diff --git a/thys/Q0_Metatheory/Boolean_Algebra.thy b/thys/Q0_Metatheory/Boolean_Algebra.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Boolean_Algebra.thy
@@ -0,0 +1,115 @@
+section \<open>Boolean Algebra\<close>
+
+theory Boolean_Algebra
+  imports
+    "ZFC_in_HOL.ZFC_Typeclasses"
+begin
+
+text \<open>This theory contains an embedding of two-valued boolean algebra into \<^term>\<open>V\<close>.\<close>
+
+hide_const (open) List.set
+
+definition bool_to_V :: "bool \<Rightarrow> V" where
+  "bool_to_V = (SOME f. inj f)"
+
+lemma bool_to_V_injectivity [simp]:
+  shows "inj bool_to_V"
+  unfolding bool_to_V_def by (fact someI_ex[OF embeddable_class.ex_inj])
+
+definition bool_from_V :: "V \<Rightarrow> bool" where
+  [simp]: "bool_from_V = inv bool_to_V"
+
+definition top :: V ("\<^bold>T") where
+  [simp]: "\<^bold>T = bool_to_V True"
+
+definition bottom :: V ("\<^bold>F") where
+  [simp]: "\<^bold>F = bool_to_V False"
+
+definition two_valued_boolean_algebra_universe :: V ("\<bool>") where
+  [simp]: "\<bool> = set {\<^bold>T, \<^bold>F}"
+
+definition negation :: "V \<Rightarrow> V" ("\<sim> _" [141] 141) where
+  [simp]: "\<sim> p = bool_to_V (\<not> bool_from_V p)"
+
+definition conjunction :: "V \<Rightarrow> V \<Rightarrow> V" (infixr "\<^bold>\<and>" 136) where
+  [simp]: "p \<^bold>\<and> q = bool_to_V (bool_from_V p \<and> bool_from_V q)"
+
+definition disjunction :: "V \<Rightarrow> V \<Rightarrow> V" (infixr "\<^bold>\<or>" 131) where
+  [simp]: "p \<^bold>\<or> q = \<sim> (\<sim> p \<^bold>\<and> \<sim> q)"
+
+definition implication :: "V \<Rightarrow> V \<Rightarrow> V" (infixr "\<^bold>\<supset>" 121) where
+  [simp]: "p \<^bold>\<supset> q = \<sim> p \<^bold>\<or> q"
+
+definition iff :: "V \<Rightarrow> V \<Rightarrow> V" (infixl "\<^bold>\<equiv>" 150) where
+  [simp]: "p \<^bold>\<equiv> q = (p \<^bold>\<supset> q) \<^bold>\<and> (q \<^bold>\<supset> p)"
+
+lemma boolean_algebra_simps [simp]:
+  assumes "p \<in> elts \<bool>" and "q \<in> elts \<bool>" and "r \<in> elts \<bool>"
+  shows "\<sim> \<sim> p = p"
+  and "((\<sim> p) \<^bold>\<equiv> (\<sim> q)) = (p \<^bold>\<equiv> q)"
+  and "\<sim> (p \<^bold>\<equiv> q) = (p \<^bold>\<equiv> (\<sim> q))"
+  and "(p \<^bold>\<or> \<sim> p) = \<^bold>T"
+  and "(\<sim> p \<^bold>\<or> p) = \<^bold>T"
+  and "(p \<^bold>\<equiv> p) = \<^bold>T"
+  and "(\<sim> p) \<noteq> p"
+  and "p \<noteq> (\<sim> p)"
+  and "(\<^bold>T \<^bold>\<equiv> p) = p"
+  and "(p \<^bold>\<equiv> \<^bold>T) = p"
+  and "(\<^bold>F \<^bold>\<equiv> p) = (\<sim> p)"
+  and "(p \<^bold>\<equiv> \<^bold>F) = (\<sim> p)"
+  and "(\<^bold>T \<^bold>\<supset> p) = p"
+  and "(\<^bold>F \<^bold>\<supset> p) = \<^bold>T"
+  and "(p \<^bold>\<supset> \<^bold>T) = \<^bold>T"
+  and "(p \<^bold>\<supset> p) = \<^bold>T"
+  and "(p \<^bold>\<supset> \<^bold>F) = (\<sim> p)"
+  and "(p \<^bold>\<supset> \<sim> p) = (\<sim> p)"
+  and "(p \<^bold>\<and> \<^bold>T) = p"
+  and "(\<^bold>T \<^bold>\<and> p) = p"
+  and "(p \<^bold>\<and> \<^bold>F) = \<^bold>F"
+  and "(\<^bold>F \<^bold>\<and> p) = \<^bold>F"
+  and "(p \<^bold>\<and> p) = p"
+  and "(p \<^bold>\<and> (p \<^bold>\<and> q)) = (p \<^bold>\<and> q)"
+  and "(p \<^bold>\<and> \<sim> p) = \<^bold>F"
+  and "(\<sim> p \<^bold>\<and> p) = \<^bold>F"
+  and "(p \<^bold>\<or> \<^bold>T) = \<^bold>T"
+  and "(\<^bold>T \<^bold>\<or> p) = \<^bold>T"
+  and "(p \<^bold>\<or> \<^bold>F) = p"
+  and "(\<^bold>F \<^bold>\<or> p) = p"
+  and "(p \<^bold>\<or> p) = p"
+  and "(p \<^bold>\<or> (p \<^bold>\<or> q)) = (p \<^bold>\<or> q)"
+  and "p \<^bold>\<and> q = q \<^bold>\<and> p"
+  and "p \<^bold>\<and> (q \<^bold>\<and> r) = q \<^bold>\<and> (p \<^bold>\<and> r)"
+  and "p \<^bold>\<or> q = q \<^bold>\<or> p"
+  and "p \<^bold>\<or> (q \<^bold>\<or> r) = q \<^bold>\<or> (p \<^bold>\<or> r)"
+  and "(p \<^bold>\<or> q) \<^bold>\<or> r = p \<^bold>\<or> (q \<^bold>\<or> r)"
+  and "p \<^bold>\<and> (q \<^bold>\<or> r) = p \<^bold>\<and> q \<^bold>\<or> p \<^bold>\<and> r"
+  and "(p \<^bold>\<or> q) \<^bold>\<and> r = p \<^bold>\<and> r \<^bold>\<or> q \<^bold>\<and> r"
+  and "p \<^bold>\<or> (q \<^bold>\<and> r) = (p \<^bold>\<or> q) \<^bold>\<and> (p \<^bold>\<or> r)"
+  and "(p \<^bold>\<and> q) \<^bold>\<or> r = (p \<^bold>\<or> r) \<^bold>\<and> (q \<^bold>\<or> r)"
+  and "(p \<^bold>\<supset> (q \<^bold>\<and> r)) = ((p \<^bold>\<supset> q) \<^bold>\<and> (p \<^bold>\<supset> r))"
+  and "((p \<^bold>\<and> q) \<^bold>\<supset> r) = (p \<^bold>\<supset> (q \<^bold>\<supset> r))"
+  and "((p \<^bold>\<or> q) \<^bold>\<supset> r) = ((p \<^bold>\<supset> r) \<^bold>\<and> (q \<^bold>\<supset> r))"
+  and "((p \<^bold>\<supset> q) \<^bold>\<or> r) = (p \<^bold>\<supset> q \<^bold>\<or> r)"
+  and "(q \<^bold>\<or> (p \<^bold>\<supset> r)) = (p \<^bold>\<supset> q \<^bold>\<or> r)"
+  and "\<sim> (p \<^bold>\<or> q) = \<sim> p \<^bold>\<and> \<sim> q"
+  and "\<sim> (p \<^bold>\<and> q) = \<sim> p \<^bold>\<or> \<sim> q"
+  and "\<sim> (p \<^bold>\<supset> q) = p \<^bold>\<and> \<sim> q"
+  and "\<sim> p \<^bold>\<or> q = (p \<^bold>\<supset> q)"
+  and "p \<^bold>\<or> \<sim> q = (q \<^bold>\<supset> p)"
+  and "(p \<^bold>\<supset> q) = (\<sim> p) \<^bold>\<or> q"
+  and "p \<^bold>\<or> q = \<sim> p \<^bold>\<supset> q"
+  and "(p \<^bold>\<equiv> q) = (p \<^bold>\<supset> q) \<^bold>\<and> (q \<^bold>\<supset> p)"
+  and "(p \<^bold>\<supset> q) \<^bold>\<and> (\<sim> p \<^bold>\<supset> q) = q"
+  and "p = \<^bold>T \<Longrightarrow> \<not> (p = \<^bold>F)"
+  and "p = \<^bold>F \<Longrightarrow> \<not> (p = \<^bold>T)"
+  and "p = \<^bold>T \<or> p = \<^bold>F"
+  using assms by (auto simp add: inj_eq)
+
+lemma tv_cases [consumes 1, case_names top bottom, cases type: V]:
+  assumes "p \<in> elts \<bool>"
+  and "p = \<^bold>T \<Longrightarrow> P"
+  and "p = \<^bold>F \<Longrightarrow> P"
+  shows P
+  using assms by auto
+
+end
diff --git a/thys/Q0_Metatheory/Consistency.thy b/thys/Q0_Metatheory/Consistency.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Consistency.thy
@@ -0,0 +1,244 @@
+section \<open>Consistency\<close>
+
+theory Consistency
+  imports
+    Soundness
+begin
+
+definition is_inconsistent_set :: "form set \<Rightarrow> bool" where
+  [iff]: "is_inconsistent_set \<G> \<longleftrightarrow> \<G> \<turnstile> F\<^bsub>o\<^esub>"
+
+definition \<Q>\<^sub>0_is_inconsistent :: bool where
+  [iff]: "\<Q>\<^sub>0_is_inconsistent \<longleftrightarrow> \<turnstile> F\<^bsub>o\<^esub>"
+
+definition is_wffo_consistent_with :: "form \<Rightarrow> form set \<Rightarrow> bool" where
+  [iff]: "is_wffo_consistent_with B \<G> \<longleftrightarrow> \<not> is_inconsistent_set (\<G> \<union> {B})"
+
+subsection \<open>Existence of a standard model\<close>
+
+text \<open>We construct a standard model in which \<open>\<D> i\<close> is the set \<open>{0}\<close>:\<close>
+
+primrec singleton_standard_domain_family ("\<D>\<^sup>S") where
+  "\<D>\<^sup>S i = 1" \<comment> \<open>i.e., \<^term>\<open>\<D>\<^sup>S i = set {0}\<close>\<close>
+| "\<D>\<^sup>S o = \<bool>"
+| "\<D>\<^sup>S (\<alpha>\<rightarrow>\<beta>) = \<D>\<^sup>S \<alpha> \<longmapsto> \<D>\<^sup>S \<beta>"
+
+interpretation singleton_standard_frame: frame "\<D>\<^sup>S"
+proof unfold_locales
+  {
+    fix \<alpha>
+    have "\<D>\<^sup>S \<alpha> \<noteq> 0"
+    proof (induction \<alpha>)
+      case (TFun \<beta> \<gamma>)
+      from \<open>\<D>\<^sup>S \<gamma> \<noteq> 0\<close> obtain y where "y \<in> elts (\<D>\<^sup>S \<gamma>)"
+        by fastforce
+      then have "(\<^bold>\<lambda>z \<^bold>: \<D>\<^sup>S \<beta>\<^bold>. y) \<in> elts (\<D>\<^sup>S \<beta> \<longmapsto> \<D>\<^sup>S \<gamma>)"
+        by (intro VPi_I)
+      then show ?case
+        by force
+    qed simp_all
+  }
+  then show "\<forall>\<alpha>. \<D>\<^sup>S \<alpha> \<noteq> 0"
+    by (intro allI)
+qed simp_all
+
+definition singleton_standard_constant_denotation_function ("\<J>\<^sup>S") where
+  [simp]: "\<J>\<^sup>S k =
+    (
+      if
+        \<exists>\<beta>. is_Q_constant_of_type k \<beta>
+      then
+        let \<beta> = type_of_Q_constant k in q\<^bsub>\<beta>\<^esub>\<^bsup>\<D>\<^sup>S\<^esup>
+      else
+      if
+        is_iota_constant k
+      then
+        \<^bold>\<lambda>z \<^bold>: \<D>\<^sup>S (i\<rightarrow>o)\<^bold>. 0
+      else
+        case k of (c, \<alpha>) \<Rightarrow> SOME z. z \<in> elts (\<D>\<^sup>S \<alpha>)
+    )"
+
+interpretation singleton_standard_premodel: premodel "\<D>\<^sup>S" "\<J>\<^sup>S"
+proof (unfold_locales)
+  show "\<forall>\<alpha>. \<J>\<^sup>S (Q_constant_of_type \<alpha>) = q\<^bsub>\<alpha>\<^esub>\<^bsup>\<D>\<^sup>S\<^esup>"
+    by simp
+next
+  show "singleton_standard_frame.is_unique_member_selector (\<J>\<^sup>S iota_constant)"
+  unfolding singleton_standard_frame.is_unique_member_selector_def proof
+    fix x
+    assume "x \<in> elts (\<D>\<^sup>S i)"
+    then have "x = 0"
+      by simp
+    moreover have "(\<^bold>\<lambda>z \<^bold>: \<D>\<^sup>S (i\<rightarrow>o)\<^bold>. 0) \<bullet> {0}\<^bsub>i\<^esub>\<^bsup>\<D>\<^sup>S\<^esup> = 0"
+      using beta[OF singleton_standard_frame.one_element_function_is_domain_respecting]
+      unfolding singleton_standard_domain_family.simps(3) by blast
+    ultimately show "(\<J>\<^sup>S iota_constant) \<bullet> {x}\<^bsub>i\<^esub>\<^bsup>\<D>\<^sup>S\<^esup> = x"
+      by fastforce
+  qed
+next
+  show "\<forall>c \<alpha>. \<not> is_logical_constant (c, \<alpha>) \<longrightarrow> \<J>\<^sup>S (c, \<alpha>) \<in> elts (\<D>\<^sup>S \<alpha>)"
+  proof (intro allI impI)
+    fix c and \<alpha>
+    assume "\<not> is_logical_constant (c, \<alpha>)"
+    then have "\<J>\<^sup>S (c, \<alpha>) = (SOME z. z \<in> elts (\<D>\<^sup>S \<alpha>))"
+      by auto
+    moreover have "\<exists>z. z \<in> elts (\<D>\<^sup>S \<alpha>)"
+      using eq0_iff and singleton_standard_frame.domain_nonemptiness by presburger
+    then have "(SOME z. z \<in> elts (\<D>\<^sup>S \<alpha>)) \<in> elts (\<D>\<^sup>S \<alpha>)"
+      using some_in_eq by auto
+    ultimately show "\<J>\<^sup>S (c, \<alpha>) \<in> elts (\<D>\<^sup>S \<alpha>)"
+      by auto
+  qed
+qed
+
+fun singleton_standard_wff_denotation_function ("\<V>\<^sup>S") where
+  "\<V>\<^sup>S \<phi> (x\<^bsub>\<alpha>\<^esub>) = \<phi> (x, \<alpha>)"
+| "\<V>\<^sup>S \<phi> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = \<J>\<^sup>S (c, \<alpha>)"
+| "\<V>\<^sup>S \<phi> (A \<sqdot> B) = (\<V>\<^sup>S \<phi> A) \<bullet> (\<V>\<^sup>S \<phi> B)"
+| "\<V>\<^sup>S \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = (\<^bold>\<lambda>z \<^bold>: \<D>\<^sup>S \<alpha>\<^bold>. \<V>\<^sup>S (\<phi>((x, \<alpha>) := z)) A)"
+
+lemma singleton_standard_wff_denotation_function_closure:
+  assumes "frame.is_assignment \<D>\<^sup>S \<phi>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<V>\<^sup>S \<phi> A \<in> elts (\<D>\<^sup>S \<alpha>)"
+using assms(2,1) proof (induction A arbitrary: \<phi>)
+  case (var_is_wff \<alpha> x)
+  then show ?case
+    by simp
+next
+  case (con_is_wff \<alpha> c)
+  then show ?case
+  proof (cases "(c, \<alpha>)" rule: constant_cases)
+    case non_logical
+    then show ?thesis
+      using singleton_standard_premodel.non_logical_constant_denotation
+      and singleton_standard_wff_denotation_function.simps(2) by presburger
+  next
+    case (Q_constant \<beta>)
+    then have "\<V>\<^sup>S \<phi> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = q\<^bsub>\<beta>\<^esub>\<^bsup>\<D>\<^sup>S\<^esup>"
+      by simp
+    moreover have "q\<^bsub>\<beta>\<^esub>\<^bsup>\<D>\<^sup>S\<^esup> \<in> elts (\<D>\<^sup>S (\<beta>\<rightarrow>\<beta>\<rightarrow>o))"
+      using singleton_standard_domain_family.simps(3)
+      and singleton_standard_frame.identity_relation_is_domain_respecting by presburger
+    ultimately show ?thesis
+      using Q_constant by simp
+  next
+    case \<iota>_constant
+    then have "\<V>\<^sup>S \<phi> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = (\<^bold>\<lambda>z \<^bold>: \<D>\<^sup>S (i\<rightarrow>o)\<^bold>. 0)"
+      by simp
+    moreover have "(\<^bold>\<lambda>z \<^bold>: \<D>\<^sup>S (i\<rightarrow>o)\<^bold>. 0) \<in> elts (\<D>\<^sup>S ((i\<rightarrow>o)\<rightarrow>i))"
+      by (simp add: VPi_I)
+    ultimately show ?thesis
+      using \<iota>_constant by simp
+  qed
+next
+  case (app_is_wff \<alpha> \<beta> A B)
+  have "\<V>\<^sup>S \<phi> (A \<sqdot> B) = (\<V>\<^sup>S \<phi> A) \<bullet> (\<V>\<^sup>S \<phi> B)"
+    using singleton_standard_wff_denotation_function.simps(3) .
+  moreover have "\<V>\<^sup>S \<phi> A \<in> elts (\<D>\<^sup>S (\<alpha>\<rightarrow>\<beta>))" and "\<V>\<^sup>S \<phi> B \<in> elts (\<D>\<^sup>S \<alpha>)"
+    using app_is_wff.IH and app_is_wff.prems by simp_all
+  ultimately show ?case
+    by (simp only: singleton_standard_frame.app_is_domain_respecting)
+next
+  case (abs_is_wff \<beta> A \<alpha> x)
+  have "\<V>\<^sup>S \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = (\<^bold>\<lambda>z \<^bold>: \<D>\<^sup>S \<alpha>\<^bold>. \<V>\<^sup>S (\<phi>((x, \<alpha>) := z)) A)"
+    using singleton_standard_wff_denotation_function.simps(4) .
+  moreover have "\<V>\<^sup>S (\<phi>((x, \<alpha>) := z)) A \<in> elts (\<D>\<^sup>S \<beta>)" if "z \<in> elts (\<D>\<^sup>S \<alpha>)" for z
+    using that and abs_is_wff.IH and abs_is_wff.prems by simp
+  ultimately show ?case
+    by (simp add: VPi_I)
+qed
+
+interpretation singleton_standard_model: standard_model "\<D>\<^sup>S" "\<J>\<^sup>S" "\<V>\<^sup>S"
+proof (unfold_locales)
+  show "singleton_standard_premodel.is_wff_denotation_function \<V>\<^sup>S"
+    by (simp add: singleton_standard_wff_denotation_function_closure)
+next
+  show "\<forall>\<alpha> \<beta>. \<D>\<^sup>S (\<alpha>\<rightarrow>\<beta>) = \<D>\<^sup>S \<alpha> \<longmapsto> \<D>\<^sup>S \<beta>"
+    using singleton_standard_domain_family.simps(3) by (intro allI)
+qed
+
+proposition standard_model_existence:
+  shows "\<exists>\<M>. is_standard_model \<M>"
+  using singleton_standard_model.standard_model_axioms by auto
+
+subsection \<open>Theorem 5403 (Consistency Theorem)\<close>
+
+proposition model_existence_implies_set_consistency:
+  assumes "is_hyps \<G>"
+  and "\<exists>\<M>. is_general_model \<M> \<and> is_model_for \<M> \<G>"
+  shows "\<not> is_inconsistent_set \<G>"
+proof (rule ccontr)
+  from assms(2) obtain \<D> and \<J> and \<V> and \<M>
+    where "\<M> = (\<D>, \<J>, \<V>)" and "is_model_for \<M> \<G>" and "is_general_model \<M>" by fastforce
+  assume "\<not> \<not> is_inconsistent_set \<G>"
+  then have "\<G> \<turnstile> F\<^bsub>o\<^esub>"
+    by simp
+  with \<open>is_general_model \<M>\<close> have "\<M> \<Turnstile> F\<^bsub>o\<^esub>"
+    using thm_5402(2)[OF assms(1) \<open>is_model_for \<M> \<G>\<close>] by simp
+  then have "\<V> \<phi> F\<^bsub>o\<^esub> = \<^bold>T" if "\<phi> \<leadsto> \<D>" for \<phi>
+    using that and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> by force
+  moreover have "\<V> \<phi> F\<^bsub>o\<^esub> = \<^bold>F" if "\<phi> \<leadsto> \<D>" for \<phi>
+    using \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>is_general_model \<M>\<close> and that and general_model.prop_5401_d
+    by simp
+  ultimately have "\<nexists>\<phi>. \<phi> \<leadsto> \<D>"
+    by (auto simp add: inj_eq)
+  moreover have "\<exists>\<phi>. \<phi> \<leadsto> \<D>"
+  proof -
+    \<comment> \<open>
+      Since by definition domains are not empty then, by using the Axiom of Choice, we can specify
+      an assignment \<open>\<psi>\<close> that simply chooses some element in the respective domain for each variable.
+      Nonetheless, as pointed out in Footnote 11, page 19 in @{cite "andrews:1965"}, it is not
+      necessary to use the Axiom of Choice to show that assignments exist since some assignments
+      can be described explicitly.
+    \<close>
+    let ?\<psi> = "\<lambda>v. case v of (_, \<alpha>) \<Rightarrow> SOME z. z \<in> elts (\<D> \<alpha>)"
+    from \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>is_general_model \<M>\<close> have "\<forall>\<alpha>. elts (\<D> \<alpha>) \<noteq> {}"
+      using frame.domain_nonemptiness and premodel_def and general_model.axioms(1) by auto
+    with \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>is_general_model \<M>\<close> have "?\<psi> \<leadsto> \<D>"
+      using frame.is_assignment_def and premodel_def and general_model.axioms(1)
+      by (metis (mono_tags) case_prod_conv some_in_eq)
+    then show ?thesis
+      by (intro exI)
+  qed
+  ultimately show False ..
+qed
+
+proposition \<Q>\<^sub>0_is_consistent:
+  shows "\<not> \<Q>\<^sub>0_is_inconsistent"
+proof -
+  have "\<exists>\<M>. is_general_model \<M> \<and> is_model_for \<M> {}"
+    using standard_model_existence and standard_model.axioms(1) by blast
+  then show ?thesis
+    using model_existence_implies_set_consistency by simp
+qed
+
+lemmas thm_5403 = \<Q>\<^sub>0_is_consistent model_existence_implies_set_consistency
+
+proposition principle_of_explosion:
+  assumes "is_hyps \<G>"
+  shows "is_inconsistent_set \<G> \<longleftrightarrow> (\<forall>A \<in> (wffs\<^bsub>o\<^esub>). \<G> \<turnstile> A)"
+proof
+  assume "is_inconsistent_set \<G>"
+  show "\<forall>A \<in> (wffs\<^bsub>o\<^esub>). \<G> \<turnstile> A"
+  proof
+    fix A
+    assume "A \<in> wffs\<^bsub>o\<^esub>"
+    from \<open>is_inconsistent_set \<G>\<close> have "\<G> \<turnstile> F\<^bsub>o\<^esub>"
+      unfolding is_inconsistent_set_def .
+    then have "\<G> \<turnstile> \<forall>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>"
+      unfolding false_is_forall .
+    with \<open>A \<in> wffs\<^bsub>o\<^esub>\<close> have "\<G> \<turnstile> \<^bold>S {(\<xx>, o) \<Zinj> A} (\<xx>\<^bsub>o\<^esub>)"
+      using "\<forall>I" by fastforce
+    then show "\<G> \<turnstile> A"
+      by simp
+  qed
+next
+  assume "\<forall>A \<in> (wffs\<^bsub>o\<^esub>). \<G> \<turnstile> A"
+  then have "\<G> \<turnstile> F\<^bsub>o\<^esub>"
+    using false_wff by (elim bspec)
+  then show "is_inconsistent_set \<G>"
+    unfolding is_inconsistent_set_def .
+qed
+
+end
diff --git a/thys/Q0_Metatheory/Elementary_Logic.thy b/thys/Q0_Metatheory/Elementary_Logic.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Elementary_Logic.thy
@@ -0,0 +1,4821 @@
+section \<open>Elementary Logic\<close>
+
+theory Elementary_Logic
+  imports
+    Proof_System
+    Propositional_Wff
+begin
+
+no_notation funcset (infixr "\<rightarrow>" 60)
+notation funcset (infixr "\<Zpfun>" 60)
+
+subsection \<open>Proposition 5200\<close>
+
+proposition prop_5200:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<turnstile> A =\<^bsub>\<alpha>\<^esub> A"
+  using assms and equality_reflexivity and dv_thm by simp
+
+corollary hyp_prop_5200:
+  assumes "is_hyps \<H>" and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<H> \<turnstile> A =\<^bsub>\<alpha>\<^esub> A"
+  using derivability_implies_hyp_derivability[OF prop_5200[OF assms(2)] assms(1)] .
+
+subsection \<open>Proposition 5201 (Equality Rules)\<close>
+
+proposition prop_5201_1:
+  assumes "\<H> \<turnstile> A" and "\<H> \<turnstile> A \<equiv>\<^sup>\<Q> B"
+  shows "\<H> \<turnstile> B"
+proof -
+  from assms(2) have "\<H> \<turnstile> A =\<^bsub>o\<^esub> B"
+    unfolding equivalence_def .
+  with assms(1) show ?thesis
+    by (rule rule_R'[where p = "[]"]) auto
+qed
+
+proposition prop_5201_2:
+  assumes "\<H> \<turnstile> A =\<^bsub>\<alpha>\<^esub> B"
+  shows "\<H> \<turnstile> B =\<^bsub>\<alpha>\<^esub> A"
+proof -
+  have "\<H> \<turnstile> A =\<^bsub>\<alpha>\<^esub> A"
+  proof (rule hyp_prop_5200)
+    from assms show "is_hyps \<H>"
+      by (blast elim: is_derivable_from_hyps.cases)
+    show "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+      by (fact hyp_derivable_form_is_wffso[OF assms, THEN wffs_from_equality(1)])
+  qed
+  from this and assms show ?thesis
+    by (rule rule_R'[where p = "[\<guillemotleft>,\<guillemotright>]"]) (force+, fastforce dest: subforms_from_app)
+qed
+
+proposition prop_5201_3:
+  assumes "\<H> \<turnstile> A =\<^bsub>\<alpha>\<^esub> B" and "\<H> \<turnstile> B =\<^bsub>\<alpha>\<^esub> C"
+  shows "\<H> \<turnstile> A =\<^bsub>\<alpha>\<^esub> C"
+  using assms by (rule rule_R'[where p = "[\<guillemotright>]"]) (force+, fastforce dest: subforms_from_app)
+
+proposition prop_5201_4:
+  assumes "\<H> \<turnstile> A =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> B" and "\<H> \<turnstile> C =\<^bsub>\<alpha>\<^esub> D"
+  shows "\<H> \<turnstile> A \<sqdot> C =\<^bsub>\<beta>\<^esub> B \<sqdot> D"
+proof -
+  have "\<H> \<turnstile> A \<sqdot> C =\<^bsub>\<beta>\<^esub> A \<sqdot> C"
+  proof (rule hyp_prop_5200)
+    from assms show "is_hyps \<H>"
+      by (blast elim: is_derivable_from_hyps.cases)
+    from assms have "A \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>" and "C \<in> wffs\<^bsub>\<alpha>\<^esub>"
+      using hyp_derivable_form_is_wffso and wffs_from_equality by blast+
+    then show "A \<sqdot> C \<in> wffs\<^bsub>\<beta>\<^esub>"
+      by auto
+  qed
+  from this and assms(1) have "\<H> \<turnstile> A \<sqdot> C =\<^bsub>\<beta>\<^esub> B \<sqdot> C"
+    by (rule rule_R'[where p = "[\<guillemotright>,\<guillemotleft>]"]) (force+, fastforce dest: subforms_from_app)
+  from this and assms(2) show ?thesis
+    by (rule rule_R'[where p = "[\<guillemotright>,\<guillemotright>]"]) (force+, fastforce dest: subforms_from_app)
+qed
+
+proposition prop_5201_5:
+  assumes "\<H> \<turnstile> A =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> B" and "C \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<H> \<turnstile> A \<sqdot> C =\<^bsub>\<beta>\<^esub> B \<sqdot> C"
+proof -
+  have "\<H> \<turnstile> A \<sqdot> C =\<^bsub>\<beta>\<^esub> A \<sqdot> C"
+  proof (rule hyp_prop_5200)
+    from assms(1) show "is_hyps \<H>"
+      by (blast elim: is_derivable_from_hyps.cases)
+    have "A \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>"
+      by (fact hyp_derivable_form_is_wffso[OF assms(1), THEN wffs_from_equality(1)])
+    with assms(2) show "A \<sqdot> C \<in> wffs\<^bsub>\<beta>\<^esub>"
+      by auto
+  qed
+  from this and assms(1) show ?thesis
+    by (rule rule_R'[where p = "[\<guillemotright>,\<guillemotleft>]"]) (force+, fastforce dest: subforms_from_app)
+qed
+
+proposition prop_5201_6:
+  assumes "\<H> \<turnstile> C =\<^bsub>\<alpha>\<^esub> D" and "A \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>"
+  shows "\<H> \<turnstile> A \<sqdot> C =\<^bsub>\<beta>\<^esub> A \<sqdot> D"
+proof -
+  have "\<H> \<turnstile> A \<sqdot> C =\<^bsub>\<beta>\<^esub> A \<sqdot> C"
+  proof (rule hyp_prop_5200)
+    from assms(1) show "is_hyps \<H>"
+      by (blast elim: is_derivable_from_hyps.cases)
+    have "C \<in> wffs\<^bsub>\<alpha>\<^esub>"
+      by (fact hyp_derivable_form_is_wffso[OF assms(1), THEN wffs_from_equality(1)])
+    with assms(2) show "A \<sqdot> C \<in> wffs\<^bsub>\<beta>\<^esub>"
+      by auto
+  qed
+  from this and assms(1) show ?thesis
+    by (rule rule_R'[where p = "[\<guillemotright>,\<guillemotright>]"]) (force+, fastforce dest: subforms_from_app)
+qed
+
+lemmas Equality_Rules = prop_5201_1 prop_5201_2 prop_5201_3 prop_5201_4 prop_5201_5 prop_5201_6
+
+subsection \<open>Proposition 5202 (Rule RR)\<close>
+
+proposition prop_5202:
+  assumes "\<turnstile> A =\<^bsub>\<alpha>\<^esub> B \<or> \<turnstile> B =\<^bsub>\<alpha>\<^esub> A"
+  and "p \<in> positions C" and "A \<preceq>\<^bsub>p\<^esub> C" and "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D"
+  and "\<H> \<turnstile> C"
+  shows "\<H> \<turnstile> D"
+proof -
+  from assms(5) have "\<turnstile> C =\<^bsub>o\<^esub> C"
+    using prop_5200 and hyp_derivable_form_is_wffso by blast
+  moreover from assms(1) consider (a) "\<turnstile> A =\<^bsub>\<alpha>\<^esub> B" | (b) "\<turnstile> B =\<^bsub>\<alpha>\<^esub> A"
+    by blast
+  then have "\<turnstile> A =\<^bsub>\<alpha>\<^esub> B"
+    by cases (assumption, fact Equality_Rules(2))
+  ultimately have "\<turnstile> C =\<^bsub>o\<^esub> D"
+    by (rule rule_R[where p = "\<guillemotright> # p"]) (use assms(2-4) in auto)
+  then have "\<H> \<turnstile> C =\<^bsub>o\<^esub> D"
+  proof -
+    from assms(5) have "is_hyps \<H>"
+      by (blast elim: is_derivable_from_hyps.cases)
+    with \<open>\<turnstile> C =\<^bsub>o\<^esub> D\<close> show ?thesis
+      by (fact derivability_implies_hyp_derivability)
+  qed
+  with assms(5) show ?thesis
+    by (rule Equality_Rules(1)[unfolded equivalence_def])
+qed
+
+lemmas rule_RR = prop_5202 (* synonym *)
+
+subsection \<open>Proposition 5203\<close>
+
+proposition prop_5203:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "\<forall>v \<in> vars A. \<not> is_bound v B"
+  shows "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+using assms(2,1,3) proof induction
+  case (var_is_wff \<beta> y)
+  then show ?case
+  proof (cases "y\<^bsub>\<beta>\<^esub> = x\<^bsub>\<alpha>\<^esub>")
+    case True
+    then have "\<alpha> = \<beta>"
+      by simp
+    moreover from assms(1) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A"
+      using axiom_4_2 by (intro axiom_is_derivable_from_no_hyps)
+    moreover have "\<^bold>S {(x, \<alpha>) \<Zinj> A} (x\<^bsub>\<alpha>\<^esub>) = A"
+      by force
+    ultimately show ?thesis
+      using True by (simp only:)
+  next
+    case False
+    with assms(1) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub>"
+      using axiom_4_1_var by (intro axiom_is_derivable_from_no_hyps)
+    moreover from False have "\<^bold>S {(x, \<alpha>) \<Zinj> A} (y\<^bsub>\<beta>\<^esub>) = y\<^bsub>\<beta>\<^esub>"
+      by auto
+    ultimately show ?thesis
+      by (simp only:)
+  qed
+next
+  case (con_is_wff \<beta> c)
+  from assms(1) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>"
+    using axiom_4_1_con by (intro axiom_is_derivable_from_no_hyps)
+  moreover have "\<^bold>S {(x, \<alpha>) \<Zinj> A} (\<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) = \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>"
+    by auto
+  ultimately show ?case
+    by (simp only:)
+next
+  case (app_is_wff \<gamma> \<beta> D C)
+  from app_is_wff.prems(2) have not_bound_subforms: "\<forall>v \<in> vars A. \<not> is_bound v D \<and> \<not> is_bound v C"
+    using is_bound_in_app_homomorphism by fast
+  from \<open>D \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>\<close> have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} D"
+    using app_is_wff.IH(1)[OF assms(1)] and not_bound_subforms by simp
+  moreover from \<open>C \<in> wffs\<^bsub>\<gamma>\<^esub>\<close> have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A =\<^bsub>\<gamma>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} C"
+    using app_is_wff.IH(2)[OF assms(1)] and not_bound_subforms by simp
+  moreover have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D \<sqdot> C) \<sqdot> A =\<^bsub>\<beta>\<^esub> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A) \<sqdot> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A)"
+    using axiom_is_derivable_from_no_hyps[OF axiom_4_3[OF assms(1) \<open>D \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>\<close> \<open>C \<in> wffs\<^bsub>\<gamma>\<^esub>\<close>]] .
