Mac Lane’s Comparison Theorem for the Kleisli Construction Formalized in Coq

(co)Monads are used to encapsulate impure operations of a computation. A (co)monad is determined by an adjunction and further determines a specific type of adjunction called the (co)Kleisli adjunction. Mac Lane introduced the comparison theorem which allows comparing these adjunctions bridged by a (co)monad through a unique comparison functor. In this paper we specify the foundations of category theory in Coq and show that the chosen representations are useful by certifying Mac Lane’s comparison theorem and its basic consequences. We also show that the foundations we use are equivalent to the foundations by Timany. The formalization makes use of Coq classes to implement categorical objects and the axiom uniqueness of identity proofs to close the gap between the contextual equality of objects in a categorical setting and the judgmental Leibniz equality of Coq. The theorem is used by Duval and Jacobs in their categorical settings to interpret the state effect in impure programming languages.

The triangle form by Jacobs computational effects, some ways to formalize them, highlight the role of the comparison functor in some of these formalizations. We end the section with an intuition of the comparison theorem implementation in Coq.
A function in mathematics always returns the same result on the same input. The result depends only on the input arguments. However, in programming, a program might do other things besides computing a result. It might be handling an exceptional case, caught by a non-terminating loop or stuck in an interaction with the outside world. Such phenomena are known as computational side effects of programs. Following Moggi's seminal approach [16], one can interpret computational side effects in the Kleisli category of a monad or dually in a coKleisli category of a comonad. For instance, in Moggi's computational metalanguage, an effectful operation in an impure language with arguments in X that returns a value in Y is interpreted as an arrow from X to T Y in the Kleisli category of a monad T . Here X denotes the object of values of type X and T Y is the object of computations that return values of type Y . The monad-comonad duality in modeling effects may be understood in general terms as a symmetric correspondence between construction and observation among different sort of computational effects, for instance between raising an exception and looking up a state [7].
Plotkin and Pretnar [18] presented handlers for algebraic effects by extending Moggi's classification of terms (values and computations) with a third level called handlers. This approach has then been implemented in the programming language Eff [1] to handle effects.
Jacobs [12] introduced the state-and-effect triangles, depicted in Fig. 1, which capture the semantics of the program state and their corresponding logics in a unified way within a triangle form.
In this setting, K L(T ) denotes the Kleisli category of the monad T = G F while E M(T ) is the Eilenberg-Moore category of the algebras of T . The comparison theorem for the Kleisli construction (see Theorem 2.7) gives a unique comparison functor L : K L(T ) → A such that the left half of the diagram commutes. The functor L maps computations to their predicate transformers. This could be understood as interpreting programs via their actions on some predicates that specify what holds at which point of the computation. One sort of such program semantics is the weakest precondition calculus introduced by Hoare [10]. The comparison theorem for the Eilenberg-Moore construction, that is outside the scope of this paper, also gives a unique comparison functor K : A → E M(T ) making the right half of the diagram above commutative. The functor K • L : K l(T ) → E M(T ) maps each computation to the algebra that explain the state change during that computation.
Duval et al. [5] proposed another paradigm to formalize effects by mixing effect systems [13] and algebraic theories, named the decorated logic. In a decorated logic, a term can be classified in three different sorts with respect to its interaction with a given effect. It can be pure, an accessor or a modifier. For instance, a state accessor may read from the program state but never modifies it while a modifier has the right to manipulate the state. The pure and accessor terms may be understood as Moggi's values and computations, and the modifiers can be seen as Plotkin and Pretnar's handlers. In Duval's approach, pure terms with respect to a computational effect are interpreted in a base category C with (co)monad on it. Accessor and modifier terms are then respectively interpreted in the Kleisli category of the monad and the base category C (the codomain of the monad endofunctor) or dually in the coKleisli category of the comonad and the base category C .
For instance, a pure term f (0) : X → Y in the logic which models the global state effect (decorated logic for the state [6]) is interpreted as a map f : X → Y in the base category C . An accessor term f (1) : X → Y as an arrow f : X → Y in C D which implicitly corresponds to a map f : X × S → Y in the base category C . Similarly, a modifier term f (2) : X → Y is interpreted as a map f : X × S → Y × S in C . Notice that terms are annotated with "decorations" (super-scripted) that describe what computational (side) effect evaluation of a term may involve, and Interpreting the decorated logic for the state the use of decorations keeps term signatures clear of the state structure S. This allows the logic to abstract from the state and work with different implementations of the state structure. The decorations come with conversion rules that basically say that a pure term can be seen as an accessor or a modifier, and similarly an accessor term can be seen as a modifier term on demand. The former conversions are interpreted by the functor G D and D respectively while the latter by F D, T . Obviously, for these conversions to be sound, the interpreting functors must be faithful so that one can keep track of terms that are converted from the "lower" annotation/decoration levels. Looking closer into the categorical settings of an interpretation of such logic, depicted in Fig. 2, we can say that the monad T is handled by the coKleisli adjunction F D G D : C → C D and further determines a Kleisli adjunction and L is faithful 1 . Now, the soundness of the all decoration conversions depends on the faithfulness of the functors G D and F D, T . Also, the conversion from the decoration (0) to (2) can now safely be factorized into first converting from (0) to (1) and then from (1) to (2).
To sum up briefly, the comparison theorem is crucial in the domain of computational effects as it is used by Duval and Jacobs to model the state effect.

