Synthetic Undecidability and Incompleteness of First-Order Axiom Systems in Coq

We mechanise the undecidability of various first-order axiom systems in Coq, employing the synthetic approach to computability underlying the growing Coq Library of Undecidability Proofs. Concretely, we cover both semantic and deductive entailment in fragments of Peano arithmetic (PA) as well as ZF and related finitary set theories, with their undecidability established by many-one reductions from solvability of Diophantine equations, i.e. Hilbert’s tenth problem (H10), and the Post correspondence problem (PCP), respectively. In the synthetic setting based on the computability of all functions definable in a constructive foundation, such as Coq’s type theory, it suffices to define these reductions as meta-level functions with no need for further encoding in a formalised model of computation. The concrete cases of PA and the considered set theories are supplemented by a general synthetic theory of undecidable axiomatisations, focusing on well-known connections to consistency and incompleteness. Specifically, our reductions rely on the existence of standard models, necessitating additional assumptions in the case of full ZF, and all axiomatic extensions still justified by such standard models are shown incomplete. As a by-product of the undecidability of set theories formulated using only membership and no equality symbol, we obtain the undecidability of first-order logic with a single binary relation.


Introduction
Being among the mainstream formalisms to underpin mathematics, first-order logic (FOL) has been subject to investigation from many different perspectives since its concretisation in the late 19th century. One of them is concerned with algorithmic properties, prominently pushed by Hilbert and Ackermann with the formulation of the Entscheidungsproblem [18], for fragments ′ and ′ even strictly below Robinson arithmetic and Zermelo set theory , respectively, with the latter now also admitting a fully constructive standard model. In summary, the contributions of this paper can be listed as follows: • We extend the Coq Library of Undecidability Proofs with verified reductions to ′ , , , ′ , , and (-regularity) , regarding both Tarski semantics and natural deduction. 1 • We verify a translation of set theory over a convenient signature with function symbols for set operations to smaller signatures just containing one or two binary relation symbols. • By composition, we obtain the undecidability of the Entscheidungsproblem for a single binary relation, improving on a previous mechanisation with additional symbols [11]. • By isolating a generic theorem (Strategy 10), we obtain synthetic undecidability and incompleteness for all axiomatisations extending the fragments ′ and ′ with respect to standard models.
This extended version of [21] adds the following contributions: • We eliminate the assumption of excluded middle in the treatment of by means of a general Gödel-Gentzen-Friedman translation (Sect. 5).
• We mechanise direct and indirect reductions to various finitary set theories not requiring or actively refuting infinite sets (Sect. 8). • We extend on the signature transformation employed for set theory without function symbols to obtain conservativity results (Lemma 53 -Fact 56). • We analyse the abstract preconditions necessary for the synthetic approach to undecidability and incompleteness of arbitrary formalisms (Sect. 9).
After a preliminary discussion of constructive type theory, synthetic undecidability, and first-order logic in Sect. 2, we proceed with the general results relating undecidabilitity, incompleteness, and consistency of first-order axiom systems in Sect. 3. This is followed by the case studies concerning arithmetical axiomatisations (Sects. 4 and 5), set theory with (Sect. 6) and without (Sect. 7) Skolem functions, as well as finitary set theories (Sect. 8).
We conclude with the abstract analysis of undecidability and incompleteness of arbitrary formalisms (Sect. 9) and with a discussion of the Coq mechanisation as well as related and future work Sect. 10.

Preliminaries
In order to make this paper self-contained and accessible, we briefly outline the synthetic approach to undecidability proofs and the representation of first-order logic in constructive type theory used in previous papers.

Constructive Type Theory
We work in the framework of a constructive type theory such as the one implemented in Coq, providing a predicative hierarchy of type universes above a single impredicative universe ℙ of propositions. On type level, we have the unit type with a single element * : , the void type , function spaces X → Y , products X × Y , sums X + Y , dependent products ∀(x ∶ X). F x , and dependent sums Σ(x ∶ X). F x . On propositional level, these types are denoted by the usual logical notation ( ⊤ , ⊥ , → , ∧ , ∨ , ∀ , and ∃ ). So-called large elimination from ℙ into computational types is restricted, in particular case distinction on proofs of ∨ and ∃ to form computational values is disallowed. On the other hand, this restriction is permeable enough to allow large elimination of the equality predicate = ∶ ∀X. X → X → ℙ specified by the constructor ∀(x ∶ X). x = x , as well as function definitions by well-founded recursion.
We employ the basic inductive types of Booleans ( ∶= | ), Peano natural numbers ( n ∶ ℕ ∶= 0 | n + 1 ), the option type ( (X) ∶= ⌜x⌝ | � ), and lists ( l ∶ (X) ∶= [ ] | x ∶∶ l ). We write |l| for the length of a list, l++l � for the concatenation of l and l ′ , x ∈ l for membership, and just f l for application of the pointwise map function. We denote by X n the type of vectors ⃗ v of length n ∶ ℕ over X and reuse the definitions and notations introduced for lists.

Synthetic Undecidability
The base of the synthetic approach to computability theory [4,35] is the fact that all functions definable in a constructive foundation are computable. This fact applies to many variants of constructive type theory and we let the assumed variant sketched in the previous section be one of those. Of course, we are confident that in particular the polymorphic calculus of cumulative inductive constructions (pCuIC) [41] currently implemented in Coq satisfies this condition although there is no formal proof yet. Now beginning with positive notions, we can introduce decidability and enumerability of decision problems synthetically, i.e. without reference to a formal model of computation: Defin ition 1 Let P ∶ X → ℙ be a predicate over a type X.
Note that it is commonly accepted practice to mechanise decidability results in this synthetic sense (e.g. [5,27,36]). In the present paper, however, we mostly consider negative results in the form of undecidability of decision problems regarding first-order axiomatisations. Such negative results cannot be established in form of the actual negation of positive results, since constructive type theory is consistent with strong classical axioms turning every problem (synthetically) decidable (as witnessed by classical models, cf. [48]).
The approximation chosen in the Coq Library of Undecidability Proofs [13] is to call P (synthetically) undecidable if the decidability of P would imply the decidability of a seed problem known to be undecidable, specifically the halting problem for Turing machines. Therefore the negative notion can be turned into a positive notion, namely the existence of a computable reduction function, that again admits a synthetic rendering:

Defin ition 2 Given predicates
Then interpreting reductions from the halting problem for Turing machines as undecidability results is backed by the following fact: Fact 3 If P ⪯ Q and Q is decidable, then so is P.
Such reductions have already been verified for Hilbert's tenth problem ( 10 ) [25] and the Post correspondence problem ( ) [10] that we employ in the present paper, so by transitivity it is enough to verify continuing reductions to the axiom systems considered.

