Fitch-Style Modal Lambda Calculi

Fitch-style modal deduction, in which modalities are eliminated by opening a subordinate proof, and introduced by shutting one, was investigated in the 1990s as a basis for lambda calculi. We show that such calculi have good computational properties for a variety of intuitionistic modal logics. Semantics are given in cartesian closed categories equipped with an adjunction of endofunctors, with the necessity modality interpreted by the right adjoint. Where this functor is an idempotent comonad, a coherence result on the semantics allows us to present a calculus for intuitionistic S4 that is simpler than others in the literature. We show the calculi can be extended à la tense logic with the left adjoint of necessity, and are then complete for the categorical semantics.


Introduction
The Curry-Howard propositions-as-types isomorphism [22,37,38] provides a correspondence between natural deduction and typed lambda calculus of interest to both logicians and computer scientists. For the logician, term assignment offers a convenient notation to express and reason about syntactic properties such as proof normalisation, and, especially in the presence of dependent types, allows proofs of non-trivial mathematical theorems to be checked by computer programs. For the computer scientist, logics have been repurposed as typing disciplines to address problems in computing in sometimes surprising ways. Following Lambek [26], categories form a third leg of the isomorphism. Categorical semantics can be used to prove the consistency of a calculus, and they are crucial if we wish to prove or program in some particular mathematical setting. For example, see the use of the topos of trees as a setting for both programming with guarded recursion, and proof by Löb induction, by Clouston et al. [12].
This work involved two functors, 'later' and 'constant'. Where functors interact appropriately with finite products they correspond to necessity modalities in intuitionistic normal modal logic, usually written . Such modalities have been extensively studied by logicians, and the corresponding type-formers are widely applicable in computing, for example to monads [31], staged programming [14], propositional truncation [3], and recent work in homotopy type theory [35]. There is hence a need to develop all sides of the Curry-Howard-Lambek isomorphism for necessity modalities. Approaches to modal lambda calculi are diverse; see the survey by Kavvos [24], and remarks in the final section of this paper. This paper focuses on Fitch-style modal lambda calculi as first proposed by Borghuis [10] and (as the "two-dimensional" approach) by Martini and Masini [29].
Fitch-style modal lambda calculi adapt the proof methods of Fitch [20] in which given a formula A we may open a '(strict) subordinate proof' in which we eliminate the to get premise A. Such a subordinate proof with conclusion B can then be shut by introducing a to conclude B. Different modal logics can be encoded by tweaking the open and shut rules; for example we could shut the proof to conclude merely B, if we had the T axiom B → B. Normal modal logics are usually understood with respect to Kripke's possible worlds semantics (for the intuitionistic version, see e.g. Simpson [36, Section 3.3]). In this setting Fitch's approach is highly intuitive, as opening a subordinate proof corresponds to travelling to a generic related world, while shutting corresponds to returning to the original world. See Fitting [21, Chapter 4] for a lengthier discussion of this approach to natural deduction.
Borghuis [10] kept track of subordinate proofs in a sequent presentation by introducing a new structural connective to the context when a is eliminated, and removing it from the context when one is introduced, in a style reminiscent of the treatment of modal logic in display calculus [39], or for that matter of the standard duality between implication and comma. To the category theorist, this suggests an operation on contexts left adjoint to . This paper exploits this insight by presenting categorical semantics for Fitch-style modal calculi for the first time, answering the challenge of de Paiva and Ritter [32, Section 4], by modelling necessity modalities as right adjoints. This is logically sound and complete, yet less general than modelling modalities as monoidal functors as done for example by Bellin et al. [5]. For example, truncation in sets is monoidal but has no right adjoint. Nonetheless adjunctions are ubiquitous, and in their presence we argue that the case for Fitch-style calculi is compelling.
In Section 2 we present Borghuis's calculus for the logic Intuitionistic K, the most basic intuitionistic modal logic of necessity. To the results of confluence, subject reduction, and strong normalisation already shown by Borghuis we add canonicity and the subformula property, with the latter proof raising a subtle issue with sums not previously observed. We give categorical semantics for this style of calculus for the first time and prove soundness. In Section 3 we introduce the left adjoint as a first-class type former à la intuitionistic tense logic [18], in which the "everywhere in the future" modality is paired with "somewhere in the past". To our knowledge this is the first natural deduction calculus, let alone lambda calculus, for any notion of tense logic. It is not entirely satisfactory as it lacks the subformula property, but it does allow us to prove categorical completeness. In Section 4 we show how the basic techniques developed for Intuitionistic K extend to Intuitionistic S4, one of the most-studied intuitionistic modal logics. Instead of working with known Fitch-style calculi for this logic [33,14] we explore a new, particularly simple, calculus where the modality is idempotent, i.e. A and A are not merely logically equivalent, but isomorphic. Our semantics for this calculus rely on an unusual 'coherence' proof. In Section 5 we present a calculus corresponding to the logic Intuitionistic R. In Section 6 we conclude with a discussion of related and further work.

Intuitionistic K
This section presents results for the calculus of Borghuis [10] for the most basic modal logic for necessity, first identified to our knowledge by Božić et al. [11] as HK ; following Yokota [40] we use the name Intuitionistic K (IK). This logic extends intuitionistic logic with a new unary connective , one new axiom K: (A → B) → A → B and one new inference rule Necessitation: if A is a theorem, then so is A.

Type System
Contexts are defined by the grammar where x is a variable not in Γ , A is a formula of intuitionistic modal logic, and is called a lock. The open lock symbol is used to suggest that a box has been opened, allowing access to its contents.
Ignoring variables and terms, sequents Γ ⊢ A may be interpreted as intuitionistic modal formulae by the translation This interpretation suffices to confirm the soundness and completeness of our calculus, considered as a natural deduction calculus, with respect to IK. It is however not a satisfactory basis for a categorical semantics, because it does not interpret the context as an object. In Section 2.3 we shall see that may instead be interpreted as a left adjoint of , applied to the context to its left. Figure 1 presents the typing rules. Rules for the product constructions 1, A × B, , t, u , π 1 t, π 2 t are as usual and so are omitted, while sums are discussed at the end of Section 2.2. Note that variables can only be introduced or abstracted if they do not appear to the right of a lock. In the variable rule the context Γ ′ builds in variable exchange, while in the open rule Γ ′ builds in variable weakening. Exchange of variables with locks, and weakening for locks, are not admissible. Theorem 2.1 (Logical Soundness and Completeness). A formula is a theorem of IK if and only if it is an inhabited type in the empty context. We can for example show that the K axiom is inhabited:

Computation
We extend the usual notion of β-reduction on untyped terms with the rule We write for the reflexive transitive closure of →. This relation is plainly confluent. Two lemmas, proved by easy inductions on the derivation of the terms t, then allow us to prove subject reduction: Proof. β-reduction for → requires Lemma 2.3, and for requires Lemma 2.2.
A term t is normalisable if there exists an integer ν(t) bounding the length of any reduction sequence starting with t, and normal if ν(t) is 0. By standard techniques we prove the following theorems: Theorem 2.6 (Canonicity). If Γ is a context containing no variable assignments, Γ ⊢ t : A, and t is normal, then the main term-former of t is the introduction for the main type-former of A.
Concretely, if A is some base type then t is a value of that type.
Elimination term-formers for sums
Theorem 2.7 (Subformula Property). Given Γ ⊢ t : A with t normal, all subterms of t have as their type in the derivation tree a subtype of A, or a subtype of a type assigned in Γ .
To attain this final theorem we need to take some care with sums. It is well known that lambda calculi with sums do not enjoy the subformula property un- Finally, while we will not explore computational aspects of η-equivalence in this paper, we do note that shut open t = t obeys subject reduction in both directions (provided, in the expansion case, that t has as its main type-former).

Categorical Semantics
This section goes beyond Theorem 2.1 to establish the soundness of the type system with respect to a categorical semantics, in cartesian closed categories C equipped with an endofunctor that has a left adjoint, which we write . We interpret types as C-objects via the structure of C in the obvious way. We then interpret contexts as C-objects by We omit the brackets · · · where no confusion is possible, and usually abuse notation by omitting the left-most '1×' where the left of the context is a variable. We will also sometimes interpret contexts Γ as endofunctors, abusing notation to also write them as Γ , or merely Γ , by taking · as the identity, Γ, x : A = Γ × A, and Γ, = Γ . We interpret Γ ⊢ t : A as a C-arrow Γ ⊢ t : A : Γ → A, often abbreviated to t , or merely t, by induction on the derivation of t as follows. shut: we simply apply the isomorphism C( Γ , A) → C( Γ , A) given by the ⊣ adjunction.
We also have that η-equivalent terms have the same denotation.

Left Adjoints and Categorical Completeness
In this section we extend the calculus to include the left adjoint as a first-class type-former, and hence prove categorical completeness. The underlying logic is the fragment of intuitionistic tense logic [18] with just one pair of modalities, studied by Dzik et al. [16] as 'intuitionistic logic with a Galois connection'; we use the name IK . We have two new axioms η m : A → A ε m : A → A We use the superscript m to identify these as the unit and counit of the modal adjunction ⊣ , to differentiate them from other (co)units used elsewhere in the paper. We have one new inference rule Monotonicity: if A → B is a theorem, then so is A → B.

Type System and Computation
We extend the type system for IK of Figure 1 with the new rules for presented in Figure 3. , unlike , need not commute with products, so does not interact well with contexts. This explains why the subterms in the let dia rule may not share their context. We can construct the axioms of IK : A ⊢ let dia y be x in open y : A and given a closed term f : A → B we have the monotonicity construction To this we add the new β rule We can hence extend the syntactic results of the previous section to the logic IK , with the exception of the subformula property. Consider the term This term is normal but evidently fails the subformula property. One might expect, as with sums, that a commuting conversion would save the day by reducing the term to let dia y be x in ((λz.dia y)x), but this term sees the free variable x appear in the second subterm of a let dia expression, which is not permitted.
We now turn to η-equivalence, and an equivalence which we call associativity: For example, under associativity the counter-example to the subformula property equals (λz.let dia y be x in dia y)x, which reduces to let dia y be x in dia y, which is η-equal to x. The equivalences enjoy subject reduction in both directions (requiring, as usual, that t has the right type for η-expansion).

Categorical Semantics
We interpret the new term-formers in the same categories as used in Section 2.3. For dia, given t : Γ → A we compose t with the projection Γ, , Γ ′ → Γ. The denotation of let dia x be t in u is simply u • t. We may then confirm the soundness of β-reduction, η-equivalence, and associativity; we call these equivalences collectively definitional equivalence.
We extend standard techniques for proving completeness [26], constructing a term model, a category with types as objects and, as arrows A → B, terms of form x : A ⊢ t : B modulo definitional equivalence. This is a category by taking identity as the term x and composition u • t as u[t/x]. It is a cartesian closed category using the type- and term-formers for products and function spaces.
The modalities and act on types; they also act on terms by, for , the monotonicity construction, and for , mapping x : One can check these constructions are functorial, and that the terms for η m and ε m are natural and obey the triangle equalities for the adjunction ⊣ .
Given a context Γ we define the context term Γ ⊢ c Γ : Γ by Theorem 3.2 (Categorical Completeness). If Γ ⊢ t : A and Γ ⊢ u : A are equal in all models then they are definitionally equal.
Proof. t and u have equal denotations in the term model, so their denotations are definitionally equal. Definitional equality is preserved by substitution, so

Intuitionistic S4 for Idempotent Comonads
Intuitionistic S4 (IS4) is the extension of IK with the axioms T: A → A 4: A → A To the category theorist IS4 naturally suggests the notion of a comonad. IS4 is one of the most studied and widely applied intuitionistic modal logics; in particular there exist two Fitch-style calculi [33,14]. Instead of presenting one of these systems and developing categorical results, as we did with Borghuis's calculus for IK, we here show that a simpler calculus is possible if we restrict to idempotent comonads, where A and A are isomorphic. This restriction picks out an important class of examples; see, for example, the discussion of Rijke et al.

Type System and Computation
A calculus for IS4 is obtained by replacing the open rule of Figure 1 by The T and 4 axioms are obtained by This confirms logical completeness; one can also easily check soundness. Subject reduction for the β-reduction open shut t → t requires a new lemma, proved by an easy induction on t: The key syntactic theorems 2.5, 2.6, and 2.7 then follow easily. η-expansion obeys subject reduction as before, but it is not the case, for example, that the term presented above for the 4 axiom reduces to shut x. We may however accept a notion of η-reduction on typed terms-in-context: This equivalence is more powerful than it might appear; it allows us to derive the idempotence of , as the 4 axiom is mutually inverse with the instance
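As an added illustration (not code from the paper), the following Python type checker implements the typing rules described in Section 2.1 for IK (contexts as sequences of variable assignments and lock markers; variables may not be read from behind a lock; shut adds a lock; open removes the last lock together with a lock-free weakening Γ′) and, behind a flag, the open rule of this section for IS4, which we assume here permits any weakening Γ′, locks included. The function and constant names (check, LOCK, K_TERM, T_TERM, FOUR_TERM) are our own; the script checks the K axiom inhabitant of Section 2.1 in both systems and shows that the T and 4 axiom terms are typable only under the IS4 rule.

```python
# Added example (not the paper's code): a type checker for the Fitch-style
# IK calculus of Section 2, with a switch for the Section 4 (IS4) open rule.
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Base:               # base type such as A
    name: str

@dataclass(frozen=True)
class Arrow:              # function type A -> B
    dom: "Type"
    cod: "Type"

@dataclass(frozen=True)
class Box:                # the necessity modality, box A
    body: "Type"

Type = Union[Base, Arrow, Box]

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:                # lambda x : A . body, Church-style
    var: str
    ty: Type
    body: "Term"

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Shut:               # box introduction: shuts a subordinate proof
    body: "Term"

@dataclass(frozen=True)
class Open:               # box elimination: opens a subordinate proof
    body: "Term"

Term = Union[Var, Lam, App, Shut, Open]
LOCK = "LOCK"             # context entry marking an opened box; others are (name, type)

def check(ctx: tuple, t: Term, is4: bool = False) -> Optional[Type]:
    """Return the type of t in context ctx, or None if no derivation exists."""
    if isinstance(t, Var):
        # Variable rule: Gamma, x:A, Gamma' |- x : A with no lock in Gamma'.
        # Scanning from the right, a lock met before x means x is behind it.
        for entry in reversed(ctx):
            if entry == LOCK:
                return None
            if entry[0] == t.name:
                return entry[1]
        return None
    if isinstance(t, Lam):
        # Abstraction adds x on the right, so x is never behind a lock.
        body = check(ctx + ((t.var, t.ty),), t.body, is4)
        return None if body is None else Arrow(t.ty, body)
    if isinstance(t, App):
        f, a = check(ctx, t.fun, is4), check(ctx, t.arg, is4)
        return f.cod if isinstance(f, Arrow) and a is not None and f.dom == a else None
    if isinstance(t, Shut):
        # shut: Gamma, LOCK |- t : A  gives  Gamma |- shut t : box A
        body = check(ctx + (LOCK,), t.body, is4)
        return None if body is None else Box(body)
    if isinstance(t, Open):
        if is4:
            # IS4 open (Section 4, as assumed here): Gamma |- t : box A gives
            # Gamma, Gamma' |- open t : A for any Gamma', so any prefix may serve as Gamma.
            candidates = [ctx[:n] for n in range(len(ctx), -1, -1)]
        else:
            # IK open (Section 2): Gamma, LOCK, Gamma' |- open t : A from Gamma |- t : box A
            # with Gamma' lock-free, so Gamma is everything before the last lock.
            n = len(ctx)
            while n > 0 and ctx[n - 1] != LOCK:
                n -= 1
            candidates = [ctx[:n - 1]] if n > 0 else []
        for gamma in candidates:
            ty = check(gamma, t.body, is4)
            if isinstance(ty, Box):
                return ty.body
        return None
    return None

A, B = Base("A"), Base("B")
# The K axiom inhabitant of Section 2.1:  lambda f. lambda x. shut ((open f) (open x))
K_TERM = Lam("f", Box(Arrow(A, B)), Lam("x", Box(A),
             Shut(App(Open(Var("f")), Open(Var("x"))))))
T_TERM = Lam("x", Box(A), Open(Var("x")))                  # box A -> A
FOUR_TERM = Lam("x", Box(A), Shut(Shut(Open(Var("x")))))   # box A -> box box A

if __name__ == "__main__":
    for name, term in [("K", K_TERM), ("T", T_TERM), ("4", FOUR_TERM)]:
        print(name, "IK:", check((), term), "IS4:", check((), term, is4=True))
```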

Categorical Semantics
We give semantics to our type theory in a cartesian closed category with an adjunction of endofunctors ⊣ in which is a comonad. Equivalently [17, Section 3], is a monad, equipped with a unit η and multiplication µ. To confirm the coherence of these semantics, discussed in the next subsection, and the soundness of η-equivalence we further require that is idempotent, or equivalently that all µ A : A → A are isomorphisms with inverses η A = η A . To define the semantics we define lock replacement natural transformations l Γ : Γ → , corresponding to Lemma 4.1, by induction on Γ : Note that l is the identity by the monad laws.
We may now define the interpretation of open: given t : Γ → A we apply the adjunction to get an arrow Γ → A, then compose with l Γ ′ : Γ, Γ ′ → Γ, .
Lemma 4.2. If we replace part of a context with a lock, then replace part of the new context that includes the new lock, we could have done this in one step: Proof. By induction on Γ 4 , with the base case following by induction on Γ 3 .
Proof. By induction on the derivation of t. We present only the cases for types. shut: By induction Γ, , Γ ′′ , where the natural η m is the unit of the modal adjunction ⊣ . open: Where the lock in question is part of the context introduced by the weakening we use Lemma 4.2. Where it was part of the original context we use induction and the naturality of lock replacement. Now open shut t, where the open has weakening Γ ′ , has denotation ε m • t • η m • l Γ ′ , which is t • l Γ ′ by the naturality of ε m , and the adjunction. This is what is required by Lemma 4.3, so β-reduction for is soundly modelled.

Coherence
Because the open rule involves a weakening, and does not explicitly record in the term what that weakening is, the same typed term-in-context can be the root of multiple derivation trees, for example: The categorical semantics of the previous section is defined by induction on derivations, and so does not truly give semantics to terms unless any two trees with the same root must have the same denotation. In this section we show that this property, here called coherence, indeed holds. We make crucial use of the idempotence of the comonad . We first observe that if Γ, Γ ′ , Γ ′′ ⊢ t : A and all variables of Γ ′ are not free in t, then Γ, Γ ′′ ⊢ t : A. The following lemma, proved by easy inductions, describes how the denotations of these derivations are related: The technical lemma below is the only place where idempotence is used.
where t on the bottom line is the original arrow with Γ ′ strengthened away.
Proof. By induction on Γ ′ . The base case holds by the naturality of η.
We present only the lock case: η • t = t • η by the naturality of η. But by idempotence η : Γ, Γ ′ , → Γ, Γ ′ , , equals η. Then by Lemma 4.4 t • η is Γ, Γ ′ ⊢ t : A , i.e. we have strengthened the lock away and can hence use our induction hypothesis, making the top trapezium commute in: The left triangle commutes by definition, the bottom trapezium commutes by the naturality of µ, and the right triangle commutes by the monad laws.
Theorem 4.8 (Coherence). Given two different derivation trees of a term, their denotations are equal.
Proof. By induction on the number of nodes in the trees. The base case with one node is trivial. Suppose we have n + 1 nodes. Then the induction hypothesis immediately completes the proof unless the nodes above the roots are non-equal. Then the final construction must be an instance of open, i.e. we have Clearly any variables in Γ ′ are not free in t, so we can use Lemma 4.4 on the top line of the right hand tree to derive Γ ⊢ t : A. By induction hypothesis this has the same denotation as the top line of the left hand tree. But Lemma 4.7 tells us that applying this strengthening and then opening with Γ ′ , Γ ′′ is the same as opening with Γ ′′ only.
We can now demonstrate the soundness of η-equivalence: given Γ ⊢ t : A and Γ ⊢ shut open t : A by any derivations, we can by coherence safely assume that open used one lock only as its weakening, and so the arrows are equal by the ⊣ adjunction.

Left Adjoints and Categorical Completeness
Following Section 3 we can add to the type theory; we need only modify the dia rule to to retain Lemma 4.1. The results of the previous sections, apart once more from the subformula property, still hold, where we define the denotation of Γ, Γ ′ ⊢ dia t as t composed with l Γ ′ . In particular, we must confirm that Lemma 3.1 extends to the new definitions of open and dia, for which we need the lemma below: Lemma 4.9. Given the term x : Γ, Γ ′ ⊢ l Γ ′ : Γ defined in the term model, , which equals open t by induction. The proof for dia is similar.

Intuitionistic R
One can readily imagine how the calculus for IS4 could be modified for logics with only one of the T and 4 axioms. In this section we instead illustrate the flexibility of Fitch-style calculi by defining a calculus for the rather different logic Intuitionistic R (IR), which extends IK with the axiom R: A → A This axiom was first studied for intuitionistic necessity modalities by Curry [13], along with the axiom M, A → A, to develop a logic for monads. The importance of the logic with R but without M was established by McBride and Paterson [30] who showed that it captured the useful programming abstraction of applicative functors. We take the name R for the axiom from Fairtlough and Mendler [19], and for the logic from Litak [28].
We modify Figures 1 and 3 simply by removing the side-conditions ∉ Γ from the variable, open, and dia rules. We can then derive R: For substitution and subject reduction we require the following lemma, easily proved by induction on the derivation of t: We can also observe that η-equivalence preserves types in both directions. We give semantics for this calculus in a cartesian closed category equipped with an adjunction of endofunctors ⊣ and a 'point' natural transformation r : Id → preserved by , i.e. r = r : A → A. This last property makes this model slightly less general than the notion of tensorial strength used for categorical semantics by McBride and Paterson [30], but is needed for coherence and the soundness of η-equivalence. We will use the arrow A → A defined by applying the adjunction to r; we call this q and note the property: The weakening natural transformation w Γ : Γ → Id is defined by induction on Γ via projection and q. Variables are then denoted by projection composed with weakening, and weakening is used similarly for open and dia. We can hence show the soundness of β-reduction for and . For the soundness of η-equivalence for we need the following lemma: • η m . By the lemma above we replace w Γ ′ , with w ,Γ ′ , so by the naturality of η m have ε m • η m • t • w ,Γ ′ , which is t • w ,Γ ′ by the monad laws.
Moving to coherence, we conduct a similar induction to Theorem 4.8, considering the case The top line on the left weakens to the top line on the right, with denotation t•w ,Γ ′ . By induction this equals the denotation of the top line of the right. Then the right hand term has denotation ε m which is exactly the weakening used on the left. Coherence for dia follows similarly.
Moving finally to categorical completeness, in the term model t • r is shut t[open shut x/x], which reduces to shut t, so r is natural. r : A → A is shut shut open x, which is indeed η-equal to shut x.
We finally need to update Lemma 3.1 for our new definitions. We do this via a lemma similar to Lemma 4.9: Lemma 5.4. Given the term x : Γ, Γ ′ ⊢ w Γ ′ : Γ defined in the term model, which is π 2 c Γ,A by the lemma above. This is π 2 c Γ , x , which reduces to x. The

Related and Further Work
Conventional contexts. It is sometimes possible to design modal lambda calculi with conventional contexts containing typed variables only. This has been done for the logic of monads [31], for IS4 [6], for IK [5], and for a logic with 'Löb induction' [7], from which it is possible to extract a calculus for IR. In previous work [12] we developed the guarded lambda calculus featuring two modalities, where one ('constant') was an (idempotent) comonad, and the other ('later') supported a notion of guarded recursion corresponding to Löb induction. We therefore used the existing work [6,7] 'off the shelf'.
Problems arose when we attempted to extend the guarded lambda calculus with dependent types [8]. Neither of the calculi with conventional contexts we had used scaled well to this extension. The calculus for IS4 [6], whose terms involved explicit substitutions, turned out to require these substitutions on types also, which added a level of complexity that made it difficult to write even quite basic dependently typed programs. The constant modality was therefore jettisoned in favour of an approach based on clock quantification [2], of which more below. The calculus for later employed a connective ⊛ (from McBride and Paterson [30]) which acted on function spaces under the modality. However with dependent types we need to act not merely on function spaces, but on Π-types, and ⊛ could not be used. Instead a novel notion of 'delayed substitution' was introduced. These were given an equational theory, but some of these equations could not be directed, so they did not give rise to a useful notion of computation.
Modalities as quantifiers. The suggestive but formally rather underdeveloped paper of De Queiroz and Gabbay [15] proposed that necessity modalities should be treated as universal quantifiers, inspired by the standard semantics of necessity as 'for all possible worlds'. This is one way to understand the relationship between the constant modality and clock quantification [2]. However clock quantification is more general than a single constant modality because we can identify multiple free clock variables with multiple 'dimensions' in which a type may or may not be constant. This gap in generality can probably be bridged by using multiple independent constant modalities. More problematically, while it is clear what the denotational semantics of the constant modality are, the best model for clock quantifiers yet found [9] is rather complicated and still leaves open some problems with coherence in the presence of a universe.
Previous Fitch-style calculi. The Fitch-style approach was pioneered, apparently independently, by Martini and Masini [29] and Borghuis [10]. Martini and Masini's work is rather notationally heavy, and weakening appears not to be admissible. Borghuis's calculus for IK is excellent, but his calculi for stronger logics are not so compelling, as each different axiom is expressed with another version of the open or shut rules, not all of which compute when combined. The calculus for IS4 of Pfenning and Wong [33], refined by Davies and Pfenning [14, Section 4], provides the basis of the IS4 calculus of this paper, but involves some complications which appear to correlate to not assuming idempotence. We have extended this previous work by investigating the subformula property, introducing categorical semantics, and showing how left adjoints to necessity modalities à la tense logic can be used as types. Finally, the recent clocked type theory of Bahr et al. [4] independently gave a treatment of the later modality that on inspection is precisely Fitch-style (albeit with named 'locks'), and which has better computational properties than the delayed substitution approach.
Dual contexts. Davies and Pfenning [14] use a pair of contexts ∆; Γ with intended meaning ∆ ∧ Γ . This is quite different from the formula translation of Fitch-style sequents in which structure in a context denotes a applied to the conclusion (or its left adjoint applied to the context). In recent work Kavvos [25] has shown how dual contexts may capture a number of different modal logics. We support this work but there is reason to explore other options. First, writing programs with dual context calculi was described by Davies and Pfenning themselves as 'somewhat awkward', and they suggest the Fitch-style approach as a less awkward alternative. Indeed, Fitch's approach was exactly designed to capture 'natural' modal deduction. Second, any application with multiple interacting modalities is unlikely to be accommodated in a mere two zones; the mode theories of Licata et al. [27] are an attempt to extend the dual zone approach to such a richer setting, but the increase in complexity is considerable and much work remains to be done.
Further logics and algorithmic properties. We wish to bring more logics into the Fitch-style framework. In particular we wish to extend IR with the strong Löb axiom ( A → A) → A. The obvious treatment of this axiom does not terminate, but Abel and Vezzosi [1] suggest that this can be avoided by restricting reductions under a shut. We would further like to develop calculi involving multiple modalities. This is easy to do by according each modality its own lock; two IK modalities give exactly the notion of intuitionistic tense logic of Goré et al. [23]. The situation is rather more interesting where the modalities interact. We wish to develop a calculus with later and constant modalities, rather than the clock quantification used by Bahr et al. [4]; the interaction of these modalities creates some coherence problems which are yet to be solved. Finally, we would like to further investigate algorithmic properties of Fitch-style calculi such as type checking, type inference, and η-expansion and other notions of computation. In particular, we wonder if a notion of commuting conversion can be defined so that the calculi with enjoy the subformula property.

A Intuitionistic K
This appendix presents proof details for the theorems of Section 2. We omit routine proof details for products, and sometimes function spaces also, and we delay discussion of sums until Appendix A.6.

A.1 Proof of Theorem 2.1 (Logical Soundness and Completeness)
In this section we prove the soundness and completeness of the type system of Figure 1 (considered as a natural deduction system) with respect to the logic IK. The typing rules for the connectives of intuitionistic logic are as usual and so soundness and completeness for this fragment is clear. For logical completeness we then need only show that the K axiom is derivable, which is done in Section 2.1, and that necessitation holds. For this we need the lemma: Proof. Easy induction on the derivation of t.
If A is a theorem, then by induction on the length of Hilbert derivations · ⊢ A is derivable in the type system, so, by the lemma above, ⊢ A, so by the shut rule · ⊢ A.
We then turn to soundness.
Proof. By induction on Γ . The base case is trivial. The variable case asks that This follows by assuming all formulae to the left of implications, applying Modus Ponens twice, and induction. The lock case starts by applying necessitation to the induction hypothesis, then using the K axiom to distribute the box through. Lemma A.3. All typing rules are sound with respect to the formula translation.
Proof. The λ and shut rules are trivial because in each the formula translations of the premise and conclusion are identical.
Variable rule: Let Γ ′ (which contains no locks) be B 1 , . . . , B n . Then A → B 1 → · · · → B n → A is a theorem. We then construct the context Γ from the right by, for formulae B, observing that B → C is a theorem for any theorem C, and, for locks, using necessitation.
Application follows by Lemma A.2 and Modus Ponens. open: note that Γ, , B 1 , . . . , B n ⊢ A has the same interpretation as Γ ⊢ (B 1 → · · · → B n → A). Now A → (B 1 → · · · → B n → A) is a theorem; by necessitation and K, so is As a corollary, any type inhabited in the empty context, i.e. · ⊢ A, is indeed a theorem of IK.

A.2 Proof of Theorem 2.5 (Strong Normalisation)
Strong normalisation could be proved in a number of ways; we choose Tait's method, as presented for example by Girard et al. [22,Chapter 6]. We define sets RED A of reducible untyped terms by induction on the type A by taking the usual definitions, e.g.
t ∈ RED A→B if for all u ∈ RED A , t u ∈ RED B and extending them with A term is neutral if it is a variable x, or if its outermost term-former is an elimination, e.g. it has form t u or open t.
Note that the third criterion vacuously implies that if t is neutral and normal, then it is reducible. We call this criterion (CR4).
Proof. We prove all three properties simultaneously by induction on the type.
Here we present only the A case. Lemma A.6. Let Γ ⊢ t : A be a typed term where Γ has as variable assignments x 1 : A 1 , . . . , x n : A n , and let u 1 , . . . , u n be a set of terms with u i ∈ RED Ai for 1 ≤ i ≤ n. Then t[u 1 /x 1 , . . . , u n /x n ] ∈ RED A .
Proof. By induction on the derivation of t. Looking only at the term-formers for , this holds for shut t by induction and Lemma A.5, and for open t by induction and the definition of RED A . Theorem 2.5 may hence be proved as follows: variables are neutral and normal, so are in RED Ai for any A i by (CR4). Hence we can apply Lemma A.6 to the identity substitution, replacing variables by themselves, to conclude that t ∈ RED A . Then by (CR1) t is normalisable.
A.3 Proof of Theorem 2.6 (Canonicity)

Lemma A.7. If a typed term-in-context Γ ⊢ t : A is normal and neutral, then t contains a free variable.
Proof. By induction on the derivation of t. We present only the open t case: if such a term is normal then t is normal and does not start with shut, and so is neutral, and so by induction contains a free variable.

Theorem 2.6 then follows because a normal term with no free variables cannot be neutral by the lemma above, so its main term-former must be the appropriate introduction.
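To make the shape of these rules concrete, the following Python checker and normaliser for the {→, □} fragment is added here as an illustration; it is not code from the paper. It implements the typing rules as the appendix sketches them (a variable may not be used across a lock, as in the variable case of A.1; shut adds a lock; open discards the last lock together with the lock-free tail Γ′, as in the open case of A.1), the reductions β and open shut t → t used in A.5, and the canonicity check of A.3 (a closed normal term of □ type must start with shut). The tuple encoding, the helper names (typecheck, normalise, is_canonical, …) and the sample terms are all assumptions made for this example.

```python
"""Toy checker and normaliser for the {->, box} fragment of Fitch-style IK.
Added illustration, not the paper's code; encoding and samples are assumptions.
Types: ('base', n) | ('arrow', A, B) | ('box', A)
Terms: ('var', x) | ('lam', x, A, t) | ('app', f, a) | ('shut', t) | ('open', t)
Context: list of (name, type) pairs and LOCK markers, innermost entry last."""

LOCK = 'LOCK'  # the padlock entry of the paper's contexts


def typecheck(ctx, term):
    """Return the type of `term` in `ctx`, raising TypeError if untypable."""
    kind = term[0]
    if kind == 'var':
        # Gamma, x:A, Gamma' |- x : A only if Gamma' has no lock, so a lock
        # met before x when scanning from the right is an error.
        for entry in reversed(ctx):
            if entry == LOCK:
                raise TypeError(f"{term[1]} is used across a lock")
            if entry[0] == term[1]:
                return entry[1]
        raise TypeError(f"unbound variable {term[1]}")
    if kind == 'lam':
        _, x, dom, body = term
        return ('arrow', dom, typecheck(ctx + [(x, dom)], body))
    if kind == 'app':
        fun, arg = typecheck(ctx, term[1]), typecheck(ctx, term[2])
        if fun[0] != 'arrow' or fun[1] != arg:
            raise TypeError("ill-typed application")
        return fun[2]
    if kind == 'shut':  # Gamma, lock |- t : A  gives  Gamma |- shut t : box A
        return ('box', typecheck(ctx + [LOCK], term[1]))
    # open: Gamma |- t : box A  gives  Gamma, lock, Gamma' |- open t : A with
    # Gamma' lock-free: check the premise with the last lock and its tail removed.
    if LOCK not in ctx:
        raise TypeError("open needs a lock in the context")
    boxed = typecheck(ctx[:len(ctx) - 1 - ctx[::-1].index(LOCK)], term[1])
    if boxed[0] != 'box':
        raise TypeError("open applied to a term of non-box type")
    return boxed[1]


def typechecks(ctx, term):
    """Boolean form of typecheck, for the rejected examples."""
    try:
        return typecheck(ctx, term) is not None
    except TypeError:
        return False


def free_vars(term):
    kind = term[0]
    if kind == 'var':
        return {term[1]}
    if kind == 'lam':
        return free_vars(term[3]) - {term[1]}
    if kind == 'app':
        return free_vars(term[1]) | free_vars(term[2])
    return free_vars(term[1])


def subst(term, x, s):
    """Capture-avoiding substitution term[s/x]."""
    kind = term[0]
    if kind == 'var':
        return s if term[1] == x else term
    if kind == 'lam':
        _, y, dom, body = term
        if y == x:
            return term
        if y in free_vars(s):  # rename the binder so it cannot capture s
            fresh = y + "'"
            while fresh in free_vars(s) | free_vars(body):
                fresh += "'"
            body, y = subst(body, y, ('var', fresh)), fresh
        return ('lam', y, dom, subst(body, x, s))
    if kind == 'app':
        return ('app', subst(term[1], x, s), subst(term[2], x, s))
    return (kind, subst(term[1], x, s))


def normalise(term):
    """Normal form under beta and open shut t -> t; terminates on well-typed
    terms by strong normalisation (Theorem 2.5)."""
    kind = term[0]
    if kind == 'var':
        return term
    if kind == 'lam':
        return ('lam', term[1], term[2], normalise(term[3]))
    if kind == 'app':
        fun, arg = normalise(term[1]), normalise(term[2])
        return normalise(subst(fun[3], fun[1], arg)) if fun[0] == 'lam' else ('app', fun, arg)
    if kind == 'shut':
        return ('shut', normalise(term[1]))
    inner = normalise(term[1])  # kind == 'open'
    return inner[1] if inner[0] == 'shut' else ('open', inner)


def is_canonical(term, ty):
    """Theorem 2.6: closed normal terms of box type start with shut, of arrow type with lambda."""
    return term[0] == {'box': 'shut', 'arrow': 'lam'}.get(ty[0])


# Constructed sample terms (assumptions, not taken from the paper).
A, B = ('base', 'A'), ('base', 'B')
# Axiom K as a closed term: \x:box(A->B). \y:box A. shut (open x (open y))
K_TERM = ('lam', 'x', ('box', ('arrow', A, B)), ('lam', 'y', ('box', A),
          ('shut', ('app', ('open', ('var', 'x')), ('open', ('var', 'y'))))))
# Rejected: \x:A. shut x uses x across the lock that shut introduces.
BAD_TERM = ('lam', 'x', A, ('shut', ('var', 'x')))
# (\x:box(A->A). shut (open x)) (shut (\z:A. z)): its reduct needs open shut t -> t
REDEX = ('app', ('lam', 'x', ('box', ('arrow', A, A)), ('shut', ('open', ('var', 'x')))),
         ('shut', ('lam', 'z', A, ('var', 'z'))))
```

Running typecheck([], K_TERM) yields □(A→B) → □A → □B, so the K axiom is inhabited; BAD_TERM is rejected because the lock that shut introduces sits between the binding of x and its use, which is exactly what the "Γ′ contains no locks" side condition forbids; and normalise(REDEX) returns shut (λz:A. z), a closed normal term of □ type whose main term-former is shut, as canonicity predicts.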
A.4 Proof of Theorem 2.7 (Subformula Property)

Lemma A.8. If Γ ⊢ t : A is normal and neutral then A is a subtype of some type assigned in Γ.

Proof. By induction on t, as usual presenting only the case:
If open t is normal and neutral then so must t be. But then by induction the type A of t is a subformula of Γ , so the type A of open t is also.
We then prove Theorem 2.7 by induction on t, presenting only the cases:

Γ ⊢ shut t : A: all proper subterms are subterms of t, which by induction have types included in Γ, or in A, and hence, in the latter case, in A.

Γ, , Γ′ ⊢ open t : A: by induction all subterms of t have types contained in Γ or A. But if open t is normal then t is neutral, so by Lemma A.8 A is contained in Γ.

A.5 Proof of Theorem 2.8 (Categorical Soundness)
We first confirm the soundness of open shut t → t. Γ, , Γ′ ⊢ open shut t : A is ϕ⁻¹ϕ Γ, ⊢ t : A composed with a projection, where ϕ is the isomorphism given by the ⊣ adjunction. But this is exactly Γ, , Γ′ ⊢ t : A as required.
The soundness of β-reduction for functions follows immediately given the lemma below regarding the interpretation of substitution. The lemma is slightly more general than necessary for function spaces, because the general form will be useful later.
Proof. By induction on t. We present the variable case and the cases for ; other cases are routine. If t is the variable x then Γ′ contains no locks so we have

Finally, the soundness of η-equivalence for follows because it is defined by applying the ⊣ adjunction in both directions.

A.6 Sums in IK
We finally show that the proofs above still hold given the generalised rules for sums of Figure 2.
For the logical soundness of the case rule we note that is a theorem and use Lemma A.2 and the K axiom to complete the proof. For abort we use that 0 → Γ′ ⊢ A . The other syntactic proofs proceed as usual for sums.
For the categorical semantics, we need to interpret the new case and abort rules, and to confirm that the β-reductions and commuting conversions still hold.
case: We interpret case s of x.t; y.u as

This suffices to show that β-reduction (for the first injection) is sound where Γ′ is empty. For the general Γ′ we hence use this as the base case for a proof that d•Γ′ (Γ × in_1) = in_1 : Γ, A, Γ′ → Γ, A, Γ′ + Γ, B, Γ′. We show the step case for locks only:

Here the leftmost triangle commutes by induction. The commuting conversions can be confirmed by diagram chase similarly. We present one case:

where the right hand arrow is unique because products and are left adjoints, so preserve the initial object. The soundness of the commuting conversions then follows easily. We show one case:

The top line is abort t and the other perimeter is open abort t .

B.1 Type System and Computation
Logical soundness: For dia, we have A → B_1 → ··· → B_n → A, which by necessitation and K yields A → (B_1 → ··· → B_n → A). But A → A by η. Using Lemma A.2 for the context Γ completes the proof.
For let dia, the second premise yields A → B by monotonicity and ε. Then Γ ⊢ A → B , and Lemma A.2 completes the proof.
Subject reduction: We need left weakening (Lemma A.1) and variable weakening to weaken x : A, ⊢ u : B to Γ, x : A, , Γ ′ ⊢ u : B, and may then apply the substitution.
Strong normalisation: The dia rule involves a 'parasitic' type, as with sums, so we use similar techniques as for sums to extend Tait's method. Unfortunately these techniques appear to be folklore and we could not find an explicit description in the literature, so we write out the proof with some care. We set t ∈ RED A if t dia u for u ∈ RED A , or t normalises to a neutral term.
For (CR1), if t dia u and u is by induction normalisable, then dia u is also normalisable because no reduction touches the outer dia. Otherwise t is normalisable by definition.
For (CR2), if t t ′ and t dia u then by confluence t ′ dia u ′ for some u u ′ . By induction u ′ ∈ RED A , so t ′ ∈ RED A . Else if t normalises to a neutral term then so does t ′ .
For (CR3), if there exists a one-step reduction of t that reduces in turn to some dia u then t does also. Else if all one-step reductions of t reduce to a neutral term then t does similarly.
Lemma A.6 can then be extended to the new term-formers. The dia case follows immediately by definition. For let dia we use a secondary induction on ν(t) + ν(u), and (CR3). We omit the substitutions for Γ below for clarity. If t has the form dia s then one possible reduction is to u[s/x]. But by definition s ∈ RED_A, so u[s/x] ∈ RED_B. If ν(t) + ν(u) = 0 this is the only possible reduction. Otherwise we might reduce one of the subterms t or u; without loss of generality, say t → t′. By (CR2) t′ ∈ RED_A. But then we can use our secondary induction to conclude let dia x be t′ in u ∈ RED_B.
Canonicity follows as before.

B.2 Categorical Semantics
To determine that β-reduction for function spaces, which involves substitution, still holds, we must confirm that Lemma A.9 extends to the new type-formers for , which is straightforward from expanding the definitions. β-reduction for involves a left weakening à la Lemma A.1, so we must determine the categorical equivalent of this.
Proof. By induction on t. The variable case holds because we use the projection to A.
For λ we use the diagram below. The natural transformation η_c is the unit of the cartesian closure adjunction, while the triangle commutes by induction.
This lemma, along with Lemma A.9, establishes that u[t/x] is u • (! × A) • Γ, t • pr. The middle two arrows simplify to t, as required by let dia x be dia t in u. For η-equivalence let dia x be t in x has denotation t by definition. For the associativity equivalence it is clear that both sides equal (t • u) • s = t • (u • s).
We now move to the term model construction.
is a functor: applied to the identity x is shut open x, which is η-equal to x.

is a functor: x is let dia x be x in dia x, which is η-equal to the identity. u • t is let dia x be (let dia x be x in dia t) in dia u. By the associativity equality this equals let dia x be x in let dia x be dia t in dia u, reducing to let dia x be x in (dia u[t/x]) as required.
η_m is natural: We require that t • η_m = η_m • t. The left hand side is shut let dia x be open shut dia x in dia t, which reduces to shut let dia x be dia x in dia t, then to shut dia t.

ε_m is natural: We require that ε_m • t = t • ε_m. The left hand side is

We then check that ε_m • η_m is the identity on any A. This is let dia x be (let dia x be x in dia shut dia x) in open x which by associativity equals let dia x be x in let dia x be dia shut dia x in open x, which reduces to let dia x be x in open shut dia x → let dia x be x in dia x, which is η-equal to x.

Proof of Lemma 3.1.
tu is t u , so the substitution is ( t [c_Γ/x])( u [c_Γ/x]), which equals tu by induction.
shut t is t • η_m, which is shut t [open shut dia x/x], which reduces to shut t [dia x/x]. The substitution is then shut t [dia c_Γ/x], which equals shut t by induction.
open t is ε_m • t • pr, where pr is the projection out of the weakening of the variables y_1, …, y_n. This is let dia y be (let dia x be π_1 ··· π_1 x in dia t ) in open y where there are n first projections. By associativity this equals let dia x be π_1 ··· π_1 x in let dia y be dia t in open y which reduces to let dia x be π_1 ··· π_1 x in open t . The substitution is then let dia x be π_1 ··· π_1 dia c_Γ, y_1, …

dia t is t • pr, which is let dia x be π_1 ··· π_1 x in dia t . The substitution is let dia x be π_1 ··· π_1 dia c_Γ, y_1, …, y_n in dia t which reduces to let dia x be dia c_Γ in dia t → dia t [c_Γ/x], which equals dia t by induction.
let dia x be t in u is u • t , so the substitution is u [ t [c_Γ/x]/x], which by induction equals u [t/x]. This is η-equal to u [let dia x be t in dia x/x], which is by associativity equal to let dia x be t in ( u [dia x/x]). This equals let dia x be t in u by induction.

C.1 Type System and Computation
Logical soundness follows by showing that A → Γ′ ⊢ A is a theorem by induction on Γ′, then using Lemma A.2 to incorporate Γ, and finally noting that Γ ⊢ Γ′ ⊢ A = Γ, Γ′ ⊢ A .
For the induction, the base case is the T axiom. The variable case extends the induction hypothesis A → Γ′ ⊢ A to A → B → Γ′ ⊢ A . The lock case combines the 4 axiom with A → Γ′ ⊢ A , which follows by applying the K axiom to the induction hypothesis.

C.2 Categorical Semantics
Here we show that Lemma A.9 extends to the new open rule. If the variable substituted for is part of the weakening, this is easy. Suppose instead we had Γ, x : A, Γ′ ⊢ t : B, opening with weakening Γ′′. Then

This establishes that q •η_m = q •η_m. But by the adjunction there should be a unique arrow h such that h • η_m = r, so q = q.
Categorical Semantics: Note that for the soundness of β-reduction for function spaces and we need updated versions of Lemmas A.9 and B.1; these are straightforward from the naturality of weakening.
There are two simple lemmas we need for the soundness of β-reduction for and : Lemma D.1.
Proof. By induction on Γ_4, with the base case using induction on Γ_3.