Contribution
We refine the paper proof of Mac Lane's comparison theorem for the Kleisli construction. We then formalize the basics of category theory in Coq up to a proof of the mentioned theorem. We show a number of basic consequences that follow from the theorem as well as an equivalence between our foundation of category theory and other Coq developments. The sources of the formalization are explained in Sects. 3.2 and 3.3, and can be downloaded from the link below: https://github.com/ekiciburak/ComparisonTheorem-MacLane/tree/completeProof For the organization of the files, please refer to "Appendix A".

Organization of the Paper
In Sect. 2 we give a paper proof to the comparison theorem, since it has not been given in the book [14]. Then we explain a certification of this proof in a Coq implementation. We start by comparing the existing approaches to formalize category theory and our design choices in Sect. 3.1. Then, in Sect. 3.2 we summarize a formalization in Coq of categorical objects that appear in the theorem statement. Our formalization benefits from the use of Coq type classes and is in this respect similar to the approaches by Gross et al. [9], Timany et al. [20,21] John Wiegley [23]. The use of type classes is a very suitable way of defining categorical objects. This way we combine, in a type class, the characterization of the object that is being defined, usually as expressions in the Type universe, and the coherence conditions that the provided characterization needs to respect as the Prop universe instances. We give, in Sect. 3.3, a Coq proof of the comparison theorem in which we assume the uniqueness of identity proofs (UIP) and proof irrelevance. We make use of the former to close the gap between Coq's judgmental (Leibniz) equality and the contextual equality in categorical settings: we fail in some cases showing that two categorical objects are judgmentally equal since they are equal only contextually. We use the latter in showing that two instances of the same class are equal in satisfying the coherence conditions that live in Coq's Prop. Also, we benefit from the functional extensionality axiom in proving, for instance, that two arrows in a category are the same.
A preliminary version of this paper, with an incomplete proof formalization, was presented at Formal Mathematics for Mathematicians workshop [8].

Adjoint Functors and Monads
Adjunctions and monads are objects that can be derived from one another. Every adjunction gives raise to a monad but only some specific type of adjunctions come out of monads. In this section, we show how to turn adjunctions into monads and how to handle Kleisli adjunctions from monads. We then give a proof of Mac Lane's comparison theorem.
Informally speaking, an adjunction is a possible similarity measure between functors. It is a concept such as equality, equivalence and isomorphism, considered as the weakest notion among them. It can be understood as a further weakening of an isomorphism. If we look for isomorphisms in between two functors, say F and G, we first require them to be defined from the same source category to the same target category. Only then, we search for two natural transformations between F and G defined in opposite directions such that their composition gives the identity natural transformation over the functor F or G depending on the order of composition.
An adjunction is weaker. It can relate two functors defined between the same categories but in the opposite directions, i.e., F : C → D and G : D → C . Obviously, we cannot look for an equality, equivalence nor isomorphism between F and G since they do not live in the same type, from a type-theoretic point of view; meaning they cannot be directly compared. Indeed, this is the point where the notion of adjointness comes into the play by providing a possible way to compare them via their compositions. Therefore, for the functors F : C → D and G : D → C to qualify as adjoints, there need to be two natural transformations η : Id C ⇒ G F and ε : FG ⇒ Id D satisfying the coherence conditions stated in Eqs. (2.1) and (2.2). The former can be depicted and explained as follows: If F and G are adjoint functors, then this condition intuitively tells us that the following case holds for each map f : X → Y in the category C : we have maps I d f : X → Y and G F f : G F X → G FY also in C . Using the natural transformation η, we can deform the map I d f into G F f . We then transport this deformation through the functor F from the category C into the category D. There, using the natural transformation ε, we can do an inverse deformation (or better a formation) and form the map f back in the form of F f since we are in D. Note that we independently have the other very similar condition at Eq. (2.2) satisfied.