Syntax, Semantics, and Deduction Systems of FOL
We now review the representation of first-order syntax, semantics, and natural deduction systems developed in previous papers [11,15,22]. Beginning with the syntax, we describe terms t ∶ and formulas ∶ as inductive types over a fixed signature Σ = (F Σ ;P Σ ) of function symbols f ∶ F Σ and relation symbols P ∶ P Σ with arities |f| and |P|: Negation ¬ and equivalence ↔ are obtained by the usual abbreviations.
In the chosen de Bruijn representation [8], a bound variable is encoded as the number of quantifiers shadowing its binder, e.g. ∀x. ∃y. P x u → P y v may be represented by ∀ ∃ P 1 4 → P 0 5 . For the sake of legibility, we write concrete formulas with named binders where instructive and defer de Bruijn encodings to the Coq development. A formula with all occurring variables bound by a quantifier is called closed.
Next, we define Tarski  Finally, we represent deduction systems as inductive predicates of type ( ) → → ℙ . We consider intuitionistic and classical natural deduction Γ ⊢ i and Γ ⊢ c , respectively, and write Γ ⊢ if a statement applies to both variants. The rules of the two systems are standard and listed in Appendix A, here we only highlight the quantifier rules depending on the de Bruijn encoding where [ ] denotes the capture-avoiding instantiation of a formula with a parallel substitution ∶ ℕ → , where the substitution ↑ maps n to n+1 , where the substitution (t; ) maps 0 to t and n + 1 to n , and where [t] is short for [t;( n. n )] . Extending the deduction systems to theories Constructively, only soundness of the intuitionistic system ( T ⊢ i implies T ⊨ ) is provable without imposing a restriction on the admitted models (as done in [15]). However, it is easy to verify the usual weakening ( Γ ⊢ implies Δ ⊢ for Γ ⊆ Δ ) and substitution properties of both variants by induction on the given derivations. The latter gives rise to named reformulations of (ai) and (ee) helpful in concrete derivations where n ∉ Γ denotes that n is fresh, i.e. does not occur in any formula of Γ.
The concrete signatures used in this paper all contain a reserved binary relation symbol ≡ for equality. Instead of making equality primitive in the syntax, semantics, and deduction systems, we implicitly restrict M ⊨ to extensional models M interpreting ≡ as actual equality = and define T ⊢ as derivability from T augmented with the standard axioms characterising ≡ as an equivalence relation congruent for the symbols in Σ.

Undecidable and Incomplete Axiom Systems
In this section, we record some general algorithmic facts concerning first-order axiomatisations and outline the common scheme underlying the undecidability proofs presented in the subsequent two sections. We fix an enumerable and discrete signature Σ for the remainder of this section and begin by introducing the central notion of axiom systems formally.

Defin ition 5 We call
Any axiomatisation induces two related decision problems, namely semantic entailment A ⊨ ∶= . A ⊨ and deductive entailment A ⊢ ∶= . A ⊢ . Since in our constructive setting we can show the classical deduction system ⊢ c neither sound nor complete (cf. [15]), we mostly consider a combined notion of Tarski semantics and intuitionistic deduction (reusing the ⪯-notation): Defin ition 6 We say that a predicate P ∶ X → ℙ reduces to A , written P ⪯ A , if there is a function f ∶ X → witnessing both P ⪯ A ⊨ and P ⪯ A ⊢ i .
Assuming the law of excluded middle ∶= ∀p ∶ ℙ. p ∨ ¬p would be sufficient to obtain P ⪯ A ⊢ c from P ⪯ A ⊨ , since then A ⊢ c and A ⊨ coincide. In fact, already the soundness direction is enough for our case studies on and , since for them it is still feasible to verify A ⊢ f x given P x by hand without appealing to completeness and the easier verification of A ⊨ f x. We now formulate two facts stating the well-known connections of undecidability with consistency and incompleteness for our synthetic setting. The first observation is that verifying a reduction from a non-trivial problem is at least as hard as a consistency proof.

Fact 7 If P ⪯ A ⊢ and there is x with ¬P x , then A ⊬ ⊥.
Proof If f ∶ X → witnesses P ⪯ A ⊢ , then by ¬P x we obtain A ⊬ f x . This prohibits a derivation A ⊢ ⊥ by the explosion rule (see Appendix A). ◻ The second observation is a synthetic version of (negation-)incompleteness for all axiomatisations strong enough to express an undecidable problem. We follow the common practice to focus on incompleteness of the classical deduction system, see Sect. 10.1 for a discussion. Note that this fact is an approximation of the usual incompleteness theorem in two ways. First, similar to the synthetic rendering of undecidability, axiomatisations A subject to a reduction P ⪯ A ⊢ c for P known to be undecidable are only shown incomplete in the sense that their completeness would imply decidability of P. Deriving an actual contradiction would rely on computability axioms (e.g. Church's thesis [14,24] or an undecidability assumption [11]) or extraction to a concrete model (e.g. a weak call-by-value -calculus [12]). Secondly, the fact does not produce a witness of an independent formula the way a more informative proof based on Gödel sentences does. Also note that inconsistent axiomatisations are trivially decidable, so the requirement A ⊬ c ⊥ is inessential (especially given Fact 7).

Fact 9 If
Next, we outline the general pattern of the reductions verified in this paper: 7. We conclude that A, and any sound B ⊇ A are undecidable and incomplete: Strat egy 10 Let a problem P ∶ X → ℙ , an axiomatisation A , a notion of standardness on models M ⊨ A , and a function _ ∶ X → be given with: Then P ⪯ B for all B ⊇ A admitting a standard model. If we additionally assume , then also P ⪯ B ⊢ c . Proof We begin with P ⪯ B ⊨ . That P x implies B ⊨ x is direct by (i) since every model of B is a model of A . Conversely, if B ⊨ x then in particular the assumed standard model M ⊨ B satisfies x . Thus we obtain P x by (ii).
Turning to P ⪯ B ⊢ i , the first direction is again trivial, this time by (iii) and weakening. For the converse, we assume that B ⊢ i x and hence B ⊨ x by soundness. Thus we conclude P x with the previous argument relying on (ii).
Of course (i) follows from (iii) via soundness, so the initial semantic verification could be eliminated from Strategy 10 and the informal strategy outlined before. However, we deem it more instructive to first present a self-contained semantic verification without the overhead introduced by working in a syntactic deduction system, mostly apparent in the Coq mechanisation. Also note that the necessity of a standard model will be no burden in the treatment of but in the case of this will require a careful analysis of preconditions.
We end this section with the unsurprising but still instructive fact that the decision problem for finite axiomatisations A reduces to the general Entscheidungsproblem of first-order logic concerning validity and provability in the empty context [18].

