the empty and unit types are h-propositions.The theorem guarantees the existence and unicity of heterogeneous paths between proofs of h-propositions.
Theorem 3.6 (Heterogenous eqality of proofs).Let : I → Type be a line of h-propositions, i.e., there is a map isp : ( : I) → isProp ( ).Suppose that 0 : i0 and that 1 : i1.Then isContr (PathP .0 1 ) 5 .Typically, this theorem is used while proving the SIP for structured types of the form Σ[ ∈ ] ( ) where for all , is an h-proposition.For instance this is the reason why two equivalences 0 , 1 : 0 ≃ 1 are equal if and only if their underlying functions are equal 0 ≡ 1 ≃ ( 0 .fst≡ 0 .fst).This is to compare with the relational extensionality principle for equivalences evoked in Section 2.5.2 which has the hardest proof amongst basic relational principles.
Because of these obstructions to SRP proofs, we have developed a domain-specific language (DSL) to obtain proofs of the SRP at a given type by merely writing the type in the DSL.Our DSL is explained in the next subsection.

ROTT
The second improvement we make compared to low-level proofs of free theorems is the introduction of relational observational type theory (ROTT): a domain-specific language (DSL) implemented as a library in Agda --bridges.It allows users to (1) show the SRP at a type by merely writing their type in the DSL and (2) derive free theorems for in a straightforward manner.
Since ROTT has abstractions that compose dependent types satisfying the SRP (i.e.dRRGs from Definition 3.2), it is itself a dependent type theory.To be more precise, ROTT is a type theory shallowly embedded in Agda --bridges.This means that ROTT is not defined as some kind of data type of expressions whose constructors would be inference rules used to write types .Instead, ROTT is an Agda --bridges library (part of our accompanying library) comprised of a bunch of theorems called "semantic rules" explaining how to compose dRRGs.These Agda --bridges theorems are discussed in Section 3.3.1.As an example, we program in Fig. 3 the →fm semantic rule of ROTT directly in Agda --bridges.
Internal and Observational Parametricity for Cubical Agda 8:21 . Some rules of ROTT.Some premises are not displayed.

The Standard Rules of ROTT.
The key idea behind ROTT is to remark that RRGs Γ act as if they were contexts of a certain type theory, and displayed RRGs over Γ act as if they were types of a type theory.In other words it seems like the type of all RRGs RRGraph somehow constitutes a model of type theory.For the expert reader this can be summarized as the fact that ROTT is a raw category-with-families (CwF) structure (with support for various type formers) on the category formed by relativistic reflexive graphs and their morphisms6 .Here "raw" means that no equations between the CwF operations are required.There is no need to define what a (raw) CwF is since we only deal with one instance here and since in practice our proofs of the SRP sometimes combine manual reasoning with using the ROTT interface.
ROTT features standard (shallowly embedded!)type theoretic rules to combine RRGs and dRRGs, treating them as type-theoretic contexts and types in contexts, respectively.Some of those rules appear in Fig. 4 using traditional type-theoretic syntax.Recall that our notation for displayed RRGs over Γ is Γ ⊨ dRRG.Each of those rules is an Agda --bridges program parametrized by the premises appearing in the rule.For example, the →fm rule of ROTT (a restricted version of Πfm) is programmed directly in Agda --bridges in Fig. 3.
Let us explain how some of those rules are defined in Agda --bridges.The important idea here is that those rules compose the relational extensionality principles of their premises to yield composite types satisfying the SRP.This means that from the point of view of the user of ROTT, the SRP is proved by the system while types are being written with those rules.As can be expected, given Γ a RRG and a displayed RRG over it, the context extension Γ # is a RRG whose carrier is simply Σ[ ∈ Γ ] .Its type of logical relations (Γ # ){( 0 , 0 ), ( 1 , 1 )} is moreover defined as Σ[ ∈ Γ{ 0 , 1 }] { 0 , 1 } .The fact that this type matches the corresponding bridge type Bridge Γ # ( 0 , 0 ) ( 1 , 1 ), can easily be deduced from the same fact for Γ and .Regarding fm and Σfm, and supposing that Γ is empty, fm and Σfm are RRGs7 with carriers ( : ) → and Σ[ ∈ ] ( ).In particular (( : ) → ){ 0 , 1 } is defined as the type ∀ 0 1 ( : { 0 , 1 }) → { 0 0 , 1 1 } and this type can again be proven to match the corresponding Bridge type by composing the relativistic equivalences of and .The Tyfm rule equips Type with a dRRG structure in the expected way.For an empty Γ, the rule sets Type{ 0 , 1 } = 0 → 1 → Type and uses relativity.Finally ROTT also features a term judgment written Γ ⊨ : needed because arbitrary dependent types might mention terms in their definition.We do not state the definition of this judgment and merely indicate that Γ ⊨ : holds if : ( : Γ) → features a custom action on logical relations : Γ{ 0 , 1 } which matches it canonical action on Bridge Γ 0 1 , i.e., bare-param 0 1 .