Example 1
In the Calculus of Inductive Constructions (CIC), the conjunction and implication over propositions are adjoint operations. To show this, we first take the Prop universe as the category of propositional formulas and entailments, and name it CatP. It is then possible to form two endo-functors F, G : ∀p ∈ obj (Cat P), Cat P → Cat P as We now define two natural transformations ∀η : ∀p ∈ obj (Cat P), where conj x y is a proof of x ∧ y.
It is straightforward to check that the functors F and G form an adjunction through η and ε by simply showing that Eqs. (2.1) and (2.2) are satisfied. It is interesting to notice that ε is modus-ponens.
There are other equivalent ways to formulate the notion of adjunction. For instance, the following Proposition 2.2 makes use of an isomorphism of hom-functors and may better highlight the connection between an isomorphism and an adjunction. Also, an adjunction can be seen as a generalization of the "equivalence" between categories.

Proposition 2.2 An adjunction F G : D → C determines a bijection of natural transformations defined between hom-functors
for each X ∈ C and A ∈ D as follows:

Definition 2.3
A monad T = (T, η, μ) in a category C consists of an endo-functor T : C → C equipped with two natural transformations such that the following diagrams commute: The natural transformations μ and η can be respectively seen as the binary multiplication and the identity operations of the monad. Then, the coherence condition given by the above diagram on the left (aka the associativity square) ensures that the multiplication is an associative operation. While the one on the right (aka the unit triangles) assures the neutrality of the identity with respect to the multiplication.
Example 2 A monad is in fact a monoid in the category of endo-functors with its identity being unit η : I d C → T of the monad and its binary operation being the multiplication μ : T 2 → T . The properties of the monoidal identity meet the coherence conditions at unit triangles. The associativity square can be formed by the associativity of the monoid's binary operation.

Proposition 2.5
Each monad (T, η, μ) on a category C determines a Kleisli category C T and an associated adjunction F T G T : C T → C as follows: • The categories C and C T have the same objects and there is a morphism f : • The composition of a pair of morphisms f : X → Y and g : Y → Z in C T is given by the Kleisli composition: (2.10) • The functor G T : C T → C maps each object X in C T to T X in C . On morphisms, Below lemma is used in Theorem 2.7 to prove the uniqueness of the comparison functor.
Proof By assumption, we have Gg Theorem 2.7 (The comparison theorem for the Kleisli construction [14, Ch. VI, §5, Theorem 2]) Let F G : D → C be a adjunction and let (T, η, μ) be the associated monad on C . Then, there is a unique comparison functor Intuitively, one can start with an arbitrary adjunction F G : D → C . This determines a monad T on the base category C and dually a comonad on the category D as stated in Proposition 2.4. Later, the monad T creates a Kleisli category C T together with a Kleisli adjunction F T G T : C T → C as in Proposition 2.5. The theorem states that one can compare these arbitrary and structured adjunctions using a functor L : C T → D (aka comparison functor) which is unique and making the above diagram commutative in both directions.
Proof Let us first assume that L : C T → D is a functor satisfying G L = G T and L F T = F. So that the below given diagram commutes.
be a bijection associated to the adjunction F T G T provided by be a bijection associated to the adjunction F G. Since units of adjunctions F T G T and F G are the unit η of the monad (T, η, μ) by [14, Ch. IV, §7, Proposition 1], we obtain the commutative diagram below: In other words, given a functor L satisfying G L = G T and L F T = F, then it must be such We first prove that some map L : Ch. IV, §1, We additionally need to show that the functor L : C T → D, as characterized before, satisfying the equations G L = G T and L F T = F is unique. Otherwise put, for each functor R : C T → D satisfying G R = G T and R F T = F, we need to obtain R = L. Let us show in the following items that the functors L and R map objects and morphisms in the same way: • For each object X in C T , we have L X = F X = R F T X by definition of L and the assumption R F T = F. Since F T is the identity on objects (see the fourth item in Proposition 2.5), we get L X = R X.
• η X holds in C , thanks to Lemma 2.6. We first trivially get f = G T f • η X = G T f • η X using the assumed equations G R = G T and G L = G T . Then, we have In general, when there are subsequent dual adjunctions, a coKleisli over a Kleisli or vice versa, out of the same monad or comonad, the comparison functor provided by Theorem 2.7 can be used to annihilate these adjunctions in such a way that one basically returns to the initial point up to the number of annihilations that the endo-functor of the initial monad or comonad composed to itself.
We have formalized all of the categorical content mentioned so far in Coq, and briefly explain the formalization in the following Sect. 3.