Fact 11 For
Proof It is straightforward to verify that the function . ⋀ A → prefixing with the conjunction of all formulas in A establishes both reductions. ◻ So the reductions to finite fragments of and presented in the next sections in particular complement the direct reductions to the Entscheidungsproblem given in [11]. More general variants of this insight can be formulated as follows: Fact 12 Let A be finite and B be an arbitrary axiomatisation.
Proof All witnessed by the reduction .

Peano Arithmetic
We begin with a rather simple case study to illustrate our general approach to undecidability and incompleteness. For the theory of Peano arithmetic ( ) we use a signature containing symbols for the constant zero, the successor function, addition, multiplication and equality: The core of consists of axioms characterising addition and multiplication: The finite list ′ consisting of these four axioms is strong enough to be undecidable. Undecidability (and incompleteness) then transport in particular to the (infinite) axiomatisation adding and the axiom schem e of induc tion, which we define as a function on formulas: Another typical reference point for incompleteness is Robinson arithmetic , obtained by replacing the induction scheme by ∀x.
Turning to undecidability, Hilbert's 10th problem ( 10 ) is concerned with the solvability of Diophantine equations and comes as a natural seed problem for showing the undecidability of , since the equations are a syntactic fragment of formulas.
To be more precise, 10  We now translate polynomials into terms by defining p * ∶ recursively: A Diophantine equation with greatest free variable N can now be encoded as the formula p,q ∶= ∃ N p * ≡ q * where we use N leading existential quantifiers to internalise the solvability condition. The formula p,q thus asserts the existence of a solution for p = q which gives us a natural encoding from Diophantine equations into .
We prepare the verification of the three requirements (Facts 20, 22 and 25) necessary for Strategy 10 with the following lemma about existential formulas: Proof We only provide some intuition for (i). For the implication from left to right, the assumption M ⊨ ∃ N gives us , showing the claim. For the other implication, we get with ⊨ . By setting � ∶= x. (x + N) we have = (0); … ; (N); � and hence there are Since has at most N free variables, ′ can be exchanged with any other ∶ ℕ → M . ◻ By Lemma 14, showing p,q is equivalent to finding a satisfying environment ∶ ℕ → M for p * ≡ q * in a model M or deductively showing that a substitution ∶ ℕ → solves it. This enables us to transport a solution for p = q to both the model and the deduction system.
We now verify the semantic part of the reduction for the axiomatic fragment ′ . To this end, we fix a model M ⊨ ′ for the next definitions and lemmas.

Defin ition 15
The axioms in ′ are sufficient to prove that is a homomorphism.

Proof
The proof for addition is done by induction on n ∶ ℕ and using the axioms for addition in ′ . The proof for multiplication is done in the same fashion, using the axioms for multiplication and the previous result for addition. ◻
Given an assignment ∶ ℕ → ℕ , we can transport the evaluation of a polynomial [[p]] to any ′ model by applying . The homomorphism property of now makes it easy to verify that we get the same result by evaluating the encoded version p * with the composition • .

Lemma 18 For any p and
Proof By induction on p, using Lemmas 16 and 17. ◻

Corol lary 19 If p = q has solution , then in any
Proof Let be the solution of p = q , then ( • ) ⊨ p * ≡ q * holds by Corollary 19 and since ∃ N p * ≡ q * is closed by construction, the goal follows by Lemma 14. ◻ For the converse direction, we employ the type ℕ as standard model.

Lemma 21 ℕ is a model of ′ , , and .
It is easy to extract a solution of p = q if ℕ ⊨ p,q by the previous lemmas.

Fact 22
If ℕ ⊨ p,q then p = q has a solution.

Lemma 24 If p = q has a solution , then we can deduce
Proof Since ℕ is a standard model for ′ , , and , the claims follow by Strategy 10 since we have shown the three necessary conditions in Facts 20, 22 and 25. ◻ As a consequence of the reductions, we can directly conclude incompleteness appealing to . Note that in Sect. 5 we explain how this conclusion can be made constructively.

Theor em 27 Assuming
, completeness of any extension A ⊇ ′ satisfied by the standard model ℕ would imply the decidability of the halting problem.
Proof By Strategy 10 as in Theorem 26, with Fact 9 and the reductions in [25]. ◻ In fact, all axiomatisations satisfied by ℕ are undecidable and incomplete: Fact 28 10 ⪯ A for any axiomatisation A satisfied by the standard model ℕ.
Proof By Strategy 10 as in Theorem 26 we obtain 10 ⪯ A ∪ � and by Fact 12 we obtain We close this section with a few remarks about the theories ′ , , and . The theory ′ is trivially incomplete under : using soundness of classical deduction, we have � ⊬ c ∀xy. x = y because of the standard model ℕ and � ⊬ c ¬∀xy. x = y because of the trivial model. Similarly, the formula ∀x. Sx ≠ x is independent in , for instance violated by the model ℕ ∞ extending ℕ with a maximal number ∞ . Note that these models in particular show that the theories ′ , , and are all distinct.

Eliminating the Law of Excluded Middle
We can strengthen the result of Theorem 27 and remove its reliance on by utilising a combination of the double negation and Friedman translations [16]. Given any signature Σ = (F Σ ;P Σ ) we add a new 0-ary predicate F to P Σ , giving us the new signature Σ F ∶=(F Σ , P Σ ∪ {F}) . This way of setting up the Friedman transform is easier to mechanise compared to the syntactic version where ⊥ is replaced by a formula, and sufficient for our purpose here.

Defin ition 29 We recursively define the F-translation
We will state the crucial results concerning the F-translation with respect to minimal natural deduction Γ ⊢ m , which is natural deduction ⊢ i without the explosion rule and restricted to formulas without the ⊥ symbol.

Lemma 30 For any formula we have
Proof By induction on the size of . ◻

Lemma 31 For any formula and context
Proof By induction on the deduction Γ ⊢ c , some cases need Lemma 30. ◻ Defin ition 32 Given a proposition P ∶ ℙ and model M of the signature Σ , we can extend M to a model M P of the extended signature Σ F by setting F M ∶=P and following the interpretation of M in all other cases. We will then write M ⊨ T F to express that for every Γ ⊆ T and P we have M P ⊨ Γ F .
We now apply the F-translation to the particular case of the signature to derive an improved version of Theorem 27, eliminating the usage of .