Internal Observational
Parametricity.We state the param semantic rule of ROTT.Once again we do so as if it was a syntactic type-theoretic rule even though param really is an Agda --bridges program parametrized by the premises appearing in the rule.The theorem states that, given an Similarly, we can reprove the lowChurchBool theorem of Section 2.7.The call to param-prf and the CH-inverse-cond module appearing in Fig. 2 are replaced by the following call to the param theorem and definition of an appropriate dRRG using ROTT:

Church Encodings
Using ROTT and param we were able to prove a scheme of Church encodings for data types obtained out of a strictly positive functor, represented as a container [Abbott et al. 2005].We first state the theorem and briefly explain its proof in Agda --bridges, and then discuss its hypotheses and significance in the more concrete case of the List type former.Assume a type of shapes : Type and a type family of positions : → Type.Assume that : Type is bridge-discrete, i.e. has an equivalence : ( 0 ≡ 1 ) ≃ Bridge 0 1 .Assume that : → Type is dependently bridge-discrete, that is, for every 0 , 1 , ( : 0 ≡ 1 ), ( : Bridge 0 1 ) such that [ ] and for every 0 : 0 and 1 : 1 , there exists an equivalence : PathP .Note here that the data type declaration is accepted by Agda since is a container functor and its input occurs strictly positively8 .We assert that the following equivalence holds F ≃ ( : Type) → ( → ) → .The proof follows a standard pattern.Recall that F has an elimination principle Frec : ∀ → ( → ) → F → .Going from left to right we can define a map toCh using the latter principle.Going from right to left we can define a map → F fold.Proving the first inverse condition is done by induction.The other condition requires parametricity and reads as follows (using funExt whenever needed): This of course looks like a global free theorem in the sense of (4).We wish to obtain this equality by applying param at program and at the (logical) relation given by the graph of the function Frec : F → .We denote this graph as Gr( Frec ) : F → → Type.To that end we must supply a RRG structure for the domain of and a dRRG structure for its codomain.For its domain we use Tyfm as above.For its codomain we must show : Type ⊨ ( → ) → dRRG.Applying the fm rule of ROTT and other structural rules not displayed in Fig. 4 the goal is reduced to : Type ⊨ dRRG.Recalling that = Σ[ ∈ ] → we can apply the Σfm and fm rules of ROTT thereby reducing the goal to providing a RRG structure for and providing : ⊨ dRRG.We can repackage our bridge-discreteness hypotheses , as such structures.At this stage all premises of param have been supplied and so we expect to obtain from param something of type ( .(→ ) → ){ F, } Gr( Frec ) .Again, contrary to its BridgeP counterpart, the latter type computes to the appropriate relational parametricity statement, i.e.: param ... F (Gr( Frec )) : By setting 0 = fold, 1 = and providing an easy proof of their logical relatedness we get Frec ( F fold) ≡ and this proves the theorem.Up to some reordering lemmas, we can obtain a Church encoding for the List data type as an instance of the above scheme of Church encodings: List ≃ ( : Type) → → ( → → ) → .To do this the and parameters of the scheme are set to = 1 + and (inl ) = ⊥, (inr ) = Unit.For this simpler List Church encoding, our bridge-discreteness hypotheses about and translate into the fact that must be bridge-discrete for the encoding to hold.The reason is that, if is not bridge-discrete, additional programs using their type variable non-parametrically will exist in the encoding.For instance Type is not bridge-discrete as its bridges are relations between types.Accordingly the encoding for List with = Type does not hold, essentially because some polymorphic programs can use their type variable non parametrically: . : ( : Type) → → (Type → → ) → .Similar considerations appear in [Nuyts and Devriese 2018].