Related Work: Category Theory in Proof Assistants
We have developed our own category theory library in Coq for the sole purpose of formalizing and proving the comparison theorem. As already mentioned earlier and detailed in the next Sect. 3.2, in order to formalize categorical objects that take part in the theorem, we make use of Coq type classes. That is similar to what has been done by Timany et al [21] and Wiegley [23] in their Coq libraries, and by Daniel Peebles in his Agda library [17]. We managed to formally verify in Coq that the intersection of our formalization of categorical objects and the one by Timany are equivalent. As Timany does, we benefit from Coq's universe polymorphism in our formalization but never explicitly mention universe levels. We rely on typical ambiguity where Coq automatically resolves universe constraints, i.e., "smallness/largeness" of objects in categorical terms. Since there is no typical ambiguity is allowed in Agda, Peebles' library handles all related universe levels explicitly.
The only difference in object formalizations between our library and the one of Wiegley is that he makes use of setoid equivalences in stating proof obligations while we use Coq's judgmental equality. With the setoid approach, equivalence proofs between objects may become simpler. However, this approach brings an overhead: always needs the proof of the fact that every function send equivalent elements to equivalent elements. Using Coq's judgmental equality, we skip this problem but face another one: categorical objects are usually not judgmentally but contextually equal. To have the judgmental equality as the contextual equality, we make use of the UIP assumption. Peebles also makes use of the setoid approach in his above mentioned Agda library.
Unlike the libraries by Gross et al [9] and Ahrens et al [22], we are not yet benefiting from HoTT proposals: no use of higher order inductive types nor the Univalence Axiom. Again the reason for this is that we managed to implement the comparison theorem without being in the need of such structures. However, the formalization can be clearly adapted to use the Univalence Axiom instead of the UIP axiom if needed.
In addition to the ones we have mentioned above, there are other implementations of category theory in type theory. For instance, in Agda, Capriotti's [3] formalization is based on HoTT. Ishii [11] and Pouillard [19] make use of records. The agda-categories library [4] also benefits from the records, and avoids the UIP axiom when it comes to do equational reasoning.
Categories and functors have also been specified by Byliński in Mizar [2], using set theoretic permissive types and record types. However the formalization is limited by the use of explicit Grothendieck universes and it would be very hard if not impossible to extend it to the comparison theorem.
Chad Brown has specified the foundations of category theory in the Egal proof system where he gives definitions to meta and locally small categories with the use of predicates over Egal types and sets respectively. He also defines small categories over Egal sets. His specification would possibly allow the comparison theorem to be formalized using metacategories but it might be cumbersome due to the heavy use of predicates.