Theor em 34 Any axiomatisation
Hence, its completeness would imply the decidability of the halting problem.
Proof First we will show 10 ⪯ A ⊢ c , by verifying that p,q is a reduction, where the first part of the verification follows from Fact 25. In the converse we are given Γ ⊆ A with Γ ⊢ c p,q and need to find a solution for p = q or equivalently (Fact 22) Secondly, we can show that A is consistent (with respect to ⊢ c ) by the fact that A ⊢ c ⊥ together with Lemma 31 and soundness implies ℕ P ⊨ ⊥ F , which reduces to ⊥ in the model with P∶= ⊥ . Therefore by Fact 9, completeness of A would imply the decidability of 10 and thus also of the halting problem. ◻

ZF Set Theory with Skolem Functions
Turning to set theory, we first work in a signature providing function symbols for the operations of . So for the rest of this section we fix the signature with function symbols denoting the empty set, pairing, union, power set, the set of natural numbers, next to the usual relation symbols for equality and membership. Using such Skolem functions for axiomatic and other definable operations is common practice in settheoretic literature and eases the definition and verification of the undecidability reduction in our case. That the undecidability result can be transported to minimal signatures just containing equality and membership, or even just the latter, is subject of the next section. We do not list all axioms in detail but refer the reader to Appendix B, the Coq code, and standard literature (eg. [40]). The only point worth mentioning again is the representation of axiom schemes as functions → , for instance by the separ ation scheme expressed as We then distinguish the following axiomatisations: • ′ contains extensionality and the specifications of the function symbols. • is obtained by adding all instances of the separation scheme. • is obtained by further adding all instances of the replacement scheme.
Note that in we do not include the axiom of regularity since this would force the theory classical and would require to extend Coq's type theory even further to obtain a model [28]. Alternatively, one could add the more constructive axiom for -induction, but instead we opt for staying more general and just leave the well-foundedness of sets unspecified. So in particular we do not rule out the addition of the anti-foundation axiom [2].
Following the general outline for the undecidability proofs in this paper, we first focus on verifying a reduction to the base theory ′ and then extend to the stronger axiomatisations by use of Strategy 10. As a seed problem for this reduction, we could naturally pick just any decision problem since set theory is a general purpose foundation expressive enough for most standard mathematics. However, the concrete choice has an impact on the mechanisation overhead, where formalising Turing machine halting directly is tricky enough in Coq's type theory itself, and even a simple problem like 10 used in the previous section would presuppose a modest development of number theory and recursion in the axiomatic framework. We therefore base our reduction to ′ on the Post correspondence problem ( ) which has a simple inductive characterisation expressing a matching problem given a finite stack S of pairs (s, t) of Boolean strings: Informally, S is used to derive pairs (s, t), written S ⊳ (s, t) , by repeatedly appending the pairs from the stack componentwise in any order or multitude. S admits a solution, written S , if a matching pair (s, s) can be derived. Encoding data like numbers and Booleans in set theory is standard, using usual notations for binary union x ∪ y , singletons {x} , and ordered pairs (x, y): Starting informally, the solvability condition of can be directly expressed in set theory by just asserting the existence of a set encoding a match for S: Unfortunately, formalizing this idea is not straightforward, since the iteration operation S k is described by recursion on set-theoretic numbers k ∈ missing a native recursion principle akin to the one for type-theoretic numbers n ∶ ℕ . Such a recursion principle can of course be derived but in our case it is simpler to inline the main construction.
The main construction used in the recursion theorem for is a sequence of finite approximations f accumulating the first k steps of the recursive equations. Since in our case we do not need to form the limit of this sequence requiring the approximations to agree, it suffices to ensure that at least the first k steps are contained without cutting off, namely where we reuse the operation S ⊠ B appending the encoded elements of the stack S component-wise to the elements of the set B as specified above. Note that this operation is not definable as a function ( ( ) × ( )) → → and needs to be circumvented by quantifying over candidate sets satisfying the specification. However, for the sake of a more accessible explanation, we leave this subtlety to the Coq code and continue using the notation S ⊠ B.
Now solvability of S can be expressed formally as the existence of a functional approximation f of length k containing a match (x, x): We proceed with the formal verification of the reduction function S. S by proving the three facts necessary to apply Strategy 10. Again beginning with the semantic part for clarity, we fix a model M ⊨ ′ for the next lemmas in preparation of the facts connecting S with M ⊨ S . We skip the development of basic set theory in M reviewable in the Coq code and only state lemmas concerned with encodings and the reduction function:

Lemma 35
Let n, m ∶ ℕ and s, t ∶ ( ) be given, then the following hold:

Proof
(i) By induction on n, employing the infinity axiom characterising . With these lemmas in place, we can now conclude the first part of the semantic verification.

Proof Assuming
S , there are s ∶ ( ) and n ∶ ℕ with (s, s) ∈ S n using Lemma 36. Now to prove ′ ⊨ S we assume M ⊨ ′ and need to show M ⊨ S . Instantiating the leading existential quantifiers of S with n , f n S , S n , and s leaves the following facts to verify: • M ⊨ n ∈ , immediate by (i) of Lemma 35.
• Functionality of f n S , straightforward by construction of f n S . • M ⊨ f n S ≫ n , immediate by Lemma 37. • M ⊨ (n, S n ) ∈ f n S , again by construction of f n S . • M ⊨ (s, s) ∈ S n , by the assumption (s, s) ∈ S n . ◻ For the converse direction, we again need to restrict to models M only containing standard natural numbers, i.e. satisfying that any k ∈ is the numeral k = n for some n ∶ ℕ . Then the internally recognised solutions correspond to actual external solutions of .  In a previous paper [23] based on Aczel's sets-as-trees interpretation [1,3,48], we analyse assumptions necessary to obtain models of higher-order set theories in Coq's type theory. The two relevant axioms concerning the type T of well-founded trees can be formulated as the extensionality of classes, i.e. unary predicates, on trees ( ), and the existence of a description operator for isomorphism classes [t] ≈ of trees ( ):

Lemma 39 If in a standard model M there is a functional approximation
Then Theorem 42 can be reformulated as follows.
Proof By Fact 5.4 and Theorem 5.9 of [23] and ∧ yield models of higher-order Z and ZF set theory, respectively. It is easy to show that they are standard models and satisfy the first-order axiomatisations and . ◻ Note that assuming to obtain a model of higher-order Z is unnecessary if we allow the interpretation of equality by any equivalence relation congruent for membership, backed by the fully constructive model given in Theorem 4.6 of [23]. This variant is included in the Coq devel opment but we focus on the simpler case of extensional models in this text.
By these reductions, we can conclude the incompleteness of .