System F
We can prove Reynolds's abstraction theorem [Reynolds 1983] for predicative System F [Leivant 1991] using ROTT and param.Indeed predicative System F is a subset of ROTT and the param theorem for dRRGs in that subset exactly expresses the abstraction theorem.
Corollary 4.1.By analogy to Section 3.3.2,we have the following "inference rule", which states that, given a kinding context Γ of predicative System F (consisting of type variables labeled with levels) and a type of predicative System F over this context, all external dependent functions (i.e.all functions definable in Agda --bridges) from ⟦ Γ⟧ to ⟦ ⟧ respect logical relations, where ⟦−⟧ is an object-level translation from System F contexts (resp.types) to RRGs (resp.dRRGs).
We emphasize that this result proves parametricity of the obvious embedding ⟦−⟧ of predicative System F into Agda --bridges, which is definable in Agda --bridges.That is, ⟦−⟧ is defined the expected way.For instance, the System F type : * 0 ⊢ → type-F interprets as the dRRG Type 0 ⊨ → dRRG which has .→ as its carrier.In other words, the dRRG model ⟦−⟧ is not some contrived construction, but simply a proof that all Agda --bridges types that read as System F types satisfy the SRP.
Hence we recover Reynolds's original notion of parametricity in Agda --bridges.We remark that [Nuyts et al. 2017] could not prove this result as it lacked the power of the extent rule and therefore could not properly characterize bridges between functions.Cavallo and Harper's [2021] system (which is almost identical to Agda --bridges) could prove this result equally well but the authors did not do this, and the same holds almost certainly for Bernardy et al. [2015].Thus, as far as we are aware, this establishes the first formal relation between traditional parametricity as defined by Reynolds for System F using a logical relation, and internally parametric type theory.

REIMPLEMENTING HCOMP AND TRANSP
Recall from Section 2.1 that when compared to plain dependent type theory, cubical type theories feature additional language primitives: (1) a path interval, path types, path abstraction and application, (2) Kan operations, (3) additional type formers for turning equivalences into paths in the universe, necessary to prove univalence, (4) (optionally) higher inductive types with path constructors.
The Kan operations of cubical type theory are necessary to make paths act as well-behaved proofs of equality.For instance, these operations are used to compose paths (i.e.prove transitivity of ≡) or to turn the univalence map into an equivalence.The operational semantics of these operations is somewhat peculiar as it is defined by specifying how these operations reduce at each type former, i.e., by induction on the syntax of types.Hence the process of extending cubical type theory with a new type former requires extra work: specifying how the Kan operations reduce at .
Agda --bridges is an extension of Agda --cubical which implements CCHM cubical type theory [Cohen et al. 2017].Thus, Agda --bridges must implement reduction clauses for the Kan operations of Agda --cubical at the BridgeP and Gel type formers.In Agda --cubical, the Kan operations are primitives named homogeneous composition (hcomp) and transport (transp).We now explain the transp (Section 5.1) and hcomp (Section 5.2) operations and how Agda --bridges extend these.The exact equations can be consulted in our implementation.Further details about transp, hcomp can be found in [Vezzosi et al. 2021].This section ends with a brief comparison between the Kan operations implemented by Agda --bridges and those specified by the CH theory.