Formalization of Categorical Objects
In a Coq implementation, we represent category theoretical objects such as categories, functors, natural transformations, monads and adjunctions with data structures having single constructors and several fields, namely classes. For instance, the Functor class is implemented as follows: Remark 3.1 The Coq type "arrow C b a" is the type of maps from a to b (not from b to a) in the category C as it makes the composition "relatively" easier.
In order to build a Functor class instance, one needs to instantiate four fields. The first two, called fobj and fmap, describe how the instance in question would map objects and arrows from the category C to D. The last two, namely preserve_id and preserve_comp, are coherence conditions asserting the facts that the characterization provided in the first two fields should preserve the identity and the composition.
One difficulty with such an implementation would arise when proving an equality between two functor instances. To do so, one needs to mainly show that they map objects and arrows in the same way. It is fine to put Coq's Leibniz equality between fobj F and fobj G since Coq can implicitly infer the fact that they are instances of the same type. This is however not the case for fmap F and fmap G. Namely, Coq cannot implicitly infer the fact that they are living in the same type. Meaning, this type coercion needs to be proven explicitly. To overcome the issue, we hide this explicit coercion behind the heterogeneous (or John Major's) equality, by McBride [15], at the lemma statement below: This complicates the equality proofs since one needs to show fmap F and fmap G are instances of the same type each time before proving that they map arrows in the same way. In doing so, we usually prefer converting the goal into the shape where we need to prove an equality over dependent pairs: If such a proof of the fact that "fmap F and fmap G are instances of the same type" is given as p, then it is still necessary to show that p is indeed the eq_refl. Only then we can try proving that fmap F equalizes to fmap G. The proof of p = eq_refl usually requires to make UIP (uniqueness of identity proofs) assumption depending on the structures that F and G are relating. This is in fact a similar sort of complication that would be brought by the use of setoid equivalences (as in [23]) when replaced by the Leibniz equality. Also note that to prove the equalities between coherence conditions, preserve_id and preserve_comp, we assume proof irrelevance.
A natural transformation instance defined form the functor F to G has a component (aka transformation) of type arrow (G a) (F a) in the category D for each object a in C. We name this trans in the implementation. The instance also satisfies the coherence condition which is named comm_diag. This intuitively says that using the compatible components, trans a and trans b, of the natural transformation, one can deform the arrow fmap F f into fmap G f. where unit and counit correspond to natural transformations η and ε and proof obligations ob1 and ob2 implement Eqs. (2.1) and (2.2) respectively. This means that to build an adjunction between given functors, one needs to provide two natural transformations satisfying the proof obligations. We also implement monads as a Coq type class in parallel with the formalism given in Definition 2. In the above script, eta and mu are concerned with the two natural transformations stated in (2.6). The first field comm_diagram1 is the proof obligation requiring the associativity of the monad multiplication mu as in Eq. (2.7). The remaining obligations comm_diagram2, comm_diagram2_b1 and comm_diagram2_b2 are also consulting the neutrality of the monad identity eta with respect to the multiplication as in Eqs. (2.7), (2.8) and (2.9). Basically, to construct a monad instance, one needs to provide an identity and an associative multiplication as natural transformations, satisfying these four obligations. Also, IdFunctor is the identity functor over the base category C in the above script.
We have so far briefly discussed the categorical objects that appear in the formal statement Theorem 2.7 in a Coq implementation. In the next Sect. 3.3, we comment on how to build a proof instance to the statement in Coq, in a similar manner to its paper proof.

A Coq Proof of the Comparison Theorem
In order to state and prove the comparison theorem in Coq, we need to (1) demonstrate that every adjunction gives a monad on the base category that is actually the statement of Proposition 2.4, (2) show that every monad determines a Kleisli category and a Kleisli adjunction in association as in Proposition 2.5, (3) characterize some map L : C T → D as and show that it is indeed a functor, (4) prove that the functor L meets equations L • F T = F and G • L = G T , (5) and finally show that L is unique. Notice that first two steps are used to state the theorem in Coq and the remaining three are indeed the proof steps.

Remark 3.2
The natural transformation ε used above in item three is the counit of the comonad that the coKleisli adjunction determines over C T .