Theor em 44 Assuming
, completeness of any extension A ⊇ ′ satisfied by a standard model would imply the decidability of the halting problem.
Proof By Corollary 43, Strategy 10, Fact 9, and the reductions verified in [10]. ◻ In principle, it should be possible to derive a constructive version of Theorem 44 using the same technique as in Theorem 34. However, the reduction formula S we use for the undecidability of set theory is much more complex than the one for Peano arithmetic and not immediately in the necessary syntactic fragment applicable to the Friedman translation. We therefore leave a constructivisation of Theorem 44 as future work.

ZF Set Theory without Skolem Functions
We now work in the signature Σ ∶= (_ ≡ _, _ ∈ _) only containing equality and membership. To express set theory in this syntax, we refor mulat e the axioms specifying the Skolem symbols used in the previous signature Σ to just assert the existence of respective sets, for instance: In this way we obtain axiomatisations ̃ ′ , ̃ , and ̃ as the respective counterparts of ′ , , and . In this section, we show that these symbol-free axiomatisations admit the same reduction from . Instead of reformulating the reduction given in the previous section to the smaller signature, which would require us to replace the natural encoding of numbers and strings as terms by a more obscure construction, we define a general translation ̃∶ Σ of formulas ∶ Σ . We then show that � ′ ⊨̃ implies ′ ⊨ (Fact 48) and that ′ ⊢ implies ̃ ′ ⊢̃ (Fact 51), which is enough to deduce the undecidability of ̃ ′ , ̃ , and ̃ (Theorem 52).
The informal idea of the translation function is to replace terms t ∶ Σ by formulas t ∶ Σ characterising the index 0 to behave like t, for instance: The formula expressing P(t) first asserts that there is a set satisfying t (where the substitution ↑ n shifts all indices by n) and then characterises 0 (appearing as 2 given the two quantifiers) as its power set. Similarly, formulas are translated by descending recursively to the atoms, which are replaced by formulas asserting the existence of characterised sets being in the expected relation, for instance: We now verify that the translation ̃ satisfies the two desired facts, starting with the easier semantic implication. To this end, we denote by M the Σ -model obtained from a Σ-model M by forgetting the interpretation of the function symbols not present in Σ . Then for a model M ⊨ ′ , satisfiability is preserved for translated formulas, given that the term characterisations are uniquely satisfied over the axioms of ′ : Proof By induction on t with x generalised. We consider the cases n and ∅: • We need to show x =̂ n iff (x; ) ⊨M 0 ≡ n+1 which is immediate by definition.
• First assuming x = � , we need to show that ∀y. y ∉ x , which is immediate since M satisfies the empty set axiom. Conversely assuming ∀y. y ∉ x yields x = � by using the extensionality axiom also satisfied by M . ◻ Proof By induction on with generalised, all cases but atoms are directly inductive. Considering the case t ∈ t � , we first need to show that if ̂t ∈̂t � , then there are x and x ′ with x ∈ x � satisfying t and t ′ , respectively. By Lemma 45 the choice x ∶=̂t and x � ∶=̂t � is enough. Now conversely, if there are such x and x ′ , by Lemma 45 we know that x =̂t and x � =̂t � and thus conclude ̂t ∈̂t � . The case of t ≡ t ′ is analogous. ◻ Then the semantic implication follows since pruned models M satisfy ̃ ′ : We now turn to the more involved deductive verification of the translation, beginning with the fact that ̃ ′ proves the unique existence of sets satisfying the term characterisations of terms t ∶ in the set-theoretic signature: Proof Both claims are by induction on t, the latter with x and x ′ generalised. The former is immediate for variables and ∅ , so here we just discuss the case of P(t) . By induction we know � � ⊢ ∃ t yielding a set x simulating t and need to show After instantiating the first quantifier with the set u guaranteed by the existential power set axiom for the set x and the second quantifier with x itself, it remains to show t [x] and ∀ 0 ∈ u ↔ 0 ⊆ x which are both straightforward by the choice of x and u.
The second claim follows from extensionality given that the characterisation t specifies its satisfying sets exactly by their elements. So in fact the axioms concerning the set operations are not even used in the proof of uniqueness. ◻

During translation, term can be simulated by variables:
Lemma 50 For all ∶ and t ∶ we have Proof By induction on , all cases but the atoms are straightforward, relying on the fact that the syntax translation interacts well with variable renamings in the quantifier cases.
The proof for atoms relies on a similar lemma for terms stating that s [y;x] and s [t] [y] are interchangeable whenever t [x] , the rest is routine. ◻ This is the main ingredient to verify the desired proof transformation: Proof We prove the more general claim that Γ++ � ⊢ implies � Γ++̃ � ⊢̃ by induction on the first derivation. All rules but the assumption rule (a), ∀-elimination (ae), and ∃-elimination (ee) are straightforward, we explain the former two.
• If ∈ Γ++ � , then either ∈ Γ or ∈ � . In the former case we have ̃∈Γ , so Γ ++ � � ⊢̃ by (a). Regarding the latter case, we can verify � ′ ⊢̃ for all ∈ � by rather tedious derivations given the sheer size of some axiom translations. Proof As Strategy 10, using Facts 48 and 51 and the reduction from Sect. 6. ◻ Note that Fact 51 almost yields deductive conservativity, i.e. the fact that if ′ proves a symbol-free formula over Σ then so does ̃ ′ . The missing lemma is that from ̃ ′ such a formula is provably equivalent to its translation ̃ (after tacitly embedding into the full signature Σ): Lemma 53 � ′ ⊢ ↔̃ for all over Σ .
Proof By induction on , all composite cases are trivial. For the atom x ∈ y , we have to show its equivalence to ∃x � . x ≡ x � ∧ ∃y � . y ≡ y � ∧ x ∈ y , similarly for x ≡ y . If we instead suppose ⊢ , we have in particular � ++Γ ⊢ , where Γ contains finitely many instances of the separation scheme. Then by the generalised goal used in the proof of Fact 51 also � � ++Γ ⊢̃ and therefore � � ++Γ ⊢ again using Lemma 53. We hence conclude � ⊢ since every translated instance of separation for a formula can be proved from the respective instance for ̃ available in ̃ .
The case for is analogous by further decomposing into the finitely many used instances of the replacement scheme. ◻ For the sake of completeness, we also establish the converse directions. To this end, we first verify a deductive counterpart of Lemma 47: Lemma 55 ′ ⊢ � ′ , i.e. ′ proves every axiom from ̃ ′ (embedded into Σ).
Proof By instantiating every existentially formulated axiom from ̃ ′ with the respective symbol available in ′ . ◻
Proof If � ′ ⊢ , we obtain the same deduction if we consider both ̃ ′ and embedded into the full signature. Then by Lemma 55 we can conclude that ′ ⊢ .
The respective results for ̃ and ̃ follow by similar decompositions regarding the axiom schemes as used in the proof of Fact 54. ◻ Note that in the absence of unique choice there is no direct proof for semantic conservativity, i.e. the fact that if ′ validates a symbol-free formula over Σ then so does ̃ ′ , since this would involve constructing a Σ-model from a Σ -model only existentially exhibiting the set operations.
We conclude this section with a brief observation concerning the further reduced signature Σ ∶= ( _ ∈ _) , full detail can be found in the Coq development. Since equality is expressible by x ≡ y ∶= ∀z. x ∈ z ↔ y ∈ z , we can rephrase the above translation to yield formulas ̌∶ Σ satisfying the same properties as stated in Facts 48 and 51 for a corresponding axiomatisation ̌ ′ . Moreover, since ̌ ′ does not refer to primitive equality, we can freely interpret it with the fully constructive model given in Theorem 4.6 of [23] and therefore obtain ⪯̌ � without assumptions. This allows us to deduce the undecidability of the Entscheidungsproblem in its sharpest possible form:

Theor em 57 FOL with a single binary relation symbol is undecidable.
Proof By Fact 11 and the reduction ⪯̌ � . ◻

Finitary Set Theories
In this section, we consider various finitary set theories, i.e. axiomatisations of set theory that do not guarantee infinite sets or do even refute their existence. Given our setting, the undecidability and incompleteness of such systems can be established either by indirectly reducing from set theories such as ′ or by modifying the direct reduction function ⪯ � . We discuss both of these strategies where applicable. A first way to axiomatise finite set theory is to work in the full signature used in Sect. 6 and simply leave the set unspecified. Then on top, one can add an axiom ruling out any inductive sets like , i.e. sets containing ∅ and being closed under successors x ∪ {x}.
• ′ denotes ′ without the axioms specifying as the least inductive set. • � + ¬ denotes ′ plus the axiom that no set is inductive.
That ′ as a mere subset of ′ is undecidable follows immediately by Fact 12: Fact 58 � ⪯ � and therefore, provided , also Proof By (2) of Fact 12 and Corollary 43. ◻ However, this direct result is unsatisfactory by the reliance on the extensional standard model T of ′ requiring and containing infinite sets. So in order to show � + ¬ undecidable and dispense with , we have to rework the reduction ⪯ � from Sect. 6 to avoid mention of such that the constructive model of hereditarily finite sets [39] can be employed.
In this model, the numerals are exactly the hereditarily transitive sets (i.e. sets x that are transitive, meaning y ⊆ x for all y ∈ x , and every element of x is transitive, written (x) ), allowing us to modify the reduction formula S given a -instance as follows: Note that the bound k ∈ was only used to express that k is a natural number such that (at least in standard models) the approximation f ≫ k corresponds to a faithful accumulation of -solutions. This bound can be replaced by any defining property of numerals in the intended model and in the present case, (x) is particularly easy to express.
By according modification of the proofs for S we can verify the new reduction S with respect to all standard models, i.e. models where every hereditarily transitive set is a numeral:

Lemma 59
The following facts about S hold: Proof Analogous to Facts 38, 40 and 41, using the fact that (n) for all n ∶ ℕ . ◻ Following the construction from [39], adopted more recently for, [22], a model T 2 of ′ can be obtained by taking the inductive type of binary trees quotiented by tree equivalence and implementing the set operations by suitable tree manipulations. In particular, this model is standard in the above sense and does not contain inductive sets: Lemma 60 T 2 is a standard model of � + ¬ .
Proof To establish that T 2 is standard, we show that for every x ∶ T 2 we can compute a number n x ∶ ℕ such that x = n x . By induction on the well-foundedness of x we may assume that every element y ∈ x is a numeral n y . Since x is finite, we can compute a bound n such that n y < n for all y ∈ x . Then we can obtain that x is a numeral (and in fact compute n x ) since x is a transitive subset of the numeral n by induction on n.
Regarding the second claim, suppose x were inductive. By finiteness of x we obtain the cardinality N of distinct elements in x. But since x is inductive, it must contain the set of the first N + 1 numerals that are distinct by construction, yielding a contradiction. ◻ So we can conclude the undecidability of ′ and � + ¬ as usual: Theor em 61 ⪯ � and ⪯ � + ¬ .
Proof By applying Strategy 10 to Lemmas 59 and 60. ◻ An alternative, more incisive formulation of finitary set theory just axiomatises the empty set in addition to the adjunction operation {x} ∪ y (usually definable from union and pairing) [20], i.e. we work in the signature where the term x.y is enforced to behave like {x} ∪ y by the axiom Moreover, to rule out infinite sets, one can require an induction scheme on top: • denotes the axioms characterising ∅ and x.y as well as extensionality. • + denotes plus all intances of the induction scheme.
We again begin with the indirect argument to establish undecidability of the core axiomatisation still compatible with ′ . First note that, while the usual ZF-operations can define adjunction, the converse does not hold since the ZF-operations are strictly stronger on infinite models. We can therefore not directly translate formulas in the ZF-signature to the new signature Σ . Instead, the translation has to go through the function-free signature Σ ∶= (_ ≡ _, _ ∈ _) used in Sect. 7, reusing the verified translation ̃.

