Copy editing

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: dstebila

examples.md

@@ -192,4 +192,4 @@ The [`examples/joy_old`](https://github.com/ProofFrog/examples/tree/main/joy_old
 
 ## External Uses of ProofFrog
 
-A list of external projects and papers using ProofFrog is maintained on the [external uses page]{% link researchers/external-uses.md %}.
+A list of external projects and papers using ProofFrog is maintained on the [external uses page]({% link researchers/external-uses.md %}).

manual/cli-reference.md

@@ -37,7 +37,7 @@ The ProofFrog command-line interface (`proof_frog`) lets you parse, type-check,
 ### Synopsis
 
 ```
-python -m proof_frog version [OPTIONS]
+proof_frog version [OPTIONS]
 ```
 
 ### Behavior
@@ -48,7 +48,7 @@ Prints the installed ProofFrog version string to standard output and exits. The
 
 ```bash
 # Print the installed version
-python -m proof_frog version
+proof_frog version
 ```
 
 Expected output (version may differ):
@@ -64,7 +64,7 @@ ProofFrog 0.4.0
 ### Synopsis
 
 ```
-python -m proof_frog parse [OPTIONS] FILE
+proof_frog parse [OPTIONS] FILE
 ```
 
 ### Behavior
@@ -81,13 +81,13 @@ Parses any FrogLang source file (`.primitive`, `.scheme`, `.game`, or `.proof`)
 
 ```bash
 # Parse a primitive definition
-python -m proof_frog parse examples/Primitives/PRG.primitive
+proof_frog parse examples/Primitives/PRG.primitive
 
 # Parse a scheme and get JSON output
-python -m proof_frog parse --json examples/joy/Schemes/SymEnc/OTP.scheme
+proof_frog parse --json examples/joy/Schemes/SymEnc/OTP.scheme
 
 # Parse a proof file
-python -m proof_frog parse examples/joy/Proofs/Ch2/OTPSecure.proof
+proof_frog parse examples/joy/Proofs/Ch2/OTPSecure.proof
 ```
 
 ### Common Errors
@@ -101,7 +101,7 @@ python -m proof_frog parse examples/joy/Proofs/Ch2/OTPSecure.proof
 ### Synopsis
 
 ```
-python -m proof_frog check [OPTIONS] FILE
+proof_frog check [OPTIONS] FILE
 ```
 
 ### Behavior
@@ -118,13 +118,13 @@ Type-checks and performs semantic analysis on any FrogLang file. This goes beyon
 
 ```bash
 # Type-check a symmetric encryption scheme
-python -m proof_frog check examples/joy/Schemes/SymEnc/OTP.scheme
+proof_frog check examples/joy/Schemes/SymEnc/OTP.scheme
 
 # Type-check a primitive definition
-python -m proof_frog check examples/Primitives/SymEnc.primitive
+proof_frog check examples/Primitives/SymEnc.primitive
 
 # Check a proof file and emit JSON diagnostics
-python -m proof_frog check --json examples/joy/Proofs/Ch2/OTPSecure.proof
+proof_frog check --json examples/joy/Proofs/Ch2/OTPSecure.proof
 ```
 
 ### Common Errors
@@ -140,7 +140,7 @@ python -m proof_frog check --json examples/joy/Proofs/Ch2/OTPSecure.proof
 ### Synopsis
 
 ```
-python -m proof_frog prove [OPTIONS] FILE
+proof_frog prove [OPTIONS] FILE
 ```
 
 ### Behavior
@@ -168,16 +168,16 @@ Pass `-v` once to print the canonical game form after each hop, which is invalua
 
 ```bash
 # Verify the OTP security proof from Joy of Cryptography examples
-python -m proof_frog prove examples/joy/Proofs/Ch2/OTPSecure.proof
+proof_frog prove examples/joy/Proofs/Ch2/OTPSecure.proof
 
 # Verbose: print canonical game forms at each hop
-python -m proof_frog prove -v examples/joy/Proofs/Ch2/OTPSecure.proof
+proof_frog prove -v examples/joy/Proofs/Ch2/OTPSecure.proof
 
 # Very verbose: also show transformation rule firings
-python -m proof_frog prove -vv examples/joy/Proofs/Ch2/OTPSecure.proof
+proof_frog prove -vv examples/joy/Proofs/Ch2/OTPSecure.proof
 
 # Verify a PRG security proof, skipping lemma re-verification
-python -m proof_frog prove --skip-lemmas examples/Proofs/PRG/CounterPRG_PRGSecurity.proof
+proof_frog prove --skip-lemmas examples/Proofs/PRG/CounterPRG_PRGSecurity.proof
 ```
 