+  ultimately show ?case
+    using Equality_Rules(3,4) and substitute.simps(3) by presburger
+next
+  case (abs_is_wff \<beta> D \<gamma> y)
+  then show ?case
+  proof (cases "y\<^bsub>\<gamma>\<^esub> = x\<^bsub>\<alpha>\<^esub>")
+    case True
+    then have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. D"
+      using axiom_is_derivable_from_no_hyps[OF axiom_4_5[OF assms(1) abs_is_wff.hyps(1)]] by fast
+    moreover from True have "\<^bold>S {(x, \<alpha>) \<Zinj> A} (\<lambda>y\<^bsub>\<gamma>\<^esub>. D) = \<lambda>y\<^bsub>\<gamma>\<^esub>. D"
+      using empty_substitution_neutrality
+      by (simp add: singleton_substitution_simps(4) fmdrop_fmupd_same)
+    ultimately show ?thesis
+      by (simp only:)
+  next
+    case False
+    have "binders_at (\<lambda>y\<^bsub>\<gamma>\<^esub>. D) [\<guillemotleft>] = {(y, \<gamma>)}"
+      by simp
+    then have "is_bound (y, \<gamma>) (\<lambda>y\<^bsub>\<gamma>\<^esub>. D)"
+      by fastforce
+    with abs_is_wff.prems(2) have "(y, \<gamma>) \<notin> vars A"
+      by blast
+    with \<open>y\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>\<close> have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A"
+      using axiom_4_4[OF assms(1) abs_is_wff.hyps(1)] and axiom_is_derivable_from_no_hyps by blast
+    moreover have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} D"
+    proof -
+      have "\<forall>p. y\<^bsub>\<gamma>\<^esub> \<preceq>\<^bsub>\<guillemotleft> # p\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. D \<longrightarrow> y\<^bsub>\<gamma>\<^esub> \<preceq>\<^bsub>p\<^esub> D"
+        using subforms_from_abs by fastforce
+      from abs_is_wff.prems(2) have "\<forall>v \<in> vars A. \<not> is_bound v D"
+        using is_bound_in_abs_body by fast
+      then show ?thesis
+        by (fact abs_is_wff.IH[OF assms(1)])
+    qed
+    ultimately have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. \<^bold>S {(x, \<alpha>) \<Zinj> A} D"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+    with False show ?thesis
+      by simp
+  qed
+qed
+
+subsection \<open>Proposition 5204\<close>
+
+proposition prop_5204:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<beta>\<^esub>" and "C \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "\<turnstile> B =\<^bsub>\<beta>\<^esub> C"
+  and "\<forall>v \<in> vars A. \<not> is_bound v B \<and> \<not> is_bound v C"
+  shows "\<turnstile> \<^bold>S {(x, \<alpha>) \<Zinj> A} (B =\<^bsub>\<beta>\<^esub> C)"
+proof -
+  have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<beta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A"
+  proof -
+    have "(\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A \<in> wffs\<^bsub>\<beta>\<^esub>"
+      using assms(1,2) by auto
+    then show ?thesis
+      by (fact prop_5200)
+  qed
+  from this and assms(4) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<beta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A"
+    by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotleft>]"]) force+
+  moreover from assms(1,2,5) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+    using prop_5203 by auto
+  moreover from assms(1,3,5) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} C"
+    using prop_5203 by auto
+  ultimately have "\<turnstile> (\<^bold>S {(x, \<alpha>) \<Zinj> A} B) =\<^bsub>\<beta>\<^esub> (\<^bold>S {(x, \<alpha>) \<Zinj> A} C)"
+    using Equality_Rules(2,3) by blast
+  then show ?thesis
+    by simp
+qed
+
+subsection \<open>Proposition 5205 ($\eta$-conversion)\<close>
+
+proposition prop_5205:
+  shows "\<turnstile> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> (\<lambda>y\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> y\<^bsub>\<alpha>\<^esub>)"
+proof -
+  {
+  fix y
+  assume "y\<^bsub>\<alpha>\<^esub> \<noteq> \<xx>\<^bsub>\<alpha>\<^esub>"
+  let ?A = "\<lambda>y\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> y\<^bsub>\<alpha>\<^esub>"
+  have "\<turnstile> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> ?A) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>\<alpha>\<^esub>. (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> ?A \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)"
+  proof -
+    have "\<turnstile> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>\<alpha>\<^esub>. (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)" (is "\<turnstile> ?B =\<^bsub>o\<^esub> ?C")
+      using axiom_3[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    have "\<turnstile> \<^bold>S {(\<gg>, \<alpha>\<rightarrow>\<beta>) \<Zinj> ?A} (?B =\<^bsub>o\<^esub> ?C)"
+    proof -
+      have "?A \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>" and "?B \<in> wffs\<^bsub>o\<^esub>" and "?C \<in> wffs\<^bsub>o\<^esub>"
+        by auto
+      moreover have "\<forall>v \<in> vars ?A. \<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+      proof
+        fix v
+        assume "v \<in> vars ?A"
+        have "vars ?B = {(\<ff>, \<alpha>\<rightarrow>\<beta>), (\<gg>, \<alpha>\<rightarrow>\<beta>)}" and "vars ?C = {(\<ff>, \<alpha>\<rightarrow>\<beta>), (\<xx>, \<alpha>), (\<gg>, \<alpha>\<rightarrow>\<beta>)}"
+          by force+
+        with \<open>y\<^bsub>\<alpha>\<^esub> \<noteq> \<xx>\<^bsub>\<alpha>\<^esub>\<close> have "(y, \<alpha>) \<notin> vars ?B" and "(y, \<alpha>) \<notin> vars ?C"
+          by force+
+        then have "\<not> is_bound (y, \<alpha>) ?B" and "\<not> is_bound (y, \<alpha>) ?C"
+          using absent_var_is_not_bound by blast+
+        moreover have "\<not> is_bound (\<ff>, \<alpha>\<rightarrow>\<beta>) ?B" and "\<not> is_bound (\<ff>, \<alpha>\<rightarrow>\<beta>) ?C"
+          by code_simp+
+        moreover from \<open>v \<in> vars ?A\<close> have "v \<in> {(y, \<alpha>), (\<ff>, \<alpha>\<rightarrow>\<beta>)}"
+          by auto
+        ultimately show "\<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+          by fast
+      qed
+      ultimately show ?thesis
+        using \<open>\<turnstile> ?B =\<^bsub>o\<^esub> ?C\<close> and prop_5204 by presburger
+    qed
+    then show ?thesis
+      by simp
+  qed
+  moreover have "\<turnstile> ?A \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+  proof -
+    have "\<xx>\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>\<alpha>\<^esub>" and "\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> y\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>\<beta>\<^esub>"
+      by auto
+    moreover have "\<forall>v \<in> vars (\<xx>\<^bsub>\<alpha>\<^esub>). \<not> is_bound v (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> y\<^bsub>\<alpha>\<^esub>)"
+      using \<open>y\<^bsub>\<alpha>\<^esub> \<noteq> \<xx>\<^bsub>\<alpha>\<^esub>\<close> by auto
+    moreover have "\<^bold>S {(y, \<alpha>) \<Zinj> \<xx>\<^bsub>\<alpha>\<^esub>} (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> y\<^bsub>\<alpha>\<^esub>) =  \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+      by simp
+    ultimately show ?thesis
+      using prop_5203 by metis
+  qed
+  ultimately have "\<turnstile> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> ?A) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>\<alpha>\<^esub>. (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)"
+    by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+  moreover have "\<turnstile> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>\<alpha>\<^esub>. (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)"
+  proof -
+    let ?A = "\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>"
+    have "\<turnstile> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>\<alpha>\<^esub>. (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)" (is "\<turnstile> ?B =\<^bsub>o\<^esub> ?C")
+      using axiom_3[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    have "\<turnstile> \<^bold>S {(\<gg>, \<alpha>\<rightarrow>\<beta>) \<Zinj> ?A} (?B =\<^bsub>o\<^esub> ?C)"
+    proof -
+      have "?A \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>" and "?B \<in> wffs\<^bsub>o\<^esub>" and "?C \<in> wffs\<^bsub>o\<^esub>"
+        by auto
+      moreover have "\<forall>v \<in> vars ?A. \<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+      proof
+        fix v
+        assume "v \<in> vars ?A"
+        have "vars ?B = {(\<ff>, \<alpha>\<rightarrow>\<beta>), (\<gg>, \<alpha>\<rightarrow>\<beta>)}" and "vars ?C = {(\<ff>, \<alpha>\<rightarrow>\<beta>), (\<xx>, \<alpha>), (\<gg>, \<alpha>\<rightarrow>\<beta>)}"
+          by force+
+        with \<open>y\<^bsub>\<alpha>\<^esub> \<noteq> \<xx>\<^bsub>\<alpha>\<^esub>\<close> have "(y, \<alpha>) \<notin> vars ?B" and "(y, \<alpha>) \<notin> vars ?C"
+          by force+
+        then have "\<not> is_bound (y, \<alpha>) ?B" and "\<not> is_bound (y, \<alpha>) ?C"
+          using absent_var_is_not_bound by blast+
+        moreover have "\<not> is_bound (\<ff>, \<alpha>\<rightarrow>\<beta>) ?B" and "\<not> is_bound (\<ff>, \<alpha>\<rightarrow>\<beta>) ?C"
+          by code_simp+
+        moreover from \<open>v \<in> vars ?A \<close>have "v \<in> {(y, \<alpha>), (\<ff>, \<alpha>\<rightarrow>\<beta>)}"
+          by auto
+        ultimately show "\<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+          by fast
+      qed
+      ultimately show ?thesis
+        using \<open>\<turnstile> ?B =\<^bsub>o\<^esub> ?C\<close> and prop_5204 by presburger
+    qed
+    then show ?thesis
+      by simp
+  qed
+  ultimately have "\<turnstile> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> (\<lambda>y\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> y\<^bsub>\<alpha>\<^esub>)"
+    using Equality_Rules(1)[unfolded equivalence_def] and Equality_Rules(2) and prop_5200
+    by (metis wffs_of_type_intros(1))
+  }
+  note x_neq_y = this
+  then have "\<section>6": "\<turnstile> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<lambda>\<yy>\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>" (is "\<turnstile> ?B =\<^bsub>_\<^esub> ?C")
+    by simp
+  then have "\<section>7": "\<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> (\<lambda>\<yy>\<^bsub>\<alpha>\<^esub>. (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>)"
+  proof -
+    let ?A = "\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+    have "?A \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>" and "?B \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>" and "?C \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>"
+      by auto
+    moreover have "\<forall>v \<in> vars ?A. \<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+    proof
+      fix v
+      assume "v \<in> vars ?A"
+      have "\<not> is_bound (\<xx>, \<alpha>) ?B" and "\<not> is_bound (\<xx>, \<alpha>) ?C"
+        by code_simp+
+      moreover have "\<not> is_bound (\<ff>, \<alpha>\<rightarrow>\<beta>) ?B" and "\<not> is_bound (\<ff>, \<alpha>\<rightarrow>\<beta>) ?C"
+        by code_simp+
+      moreover from \<open>v \<in> vars ?A \<close>have "v \<in> {(\<xx>, \<alpha>), (\<ff>, \<alpha>\<rightarrow>\<beta>)}"
+        by auto
+      ultimately show "\<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+        by fast
+    qed
+    ultimately have "\<turnstile> \<^bold>S {(\<ff>, \<alpha>\<rightarrow>\<beta>) \<Zinj> ?A} (?B =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> ?C)"
+      using "\<section>6" and prop_5204 by presburger
+    then show ?thesis
+      by simp
+  qed
+  have "\<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> (\<lambda>\<yy>\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>)"
+  proof -
+    have "\<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>"
+    proof -
+      have "\<yy>\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>\<alpha>\<^esub>" and "\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>\<beta>\<^esub>"
+        by auto
+      moreover have "\<forall>v \<in> vars (\<yy>\<^bsub>\<alpha>\<^esub>). \<not> is_bound v (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)"
+        by simp
+      moreover have "\<^bold>S {(\<xx>, \<alpha>) \<Zinj> \<yy>\<^bsub>\<alpha>\<^esub>} (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>"
+        by simp
+      ultimately show ?thesis
+        using prop_5203 by metis
+    qed
+    from "\<section>7" and this show ?thesis
+      by (rule rule_R [where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+  qed
+  with "\<section>6" and x_neq_y[of y] show ?thesis
+    using Equality_Rules(2,3) by blast
+qed
+
+subsection \<open>Proposition 5206 ($\alpha$-conversion)\<close>
+
+proposition prop_5206:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "(z, \<beta>) \<notin> free_vars A"
+  and "is_free_for (z\<^bsub>\<beta>\<^esub>) (x, \<beta>) A"
+  shows "\<turnstile> (\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A)"
+proof -
+  have "is_substitution {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>}"
+    by auto
+  from this and assms(1) have "\<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+    by (fact substitution_preserves_typing)
+  obtain y where "(y, \<beta>) \<notin> {(x, \<beta>), (z, \<beta>)} \<union> vars A"
+  proof -
+    have "finite ({(x, \<beta>), (z, \<beta>)} \<union> vars A)"
+      using vars_form_finiteness by blast
+    with that show ?thesis
+      using fresh_var_existence by metis
+  qed
+  then have "(y, \<beta>) \<noteq> (x, \<beta>)" and "(y, \<beta>) \<noteq> (z, \<beta>)" and "(y, \<beta>) \<notin> vars A" and "(y, \<beta>) \<notin> free_vars A"
+    using free_vars_in_all_vars by auto
+  have "\<section>1": "\<turnstile> (\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>y\<^bsub>\<beta>\<^esub>. (\<lambda>x\<^bsub>\<beta>\<^esub>. A) \<sqdot> y\<^bsub>\<beta>\<^esub>)"
+  proof -
+    let ?A = "\<lambda>x\<^bsub>\<beta>\<^esub>. A"
+    have *: "\<turnstile> \<ff>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>y\<^bsub>\<beta>\<^esub>. \<ff>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<sqdot> y\<^bsub>\<beta>\<^esub>)" (is "\<turnstile> ?B =\<^bsub>_\<^esub> ?C")
+      by (fact prop_5205)
+    moreover have "\<turnstile> \<^bold>S {(\<ff>, \<beta>\<rightarrow>\<alpha>) \<Zinj> ?A} (?B =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> ?C)"
+    proof -
+      from assms(1) have "?A \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>" and "?B \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>" and "?C \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>"
+        by auto
+      moreover have "\<forall>v \<in> vars ?A. \<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+      proof
+        fix v
+        assume "v \<in> vars ?A"
+        then consider (a) "v = (x, \<beta>)" | (b) "v \<in> vars A"
+          by fastforce
+        then show "\<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+        proof cases
+          case a
+          then show ?thesis
+            using \<open>(y, \<beta>) \<noteq> (x, \<beta>)\<close> by force
+        next
+          case b
+          then have "\<not> is_bound v ?B"
+            by simp
+          moreover have "\<not> is_bound v ?C"
+            using b and \<open>(y, \<beta>) \<notin> vars A\<close> by code_simp force
+          ultimately show ?thesis
+            by blast
+        qed
+      qed
+      ultimately show ?thesis
+        using prop_5204 and * by presburger
+    qed
+    ultimately show ?thesis
+      by simp
+  qed
+  then have "\<section>2": "\<turnstile> (\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>y\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> y\<^bsub>\<beta>\<^esub>} A)"
+  proof -
+    have "\<turnstile> (\<lambda>x\<^bsub>\<beta>\<^esub>. A) \<sqdot> y\<^bsub>\<beta>\<^esub> =\<^bsub>\<alpha>\<^esub> \<^bold>S {(x, \<beta>) \<Zinj> y\<^bsub>\<beta>\<^esub>} A" (is "\<turnstile> (\<lambda>x\<^bsub>\<beta>\<^esub>. ?B) \<sqdot> ?A =\<^bsub>_\<^esub> _")
+    proof -
+      have "?A \<in> wffs\<^bsub>\<beta>\<^esub>" and "?B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+        by blast fact
+      moreover have "\<forall>v \<in> vars ?A. \<not> is_bound v ?B"
+        using \<open>(y, \<beta>) \<notin> vars A\<close> and absent_var_is_not_bound by auto
+      ultimately show ?thesis
+        by (fact prop_5203)
+    qed
+    with "\<section>1" show ?thesis
+      by (rule rule_R [where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+  qed
+  moreover
+  have "\<section>3": "\<turnstile> (\<lambda>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>y\<^bsub>\<beta>\<^esub>. (\<lambda>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A) \<sqdot> y\<^bsub>\<beta>\<^esub>)"
+  proof -
+    let ?A = "\<lambda>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A"
+    have *: "\<turnstile> \<ff>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>y\<^bsub>\<beta>\<^esub>. \<ff>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<sqdot> y\<^bsub>\<beta>\<^esub>)" (is "\<turnstile> ?B =\<^bsub>_\<^esub> ?C")
+      by (fact prop_5205)
+    moreover have "\<turnstile> \<^bold>S {(\<ff>, \<beta>\<rightarrow>\<alpha>) \<Zinj> ?A} (?B =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> ?C)"
+    proof -
+      have "?A \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>" and "?B \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>" and "?C \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>"
+        using \<open>\<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> by auto
+      moreover have "\<forall>v \<in> vars ?A. \<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+      proof
+        fix v
+        assume "v \<in> vars ?A"
+        then consider (a) "v = (z, \<beta>)" | (b) "v \<in> vars (\<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A)"
+          by fastforce
+        then show "\<not> is_bound v ?B \<and> \<not> is_bound v ?C"
+        proof cases
+          case a
+          then show ?thesis
+            using \<open>(y, \<beta>) \<noteq> (z, \<beta>)\<close> by auto
+        next
+          case b
+          then have "\<not> is_bound v ?B"
+            by simp
+          moreover from b and \<open>(y, \<beta>) \<notin> vars A\<close> and \<open>(y, \<beta>) \<noteq> (z, \<beta>)\<close> have "v \<noteq> (y, \<beta>)"
+            using renaming_substitution_minimal_change by blast
+          then have "\<not> is_bound v ?C"
+            by code_simp simp
+          ultimately show ?thesis
+            by blast
+        qed
+      qed
+      ultimately show ?thesis
+        using prop_5204 and * by presburger
+    qed
+    ultimately show ?thesis
+      by simp
+  qed
+  then have "\<section>4": "\<turnstile> (\<lambda>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>y\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> y\<^bsub>\<beta>\<^esub>} A)"
+  proof -
+    have "\<turnstile> (\<lambda>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A) \<sqdot> y\<^bsub>\<beta>\<^esub> =\<^bsub>\<alpha>\<^esub> \<^bold>S {(x, \<beta>) \<Zinj> y\<^bsub>\<beta>\<^esub>} A" (is "\<turnstile> (\<lambda>z\<^bsub>\<beta>\<^esub>. ?B) \<sqdot> ?A =\<^bsub>_\<^esub> _")
+    proof -
+      have "?A \<in> wffs\<^bsub>\<beta>\<^esub>" and "?B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+        by blast fact
+      moreover from \<open>(y, \<beta>) \<notin> vars A\<close> and \<open>(y, \<beta>) \<noteq> (z, \<beta>)\<close> have "\<forall>v \<in> vars ?A. \<not> is_bound v ?B"
+        using absent_var_is_not_bound and renaming_substitution_minimal_change by auto
+      ultimately have "\<turnstile> (\<lambda>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A) \<sqdot> y\<^bsub>\<beta>\<^esub> =\<^bsub>\<alpha>\<^esub> \<^bold>S {(z, \<beta>) \<Zinj> y\<^bsub>\<beta>\<^esub>} \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A"
+        using prop_5203 by fast
+      moreover have "\<^bold>S {(z, \<beta>) \<Zinj> y\<^bsub>\<beta>\<^esub>} \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A = \<^bold>S {(x, \<beta>) \<Zinj> y\<^bsub>\<beta>\<^esub>} A"
+        by (fact renaming_substitution_composability[OF assms(2,3)])
+      ultimately show ?thesis
+        by (simp only:)
+    qed
+    with "\<section>3" show ?thesis
+      by (rule rule_R [where p = "[\<guillemotright>,\<guillemotleft>]"]) auto
+  qed
+  ultimately show ?thesis
+    using Equality_Rules(2,3) by blast
+qed
+
+lemmas "\<alpha>" = prop_5206 (* synonym *)
+
+subsection \<open>Proposition 5207 ($\beta$-conversion)\<close>
+
+context
+begin
+
+private lemma bound_var_renaming_equality:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  and "(z, \<gamma>) \<notin> vars A"
+  shows "\<turnstile> A =\<^bsub>\<alpha>\<^esub> rename_bound_var (y, \<gamma>) z A"
+using assms proof induction
+  case (var_is_wff \<alpha> x)
+  then show ?case
+    using prop_5200 by force
+next
+  case (con_is_wff \<alpha> c)
+  then show ?case
+    using prop_5200 by force
+next
+  case (app_is_wff \<alpha> \<beta> A B)
+  then show ?case
+    using Equality_Rules(4) by auto
+next
+  case (abs_is_wff \<beta> A \<alpha> x)
+  then show ?case
+  proof (cases "(y, \<gamma>) = (x, \<alpha>)")
+    case True
+    have "\<turnstile> \<lambda>y\<^bsub>\<gamma>\<^esub>. A =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. A"
+      by (fact abs_is_wff.hyps[THEN prop_5200[OF wffs_of_type_intros(4)]])
+    moreover have "\<turnstile> A =\<^bsub>\<beta>\<^esub> rename_bound_var (y, \<gamma>) z A"
+      using abs_is_wff.IH[OF assms(2)] and abs_is_wff.prems(2) by fastforce
+    ultimately have "\<turnstile> \<lambda>y\<^bsub>\<gamma>\<^esub>. A =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. rename_bound_var (y, \<gamma>) z A"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+    moreover
+    have "
+      \<turnstile> \<lambda>y\<^bsub>\<gamma>\<^esub>. rename_bound_var (y, \<gamma>) z A
+        =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>
+        \<lambda>z\<^bsub>\<gamma>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A)"
+    proof -
+      have "rename_bound_var (y, \<gamma>) z A \<in> wffs\<^bsub>\<beta>\<^esub>"
+        using hyp_derivable_form_is_wffso[OF \<open>\<turnstile> A =\<^bsub>\<beta>\<^esub> rename_bound_var (y, \<gamma>) z A\<close>]
+        by (blast dest: wffs_from_equality)
+      moreover from abs_is_wff.prems(2) have "(z, \<gamma>) \<notin> free_vars (rename_bound_var (y, \<gamma>) z A)"
+        using rename_bound_var_free_vars[OF abs_is_wff.hyps assms(2)] by simp
+      moreover from abs_is_wff.prems(2) have "is_free_for (z\<^bsub>\<gamma>\<^esub>) (y, \<gamma>) (rename_bound_var (y, \<gamma>) z A)"
+        using is_free_for_in_rename_bound_var[OF abs_is_wff.hyps assms(2)] by simp
+      ultimately show ?thesis
+        using "\<alpha>" by fast
+    qed
+    ultimately have "\<turnstile> \<lambda>y\<^bsub>\<gamma>\<^esub>. A =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub> \<lambda>z\<^bsub>\<gamma>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A)"
+      by (rule Equality_Rules(3))
+    then show ?thesis
+      using True by auto
+  next
+    case False
+    have "\<turnstile> \<lambda>x\<^bsub>\<alpha>\<^esub>. A =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<lambda>x\<^bsub>\<alpha>\<^esub>. A"
+      by (fact abs_is_wff.hyps[THEN prop_5200[OF wffs_of_type_intros(4)]])
+    moreover have "\<turnstile> A =\<^bsub>\<beta>\<^esub> rename_bound_var (y, \<gamma>) z A"
+      using abs_is_wff.IH[OF assms(2)] and abs_is_wff.prems(2) by fastforce
+    ultimately have "\<turnstile> \<lambda>x\<^bsub>\<alpha>\<^esub>. A =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<lambda>x\<^bsub>\<alpha>\<^esub>. rename_bound_var (y, \<gamma>) z A"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+    then show ?thesis
+      using False by auto
+  qed
+qed
+
+proposition prop_5207:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "is_free_for A (x, \<alpha>) B"
+  shows "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+using assms proof (induction "form_size B" arbitrary: B \<beta> rule: less_induct)
+  case less
+  from less(3,1,2,4) show ?case
+  proof (cases B rule: wffs_of_type_cases)
+    case (var_is_wff y)
+    then show ?thesis
+    proof (cases "y\<^bsub>\<beta>\<^esub> = x\<^bsub>\<alpha>\<^esub>")
+      case True
+      then have "\<alpha> = \<beta>"
+        by simp
+      moreover from assms(1) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A"
+        using axiom_4_2 by (intro axiom_is_derivable_from_no_hyps)
+      moreover have "\<^bold>S {(x, \<alpha>) \<Zinj> A} (x\<^bsub>\<alpha>\<^esub>) = A"
+        by force
+      ultimately show ?thesis
+        unfolding True and var_is_wff by simp
+    next
+      case False
+      with assms(1) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub>"
+        using axiom_4_1_var by (intro axiom_is_derivable_from_no_hyps)
+      moreover from False have "\<^bold>S {(x, \<alpha>) \<Zinj> A} (y\<^bsub>\<beta>\<^esub>) = y\<^bsub>\<beta>\<^esub>"
+        by auto
+      ultimately show ?thesis
+        unfolding False and var_is_wff by simp
+    qed
+  next
+    case (con_is_wff c)
+     from assms(1) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>"
+      using axiom_4_1_con by (intro axiom_is_derivable_from_no_hyps)
+    moreover have "\<^bold>S {(x, \<alpha>) \<Zinj> A} (\<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) = \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>"
+      by auto
+    ultimately show ?thesis
+      by (simp only: con_is_wff)
+  next
+    case (app_is_wff \<gamma> D C)
+    have "form_size D < form_size B" and "form_size C < form_size B"
+      unfolding app_is_wff(1) by simp_all
+    from less(4)[unfolded app_is_wff(1)] have "is_free_for A (x, \<alpha>) D" and "is_free_for A (x, \<alpha>) C"
+      using is_free_for_from_app by iprover+
+    from \<open>is_free_for A (x, \<alpha>) D\<close> have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} D"
+      by (fact less(1)[OF \<open>form_size D < form_size B\<close> assms(1) app_is_wff(2)])
+    moreover from \<open>is_free_for A (x, \<alpha>) C\<close> have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A =\<^bsub>\<gamma>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} C"
+      by (fact less(1)[OF \<open>form_size C < form_size B\<close> assms(1) app_is_wff(3)])
+    moreover have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D \<sqdot> C) \<sqdot> A =\<^bsub>\<beta>\<^esub> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A) \<sqdot> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A)"
+      by (fact axiom_4_3[OF assms(1) app_is_wff(2,3), THEN axiom_is_derivable_from_no_hyps])
+    ultimately show ?thesis
+      unfolding app_is_wff(1) using Equality_Rules(3,4) and substitute.simps(3) by presburger
+  next
+    case (abs_is_wff \<delta> D \<gamma> y)
+    then show ?thesis
+    proof (cases "y\<^bsub>\<gamma>\<^esub> = x\<^bsub>\<alpha>\<^esub>")
+      case True
+      with abs_is_wff(1) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. D"
+        using axiom_4_5[OF assms(1) abs_is_wff(3)] by (simp add: axiom_is_derivable_from_no_hyps)
+      moreover have "\<^bold>S {(x, \<alpha>) \<Zinj> A} (\<lambda>y\<^bsub>\<gamma>\<^esub>. D) = \<lambda>y\<^bsub>\<gamma>\<^esub>. D"
+        using True by (simp add: empty_substitution_neutrality fmdrop_fmupd_same)
+      ultimately show ?thesis
+        unfolding abs_is_wff(2) by (simp only:)
+    next
+      case False
+      have "form_size D < form_size B"
+        unfolding abs_is_wff(2) by simp
+      have "is_free_for A (x, \<alpha>) D"
+        using is_free_for_from_abs[OF less(4)[unfolded abs_is_wff(2)]] and \<open>y\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>\<close> by blast
+      have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. (\<lambda>y\<^bsub>\<gamma>\<^esub>. D)) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. \<^bold>S {(x, \<alpha>) \<Zinj> A} D"
+      proof (cases "(y, \<gamma>) \<notin> vars A")
+        case True
+        with \<open>y\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>\<close> have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A"
+          using axiom_4_4[OF assms(1) abs_is_wff(3)] and axiom_is_derivable_from_no_hyps by auto
+        moreover have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A =\<^bsub>\<delta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} D"
+          by
+            (
+              fact less(1)
+                [OF \<open>form_size D < form_size B\<close> assms(1) \<open>D \<in> wffs\<^bsub>\<delta>\<^esub>\<close> \<open>is_free_for A (x, \<alpha>) D\<close>]
+            )
+        ultimately show ?thesis
+          unfolding abs_is_wff(1) by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+      next
+        case False
+        have "finite (vars {A, D})"
+          using vars_form_finiteness and vars_form_set_finiteness by simp
+        then obtain z where "(z, \<gamma>) \<notin> ({(x, \<alpha>), (y, \<gamma>)} \<union> vars {A, D})"
+          using fresh_var_existence by (metis Un_insert_left finite.simps insert_is_Un)
+        then have "z\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>" and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>" and "(z, \<gamma>) \<notin> vars {A, D}"
+          by simp_all
+        then show ?thesis
+        proof (cases "(x, \<alpha>) \<notin> free_vars D")
+          case True
+          define D' where "D' = \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} D"
+          have "is_substitution {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>}"
+            by auto
+          with \<open>D \<in> wffs\<^bsub>\<delta>\<^esub>\<close> and D'_def have "D' \<in> wffs\<^bsub>\<delta>\<^esub>"
+            using substitution_preserves_typing by blast
+          then have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>z\<^bsub>\<gamma>\<^esub>. D') \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>z\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. D') \<sqdot> A"
+            using \<open>z\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>\<close> and \<open>(z, \<gamma>) \<notin> vars {A, D}\<close> and axiom_4_4[OF assms(1)]
+            and axiom_is_derivable_from_no_hyps
+            by auto
+          moreover have "\<section>2": "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D') \<sqdot> A =\<^bsub>\<delta>\<^esub> D'"
+          proof -
+            have "form_size D' = form_size D"
+              unfolding D'_def by (fact renaming_substitution_preserves_form_size)
+            then have "form_size D' < form_size B"
+              using \<open>form_size D < form_size B\<close> by simp
+            moreover from \<open>z\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>\<close> have "is_free_for A (x, \<alpha>) D'"
+              unfolding D'_def and is_free_for_def
+              using substitution_preserves_freeness[OF True] and is_free_at_in_free_vars
+              by fast
+            ultimately have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D') \<sqdot> A =\<^bsub>\<delta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} D'"
+              using less(1) and assms(1) and \<open>D' \<in> wffs\<^bsub>\<delta>\<^esub>\<close> by simp
+            moreover from \<open>z\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>\<close> have "(x, \<alpha>) \<notin> free_vars D'"
+              unfolding D'_def using substitution_preserves_freeness[OF True] by fast
+            then have "\<^bold>S {(x, \<alpha>) \<Zinj> A} D' = D'"
+              by (fact free_var_singleton_substitution_neutrality)
+            ultimately show ?thesis
+              by (simp only:)
+          qed
+          ultimately have "\<section>3": "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>z\<^bsub>\<gamma>\<^esub>. D') \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>z\<^bsub>\<gamma>\<^esub>. D'" (is \<open>\<turnstile> ?A3\<close>)
+            by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+          moreover have "\<section>4": "\<turnstile> (\<lambda>y\<^bsub>\<gamma>\<^esub>. D) =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>z\<^bsub>\<gamma>\<^esub>. D'"
+          proof -
+            have "(z, \<gamma>) \<notin> free_vars D"
+              using \<open>(z, \<gamma>) \<notin> vars {A, D}\<close> and free_vars_in_all_vars_set by auto
+            moreover have "is_free_for (z\<^bsub>\<gamma>\<^esub>) (y, \<gamma>) D"
+              using \<open>(z, \<gamma>) \<notin> vars {A, D}\<close> and absent_var_is_free_for by force
+            ultimately have "\<turnstile> \<lambda>y\<^bsub>\<gamma>\<^esub>. D =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>z\<^bsub>\<gamma>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} D"
+              using "\<alpha>"[OF \<open>D \<in> wffs\<^bsub>\<delta>\<^esub>\<close>] by fast
+            then show ?thesis
+              using D'_def by blast
+          qed
+          ultimately have "\<section>5": "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. D"
+          proof -
+            note rule_RR' = rule_RR[OF disjI2]
+            have "\<section>5\<^sub>1": "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>z\<^bsub>\<gamma>\<^esub>. D'" (is \<open>\<turnstile> ?A5\<^sub>1\<close>)
+              by (rule rule_RR'[OF "\<section>4", where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotleft>]" and C = "?A3"]) (use "\<section>3" in \<open>force+\<close>)
+            show ?thesis
+              by (rule rule_RR'[OF "\<section>4", where p = "[\<guillemotright>]" and C = "?A5\<^sub>1"]) (use "\<section>5\<^sub>1" in \<open>force+\<close>)
+          qed
+          then show ?thesis
+            using free_var_singleton_substitution_neutrality[OF \<open>(x, \<alpha>) \<notin> free_vars D\<close>]
+            by (simp only: \<open>\<beta> = \<gamma>\<rightarrow>\<delta>\<close>)
+        next
+          case False
+          have "(y, \<gamma>) \<notin> free_vars A"
+          proof (rule ccontr)
+            assume "\<not> (y, \<gamma>) \<notin> free_vars A"
+            moreover from \<open>\<not> (x, \<alpha>) \<notin> free_vars D\<close> obtain p
+              where "p \<in> positions D" and "is_free_at (x, \<alpha>) p D"
+              using free_vars_in_is_free_at by blast
+            then have "\<guillemotleft> # p \<in> positions (\<lambda>y\<^bsub>\<gamma>\<^esub>. D)" and "is_free_at (x, \<alpha>) (\<guillemotleft> # p) (\<lambda>y\<^bsub>\<gamma>\<^esub>. D)"
+              using is_free_at_to_abs[OF \<open>is_free_at (x, \<alpha>) p D\<close>] and \<open>y\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>\<close> by (simp, fast)
+            moreover have "in_scope_of_abs (y, \<gamma>) (\<guillemotleft> # p) (\<lambda>y\<^bsub>\<gamma>\<^esub>. D)"
+              by force
+            ultimately have "\<not> is_free_for A (x, \<alpha>) (\<lambda>y\<^bsub>\<gamma>\<^esub>. D)"
+              by blast
+            with \<open>is_free_for A (x, \<alpha>) B\<close>[unfolded abs_is_wff(2)] show False
+              by contradiction
+          qed
+          define A' where "A' = rename_bound_var (y, \<gamma>) z A"
+          have "A' \<in> wffs\<^bsub>\<alpha>\<^esub>"
+            unfolding A'_def by (fact rename_bound_var_preserves_typing[OF assms(1)])
+          from \<open>(z, \<gamma>) \<notin> vars {A, D}\<close> have "(y, \<gamma>) \<notin> vars A'"
+            using
+              old_var_not_free_not_occurring_after_rename
+              [
+                OF assms(1) \<open>z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>\<close> \<open>(y, \<gamma>) \<notin> free_vars A\<close>
+              ]
+            unfolding A'_def by simp
+          from A'_def have "\<section>6": "\<turnstile> A =\<^bsub>\<alpha>\<^esub> A'"
+            using bound_var_renaming_equality[OF assms(1) \<open>z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>\<close>] and \<open>(z, \<gamma>) \<notin> vars {A, D}\<close>
+            by simp
+          moreover have "\<section>7": "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A' =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A'" (is \<open>\<turnstile> ?A7\<close>)
+            using axiom_4_4[OF \<open>A' \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> \<open>D \<in> wffs\<^bsub>\<delta>\<^esub>\<close>]
+            and \<open>(y, \<gamma>) \<notin> vars A'\<close> and \<open>y\<^bsub>\<gamma>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>\<close> and axiom_is_derivable_from_no_hyps
+            by auto
+          ultimately have "\<section>8": "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A"
+          proof -
+            note rule_RR' = rule_RR[OF disjI2]
+            have "\<section>8\<^sub>1": "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. D) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>y\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A'" (is \<open>\<turnstile> ?A8\<^sub>1\<close>)
+              by (rule rule_RR'[OF "\<section>6", where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = "?A7"]) (use "\<section>7" in \<open>force+\<close>)
+            show ?thesis
+              by (rule rule_RR'[OF "\<section>6", where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = "?A8\<^sub>1"]) (use "\<section>8\<^sub>1" in \<open>force+\<close>)
+          qed
+          moreover have "form_size D < form_size B"
+            unfolding abs_is_wff(2) by (simp only: form_size.simps(4) lessI)
+          with assms(1) have "\<section>9": "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. D) \<sqdot> A =\<^bsub>\<delta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} D"
+            using less(1) and \<open>D \<in> wffs\<^bsub>\<delta>\<^esub>\<close> and \<open>is_free_for A (x, \<alpha>) D\<close> by (simp only:)
+          ultimately show ?thesis
+            unfolding \<open>\<beta> = \<gamma>\<rightarrow>\<delta>\<close> by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+        qed
+      qed
+      then show ?thesis