Remark 3.4
The unshelve econstructor tactic breaks up the under-construction (type class) instance so that it could be constructed field by field as opposed to be done in one go.
As explicitly given above, the endo-functor T of the monad that the adjunction A builds on the base category C1 is G • F. Its unit is the unit (eta) of the adjunction while the multiplication is defined in terms of the counit eps, and implemented benefiting the refine tactic: the constructor mk_nt is "refined" to build the corresponding NaturalTransformation instance with the underlying map being G(eps (F )) for each object a in C1. Dually, the endo-functor D of the comonad that the adjunction A builds on the co-domain category C2 is F • G, its counit is the counit (eps) of the adjunction, and the co-multiplication is defined in terms of the unit eta as F(eta (G a)) for each object a in C2.
We implement Proposition 2.5 in three steps starting with the fact that every monad gives raise to a Kleisli category whose objects are the ones of the base category C and morphisms are of the form f : b → a for each f : b → Ta in C.
Once we obtain this category, we can claim that there is a special adjunction, namely the Kleisli adjunction between the base category C and the Kleisli category. We implement the candidate adjoint functors as in Eqs. (2.10) and (2.11). To close the goal above, it suffices to build two natural transformations with signatures Id C ⇒ G T • F T and F T • G T ⇒ Id D , and then show that they satisfy the coherence conditions ob1 and ob2 given as fields (proof obligations) of the Adjunction class. The component of the former natural transformation is simply the unit, eta a for each a in C, of the monad that we have started with. It is the map from fobj G (fobj F a) to a for each object a in the Kleisli category for the latter natural transformation. Notice that this map corresponds to the identity map over the object fobj G (fobj F a) in the category C. We now characterize some map L, which will then be the comparison functor, and show that with such a characterization L qualifies as a functor: We need to prove functor equalities at both sides of the goal conjunction. Since both sides follow similar proofs, it suffices to show the proof of the left component. We start with an application of the lemma F_split which generates two sub-goals:

Definition FT
1. fobj (Compose_Functors FT (L F G A)) = fobj F. This goal is trivial since by definition L behaves as F on objects and F T as the identity. 2. JMeq (fmap (Compose_Functors FT (L F G A))) (fmap F). This one is more involved. We turn the goal into the shape of an equality over dependent pairs after applying a sequence of standard library lemmas (given in the above script) and a cbn reduction: It now remains to implement the fact that the functor L is unique in order to get the whole proof formalized in Coq.
For that, we start with implementing a helper statement as in Lemma 2.6: It is indeed an equality proof between functors L and R which proceeds with an application of F_split. This gives us two sub-goals to discharge: (1) they map objects and (2) morphisms in the same way. The former trivially follows from the definition of L and the assumption FT o R = F. In the proof of the latter, we follow similar steps with the one of commL in such a way that we need to successfully tackle the heterogeneous equality as the second enumeration above. We use the UIP axiom since L and R map arrow in the same way only contextually not judgmentally. We end up with a goal of the following shape: The goal simply gets discharged by providing an existence of such a comparison functor followed the application of the fact that the functor makes the proof diagram commutative in both directions, and finally showing the fact that it is unique.

Conclusion
The categorical setting in which a comonad determining a coKleisli adjunction with a monad over a Kleisli adjunction is used as an interpretation environment to formalize the state effect by Duval. See Fig. 2. The state-effect-triangles, as in Fig. 1, by Jacobs also provide a categorical setting to interpret the state effect. Mac Lane's comparison theorem plays an important role in both approaches. In the former, the provided unique comparison functor annihilates the "dual" adjunctions and serves a better understanding of modifier terms. While in the latter, the comparison functor directly interprets a map that maps programs to some predicates that describe their actions during the computations. For example, it may be seen as the weakest precondition functor which maps programs to their weakest preconditions given any post-condition.
We have formalized in Coq the comparison theorem for the Kleisli construction together with the use case given in Example 3. We also showed that the foundations we use are equivalent to the foundations of Timany. Our formalization currently suffices to analyze Duval's approach but only the one half of the approach by Jacobs. To build on this, we plan to continue with formalizing a proof of comparison theorem for the monad algebras in Coq. This is a variant of the comparison theorem for the Kleisli construction in such a way that the Kleisli category C T of the monad T is replaced with the Eilenberg-Moore category C T of algebras of T . This will then give a complete picture of the state-effect triangles by Jacobs in a Coq formalization. Beck's monadicity theorem [14, Ch. VI, §7, Theorem 1] constitutes a next possible challenging formalization goal.