 ### Common Errors
@@ -195,7 +195,7 @@ python -m proof_frog prove --skip-lemmas examples/Proofs/PRG/CounterPRG_PRGSecur
 ### Synopsis
 
 ```
-python -m proof_frog describe [OPTIONS] FILE
+proof_frog describe [OPTIONS] FILE
 ```
 
 ### Behavior
@@ -212,13 +212,13 @@ Prints a concise, human-readable summary of any FrogLang file's interface — th
 
 ```bash
 # Describe a primitive
-python -m proof_frog describe examples/Primitives/PRG.primitive
+proof_frog describe examples/Primitives/PRG.primitive
 
 # Describe a scheme
-python -m proof_frog describe examples/joy/Schemes/SymEnc/OTP.scheme
+proof_frog describe examples/joy/Schemes/SymEnc/OTP.scheme
 
 # Describe with JSON output (useful for tooling)
-python -m proof_frog describe --json examples/Primitives/SymEnc.primitive
+proof_frog describe --json examples/Primitives/SymEnc.primitive
 ```
 
 ---
@@ -228,7 +228,7 @@ python -m proof_frog describe --json examples/Primitives/SymEnc.primitive
 ### Synopsis
 
 ```
-python -m proof_frog download-examples [OPTIONS] [DIRECTORY]
+proof_frog download-examples [OPTIONS] [DIRECTORY]
 ```
 
 ### Behavior
@@ -246,16 +246,16 @@ Downloads the [ProofFrog examples repository](https://github.com/ProofFrog/examp
 
 ```bash
 # Download the examples matching your version of ProofFrog into an "examples" directory
-python -m proof_frog download-examples
+proof_frog download-examples
 
 # Download into a custom directory
-python -m proof_frog download-examples my-examples
+proof_frog download-examples my-examples
 
 # Download the latest main branch instead of the pinned version
-python -m proof_frog download-examples --ref main
+proof_frog download-examples --ref main
 
 # Overwrite an existing examples directory
-python -m proof_frog download-examples --force
+proof_frog download-examples --force
 ```
 
 ---
@@ -265,7 +265,7 @@ python -m proof_frog download-examples --force
 ### Synopsis
 
 ```
-python -m proof_frog web [OPTIONS] [DIRECTORY]
+proof_frog web [OPTIONS] [DIRECTORY]
 ```
 
 ### Behavior
@@ -279,13 +279,13 @@ The web interface provides the same verification engine as the CLI. It is partic
 
 ```bash
 # Start the editor using the current directory as the file root
-python -m proof_frog web
+proof_frog web
 
 # Start the editor rooted at the bundled examples directory
-python -m proof_frog web examples/
+proof_frog web examples/
 
 # Start the editor rooted at a specific project directory
-python -m proof_frog web /path/to/my/proofs
+proof_frog web /path/to/my/proofs
 ```
 
 ---

manual/language-reference/execution-model.md

@@ -32,7 +32,7 @@ The security model is **left/right indistinguishability**: a scheme is considere
 
 ## Game execution model
 
-One execution of a game `G` with an adversary `A` proceeds in three stages:
+One execution of a game `G` with an adversary `A` proceeds in four stages:
 
 1. **Field initialization.** All state fields are set up. Fields declared with an explicit initializer (`Type x = expr;`) are assigned the value of `expr`. Fields declared without an initializer (`Type x;`) are left in an undefined state until the first assignment.
 

manual/limitations.md

@@ -55,10 +55,9 @@ polynomially many independent samples), that argument lives outside what ProofFr
 verifies.
 
 **Recursive computation.** FrogLang methods cannot call themselves recursively, and
-there is no loop construct. The language is not Turing-complete. Proofs that require
-reasoning about an inductively defined sequence of games (for example, a hybrid argument
-over n independent challenges) must be structured using the `lemma:` mechanism to reason
-about a single step, with the inductive argument stated externally.
+loops are bounded (numeric `for` loops have a fixed range and generic `for` loops iterate
+over a finite collection; there is no general while loop or unbounded iteration). The
+language is not Turing-complete.
 