+        unfolding abs_is_wff(2) using False and singleton_substitution_simps(4) by simp
+    qed
+  qed
+qed
+
+end
+
+subsection \<open>Proposition 5208\<close>
+
+proposition prop_5208:
+  assumes "vs \<noteq> []" and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  shows "\<turnstile> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs) =\<^bsub>\<beta>\<^esub> B"
+using assms(1) proof (induction vs rule: list_nonempty_induct)
+  case (single v)
+  obtain x and \<alpha> where "v = (x, \<alpha>)"
+    by fastforce
+  then have "\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> [v] B) (map FVar [v]) = (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> x\<^bsub>\<alpha>\<^esub>"
+    by simp
+  moreover have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> x\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> B"
+  proof -
+    have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) B"
+      by fastforce
+    then have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> x\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> x\<^bsub>\<alpha>\<^esub>} B"
+      by (rule prop_5207 [OF wffs_of_type_intros(1) assms(2)])
+    then show ?thesis
+      using identity_singleton_substitution_neutrality by (simp only:)
+  qed
+  ultimately show ?case
+    by (simp only:)
+next
+  case (cons v vs)
+  obtain x and \<alpha> where "v = (x, \<alpha>)"
+    by fastforce
+  have "\<turnstile> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B) (map FVar (v # vs)) =\<^bsub>\<beta>\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs)"
+  proof -
+    have "\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B) (map FVar (v # vs)) \<in> wffs\<^bsub>\<beta>\<^esub>"
+    proof -
+      have "\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B \<in> wffs\<^bsub>foldr (\<rightarrow>) (map snd (v # vs)) \<beta>\<^esub>"
+        using generalized_abs_wff [OF assms(2)] by blast
+      moreover
+      have "\<forall>k < length (map FVar (v # vs)). map FVar (v # vs) ! k \<in> wffs\<^bsub>map snd (v # vs) ! k\<^esub>"
+      proof safe
+        fix k
+        assume *: "k < length (map FVar (v # vs))"
+        moreover obtain x and \<alpha> where "(v # vs) ! k = (x, \<alpha>)"
+          by fastforce
+        with * have "map FVar (v # vs) ! k = x\<^bsub>\<alpha>\<^esub>" and "map snd (v # vs) ! k = \<alpha>"
+          by (metis length_map nth_map snd_conv)+
+        ultimately show "map FVar (v # vs) ! k \<in> wffs\<^bsub>map snd (v # vs) ! k\<^esub>"
+          by fastforce
+      qed
+      ultimately show ?thesis
+        using generalized_app_wff[where As = "map FVar (v # vs)" and ts = "map snd (v # vs)"] by simp
+    qed
+    then have "
+      \<turnstile> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B) (map FVar (v # vs)) =\<^bsub>\<beta>\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B) (map FVar (v # vs))"
+      by (fact prop_5200)
+    then have "
+      \<turnstile> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B) (map FVar (v # vs)) =\<^bsub>\<beta>\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> ((\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B) \<sqdot> FVar v) (map FVar vs)"
+      by simp
+    moreover have "\<turnstile> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B) \<sqdot> FVar v =\<^bsub>foldr (\<rightarrow>) (map snd vs) \<beta>\<^esub> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B)"
+    proof -
+      have "\<turnstile> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B) \<sqdot> FVar v =\<^bsub>foldr (\<rightarrow>) (map snd vs) \<beta>\<^esub> \<^bold>S {v \<Zinj> FVar v} (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B)"
+      proof -
+        from \<open>v = (x, \<alpha>)\<close> have "\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B = \<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B"
+          by simp
+        have "\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B \<in> wffs\<^bsub>foldr (\<rightarrow>) (map snd vs) \<beta>\<^esub>"
+          using generalized_abs_wff[OF assms(2)] by blast
+        moreover have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B)"
+          by fastforce
+        ultimately
+        have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) \<sqdot> x\<^bsub>\<alpha>\<^esub> =\<^bsub>foldr (\<rightarrow>) (map snd vs) \<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> x\<^bsub>\<alpha>\<^esub>} \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B"
+          by (rule prop_5207 [OF wffs_of_type_intros(1)])
+        with \<open>v = (x, \<alpha>)\<close> show ?thesis
+          by simp
+      qed
+    then show ?thesis
+      using identity_singleton_substitution_neutrality by (simp only:)
+    qed
+    ultimately show ?thesis
+    proof (induction rule: rule_R [where p = "[\<guillemotright>] @ replicate (length vs) \<guillemotleft>"])
+      case occ_subform
+      then show ?case
+        unfolding equality_of_type_def using leftmost_subform_in_generalized_app
+        by (metis append_Cons append_Nil is_subform_at.simps(3) length_map)
+    next
+      case replacement
+      then show ?case
+        unfolding equality_of_type_def using leftmost_subform_in_generalized_app_replacement
+        and is_subform_implies_in_positions and leftmost_subform_in_generalized_app
+        by (metis append_Cons append_Nil length_map replace_right_app)
+    qed
+  qed
+  moreover have "\<turnstile> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs) =\<^bsub>\<beta>\<^esub> B"
+    by (fact cons.IH)
+  ultimately show ?case
+    by (rule rule_R [where p = "[\<guillemotright>]"]) auto
+qed
+
+subsection \<open>Proposition 5209\<close>
+
+proposition prop_5209:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<beta>\<^esub>" and "C \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "\<turnstile> B =\<^bsub>\<beta>\<^esub> C"
+  and "is_free_for A (x, \<alpha>) (B =\<^bsub>\<beta>\<^esub> C)"
+  shows "\<turnstile> \<^bold>S {(x, \<alpha>) \<Zinj> A} (B =\<^bsub>\<beta>\<^esub> C)"
+proof -
+  have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<beta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A"
+  proof -
+    have "(\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A \<in> wffs\<^bsub>\<beta>\<^esub>"
+      using assms(1,2) by blast
+    then show ?thesis
+      by (fact prop_5200)
+  qed
+  from this and assms(4) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<beta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A"
+    by (rule rule_R [where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotleft>]"]) force+
+  moreover have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+  proof -
+    from assms(5)[unfolded equality_of_type_def] have "is_free_for A (x, \<alpha>) (Q\<^bsub>\<beta>\<^esub> \<sqdot> B)"
+      by (rule is_free_for_from_app)
+    then have "is_free_for A (x, \<alpha>) B"
+      by (rule is_free_for_from_app)
+    with assms(1,2) show ?thesis
+      by (rule prop_5207)
+  qed
+  moreover have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} C"
+  proof -
+    from assms(5)[unfolded equality_of_type_def] have "is_free_for A (x, \<alpha>) C"
+      by (rule is_free_for_from_app)
+    with assms(1,3) show ?thesis
+      by (rule prop_5207)
+  qed
+  ultimately have "\<turnstile> (\<^bold>S {(x, \<alpha>) \<Zinj> A} B) =\<^bsub>\<beta>\<^esub> (\<^bold>S {(x, \<alpha>) \<Zinj> A} C)"
+    using Equality_Rules(2,3) by blast
+  then show ?thesis
+    by simp
+qed
+
+subsection \<open>Proposition 5210\<close>
+
+proposition prop_5210:
+  assumes "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  shows "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (B =\<^bsub>\<beta>\<^esub> B)"
+proof -
+  have "\<section>1": "
+    \<turnstile>
+      ((\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) =\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub> (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>))
+      =\<^bsub>o\<^esub>
+      \<forall>\<xx>\<^bsub>\<beta>\<^esub>. ((\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<sqdot> \<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<sqdot> \<xx>\<^bsub>\<beta>\<^esub>)"
+  proof -
+    have "\<turnstile> (\<ff>\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>\<beta>\<^esub>. (\<ff>\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<beta>\<^esub>)" (is "\<turnstile> ?B =\<^bsub>o\<^esub> ?C")
+      using axiom_3[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    moreover have "(\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<in> wffs\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub>" and "?B \<in> wffs\<^bsub>o\<^esub>" and "?C \<in> wffs\<^bsub>o\<^esub>"
+      by auto
+    moreover have "is_free_for (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) (\<ff>, \<beta>\<rightarrow>\<beta>) (?B =\<^bsub>o\<^esub> ?C)"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S {(\<ff>, \<beta>\<rightarrow>\<beta>) \<Zinj> (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>)} (?B =\<^bsub>o\<^esub> ?C)" (is "\<turnstile> ?S")
+      using prop_5209 by presburger
+    moreover have "?S =
+      (
+        (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) =\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>\<beta>\<^esub>. ((\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<sqdot> \<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<beta>\<^esub>
+      )" (is "_ = ?B' =\<^bsub>o\<^esub> ?C'")
+      by simp
+    ultimately have "\<turnstile> ?B' =\<^bsub>o\<^esub> ?C'"
+      by (simp only:)
+    moreover from \<open>(\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<in> wffs\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub>\<close> have "?B' \<in> wffs\<^bsub>o\<^esub>" and "?C' \<in> wffs\<^bsub>o\<^esub>"
+      by auto
+    moreover have "is_free_for (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) (\<gg>, \<beta>\<rightarrow>\<beta>) (?B' =\<^bsub>o\<^esub> ?C')"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S {(\<gg>, \<beta>\<rightarrow>\<beta>) \<Zinj> (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>)} (?B' =\<^bsub>o\<^esub> ?C')" (is "\<turnstile> ?S'")
+      using prop_5209[OF \<open>(\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<in> wffs\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub>\<close>] by blast
+    then show ?thesis
+      by simp
+  qed
+  then have "\<turnstile> (\<lambda>\<xx>\<^bsub>\<beta>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>\<beta>\<rightarrow>o\<^esub> (\<lambda>\<xx>\<^bsub>\<beta>\<^esub>. (\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>))"
+  proof -
+    have "\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub> \<in> wffs\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub>"
+      by blast
+    then have "\<turnstile> \<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<rightarrow>\<beta>\<^esub> \<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>"
+      by (fact prop_5200)
+    with "\<section>1" have "\<turnstile> \<forall>\<xx>\<^bsub>\<beta>\<^esub>. ((\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<sqdot> \<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<sqdot> \<xx>\<^bsub>\<beta>\<^esub>)"
+      using rule_R and is_subform_at.simps(1) by blast
+    moreover have "\<turnstile> (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<sqdot> \<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>"
+      using axiom_4_2[OF wffs_of_type_intros(1)] by (rule axiom_is_derivable_from_no_hyps)
+    ultimately have "\<turnstile> \<forall>\<xx>\<^bsub>\<beta>\<^esub>. (\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<sqdot> \<xx>\<^bsub>\<beta>\<^esub>)"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotleft>,\<guillemotright>]"]) auto
+    from this and \<open>\<turnstile> (\<lambda>\<yy>\<^bsub>\<beta>\<^esub>. \<yy>\<^bsub>\<beta>\<^esub>) \<sqdot> \<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>\<close> have "\<turnstile> \<forall>\<xx>\<^bsub>\<beta>\<^esub>. (\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>)"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) auto
+    then show ?thesis
+      unfolding forall_def and PI_def by (fold equality_of_type_def)
+  qed
+  from this and assms have 3: "\<turnstile> (\<lambda>\<xx>\<^bsub>\<beta>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> B =\<^bsub>o\<^esub> (\<lambda>\<xx>\<^bsub>\<beta>\<^esub>. (\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>)) \<sqdot> B"
+    by (rule Equality_Rules(5))
+  then show ?thesis
+  proof -
+    have "\<turnstile> (\<lambda>\<xx>\<^bsub>\<beta>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+      using prop_5207[OF assms true_wff] by fastforce
+    from 3 and this have "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (\<lambda>\<xx>\<^bsub>\<beta>\<^esub>. (\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>)) \<sqdot> B"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>]"]) auto
+    moreover have "\<turnstile> (\<lambda>\<xx>\<^bsub>\<beta>\<^esub>. (\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>)) \<sqdot> B =\<^bsub>o\<^esub> (B =\<^bsub>\<beta>\<^esub> B)"
+    proof -
+      have "\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub> \<in> wffs\<^bsub>o\<^esub>" and "is_free_for B (\<xx>, \<beta>) (\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>)"
+        by (blast, intro is_free_for_in_equality is_free_for_in_var)
+      moreover have "\<^bold>S {(\<xx>, \<beta>) \<Zinj> B} (\<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> \<xx>\<^bsub>\<beta>\<^esub>) = (B =\<^bsub>\<beta>\<^esub> B)"
+        by simp
+      ultimately show ?thesis
+        using prop_5207[OF assms] by metis
+    qed
+    ultimately show ?thesis
+      by (rule rule_R [where p = "[\<guillemotright>]"]) auto
+  qed
+qed
+
+subsection \<open>Proposition 5211\<close>
+
+proposition prop_5211:
+  shows "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+proof -
+  have const_T_wff: "(\<lambda>x\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>" for x
+   by blast
+  have "\<section>1": "\<turnstile> (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub>"
+  proof -
+    have "\<turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>" (is "\<turnstile> ?B =\<^bsub>o\<^esub> ?C")
+      using axiom_1[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    moreover have "?B \<in> wffs\<^bsub>o\<^esub>" and "?C \<in> wffs\<^bsub>o\<^esub>"
+      by auto
+    moreover have "is_free_for (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) (\<gg>, o\<rightarrow>o) (?B =\<^bsub>o\<^esub> ?C)"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S {(\<gg>, o\<rightarrow>o) \<Zinj> (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>)} (?B =\<^bsub>o\<^esub> ?C)"
+      using const_T_wff and prop_5209 by presburger
+    then show ?thesis
+      by simp
+  qed
+  then have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>"
+  proof -
+    have T_\<beta>_redex: "\<turnstile> (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" if "A \<in> wffs\<^bsub>o\<^esub>" for A
+      using that and prop_5207[OF that true_wff] by fastforce
+    from "\<section>1" and T_\<beta>_redex[OF true_wff]
+    have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    from this and T_\<beta>_redex[OF false_wff] have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (\<lambda>\<yy>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]"]) force+
+    from this and T_\<beta>_redex[OF wffs_of_type_intros(1)] show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+  qed
+  moreover have "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>"
+    using prop_5210[OF const_T_wff] by simp
+  ultimately show ?thesis
+    using Equality_Rules(2,3) by blast
+qed
+
+lemma true_is_derivable:
+  shows "\<turnstile> T\<^bsub>o\<^esub>"
+  unfolding true_def using Q_wff by (rule prop_5200)
+
+subsection \<open>Proposition 5212\<close>
+
+proposition prop_5212:
+  shows "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>"
+proof -
+  have "\<turnstile> T\<^bsub>o\<^esub>"
+    by (fact true_is_derivable)
+  moreover have "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    by (fact prop_5211)
+  then have "\<turnstile> T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>)"
+    unfolding equivalence_def by (fact Equality_Rules(2))
+  ultimately show ?thesis
+    by (rule Equality_Rules(1))
+qed
+
+subsection \<open>Proposition 5213\<close>
+
+proposition prop_5213:
+  assumes "\<turnstile> A =\<^bsub>\<alpha>\<^esub> B" and "\<turnstile> C =\<^bsub>\<beta>\<^esub> D"
+  shows "\<turnstile> (A =\<^bsub>\<alpha>\<^esub> B) \<and>\<^sup>\<Q> (C =\<^bsub>\<beta>\<^esub> D)"
+proof -
+  from assms have "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "C \<in> wffs\<^bsub>\<beta>\<^esub>"
+    using hyp_derivable_form_is_wffso and wffs_from_equality by blast+
+  have "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (A =\<^bsub>\<alpha>\<^esub> A)"
+    by (fact prop_5210[OF \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close>])
+  moreover have "\<turnstile> A =\<^bsub>\<alpha>\<^esub> B"
+    by fact
+  ultimately have "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (A =\<^bsub>\<alpha>\<^esub> B)"
+    by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>]"]) force+
+  have "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (C =\<^bsub>\<beta>\<^esub> C)"
+    by (fact prop_5210[OF \<open>C \<in> wffs\<^bsub>\<beta>\<^esub>\<close>])
+  moreover have "\<turnstile> C =\<^bsub>\<beta>\<^esub> D"
+    by fact
+  ultimately have "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (C =\<^bsub>\<beta>\<^esub> D)"
+    by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>]"]) force+
+  then show ?thesis
+  proof -
+    have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>"
+      by (fact prop_5212)
+    from this and \<open>\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (A =\<^bsub>\<alpha>\<^esub> B)\<close> have "\<turnstile> (A =\<^bsub>\<alpha>\<^esub> B) \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>]"]) force+
+    from this and \<open>\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (C =\<^bsub>\<beta>\<^esub> D)\<close> show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>]"]) force+
+  qed
+qed
+
+subsection \<open>Proposition 5214\<close>
+
+proposition prop_5214:
+  shows "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+proof -
+  have id_on_o_is_wff: "(\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by blast
+  have "\<section>1": "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub>"
+  proof -
+    have "\<turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>" (is "\<turnstile> ?B =\<^bsub>o\<^esub> ?C")
+      using axiom_1[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    moreover have "?B \<in> wffs\<^bsub>o\<^esub>" and "?C \<in> wffs\<^bsub>o\<^esub>" and "is_free_for (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) (\<gg>, o\<rightarrow>o) (?B =\<^bsub>o\<^esub> ?C)"
+      by auto
+    ultimately have "\<turnstile> \<^bold>S {(\<gg>, o\<rightarrow>o) \<Zinj> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)} (?B =\<^bsub>o\<^esub> ?C)"
+      using id_on_o_is_wff and prop_5209 by presburger
+    then show ?thesis
+      by simp
+  qed
+  then have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>"
+  proof -
+    have id_\<beta>_redex: "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> A =\<^bsub>o\<^esub> A" if "A \<in> wffs\<^bsub>o\<^esub>" for A
+      by (fact axiom_is_derivable_from_no_hyps[OF axiom_4_2[OF that]])
+    from "\<section>1" and id_\<beta>_redex[OF true_wff]
+    have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    from this and id_\<beta>_redex[OF false_wff] have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]"]) force+
+    from this and id_\<beta>_redex[OF wffs_of_type_intros(1)] show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+  qed
+  then show ?thesis
+    by simp
+qed
+
+subsection \<open>Proposition 5215 (Universal Instantiation)\<close>
+
+proposition prop_5215:
+  assumes "\<H> \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. B" and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "is_free_for A (x, \<alpha>) B"
+  shows "\<H> \<turnstile> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+proof -
+  from assms(1) have "is_hyps \<H>"
+    by (blast elim: is_derivable_from_hyps.cases)
+  from assms(1) have "\<H> \<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>\<alpha>\<rightarrow>o\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+    by simp
+  with assms(2) have "\<H> \<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> A =\<^bsub>o\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A"
+    by (intro Equality_Rules(5))
+  then have "\<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+  proof -
+    have "\<H> \<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    proof -
+      have "\<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using prop_5207[OF assms(2) true_wff is_free_for_in_true] and derived_substitution_simps(1)
+        by (simp only:)
+      from this and \<open>is_hyps \<H>\<close> show ?thesis
+        by (rule derivability_implies_hyp_derivability)
+    qed
+    moreover have "\<H> \<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>o\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+    proof -
+      have "B \<in> wffs\<^bsub>o\<^esub>"
+        using hyp_derivable_form_is_wffso[OF assms(1)] by (fastforce elim: wffs_from_forall)
+      with assms(2,3) have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>o\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+        using prop_5207 by (simp only:)
+      from this and \<open>is_hyps \<H>\<close> show ?thesis
+        by (rule derivability_implies_hyp_derivability)
+    qed
+    ultimately show ?thesis
+      using \<open>\<H> \<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> A =\<^bsub>o\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A\<close> and Equality_Rules(2,3) by meson
+  qed
+  then show ?thesis
+  proof -
+    have "\<H> \<turnstile> T\<^bsub>o\<^esub>"
+      by (fact derivability_implies_hyp_derivability[OF true_is_derivable \<open>is_hyps \<H>\<close>])
+    from this and \<open>\<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B\<close> show ?thesis
+      by (rule Equality_Rules(1)[unfolded equivalence_def])
+  qed
+qed
+
+lemmas "\<forall>I" = prop_5215 (* synonym *)
+
+subsection \<open>Proposition 5216\<close>
+
+proposition prop_5216:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> A) =\<^bsub>o\<^esub> A"
+proof -
+  let ?B = "\<lambda>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+  have B_is_wff: "?B \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by auto
+  have "\<section>1": "\<turnstile> ?B \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> ?B \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+  proof -
+    have "\<turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>" (is "\<turnstile> ?C =\<^bsub>o\<^esub> ?D")
+      using axiom_1[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    moreover have "?C \<in> wffs\<^bsub>o\<^esub>" and "?D \<in> wffs\<^bsub>o\<^esub>" and "is_free_for ?B (\<gg>, o\<rightarrow>o) (?C =\<^bsub>o\<^esub> ?D)"
+      by auto
+    ultimately have "\<turnstile> \<^bold>S {(\<gg>, o\<rightarrow>o) \<Zinj> ?B} (?C =\<^bsub>o\<^esub> ?D)"
+      using B_is_wff and prop_5209 by presburger
+    then show ?thesis
+      by simp
+  qed
+  have *: "is_free_for A (\<xx>, o) (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)" for A
+    by (intro is_free_for_in_conj is_free_for_in_equality is_free_for_in_true is_free_for_in_var)
+  have "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>)"
+    by (fact prop_5213[OF prop_5211 prop_5214])
+  moreover
+  have "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+  proof -
+    have B_\<beta>_redex: "\<turnstile> ?B \<sqdot> A =\<^bsub>o\<^esub> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> A =\<^bsub>o\<^esub> A)" if "A \<in> wffs\<^bsub>o\<^esub>" for A
+    proof -
+      have "T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<^bold>S {(\<xx>, o) \<Zinj> A} (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) = (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> A =\<^bsub>o\<^esub> A)"
+        by simp
+      ultimately show ?thesis
+        using * and prop_5207[OF that] by metis
+    qed
+    from "\<section>1" and B_\<beta>_redex[OF true_wff]
+    have "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> ?B \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    from this and B_\<beta>_redex[OF false_wff]
+    have "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]"]) force+
+    from this and B_\<beta>_redex[OF wffs_of_type_intros(1)] show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+  qed
+  ultimately have "\<turnstile> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+    by (rule rule_R[where p = "[]"]) fastforce+
+  show ?thesis
+    using "\<forall>I"[OF \<open>\<turnstile> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)\<close> assms *] by simp
+qed
+
+subsection \<open>Proposition 5217\<close>
+
+proposition prop_5217:
+  shows "\<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+proof -
+  let ?B = "\<lambda>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+  have B_is_wff: "?B \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by auto
+  have *: "is_free_for A (\<xx>, o) (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)" for A
+    by (intro is_free_for_in_equality is_free_for_in_true is_free_for_in_var)
+  have "\<section>1": "\<turnstile> ?B \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> ?B \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+  proof -
+    have "\<turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>" (is "\<turnstile> ?C =\<^bsub>o\<^esub> ?D")
+      using axiom_1[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    moreover have "?C \<in> wffs\<^bsub>o\<^esub>" and "?D \<in> wffs\<^bsub>o\<^esub>" and "is_free_for ?B (\<gg>, o\<rightarrow>o) (?C =\<^bsub>o\<^esub> ?D)"
+      by auto
+    ultimately have "\<turnstile> \<^bold>S {(\<gg>, o\<rightarrow>o) \<Zinj> ?B} (?C =\<^bsub>o\<^esub> ?D)"
+      using B_is_wff and prop_5209 by presburger
+    then show ?thesis
+      by simp
+  qed
+  then have "\<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)" (is "\<turnstile> ?A")
+  proof -
+    have B_\<beta>_redex: "\<turnstile> ?B \<sqdot> A =\<^bsub>o\<^esub> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A)" if "A \<in> wffs\<^bsub>o\<^esub>" for A
+    proof -
+      have "T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+        by auto
+      moreover have "\<^bold>S {(\<xx>, o) \<Zinj> A} (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) = (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A)"
+        by simp
+      ultimately show ?thesis
+        using * and prop_5207[OF that] by metis
+    qed
+    from "\<section>1" and B_\<beta>_redex[OF true_wff] have "\<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> ?B \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    from this and B_\<beta>_redex[OF false_wff]
+    have "\<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]"]) force+
+    from this and B_\<beta>_redex[OF wffs_of_type_intros(1)] show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+  qed
+  from prop_5210[OF true_wff] have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+    by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A]) (force+, fact)
+  from this and prop_5216[where A = "T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"]
+  have "\<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+    by (rule rule_R [where p = "[\<guillemotleft>,\<guillemotright>]"]) force+
+  moreover have "\<section>5": "
+    \<turnstile> ((\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>o\<rightarrow>o\<^esub> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ((\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub>)"
+  proof -
+    have "\<turnstile> (\<ff>\<^bsub>o\<rightarrow>o\<^esub> =\<^bsub>o\<rightarrow>o\<^esub> \<gg>\<^bsub>o\<rightarrow>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (\<ff>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>)" (is "\<turnstile> ?C =\<^bsub>o\<^esub> ?D")
+      using axiom_3[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    moreover have "is_free_for ((\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>)) (\<ff>, o\<rightarrow>o) (?C =\<^bsub>o\<^esub> ?D)"
+      by fastforce
+    moreover have "(\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>" and "?C \<in> wffs\<^bsub>o\<^esub>" and "?D \<in> wffs\<^bsub>o\<^esub>"
+      by auto
+    ultimately have "\<turnstile> \<^bold>S {(\<ff>, o\<rightarrow>o) \<Zinj> (\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>)} (?C =\<^bsub>o\<^esub> ?D)"
+      using prop_5209 by presburger
+    then have "\<turnstile> ((\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>o\<rightarrow>o\<^esub> \<gg>\<^bsub>o\<rightarrow>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ((\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>)"
+      (is "\<turnstile> ?C' =\<^bsub>o\<^esub> ?D'")
+      by simp
+    moreover have "is_free_for ((\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)) (\<gg>, o\<rightarrow>o) (?C' =\<^bsub>o\<^esub> ?D')"
+      by fastforce
+    moreover have "(\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>" and "?C' \<in> wffs\<^bsub>o\<^esub>" and "?D' \<in> wffs\<^bsub>o\<^esub>"
+      using \<open>(\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> by auto
+    ultimately have "\<turnstile> \<^bold>S {(\<gg>, o\<rightarrow>o) \<Zinj> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)} (?C' =\<^bsub>o\<^esub> ?D')"
+      using prop_5209 by presburger
+    then show ?thesis
+      by simp
+  qed
+  then have "\<turnstile> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+  proof -
+    have "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+      using prop_5208[where vs = "[(\<xx>, o)]"] and true_wff by simp
+    with "\<section>5" have *: "
+      \<turnstile> ((\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>o\<rightarrow>o\<^esub> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub>)"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>,\<guillemotleft>,\<guillemotright>]"]) force+
+    have "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>"
+      using prop_5208[where vs = "[(\<xx>, o)]"] by fastforce
+    with * have "\<turnstile> ((\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>o\<rightarrow>o\<^esub> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    then show ?thesis
+      by simp
+  qed
+  ultimately show ?thesis
+    using Equality_Rules(2,3) by blast
+qed
+
+subsection \<open>Proposition 5218\<close>
+
+proposition prop_5218:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A) =\<^bsub>o\<^esub> A"
+proof -
+  let ?B = "\<lambda>\<xx>\<^bsub>o\<^esub>. ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+  have B_is_wff: "?B \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by auto
+  have "\<section>1": "\<turnstile> ?B \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> ?B \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+  proof -
+    have "\<turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>" (is "\<turnstile> ?C =\<^bsub>o\<^esub> ?D")
+      using axiom_1[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    moreover have "?C \<in> wffs\<^bsub>o\<^esub>" and "?D \<in> wffs\<^bsub>o\<^esub>" and "is_free_for ?B (\<gg>, o\<rightarrow>o) (?C =\<^bsub>o\<^esub> ?D)"
+      by auto
+    ultimately have "\<turnstile> \<^bold>S {(\<gg>, o\<rightarrow>o) \<Zinj> ?B} (?C =\<^bsub>o\<^esub> ?D)"
+      using prop_5209[OF B_is_wff] by presburger
+    then show ?thesis
+      by simp
+  qed
+  have *: "is_free_for A (\<xx>, o) ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)" for A
+    by (intro is_free_for_in_equality is_free_for_in_true is_free_for_in_var)
+  have "\<section>2": "
+    \<turnstile>
+      ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>)
+      =\<^bsub>o\<^esub>
+      \<forall>\<xx>\<^bsub>o\<^esub>. ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+  proof -
+    have B_\<beta>_redex: "\<turnstile> ?B \<sqdot> A =\<^bsub>o\<^esub> ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A) =\<^bsub>o\<^esub> A)" if "A \<in> wffs\<^bsub>o\<^esub>" for A
+    proof -
+      have "(T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+        by auto
+      moreover have "\<^bold>S {(\<xx>, o) \<Zinj> A} ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) = ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A) =\<^bsub>o\<^esub> A)"
+        by simp
+      ultimately show ?thesis
+        using * and prop_5207[OF that] by metis
+    qed
+    from "\<section>1" and B_\<beta>_redex[OF true_wff]
+    have "\<turnstile> ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> ?B \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    from this and B_\<beta>_redex[OF false_wff]
+    have "\<turnstile> ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. ?B \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]"]) force+
+    from this and B_\<beta>_redex[OF wffs_of_type_intros(1)] show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+  qed
+  have "\<section>3": "\<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    by (fact Equality_Rules(2)[OF prop_5210 [OF true_wff]])
+  have "\<turnstile> ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>)"
+    by (fact prop_5213[OF "\<section>3" prop_5217])
+  from this and "\<section>2" have "\<section>4": "\<turnstile> \<forall>\<xx>\<^bsub>o\<^esub>. ((T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<xx>\<^bsub>o\<^esub>)"
+    by (rule rule_R[where p = "[]"]) fastforce+
+  then show ?thesis
+    using "\<forall>I"[OF "\<section>4" assms *] by simp
+qed
+
+subsection \<open>Proposition 5219 (Rule T)\<close>
+
+proposition prop_5219_1:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<H> \<turnstile> A \<longleftrightarrow> \<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A"
+proof safe
+  assume "\<H> \<turnstile> A"
+  then have "is_hyps \<H>"
+    by (blast dest: is_derivable_from_hyps.cases)
+  then have "\<H> \<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A) =\<^bsub>o\<^esub> A"
+    by (fact derivability_implies_hyp_derivability[OF prop_5218[OF assms]])
+  with \<open>\<H> \<turnstile> A\<close> show "\<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A"
+    using Equality_Rules(1)[unfolded equivalence_def] and Equality_Rules(2) by blast
+next
+  assume "\<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A"
+  then have "is_hyps \<H>"
+    by (blast dest: is_derivable_from_hyps.cases)
+  then have "\<H> \<turnstile> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A) =\<^bsub>o\<^esub> A"
+    by (fact derivability_implies_hyp_derivability[OF prop_5218[OF assms]])
+  with \<open>\<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A\<close> show "\<H> \<turnstile> A"
+    by (rule Equality_Rules(1)[unfolded equivalence_def])
+qed
+
+proposition prop_5219_2:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<H> \<turnstile> A \<longleftrightarrow> \<H> \<turnstile> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  using prop_5219_1[OF assms] and Equality_Rules(2) by blast
+
+lemmas rule_T = prop_5219_1 prop_5219_2
+
+subsection \<open>Proposition 5220 (Universal Generalization)\<close>
+
+context
+begin
+
+private lemma const_true_\<alpha>_conversion:
+  shows "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>\<alpha>\<rightarrow>o\<^esub> (\<lambda>z\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>)"
+proof -
+  have "(z, \<alpha>) \<notin> free_vars T\<^bsub>o\<^esub>" and "is_free_for (z\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) T\<^bsub>o\<^esub>"
+    by auto
+  then have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<lambda>z\<^bsub>\<alpha>\<^esub>. \<^bold>S {(x, \<alpha>) \<Zinj> z\<^bsub>\<alpha>\<^esub>} T\<^bsub>o\<^esub>"
+    by (rule prop_5206[OF true_wff])
+  then show ?thesis
+    by simp
+qed
+
+proposition prop_5220:
+  assumes "\<H> \<turnstile> A"
+  and "(x, \<alpha>) \<notin> free_vars \<H>"
+  shows "\<H> \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. A"
+proof -
+  from \<open>\<H> \<turnstile> A\<close> have "is_hyps \<H>"
+    by (blast dest: is_derivable_from_hyps.cases)
+  have "\<H> \<turnstile> A"
+    by fact
+  then have "\<section>2": "\<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A"
+    using rule_T(1)[OF hyp_derivable_form_is_wffso[OF \<open>\<H> \<turnstile> A\<close>]] by simp
+  have "\<section>3": "\<H> \<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>\<alpha>\<rightarrow>o\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>)"
+    by (fact derivability_implies_hyp_derivability[OF const_true_\<alpha>_conversion \<open>is_hyps \<H>\<close>])
+  from "\<section>3" and "\<section>2" have "\<H> \<turnstile> \<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> =\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<lambda>x\<^bsub>\<alpha>\<^esub>. A"
+  proof (induction rule: rule_R'[where p = "[\<guillemotright>, \<guillemotleft>]"])
+    case no_capture
+    have *: "[\<guillemotright>,\<guillemotleft>] \<in> positions (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> =\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<lambda>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>)"
+      by simp
+    show ?case
+      unfolding rule_R'_side_condition_def and capture_exposed_vars_at_alt_def[OF *] using assms(2)
+      by simp
+  qed force+
+  then show ?thesis
+    unfolding forall_def[unfolded PI_def, folded equality_of_type_def] .