Transport
The transp operation provides a way to coerce elements of a type into elements of a path-equal type.Indeed, given : 0 ≡ Type 1 we obtain transp ( . ) i0 : 0 → 1 .This map can in turn be upgraded into an equivalence and thus transp can be used to validate one direction of the univalence equivalence 0 ≡ 1 → 0 ≃ 1 .
Regarding the : I argument of transp, we merely indicate that it controls where the resulting coercion function is definitionally the identity.In other words, transp i1 0 reduces to 0 (a typechecking side condition asks that is constant when = i1)."Normal" transport is recovered by setting = i0 as illustrated above.
As explained before, the transp primitive reduces by induction on the formation of the line , that is, a clause describing how transp reduces is specified when is a line of Π-types, Σ-types, data types, record types, etc.Compared to --cubical, Agda --bridges implements two additional clauses for transp, handling lines of BridgeP and Gel types.For Gel, we indicate that the clause uses capturing (see Definition 2.2).We provide some details regarding the clause for BridgeP since it requires a generalized hcomp operation called mhcomp in Agda --bridges and explained hereafter.
Setting the result of this reduction to be the bridge ( : BI).transp ( . ) ( 0 ) does not work.Indeed the latter term does not have the required endpoints 0 i1, 1 i1 definitionally.
A second idea is to use the hcomp primitive (its type appears above) of --cubical, which is used to reduce transp along lines of path types.In general, the sole purpose of hcomp is to allow terms to be definitionally adjusted on a fragment of the type they live in.More precisely, suppose the ambient context Γ contains a number of path variables Φ = , , ... and suppose Γ ⊢ : I. Intuitively, the term Γ ⊢ hcomp { : Type} { : I} ( 0 : ) is 0 : but definitionally adjusted (using the argument, not explained here) on the fragment of Γ ⊢ where ( , , ...) = i1 (since 0 , , live in context Γ they can depend on variables in Φ).In cubical type theory, constraints like ( , , ...) = i1 are called face constraints or alternatively cofibrations and can be regarded as subsets of a cube ⊆ Φ.The language used to express face constraints is called a face or cofibration logic.The cofibration logic used by Agda --cubical is De Morgan algebra and assertions in this logic are encoded as terms : I.If Γ ⊢ , , : I, an example of face constraint is = ((~ ) ∨ ) ∧ .
In our case we would like, in a context extended with ( : BI), to definitionally adjust the term transp ( . ) ( 0 ) of type i1 when = bi0 and = bi1 (and in fact when = i1).The problem of course is that is a bridge variable, and that hcomp only allows constraints : on path variables.The mixed homogeneous composition mhcomp primitive of Agda --bridges generalizes hcomp w.r.t.bridge variables and can be used in place of hcomp to specify the result of transporting along a line of bridges.