 **Side channels.** Timing, power, cache, and other physical side-channel attacks are not
 modeled. All games are defined solely by the sequence of return values their oracles
@@ -233,6 +232,6 @@ If you encounter a case where the engine rejects a proof step that you believe i
 mathematically valid, please open an issue at
 [https://github.com/ProofFrog/ProofFrog/issues](https://github.com/ProofFrog/ProofFrog/issues).
 Include the smallest proof file that reproduces the problem, the full output of
-`python -m proof_frog prove -v <your-file.proof>` (which shows the canonical form of
+`proof_frog prove -v <your-file.proof>` (which shows the canonical form of
 each game and the point of failure), and a brief description of what you expected the
 engine to accept and why.

manual/troubleshooting.md

@@ -134,12 +134,12 @@ FrogLang does not allow.
 **Symptom:** `<file>:<line>: imported file not found: '<path>'`
 
 **Likely cause:** The path in an `import` statement does not resolve to an
-existing file relative to the directory where the CLI was invoked.
+existing file relative to the importing file's directory.
 
 **Fix:** Confirm the file exists at the given path and that the import is
-relative to the directory from which you are running `proof_frog`, not
-relative to the source file. Import paths in FrogLang are resolved from the
-working directory of the CLI invocation.
+relative to the directory containing the source file that has the `import`
+statement, not relative to the directory where the CLI is invoked. Import
+paths in FrogLang are resolved relative to the importing file's directory.
 
 **See also:** [Language Reference: Basics]({% link manual/language-reference/basics.md %})
 

manual/tutorial/otp-ots.md

@@ -9,7 +9,7 @@ nav_order: 2
 # Tutorial Part 2 — One-time pad has one-time secrecy
 {: .no_toc }
 
-In Tutorial Part 1, you ran an existing proof that that the one-time pad has one-time secrecy, broke it on purpose, and fixed it again. Now you will write that proof from scratch — all four files of it. By the end of this tutorial you will have defined a cryptographic primitive, a security game, a concrete scheme, and a game-hopping proof file, and you will have seen each one type-check or prove green as you finish it. We follow [Joy of Cryptography Section 2.5](https://joyofcryptography.com/provsec/#sec.abstract-defs) closely; if you have Rosulek's textbook handy, keep it open. Everything you write here is already in the `examples/joy/` directory, so you can always peek at the finished version if you get stuck.
+In Tutorial Part 1, you ran an existing proof that the one-time pad has one-time secrecy, broke it on purpose, and fixed it again. Now you will write that proof from scratch — all four files of it. By the end of this tutorial you will have defined a cryptographic primitive, a security game, a concrete scheme, and a game-hopping proof file, and you will have seen each one type-check or prove green as you finish it. We follow [Joy of Cryptography Section 2.5](https://joyofcryptography.com/provsec/#sec.abstract-defs) closely; if you have Rosulek's textbook handy, keep it open. Everything you write here is already in the `examples/joy/` directory, so you can always peek at the finished version if you get stuck.
 
 {: .important }
 **Activate your virtual environment first.** Before running any `proof_frog` command in a fresh terminal, activate the Python virtual environment you created during [installation]({% link manual/installation.md %}): `source .venv/bin/activate` on macOS/Linux (bash/zsh), `source .venv/bin/activate.fish` on fish, or `.venv\Scripts\Activate.ps1` on Windows PowerShell. Your prompt should show `(.venv)` once it is active.
@@ -76,7 +76,7 @@ Primitives declare **method signatures only** — there are no method bodies her
 Two new language features appear here:
 
 - `Message?` — the `?` suffix denotes a **nullable** (optional) type. In a symmetric encryption scheme, the decryption algorithm  `Dec` returns either a `Message` or `None`; decryption is allowed to fail if the ciphertext is invalid. If we later create a scheme returning just plain `Message` where the primitive declared `Message?`, we will get a type mismatch that the engine will catch.
-- `deterministic` — this modifier on `Dec` tells the engine that `Dec` is a deterministic algorithm that always returns the same output for the same inputs. In general, algorithms in FrogLang are assumed to be probabilistics, unless explicitly declared to be deterministic. We will come back to why this matters in Step 4 when the proof engine uses it to justify certain algebraic simplifications.
+- `deterministic` — this modifier on `Dec` tells the engine that `Dec` is a deterministic algorithm that always returns the same output for the same inputs. In general, algorithms in FrogLang are assumed to be probabilistic, unless explicitly declared to be deterministic. We will come back to why this matters in Step 4 when the proof engine uses it to justify certain algebraic simplifications.
 