Fact 62
⪯ Proof We use the reduction formula S ∶= ⋀ � � →̃S tacitly embedding the translated formulas from ̃ ′ and ̃S in Σ into the signature Σ . Then the sufficient facts are that S implies ⊢ S and that ⊨ S implies S. Regarding the former, from S we obtain � ′ ⊢̃S from Facts 51 and 41. So in particular ⊢ ⋀ � ′ →̃S and by weakening (and correctness of the tacit embedding) ⊢ S . Regarding the latter, suppose ⊨ S . The (intensional) standard model T from Facts 38 interprets the full ZF-signature, so in particular Σ and the axioms of . We therefore obtain that T ⊨ S . Then by Lemmas 46 and 47 we can deduce that T (now equipped with the full ZF-structure again) satisfies S and conclude S with Fact 40. ◻ As with Fact 58 before, this indirect method does not extend to the axiomatisation + , which is not satisfied by the standard model T . We therefore sketch the direct reduction from obtained by further modifying the formula S , full detail is given in the Coq forma lisat ion.
First, the encodings of numbers and strings is mostly unaffected since the adjunction operation is exactly the natural successor function and can define unordered pairs {x, y} by x.y.∅ , from which we obtained the ordered pairs used for strings. Secondly, the only other usage of a ZF-function in S is the (binary) union used to implement the operation S ⊠ B recursively, which can be replaced by any set enforced to behave accordingly. Thus we obtain a formula S in the signature Σ that we can verify to capture as usual:

Lemma 63
The following facts about S hold: 3. If S then ⊢ S .
Proof Analogous to Lemma 59 with the expectable differences regarding the altered data encodings and the elimination of binary unions. ◻ Lemma 64 T 2 is a standard model of + .
Proof That T 2 is standard was already part of Lemma 60 and that it models was shown in [40]. They also established the higher-order induction principle which is easily seen to entail the first-order induction scheme. ◻
Proof By applying Strategy 10 to Lemmas 63 and 64. ◻ We conclude with a formulation of in the binary signature Σ ∶= ( _ ∈ _) introduced in Sect. 7. As done with ′ to obtain ̌ ′ , we can replace the two axioms from specifying ∅ and x.y by existentially quantified versions, express equality via membership, and hence obtain the axiomatisation ̌ over Σ . This is a particularly compact system showing a single binary relation symbol undecidable, by virtue of the following reduction:
Proof To obtain ̌ � ⪯̌ we use (1) of Fact 12, so we have to show ̌ ′ ⊢̌ . The only axiom of ̌ not already present in ̌ ′ is the existential specification of adjunction, which can be established by the existential specification of union and pairing available in ̌ ′ . The full reduction ⪯̌ is obtained by composition with the reduction ⪯̌ � underlying Theorem 57. ◻

Abstract Undecidability and Incompleteness
We conclude the technical part of this paper by isolating the synthetic arguments underlying Fact 9 and Strategy 10, abstracting from the concrete formalism of FOL. This abstraction is in the spirit of Popescu and Traytel's [31] analysis of the abstract preconditions for Gödel's two incompleteness theorems. Given our computational approach, much less internal structure like substitution or numerals needs to be assumed, at the cost of essential incompleteness and Gödel's second incompleteness theorem remaining out of reach. Overwriting all notation from before, our base setup is to assume an arbitrary discrete type representing formulas as well as an enumerable predicate ∶ . ⊢ considered the provable formulas. We do not have to commit to only containing a specific sort of formulas (e.g. the closed formulas) or to ⊢ being defined over a particular context (e.g. an axiomatisation of arithmetic) or coming in a specific flavour (e.g. intuitionistic or classical).
If we add a reasonably well-behaved negation operation, we obtain an abstract version of the fact that negation-completeness implies decidability: Fact 67 We assume a negation operation ¬ ∶ → as follows: • Discriminability: given it is decidable if is a negation ¬ for some . • Injectivity: we have = whenever ¬ = ¬ . • Consistency: there is no with both ⊢ and ⊢ ¬ .
Then if ⊢ is complete (i.e. either ⊢ or ⊢ ¬ for all ), then it is decidable. Proof As in the proof of Fact 9 we use Post's theorem, leaving us to show logical decidability and co-enumerability of provability (given enumerability by assumption): • Given , to (logically) decide whether ⊢ or ⊬ is the case, we analyse completeness for . In the non-trivial case where ⊢ ¬ we obtain ⊬ by consistency. • For co-enumerability, by completeness and consistency it suffices to enumerate . ⊢ ¬ instead of . ⊬ . This is obtained by the enumerator of ⊢ , using discriminability to check for each if it is a negation, and injectivity for the correctness proof. ◻ If instead of a negation operation we add an abstract notion of (standard) models, we obtain an abstract undecidability result analogous to Strategy 10:

Fact 68
We assume a type of models together with the following data: If we further assume P ∶ X → ℙ and F ∶ X → satisfying • Whenever P x holds, we have a derivation ⊢ F x , and • Whenever M ⊨ F x in a standard model S M , we obtain P x, then the function F induces reductions P ⪯ ( . ⊢ ) and P ⪯ ( . ⊨ ). Proof The assumed standard model justifies that P x whenever ⊨ F x . We hence obtain the two reductions, with soundness used for the missing directions. ◻ Note that if we extend the setting of Fact 68 with the negation operation from Fact 67, we arrive at the conclusion that completeness of ⊢ would entail the decidability of P.
It is easy to instantiate Fact 68 to obtain Strategy 10 concerning first-order axiomatisations B . We simply let be the first-order formulas, ⊢ the formulas (intuitionistically) provable from B , and be the type of first-order models M with environments such that ⊨ B . Then the remaining assumptions of Strategy 10 imply the assumptions of Fact 68. Slightly more involved (at least on mechanisation level) is the insta ntiat ion of Fact 68 to Fact 9, since this time we pick as the type of closed first-order formulas, to which we have to adopt the negation operation and the (classical) deduction system as well as the discreteness and enumerability proofs for arbitrary formulas.
Although these comments only show the applicability of our abstract analysis to the case of first-order logic as examined in this paper, we remark that Facts 67 and 68 could as well be instantiated to extended formalisms such as second-or higher-order logic, or systems based on completely different primitives such as dependent type theories.