+qed
+
+end
+
+lemmas Gen = prop_5220 (* synonym *)
+
+proposition generalized_Gen:
+  assumes "\<H> \<turnstile> A"
+  and "lset vs \<inter> free_vars \<H> = {}"
+  shows "\<H> \<turnstile> \<forall>\<^sup>\<Q>\<^sub>\<star> vs A"
+using assms(2) proof (induction vs)
+  case Nil
+  then show ?case
+    using assms(1) by simp
+next
+  case (Cons v vs)
+  obtain x and \<alpha> where "v = (x, \<alpha>)"
+    by fastforce
+  with Cons.prems have "lset vs \<inter> free_vars \<H> = {}" and "(x, \<alpha>) \<notin> free_vars \<H>"
+    by simp_all
+  from \<open>lset vs \<inter> free_vars \<H> = {}\<close> have "\<H> \<turnstile> \<forall>\<^sup>\<Q>\<^sub>\<star> vs A"
+    by (fact Cons.IH)
+  with \<open>(x, \<alpha>) \<notin> free_vars \<H>\<close> and \<open>v = (x, \<alpha>)\<close> show ?case
+    using Gen by simp
+qed
+
+subsection \<open>Proposition 5221 (Substitution)\<close>
+
+context
+begin
+
+private lemma prop_5221_aux:
+  assumes "\<H> \<turnstile> B"
+  and "(x, \<alpha>) \<notin> free_vars \<H>"
+  and "is_free_for A (x, \<alpha>) B"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<H> \<turnstile> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+proof -
+  have "\<H> \<turnstile> B"
+    by fact
+  from this and assms(2) have "\<H> \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. B"
+    by (rule Gen)
+  from this and assms(4,3) show ?thesis
+    by (rule "\<forall>I")
+qed
+
+proposition prop_5221:
+  assumes "\<H> \<turnstile> B"
+  and "is_substitution \<theta>"
+  and "\<forall>v \<in> fmdom' \<theta>. var_name v \<notin> free_var_names \<H> \<and> is_free_for (\<theta> $$! v) v B"
+  and "\<theta> \<noteq> {$$}"
+  shows "\<H> \<turnstile> \<^bold>S \<theta> B"
+proof -
+  obtain xs and As
+    where "lset xs = fmdom' \<theta>" \<comment> \<open>i.e., $x^1_{\alpha_1},\dots,x^n_{\alpha_n}$\<close>
+    and "As = map (($$!) \<theta>) xs" \<comment> \<open>i.e., $A^1_{\alpha_1},\dots,A^n_{\alpha_n}$\<close>
+    and "length xs = card (fmdom' \<theta>)"
+    by (metis distinct_card finite_distinct_list finite_fmdom')
+  then have "distinct xs"
+    by (simp add: card_distinct)
+  from \<open>lset xs = fmdom' \<theta>\<close> and \<open>As = map (($$!) \<theta>) xs\<close> have "lset As = fmran' \<theta>"
+    by (intro subset_antisym subsetI) (force simp add: fmlookup_dom'_iff fmlookup_ran'_iff)+
+  from assms(1) have "finite (var_name ` (vars B \<union> vars (lset As) \<union> vars \<H>))"
+    by (cases rule: is_derivable_from_hyps.cases) (simp_all add: finite_Domain vars_form_finiteness)
+  then obtain ys \<comment> \<open>i.e., $y^1_{\alpha_1},\dots,y^n_{\alpha_n}$\<close>
+    where "length ys = length xs"
+    and "distinct ys"
+    and ys_fresh: "
+      (var_name ` lset ys) \<inter> (var_name ` (vars B \<union> vars (lset As) \<union> vars \<H> \<union> lset xs)) = {}"
+    and "map var_type ys = map var_type xs"
+    using fresh_var_list_existence by (metis image_Un)
+  have "length xs = length As"
+    by (simp add: \<open>As = map (($$!) \<theta>) xs\<close>)
+  \<comment> \<open>$\mathcal{H}\;\vdash\;\d{\textsf{S}}\;
+      ^{x^1_{\alpha_1}\;\dots\;x^k_{\alpha_k} x^{k+1}_{\alpha_{k+1}}\;\dots\;x^n_{\alpha_n}}
+      _{A^1_{\alpha_1}\;\dots\;A^k_{\alpha_k} y^{k+1}_{\alpha_{k+1}}\;\dots\;y^n_{\alpha_n}} B$\<close>
+  have "\<H> \<turnstile> \<^bold>S (fmap_of_list (zip xs (take k As @ drop k (map FVar ys)))) B" if "k \<le> length xs" for k
+  using that proof (induction k)
+    case 0
+    have "\<H> \<turnstile> \<^bold>S (fmap_of_list (zip xs (map FVar ys))) B"
+      using \<open>length ys = length xs\<close>
+      and \<open>length xs = length As\<close>
+      and \<open>(var_name ` lset ys) \<inter> (var_name ` (vars B \<union> vars (lset As) \<union> vars \<H> \<union> lset xs)) = {}\<close>
+      and \<open>lset xs = fmdom' \<theta>\<close>
+      and \<open>distinct ys\<close>
+      and assms(3)
+      and \<open>map var_type ys = map var_type xs\<close>
+      and \<open>distinct xs\<close>
+      and \<open>length xs = card (fmdom' \<theta>)\<close>
+    proof (induction ys xs As arbitrary: \<theta> rule: list_induct3)
+      case Nil
+      with assms(1) show ?case
+        using empty_substitution_neutrality by auto
+    next
+      \<comment> \<open>In the following:
+        \begin{itemize}
+        \item $\vartheta =
+          \{x^1_{\alpha_1} \rightarrowtail y^1_{\alpha_1},\dots,x^n_{\alpha_n} \rightarrowtail y^n_{\alpha_n}\}$
+        \item \emph?$\vartheta =
+          \{x^2_{\alpha_2} \rightarrowtail y^2_{\alpha_2},\dots,x^n_{\alpha_n} \rightarrowtail y^n_{\alpha_n}\}$
+        \item $v_x = x^1_{\alpha_1}$, and $v_y = y^1_{\alpha_1}$
+        \end{itemize}
+      \<close>
+      case (Cons v\<^sub>y ys v\<^sub>x xs A' As')
+      let ?\<theta> = "fmap_of_list (zip xs (map FVar ys))"
+      from Cons.hyps(1) have "lset xs = fmdom' ?\<theta>"
+        by simp
+      from Cons.hyps(1) and Cons.prems(6) have "fmran' ?\<theta> = FVar ` lset ys"
+        by force
+      have "is_substitution ?\<theta>"
+      unfolding is_substitution_def proof
+        fix v
+        assume "v \<in> fmdom' ?\<theta>"
+        with \<open>lset xs = fmdom' ?\<theta>\<close> obtain k where "v = xs ! k" and "k < length xs"
+          by (metis in_set_conv_nth)
+        moreover obtain \<alpha> where "var_type v = \<alpha>"
+          by blast
+        moreover from \<open>k < length xs\<close> and \<open>v = xs ! k\<close> have "?\<theta> $$! v = (map FVar ys) ! k"
+          using Cons.hyps(1) and Cons.prems(6) by auto
+        moreover from this and \<open>k < length xs\<close> obtain y and \<beta> where "?\<theta> $$! v = y\<^bsub>\<beta>\<^esub>"
+          using Cons.hyps(1) by force
+        ultimately have "\<alpha> = \<beta>"
+          using Cons.hyps(1) and Cons.prems(5)
+          by (metis form.inject(1) list.inject list.simps(9) nth_map snd_conv)
+        then show "case v of (x, \<alpha>) \<Rightarrow> ?\<theta> $$! (x, \<alpha>) \<in> wffs\<^bsub>\<alpha>\<^esub>"
+          using \<open>?\<theta> $$! v = y\<^bsub>\<beta>\<^esub>\<close> and \<open>var_type v = \<alpha>\<close> by fastforce
+      qed
+      have "v\<^sub>x \<notin> fmdom' ?\<theta>"
+        using Cons.prems(6) and \<open>lset xs = fmdom' ?\<theta>\<close> by auto
+      obtain x and \<alpha> where "v\<^sub>x = (x, \<alpha>)"
+        by fastforce
+      have "FVar v\<^sub>y \<in> wffs\<^bsub>\<alpha>\<^esub>"
+        using Cons.prems(5) and surj_pair[of v\<^sub>y] unfolding \<open>v\<^sub>x = (x, \<alpha>)\<close> by fastforce
+      have "distinct xs"
+        using Cons.prems(6) by fastforce
+      moreover have ys_fresh': "
+        (var_name ` lset ys) \<inter> (var_name ` (vars B \<union> vars (lset As') \<union> vars \<H> \<union> lset xs)) = {}"
+      proof -
+        have "vars (lset (A' # As')) = vars {A'} \<union> vars (lset As')"
+          by simp
+        moreover have "var_name ` (lset (v\<^sub>x # xs)) = {var_name v\<^sub>x} \<union> var_name ` (lset xs)"
+          by simp
+        moreover from Cons.prems(1) have "
+          var_name ` lset ys
+          \<inter>
+          (
+            var_name ` (vars B) \<union> var_name ` (vars (lset (A' # As'))) \<union> var_name ` (vars \<H>)
+            \<union> var_name ` (lset (v\<^sub>x # xs))
+          )
+          = {}"
+          by (simp add: image_Un)
+        ultimately have "
+          var_name ` lset ys
+          \<inter>
+          (
+            var_name ` (vars B) \<union> var_name ` (vars (lset As')) \<union> var_name ` (vars \<H>)
+            \<union> var_name ` (lset (v\<^sub>x # xs))
+          )
+          = {}"
+          by fast
+        then show ?thesis
+          by (simp add: image_Un)
+      qed
+      moreover have "distinct ys"
+        using Cons.prems(3) by auto
+      moreover have "\<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names \<H> \<and> is_free_for (?\<theta> $$! v) v B"
+      proof
+        fix v
+        assume "v \<in> fmdom' ?\<theta>"
+        with Cons.hyps(1) obtain y where "?\<theta> $$! v = FVar y" and "y \<in> lset ys"
+          by (metis (mono_tags, lifting) fmap_of_zipped_list_range image_iff length_map list.set_map)
+        moreover from Cons.prems(2,4) have "var_name v \<notin> free_var_names \<H>"
+          using \<open>lset xs = fmdom' ?\<theta>\<close> and \<open>v \<in> fmdom' ?\<theta>\<close> by auto
+        moreover from \<open>y \<in> lset ys\<close> have "y \<notin> vars B"
+          using ys_fresh' by blast
+        then have "is_free_for (FVar y) v B"
+          by (intro absent_var_is_free_for)
+        ultimately show "var_name v \<notin> free_var_names \<H> \<and> is_free_for (?\<theta> $$! v) v B"
+          by simp
+      qed
+      moreover have "map var_type ys = map var_type xs"
+        using Cons.prems(5) by simp
+      moreover have "length xs = card (fmdom' ?\<theta>)"
+        by (fact distinct_card[OF \<open>distinct xs\<close>, unfolded \<open>lset xs = fmdom' ?\<theta>\<close>, symmetric])
+      \<comment> \<open>$\mathcal{H}\;\vdash\;\d{\textsf{S}}\;
+          ^{x^2_{\alpha_2}\;\dots\;x^n_{\alpha_n}}
+          _{y^2_{\alpha_2}\;\dots\;y^n_{\alpha_n}} B$\<close>
+      ultimately have "\<H> \<turnstile> \<^bold>S ?\<theta> B"
+        using Cons.IH and \<open>lset xs = fmdom' ?\<theta>\<close> by blast
+      moreover from Cons.prems(2,4) have "(x, \<alpha>) \<notin> free_vars \<H>"
+        using \<open>v\<^sub>x = (x, \<alpha>)\<close> by auto
+      moreover have "is_free_for (FVar v\<^sub>y) (x, \<alpha>) (\<^bold>S ?\<theta> B)"
+      proof -
+        have "v\<^sub>y \<notin> fmdom' ?\<theta>"
+          using Cons.prems(1) and \<open>lset xs = fmdom' ?\<theta>\<close> by force
+        moreover have "fmran' ?\<theta> = lset (map FVar ys)"
+          using Cons.hyps(1) and \<open>distinct xs\<close> by simp
+        then have "v\<^sub>y \<notin> vars (fmran' ?\<theta>)"
+          using Cons.prems(3) by force
+        moreover have "v\<^sub>y \<notin> vars B"
+          using Cons.prems(1) by fastforce
+        ultimately have "v\<^sub>y \<notin> vars (\<^bold>S ?\<theta> B)"
+          by (rule excluded_var_from_substitution[OF \<open>is_substitution ?\<theta>\<close>])
+        then show ?thesis
+          by (fact absent_var_is_free_for)
+      qed
+      \<comment> \<open>$\mathcal{H}\;\vdash\;\d{\textsf{S}}\;^{x^1_{\alpha_1}}_{y^1_{\alpha_1}}\;\d{\textsf{S}}\;
+          ^{x^2_{\alpha_2}\;\dots\;x^n_{\alpha_n}}_{y^2_{\alpha_2}\;\dots\;y^n_{\alpha_n}} B$\<close>
+      ultimately have "\<H> \<turnstile> \<^bold>S {(x, \<alpha>) \<Zinj> FVar v\<^sub>y} (\<^bold>S ?\<theta> B)"
+        using \<open>FVar v\<^sub>y \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> by (rule prop_5221_aux)
+      \<comment> \<open>$\d{\textsf{S}}\;^{x^1_{\alpha_1}}_{y^1_{\alpha_1}}\;\d{\textsf{S}}\;
+          ^{x^2_{\alpha_2}\;\dots\;x^n_{\alpha_n}}_{y^2_{\alpha_2}\;\dots\;y^n_{\alpha_n}} B =
+          \d{\textsf{S}}\;^{x^1_{\alpha_1}\;\dots\;x^n_{\alpha_n}}_{y^1_{\alpha_1}\;\dots\;y^n_{\alpha_n}} B$\<close>
+      moreover have "\<^bold>S {v\<^sub>x \<Zinj> FVar v\<^sub>y} \<^bold>S ?\<theta> B = \<^bold>S ({v\<^sub>x \<Zinj> FVar v\<^sub>y} ++\<^sub>f ?\<theta>) B"
+      proof -
+        have "v\<^sub>x \<notin> lset ys"
+          using Cons.prems(1) by fastforce
+        then have "\<^bold>S {v\<^sub>x \<Zinj> FVar v\<^sub>y} (FVar y) = FVar y" if "y \<in> lset ys" for y
+          using that and free_var_singleton_substitution_neutrality and surj_pair[of y] by fastforce
+        with \<open>fmran' ?\<theta> = FVar ` lset ys\<close> have "fmmap (\<lambda>A'. \<^bold>S {v\<^sub>x \<Zinj> FVar v\<^sub>y} A') ?\<theta> = ?\<theta>"
+          by (fastforce intro: fmap.map_ident_strong)
+        with \<open>v\<^sub>x \<notin> fmdom' ?\<theta>\<close> show ?thesis
+          using \<open>\<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names \<H> \<and> is_free_for (?\<theta> $$! v) v B\<close>
+          and substitution_consolidation by auto
+      qed
+      \<comment> \<open>$\mathcal{H}\;\vdash\;\d{\textsf{S}}\;
+          ^{x^1_{\alpha_1}\;\dots\;x^n_{\alpha_n}}_{y^1_{\alpha_1}\;\dots\;y^n_{\alpha_n}} B$\<close>
+      ultimately show ?case
+        using \<open>v\<^sub>x = (x, \<alpha>)\<close> and \<open>v\<^sub>x \<notin> fmdom' ?\<theta>\<close> and fmap_singleton_comm by fastforce
+    qed
+    with 0 and that show ?case
+      by auto
+  next
+    case (Suc k)
+    let ?ps = "\<lambda>k. zip xs (take k As @ drop k (map FVar ys))"
+    let ?y = "ys ! k" and ?A = "As ! k"
+    let ?\<theta> = "\<lambda>k. fmap_of_list (?ps k)"
+    let ?\<theta>' = "\<lambda>k. fmap_of_list (map (\<lambda>(v', A'). (v', \<^bold>S {?y \<Zinj> ?A} A')) (?ps k))"
+    have "fmdom' (?\<theta> k') = lset xs" for k'
+      by (simp add: \<open>length xs = length As\<close> \<open>length ys = length xs\<close>)
+    have "fmdom' (?\<theta>' k') = lset xs" for k'
+      using \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> and fmdom'_fmap_of_list by simp
+    have "?y \<in> lset ys"
+      using Suc.prems \<open>length ys = length xs\<close> by simp
+    have "\<forall>j < length ys. ys ! j \<notin> vars (\<H>::form set) \<and> ys ! j \<notin> vars B"
+      using \<open>(var_name ` lset ys) \<inter> (var_name ` (vars B \<union> vars (lset As) \<union> vars \<H> \<union> lset xs)) = {}\<close>
+      by force
+    obtain n\<^sub>y and \<alpha>\<^sub>y where "(n\<^sub>y, \<alpha>\<^sub>y) = ?y"
+      using surj_pair[of ?y] by fastforce
+    moreover have "?A \<in> wffs\<^bsub>\<alpha>\<^sub>y\<^esub>"
+    proof -
+      from Suc.prems and \<open>(n\<^sub>y, \<alpha>\<^sub>y) = ?y\<close> have "var_type (xs ! k) = \<alpha>\<^sub>y"
+        using \<open>length ys = length xs\<close> and \<open>map var_type ys = map var_type xs\<close> and Suc_le_lessD
+        by (metis nth_map snd_conv)
+      with Suc.prems and assms(2) and \<open>lset xs = fmdom' \<theta>\<close> and \<open>As = map (($$!) \<theta>) xs\<close> show ?thesis
+        using less_eq_Suc_le and nth_mem by fastforce
+    qed
+    ultimately have "is_substitution {?y \<Zinj> ?A}"
+      by auto
+    have wfs: "is_substitution (?\<theta> k)" for k
+    unfolding is_substitution_def proof
+      fix v
+      assume "v \<in> fmdom' (?\<theta> k)"
+      with \<open>fmdom' (?\<theta> k) = lset xs\<close> obtain j where "v = xs ! j" and "j < length xs"
+        by (fastforce simp add: in_set_conv_nth)
+      obtain \<alpha> where "var_type v = \<alpha>"
+        by blast
+      show "case v of (x, \<alpha>) \<Rightarrow> (?\<theta> k) $$! (x, \<alpha>) \<in> wffs\<^bsub>\<alpha>\<^esub>"
+      proof (cases "j < k")
+        case True
+        with \<open>j < length xs\<close> and \<open>v = xs ! j\<close> have "(?\<theta> k) $$! v = As ! j"
+          using \<open>distinct xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+        with assms(2) \<open>v = xs ! j\<close> and \<open>v \<in> fmdom' (?\<theta> k)\<close> and \<open>var_type v = \<alpha>\<close> and \<open>j < length xs\<close>
+        have "(?\<theta> k) $$! v \<in> wffs\<^bsub>\<alpha>\<^esub>"
+          using \<open>As = map (($$!) \<theta>) xs\<close> and \<open>fmdom' (?\<theta> k) = lset xs\<close> and \<open>lset xs = fmdom' \<theta>\<close>
+          by auto
+        then show ?thesis
+          using \<open>var_type v = \<alpha>\<close> by force
+      next
+        case False
+        with \<open>j < length xs\<close> and \<open>v = xs ! j\<close> have "(?\<theta> k) $$! v = FVar (ys ! j)"
+          using \<open>distinct xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+        with \<open>j < length xs\<close> and \<open>v = xs ! j\<close> and \<open>var_type v = \<alpha>\<close> and \<open>length ys = length xs\<close>
+        have "(?\<theta> k) $$! v \<in> wffs\<^bsub>\<alpha>\<^esub>"
+          using \<open>map var_type ys = map var_type xs\<close> and surj_pair[of "ys ! j"]
+          by (metis nth_map snd_conv wffs_of_type_intros(1))
+        then show ?thesis
+          using \<open>var_type v = \<alpha>\<close> by force
+      qed
+    qed
+    have \<theta>'_alt_def: "?\<theta>' k = fmap_of_list
+      (zip xs
+        (take k (map (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') As)
+        @
+        (drop k (map (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') (map FVar ys)))))"
+    proof -
+      have "
+        fmap_of_list (zip xs (map (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') (take k As @ drop k (map FVar ys))))
+        =
+        fmap_of_list
+          (zip xs
+            (map (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') (take k As)
+            @
+            (drop k (map (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') (map FVar ys)))))"
+        by (simp add: drop_map)
+      then show ?thesis
+        by (metis take_map zip_map2)
+    qed
+    \<comment> \<open>$\mathcal{H}\;\vdash\;\d{\textsf{S}}\;
+        ^{x^1_{\alpha_1}\;\dots\;x^k_{\alpha_k} x^{k+1}_{\alpha_{k+1}}\;\dots\;x^n_{\alpha_n}}
+        _{A^1_{\alpha_1}\;\dots\;A^k_{\alpha_k} y^{k+1}_{\alpha_{k+1}}\;\dots\;y^n_{\alpha_n}} B$\<close>
+    have "\<H> \<turnstile> \<^bold>S (?\<theta> k) B"
+      by (fact Suc.IH[OF Suc_leD[OF Suc.prems]])
+    \<comment> \<open>$\mathcal{H}\;\vdash\;\d{\textsf{S}}\;^{y^{k+1}_{\alpha_{k+1}}}_{A^{k+1}_{\alpha_{k+1}}}\;
+        \d{\textsf{S}}\;
+        ^{x^1_{\alpha_1}\;\dots\;x^k_{\alpha_k} x^{k+1}_{\alpha_{k+1}}\;\dots\;x^n_{\alpha_n}}
+        _{A^1_{\alpha_1}\;\dots\;A^k_{\alpha_k} y^{k+1}_{\alpha_{k+1}}\;\dots\;y^n_{\alpha_n}} B$\<close>
+    then have "\<H> \<turnstile> \<^bold>S {?y \<Zinj> ?A} \<^bold>S (?\<theta> k) B"
+    proof -
+      from \<open>(n\<^sub>y, \<alpha>\<^sub>y) = ?y\<close> and \<open>length ys = length xs\<close> have "(n\<^sub>y, \<alpha>\<^sub>y) \<notin> free_vars \<H>"
+        using \<open>\<forall>j < length ys. ys ! j \<notin> vars (\<H>::form set) \<and> ys ! j \<notin> vars B\<close>
+        and free_vars_in_all_vars_set and Suc_le_lessD[OF Suc.prems] by fastforce
+      moreover have "is_free_for ?A (n\<^sub>y, \<alpha>\<^sub>y) (\<^bold>S (?\<theta> k) B)"
+      proof -
+        have "is_substitution (fmdrop (xs ! k) (?\<theta> k))"
+          using wfs and \<open>fmdom' (?\<theta> k) = lset xs\<close> by force
+        moreover from Suc_le_lessD[OF Suc.prems] have "var_type (xs ! k) = var_type (ys ! k)"
+          using \<open>length ys = length xs\<close> and \<open>map var_type ys = map var_type xs\<close> by (metis nth_map)
+        then have "is_substitution {xs ! k \<Zinj> FVar ?y}"
+          unfolding is_substitution_def using \<open>(n\<^sub>y, \<alpha>\<^sub>y) = ?y\<close>
+          by (intro ballI) (clarsimp, metis snd_eqD wffs_of_type_intros(1))
+        moreover have "(xs ! k) \<notin> fmdom' (fmdrop (xs ! k) (?\<theta> k))"
+          by simp
+        moreover have "
+          \<forall>v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k)). ?y \<notin> vars (fmdrop (xs ! k) (?\<theta> k) $$! v)"
+        proof
+          fix v
+          assume "v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k))"
+          then have "v \<in> fmdom' (?\<theta> k)"
+            by simp
+          with \<open>fmdom' (?\<theta> k) = lset xs\<close> obtain j where "v = xs ! j" and "j < length xs" and "j \<noteq> k"
+            using \<open>v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close>
+            and \<open>(xs ! k) \<notin> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close> by (metis in_set_conv_nth)
+          then show "?y \<notin> vars ((fmdrop (xs ! k) (?\<theta> k)) $$! v)"
+          proof (cases "j < k")
+            case True
+            with \<open>j < length xs\<close> and \<open>v = xs ! j\<close> have "(?\<theta> k) $$! v = As ! j"
+              using \<open>distinct xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+            moreover from \<open>j < length xs\<close> and \<open>length xs = length As\<close> have "?y \<notin> vars (As ! j)"
+              using \<open>?y \<in> lset ys\<close> and ys_fresh by fastforce
+            ultimately show ?thesis
+              using \<open>v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close> by auto
+          next
+            case False
+            with \<open>j < length xs\<close> and \<open>v = xs ! j\<close> have "(?\<theta> k) $$! v = FVar (ys ! j)"
+              using \<open>distinct xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+            moreover from Suc_le_lessD[OF Suc.prems] and \<open>j \<noteq> k\<close> have "?y \<noteq> ys ! j"
+              by (simp add: \<open>distinct ys\<close> \<open>j < length xs\<close> \<open>length ys = length xs\<close> nth_eq_iff_index_eq)
+            ultimately show ?thesis
+              using \<open>v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close>
+              and \<open>xs ! k \<notin> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close> and surj_pair[of "ys ! j"] by fastforce
+          qed
+        qed
+        moreover from \<open>k < length xs\<close> and \<open>length ys = length xs\<close> have "?y \<notin> vars B"
+          by (simp add: \<open>\<forall>j < length ys. ys ! j \<notin> vars \<H> \<and> ys ! j \<notin> vars B\<close>)
+        moreover have "is_free_for ?A (xs ! k) B"
+        proof -
+          from Suc_le_lessD[OF Suc.prems] and \<open>lset xs = fmdom' \<theta>\<close> have "xs ! k \<in> fmdom' \<theta>"
+            using nth_mem by blast
+          moreover from Suc.prems and \<open>As = map (($$!) \<theta>) xs\<close> have "\<theta> $$! (xs ! k) = ?A"
+            by fastforce
+          ultimately show ?thesis
+            using assms(3) by simp
+        qed
+        moreover
+        have "\<forall>v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k)). is_free_for (fmdrop (xs ! k) (?\<theta> k) $$! v) v B"
+        proof
+          fix v
+          assume "v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k))"
+          then have "v \<in> fmdom' (?\<theta> k)"
+            by simp
+          with \<open>fmdom' (?\<theta> k) = lset xs\<close> obtain j where "v = xs ! j" and "j < length xs" and "j \<noteq> k"
+            using \<open>v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close>
+            and \<open>(xs ! k) \<notin> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close> by (metis in_set_conv_nth)
+          then show "is_free_for (fmdrop (xs ! k) (?\<theta> k) $$! v) v B"
+          proof (cases "j < k")
+            case True
+            with \<open>j < length xs\<close> and \<open>v = xs ! j\<close> have "(?\<theta> k) $$! v = As ! j"
+              using \<open>distinct xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+            moreover have "is_free_for (As ! j) v B"
+            proof -
+              from \<open>j < length xs\<close> and \<open>lset xs = fmdom' \<theta>\<close> and \<open>v = xs ! j\<close> have "v \<in> fmdom' \<theta>"
+                using nth_mem by blast
+              moreover have "\<theta> $$! v = As ! j"
+                by (simp add: \<open>As = map (($$!) \<theta>) xs\<close> \<open>j < length xs\<close> \<open>v = xs ! j\<close>)
+              ultimately show ?thesis
+                using assms(3) by simp
+              qed
+            ultimately show ?thesis
+              using \<open>v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close> by auto
+          next
+            case False
+            with \<open>j < length xs\<close> and \<open>v = xs ! j\<close> have "(?\<theta> k) $$! v = FVar (ys ! j)"
+              using \<open>distinct xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+            moreover from \<open>j < length xs\<close> and \<open>length ys = length xs\<close> have "ys ! j \<notin> vars B"
+              using \<open>\<forall>j < length ys. ys ! j \<notin> vars \<H> \<and> ys ! j \<notin> vars B\<close> by simp
+            then have "is_free_for (FVar (ys ! j)) v B"
+              by (fact absent_var_is_free_for)
+            ultimately show ?thesis
+              using \<open>v \<in> fmdom' (fmdrop (xs ! k) (?\<theta> k))\<close> by auto
+          qed
+        qed
+        ultimately have "is_free_for ?A (ys ! k) \<^bold>S ({xs ! k \<Zinj> FVar ?y} ++\<^sub>f fmdrop (xs ! k) (?\<theta> k)) B"
+          using is_free_for_with_renaming_substitution by presburger
+        moreover have "\<^bold>S ({xs ! k \<Zinj> FVar ?y} ++\<^sub>f fmdrop (xs ! k) (?\<theta> k)) B = \<^bold>S (?\<theta> k) B"
+          using \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> and Suc_le_eq and Suc.prems
+          and \<open>distinct xs\<close> by simp
+        ultimately show ?thesis
+          unfolding \<open>(n\<^sub>y, \<alpha>\<^sub>y) = ?y\<close> by simp
+      qed
+      ultimately show ?thesis
+        using prop_5221_aux[OF \<open>\<H> \<turnstile> \<^bold>S (?\<theta> k) B\<close>] and \<open>?A \<in> wffs\<^bsub>\<alpha>\<^sub>y\<^esub>\<close> and \<open>(n\<^sub>y, \<alpha>\<^sub>y) = ?y\<close> by metis
+    qed
+    \<comment> \<open>$\d{\textsf{S}}\;^{y^{k+1}_{\alpha_{k+1}}}_{A^{k+1}_{\alpha_{k+1}}}\;
+        \d{\textsf{S}}\;
+        ^{x^1_{\alpha_1}\;\dots\;x^k_{\alpha_k} x^{k+1}_{\alpha_{k+1}}\;\dots\;x^n_{\alpha_n}}
+        _{A^1_{\alpha_1}\;\dots\;A^k_{\alpha_k} y^{k+1}_{\alpha_{k+1}}\;\dots\;y^n_{\alpha_n}} B =
+        \d{\textsf{S}}\;
+        ^{x^1_{\alpha_1}\;\dots\;x^k_{\alpha_k} x^{k+1}_{\alpha_{k+1}} x^{k+2}_{\alpha_{k+2}}
+         \;\dots\;x^n_{\alpha_n}}
+        _{A^1_{\alpha_1}\;\dots\;A^k_{\alpha_k} A^{k+1}_{\alpha_{k+1}} y^{k+2}_{\alpha_{k+2}}
+         \;\dots\;y^n_{\alpha_n}} B$\<close>
+    moreover have "\<^bold>S {?y \<Zinj> ?A} \<^bold>S (?\<theta> k) B = \<^bold>S (?\<theta> (Suc k)) B"
+    proof -
+      have "\<^bold>S {?y \<Zinj> ?A} \<^bold>S (?\<theta> k) B = \<^bold>S {?y \<Zinj> ?A} ++\<^sub>f (?\<theta>' k) B"
+      proof -
+        have "?y \<notin> fmdom' (?\<theta> k)"
+          using \<open>?y \<in> lset ys\<close> and \<open>fmdom' (?\<theta> k) = lset xs\<close> and ys_fresh by blast
+        moreover have "(?\<theta>' k) = fmmap (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') (?\<theta> k)"
+          using \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by simp
+        moreover have "\<forall>v' \<in> fmdom' (?\<theta> k). is_free_for (?\<theta> k $$! v') v' B"
+        proof
+          fix v'
+          assume "v' \<in> fmdom' (?\<theta> k)"
+          with \<open>fmdom' (?\<theta> k) = lset xs\<close> obtain j where "v' = xs ! j" and "j < length xs"
+            by (metis in_set_conv_nth)
+          obtain \<alpha> where "var_type v' = \<alpha>"
+            by blast
+          show "is_free_for (?\<theta> k $$! v') v' B"
+          proof (cases "j < k")
+            case True
+            with \<open>j < length xs\<close> and \<open>v' = xs ! j\<close> have "(?\<theta> k) $$! v' = As ! j"
+              using \<open>distinct xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+            moreover from \<open>lset xs = fmdom' \<theta>\<close> and assms(3) have "is_free_for (As ! j) (xs ! j) B"
+              by (metis \<open>As = map (($$!) \<theta>) xs\<close> \<open>j < length xs\<close> nth_map nth_mem)
+            ultimately show ?thesis
+              using \<open>v' = xs ! j\<close> by (simp only:)
+          next
+            case False
+            with \<open>j < length xs\<close> and \<open>v' = xs ! j\<close> have "(?\<theta> k) $$! v' = FVar (ys ! j)"
+              using \<open>distinct xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+            moreover from \<open>j < length xs\<close> have "is_free_for (FVar (ys ! j)) (xs ! j) B"
+              using \<open>\<forall>j < length ys. ys ! j \<notin> vars \<H> \<and> ys ! j \<notin> vars B\<close> and \<open>length ys = length xs\<close>
+              and absent_var_is_free_for by presburger
+            ultimately show ?thesis
+              using \<open>v' = xs ! j\<close> by (simp only:)
+          qed
+        qed
+        ultimately show ?thesis
+          using substitution_consolidation by simp
+      qed
+      also have "\<dots> = \<^bold>S {?y \<Zinj> ?A} ++\<^sub>f (?\<theta> (Suc k)) B"
+      proof -
+        have "?\<theta>' k = ?\<theta> (Suc k)"
+        proof (intro fsubset_antisym[unfolded fmsubset_alt_def] fmpredI)
+          {
+            fix v' and A'
+            assume "?\<theta>' k $$ v' = Some A'"
+            then have "v' \<in> fmdom' (?\<theta>' k)"
+              by (intro fmdom'I)
+            then obtain j where "j < length xs" and "xs ! j = v'"
+              using \<open>fmdom' (?\<theta>' k) = lset xs\<close> by (metis in_set_conv_nth)
+            then consider (a) "j < k" | (b) "j = k" | (c) "j \<in> {k<..< length xs}"
+              by fastforce
+            then show "?\<theta> (Suc k) $$ v' = Some A'"
+            proof cases
+              case a
+              with \<theta>'_alt_def and \<open>distinct xs\<close> and \<open>j < length xs\<close>
+              have "?\<theta>' k $$ (xs ! j) = Some (take k (map (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') As) ! j)"
+                using \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by auto
+              also from a and Suc.prems have "\<dots> = Some (\<^bold>S {?y \<Zinj> ?A} (As ! j))"
+                using \<open>length xs = length As\<close> by auto
+              also have "\<dots> = Some (As ! j)"
+              proof -
+                from Suc.prems and \<open>length ys = length xs\<close> have "Suc k \<le> length ys"
+                  by (simp only:)
+                moreover have "j < length As"
+                  using \<open>j < length xs\<close> and \<open>length xs = length As\<close> by (simp only:)
+                ultimately have "?y \<notin> vars (As ! j)"
+                  using ys_fresh by force
+                then show ?thesis
+                  using free_var_singleton_substitution_neutrality and free_vars_in_all_vars by blast
+              qed
+              also from a and \<open>xs ! j = v'\<close> and \<open>distinct xs\<close> have "\<dots> = ?\<theta> (Suc k) $$ v'"
+                using \<open>j < length xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close>
+                by fastforce
+              finally show ?thesis
+                using \<open>?\<theta>' k $$ v' = Some A'\<close> and \<open>xs ! j = v'\<close> by simp
+            next
+              case b
+              then have "
+                ?\<theta>' k $$ (xs ! k) = Some (drop k (map (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') (map FVar ys)) ! 0)"
+                using \<open>distinct xs\<close> and \<open>j < length xs\<close> and \<open>length xs = length As\<close>
+                and \<open>length ys = length xs\<close> and fmap_of_list_nth_split by simp
+              also from Suc.prems have "\<dots> = Some (\<^bold>S {?y \<Zinj> ?A} (FVar ?y))"
+                using \<open>length ys = length xs\<close> by simp
+              also from \<open>(n\<^sub>y, \<alpha>\<^sub>y) = ys ! k\<close> have "\<dots> = Some ?A"
+                by (metis singleton_substitution_simps(1))
+              also from b and \<open>xs ! j = v'\<close> and \<open>distinct xs\<close> have "\<dots> = ?\<theta> (Suc k) $$ v'"
+                using \<open>j < length xs\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close>
+                by fastforce
+              finally show ?thesis
+                using b and \<open>?\<theta>' k $$ v' = Some A'\<close> and \<open>xs ! j = v'\<close> by force
+            next
+              case c
+              then have "j > k"
+                by simp
+              with \<theta>'_alt_def and \<open>distinct xs\<close> and \<open>j < length xs\<close> have "
+                ?\<theta>' k $$ (xs ! j) = Some (drop k (map (\<lambda>A'. \<^bold>S {?y \<Zinj> ?A} A') (map FVar ys)) ! (j - k))"
+                using fmap_of_list_nth_split and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close>
+                by simp
+              also from Suc.prems and c have "\<dots> = Some (\<^bold>S {?y \<Zinj> ?A} (FVar (ys ! j)))"
+                using \<open>length ys = length xs\<close> by simp
+              also from Suc_le_lessD[OF Suc.prems] and \<open>distinct ys\<close> have "\<dots> = Some (FVar (ys ! j))"
+                using \<open>j < length xs\<close> and \<open>k < j\<close> and \<open>length ys = length xs\<close>
+                by (metis nless_le nth_eq_iff_index_eq prod.exhaust_sel singleton_substitution_simps(1))
+              also from c and \<open>distinct xs\<close> have "\<dots> = ?\<theta> (Suc k) $$ v'"
+                using \<open>xs ! j = v'\<close> and \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+              finally show ?thesis
+                using \<open>?\<theta>' k $$ v' = Some A'\<close> and \<open>xs ! j = v'\<close> by force
+            qed
+          }
+          note \<theta>_k_in_Sub_k = this
+          {
+            fix v' and A'
+            assume "?\<theta> (Suc k) $$ v' = Some A'"
+            then have "v' \<in> fmdom' (?\<theta> (Suc k))"
+              by (intro fmdom'I)
+            then obtain j where "j < length xs" and "xs ! j = v'"
+              using \<open>fmdom' (?\<theta> (Suc k)) = lset xs\<close> by (metis in_set_conv_nth)
+            then consider (a) "j < k" | (b) "j = k" | (c) "j \<in> {k<..< length xs}"
+              by fastforce
+            with \<open>j < length xs\<close> and \<open>xs ! j = v'\<close> and \<theta>_k_in_Sub_k show "?\<theta>' k $$ v' = Some A'"
+              using \<open>\<And>k'. fmdom' (?\<theta>' k') = lset xs\<close> and \<open>?\<theta> (Suc k) $$ v' = Some A'\<close>
+              by (metis (mono_tags, lifting) fmlookup_dom'_iff nth_mem)+
+          }
+        qed
+        then show ?thesis
+          by presburger
+      qed
+      also have "\<dots> = \<^bold>S (?\<theta> (Suc k)) B"
+      proof -
+        have "?\<theta> (Suc k) $$ ?y = None"
+          using \<open>?y \<in> lset ys\<close> \<open>\<And>k'. fmdom' (?\<theta> k') = lset xs\<close> and ys_fresh by blast
+        moreover from Suc_le_lessD[OF Suc.prems] have "?y \<notin> vars B"
+          using \<open>\<forall>j < length ys. ys ! j \<notin> vars \<H> \<and> ys ! j \<notin> vars B\<close> and \<open>length ys = length xs\<close>
+          by auto
+        ultimately show ?thesis
+          by (rule substitution_absorption)
+      qed
+      finally show ?thesis .