 Finally, add a brace to close the block:
 
@@ -407,7 +407,7 @@ Scheme OTP(Int lambda) extends SymEnc {
 Click **Type Check** in the web editor, or run:
 
 ```bash
-proof_frog OTP.scheme
+proof_frog check OTP.scheme
 ```
 
 Expected output:
@@ -569,15 +569,15 @@ Because `k` is sampled uniformly from `BitString<lambda>` and used exactly once
 
 ### Diving into the canonical forms
 
-ProofFrog's engine works by trying to convert a game in to a "canonical form", by renaming variables to have standard names, removing unused statements, sorting the lines into a canonical order, and applying other mathematical and logical transformations. It then compares the canonical forms of the two games that are being checked for interchangeability.
+ProofFrog's engine works by trying to convert a game into a "canonical form", by renaming variables to have standard names, removing unused statements, sorting the lines into a canonical order, and applying other mathematical and logical transformations. It then compares the canonical forms of the two games that are being checked for interchangeability.
 
 In the web editor, you can drill down into the canonical forms derived at each step. When you clicked "Run Proof" above, the Game Hop panel in the bottom left should have been updated to have one line highlighted in green: `OneTimeSecrecy(E).Random ✅`. Click on this green line, and you will see four different chunks of source code appear:
 
 ![Details of canonicalization of one hop of OTPSecure.proof](otpsecure-hopdetail.png){: .lightbox }
 
 - Top left: The previous game (`OneTimeSecrecy(E).Real`), with the code of the one-time pad scheme `E` inlined. Notice that the variables from the OTP scheme have a prefix to avoid any collisions between variable names when inserted.
 - Middle left: The current game (`OneTimeSecrecy(E).Random`), with the code of the one-time pad scheme `E` inlined.
-- Top right: The canonicalized form of the previous game, `OneTimeSecrecy(E).Real`. Notice that the variable names have been replaced with canonical versions (`v1`) and that the engine has simplified the program by applyinh a mathematical identity it knows: that the XOR of a uniform random bit string with any bit string is equivalent to just sampling a uniform random bit string.
+- Top right: The canonicalized form of the previous game, `OneTimeSecrecy(E).Real`. Notice that the variable names have been replaced with canonical versions (`v1`) and that the engine has simplified the program by applying a mathematical identity it knows: that the XOR of a uniform random bit string with any bit string is equivalent to just sampling a uniform random bit string.
 - Bottom right: The canonicalized form of the current game, `OneTimeSecrecy(E).Random`. The canonicalization here is more obvious, and no extra transforms were applied.
 
 As you can see, the two canonicalized forms are exactly the same: this is why ProofFrog concludes that the hop is valid.
@@ -593,7 +593,7 @@ If you really want to dive into the details of every transformation ProofFrog ap
 
 **Proof Failed! Individual hops verified, but the proof is incomplete.** If the first and last game steps use the same side of the theorem (both `Real`, or both `Random`), the engine accepts all individual hops but reports that the overall sequence is incomplete. This is the error you saw in Tutorial Part 1 when you commented out the second game step. Make sure the sequence starts at `Real` and ends at `Random` (or vice versa).
 
-**A hop fails.** If the engine cannot verify a hop as an equivalence, it will report which step failed and show a diagnostic. For a proof as small as this one, a failing hop usually means the scheme file has a typo — for example, `k * m` instead of `k + m` in `Enc`. See the [troubleshooting page]({ %link manual/troubleshooting.md %}) for a deeper guide to diagnosing failing steps.
+**A hop fails.** If the engine cannot verify a hop as an equivalence, it will report which step failed and show a diagnostic. For a proof as small as this one, a failing hop usually means the scheme file has a typo — for example, `k * m` instead of `k + m` in `Enc`. See the [troubleshooting page]({% link manual/troubleshooting.md %}) for a deeper guide to diagnosing failing steps.
 
 ---