Mixed Homogeneous Composition
The mhcomp primitive of Agda --bridges has a type different than that of hcomp.mhcomp : ∀ {A : Type} { : MCstr} (u : (i : I) → MPartial A) (u 0 : A) → A This time 0 and its type can have free path variables Φ = ( , , ...) but also free bridge variables Ψ = ( , , ...) and 0 ought to be definitionally adjusted on a subset of the mixed cube Φ × Ψ.For this reason mhcomp expects face constraints expressed in an extended cofibration logic called MCstr.Concretely, the latter is a type postulated by Agda --bridges and equipped with primitives for combining atomic mixed face constraints.Instead of precisely explaining these primitives we provide a formula MCstr(Φ, Ψ) expressing what mixed constraints can be built in a context containing Φ and Ψ as above.First, define I(Φ) = { | Φ ⊢ : I}.Second, define the set of bridge hyperfaces of Ψ as (Ψ) = Ψ × {bi0, bi1}.We define BCstr(Ψ) = ( ,bi ) ∈ ′ ( = bi ) ′ ⊆ ∪ {⊤}, i.e., bridge face constraints obtainable in Ψ are disjunctions of bridge hyperfaces (this includes an empty disjunction ⊥), or a vacuous constraint denoted ⊤.Finally we set The quotient is taken to turn the map ↦ → ( , ⊥) into an embedding of logics: a --cubical constraint : I holds if and only if its image ( , ⊥) : MCstr is a mixed constraint that holds.This condition is required to ensure that a term typechecks in Agda --cubical if and only if it typechecks in Agda --bridges.An example of mixed constrainted : MCstr is := ( , ( = bi0)∨( = bi1)) which appears when transporting bridges, as hinted above.transp ( .BridgeP . ( Similar to transp, the operational semantics of mhcomp is defined by induction on the syntax of its : Type argument.Concretely, Agda --bridges duplicates the hcomp equations for Glue, hcomp, PathP, Σ, Π, record and (non-indexed, non-HIT) data types, but propagating a mixed constraint this time.Additionally, it implements reductions at BridgeP and Gel types.The latter clause uses capturing.Following --cubical, if is a HIT, an inhabitant mhcomp { } { } 0 : is considered normal and functions defined by pattern matching on compute on it if = ( , ⊥) for some .
Comparison with the CH Theory.While the theory of Agda --bridges extends CCHM cubical type theory, the CH theory is an extension of cartesian cubical type theory [Angiuli et al. 2021a[Angiuli et al. , 2018] ] (CCTT).This distinction leads to Kan operations formulated differently in each system.First, in order to validate univalence, CCTT postulates V-types whereas CCHM postulates Glue types.Hence transp and mhcomp both have a reduction clause for Glue types instead of V-types.Second, the composition Kan operation of CCTT uses a simple cofibration logic with a constructor for diagonal constraints ( = : I).By contrast, CCHM uses a De Morgan cofibration logic which Agda --bridges had to extend (see MCstr above).To pinpoint a sound definition for MCstr we inspected the presheaf model psh(□ DM × □ a ) where □ DM (resp.□ a ) is the category of De Morgan cubes (see CCHM; resp.affine cubes, see CH).The above formula for MCstr(Φ, Ψ) can be regarded as the definition of such a presheaf.Finally some equations for the Kan operations use capturing, handled differently in Agda --bridges and CH: sound capturing is performed through context restriction in the CH theory (see Section 2.2) and through semi-freshness in Agda --bridges (see Section 2.4).
6 RELATED WORK 6.1 Relational Parametricity in and of Type Theory In order to discuss and classify related work about parametricity in and of type theory, we analyze the general statement of parametricity.We assume that we are studying an object language which embeds or can be interpreted in a target language where free theorems [Wadler 1989] will be stated.
Parametricity: For every ( ) type in , there exists a logical relation [ ] in , such that every ( ) program : in is self-related according to [ ] in .
Note that the general statement of parametricity contains two universal quantifications, which we have labeled with names and for the (meta)theories where these quantifications take place.We will classify related work on parametricity by its choice of languages/theories , , and .Note that if = = , then we have global free theorems in and can prove in e.g. that Church encodings in behave as the data type they encode.By contrast if is a metatheory, then we only have free theorems for concretely known programs and the framework is merely a parametricity translation of such programs.These situations are often referred to as internal vs. external parametricity.In any provenly sound framework for internal parametricity hitherto developed that we are aware of, is a metatheory (at least if you want [ ] to be a concrete relation and not a bridge type whose meaning needs to be characterized separately), implying that the SRP (Section 3.1.2) is a metatheorem.
Languages with internal parametricity typically feature non-standard parametricity primitives which call for a denotational model to establish soundness.In this case, when relevant, we specify how (closed) types in are modelled, and the metatheory ℳ in which the model is built.In the case of external parametricity, we rather specify how is interpreted in the metatheory .
The resulting classification is given in Table 1 (Ab denotes Agda --bridges).The first block lists treatments of System F. Reynolds's original model is in set theory, but was later shown not to support impredicativity [Reynolds 1984].Subsequent treatments use a logic over System F and prove parametricity results about concrete programs of concrete types.Atkey explains how Reynolds's model can be restructured as a reflexive graph model and then generalizes to System F .The third block lists treatments of external parametricity for dependent types.The first three papers prove parametricity results again in dependent type systems, but only for concrete programs of concrete types.The latter two use denotational models.Tabareau et al.'s approach is peculiar in that it defines the logical relation on the universe as the type of relations that are the graph of an equivalence, thus establishing a framework not for relational but for univalent parametricity.[Nuyts et al. 2017, fig. 9].Here, is (faintly) highlighted when (possibly) = ; is highlighted if = = ; and is highlighted if = .
Citation Obj.lang.Target lang.ℳ model in or (italic) ℳ [Reynolds 1983] System F Meta: Set theory Sets with relations [Abadi et al. 1993] System F System ℛ Meta Meta Meta PERs [Bellucci et al. 1995] [Plotkin andAbadi 1993] System F System F + logic Meta Meta [Wadler 2007] System F System F + logic Meta Meta [Atkey 2012] System F Meta: Impred.CIC Reflexive graphs [Takeuti 2001] ∈ -cube +∀+Π ∈ -cube Meta Meta [Bernardy et al. 2012] Any PTS Suitable PTS Meta Meta [Tabareau et al. 2021 be very close to that of the concurrent work by Altenkirch et al. [2024], who present an internally parametric type theory which avoids the use of an interval and validates the SRP definitionally.