+    qed
+    \<comment> \<open>$\mathcal{H}\;\vdash\;\d{\textsf{S}}\;
+        ^{x^1_{\alpha_1}\;\dots\;x^k_{\alpha_k} x^{k+1}_{\alpha_{k+1}} x^{k+2}_{\alpha_{k+2}}
+         \;\dots\;x^n_{\alpha_n}}
+        _{A^1_{\alpha_1}\;\dots\;A^k_{\alpha_k} A^{k+1}_{\alpha_{k+1}} y^{k+2}_{\alpha_{k+2}}
+         \;\dots\;y^n_{\alpha_n}} B$\<close>
+    ultimately show ?case
+      by (simp only:)
+  qed
+  \<comment> \<open>$\mathcal{H}\;\vdash\;\d{\textsf{S}}\;
+      ^{x^1_{\alpha_1}\;\dots\;x^n_{\alpha_n}} _{A^1_{\alpha_1}\;\dots\;A^n_{\alpha_n}} B$\<close>
+  then have "\<H> \<turnstile> \<^bold>S (fmap_of_list (zip xs As)) B"
+    using \<open>length xs = length As\<close> and \<open>length ys = length xs\<close> by force
+  moreover have "fmap_of_list (zip xs As) = \<theta>"
+  proof (intro fsubset_antisym[unfolded fmsubset_alt_def] fmpredI)
+    fix v and A
+    assume "fmap_of_list (zip xs As) $$ v = Some A"
+    with \<open>lset xs = fmdom' \<theta>\<close> have "v \<in> fmdom' \<theta>"
+      by (fast dest: fmap_of_list_SomeD set_zip_leftD)
+    with \<open>fmap_of_list (zip xs As) $$ v = Some A\<close> and \<open>As = map (($$!) \<theta>) xs\<close> show "\<theta> $$ v = Some A"
+      by
+        (simp add: map_of_zip_map fmap_of_list.rep_eq split: if_splits)
+        (meson fmdom'_notI option.exhaust_sel)
+  next
+    fix v and A
+    assume "\<theta> $$ v = Some A"
+    with \<open>As = map (($$!) \<theta>) xs\<close> show "fmap_of_list (zip xs As) $$ v = Some A"
+      using \<open>lset xs = fmdom' \<theta>\<close> by (simp add: fmap_of_list.rep_eq fmdom'I map_of_zip_map)
+  qed
+  ultimately show ?thesis
+    by (simp only:)
+qed
+
+end
+
+lemmas Sub = prop_5221 (* synonym *)
+
+subsection \<open>Proposition 5222 (Rule of Cases)\<close>
+
+lemma forall_\<alpha>_conversion:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  and "(z, \<beta>) \<notin> free_vars A"
+  and "is_free_for (z\<^bsub>\<beta>\<^esub>) (x, \<beta>) A"
+  shows "\<turnstile> \<forall>x\<^bsub>\<beta>\<^esub>. A =\<^bsub>o\<^esub> \<forall>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A"
+proof -
+  from assms(1) have "\<forall>x\<^bsub>\<beta>\<^esub>. A \<in> wffs\<^bsub>o\<^esub>"
+    by (intro forall_wff)
+  then have "\<turnstile> \<forall>x\<^bsub>\<beta>\<^esub>. A =\<^bsub>o\<^esub> \<forall>x\<^bsub>\<beta>\<^esub>. A"
+    by (fact prop_5200)
+  moreover from assms have "\<turnstile> (\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>\<beta>\<rightarrow>o\<^esub> (\<lambda>z\<^bsub>\<beta>\<^esub>. \<^bold>S {(x, \<beta>) \<Zinj> z\<^bsub>\<beta>\<^esub>} A)"
+    by (rule prop_5206)
+  ultimately show ?thesis
+    unfolding forall_def and PI_def by (rule rule_R [where p = "[\<guillemotright>,\<guillemotright>]"]) force+
+qed
+
+proposition prop_5222:
+  assumes "\<H> \<turnstile> \<^bold>S {(x, o) \<Zinj> T\<^bsub>o\<^esub>} A" and "\<H> \<turnstile> \<^bold>S {(x, o) \<Zinj> F\<^bsub>o\<^esub>} A"
+  and "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<H> \<turnstile> A"
+proof -
+  from assms(1) have "is_hyps \<H>"
+    by (blast elim: is_derivable_from_hyps.cases)
+  have "\<section>1": "\<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub>"
+  proof -
+    have "\<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<^bold>S {(x, o) \<Zinj> T\<^bsub>o\<^esub>} A"
+      using prop_5207[OF true_wff assms(3) closed_is_free_for] by simp
+    from this and assms(1) have "\<H> \<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub>"
+      using rule_RR[OF disjI2, where p = "[]"] by fastforce
+    moreover have "(\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+      by (fact hyp_derivable_form_is_wffso[OF \<open>\<H> \<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub>\<close>])
+    ultimately show ?thesis
+      using rule_T(1) by blast
+  qed
+  moreover have "\<section>2": "\<H> \<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> F\<^bsub>o\<^esub>"
+  proof -
+    have "\<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<^bold>S {(x, o) \<Zinj> F\<^bsub>o\<^esub>} A"
+      using prop_5207[OF false_wff assms(3) closed_is_free_for] by simp
+    from this and assms(2) have "\<H> \<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> F\<^bsub>o\<^esub>"
+      using rule_RR[OF disjI2, where p = "[]"] by fastforce
+    moreover have "(\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> F\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+      by (fact hyp_derivable_form_is_wffso[OF \<open>\<H> \<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> F\<^bsub>o\<^esub>\<close>])
+    ultimately show ?thesis
+      using rule_T(1) by blast
+  qed
+  moreover from prop_5212 and \<open>is_hyps \<H>\<close> have "\<section>3": "\<H> \<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>"
+    by (rule derivability_implies_hyp_derivability)
+  ultimately have "\<H> \<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> F\<^bsub>o\<^esub>"
+  proof -
+    from "\<section>3" and "\<section>1" have "\<H> \<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>"
+      by (rule rule_R'[where p = "[\<guillemotleft>,\<guillemotright>]"]) (force+, fastforce dest: subforms_from_app)
+    from this and "\<section>2" show ?thesis
+      by (rule rule_R'[where p = "[\<guillemotright>]"]) (force+, fastforce dest: subforms_from_app)
+  qed
+  moreover have "\<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>x\<^bsub>o\<^esub>. A"
+  proof -
+    have "\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+      by blast
+    have "\<turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      using axiom_1[unfolded equivalence_def] by (rule axiom_is_derivable_from_no_hyps)
+    \<comment> \<open>By $\alpha$-conversion\<close>
+    then have "\<turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>x\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> x\<^bsub>o\<^esub>" (is "\<turnstile> ?B =\<^bsub>o\<^esub> ?C")
+    proof -
+      have "\<turnstile> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>x\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> x\<^bsub>o\<^esub>"
+      proof (cases "x = \<xx>")
+        case True
+        from \<open>\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>\<close> have "\<turnstile> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>"
+          by (fact prop_5200[OF forall_wff])
+        with True show ?thesis
+          using identity_singleton_substitution_neutrality by simp
+      next
+        case False
+        from \<open>\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>\<close>
+        have "\<turnstile> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>x\<^bsub>o\<^esub>. \<^bold>S {(\<xx>, o) \<Zinj> x\<^bsub>o\<^esub>} (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>)"
+          by
+            (rule forall_\<alpha>_conversion)
+            (simp add: False, intro is_free_for_to_app is_free_for_in_var)
+        then show ?thesis
+          by force
+      qed
+      with \<open>\<turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>\<close> show ?thesis
+        using Equality_Rules(3) by blast
+    qed
+    \<comment> \<open>By Sub\<close>
+    then have *: "\<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<forall>x\<^bsub>o\<^esub>. (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> x\<^bsub>o\<^esub>"
+    proof -
+      let ?\<theta> = "{(\<gg>, o\<rightarrow>o) \<Zinj> \<lambda>x\<^bsub>o\<^esub>. A}"
+      from assms(3) have "is_substitution ?\<theta>"
+        by auto
+      moreover have "
+        \<forall>v \<in> fmdom' ?\<theta>.
+          var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v (?B =\<^bsub>o\<^esub> ?C)"
+        by (code_simp, (unfold atomize_conj[symmetric])?, simp)+ blast
+      moreover have "?\<theta> \<noteq> {$$}"
+        by simp
+      ultimately have "\<turnstile> \<^bold>S ?\<theta> (?B =\<^bsub>o\<^esub> ?C)"
+        by (rule Sub [OF \<open>\<turnstile> ?B =\<^bsub>o\<^esub> ?C\<close>])
+      then show ?thesis
+        by simp
+    qed
+    \<comment> \<open>By $\lambda$-conversion\<close>
+    then show ?thesis
+    proof -
+      have "\<turnstile> (\<lambda>x\<^bsub>o\<^esub>. A) \<sqdot> x\<^bsub>o\<^esub> =\<^bsub>o\<^esub> A"
+        using prop_5208[where vs = "[(x, o)]"] and assms(3) by simp
+      from * and this show ?thesis
+        by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+    qed
+  qed
+  ultimately have "\<H> \<turnstile> \<forall>x\<^bsub>o\<^esub>. A"
+    using rule_RR and is_subform_at.simps(1) by (blast intro: empty_is_position)
+  then show ?thesis
+  proof -
+    have "is_free_for (x\<^bsub>o\<^esub>) (x, o) A"
+      by fastforce
+    from \<open>\<H> \<turnstile> \<forall>x\<^bsub>o\<^esub>. A\<close> and wffs_of_type_intros(1) and this show ?thesis
+      by (rule "\<forall>I"[of \<H> x o A "x\<^bsub>o\<^esub>", unfolded identity_singleton_substitution_neutrality])
+  qed
+qed
+
+lemmas Cases = prop_5222 (* synonym *)
+
+subsection \<open>Proposition 5223\<close>
+
+proposition prop_5223:
+  shows "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<yy>\<^bsub>o\<^esub>"
+proof -
+  have "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>))"
+  proof -
+    let ?A = "(\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> T\<^bsub>o\<^esub> \<sqdot> \<yy>\<^bsub>o\<^esub>"
+    have "?A \<in> wffs\<^bsub>o\<^esub>"
+      by force
+    then have "\<turnstile> ?A =\<^bsub>o\<^esub> ?A"
+      by (fact prop_5200)
+    then have "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> ?A"
+      unfolding imp_fun_def and imp_op_def .
+    moreover
+    have "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> T\<^bsub>o\<^esub> =\<^bsub>o\<rightarrow>o\<^esub> \<lambda>\<yy>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+    proof -
+      have "\<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+        by auto
+      moreover
+      have "is_free_for T\<^bsub>o\<^esub> (\<xx>, o) (\<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>))"
+        by fastforce
+      moreover
+      have "\<^bold>S {(\<xx>, o) \<Zinj> T\<^bsub>o\<^esub>} (\<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) = (\<lambda>\<yy>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>))"
+        by simp
+      ultimately show ?thesis
+        using prop_5207[OF true_wff] by metis
+    qed
+    ultimately have *: "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> (\<lambda>\<yy>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> \<yy>\<^bsub>o\<^esub>"
+      by (rule rule_R [where p = "[\<guillemotright>,\<guillemotleft>]"]) force+
+    have "T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+      by auto
+    then have "\<turnstile> (\<lambda>\<yy>\<^bsub>o\<^esub>. (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> \<yy>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+      using prop_5208[where vs = "[(\<yy>, o)]"] by simp
+    from * and this show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>]"]) force+
+  qed
+  with prop_5218 have "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+    using rule_R and Equality_Rules(3) by (meson conj_op_wff true_wff wffs_of_type_intros(1))
+  with prop_5216 show ?thesis
+    using rule_R and Equality_Rules(3) by (meson conj_op_wff true_wff wffs_of_type_intros(1))
+qed
+
+corollary generalized_prop_5223:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> A) =\<^bsub>o\<^esub> A"
+proof -
+  have "T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>" and "is_free_for A (\<yy>, o) ((T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<yy>\<^bsub>o\<^esub>)"
+   by (blast, intro is_free_for_in_equality is_free_for_in_imp is_free_for_in_true is_free_for_in_var)
+  from this(2) have "\<turnstile> \<^bold>S {(\<yy>, o) \<Zinj> A} ((T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<yy>\<^bsub>o\<^esub>)"
+    by (rule prop_5209[OF assms \<open>T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>\<close> wffs_of_type_intros(1) prop_5223])
+  then show ?thesis
+    by simp
+qed
+
+subsection \<open>Proposition 5224 (Modus Ponens)\<close>
+
+proposition prop_5224:
+  assumes "\<H> \<turnstile> A" and "\<H> \<turnstile> A \<supset>\<^sup>\<Q> B"
+  shows "\<H> \<turnstile> B"
+proof -
+  have "\<H> \<turnstile> A \<supset>\<^sup>\<Q> B"
+    by fact
+  moreover from assms(1) have "A \<in> wffs\<^bsub>o\<^esub>"
+    by (fact hyp_derivable_form_is_wffso)
+  from this and assms(1) have "\<H> \<turnstile> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    using rule_T(2) by blast
+  ultimately have "\<H> \<turnstile> T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B"
+    by (rule rule_R'[where p = "[\<guillemotleft>,\<guillemotright>]"]) (force+, fastforce dest: subforms_from_app)
+  have "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B) =\<^bsub>o\<^esub> B"
+  proof -
+    let ?\<theta> = "{(\<yy>, o) \<Zinj> B}"
+    have "B \<in> wffs\<^bsub>o\<^esub>"
+      by (fact hyp_derivable_form_is_wffso[OF assms(2), THEN wffs_from_imp_op(2)])
+    then have "is_substitution ?\<theta>"
+      by simp
+    moreover have "
+      \<forall>v \<in> fmdom' ?\<theta>.
+        var_name v \<notin> free_var_names ({}::form set) \<and>
+        is_free_for (?\<theta> $$! v) v ((T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<yy>\<^bsub>o\<^esub>)"
+      by (code_simp, (unfold atomize_conj[symmetric])?, simp)+ blast
+    moreover have "?\<theta> \<noteq> {$$}"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S ?\<theta> ((T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> \<yy>\<^bsub>o\<^esub>)"
+      by (rule Sub[OF prop_5223])
+    then show ?thesis
+      by simp
+  qed
+  then show ?thesis
+    by (rule rule_RR[OF disjI1, where p = "[]"]) (use \<open>\<H> \<turnstile> T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B\<close> in \<open>force+\<close>)
+qed
+
+lemmas MP = prop_5224 (* synonym *)
+
+corollary generalized_modus_ponens:
+  assumes "\<H> \<turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> B" and "\<forall>H \<in> lset hs. \<H> \<turnstile> H"
+  shows "\<H> \<turnstile> B"
+using assms proof (induction hs arbitrary: B rule: rev_induct)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (snoc H' hs)
+  from \<open>\<forall>H \<in> lset (hs @ [H']). \<H> \<turnstile> H\<close> have "\<H> \<turnstile> H'"
+    by simp
+  moreover have "\<H> \<turnstile> H' \<supset>\<^sup>\<Q> B"
+  proof -
+    from \<open>\<H> \<turnstile> (hs @ [H']) \<supset>\<^sup>\<Q>\<^sub>\<star> B\<close> have "\<H> \<turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> (H' \<supset>\<^sup>\<Q> B)"
+      by simp
+    moreover from \<open>\<forall>H \<in> lset (hs @ [H']). \<H> \<turnstile> H\<close> have "\<forall>H \<in> lset hs. \<H> \<turnstile> H"
+      by simp
+    ultimately show ?thesis
+      by (elim snoc.IH)
+  qed
+  ultimately show ?case
+    by (rule MP)
+qed
+
+subsection \<open>Proposition 5225\<close>
+
+proposition prop_5225:
+  shows "\<turnstile> \<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<supset>\<^sup>\<Q> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+proof -
+  have "\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+    by blast
+  have "\<section>1": "
+    \<turnstile>
+      \<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<supset>\<^sup>\<Q> (((\<lambda>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>))
+      =\<^bsub>o\<^esub>
+      ((\<lambda>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>))"
+  proof -
+    let ?\<theta> = "{(\<hh>, (\<alpha>\<rightarrow>o)\<rightarrow>o) \<Zinj> \<lambda>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>, (\<xx>, \<alpha>\<rightarrow>o) \<Zinj> \<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>, (\<yy>, \<alpha>\<rightarrow>o) \<Zinj> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>}"
+      and ?A = "(\<xx>\<^bsub>\<alpha>\<rightarrow>o\<^esub> =\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<yy>\<^bsub>\<alpha>\<rightarrow>o\<^esub>) \<supset>\<^sup>\<Q> (\<hh>\<^bsub>(\<alpha>\<rightarrow>o)\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<equiv>\<^sup>\<Q> \<hh>\<^bsub>(\<alpha>\<rightarrow>o)\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<rightarrow>o\<^esub>)"
+    have "\<turnstile> ?A"
+      by (fact axiom_is_derivable_from_no_hyps[OF axiom_2])
+    moreover have "\<lambda>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>(\<alpha>\<rightarrow>o)\<rightarrow>o\<^esub>" and "\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> \<in> wffs\<^bsub>\<alpha>\<rightarrow>o\<^esub>"
+      and "\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<in> wffs\<^bsub>\<alpha>\<rightarrow>o\<^esub>"
+      by blast+
+    then have "is_substitution ?\<theta>"
+      by simp
+    moreover have "
+      \<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?A"
+      by (code_simp, (unfold atomize_conj[symmetric])?, simp)+ blast
+    moreover have "?\<theta> \<noteq> {$$}"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S ?\<theta> ?A"
+      by (rule Sub)
+    then show ?thesis
+      by simp
+  qed
+  have "\<turnstile> \<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<supset>\<^sup>\<Q> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)"
+  proof -
+    have "
+      \<turnstile> (\<lambda>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+      (is "\<turnstile> (\<lambda>?x\<^bsub>?\<beta>\<^esub>. ?B) \<sqdot> ?A =\<^bsub>o\<^esub> ?C")
+    proof -
+      have "\<turnstile> (\<lambda>?x\<^bsub>?\<beta>\<^esub>. ?B) \<sqdot> ?A =\<^bsub>o\<^esub> \<^bold>S {(?x, ?\<beta>) \<Zinj> ?A} ?B"
+        using prop_5207[OF wffs_of_type_intros(4)[OF true_wff] \<open>?B \<in> wffs\<^bsub>o\<^esub>\<close>] by fastforce
+      then show ?thesis
+        by simp
+    qed
+    moreover have "\<turnstile> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+      using prop_5208[where vs = "[(\<xx>, \<alpha>)]"] and true_wff by simp
+    ultimately have "\<turnstile> (\<lambda>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+      by (rule Equality_Rules(3))
+    from "\<section>1" and this have "\<turnstile> \<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<supset>\<^sup>\<Q> (T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> ((\<lambda>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>))"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    moreover have "\<turnstile> (\<lambda>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub>. \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> =\<^bsub>o\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+      using prop_5208[where vs = "[(\<ff>, \<alpha>\<rightarrow>o)]"] by force
+    ultimately show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>]"]) force+
+  qed
+  from this and prop_5218[OF \<open>\<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>o\<^esub>\<close>] show ?thesis
+    by (rule rule_R[where p = "[\<guillemotright>]"]) auto
+qed
+
+subsection \<open>Proposition 5226\<close>
+
+proposition prop_5226:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  and "is_free_for A (x, \<alpha>) B"
+  shows "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+proof -
+  have "\<turnstile> \<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<supset>\<^sup>\<Q> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A"
+  proof -
+    let ?\<theta> = "{(\<ff>, \<alpha>\<rightarrow>o) \<Zinj> \<lambda>x\<^bsub>\<alpha>\<^esub>. B, (\<xx>, \<alpha>) \<Zinj> A}"
+    have "\<turnstile> \<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<supset>\<^sup>\<Q> \<ff>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>" (is "\<turnstile> ?C")
+      by (fact prop_5225)
+    moreover from assms have "is_substitution ?\<theta>"
+      by auto
+    moreover have "
+      \<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?C"
+      by (code_simp, (unfold atomize_conj[symmetric])?, fastforce)+ blast
+    moreover have "?\<theta> \<noteq> {$$}"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S ?\<theta> ?C"
+      by (rule Sub)
+    moreover have "\<^bold>S ?\<theta> ?C = \<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<supset>\<^sup>\<Q> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A"
+      by simp
+    ultimately show ?thesis
+      by (simp only:)
+  qed
+  moreover from assms have "\<turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>o\<^esub> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+    by (rule prop_5207)
+  ultimately show ?thesis
+    by (rule rule_R [where p = "[\<guillemotright>]"]) force+
+qed
+
+subsection \<open>Proposition 5227\<close>
+
+corollary prop_5227:
+  shows "\<turnstile> F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>"
+proof -
+  have "\<turnstile> \<forall>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<^bold>S {(\<xx>, o) \<Zinj> \<xx>\<^bsub>o\<^esub>} (\<xx>\<^bsub>o\<^esub>)"
+    by (rule prop_5226) auto
+  then show ?thesis
+    using identity_singleton_substitution_neutrality by simp
+qed
+
+corollary generalized_prop_5227:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<turnstile> F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> A"
+proof -
+  let ?\<theta> = "{(\<xx>, o) \<Zinj> A}" and ?B = "F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>"
+  from assms have "is_substitution ?\<theta>"
+    by simp
+  moreover have "is_free_for A (\<xx>, o) ?B"
+    by (intro is_free_for_in_false is_free_for_in_imp is_free_for_in_var)
+  then have "
+    \<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?B"
+    by force
+  ultimately have "\<turnstile> \<^bold>S {(\<xx>, o) \<Zinj> A} (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>)"
+    using Sub[OF prop_5227, where \<theta> = ?\<theta>] by fastforce
+  then show ?thesis
+    by simp
+qed
+
+subsection \<open>Proposition 5228\<close>
+
+proposition prop_5228:
+  shows "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  and "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+  and "\<turnstile> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  and "\<turnstile> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+proof -
+  show "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" and "\<turnstile> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+    using generalized_prop_5223 by blast+
+next
+  have "\<turnstile> F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub>" and "\<turnstile> F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub>"
+    using generalized_prop_5227 by blast+
+  then show "\<turnstile> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" and "\<turnstile> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    using rule_T(2) by blast+
+qed
+
+subsection \<open>Proposition 5229\<close>
+
+lemma false_in_conj_provability:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<turnstile> F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> A \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>"
+proof -
+  have "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> F\<^bsub>o\<^esub> \<sqdot> A"
+    by (intro generalized_prop_5227[OF assms, unfolded imp_op_def imp_fun_def])
+  moreover have "
+    \<turnstile>
+      (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> F\<^bsub>o\<^esub>
+      =\<^bsub>o\<rightarrow>o\<^esub>
+      \<lambda>\<yy>\<^bsub>o\<^esub>. (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+    (is "\<turnstile> (\<lambda>?x\<^bsub>?\<beta>\<^esub>. ?A) \<sqdot> ?B =\<^bsub>?\<gamma>\<^esub> ?C")
+  proof -
+    have "?B \<in> wffs\<^bsub>?\<beta>\<^esub>" and "?A \<in> wffs\<^bsub>?\<gamma>\<^esub>" and "is_free_for ?B (?x, ?\<beta>) ?A"
+      by auto
+    then have "\<turnstile> (\<lambda>?x\<^bsub>?\<beta>\<^esub>. ?A) \<sqdot> ?B =\<^bsub>?\<gamma>\<^esub> \<^bold>S {(?x, ?\<beta>) \<Zinj> ?B} ?A"
+      by (rule prop_5207)
+    moreover have "\<^bold>S {(?x, ?\<beta>) \<Zinj> ?B} ?A = ?C"
+      by simp
+    ultimately show ?thesis
+      by (simp only:)
+  qed
+  ultimately have "\<turnstile> (\<lambda>\<yy>\<^bsub>o\<^esub>. (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> A"
+    by (rule rule_R[where p = "[\<guillemotleft>]"]) auto
+  moreover have "
+    \<turnstile>
+      (\<lambda>\<yy>\<^bsub>o\<^esub>. (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> A
+      =\<^bsub>o\<^esub>
+      (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> A)"
+    (is "\<turnstile> (\<lambda>?x\<^bsub>?\<beta>\<^esub>. ?A) \<sqdot> ?B =\<^bsub>o\<^esub> ?C")
+  proof -
+    have "?B \<in> wffs\<^bsub>?\<beta>\<^esub>" and "?A \<in> wffs\<^bsub>o\<^esub>"
+      using assms by auto
+    moreover have "is_free_for ?B (?x, ?\<beta>) ?A"
+      by (intro is_free_for_in_equivalence is_free_for_in_conj is_free_for_in_false) fastforce
+    ultimately have "\<turnstile> (\<lambda>?x\<^bsub>?\<beta>\<^esub>. ?A) \<sqdot> ?B =\<^bsub>o\<^esub> \<^bold>S {(?x, ?\<beta>) \<Zinj> ?B} ?A"
+      by (rule prop_5207)
+    moreover
+    have "\<^bold>S {(?x, ?\<beta>) \<Zinj> ?B} ?A = ?C"
+      by simp
+    ultimately show ?thesis
+      by (simp only:)
+  qed
+  ultimately have "\<turnstile> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> A"
+    by (rule rule_R[where p = "[]"]) auto
+  then show ?thesis
+    unfolding equivalence_def by (rule Equality_Rules(2))
+qed
+
+proposition prop_5229:
+  shows "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  and "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+  and "\<turnstile> (F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+  and "\<turnstile> (F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+proof -
+  show "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" and "\<turnstile> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+    using prop_5216 by blast+
+next
+  show "\<turnstile> (F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" and "\<turnstile> (F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+    using false_in_conj_provability and true_wff and false_wff by simp_all
+qed
+
+subsection \<open>Proposition 5230\<close>
+
+proposition prop_5230:
+  shows "\<turnstile> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  and "\<turnstile> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+  and "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+  and "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+proof -
+  show "\<turnstile> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" and "\<turnstile> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+    unfolding equivalence_def using prop_5218 by blast+
+next
+  show "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    unfolding equivalence_def by (rule Equality_Rules(2)[OF prop_5210[OF false_wff]])
+next
+  have "\<section>1": "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> ((\<lambda>\<xx>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)) \<sqdot> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (\<lambda>\<xx>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)) \<sqdot> T\<^bsub>o\<^esub>)"
+  proof -
+    let ?\<theta> = "{(\<hh>, o\<rightarrow>o) \<Zinj> \<lambda>\<xx>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>), (\<xx>, o) \<Zinj> F\<^bsub>o\<^esub>, (\<yy>, o) \<Zinj> T\<^bsub>o\<^esub>}"
+      and ?A = "(\<xx>\<^bsub>o\<^esub> =\<^bsub>o\<^esub> \<yy>\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> (\<hh>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<hh>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>o\<^esub>)"
+    have "\<turnstile> ?A"
+      by (fact axiom_is_derivable_from_no_hyps[OF axiom_2])
+    moreover have "is_substitution ?\<theta>"
+      by auto
+    moreover have "
+      \<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?A"
+      by (code_simp, unfold atomize_conj[symmetric], simp, force)+ blast
+    moreover have "?\<theta> \<noteq> {$$}"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S ?\<theta> ?A"
+      by (rule Sub)
+    then show ?thesis
+      by simp
+  qed
+  then have "\<section>2": "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> ((F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) \<equiv>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>))" (is "\<turnstile> ?A2")
+  proof -
+    have "is_free_for A (\<xx>, o) (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)" for A
+      by code_simp blast
+    have \<beta>_reduction: "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)) \<sqdot> A =\<^bsub>o\<^esub> (A \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)" if "A \<in> wffs\<^bsub>o\<^esub>" for A
+      using
+        prop_5207
+        [
+          OF that equivalence_wff[OF wffs_of_type_intros(1) false_wff]
+          \<open>is_free_for A (\<xx>, o) (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)\<close>
+        ]
+      by simp
+    from "\<section>1" and \<beta>_reduction[OF false_wff] have "
+      \<turnstile> (F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> ((F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) \<equiv>\<^sup>\<Q> (\<lambda>\<xx>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)) \<sqdot> T\<^bsub>o\<^esub>)"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    from this and \<beta>_reduction[OF true_wff] show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>]"]) force+
+  qed
+  then have "\<section>3": "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub>"
+  proof -
+    note r1 = rule_RR[OF disjI1] and r2 = rule_RR[OF disjI2]
+    have "\<section>3\<^sub>1": "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> ((F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)" (is \<open>\<turnstile> ?A3\<^sub>1\<close>)
+      by (rule r1[OF prop_5218[OF false_wff], where p = "[\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use "\<section>2" in \<open>force+\<close>)
+    have "\<section>3\<^sub>2": "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)" (is \<open>\<turnstile> ?A3\<^sub>2\<close>)
+      by (rule r2[OF prop_5210[OF false_wff], where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A3\<^sub>1]) (use "\<section>3\<^sub>1" in \<open>force+\<close>)
+    show ?thesis
+      by (rule r1[OF prop_5218[OF false_wff], where p = "[\<guillemotright>]" and C = ?A3\<^sub>2]) (use "\<section>3\<^sub>2" in \<open>force+\<close>)
+  qed
+  then have "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<equiv>\<^sup>\<Q> ((F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> F\<^bsub>o\<^esub>)"
+  proof -
+    have "
+      \<turnstile>
+        (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>)
+        =\<^bsub>o\<rightarrow>o\<^esub>
+        \<^bold>S {(\<xx>, o) \<Zinj> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>} (\<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>))"
+      by (rule prop_5207) auto
+    from "\<section>3"[unfolded imp_op_def imp_fun_def] and this
+    have "\<turnstile> (\<lambda>\<yy>\<^bsub>o\<^esub>. ((F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> F\<^bsub>o\<^esub>"
+      by (rule rule_R[where p = "[\<guillemotleft>]"]) force+
+    moreover have "
+      \<turnstile>
+        (\<lambda>\<yy>\<^bsub>o\<^esub>. ((F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> F\<^bsub>o\<^esub>
+        =\<^bsub>o\<^esub>
+        \<^bold>S {(\<yy>, o) \<Zinj> F\<^bsub>o\<^esub>} ((F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+      by (rule prop_5207) auto
+    ultimately show ?thesis
+      by (rule rule_R[where p = "[]"]) force+
+  qed
+  moreover have "\<section>5": "\<turnstile> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>"
+  proof -
+    from prop_5229(2,4) have "
+      \<turnstile> \<^bold>S {(\<xx>, o) \<Zinj> T\<^bsub>o\<^esub>} (\<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)" and "\<turnstile> \<^bold>S {(\<xx>, o) \<Zinj> F\<^bsub>o\<^esub>} (\<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)"
+      by simp_all
+    moreover have "\<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+      by auto
+    ultimately show ?thesis
+      by (rule Cases)
+  qed
+  then have "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>"
+  proof -
+    let ?\<theta> = "{(\<xx>, o) \<Zinj> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>}"
+    have "is_substitution ?\<theta>"
+      by auto
+    moreover have "\<forall>v \<in> fmdom' ?\<theta>.
+      var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v (\<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)"
+      by simp
+    moreover have "?\<theta> \<noteq> {$$}"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S ?\<theta> (\<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>)"
+      by (rule Sub[OF \<open>\<turnstile> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>\<close>])
+    then show ?thesis
+      by simp
+  qed
+  ultimately show "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+    unfolding equivalence_def by (rule Equality_Rules(3))
+qed
+
+subsection \<open>Proposition 5231\<close>
+
+proposition prop_5231:
+  shows "\<turnstile> \<sim>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+  and "\<turnstile> \<sim>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  using prop_5230(3,4) unfolding neg_def and equivalence_def and equality_of_type_def .
+
+subsection \<open>Proposition 5232\<close>
+
+lemma disj_op_alt_def_provability:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<turnstile> A \<or>\<^sup>\<Q> B =\<^bsub>o\<^esub> \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> B)"
+proof -
+  let ?C = "(\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> A \<sqdot> B"
+  from assms have "?C \<in> wffs\<^bsub>o\<^esub>"
+    by blast
+  have "(\<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<in> wffs\<^bsub>o\<^esub>"
+    by auto
+  moreover obtain z where "(z, o) \<notin> {(\<xx>, o), (\<yy>, o)}" and "(z, o) \<notin> free_vars A"
+    using free_vars_form_finiteness and fresh_var_existence
+    by (metis Un_iff Un_insert_right free_vars_form.simps(1,3) inf_sup_aci(5) sup_bot_left)
+  then have "(z, o) \<notin> free_vars (\<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>))"
+    by simp
+  moreover have "is_free_for (z\<^bsub>o\<^esub>) (\<yy>, o) (\<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>))"
+    by (intro is_free_for_in_conj is_free_for_in_neg is_free_for_in_var)
+  ultimately have "
+    \<turnstile> (\<lambda>\<yy>\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) =\<^bsub>o\<rightarrow>o\<^esub> (\<lambda>z\<^bsub>o\<^esub>. \<^bold>S {(\<yy>, o) \<Zinj> z\<^bsub>o\<^esub>} \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>))"
+    by (rule "\<alpha>")
+  then have "\<turnstile> (\<lambda>\<yy>\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) =\<^bsub>o\<rightarrow>o\<^esub> (\<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>))"
+    by simp
+  from prop_5200[OF \<open>?C \<in> wffs\<^bsub>o\<^esub>\<close>] and this have "
+    \<turnstile>
+      (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>)) \<sqdot> A \<sqdot> B
+      =\<^bsub>o\<^esub>
+      (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> A \<sqdot> B"
+    by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotleft>,\<guillemotleft>]"]) force+
+  moreover have "\<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by blast
+  have "
+    \<turnstile>
+      (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>)) \<sqdot> A
+      =\<^bsub>o\<rightarrow>o\<^esub>
+      \<^bold>S {(\<xx>, o) \<Zinj> A} (\<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>))"
+    by
+      (rule prop_5207)
+      (
+        fact, blast, intro is_free_for_in_neg is_free_for_in_conj is_free_for_to_abs,
+        (fastforce simp add: \<open>(z, o) \<notin> free_vars A\<close>)+
+      )
+  then have "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>)) \<sqdot> A =\<^bsub>o\<rightarrow>o\<^esub> (\<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>))"
+    using \<open>(z, o) \<notin> free_vars (\<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>))\<close> by simp
+  ultimately have "
+    \<turnstile> (\<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>)) \<sqdot> B =\<^bsub>o\<^esub> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> A \<sqdot> B"
+    by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>]"]) force+
+  moreover have "\<turnstile> (\<lambda>z\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>)) \<sqdot> B =\<^bsub>o\<^esub> \<^bold>S {(z, o) \<Zinj> B} (\<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>))"
+    by
+      (rule prop_5207)
+      (
+        fact, blast intro: assms(1), intro is_free_for_in_neg is_free_for_in_conj,
+        use \<open>(z, o) \<notin> free_vars A\<close> is_free_at_in_free_vars in \<open>fastforce+\<close>
+      )
+  moreover have "\<^bold>S {(z, o) \<Zinj> B} (\<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> z\<^bsub>o\<^esub>)) = \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> B)"
+    using free_var_singleton_substitution_neutrality[OF \<open>(z, o) \<notin> free_vars A\<close>] by simp
+  ultimately have "\<turnstile> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<sqdot> A \<sqdot> B =\<^bsub>o\<^esub> \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> B)"
+    using Equality_Rules(2,3) by metis
+  then show ?thesis
+    by simp
+qed
+
+context begin
+
+private lemma prop_5232_aux:
+  assumes "\<turnstile> \<sim>\<^sup>\<Q> (A \<and>\<^sup>\<Q> B) =\<^bsub>o\<^esub> C"
+  and "\<turnstile> \<sim>\<^sup>\<Q> A' =\<^bsub>o\<^esub> A" and "\<turnstile> \<sim>\<^sup>\<Q> B' =\<^bsub>o\<^esub> B"
+  shows "\<turnstile> A' \<or>\<^sup>\<Q> B' =\<^bsub>o\<^esub> C"
+proof -
+  let ?D = "\<sim>\<^sup>\<Q> (A \<and>\<^sup>\<Q> B) =\<^bsub>o\<^esub> C"
+  from assms(2) have "\<turnstile> \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A' \<and>\<^sup>\<Q> B) =\<^bsub>o\<^esub> C" (is \<open>\<turnstile> ?A1\<close>)
+    by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?D]) (use assms(1) in \<open>force+\<close>)
+  from assms(3) have "\<turnstile> \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A' \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> B') =\<^bsub>o\<^esub> C"
+    by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+  moreover from assms(2,3) have "A' \<in> wffs\<^bsub>o\<^esub>" and "B' \<in> wffs\<^bsub>o\<^esub>"
+    using hyp_derivable_form_is_wffso by (blast dest: wffs_from_equality wffs_from_neg)+
+  then have "\<turnstile> A' \<or>\<^sup>\<Q> B' =\<^bsub>o\<^esub> \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> A' \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> B')"
+    by (rule disj_op_alt_def_provability)
+  ultimately show ?thesis
+    using prop_5201_3 by blast
+qed
+
+proposition prop_5232:
+  shows "\<turnstile> (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  and "\<turnstile> (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  and "\<turnstile> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+  and "\<turnstile> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+proof -
+  from prop_5231(2) have "\<turnstile> \<sim>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A\<close>) .
+  from prop_5229(4) have "\<turnstile> \<sim>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A]) (use \<open>\<turnstile> ?A\<close> in \<open>force+\<close>)
+  from prop_5232_aux[OF this prop_5231(1) prop_5231(1)] show "\<turnstile> (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" .
+  from prop_5229(3) have "\<turnstile> \<sim>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A]) (use \<open>\<turnstile> ?A\<close> in \<open>force+\<close>)
+  from prop_5232_aux[OF this prop_5231(1) prop_5231(2)] show "\<turnstile> (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" .
+  from prop_5229(2) have "\<turnstile> \<sim>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+    by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A]) (use \<open>\<turnstile> ?A\<close> in \<open>force+\<close>)
+  from prop_5232_aux[OF this prop_5231(2) prop_5231(1)] show "\<turnstile> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" .
+next
+  from prop_5231(1) have "\<turnstile> \<sim>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A\<close>) .
+  from prop_5229(1) have "\<turnstile> \<sim>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+    by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A]) (use \<open>\<turnstile> ?A\<close> in \<open>force+\<close>)
+  from prop_5232_aux[OF this prop_5231(2) prop_5231(2)] show "\<turnstile> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" .