General Remarks
In this paper, we have described a synthetic approach to the formalisation and mechanisation of undecidability and incompleteness results in first-order logic. The general approach was then instantiated to case-studies concerned with arithmetical theories in the family of as the typical systems considered in the investigation of incompleteness, and with various formulations of set theory as one of the standard foundations of mathematics. The chosen strategy complements the considerably harder to mechanise proofs relying on Gödel sentences, and for the choice of as seed problem instead of 10 or itself is a slight simplification since only a single recursion needs to be simulated. We use this section for some additional remarks based on the helpful feedback by the anonymous reviewers.
As formally stated in Definition 8, we only consider incompleteness as a property of the classical deduction system. This is simply owing to the fact that much of the literature on incompleteness seems focused on classical logic, with a notable exception of the more agnostic treatment in [32]. Although perhaps weaker in general, incompleteness of the intuitionistic deduction system can also be considered a meaningful property and follows in an analogous way. Concretely, a corresponding version of Fact 9 holds for the intuitionistic notion, yielding variants of Theorems 27 and 44 provable without . Employing the negative translation, incompleteness of classical systems could then be considered from the perspective of intuitionistic systems.
In alignment with [11] but in contrast to [15], we define semantic entailment T ⊨ without restricting to classical models, i.e. models that satisfy all first-order instances of . In our constructive meta-theory this relaxation is necessary to be able to use the standard models of and , which would only be classical in a classical meta-theory. Leaving T ⊨ in this sense constructively underspecified seems like a reasonable trade for a more economical usage of . Similarly, we leave it underspecified whether and are seen as classical theories or their intuitionistic counterparts, namely Heyting arithmetic and a variant of intuitionistic set theory, respectively. By the choice not to distinguish these explicitly by as a first-order axiom scheme, we leave it to the deduction system to discriminate between both views while the Tarski-style semantics leans towards the classical interpretation (especially in the presence of ). For simplicity, we decided to only speak of and in the main body of the text, especially since a discussion of intuitionistic set theories would involve choosing a particular system. While is an extension of ′ close to with collection instead of replacement, the more predicative does not have power sets as included in ′ .

Coq Mechanisation
Our axiom-free mecha nisat ion contributes about 10k lines of code (loc) to the Coq Library of Undecidability Proofs [13], on top of about 1500loc that could be reused from previous developments [15,23]. Remarkably, the axiomatisation, undecidability, and incompleteness of add up to only 800loc, while already the initial reduction from to in the skolemised signature is above 1800loc. The remaining development is mostly concerned with the signature reduction for (2500loc) and the material on finitary set theories (3000loc). Both contain files with very similar proofs, especially the reduction files for ′ and ′ are nearly identical and therefore it should be possible to reduce the development size by reorganisation (at the cost of a less transparent presentation). The abstract development outlined in Sect. 9 is below 300loc, including the instantiation to FOL.
Our mechanisation of first-order logic unifies ideas from previous versions [11,15,22] and is general enough to be reused in other use cases. Notably, we refrained from including equality as a syntactic primitive to treat both intensional and extensional interpretations without changing the underlying signature. On the other hand, with primitive equality, the extensionality of models would hold definitionally and the deduction system could be extended with the Leibniz rule, making the additional axiomatisation of equality obsolete.
Furthermore, manipulating deductive goals of the form Γ ⊢ benefitted a lot from custom tactics, mostly to handle substitution and the quantifier rules. The former tactics approximate the automation provided by the Autosubst 2 framework unfortunately relying on functional extensionality [42] and the latter are based on the named reformulations of (ai) and (ee) given in Sect. 2.3. We are currently working on a more scalable proof mode for deductive goals including a HOAS input language hiding de Bruijn encodings [19], implementing a two-level approach in comparison to the one-level compromise proposed by Laurent [26].

Related Work
We report on other mechanisations concerned with incompleteness and undecidability results in first-order logic. Regarding the former, a fully mechanised proof of Gödel's first incompleteness theorem was first given by Shankar [37] using the Nqthm prover. O'Connor [29] implements the same result fully constructively in Coq, and Paulson [30] provides an Isabelle/HOL mechanisation of both incompleteness theorems using the theory of hereditarily finite sets instead of a fragment of . Moreover, there are several partial mechanisations [6,34,38], and Popescu and Traytel [31] investigate the abstract preconditions of the incompleteness theorems using Isabelle/HOL. With the independence of the continuum hypothesis, Han and van Doorn [17] mechanise a specific instance of incompleteness for in Lean. None of these mechanisations approach incompleteness via undecidability.
Turning to undecidability results, Forster, Kirst, and Smolka [11] mechanise the undecidability of the Entscheidungsproblem in Coq, using a convenient signature to encode , and Kirst and Larchey-Wendling [22] give a Coq mechanisation of Trakhtenbrot's theorem [46], stating the undecidability of finite satisfiability. They also begin with a custom signature for the encoding of but provide the transformations necessary to obtain the undecidability result for the small signature containing a single binary relation symbol. We are not aware of any previous mechanisations of the undecidability of or .

Future Work
There are two ways how our incompleteness results (Theorems 27 and 44) could be strengthened. First, while we were able to eliminate the use of in the case of (Sect. 5), it is unclear whether the same technique applies to the concrete reduction formulas used for and the related systems. It might be necessary to reformulate (and streamline) the reduction to make the argument feasible for mechanisation. Secondly, that supposed negation-completeness only implies synthetic decidability of a halting problem instead of a provable contradiction could be sharpened by extracting all reduction functions to a concrete model of computation like the weak call-by-value -calculus [12]. Then the actual contradiction of an -decider for -halting could be derived.
We plan to continue the work on with a constructive analysis of Tennenbaum's theorem [45], stating that no computable non-standard model of exists. Translated to the synthetic setting where all functions are computable by construction, this would mean that no non-standard model of can be defined in Coq's type theory as long as function symbols are interpreted with type-theoretic functions. It would be interesting to investigate which assumptions of synthetic computability [4] are necessary to derive this observation as an actual theorem inside of Coq.
Complementing Theorem 57 and Fact 66, it would be interesting to find a more elementary characterisation of an undecidable binary relation usable for the sharp formulations of the Entscheidungsproblem and Trakhtenbrot's theorem. This might well work without an intermediate axiomatisation of set theory and express an undecidable decision problem more directly.
Regarding the signature translations and conservativity results for discussed in Sect. 7, it should be possible to mechanise similar results for arbitrary axiom systems with definable extensions. Results like these would pave the way for an abstract mechanisation of undecidable theories as outlined by Tarski [43].
Finally, we plan to mechanise similar undecidability and incompleteness results for second-order logic. Since second-order is categorical, in particular the incompleteness of any sound and enumerable deduction system for second-order logic would then follow easily.

A Deduction Systems
Intuitionistic natural deduction Γ ⊢ i is defined by the following rules: The classical variant Γ ⊢ c adds the Peirce rule (( → ) → ) → .

B Axioms of Set Theory
We list the axioms over Σ ∶= (�, {_, _}, ⋃ _, P(_), ; _ ≡ _, _ ∈ _): The core axiomatisation ′ contains extensionality and the set operation axioms, adds the separation scheme, and also adds the replacement scheme. The equality axioms are added when working with the deduction system or in an intensional model.