sorryaudit: Transitive Sorry Taint Detection for AI-Assisted Lean 4 Proofs

Anshuman Singh

AI proof assistants (Lean Copilot, LLMs) routinely use `sorry` as a placeholder for proof steps they cannot complete. The file compiles clean, CI passes, and the "formally verified" label gets attached. The problem is transitive: if theorem B depends on theorem A, and A uses sorry anywhere in its proof chain, B is also unsound - but Lean only warns at the point of sorry, not at every downstream dependent.

sorryaudit runs two passes on any Lean 4 codebase. First, a syntactic pass that detects sorry/admit/native_decide/Unsafe.cast by line, stripping comments and string literals to avoid false positives. Second, a semantic pass that runs Lean's own `#print axioms` command on every theorem and checks whether sorryAx appears in the transitive axiom set. Both passes merge into a per-theorem trustworthiness report with an overall project score.

Tested on lean-tcb (117 theorems, 23 files): correctly identified sorryThm (1+1=3) as the only UNSOUND theorem, with 115 trusted. On AI-generated proofs, caught a theorem with no sorry in its own body that was silently unsound due to a dependency - a case the syntactic pass alone misses entirely.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Detecting cheating is a critical challenge in model training. This work identifies cheating by syntactically flagging problematic keywords and semantically tracking dependencies to catch lemmas that rely on incomplete proofs. Although the approach incorporates a semantic pass to improve reliability, it still relies on syntactic matching. Integrating a tool like LeanREPL would enable more robust analysis of Lean code and facilitate the detection of a wider variety of cheating strategies."

sorryaudit is a working Python tool that pairs a syntactic scan for sorry, admit, native_decide, and Unsafe.cast with a semantic pass over Lean's #print axioms output, then aggregates the results into a per-theorem trust report. The artifact runs end-to-end, the repository layout is understandable, and the demo correctly surfaces the load-bearing case: a theorem that appears clean at the source level but is unsound through a transitive dependency. That is a meaningful workflow contribution.

To strengthen the work, please consider the following:

1. Tighten the novelty framing. Lean 4's #print axioms already supports auditing the axiom dependencies of declarations, including detecting dependence on sorryAx. The contribution here is automation, project-scale surfacing, and presentation — not a new soundness primitive. Revising the framing to credit the existing Lean mechanism and positioning sorryaudit explicitly as the workflow layer on top would make the claim more defensible.

2. Strengthen validation beyond a planted canary. The lean-tcb example is useful, but the deliberately unsound theorem is designed to be caught by soundness-checking workflows. A more convincing evaluation would run on mathlib4 or a comparably large real-world Lean 4 project, and on an actual corpus of AI-generated proofs, such as Lean Copilot output or LLM-generated lemmas, since AI-assisted proofs are the stated motivation.

3. Deepen the evaluation set. The current evaluation appears too small to support broad generalization claims. Adding precision and recall against a planted-fault corpus, plus false-positive rates on known-clean projects, would make the results more convincing.

4. Clarify the trust-score model. The project reports an overall project score, but the scoring policy would be stronger if the raw signals, weighting logic, and aggregation behavior were clearly documented. This would let downstream users decide whether to treat sorryAx, native_decide, unsafe constructs, and non-standard axioms as hard failures, warnings, or policy-specific risks.

5. Reconcile the headline number across artifacts. The project page and repository appear to report slightly different trusted/unsound/suspect counts for the same lean-tcb evaluation. The qualitative finding survives, but a single reproducible headline figure pinned to one command would improve reader trust.

6. Improve repository hygiene. Adding an OSI license, a small test suite covering the comment/string stripper and the #print axioms parser, and a pyproject.toml or pinned requirements file would meaningfully improve credibility and reproducibility.

Overall, this is solid hackathon work with a correct diagnosis and a usable artifact. With tighter framing, evaluation on AI-generated proofs at larger scale, clearer scoring semantics, and minimal repository hygiene improvements, the project could move meaningfully above solid hackathon quality.

Cite this work

@misc {

title={

(HckPrj) sorryaudit: Transitive Sorry Taint Detection for AI-Assisted Lean 4 Proofs

},

author={

Anshuman Singh

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.