+qed
+
+end
+
+subsection \<open>Proposition 5233\<close>
+
+context begin
+
+private lemma lem_prop_5233_no_free_vars:
+  assumes "A \<in> pwffs" and "free_vars A = {}"
+  shows "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> A = \<^bold>T) \<longrightarrow> \<turnstile> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is "?A\<^sub>T \<longrightarrow> _")
+  and "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> A = \<^bold>F) \<longrightarrow> \<turnstile> A =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is "?A\<^sub>F \<longrightarrow> _")
+proof -
+  from assms have "(?A\<^sub>T \<longrightarrow> \<turnstile> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>) \<and> (?A\<^sub>F \<longrightarrow> \<turnstile> A =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>)"
+  proof induction
+    case T_pwff
+    have "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+      by (rule prop_5200[OF true_wff])
+    moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> T\<^bsub>o\<^esub> = \<^bold>T"
+      using \<V>\<^sub>B_T by blast
+    then have "\<not> (\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> T\<^bsub>o\<^esub> = \<^bold>F)"
+      by (auto simp: inj_eq)
+    ultimately show ?case
+      by blast
+  next
+    case F_pwff
+    have "\<turnstile> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+      by (rule prop_5200[OF false_wff])
+    moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> F\<^bsub>o\<^esub> = \<^bold>F"
+      using \<V>\<^sub>B_F by blast
+    then have "\<not> (\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> F\<^bsub>o\<^esub> = \<^bold>T)"
+      by (auto simp: inj_eq)
+    ultimately show ?case
+      by blast
+  next
+    case (var_pwff p) \<comment> \<open>impossible case\<close>
+    then show ?case
+      by simp
+  next
+    case (neg_pwff B)
+    from neg_pwff.hyps have "\<sim>\<^sup>\<Q> B \<in> pwffs" and "free_vars B = {}"
+      using neg_pwff.prems by (force, auto elim: free_vars_form.elims)
+    consider
+      (a) "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> B = \<^bold>T"
+    | (b) "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> B = \<^bold>F"
+      using closed_pwff_denotation_uniqueness[OF neg_pwff.hyps \<open>free_vars B = {}\<close>]
+      and neg_pwff.hyps[THEN \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<V>\<^sub>B_graph_\<V>\<^sub>B]]
+      by (auto dest: tv_cases) metis
+    then show ?case
+    proof cases
+      case a
+      with \<open>free_vars B = {}\<close> have "\<turnstile> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> B"
+        using neg_pwff.IH and Equality_Rules(2) by blast
+      from prop_5231(1)[unfolded neg_def, folded equality_of_type_def] and this
+      have "\<turnstile> \<sim>\<^sup>\<Q> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        unfolding neg_def[folded equality_of_type_def] by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]"]) force+
+      moreover from a have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (\<sim>\<^sup>\<Q> B) = \<^bold>F"
+        using \<V>\<^sub>B_neg[OF neg_pwff.hyps] by simp
+      ultimately show ?thesis
+        by (auto simp: inj_eq)
+    next
+      case b
+      with \<open>free_vars B = {}\<close> have "\<turnstile> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> B"
+        using neg_pwff.IH and Equality_Rules(2) by blast
+      then have "\<turnstile> \<sim>\<^sup>\<Q> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        unfolding neg_def[folded equality_of_type_def]
+        using rule_T(2)[OF hyp_derivable_form_is_wffso] by blast
+      moreover from b have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (\<sim>\<^sup>\<Q> B) = \<^bold>T"
+        using \<V>\<^sub>B_neg[OF neg_pwff.hyps] by simp
+      ultimately show ?thesis
+        by (auto simp: inj_eq)
+    qed
+  next
+    case (conj_pwff B C)
+    from conj_pwff.prems have "free_vars B = {}" and "free_vars C = {}"
+      by simp_all
+    with conj_pwff.hyps obtain b and b'
+      where B_den: "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> B = b"
+      and C_den: "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> C = b'"
+      using closed_pwff_denotation_uniqueness by metis
+    then have "b \<in> elts \<bool>" and "b' \<in> elts \<bool>"
+      using closed_pwff_denotation_uniqueness[OF conj_pwff.hyps(1) \<open>free_vars B = {}\<close>]
+      and closed_pwff_denotation_uniqueness[OF conj_pwff.hyps(2) \<open>free_vars C = {}\<close>]
+      and conj_pwff.hyps[THEN \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<V>\<^sub>B_graph_\<V>\<^sub>B]]
+      by force+
+    with conj_pwff.hyps consider
+      (a) "b = \<^bold>T" and "b' = \<^bold>T"
+    | (b) "b = \<^bold>T" and "b' = \<^bold>F"
+    | (c) "b = \<^bold>F" and "b' = \<^bold>T"
+    | (d) "b = \<^bold>F" and "b' = \<^bold>F"
+      by auto
+    then show ?case
+    proof cases
+      case a
+      from prop_5229(1) have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded a(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using conj_pwff.IH(1) by simp
+      then have "\<turnstile> B \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"  (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded a(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using conj_pwff.IH(2) by simp
+      then have "\<turnstile> B \<and>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<and>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> B \<and>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<and>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_conj[OF conj_pwff.hyps] and B_den[unfolded a(1)] and C_den[unfolded a(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case b
+      from prop_5229(2) have "\<turnstile> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded b(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using conj_pwff.IH(1) by simp
+      then have "\<turnstile> B \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"  (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded b(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using conj_pwff.IH(2) by simp
+      then have "\<turnstile> B \<and>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<and>\<^sup>\<Q> C) = \<^bold>F) \<longrightarrow> \<turnstile> B \<and>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<and>\<^sup>\<Q> C) \<noteq> \<^bold>T"
+        using \<V>\<^sub>B_conj[OF conj_pwff.hyps] and B_den[unfolded b(1)] and C_den[unfolded b(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case c
+      from prop_5229(3) have "\<turnstile> F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded c(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using conj_pwff.IH(1) by simp
+      then have "\<turnstile> B \<and>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"  (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded c(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using conj_pwff.IH(2) by simp
+      then have "\<turnstile> B \<and>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<and>\<^sup>\<Q> C) = \<^bold>F) \<longrightarrow> \<turnstile> B \<and>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<and>\<^sup>\<Q> C) \<noteq> \<^bold>T"
+        using \<V>\<^sub>B_conj[OF conj_pwff.hyps] and B_den[unfolded c(1)] and C_den[unfolded c(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case d
+      from prop_5229(4) have "\<turnstile> F\<^bsub>o\<^esub> \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded d(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using conj_pwff.IH(1) by simp
+      then have "\<turnstile> B \<and>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"  (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded d(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using conj_pwff.IH(2) by simp
+      then have "\<turnstile> B \<and>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<and>\<^sup>\<Q> C) = \<^bold>F) \<longrightarrow> \<turnstile> B \<and>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<and>\<^sup>\<Q> C) \<noteq> \<^bold>T"
+        using \<V>\<^sub>B_conj[OF conj_pwff.hyps] and B_den[unfolded d(1)] and C_den[unfolded d(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    qed
+  next
+    case (disj_pwff B C)
+    from disj_pwff.prems have "free_vars B = {}" and "free_vars C = {}"
+      by simp_all
+    with disj_pwff.hyps obtain b and b'
+      where B_den: "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> B = b"
+      and C_den: "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> C = b'"
+      using closed_pwff_denotation_uniqueness by metis
+    then have "b \<in> elts \<bool>" and "b' \<in> elts \<bool>"
+      using closed_pwff_denotation_uniqueness[OF disj_pwff.hyps(1) \<open>free_vars B = {}\<close>]
+      and closed_pwff_denotation_uniqueness[OF disj_pwff.hyps(2) \<open>free_vars C = {}\<close>]
+      and disj_pwff.hyps[THEN \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<V>\<^sub>B_graph_\<V>\<^sub>B]]
+      by force+
+    with disj_pwff.hyps consider
+      (a) "b = \<^bold>T" and "b' = \<^bold>T"
+    | (b) "b = \<^bold>T" and "b' = \<^bold>F"
+    | (c) "b = \<^bold>F" and "b' = \<^bold>T"
+    | (d) "b = \<^bold>F" and "b' = \<^bold>F"
+      by auto
+    then show ?case
+    proof cases
+      case a
+      from prop_5232(1) have "\<turnstile> T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded a(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using disj_pwff.IH(1) by simp
+      then have "\<turnstile> B \<or>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded a(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using disj_pwff.IH(2) by simp
+      then have "\<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<or>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<or>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_disj[OF disj_pwff.hyps] and B_den[unfolded a(1)] and C_den[unfolded a(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case b
+      from prop_5232(2) have "\<turnstile> T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded b(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using disj_pwff.IH(1) by simp
+      then have "\<turnstile> B \<or>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded b(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using disj_pwff.IH(2) by simp
+      then have "\<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<or>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<or>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_disj[OF disj_pwff.hyps] and B_den[unfolded b(1)] and C_den[unfolded b(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case c
+      from prop_5232(3) have "\<turnstile> F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded c(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using disj_pwff.IH(1) by simp
+      then have "\<turnstile> B \<or>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"  (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded c(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using disj_pwff.IH(2) by simp
+      then have "\<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<or>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<or>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_disj[OF disj_pwff.hyps] and B_den[unfolded c(1)] and C_den[unfolded c(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case d
+      from prop_5232(4) have "\<turnstile> F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded d(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using disj_pwff.IH(1) by simp
+      then have "\<turnstile> B \<or>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded d(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using disj_pwff.IH(2) by simp
+      then have "\<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<or>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<or>\<^sup>\<Q> C) \<noteq> \<^bold>T"
+        using \<V>\<^sub>B_disj[OF disj_pwff.hyps] and B_den[unfolded d(1)] and C_den[unfolded d(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        using \<open>\<turnstile> B \<or>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>\<close> by auto
+    qed
+  next
+    case (imp_pwff B C)
+    from imp_pwff.prems have "free_vars B = {}" and "free_vars C = {}"
+      by simp_all
+    with imp_pwff.hyps obtain b and b'
+      where B_den: "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> B = b"
+      and C_den: "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> C = b'"
+      using closed_pwff_denotation_uniqueness by metis
+    then have "b \<in> elts \<bool>" and "b' \<in> elts \<bool>"
+      using closed_pwff_denotation_uniqueness[OF imp_pwff.hyps(1) \<open>free_vars B = {}\<close>]
+      and closed_pwff_denotation_uniqueness[OF imp_pwff.hyps(2) \<open>free_vars C = {}\<close>]
+      and imp_pwff.hyps[THEN \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<V>\<^sub>B_graph_\<V>\<^sub>B]]
+      by force+
+    with imp_pwff.hyps consider
+      (a) "b = \<^bold>T" and "b' = \<^bold>T"
+    | (b) "b = \<^bold>T" and "b' = \<^bold>F"
+    | (c) "b = \<^bold>F" and "b' = \<^bold>T"
+    | (d) "b = \<^bold>F" and "b' = \<^bold>F"
+      by auto
+    then show ?case
+    proof cases
+      case a
+      from prop_5228(1) have "\<turnstile> T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded a(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using imp_pwff.IH(1) by simp
+      then have "\<turnstile> B \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded a(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using imp_pwff.IH(2) by simp
+      then have "\<turnstile> B \<supset>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<supset>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> B \<supset>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<supset>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_imp[OF imp_pwff.hyps] and B_den[unfolded a(1)] and C_den[unfolded a(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case b
+      from prop_5228(2) have "\<turnstile> T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded b(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using imp_pwff.IH(1) by simp
+      then have "\<turnstile> B \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded b(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using imp_pwff.IH(2) by simp
+      then have "\<turnstile> B \<supset>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<supset>\<^sup>\<Q> C) = \<^bold>F) \<longrightarrow> \<turnstile> B \<supset>\<^sup>\<Q> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<supset>\<^sup>\<Q> C) \<noteq> \<^bold>T"
+        using \<V>\<^sub>B_imp[OF imp_pwff.hyps] and B_den[unfolded b(1)] and C_den[unfolded b(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case c
+      from prop_5228(3) have "\<turnstile> F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded c(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using imp_pwff.IH(1) by simp
+      then have "\<turnstile> B \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded c(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using imp_pwff.IH(2) by simp
+      then have "\<turnstile> B \<supset>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<supset>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> B \<supset>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<supset>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_imp[OF imp_pwff.hyps] and B_den[unfolded c(1)] and C_den[unfolded c(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case d
+      from prop_5228(4) have "\<turnstile> F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded d(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using imp_pwff.IH(1) by simp
+      then have "\<turnstile> B \<supset>\<^sup>\<Q> F\<^bsub>o\<^esub> =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded d(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using imp_pwff.IH(2) by simp
+      then have "\<turnstile> B \<supset>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<supset>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> B \<supset>\<^sup>\<Q> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<supset>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_imp[OF imp_pwff.hyps] and B_den[unfolded d(1)] and C_den[unfolded d(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    qed
+  next
+    case (eqv_pwff B C)
+    from eqv_pwff.prems have "free_vars B = {}" and "free_vars C = {}"
+      by simp_all
+    with eqv_pwff.hyps obtain b and b'
+      where B_den: "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> B = b"
+      and C_den: "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> C = b'"
+      using closed_pwff_denotation_uniqueness by metis
+    then have "b \<in> elts \<bool>" and "b' \<in> elts \<bool>"
+      using closed_pwff_denotation_uniqueness[OF eqv_pwff.hyps(1) \<open>free_vars B = {}\<close>]
+      and closed_pwff_denotation_uniqueness[OF eqv_pwff.hyps(2) \<open>free_vars C = {}\<close>]
+      and eqv_pwff.hyps[THEN \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<V>\<^sub>B_graph_\<V>\<^sub>B]]
+      by force+
+    with eqv_pwff.hyps consider
+      (a) "b = \<^bold>T" and "b' = \<^bold>T"
+    | (b) "b = \<^bold>T" and "b' = \<^bold>F"
+    | (c) "b = \<^bold>F" and "b' = \<^bold>T"
+    | (d) "b = \<^bold>F" and "b' = \<^bold>F"
+      by auto
+    then show ?case
+    proof cases
+      case a
+      from prop_5230(1) have "\<turnstile> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded a(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using eqv_pwff.IH(1) by simp
+      then have "\<turnstile> (B \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded a(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using eqv_pwff.IH(2) by simp
+      then have "\<turnstile> (B \<equiv>\<^sup>\<Q> C) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<equiv>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> (B \<equiv>\<^sup>\<Q> C) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<equiv>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_eqv[OF eqv_pwff.hyps] and B_den[unfolded a(1)] and C_den[unfolded a(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case b
+      from prop_5230(2) have "\<turnstile> (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded b(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using eqv_pwff.IH(1) by simp
+      then have "\<turnstile> (B \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded b(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using eqv_pwff.IH(2) by simp
+      then have "\<turnstile> (B \<equiv>\<^sup>\<Q> C) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<equiv>\<^sup>\<Q> C) = \<^bold>F) \<longrightarrow> \<turnstile> (B \<equiv>\<^sup>\<Q> C) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<equiv>\<^sup>\<Q> C) \<noteq> \<^bold>T"
+        using \<V>\<^sub>B_eqv[OF eqv_pwff.hyps] and B_den[unfolded b(1)] and C_den[unfolded b(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case c
+      from prop_5230(3) have "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded c(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using eqv_pwff.IH(1) by simp
+      then have "\<turnstile> (B \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded c(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        using eqv_pwff.IH(2) by simp
+      then have "\<turnstile> (B \<equiv>\<^sup>\<Q> C) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<equiv>\<^sup>\<Q> C) = \<^bold>F) \<longrightarrow> \<turnstile> (B \<equiv>\<^sup>\<Q> C) =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<equiv>\<^sup>\<Q> C) \<noteq> \<^bold>T"
+        using \<V>\<^sub>B_eqv[OF eqv_pwff.hyps] and B_den[unfolded c(1)] and C_den[unfolded c(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    next
+      case d
+      from prop_5230(4) have "\<turnstile> (F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A1\<close>) .
+      from B_den[unfolded d(1)] and \<open>free_vars B = {}\<close> have "\<turnstile> B =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using eqv_pwff.IH(1) by simp
+      then have "\<turnstile> (B \<equiv>\<^sup>\<Q> F\<^bsub>o\<^esub>) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" (is \<open>\<turnstile> ?A2\<close>)
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]" and C = ?A1]) (use \<open>\<turnstile> ?A1\<close> in \<open>force+\<close>)
+      from C_den[unfolded d(2)] and \<open>free_vars C = {}\<close> have "\<turnstile> C =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+        using eqv_pwff.IH(2) by simp
+      then have "\<turnstile> (B \<equiv>\<^sup>\<Q> C) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by (rule rule_RR[OF disjI2, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>]" and C = ?A2]) (use \<open>\<turnstile> ?A2\<close> in \<open>force+\<close>)
+      then have "(\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<equiv>\<^sup>\<Q> C) = \<^bold>T) \<longrightarrow> \<turnstile> (B \<equiv>\<^sup>\<Q> C) =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+        by blast
+      moreover have "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> (B \<equiv>\<^sup>\<Q> C) \<noteq> \<^bold>F"
+        using \<V>\<^sub>B_eqv[OF eqv_pwff.hyps] and B_den[unfolded d(1)] and C_den[unfolded d(2)]
+        by (auto simp: inj_eq)
+      ultimately show ?thesis
+        by force
+    qed
+  qed
+  then show "?A\<^sub>T \<longrightarrow> \<turnstile> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>" and "?A\<^sub>F \<longrightarrow> \<turnstile> A =\<^bsub>o\<^esub> F\<^bsub>o\<^esub>"
+    by blast+
+qed
+
+proposition prop_5233:
+  assumes "is_tautology A"
+  shows "\<turnstile> A"
+proof -
+  have "finite (free_vars A)"
+    using free_vars_form_finiteness by presburger
+  from this and assms show ?thesis
+  proof (induction "free_vars A" arbitrary: A)
+    case empty
+    from empty(2) have "A \<in> pwffs" and "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> A = \<^bold>T"
+      unfolding is_tautology_def by blast+
+    with empty(1) have "\<turnstile> A =\<^bsub>o\<^esub> T\<^bsub>o\<^esub>"
+      using lem_prop_5233_no_free_vars(1) by (simp only:)
+    then show ?case
+      using rule_T(2)[OF tautology_is_wffo[OF empty(2)]] by (simp only:)
+  next
+    case (insert v F)
+    from insert.prems have "A \<in> pwffs"
+      by blast
+    with insert.hyps(4) obtain p where "v = (p, o)"
+      using pwffs_free_vars_are_propositional by blast
+    from \<open>v = (p, o)\<close> and insert.hyps(4) have "
+      is_tautology (\<^bold>S {(p, o) \<Zinj> T\<^bsub>o\<^esub>} A)" and "is_tautology (\<^bold>S {(p, o) \<Zinj> F\<^bsub>o\<^esub>} A)"
+      using pwff_substitution_tautology_preservation [OF insert.prems] by blast+
+    moreover from insert.hyps(2,4) and \<open>v = (p, o)\<close> and \<open>A \<in> pwffs\<close>
+    have "free_vars (\<^bold>S {(p, o) \<Zinj> T\<^bsub>o\<^esub>} A) = F" and "free_vars (\<^bold>S {(p, o) \<Zinj> F\<^bsub>o\<^esub>} A) = F"
+      using closed_pwff_substitution_free_vars and T_pwff and F_pwff and T_fv and F_fv
+      by (metis Diff_insert_absorb insertI1)+
+    ultimately have "\<turnstile> \<^bold>S {(p, o) \<Zinj> T\<^bsub>o\<^esub>} A" and "\<turnstile> \<^bold>S {(p, o) \<Zinj> F\<^bsub>o\<^esub>} A"
+      using insert.hyps(3) by (simp_all only:)
+    from this and tautology_is_wffo[OF insert.prems] show ?case
+      by (rule Cases)
+  qed
+qed
+
+end
+
+subsection \<open>Proposition 5234 (Rule P)\<close>
+
+text \<open>
+  According to the proof in @{cite "andrews:2002"}, if $[A^1 \wedge \dots \wedge A^n] \supset B$ is
+  tautologous, then clearly $A^1 \supset (\dots (A^n \supset B) \dots)$ is also tautologous.
+  Since this is not clear to us, we prove instead the version of Rule P found in @{cite "andrews:1965"}:
+\<close>
+
+proposition tautologous_horn_clause_is_hyp_derivable:
+  assumes "is_hyps \<H>" and "is_hyps \<G>"
+  and "\<forall>A \<in> \<G>. \<H> \<turnstile> A"
+  and "lset hs = \<G>"
+  and "is_tautologous (hs \<supset>\<^sup>\<Q>\<^sub>\<star> B)"
+  shows "\<H> \<turnstile> B"
+proof -
+  from assms(5) obtain \<theta> and C
+    where "is_tautology C"
+    and "is_substitution \<theta>"
+    and "\<forall>(x, \<alpha>) \<in> fmdom' \<theta>. \<alpha> = o"
+    and "hs \<supset>\<^sup>\<Q>\<^sub>\<star> B = \<^bold>S \<theta> C"
+    by blast
+  then have "\<turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> B"
+  proof (cases "\<theta> = {$$}")
+    case True
+    with \<open>hs \<supset>\<^sup>\<Q>\<^sub>\<star> B = \<^bold>S \<theta> C\<close> have "C = hs \<supset>\<^sup>\<Q>\<^sub>\<star> B"
+      using empty_substitution_neutrality by simp
+    with \<open>hs \<supset>\<^sup>\<Q>\<^sub>\<star> B = \<^bold>S \<theta> C\<close> and \<open>is_tautology C\<close> show ?thesis
+      using prop_5233 by (simp only:)
+  next
+    case False
+    from \<open>is_tautology C\<close> have "\<turnstile> C" and "C \<in> pwffs"
+      using prop_5233 by simp_all
+    moreover have "
+      \<forall>v \<in> fmdom' \<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (\<theta> $$! v) v C"
+    proof
+      fix v
+      assume "v \<in> fmdom' \<theta>"
+      then show "var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (\<theta> $$! v) v C"
+      proof (cases "v \<in> free_vars C")
+        case True
+        with \<open>C \<in> pwffs\<close> show ?thesis
+          using is_free_for_in_pwff by simp
+      next
+        case False
+        then have "is_free_for (\<theta> $$! v) v C"
+          unfolding is_free_for_def using is_free_at_in_free_vars by blast
+        then show ?thesis
+          by simp
+      qed
+    qed
+    ultimately show ?thesis
+      using False and \<open>is_substitution \<theta>\<close> and Sub
+      by (simp add: \<open>hs \<supset>\<^sup>\<Q>\<^sub>\<star> B = \<^bold>S \<theta> C\<close>[unfolded generalized_imp_op_def])
+  qed
+  from this and assms(1) have "\<H> \<turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> B"
+    by (rule derivability_implies_hyp_derivability)
+  with assms(3,4) show ?thesis
+    using generalized_modus_ponens by blast
+qed
+
+corollary tautologous_is_hyp_derivable:
+  assumes "is_hyps \<H>"
+  and "is_tautologous B"
+  shows "\<H> \<turnstile> B"
+  using assms and tautologous_horn_clause_is_hyp_derivable[where \<G> = "{}"] by simp
+
+lemmas prop_5234 = tautologous_horn_clause_is_hyp_derivable tautologous_is_hyp_derivable
+
+lemmas rule_P = prop_5234 (* synonym *)
+
+subsection \<open>Proposition 5235\<close>
+
+proposition prop_5235:
+  assumes "A \<in> pwffs" and "B \<in> pwffs"
+  and "(x, \<alpha>) \<notin> free_vars A"
+  shows "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (A \<or>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> (A \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+proof -
+  have "\<section>1": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+  proof (intro rule_P(2))
+    show "is_tautologous (\<forall>x\<^bsub>\<alpha>\<^esub>. (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> \<forall>x\<^bsub>\<alpha>\<^esub>. (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B), (\<yy>, o) \<Zinj> \<forall>x\<^bsub>\<alpha>\<^esub>. B}" and ?C = "\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> (\<yy>\<^bsub>o\<^esub>))"
+      have "is_tautology ?C"
+        using \<V>\<^sub>B_simps by simp
+      moreover from assms(2) have "is_pwff_substitution ?\<theta>"
+        using pwffs_subset_of_wffso by fastforce
+      moreover have "\<forall>x\<^bsub>\<alpha>\<^esub>. (T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> T\<^bsub>o\<^esub> \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B = \<^bold>S ?\<theta> ?C"
+        by simp
+      ultimately show ?thesis
+        by blast
+    qed
+  qed simp
+  have "\<section>2": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+  proof (intro rule_P(2))
+    show "is_tautologous (\<forall>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B))"
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> \<forall>x\<^bsub>\<alpha>\<^esub>. B}" and ?C = "\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> (\<xx>\<^bsub>o\<^esub>))"
+      have "is_tautology (\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> (\<xx>\<^bsub>o\<^esub>)))" (is \<open>is_tautology ?C\<close>)
+        using \<V>\<^sub>B_simps by simp
+      moreover from assms(2) have "is_pwff_substitution ?\<theta>"
+        using pwffs_subset_of_wffso by auto
+      moreover have "\<forall>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B) = \<^bold>S ?\<theta> ?C"
+        by simp
+      ultimately show ?thesis
+        by blast
+    qed
+  qed simp
+  have "\<section>3": "\<turnstile> B \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B)"
+  proof (intro rule_P(2))
+    show "is_tautologous (B \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B))"
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> B}" and ?C = "\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> (\<xx>\<^bsub>o\<^esub>))"
+      have "is_tautology ?C"
+        using \<V>\<^sub>B_simps by simp
+      moreover from assms(2) have "is_pwff_substitution ?\<theta>"
+        using pwffs_subset_of_wffso by auto
+      moreover have "B \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B) = \<^bold>S ?\<theta> ?C"
+        by simp
+      ultimately show ?thesis
+        by blast
+    qed
+  qed simp
+  from "\<section>2" and "\<section>3"[unfolded equivalence_def] have "\<section>4":
+    "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+    by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+  obtain p where "(p, o) \<notin> vars (\<forall>x\<^bsub>\<alpha>\<^esub>. (A \<or>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> (A \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B))"
+    by (meson fresh_var_existence vars_form_finiteness)
+  then have "(p, o) \<noteq> (x, \<alpha>)" and "(p, o) \<notin> vars A" and "(p, o) \<notin> vars B"
+    by simp_all
+  from \<open>(p, o) \<notin> vars B\<close> have sub: "\<^bold>S {(p, o) \<Zinj> C} B = B" for C
+    using free_var_singleton_substitution_neutrality and free_vars_in_all_vars by blast
+  have "\<section>5": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (p\<^bsub>o\<^esub> \<or>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> (p\<^bsub>o\<^esub> \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)" (is \<open>\<turnstile> ?C\<close>)
+  proof -
+    from sub and "\<section>1" have "\<turnstile> \<^bold>S {(p, o) \<Zinj> T\<^bsub>o\<^esub>} ?C"
+      using \<open>(p, o) \<noteq> (x, \<alpha>)\<close> by auto
+    moreover from sub and "\<section>4" have "\<turnstile> \<^bold>S {(p, o) \<Zinj> F\<^bsub>o\<^esub>} ?C"
+      using \<open>(p, o) \<noteq> (x, \<alpha>)\<close> by auto
+    moreover from assms(2) have "?C \<in> wffs\<^bsub>o\<^esub>"
+      using pwffs_subset_of_wffso by auto
+    ultimately show ?thesis
+      by (rule Cases)
+  qed
+  then show ?thesis
+  proof -
+    let ?\<theta> = "{(p, o) \<Zinj> A}"
+    from assms(1) have "is_substitution ?\<theta>"
+      using pwffs_subset_of_wffso by auto
+    moreover have "
+      \<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?C"
+    proof
+      fix v
+      assume "v \<in> fmdom' ?\<theta>"
+      then have "v = (p, o)"
+        by simp
+      with assms(3) and \<open>(p, o) \<notin> vars B\<close> have "is_free_for (?\<theta> $$! v) v ?C"
+        using occurs_in_vars
+        by (intro is_free_for_in_imp is_free_for_in_forall is_free_for_in_disj) auto
+      moreover have "var_name v \<notin> free_var_names ({}::form set)"
+        by simp
+      ultimately show "var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?C"
+        unfolding \<open>v = (p, o)\<close> by blast
+    qed
+    moreover have "?\<theta> \<noteq> {$$}"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S ?\<theta> ?C"
+      by (rule Sub[OF "\<section>5"])
+    moreover have "\<^bold>S ?\<theta> ?C = \<forall>x\<^bsub>\<alpha>\<^esub>. (A \<or>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> (A \<or>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+      using \<open>(p, o) \<noteq> (x, \<alpha>)\<close> and sub[of A] by simp fast
+    ultimately show ?thesis
+      by (simp only:)
+  qed
+qed
+
+subsection \<open>Proposition 5237 ($\supset \forall$ Rule)\<close>
+
+text \<open>
+  The proof in @{cite "andrews:2002"} uses the pseudo-rule Q and the axiom 5 of \<open>\<F>\<close>. Therefore, we
+  prove such axiom, following the proof of Theorem 143 in @{cite "andrews:1965"}:
+\<close>
+
+context begin
+
+private lemma prop_5237_aux:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  and "(x, \<alpha>) \<notin> free_vars A"
+  shows "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (A \<supset>\<^sup>\<Q> B) \<equiv>\<^sup>\<Q> (A \<supset>\<^sup>\<Q> (\<forall>x\<^bsub>\<alpha>\<^esub>. B))"
+proof -
+  have "is_tautology (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>))" (is \<open>is_tautology ?C\<^sub>1\<close>)
+    using \<V>\<^sub>B_simps by simp
+  have "is_tautology (\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)))" (is \<open>is_tautology ?C\<^sub>2\<close>)
+    using \<V>\<^sub>B_simps by simp
+  have "\<section>1": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. B \<equiv>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+  proof (intro rule_P(2))
+    show "is_tautologous (\<forall>x\<^bsub>\<alpha>\<^esub>. B \<equiv>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B))"
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> \<forall>x\<^bsub>\<alpha>\<^esub>. B}"
+      from assms(2) have "is_pwff_substitution ?\<theta>"
+        using pwffs_subset_of_wffso by auto
+      moreover have "\<forall>x\<^bsub>\<alpha>\<^esub>. B \<equiv>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B) = \<^bold>S ?\<theta> ?C\<^sub>1"
+        by simp
+      ultimately show ?thesis
+        using \<open>is_tautology ?C\<^sub>1\<close> by blast
+    qed
+  qed simp
+  have "\<section>2": "\<turnstile> B \<equiv>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B)"
+  proof (intro rule_P(2))
+    show "is_tautologous (B \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B)"
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> B}"
+      from assms(2) have "is_pwff_substitution ?\<theta>"
+        using pwffs_subset_of_wffso by auto
+      moreover have "B \<equiv>\<^sup>\<Q> T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B = \<^bold>S ?\<theta> ?C\<^sub>1"
+        by simp
+      ultimately show ?thesis
+        using \<open>is_tautology ?C\<^sub>1\<close> by blast
+    qed
+  qed simp
+  have "\<turnstile> T\<^bsub>o\<^esub>"
+    by (fact true_is_derivable)
+  then have "\<section>3": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>"
+    using Gen by simp
+  have "\<section>4": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+  proof (intro rule_P(1)[where \<G> = "{\<forall>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>}"])
+    show "is_tautologous ([\<forall>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>] \<supset>\<^sup>\<Q>\<^sub>\<star> (\<forall>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)))"
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> \<forall>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>, (\<yy>, o) \<Zinj> \<forall>x\<^bsub>\<alpha>\<^esub>. B}"
+      from assms(2) have "is_pwff_substitution ?\<theta>"
+        using pwffs_subset_of_wffso by auto
+      moreover have "[\<forall>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>] \<supset>\<^sup>\<Q>\<^sub>\<star> (\<forall>x\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)) = \<^bold>S ?\<theta> ?C\<^sub>2"
+        by simp
+      ultimately show ?thesis
+        using \<open>is_tautology ?C\<^sub>2\<close> by blast
+    qed
+  qed (use "\<section>3" in fastforce)+
+  have "\<section>5": "\<turnstile> T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B)"
+  proof (intro rule_P(2))
+    show "is_tautologous (T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B))"
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> B}" and ?C = "T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>)"
+      have "is_tautology ?C"
+        using \<V>\<^sub>B_simps by simp
+      moreover from assms(2) have "is_pwff_substitution ?\<theta>"
+        using pwffs_subset_of_wffso by auto
+      moreover have "T\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B) = \<^bold>S ?\<theta> ?C"
+        by simp
+      ultimately show ?thesis
+        by blast
+    qed
+  qed simp