Parametricity and Univalence
While relational parametricity requires functions to respect relations, HoTT asks that they respect equivalences.Of course, equivalences are a form of relations, so one idea is akin to the other.We already mentioned Tabareau et al.'s [2021] work in the previous section.A reformulation of their work using our techniques would effectively lead to a shallow embedding of observational setoid [Pujet and Tabareau 2022] or homotopy [Altenkirch et al. 2022] type theory in a CwF of univalent setoids or groupoids.Awodey et al. [2018] define Church-like encodings of ordinary but also higher inductive types in (homotopy) type theory.Since the correctness of the Church encoding relies on preservation not only of equivalences but of all relations, they cannot be proven correct in plain type theory or HoTT.Instead, the authors enforce relational parametricity simply by adding it as a "such that" clause to the encoding.

The Structure Identity Principle (SIP)
We discuss appearances of the SIP in the literature and compare these to our discussion in Section 3. The HoTT book does not actually feature the full SIP and two other treatments rely on a DSL.
Standard notions of structure on univalent categories.The HoTT book [Program 2013] defines a notion of structure on a category C essentially as a displayed category D • over C such that the projection functor : ΣCD • → C from the total space is faithful, implying that the fiber of any object of C (and its identity morphism) is a preorder.A notion of structure is standard if this preorder is always a partial order, which is defined as a univalent preorder.The theorem called SIP then states that if C is univalent and D • is standard, then the total space ΣCD • is univalent.Relevant examples are group structures over h-sets, setoid structures over h-sets, monad structures over endofunctors, functor structures over indexed objects, . . .Fundamentally, the proof of this theorem does two things: It applies the extensionality principle for Σ-types to characterize a path between objects in ΣCD • , and it uses path induction to deduce "displayed" univalence from standardness (which meant fiberwise univalence).Importantly, if D • is quite complex, it is still up to the user to prove fiberwise univalence there, which still requires either rote work or the usage of a DSL for standard notions of structure.As such, we see this SIP as only a fragment of the fully general SIP.
A DSL for univalent structures on Type.Angiuli et al. [2021b] are concerned with proving the SIP (in our most general sense) for types of the form = Σ[ : Type ] Σ[ : ] , where is a mere proposition (h-prop).The idea is that a tuple ( , , ) is an algebra-like object with carrier and operations satisfying the axioms .Their paper features a theorem titled SIP which amounts to the characterization of paths in a type of the form Σ[ : Type ] . Since paths in a mere proposition can be characterized as informationless (Theorem 3.6), only the SIP for the operations type remains to be dealt with.A DSL -essentially the type language of the STLC with base type (the carrier) -is then provided to build structures satisfying the SIP.
A DSL for univalent higher categories.Ahrens et al. [2020, thm. 7.10] use FOLDS [Makkai 1995] as a DSL for building univalent higher categories.In other words, they show that a higher type satisfies the SIP if it occurs as the object type of a higher category specified by a FOLDS signature.

Table 1 .
Classification of related work about parametricity, based on