C Proof

Verified financial computing

The math is right. The code is something else.

A model can be sound on the page and wrong in the binary. C Proof builds runtimes an AI can write and a compiler can check, so the gap between the equation and the production code is something a machine closes, not something a reviewer hopes is closed.

Start a conversation How it works

The two-language problem

One language proves the math. Another one runs it.

Quant work lives in two languages that never meet. The first is the language of the model: the LaTeX in the paper, the derivation on the whiteboard, the closed form a desk signs off on. It is precise and it is reviewed.

The second is the language the model runs in: Python, C++, CUDA, hand-tuned and rewritten under deadline. The translation between the two is manual, and every manual translation is where a sign flips, a unit drifts, or an index goes off by one.

Nothing in the pipeline checks that the running code still computes the formula that was approved. C Proof closes that distance by making the translation itself a typed, checkable artifact, with a trace from the source equation to the emitted machine code.

The trust stack

Three levels of assurance, named for what they cover today.

  1. L1 Shipped

    Type-checked translation

    Source becomes Chelis Deep that passes type checking, effect and linearity validation, lowering, and code generation before any binary is produced.

  2. L2 In build

    Property and provenance verification

    Property-based fuzzing and end-to-end provenance from the source formula to the emitted source line, so a result can be traced back to the equation it came from.

  3. L3 Future

    Machine-checked proof

    Formal proofs of the translation and runtime guarantees, carried in a proof assistant, for the parts of the stack where a desk needs more than a test suite.

What C Proof gives you

The pieces that turn a formula into a checked binary.

Octant

A LaTeX-to-Chelis bridge with provenance. It translates mathematical LaTeX into Chelis Deep s-expressions and attaches span information to every emitted node, so the audit chain runs from a LaTeX byte range to a Deep node to an IR node to the emitted C, HIP, or Metal source line.

Calcify

Translates typed Python into Chelis source, function by function, in three tiers: deterministic pure translation, mixed Python-Chelis through the existing bridge, and best-effort translation with documented decisions. Existing models become checkable code.

Compile-time guarantees

Generated Deep goes through the same chain as hand-written Chelis: type checking, effect and linearity validation, lowering to RISC IR, and code generation. Whole categories of bug are rejected before a binary exists.

On-prem

The compiler is open-source under MIT and emits C, HIP, and Metal backends. Builds run inside your perimeter against hardware you control. No model weights or positions leave the boundary you set.

Open core

The compiler is open. The trust is auditable.

C Proof is built on Chelis, an open-source functional language for code an AI writes and a human supervises. The compiler is MIT-licensed and version 0.7.12, with C, HIP, and Metal backends and a Nautilus numerical library of 163 exports. You can read the type checker that rejects your bugs.

Read the language site github.com/Chelis-Lang

Bring us a formula and a deadline.

Tell us the model you run and the assurance you need on it. We will show you what the trust stack covers today and where it is going.

Start a conversation hello@cproof.ai