+  from "\<section>4" and "\<section>5" have "\<section>6": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B) \<equiv>\<^sup>\<Q> (F\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+    unfolding equivalence_def by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+  from "\<section>1" and "\<section>2" have "\<section>7": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B) \<equiv>\<^sup>\<Q> (T\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+    unfolding equivalence_def by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>,\<guillemotleft>]"]) force+
+  obtain p where "(p, o) \<notin> vars B" and "p \<noteq> x"
+    using fresh_var_existence and vars_form_finiteness by (metis finite_insert insert_iff)
+  from \<open>(p, o) \<notin> vars B\<close> have sub: "\<^bold>S {(p, o) \<Zinj> C} B = B" for C
+    using free_var_singleton_substitution_neutrality and free_vars_in_all_vars by blast
+  have "\<section>8": "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (p\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> B) \<equiv>\<^sup>\<Q> (p\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)" (is \<open>\<turnstile> ?C\<^sub>3\<close>)
+  proof -
+    from sub and "\<section>7" have "\<turnstile> \<^bold>S {(p, o) \<Zinj> T\<^bsub>o\<^esub>} ?C\<^sub>3"
+      using \<open>p \<noteq> x\<close> by auto
+    moreover from sub and "\<section>6" have "\<turnstile> \<^bold>S {(p, o) \<Zinj> F\<^bsub>o\<^esub>} ?C\<^sub>3"
+      using \<open>p \<noteq> x\<close> by auto
+    moreover from assms(2) have "?C\<^sub>3 \<in> wffs\<^bsub>o\<^esub>"
+      using pwffs_subset_of_wffso by auto
+    ultimately show ?thesis
+      by (rule Cases)
+  qed
+  then show ?thesis
+  proof -
+    let ?\<theta> = "{(p, o) \<Zinj> A}"
+    from assms(1) have "is_substitution ?\<theta>"
+      using pwffs_subset_of_wffso by auto
+    moreover have "
+      \<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?C\<^sub>3"
+    proof
+      fix v
+      assume "v \<in> fmdom' ?\<theta>"
+      then have "v = (p, o)"
+        by simp
+      with assms(3) and \<open>(p, o) \<notin> vars B\<close> have "is_free_for (?\<theta> $$! v) v ?C\<^sub>3"
+        using occurs_in_vars
+        by (intro is_free_for_in_imp is_free_for_in_forall is_free_for_in_equivalence) auto
+      moreover have "var_name v \<notin> free_var_names ({}::form set)"
+        by simp
+      ultimately show "var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?C\<^sub>3"
+        unfolding \<open>v = (p, o)\<close> by blast
+    qed
+    moreover have "?\<theta> \<noteq> {$$}"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S ?\<theta> ?C\<^sub>3"
+      by (rule Sub[OF "\<section>8"])
+    moreover have "\<^bold>S ?\<theta> ?C\<^sub>3 = \<forall>x\<^bsub>\<alpha>\<^esub>. (A \<supset>\<^sup>\<Q> B) \<equiv>\<^sup>\<Q> (A \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+      using \<open>p \<noteq> x\<close> and sub[of A] by simp
+    ultimately show ?thesis
+      by (simp only:)
+  qed
+qed
+
+proposition prop_5237:
+  assumes "is_hyps \<H>"
+  and "\<H> \<turnstile> A \<supset>\<^sup>\<Q> B"
+  and "(x, \<alpha>) \<notin> free_vars ({A} \<union> \<H>)"
+  shows "\<H> \<turnstile> A \<supset>\<^sup>\<Q> (\<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+proof -
+  have "\<H> \<turnstile> A \<supset>\<^sup>\<Q> B"
+    by fact
+  with assms(3) have "\<H> \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (A \<supset>\<^sup>\<Q> B)"
+    using Gen by simp
+  moreover have "\<H> \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (A \<supset>\<^sup>\<Q> B) \<equiv>\<^sup>\<Q> (A \<supset>\<^sup>\<Q> (\<forall>x\<^bsub>\<alpha>\<^esub>. B))"
+  proof -
+    from assms(2) have "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+      using hyp_derivable_form_is_wffso by (blast dest: wffs_from_imp_op)+
+    with assms(1,3) show ?thesis
+      using prop_5237_aux and derivability_implies_hyp_derivability by simp
+  qed
+  ultimately show ?thesis
+    by (rule Equality_Rules(1))
+qed
+
+lemmas "\<supset>\<forall>" = prop_5237 (* synonym *)
+
+corollary generalized_prop_5237:
+  assumes "is_hyps \<H>"
+  and "\<H> \<turnstile> A \<supset>\<^sup>\<Q> B"
+  and "\<forall>v \<in> S. v \<notin> free_vars ({A} \<union> \<H>)"
+  and "lset vs = S"
+  shows "\<H> \<turnstile> A \<supset>\<^sup>\<Q> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+using assms proof (induction vs arbitrary: S)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (Cons v vs)
+  obtain x and \<alpha> where "v = (x, \<alpha>)"
+    by fastforce
+  from Cons.prems(3) have *: "\<forall>v' \<in> S. v' \<notin> free_vars ({A} \<union> \<H>)"
+    by blast
+  then show ?case
+  proof (cases "v \<in> lset vs")
+    case True
+    with Cons.prems(4) have "lset vs = S"
+      by auto
+    with assms(1,2) and * have "\<H> \<turnstile> A \<supset>\<^sup>\<Q> \<forall>\<^sup>\<Q>\<^sub>\<star> vs B"
+      by (fact Cons.IH)
+    with True and \<open>lset vs = S\<close> and \<open>v = (x, \<alpha>)\<close> and * have "\<H> \<turnstile> A \<supset>\<^sup>\<Q> (\<forall>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+      using prop_5237[OF assms(1)] by simp
+    with \<open>v = (x, \<alpha>)\<close> show ?thesis
+      by simp
+  next
+    case False
+    with \<open>lset (v # vs) = S\<close> have "lset vs = S - {v}"
+      by auto
+    moreover from * have "\<forall>v' \<in> S - {v}. v' \<notin> free_vars ({A} \<union> \<H>)"
+      by blast
+    ultimately have "\<H> \<turnstile> A \<supset>\<^sup>\<Q> \<forall>\<^sup>\<Q>\<^sub>\<star> vs B"
+      using assms(1,2) by (intro Cons.IH)
+    moreover from Cons.prems(4) and \<open>v = (x, \<alpha>)\<close> and * have "(x, \<alpha>) \<notin> free_vars ({A} \<union> \<H>)"
+      by auto
+    ultimately have "\<H> \<turnstile> A \<supset>\<^sup>\<Q> (\<forall>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+      using assms(1) by (intro prop_5237)
+    with \<open>v = (x, \<alpha>)\<close> show ?thesis
+      by simp
+  qed
+qed
+
+end
+
+subsection \<open>Proposition 5238\<close>
+
+context begin
+
+private lemma prop_5238_aux:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<turnstile> ((\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>x\<^bsub>\<beta>\<^esub>. B)) \<equiv>\<^sup>\<Q> \<forall>x\<^bsub>\<beta>\<^esub>. (A =\<^bsub>\<alpha>\<^esub> B)"
+proof -
+  have "\<section>1": "
+    \<turnstile> (\<ff>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<gg>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>) \<equiv>\<^sup>\<Q> \<forall>\<xx>\<^bsub>\<beta>\<^esub>. (\<ff>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<sqdot> \<xx>\<^bsub>\<beta>\<^esub> =\<^bsub>\<alpha>\<^esub> \<gg>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<sqdot> \<xx>\<^bsub>\<beta>\<^esub>)" (is \<open>\<turnstile> _ \<equiv>\<^sup>\<Q> \<forall>\<xx>\<^bsub>\<beta>\<^esub>. ?C\<^sub>1\<close>)
+    by (fact axiom_is_derivable_from_no_hyps[OF axiom_3])
+  then have "\<section>2": "
+    \<turnstile> (\<ff>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<gg>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>) \<equiv>\<^sup>\<Q> \<forall>x\<^bsub>\<beta>\<^esub>. (\<ff>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<sqdot> x\<^bsub>\<beta>\<^esub> =\<^bsub>\<alpha>\<^esub> \<gg>\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<sqdot> x\<^bsub>\<beta>\<^esub>)" (is \<open>\<turnstile> ?C\<^sub>2\<close>)
+  proof (cases "x = \<xx>")
+    case True
+    with "\<section>1" show ?thesis
+      by (simp only:)
+  next
+    case False
+    have "?C\<^sub>1 \<in> wffs\<^bsub>o\<^esub>"
+      by blast
+    moreover from False have "(x, \<beta>) \<notin> free_vars ?C\<^sub>1"
+      by simp
+    moreover have "is_free_for (x\<^bsub>\<beta>\<^esub>) (\<xx>, \<beta>) ?C\<^sub>1"
+      by (intro is_free_for_in_equality is_free_for_to_app) simp_all
+    ultimately have "\<turnstile> \<lambda>\<xx>\<^bsub>\<beta>\<^esub>. ?C\<^sub>1 =\<^bsub>\<beta>\<rightarrow>o\<^esub> \<lambda>x\<^bsub>\<beta>\<^esub>. (\<^bold>S {(\<xx>, \<beta>) \<Zinj> x\<^bsub>\<beta>\<^esub>} ?C\<^sub>1)"
+      by (rule "\<alpha>")
+    from "\<section>1" and this show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>]"]) force+
+  qed
+  then have "\<section>3": "
+    \<turnstile> ((\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>x\<^bsub>\<beta>\<^esub>. B)) \<equiv>\<^sup>\<Q> \<forall>x\<^bsub>\<beta>\<^esub>. ((\<lambda>x\<^bsub>\<beta>\<^esub>. A) \<sqdot> x\<^bsub>\<beta>\<^esub> =\<^bsub>\<alpha>\<^esub> (\<lambda>x\<^bsub>\<beta>\<^esub>. B) \<sqdot> x\<^bsub>\<beta>\<^esub>)"
+  proof -
+    let ?\<theta> = "{(\<ff>, \<beta>\<rightarrow>\<alpha>) \<Zinj> \<lambda>x\<^bsub>\<beta>\<^esub>. A, (\<gg>, \<beta>\<rightarrow>\<alpha>) \<Zinj> \<lambda>x\<^bsub>\<beta>\<^esub>. B}"
+    have "\<lambda>x\<^bsub>\<beta>\<^esub>. A \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>" and "\<lambda>x\<^bsub>\<beta>\<^esub>. B \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>"
+      by (blast intro: assms(1,2))+
+    then have "is_substitution ?\<theta>"
+      by simp
+    moreover have "
+      \<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?C\<^sub>2"
+    proof
+      fix v
+      assume "v \<in> fmdom' ?\<theta>"
+      then consider (a) "v = (\<ff>, \<beta>\<rightarrow>\<alpha>)" | (b) "v = (\<gg>, \<beta>\<rightarrow>\<alpha>)"
+        by fastforce
+      then show "var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?C\<^sub>2"
+      proof cases
+        case a
+        have "(x, \<beta>) \<notin> free_vars (\<lambda>x\<^bsub>\<beta>\<^esub>. A)"
+          by simp
+        then have "is_free_for (\<lambda>x\<^bsub>\<beta>\<^esub>. A) (\<ff>, \<beta>\<rightarrow>\<alpha>) ?C\<^sub>2"
+          unfolding equivalence_def
+          by (intro is_free_for_in_equality is_free_for_in_forall is_free_for_to_app, simp_all)
+        with a show ?thesis
+          by force
+      next
+        case b
+        have "(x, \<beta>) \<notin> free_vars (\<lambda>x\<^bsub>\<beta>\<^esub>. B)"
+          by simp
+        then have "is_free_for (\<lambda>x\<^bsub>\<beta>\<^esub>. B) (\<gg>, \<beta>\<rightarrow>\<alpha>) ?C\<^sub>2"
+          unfolding equivalence_def
+          by (intro is_free_for_in_equality is_free_for_in_forall is_free_for_to_app, simp_all)
+        with b show ?thesis
+          by force
+      qed
+    qed
+    moreover have "?\<theta> \<noteq> {$$}"
+      by simp
+    ultimately have "\<turnstile> \<^bold>S ?\<theta> ?C\<^sub>2"
+      by (rule Sub[OF "\<section>2"])
+    then show ?thesis
+      by simp
+  qed
+  then have "\<section>4": "\<turnstile> ((\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>x\<^bsub>\<beta>\<^esub>. B)) \<equiv>\<^sup>\<Q> \<forall>x\<^bsub>\<beta>\<^esub>. (A =\<^bsub>\<alpha>\<^esub> (\<lambda>x\<^bsub>\<beta>\<^esub>. B) \<sqdot> x\<^bsub>\<beta>\<^esub>)"
+  proof -
+    have "\<turnstile> (\<lambda>x\<^bsub>\<beta>\<^esub>. A) \<sqdot> x\<^bsub>\<beta>\<^esub> =\<^bsub>\<alpha>\<^esub> A"
+      using prop_5208[where vs = "[(x, \<beta>)]"] and assms(1) by simp
+    from "\<section>3" and this show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>,\<guillemotleft>,\<guillemotright>]"]) force+
+  qed
+  then show ?thesis
+  proof -
+    have "\<turnstile> (\<lambda>x\<^bsub>\<beta>\<^esub>. B) \<sqdot> x\<^bsub>\<beta>\<^esub> =\<^bsub>\<alpha>\<^esub> B"
+      using prop_5208[where vs = "[(x, \<beta>)]"] and assms(2) by simp
+    from "\<section>4" and this show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+  qed
+qed
+
+proposition prop_5238:
+  assumes "vs \<noteq> []" and "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<turnstile> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A =\<^bsub>foldr (\<rightarrow>) (map var_type vs) \<alpha>\<^esub> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B \<equiv>\<^sup>\<Q> \<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B)"
+using assms proof (induction vs arbitrary: A B \<alpha> rule: rev_nonempty_induct)
+  case (single v)
+  obtain x and \<beta> where "v = (x, \<beta>)"
+    by fastforce
+  from single.prems have "
+    \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A =\<^bsub>foldr (\<rightarrow>) (map var_type vs) \<alpha>\<^esub> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B \<equiv>\<^sup>\<Q> \<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B) \<in> wffs\<^bsub>o\<^esub>"
+    by blast
+  with single.prems and \<open>v = (x, \<beta>)\<close> show ?case
+    using prop_5238_aux by simp
+next
+  case (snoc v vs)
+  obtain x and \<beta> where "v = (x, \<beta>)"
+    by fastforce
+  from snoc.prems have "\<lambda>x\<^bsub>\<beta>\<^esub>. A \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>" and "\<lambda>x\<^bsub>\<beta>\<^esub>. B \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>"
+    by auto
+  then have "
+    \<turnstile>
+      \<lambda>\<^sup>\<Q>\<^sub>\<star> vs (\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>foldr (\<rightarrow>) (map var_type vs) (\<beta>\<rightarrow>\<alpha>)\<^esub> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs (\<lambda>x\<^bsub>\<beta>\<^esub>. B)
+      \<equiv>\<^sup>\<Q>
+      \<forall>\<^sup>\<Q>\<^sub>\<star> vs ((\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> (\<lambda>x\<^bsub>\<beta>\<^esub>. B))"
+    by (fact snoc.IH)
+  moreover from snoc.prems have "\<turnstile> \<lambda>x\<^bsub>\<beta>\<^esub>. A =\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<lambda>x\<^bsub>\<beta>\<^esub>. B \<equiv>\<^sup>\<Q> \<forall>x\<^bsub>\<beta>\<^esub>. (A =\<^bsub>\<alpha>\<^esub> B)"
+    by (fact prop_5238_aux)
+  ultimately have "
+    \<turnstile>
+      \<lambda>\<^sup>\<Q>\<^sub>\<star> vs (\<lambda>x\<^bsub>\<beta>\<^esub>. A) =\<^bsub>foldr (\<rightarrow>) (map var_type vs) (\<beta>\<rightarrow>\<alpha>)\<^esub> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs (\<lambda>x\<^bsub>\<beta>\<^esub>. B)
+      \<equiv>\<^sup>\<Q>
+      \<forall>\<^sup>\<Q>\<^sub>\<star> vs \<forall>x\<^bsub>\<beta>\<^esub>. (A =\<^bsub>\<alpha>\<^esub> B)"
+  unfolding equivalence_def proof (induction rule: rule_R[where p = "\<guillemotright> # foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs []"])
+    case occ_subform
+    then show ?case
+      using innermost_subform_in_generalized_forall[OF snoc.hyps] and is_subform_at.simps(3)
+      by fastforce
+  next
+    case replacement
+    then show ?case
+      using innermost_replacement_in_generalized_forall[OF snoc.hyps]
+      and is_replacement_at_implies_in_positions and replace_right_app by force
+  qed
+  with \<open>v = (x, \<beta>)\<close> show ?case
+    by simp
+qed
+
+end
+
+subsection \<open>Proposition 5239\<close>
+
+lemma replacement_derivability:
+  assumes "C \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "A \<preceq>\<^bsub>p\<^esub> C"
+  and "\<turnstile> A =\<^bsub>\<alpha>\<^esub> B"
+  and "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D"
+  shows "\<turnstile> C =\<^bsub>\<beta>\<^esub> D"
+using assms proof (induction arbitrary: D p)
+  case (var_is_wff \<gamma> x)
+  from var_is_wff.prems(1) have "p = []" and "A = x\<^bsub>\<gamma>\<^esub>"
+    by (auto elim: is_subform_at.elims(2))
+  with var_is_wff.prems(2) have "\<alpha> = \<gamma>"
+    using hyp_derivable_form_is_wffso and wff_has_unique_type and wffs_from_equality by blast
+  moreover from \<open>p = []\<close> and var_is_wff.prems(3) have "D = B"
+    using is_replacement_at_minimal_change(1) and is_subform_at.simps(1) by iprover
+  ultimately show ?case
+    using \<open>A = x\<^bsub>\<gamma>\<^esub>\<close> and var_is_wff.prems(2) by (simp only:)
+next
+  case (con_is_wff \<gamma> c)
+  from con_is_wff.prems(1) have "p = []" and "A = \<lbrace>c\<rbrace>\<^bsub>\<gamma>\<^esub>"
+    by (auto elim: is_subform_at.elims(2))
+  with con_is_wff.prems(2) have "\<alpha> = \<gamma>"
+    using hyp_derivable_form_is_wffso and wff_has_unique_type
+    by (meson wffs_from_equality wffs_of_type_intros(2))
+  moreover from \<open>p = []\<close> and con_is_wff.prems(3) have "D = B"
+    using is_replacement_at_minimal_change(1) and is_subform_at.simps(1) by iprover
+  ultimately show ?case
+    using \<open>A = \<lbrace>c\<rbrace>\<^bsub>\<gamma>\<^esub>\<close> and con_is_wff.prems(2) by (simp only:)
+next
+  case (app_is_wff \<gamma> \<delta> C\<^sub>1 C\<^sub>2)
+  from app_is_wff.prems(1) consider
+    (a) "p = []"
+  | (b) "\<exists>p'. p = \<guillemotleft> # p' \<and> A \<preceq>\<^bsub>p'\<^esub> C\<^sub>1"
+  | (c) "\<exists>p'. p = \<guillemotright> # p' \<and> A \<preceq>\<^bsub>p'\<^esub> C\<^sub>2"
+    using subforms_from_app by blast
+  then show ?case
+  proof cases
+    case a
+    with app_is_wff.prems(1) have "A = C\<^sub>1 \<sqdot> C\<^sub>2"
+      by simp
+    moreover from a and app_is_wff.prems(3) have "D = B"
+      using is_replacement_at_minimal_change(1) and at_top_is_self_subform by blast
+    moreover from \<open>A = C\<^sub>1 \<sqdot> C\<^sub>2\<close> and \<open>D = B\<close> and app_is_wff.hyps(1,2) and assms(3) have "\<alpha> = \<delta>"
+      using hyp_derivable_form_is_wffso and wff_has_unique_type
+      by (blast dest: wffs_from_equality)
+    ultimately show ?thesis
+      using assms(3) by (simp only:)
+  next
+    case b
+    then obtain p' where "p = \<guillemotleft> # p'" and "A \<preceq>\<^bsub>p'\<^esub> C\<^sub>1"
+      by blast
+    moreover obtain D\<^sub>1 where "D = D\<^sub>1 \<sqdot> C\<^sub>2" and "C\<^sub>1\<lblot>p' \<leftarrow> B\<rblot> \<rhd> D\<^sub>1"
+      using app_is_wff.prems(3) and \<open>p = \<guillemotleft> # p'\<close> by (force dest: is_replacement_at.cases)
+    ultimately have "\<turnstile> C\<^sub>1 =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> D\<^sub>1"
+      using app_is_wff.IH(1) and assms(3) by blast
+    moreover have "\<turnstile> C\<^sub>2 =\<^bsub>\<gamma>\<^esub> C\<^sub>2"
+      by (fact prop_5200[OF app_is_wff.hyps(2)])
+    ultimately have "\<turnstile> C\<^sub>1 \<sqdot> C\<^sub>2 =\<^bsub>\<delta>\<^esub> D\<^sub>1 \<sqdot> C\<^sub>2"
+      using Equality_Rules(4) by (simp only:)
+    with \<open>D = D\<^sub>1 \<sqdot> C\<^sub>2\<close> show ?thesis
+      by (simp only:)
+  next
+    case c
+    then obtain p' where "p = \<guillemotright> # p'" and "A \<preceq>\<^bsub>p'\<^esub> C\<^sub>2"
+      by blast
+    moreover obtain D\<^sub>2 where "D = C\<^sub>1 \<sqdot> D\<^sub>2" and "C\<^sub>2\<lblot>p' \<leftarrow> B\<rblot> \<rhd> D\<^sub>2"
+      using app_is_wff.prems(3) and \<open>p = \<guillemotright> # p'\<close> by (force dest: is_replacement_at.cases)
+    ultimately have "\<turnstile> C\<^sub>2 =\<^bsub>\<gamma>\<^esub> D\<^sub>2"
+      using app_is_wff.IH(2) and assms(3) by blast
+    moreover have "\<turnstile> C\<^sub>1 =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> C\<^sub>1"
+      by (fact prop_5200[OF app_is_wff.hyps(1)])
+    ultimately have "\<turnstile> C\<^sub>1 \<sqdot> C\<^sub>2 =\<^bsub>\<delta>\<^esub> C\<^sub>1 \<sqdot> D\<^sub>2"
+      using Equality_Rules(4) by (simp only:)
+    with \<open>D = C\<^sub>1 \<sqdot> D\<^sub>2\<close> show ?thesis
+      by (simp only:)
+  qed
+next
+  case (abs_is_wff \<delta> C' \<gamma> x)
+  from abs_is_wff.prems(1) consider (a) "p = []" | (b) "\<exists>p'. p = \<guillemotleft> # p' \<and> A \<preceq>\<^bsub>p'\<^esub> C'"
+    using subforms_from_abs by blast
+  then show ?case
+  proof cases
+    case a
+    with abs_is_wff.prems(1) have "A = \<lambda>x\<^bsub>\<gamma>\<^esub>. C'"
+      by simp
+    moreover from a and abs_is_wff.prems(3) have "D = B"
+      using is_replacement_at_minimal_change(1) and at_top_is_self_subform by blast
+    moreover from \<open>A = \<lambda>x\<^bsub>\<gamma>\<^esub>. C'\<close> and \<open>D = B\<close> and abs_is_wff.hyps(1) and assms(3) have "\<alpha> = \<gamma>\<rightarrow>\<delta>"
+      using hyp_derivable_form_is_wffso and wff_has_unique_type
+      by (blast dest: wffs_from_abs wffs_from_equality)
+    ultimately show ?thesis
+      using assms(3) by (simp only:)
+  next
+    case b
+    then obtain p' where "p = \<guillemotleft> # p'" and "A \<preceq>\<^bsub>p'\<^esub> C'"
+      by blast
+    moreover obtain D' where "D = \<lambda>x\<^bsub>\<gamma>\<^esub>. D'" and "C'\<lblot>p' \<leftarrow> B\<rblot> \<rhd> D'"
+      using abs_is_wff.prems(3) and \<open>p = \<guillemotleft> # p'\<close> by (force dest: is_replacement_at.cases)
+    ultimately have "\<turnstile> C' =\<^bsub>\<delta>\<^esub> D'"
+      using abs_is_wff.IH and assms(3) by blast
+    then have "\<turnstile> \<lambda>x\<^bsub>\<gamma>\<^esub>. C' =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>x\<^bsub>\<gamma>\<^esub>. D'"
+    proof -
+      from \<open>\<turnstile> C' =\<^bsub>\<delta>\<^esub> D'\<close> have "\<turnstile> \<forall>x\<^bsub>\<gamma>\<^esub>. (C' =\<^bsub>\<delta>\<^esub> D')"
+        using Gen by simp
+      moreover from \<open>\<turnstile> C' =\<^bsub>\<delta>\<^esub> D'\<close> and abs_is_wff.hyps have "D' \<in> wffs\<^bsub>\<delta>\<^esub>"
+        using hyp_derivable_form_is_wffso by (blast dest: wffs_from_equality)
+      with abs_is_wff.hyps have "\<turnstile> (\<lambda>x\<^bsub>\<gamma>\<^esub>. C' =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> \<lambda>x\<^bsub>\<gamma>\<^esub>. D') \<equiv>\<^sup>\<Q> \<forall>x\<^bsub>\<gamma>\<^esub>. (C' =\<^bsub>\<delta>\<^esub> D')"
+        using prop_5238[where vs = "[(x, \<gamma>)]"] by simp
+      ultimately show ?thesis
+        using Equality_Rules(1,2) unfolding equivalence_def by blast
+    qed
+    with \<open>D = \<lambda>x\<^bsub>\<gamma>\<^esub>. D'\<close> show ?thesis
+      by (simp only:)
+  qed
+qed
+
+context
+begin
+
+private lemma prop_5239_aux_1:
+  assumes "p \<in> positions (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar v) (map FVar vs))"
+  and "p \<noteq> replicate (length vs) \<guillemotleft>"
+  shows "
+    (\<exists>A B. A \<sqdot> B \<preceq>\<^bsub>p\<^esub> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar v) (map FVar vs)))
+    \<or>
+    (\<exists>v \<in> lset vs. occurs_at v p (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar v) (map FVar vs)))"
+using assms proof (induction vs arbitrary: p rule: rev_induct)
+  case Nil
+  then show ?case
+    using surj_pair[of v] by fastforce
+next
+  case (snoc v' vs)
+  from snoc.prems(1) consider
+    (a) "p = []"
+  | (b) "p = [\<guillemotright>]"
+  | (c) "\<exists>p' \<in> positions (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar v) (map FVar vs)). p = \<guillemotleft> # p'"
+    using surj_pair[of v'] by fastforce
+  then show ?case
+  proof cases
+    case c
+    then obtain p' where "p' \<in> positions (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar v) (map FVar vs))" and "p = \<guillemotleft> # p'"
+      by blast
+    from \<open>p = \<guillemotleft> # p'\<close> and snoc.prems(2) have "p' \<noteq> replicate (length vs) \<guillemotleft>"
+      by force
+    then have "
+      (\<exists>A B. A \<sqdot> B \<preceq>\<^bsub>p'\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar v) (map FVar vs))
+      \<or>
+      (\<exists>v \<in> lset vs. occurs_at v p' (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar v) (map FVar vs)))"
+      using \<open>p' \<in> positions (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar v) (map FVar vs))\<close> and snoc.IH by simp
+    with \<open>p = \<guillemotleft> # p'\<close> show ?thesis
+      by auto
+  qed simp_all
+qed
+
+private lemma prop_5239_aux_2:
+  assumes "t \<notin> lset vs \<union> vars C"
+  and "C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))\<rblot> \<rhd> G"
+  and "C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs))\<rblot> \<rhd> G'"
+  shows "\<^bold>S {t \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A} G = G'" (is \<open>\<^bold>S ?\<theta> G = G'\<close>)
+proof -
+  have "\<^bold>S ?\<theta> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs)) = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<^bold>S ?\<theta> (FVar t)) (map (\<lambda>v'. \<^bold>S ?\<theta> v') (map FVar vs))"
+    using generalized_app_substitution by blast
+  moreover have "\<^bold>S ?\<theta> (FVar t) = \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A"
+    using surj_pair[of t] by fastforce
+  moreover from assms(1) have "map (\<lambda>v'. \<^bold>S ?\<theta> v') (map FVar vs) = map FVar vs"
+    by (induction vs) auto
+  ultimately show ?thesis
+  using assms proof (induction C arbitrary: G G' p)
+    case (FVar v)
+    from FVar.prems(5) have "p = []" and "G = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs)"
+      by (blast dest: is_replacement_at.cases)+
+    moreover from FVar.prems(6) and \<open>p = []\<close> have "G' = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs)"
+      by (blast dest: is_replacement_at.cases)
+    ultimately show ?case
+      using FVar.prems(1-3) by (simp only:)
+  next
+    case (FCon k)
+    from FCon.prems(5) have "p = []" and "G = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs)"
+      by (blast dest: is_replacement_at.cases)+
+    moreover from FCon.prems(6) and \<open>p = []\<close> have "G' = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs)"
+      by (blast dest: is_replacement_at.cases)
+    ultimately show ?case
+      using FCon.prems(1-3) by (simp only:)
+  next
+    case (FApp C\<^sub>1 C\<^sub>2)
+    from FApp.prems(4) have "t \<notin> lset vs \<union> vars C\<^sub>1" and "t \<notin> lset vs \<union> vars C\<^sub>2"
+      by auto
+    consider (a) "p = []" | (b) "\<exists>p'. p = \<guillemotleft> # p'" | (c) "\<exists>p'. p = \<guillemotright> # p'"
+      by (metis direction.exhaust list.exhaust)
+    then show ?case
+    proof cases
+      case a
+      with FApp.prems(5) have "G = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs)"
+        by (blast dest: is_replacement_at.cases)
+      moreover from FApp.prems(6) and \<open>p = []\<close> have "G' = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs)"
+        by (blast dest: is_replacement_at.cases)
+      ultimately show ?thesis
+        using FApp.prems(1-3) by (simp only:)
+    next
+      case b
+      then obtain p' where "p = \<guillemotleft> # p'"
+        by blast
+      with FApp.prems(5) obtain G\<^sub>1 where "G = G\<^sub>1 \<sqdot> C\<^sub>2" and "C\<^sub>1\<lblot>p' \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))\<rblot> \<rhd> G\<^sub>1"
+        by (blast elim: is_replacement_at.cases)
+      moreover from \<open>p = \<guillemotleft> # p'\<close> and FApp.prems(6)
+      obtain G'\<^sub>1 where "G' = G'\<^sub>1 \<sqdot> C\<^sub>2" and "C\<^sub>1\<lblot>p' \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs))\<rblot> \<rhd> G'\<^sub>1"
+        by (blast elim: is_replacement_at.cases)
+      moreover from \<open>t \<notin> lset vs \<union> vars C\<^sub>2\<close> have "\<^bold>S {t \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A} C\<^sub>2 = C\<^sub>2"
+        using surj_pair[of t] and free_var_singleton_substitution_neutrality
+        by (simp add: vars_is_free_and_bound_vars)
+      ultimately show ?thesis
+        using FApp.IH(1)[OF FApp.prems(1-3) \<open>t \<notin> lset vs \<union> vars C\<^sub>1\<close>] by simp
+    next
+      case c
+      then obtain p' where "p = \<guillemotright> # p'"
+        by blast
+      with FApp.prems(5) obtain G\<^sub>2 where "G = C\<^sub>1 \<sqdot> G\<^sub>2" and "C\<^sub>2\<lblot>p' \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))\<rblot> \<rhd> G\<^sub>2"
+        by (blast elim: is_replacement_at.cases)
+      moreover from \<open>p = \<guillemotright> # p'\<close> and FApp.prems(6)
+      obtain G'\<^sub>2 where "G' = C\<^sub>1 \<sqdot> G'\<^sub>2" and "C\<^sub>2\<lblot>p' \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs))\<rblot> \<rhd> G'\<^sub>2"
+        by (blast elim: is_replacement_at.cases)
+      moreover from \<open>t \<notin> lset vs \<union> vars C\<^sub>1\<close> have "\<^bold>S {t \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A} C\<^sub>1 = C\<^sub>1"
+        using surj_pair[of t] and free_var_singleton_substitution_neutrality
+        by (simp add: vars_is_free_and_bound_vars)
+      ultimately show ?thesis
+        using FApp.IH(2)[OF FApp.prems(1-3) \<open>t \<notin> lset vs \<union> vars C\<^sub>2\<close>] by simp
+    qed
+  next
+    case (FAbs v C')
+    from FAbs.prems(4) have "t \<notin> lset vs \<union> vars C'" and "t \<noteq> v"
+      using vars_form.elims by blast+
+    from FAbs.prems(5) consider (a) "p = []" | (b) "\<exists>p'. p = \<guillemotleft> # p'"
+      using is_replacement_at.simps by blast
+    then show ?case
+    proof cases
+      case a
+      with FAbs.prems(5) have "G = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs)"
+        by (blast dest: is_replacement_at.cases)
+      moreover from FAbs.prems(6) and \<open>p = []\<close> have "G' = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs)"
+        by (blast dest: is_replacement_at.cases)
+      ultimately show ?thesis
+        using FAbs.prems(1-3) by (simp only:)
+    next
+      case b
+      then obtain p' where "p = \<guillemotleft> # p'"
+        by blast
+      then obtain G\<^sub>1 where "G = FAbs v G\<^sub>1" and "C'\<lblot>p' \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))\<rblot> \<rhd> G\<^sub>1"
+        using FAbs.prems(5) by (blast elim: is_replacement_at.cases)
+      moreover from \<open>p = \<guillemotleft> # p'\<close> and FAbs.prems(6)
+      obtain G'\<^sub>1 where "G' = FAbs v G'\<^sub>1" and "C'\<lblot>p' \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs))\<rblot> \<rhd> G'\<^sub>1"
+        by (blast elim: is_replacement_at.cases)
+      ultimately have "\<^bold>S {t \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A} G\<^sub>1 = G'\<^sub>1"
+        using FAbs.IH[OF FAbs.prems(1-3) \<open>t \<notin> lset vs \<union> vars C'\<close>] by simp
+      with \<open>G = FAbs v G\<^sub>1\<close> and \<open>G' = FAbs v G'\<^sub>1\<close> and \<open>t \<noteq> v\<close> show ?thesis
+        using surj_pair[of v] by fastforce
+    qed
+  qed
+qed
+
+private lemma prop_5239_aux_3:
+  assumes "t \<notin> lset vs \<union> vars {A, C}"
+  and "C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))\<rblot> \<rhd> G"
+  and "occurs_at t p' G"
+  shows "p' = p @ replicate (length vs) \<guillemotleft>" (is \<open>p' = ?p\<^sub>t\<close>)
+proof (cases "vs = []")
+  case True
+  then have "t \<notin> vars C"
+    using assms(1) by auto
+  moreover from True and assms(2) have "C\<lblot>p \<leftarrow> FVar t\<rblot> \<rhd> G"
+    by force
+  ultimately show ?thesis
+    using assms(3) and True and fresh_var_replacement_position_uniqueness by simp
+next
+  case False
+  show ?thesis
+  proof (rule ccontr)
+    assume "p' \<noteq> ?p\<^sub>t"
+    have "\<not> prefix ?p\<^sub>t p"
+      by (simp add: False)
+    from assms(3) have "p' \<in> positions G"
+      using is_subform_implies_in_positions by fastforce
+    from assms(2) have "?p\<^sub>t \<in> positions G"
+      using is_replacement_at_minimal_change(1) and is_subform_at_transitivity
+      and is_subform_implies_in_positions and leftmost_subform_in_generalized_app
+      by (metis length_map)
+    from assms(2) have "occurs_at t ?p\<^sub>t G"
+      unfolding occurs_at_def using is_replacement_at_minimal_change(1) and is_subform_at_transitivity
+      and leftmost_subform_in_generalized_app
+      by (metis length_map)
+    moreover from assms(2) and \<open>p' \<in> positions G\<close> have *: "
+      subform_at C p' = subform_at G p'" if "\<not> prefix p' p" and "\<not> prefix p p'"
+      using  is_replacement_at_minimal_change(2) by (simp add: that(1,2))
+    ultimately show False
+    proof (cases "\<not> prefix p' p \<and> \<not> prefix p p'")
+      case True
+      with assms(3) and * have "occurs_at t p' C"
+        using is_replacement_at_occurs[OF assms(2)] by blast
+      then have "t \<in> vars C"
+        using is_subform_implies_in_positions and occurs_in_vars by fastforce
+      with assms(1) show ?thesis
+        by simp
+    next
+      case False
+      then consider (a) "prefix p' p" | (b) "prefix p p'"
+        by blast
+      then show ?thesis
+      proof cases
+        case a
+        with \<open>occurs_at t ?p\<^sub>t G\<close> and \<open>p' \<noteq> ?p\<^sub>t\<close> and assms(3) show ?thesis
+          unfolding occurs_at_def using loop_subform_impossibility
+          by (metis prefix_order.dual_order.order_iff_strict prefix_prefix)
+      next
+        case b
+        have "strict_prefix p' ?p\<^sub>t"
+        proof (rule ccontr)
+          assume "\<not> strict_prefix p' ?p\<^sub>t"
+          then consider
+            (b\<^sub>1) "p' = ?p\<^sub>t"
+          | (b\<^sub>2) "strict_prefix ?p\<^sub>t p'"
+          | (b\<^sub>3) "\<not> prefix p' ?p\<^sub>t" and "\<not> prefix ?p\<^sub>t p'"
+            by fastforce
+          then show False
+          proof cases
+            case b\<^sub>1
+            with \<open>p' \<noteq> ?p\<^sub>t\<close> show ?thesis
+              by contradiction
+          next
+            case b\<^sub>2
+            with \<open>occurs_at t ?p\<^sub>t G\<close> and assms(3) show ?thesis
+              using loop_subform_impossibility by blast
+          next
+            case b\<^sub>3
+            from b obtain p'' where "p' = p @ p''" and "p'' \<in> positions (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))"
+              using is_replacement_at_new_positions and \<open>p' \<in> positions G\<close> and assms(2) by blast
+            moreover have "p'' \<noteq> replicate (length vs) \<guillemotleft>"
+              using \<open>p' = p @ p''\<close> and \<open>p' \<noteq> ?p\<^sub>t\<close> by blast
+            ultimately consider
+              (b\<^sub>3\<^sub>_\<^sub>1) "\<exists>F\<^sub>1 F\<^sub>2. F\<^sub>1 \<sqdot> F\<^sub>2 \<preceq>\<^bsub>p''\<^esub> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))"
+            | (b\<^sub>3\<^sub>_\<^sub>2) "\<exists>v \<in> lset vs. occurs_at v p'' (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))"
+              using prop_5239_aux_1 and b\<^sub>3(1,2) and is_replacement_at_occurs
+              and leftmost_subform_in_generalized_app_replacement
+              by (metis (no_types, opaque_lifting) length_map prefix_append)
+            then show ?thesis
+            proof cases
+              case b\<^sub>3\<^sub>_\<^sub>1
+              with assms(2) and \<open>p' = p @ p''\<close> have "\<exists>F\<^sub>1 F\<^sub>2. F\<^sub>1 \<sqdot> F\<^sub>2 \<preceq>\<^bsub>p'\<^esub> G"
+                using is_replacement_at_minimal_change(1) and is_subform_at_transitivity by meson
+              with \<open>occurs_at t p' G\<close> show ?thesis
+                using is_subform_at_uniqueness by fastforce
+            next
+              case b\<^sub>3\<^sub>_\<^sub>2
+              with assms(2) and \<open>p' = p @ p''\<close> have "\<exists>v \<in> lset vs. occurs_at v p' G"
+                unfolding occurs_at_def
+                using is_replacement_at_minimal_change(1) and is_subform_at_transitivity by meson
+              with assms(1,3) show ?thesis
+                using is_subform_at_uniqueness by fastforce
+            qed
+          qed
+        qed
+        with \<open>occurs_at t ?p\<^sub>t G\<close> and assms(3) show ?thesis
+          using loop_subform_impossibility by blast
+      qed
+    qed
+  qed
+qed
+
+private lemma prop_5239_aux_4:
+  assumes "t \<notin> lset vs \<union> vars {A, C}"
+  and "A \<preceq>\<^bsub>p\<^esub> C"
+  and "lset vs \<supseteq> capture_exposed_vars_at p C A"
+  and "C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs))\<rblot> \<rhd> G"
+  shows "is_free_for (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) t G"
+unfolding is_free_for_def proof (intro ballI impI)
+  let ?p\<^sub>t = "p @ replicate (length vs) \<guillemotleft>"
+  from assms(4) have "FVar t \<preceq>\<^bsub>?p\<^sub>t\<^esub> G"
+    using is_replacement_at_minimal_change(1) and is_subform_at_transitivity
+    and leftmost_subform_in_generalized_app by (metis length_map)
+  fix v' and p'
+  assume "v' \<in> free_vars (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A)" and "p' \<in> positions G" and "is_free_at t p' G"
+  have "v' \<notin> binders_at G ?p\<^sub>t"
+  proof -
+    have "free_vars (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) = free_vars A - lset vs"
+      by (fact free_vars_of_generalized_abs)
+    also from assms(2,3) have "\<dots> \<subseteq> free_vars A - (binders_at C p \<inter> free_vars A)"
+      using capture_exposed_vars_at_alt_def and is_subform_implies_in_positions by fastforce
+    also have "\<dots> = free_vars A - (binders_at G p \<inter> free_vars A)"
+      using assms(2,4) is_replacement_at_binders is_subform_implies_in_positions by blast
+    finally have "free_vars (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) \<subseteq> free_vars A - (binders_at G p \<inter> free_vars A)" .
+    moreover have "binders_at (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (FVar t) (map FVar vs)) (replicate (length vs) \<guillemotleft>) = {}"
+      by (induction vs rule: rev_induct) simp_all
+    with assms(4) have "binders_at G ?p\<^sub>t = binders_at G p"
+      using binders_at_concat and is_replacement_at_minimal_change(1) by blast
+    ultimately show ?thesis
+      using \<open>v' \<in> free_vars (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A)\<close> by blast
+  qed
+  moreover have "p' = ?p\<^sub>t"
+    by
+      (
+        fact prop_5239_aux_3
+          [OF assms(1,4) \<open>is_free_at t p' G\<close>[unfolded is_free_at_def, THEN conjunct1]]
+      )
+  ultimately show "\<not> in_scope_of_abs v' p' G"
+    using binders_at_alt_def[OF \<open>p' \<in> positions G\<close>] and in_scope_of_abs_alt_def by auto
+qed
+
+proposition prop_5239:
+  assumes "is_rule_R_app p D C (A =\<^bsub>\<alpha>\<^esub> B)"
+  and "lset vs =
+    {(x, \<beta>) | x \<beta> p' E. strict_prefix p' p \<and> \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> C \<and> (x, \<beta>) \<in> free_vars (A =\<^bsub>\<alpha>\<^esub> B)}"
+  shows "\<turnstile> \<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B) \<supset>\<^sup>\<Q> (C \<equiv>\<^sup>\<Q> D)"
+proof -
+  let ?\<gamma> = "foldr (\<rightarrow>) (map var_type vs) \<alpha>"
+  obtain t where "(t, ?\<gamma>) \<notin> lset vs \<union> vars {A,B,C,D}"
+    using fresh_var_existence and vars_form_set_finiteness
+    by (metis List.finite_set finite.simps finite_UnI)
+  from assms(1) have "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>" and "A \<preceq>\<^bsub>p\<^esub> C"
+    using wffs_from_equality[OF equality_wff] by simp_all
+  from assms(1) have "C \<in> wffs\<^bsub>o\<^esub>" and "D \<in> wffs\<^bsub>o\<^esub>"
+    using replacement_preserves_typing by fastforce+
+  have "\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> (map FVar vs) \<in> wffs\<^bsub>\<alpha>\<^esub>"
+    using generalized_app_wff[where As = "map FVar vs" and ts = "map var_type vs"]
+    by (metis eq_snd_iff length_map nth_map wffs_of_type_intros(1))
+  from assms(1) have "p \<in> positions C"
+    using is_subform_implies_in_positions by fastforce
+  then obtain G where "C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> (map FVar vs))\<rblot> \<rhd> G"
+    using is_replacement_at_existence by blast
+  with  \<open>A \<preceq>\<^bsub>p\<^esub> C\<close> and \<open>\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> (map FVar vs) \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> have "G \<in> wffs\<^bsub>o\<^esub>"
+    using \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> and \<open>C \<in> wffs\<^bsub>o\<^esub>\<close> and replacement_preserves_typing by blast
+  let ?\<theta> = "{(\<hh>, ?\<gamma>\<rightarrow>o) \<Zinj> \<lambda>t\<^bsub>?\<gamma>\<^esub>. G, (\<xx>, ?\<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A, (\<yy>, ?\<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B}"
+    and ?A = "(\<xx>\<^bsub>?\<gamma>\<^esub> =\<^bsub>?\<gamma>\<^esub> \<yy>\<^bsub>?\<gamma>\<^esub>) \<supset>\<^sup>\<Q> (\<hh>\<^bsub>?\<gamma>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>?\<gamma>\<^esub> \<equiv>\<^sup>\<Q> \<hh>\<^bsub>?\<gamma>\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>?\<gamma>\<^esub>)"
+  have "\<turnstile> ?A"
+    by (fact axiom_is_derivable_from_no_hyps[OF axiom_2])
+  moreover have "\<lambda>t\<^bsub>?\<gamma>\<^esub>. G \<in> wffs\<^bsub>?\<gamma>\<rightarrow>o\<^esub>" and "\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A \<in> wffs\<^bsub>?\<gamma>\<^esub>" and "\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B \<in> wffs\<^bsub>?\<gamma>\<^esub>"
+    by (blast intro: \<open>G \<in> wffs\<^bsub>o\<^esub>\<close> \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> \<open>B \<in> wffs\<^bsub>\<alpha>\<^esub>\<close>)+
+  then have "is_substitution ?\<theta>"
+    by simp
+  moreover have "
+    \<forall>v \<in> fmdom' ?\<theta>. var_name v \<notin> free_var_names ({}::form set) \<and> is_free_for (?\<theta> $$! v) v ?A"
+    by
+    (
+      (
+        code_simp, unfold atomize_conj[symmetric], simp,
+        use is_free_for_in_equality is_free_for_in_equivalence is_free_for_in_imp is_free_for_in_var
+        is_free_for_to_app in presburger
+      )+,
+      blast
+    )
+  moreover have "?\<theta> \<noteq> {$$}"
+    by simp
+  ultimately have "\<turnstile> \<^bold>S ?\<theta> ?A"
+    by (rule Sub)
+  moreover have "
+    \<^bold>S ?\<theta> ?A = (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A =\<^bsub>?\<gamma>\<^esub> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) \<supset>\<^sup>\<Q> ((\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) \<equiv>\<^sup>\<Q> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B))"
+    by simp
+  ultimately have "\<section>1": "
+    \<turnstile> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A =\<^bsub>?\<gamma>\<^esub> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) \<supset>\<^sup>\<Q> ((\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) \<equiv>\<^sup>\<Q> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B))"
+    by (simp only:)
+  then have "\<section>2": "\<turnstile> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B)) \<supset>\<^sup>\<Q> ((\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) \<equiv>\<^sup>\<Q> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B))"
+  proof (cases "vs = []")
+    case True
+    with "\<section>1" show ?thesis
+      by simp
+  next
+    case False
+    from "\<section>1" and prop_5238[OF False \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> \<open>B \<in> wffs\<^bsub>\<alpha>\<^esub>\<close>] show ?thesis
+      unfolding equivalence_def by (rule rule_R[where p = "[\<guillemotleft>,\<guillemotright>]"]) force+
+  qed
+  moreover have "\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) =\<^bsub>o\<^esub> C" and "\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) =\<^bsub>o\<^esub> D"
+  proof -
+    from assms(1) have "B \<preceq>\<^bsub>p\<^esub> D"
+      using is_replacement_at_minimal_change(1) by force
+    from assms(1) have "D\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> (map FVar vs))\<rblot> \<rhd> G"
+      using \<open>C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> (map FVar vs))\<rblot> \<rhd> G\<close> and replacement_override
+      by (meson is_rule_R_app_def)
+    from \<open>B \<preceq>\<^bsub>p\<^esub> D\<close> have "p \<in> positions D"
+      using is_subform_implies_in_positions by auto
+    from assms(1) have "binders_at D p = binders_at C p"
+      using is_replacement_at_binders by fastforce
+    then have "binders_at D p \<inter> free_vars B = binders_at C p \<inter> free_vars B"
+      by simp
+    with assms(2)
+      [
+        folded capture_exposed_vars_at_def,
+        unfolded capture_exposed_vars_at_alt_def[OF \<open>p \<in> positions C\<close>]
+      ] have "lset vs \<supseteq> capture_exposed_vars_at p D B"
+      unfolding capture_exposed_vars_at_alt_def[OF \<open>p \<in> positions D\<close>] by auto
+    have "is_free_for (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (t, ?\<gamma>) G" and "is_free_for (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (t, ?\<gamma>) G"
+    proof -
+      have "(t, ?\<gamma>) \<notin> lset vs \<union> vars {A, C}" and "(t, ?\<gamma>) \<notin> lset vs \<union> vars {B, D}"
+        using \<open>(t, ?\<gamma>) \<notin> lset vs \<union> vars {A, B, C, D}\<close> by simp_all
+      moreover from assms(2) have "
+        lset vs \<supseteq> capture_exposed_vars_at p C A" and "lset vs \<supseteq> capture_exposed_vars_at p D B"
+        by fastforce fact
+      ultimately show "is_free_for (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (t, ?\<gamma>) G" and "is_free_for (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (t, ?\<gamma>) G"
+        using prop_5239_aux_4 and \<open>B \<preceq>\<^bsub>p\<^esub> D\<close> and \<open>A \<preceq>\<^bsub>p\<^esub> C\<close> and \<open>C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> (map FVar vs))\<rblot> \<rhd> G\<close>
+        and \<open>D\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> (map FVar vs))\<rblot> \<rhd> G\<close> by meson+
+    qed
+    then have "\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) =\<^bsub>o\<^esub> \<^bold>S {(t, ?\<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A} G"
+      and "\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) =\<^bsub>o\<^esub> \<^bold>S {(t, ?\<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B} G"
+      using prop_5207[OF \<open>\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A \<in> wffs\<^bsub>?\<gamma>\<^esub>\<close> \<open>G \<in> wffs\<^bsub>o\<^esub>\<close>]
+      and prop_5207[OF \<open>\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B \<in> wffs\<^bsub>?\<gamma>\<^esub>\<close> \<open>G \<in> wffs\<^bsub>o\<^esub>\<close>] by auto
+    moreover obtain G'\<^sub>1 and G'\<^sub>2
+      where "C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs))\<rblot> \<rhd> G'\<^sub>1"
+      and "D\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs))\<rblot> \<rhd> G'\<^sub>2"
+      using is_replacement_at_existence[OF \<open>p \<in> positions C\<close>]
+      and is_replacement_at_existence[OF \<open>p \<in> positions D\<close>] by metis
+    then have "\<^bold>S {(t, ?\<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A} G = G'\<^sub>1" and "\<^bold>S {(t, ?\<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B} G = G'\<^sub>2"
+    proof -
+      have "(t, ?\<gamma>) \<notin> lset vs \<union> vars C" and "(t, ?\<gamma>) \<notin> lset vs \<union> vars D"
+        using \<open>(t, ?\<gamma>) \<notin> lset vs \<union> vars {A, B, C, D}\<close> by simp_all
+      then show "\<^bold>S {(t, ?\<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs A} G = G'\<^sub>1" and "\<^bold>S {(t, ?\<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B} G = G'\<^sub>2"
+        using \<open>C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> (map FVar vs))\<rblot> \<rhd> G\<close> and \<open>D\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> t\<^bsub>?\<gamma>\<^esub> map FVar vs)\<rblot> \<rhd> G\<close>
+        and \<open>C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs))\<rblot> \<rhd> G'\<^sub>1\<close>
+        and \<open>D\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs))\<rblot> \<rhd> G'\<^sub>2\<close> and prop_5239_aux_2 by blast+
+    qed
+    ultimately have "\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) =\<^bsub>o\<^esub> G'\<^sub>1" and "\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) =\<^bsub>o\<^esub> G'\<^sub>2"
+      by (simp_all only:)
+    moreover
+    have "\<turnstile> A =\<^bsub>\<alpha>\<^esub> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs))" and "\<turnstile> B =\<^bsub>\<alpha>\<^esub> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs))"
+    unfolding atomize_conj proof (cases "vs = []")
+      assume "vs = []"
+      show "\<turnstile> A =\<^bsub>\<alpha>\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs) \<and> \<turnstile> B =\<^bsub>\<alpha>\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs)"
+        unfolding \<open>vs = []\<close> using prop_5200 and \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> and \<open>B \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> by simp
+    next
+      assume "vs \<noteq> []"
+      show "\<turnstile> A =\<^bsub>\<alpha>\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs) \<and> \<turnstile> B =\<^bsub>\<alpha>\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs)"
+        using Equality_Rules(2)[OF prop_5208[OF \<open>vs \<noteq> []\<close>]] and \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> and \<open>B \<in> wffs\<^bsub>\<alpha>\<^esub>\<close>
+        by blast+
+    qed
+    with
+      \<open>C\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) (map FVar vs))\<rblot> \<rhd> G'\<^sub>1\<close>
+    and
+      \<open>D\<lblot>p \<leftarrow> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs))\<rblot> \<rhd> G'\<^sub>2\<close>
+    have "\<turnstile> G'\<^sub>1 =\<^bsub>o\<^esub> C" and "\<turnstile> G'\<^sub>2 =\<^bsub>o\<^esub> D"
+      using Equality_Rules(2)[OF replacement_derivability] and \<open>C \<in> wffs\<^bsub>o\<^esub>\<close> and \<open>D \<in> wffs\<^bsub>o\<^esub>\<close>
+      and \<open>A \<preceq>\<^bsub>p\<^esub> C\<close> and \<open>B \<preceq>\<^bsub>p\<^esub> D\<close> by blast+
+    ultimately show "\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) =\<^bsub>o\<^esub> C" and "\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) =\<^bsub>o\<^esub> D"
+      using Equality_Rules(3) by blast+
+  qed
+  ultimately show ?thesis
+  proof -
+    from "\<section>2" and \<open>\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) =\<^bsub>o\<^esub> C\<close> have "
+      \<turnstile> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B)) \<supset>\<^sup>\<Q> (C \<equiv>\<^sup>\<Q> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B))"
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotleft>,\<guillemotright>]"]) force+
+    from this and \<open>\<turnstile> (\<lambda>t\<^bsub>?\<gamma>\<^esub>. G) \<sqdot> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) =\<^bsub>o\<^esub> D\<close> show ?thesis
+      by (rule rule_R[where p = "[\<guillemotright>,\<guillemotright>]"]) force+
+  qed
+qed
+
+end
+
+subsection \<open>Theorem 5240 (Deduction Theorem)\<close>
+
+lemma pseudo_rule_R_is_tautologous:
+  assumes "C \<in> wffs\<^bsub>o\<^esub>" and "D \<in> wffs\<^bsub>o\<^esub>" and "E \<in> wffs\<^bsub>o\<^esub>" and "H \<in> wffs\<^bsub>o\<^esub>"
+  shows "is_tautologous (((H \<supset>\<^sup>\<Q> C) \<supset>\<^sup>\<Q> ((H \<supset>\<^sup>\<Q> E) \<supset>\<^sup>\<Q> ((E \<supset>\<^sup>\<Q> (C \<equiv>\<^sup>\<Q> D)) \<supset>\<^sup>\<Q> (H \<supset>\<^sup>\<Q> D)))))"
+proof -
+  let ?\<theta> = "{(\<xx>, o) \<Zinj> C, (\<yy>, o) \<Zinj> D, (\<zz>, o) \<Zinj> E, (\<hh>, o) \<Zinj> H}"
+  have "
+    is_tautology
+      (((\<hh>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> ((\<hh>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<zz>\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> ((\<zz>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<supset>\<^sup>\<Q> (\<hh>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)))))"
+    using \<V>\<^sub>B_simps by simp
+  moreover have "is_substitution ?\<theta>"
+    using assms by auto
+  moreover have "\<forall>(x, \<alpha>) \<in> fmdom' ?\<theta>. \<alpha> = o"
+    by simp
+  moreover have "
+    ((H \<supset>\<^sup>\<Q> C) \<supset>\<^sup>\<Q> ((H \<supset>\<^sup>\<Q> E) \<supset>\<^sup>\<Q> ((E \<supset>\<^sup>\<Q> (C \<equiv>\<^sup>\<Q> D)) \<supset>\<^sup>\<Q> (H \<supset>\<^sup>\<Q> D))))
+    =
+    \<^bold>S ?\<theta> (((\<hh>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> ((\<hh>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<zz>\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> ((\<zz>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<supset>\<^sup>\<Q> (\<hh>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)))))"
+    by simp
+  ultimately show ?thesis
+    by blast
+qed
+
+syntax
+  "_HypDer" :: "form \<Rightarrow> form set \<Rightarrow> form \<Rightarrow> bool" ("_,_ \<turnstile> _" [50, 50, 50] 50)
+translations
+  "\<H>, H \<turnstile> P" \<rightharpoonup> "\<H> \<union> {H} \<turnstile> P"
+
+theorem thm_5240:
+  assumes "finite \<H>"
+  and "\<H>, H \<turnstile> P"
+  shows "\<H> \<turnstile> H \<supset>\<^sup>\<Q> P"
+proof -
+  from \<open>\<H>, H \<turnstile> P\<close> obtain \<S>\<^sub>1 and \<S>\<^sub>2 where *: "is_hyp_proof_of (\<H> \<union> {H}) \<S>\<^sub>1 \<S>\<^sub>2 P"
+    using hyp_derivability_implies_hyp_proof_existence by blast
+  have "\<H> \<turnstile> H \<supset>\<^sup>\<Q> (\<S>\<^sub>2 ! i')" if "i' <length \<S>\<^sub>2" for i'
+  using that proof (induction i' rule: less_induct)
+    case (less i')
+    let ?R = "\<S>\<^sub>2 ! i'"
+    from less.prems(1) and * have "is_hyps \<H>"
+      by fastforce
+    from less.prems and * have "?R \<in> wffs\<^bsub>o\<^esub>"
+      using elem_of_proof_is_wffo[simplified] by auto
+    from less.prems and * have "is_hyp_proof_step (\<H> \<union> {H}) \<S>\<^sub>1 \<S>\<^sub>2 i'"
+      by simp
+    then consider
+      (hyp) "?R \<in> \<H> \<union> {H}"
+    | (seq) "?R \<in> lset \<S>\<^sub>1"
+    | (rule_R') "\<exists>j k p. {j, k} \<subseteq> {0..<i'} \<and> is_rule_R'_app (\<H> \<union> {H}) p ?R (\<S>\<^sub>2 ! j) (\<S>\<^sub>2 ! k)"
+      by force
+    then show ?case
+    proof cases
+      case hyp
+      then show ?thesis
+      proof (cases "?R = H")
+        case True
+        with \<open>?R \<in> wffs\<^bsub>o\<^esub>\<close> have "is_tautologous (H \<supset>\<^sup>\<Q> ?R)"
+          using implication_reflexivity_is_tautologous by (simp only:)
+        with \<open>is_hyps \<H>\<close> show ?thesis
+          by (rule rule_P(2))
+      next
+        case False
+        with hyp have "?R \<in> \<H>"
+          by blast
+        with \<open>is_hyps \<H>\<close> have "\<H> \<turnstile> ?R"
+          by (intro dv_hyp)
+        moreover from less.prems(1) and * have "is_tautologous (?R \<supset>\<^sup>\<Q> (H \<supset>\<^sup>\<Q> ?R))"
+          using principle_of_simplification_is_tautologous[OF \<open>?R \<in> wffs\<^bsub>o\<^esub>\<close>] by force
+        moreover from \<open>?R \<in> wffs\<^bsub>o\<^esub>\<close> have "is_hyps {?R}"
+          by simp
+        ultimately show ?thesis
+          using rule_P(1)[where \<G> = "{?R}" and hs = "[?R]", OF \<open>is_hyps \<H>\<close>] by simp
+      qed
+    next
+      case seq
+      then have "\<S>\<^sub>1 \<noteq> []"
+        by force
+      moreover from less.prems(1) and * have "is_proof \<S>\<^sub>1"
+        by fastforce
+      moreover from seq obtain i'' where "i'' < length \<S>\<^sub>1" and "?R = \<S>\<^sub>1 ! i''"
+        by (metis in_set_conv_nth)
+      ultimately have "is_theorem ?R"
+        using proof_form_is_theorem by fastforce
+      with \<open>is_hyps \<H>\<close> have "\<H> \<turnstile> ?R"
+        by (intro dv_thm)
+      moreover from \<open>?R \<in> wffs\<^bsub>o\<^esub>\<close> and less.prems(1) and * have "is_tautologous (?R \<supset>\<^sup>\<Q> (H \<supset>\<^sup>\<Q> ?R))"
+        using principle_of_simplification_is_tautologous by force
+      moreover from \<open>?R \<in> wffs\<^bsub>o\<^esub>\<close> have "is_hyps {?R}"
+        by simp
+      ultimately show ?thesis
+        using rule_P(1)[where \<G> = "{?R}" and hs = "[?R]", OF \<open>is_hyps \<H>\<close>] by simp
+    next
+      case rule_R'
+      then obtain j and k and p
+        where "{j, k} \<subseteq> {0..<i'}" and rule_R'_app: "is_rule_R'_app (\<H> \<union> {H}) p ?R (\<S>\<^sub>2 ! j) (\<S>\<^sub>2 ! k)"
+        by auto
+      then obtain A and B and C and \<alpha> where "C = \<S>\<^sub>2 ! j" and "\<S>\<^sub>2 ! k = A =\<^bsub>\<alpha>\<^esub> B"
+        by fastforce
+      with \<open>{j, k} \<subseteq> {0..<i'}\<close> have "\<H> \<turnstile> H \<supset>\<^sup>\<Q> C" and "\<H> \<turnstile> H \<supset>\<^sup>\<Q> (A =\<^bsub>\<alpha>\<^esub> B)"
+        using less.IH and less.prems(1) by (simp, force)
+      define S where "S \<equiv>
+        {(x, \<beta>) | x \<beta> p' E. strict_prefix p' p \<and> \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> C \<and> (x, \<beta>) \<in> free_vars (A =\<^bsub>\<alpha>\<^esub> B)}"
+      with \<open>C = \<S>\<^sub>2 ! j\<close> and \<open>\<S>\<^sub>2 ! k = A =\<^bsub>\<alpha>\<^esub> B\<close> have "\<forall>v \<in> S. v \<notin> free_vars (\<H> \<union> {H})"
+        using rule_R'_app by fastforce
+      moreover have "S \<subseteq> free_vars (A =\<^bsub>\<alpha>\<^esub> B)"
+        unfolding S_def by blast
+      then have "finite S"
+        by (fact rev_finite_subset[OF free_vars_form_finiteness])
+      then obtain vs where "lset vs = S"
+        using finite_list by blast
+      ultimately have "\<H> \<turnstile> H \<supset>\<^sup>\<Q> \<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B)"
+        using generalized_prop_5237[OF \<open>is_hyps \<H>\<close> \<open>\<H> \<turnstile> H \<supset>\<^sup>\<Q> (A =\<^bsub>\<alpha>\<^esub> B)\<close>] by simp
+      moreover have rule_R_app: "is_rule_R_app p ?R (\<S>\<^sub>2 ! j) (\<S>\<^sub>2 ! k)"
+        using rule_R'_app by fastforce
+      with S_def and \<open>lset vs = S\<close> have "\<turnstile> \<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B) \<supset>\<^sup>\<Q> (C \<equiv>\<^sup>\<Q> ?R)"
+        unfolding \<open>C = \<S>\<^sub>2 ! j\<close> and \<open>\<S>\<^sub>2 ! k = A =\<^bsub>\<alpha>\<^esub> B\<close> using prop_5239 by (simp only:)
+      with \<open>is_hyps \<H>\<close> have "\<H> \<turnstile> \<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B) \<supset>\<^sup>\<Q> (C \<equiv>\<^sup>\<Q> ?R)"
+        by (elim derivability_implies_hyp_derivability)
+      ultimately show ?thesis
+      proof -
+        let ?A\<^sub>1 = "H \<supset>\<^sup>\<Q> C" and ?A\<^sub>2 = "H \<supset>\<^sup>\<Q> \<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B)"
+          and ?A\<^sub>3 = "\<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B) \<supset>\<^sup>\<Q> (C \<equiv>\<^sup>\<Q> ?R)"
+        let ?hs = "[?A\<^sub>1, ?A\<^sub>2, ?A\<^sub>3]"
+        let ?\<G> = "lset ?hs"
+        from \<open>\<H> \<turnstile> ?A\<^sub>1\<close> have "H \<in> wffs\<^bsub>o\<^esub>"
+          using hyp_derivable_form_is_wffso by (blast dest: wffs_from_imp_op(1))
+        moreover from \<open>\<H> \<turnstile> ?A\<^sub>2\<close> have "\<forall>\<^sup>\<Q>\<^sub>\<star> vs (A =\<^bsub>\<alpha>\<^esub> B) \<in> wffs\<^bsub>o\<^esub>"
+          using hyp_derivable_form_is_wffso by (blast dest: wffs_from_imp_op(2))
+        moreover from \<open>C = \<S>\<^sub>2 ! j\<close> and rule_R_app have "C \<in> wffs\<^bsub>o\<^esub>"
+          using replacement_preserves_typing by fastforce
+        ultimately have *: "is_tautologous (?A\<^sub>1 \<supset>\<^sup>\<Q> (?A\<^sub>2 \<supset>\<^sup>\<Q> (?A\<^sub>3 \<supset>\<^sup>\<Q> (H \<supset>\<^sup>\<Q> ?R))))"
+          using \<open>?R \<in> wffs\<^bsub>o\<^esub>\<close> by (intro pseudo_rule_R_is_tautologous)
+        moreover from \<open>\<H> \<turnstile> ?A\<^sub>1\<close> and \<open>\<H> \<turnstile> ?A\<^sub>2\<close> and \<open>\<H> \<turnstile> ?A\<^sub>3\<close> have "is_hyps ?\<G>"
+          using hyp_derivable_form_is_wffso by simp
+        moreover from \<open>\<H> \<turnstile> ?A\<^sub>1\<close> and \<open>\<H> \<turnstile> ?A\<^sub>2\<close> and \<open>\<H> \<turnstile> ?A\<^sub>3\<close> have "\<forall>A \<in> ?\<G>. \<H> \<turnstile> A"
+          by force
+        ultimately show ?thesis
+          using rule_P(1)[where \<G> = ?\<G> and hs = ?hs and B = "H \<supset>\<^sup>\<Q> ?R", OF \<open>is_hyps \<H>\<close>] by simp
+      qed
+    qed
+  qed
+  moreover from \<open>is_hyp_proof_of (\<H> \<union> {H}) \<S>\<^sub>1 \<S>\<^sub>2 P\<close> have "\<S>\<^sub>2 ! (length \<S>\<^sub>2 - 1) = P"
+    using last_conv_nth by fastforce
+  ultimately show ?thesis
+    using \<open>is_hyp_proof_of (\<H> \<union> {H}) \<S>\<^sub>1 \<S>\<^sub>2 P\<close> by force
+qed
+
+lemmas Deduction_Theorem = thm_5240 (* synonym *)
+
+text \<open>
+  We prove a generalization of the Deduction Theorem, namely that if \<open>\<H> \<union> {H\<^sub>1, \<dots> ,H\<^sub>n} \<turnstile> P\<close> then
+  \<open>\<H> \<turnstile> H\<^sub>1 \<supset>\<^sup>\<Q> (\<cdots> \<supset>\<^sup>\<Q> (H\<^sub>n \<supset>\<^sup>\<Q> P) \<cdots>)\<close>:
+\<close>
+
+corollary generalized_deduction_theorem:
+  assumes "finite \<H>" and "finite \<H>'"
+  and "\<H> \<union> \<H>' \<turnstile> P"
+  and "lset hs = \<H>'"
+  shows "\<H> \<turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> P"
+using assms proof (induction hs arbitrary: \<H>' P rule: rev_induct)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (snoc H hs)
+  from \<open>lset (hs @ [H]) = \<H>'\<close> have "H \<in> \<H>'"
+    by fastforce
+  from \<open>lset (hs @ [H]) = \<H>'\<close> obtain \<H>'' where "\<H>'' \<union> {H} = \<H>'" and "\<H>'' = lset hs"
+    by simp
+  from \<open>\<H>'' \<union> {H} = \<H>'\<close> and \<open>\<H> \<union> \<H>' \<turnstile> P\<close> have "\<H> \<union> \<H>'' \<union> {H} \<turnstile> P"
+    by fastforce
+  with \<open>finite \<H>\<close> and \<open>finite \<H>'\<close> and \<open>\<H>'' = lset hs\<close> have "\<H> \<union> \<H>'' \<turnstile> H \<supset>\<^sup>\<Q> P"
+    using Deduction_Theorem by simp
+  with \<open>\<H>'' = lset hs\<close> and \<open>finite \<H>\<close> have "\<H> \<turnstile> foldr (\<supset>\<^sup>\<Q>) hs (H \<supset>\<^sup>\<Q> P)"
+    using snoc.IH by fastforce
+  moreover have "(hs @ [H]) \<supset>\<^sup>\<Q>\<^sub>\<star> P = hs \<supset>\<^sup>\<Q>\<^sub>\<star> (H \<supset>\<^sup>\<Q> P)"
+    by simp
+  ultimately show ?case
+    by auto
+qed
+
+subsection \<open>Proposition 5241\<close>
+
+proposition prop_5241:
+  assumes "is_hyps \<G>"
+  and "\<H> \<turnstile> A" and "\<H> \<subseteq> \<G>"
+  shows "\<G> \<turnstile> A"
+proof (cases "\<H> = {}")
+  case True
+  show ?thesis
+    by (fact derivability_implies_hyp_derivability[OF assms(2)[unfolded True] assms(1)])
+next
+  case False
+  then obtain hs where "lset hs = \<H>" and "hs \<noteq> []"
+    using hyp_derivability_implies_hyp_proof_existence[OF assms(2)] unfolding is_hyp_proof_of_def
+    by (metis empty_set finite_list)
+  with assms(2) have "\<turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> A"
+    using generalized_deduction_theorem by force
+  moreover from \<open>lset hs = \<H>\<close> and assms(1,3) have "\<G> \<turnstile> H" if "H \<in> lset hs" for H
+    using that by (blast intro: dv_hyp)
+  ultimately show ?thesis
+    using assms(1) and generalized_modus_ponens and derivability_implies_hyp_derivability by meson
+qed
+
+subsection \<open>Proposition 5242 (Rule of Existential Generalization)\<close>
+
+proposition prop_5242:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  and "\<H> \<turnstile> \<^bold>S {(x, \<alpha>) \<Zinj> A} B"
+  and "is_free_for A (x, \<alpha>) B"
+  shows "\<H> \<turnstile> \<exists>x\<^bsub>\<alpha>\<^esub>. B"
+proof -
+  from assms(3) have "is_hyps \<H>"
+    by (blast dest: is_derivable_from_hyps.cases)
+  then have "\<H> \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. \<sim>\<^sup>\<Q> B \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<^bold>S {(x, \<alpha>) \<Zinj> A} B" (is \<open>\<H> \<turnstile> ?C \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> ?D\<close>)
+    using prop_5226[OF assms(1) neg_wff[OF assms(2)] is_free_for_in_neg[OF assms(4)]]
+    unfolding derived_substitution_simps(4) using derivability_implies_hyp_derivability by (simp only:)
+  moreover have *: "is_tautologous ((?C \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> ?D) \<supset>\<^sup>\<Q> (?D \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> ?C))"
+  proof -
+    have "?C \<in> wffs\<^bsub>o\<^esub>" and "?D \<in> wffs\<^bsub>o\<^esub>"
+      using assms(2) and hyp_derivable_form_is_wffso[OF assms(3)] by auto
+    then show ?thesis
+      by (fact pseudo_modus_tollens_is_tautologous)
+  qed
+  moreover from assms(3) and \<open>\<H> \<turnstile> ?C \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> ?D\<close> have "is_hyps {?C \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> ?D, ?D}"
+    using hyp_derivable_form_is_wffso by force
+  ultimately show ?thesis
+    unfolding exists_def using assms(3)
+    and rule_P(1)
+      [
+        where \<G> = "{?C \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> ?D, ?D}" and hs = "[?C \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> ?D, ?D]" and B = "\<sim>\<^sup>\<Q> ?C",
+        OF \<open>is_hyps \<H>\<close>
+      ]
+    by simp
+qed
+
+lemmas "\<exists>Gen" = prop_5242 (* synonym *)
+
+subsection \<open>Proposition 5243 (Comprehension Theorem)\<close>
+
+context
+begin
+
+private lemma prop_5243_aux:
+  assumes "\<sqdot>\<^sup>\<Q>\<^sub>\<star> B (map FVar vs) \<in> wffs\<^bsub>\<gamma>\<^esub>"
+  and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "k < length vs"
+  shows "\<beta> \<noteq> var_type (vs ! k)"
+proof -
+  from assms(1) obtain ts
+    where "length ts = length (map FVar vs)"
+    and *: "\<forall>k < length (map FVar vs). (map FVar vs) ! k \<in> wffs\<^bsub>ts ! k\<^esub>"
+    and "B \<in> wffs\<^bsub>foldr (\<rightarrow>) ts \<gamma>\<^esub>"
+    using wffs_from_generalized_app by force
+  have "\<beta> = foldr (\<rightarrow>) ts \<gamma>"
+    by (fact wff_has_unique_type[OF assms(2) \<open>B \<in> wffs\<^bsub>foldr (\<rightarrow>) ts \<gamma>\<^esub>\<close>])
+  have "ts = map var_type vs"
+  proof -
+    have "length ts = length (map var_type vs)"
+      by (simp add: \<open>length ts = length (map FVar vs)\<close>)
+    moreover have "\<forall>k < length ts. ts ! k = (map var_type vs) ! k"
+    proof (intro allI impI)
+      fix k
+      assume "k < length ts"
+      with * have "(map FVar vs) ! k \<in> wffs\<^bsub>ts ! k\<^esub>"
+        by (simp add: \<open>length ts = length (map FVar vs)\<close>)
+      with \<open>k < length ts\<close> and \<open>length ts = length (map var_type vs)\<close>
+      show "ts ! k = (map var_type vs) ! k"
+        using surj_pair[of "vs ! k"] and wff_has_unique_type and wffs_of_type_intros(1) by force
+    qed
+    ultimately show ?thesis
+      using list_eq_iff_nth_eq by blast
+  qed
+  with \<open>\<beta> = foldr (\<rightarrow>) ts \<gamma>\<close> and assms(3) show ?thesis
+    using fun_type_atoms_neq_fun_type by (metis length_map nth_map)
+qed
+
+proposition prop_5243:
+  assumes "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "\<gamma> = foldr (\<rightarrow>) (map var_type vs) \<beta>"
+  and "(u, \<gamma>) \<notin> free_vars B"
+  shows "\<turnstile> \<exists>u\<^bsub>\<gamma>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs ((\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs)) =\<^bsub>\<beta>\<^esub> B)"
+proof (cases "vs = []")
+  case True
+  with assms(2) have "\<gamma> = \<beta>"
+    by simp
+  from assms(1) have "u\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> B \<in> wffs\<^bsub>o\<^esub>"
+    by blast
+  moreover have "\<turnstile> B =\<^bsub>\<beta>\<^esub> B"
+    by (fact prop_5200[OF assms(1)])
+  then have "\<turnstile> \<^bold>S {(u, \<beta>) \<Zinj> B} (u\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> B)"
+    using free_var_singleton_substitution_neutrality[OF assms(3)] unfolding \<open>\<gamma> = \<beta>\<close> by simp
+  moreover from assms(3)[unfolded \<open>\<gamma> = \<beta>\<close>] have "is_free_for B (u, \<beta>) (u\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> B)"
+    by (intro is_free_for_in_equality) (use is_free_at_in_free_vars in auto)
+  ultimately have "\<turnstile> \<exists>u\<^bsub>\<beta>\<^esub>. (u\<^bsub>\<beta>\<^esub> =\<^bsub>\<beta>\<^esub> B)"
+    by (rule "\<exists>Gen"[OF assms(1)])
+  with \<open>\<gamma> = \<beta>\<close> and True show ?thesis
+    by simp
+next
+  case False
+  let ?\<theta> = "{(u, \<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B}"
+  from assms(2) have *: "(u, \<gamma>) \<noteq> v" if "v \<in> lset vs" for v
+    using that and fun_type_atoms_neq_fun_type by (metis in_set_conv_nth length_map nth_map snd_conv)
+  from False and assms(1) have "\<turnstile> \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs) =\<^bsub>\<beta>\<^esub> B"
+    by (fact prop_5208)
+  then have "\<turnstile> \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs) =\<^bsub>\<beta>\<^esub> B)"
+    using generalized_Gen by simp
+  moreover
+  have "\<^bold>S ?\<theta> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs ((\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs)) =\<^bsub>\<beta>\<^esub> B)) = \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs) =\<^bsub>\<beta>\<^esub> B)"
+  proof -
+    from * have **: "map (\<lambda>A. \<^bold>S {(u, \<gamma>) \<Zinj> B} A) (map FVar vs) = map FVar vs" for B
+      by (induction vs) fastforce+
+    from * have "
+      \<^bold>S ?\<theta> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs ((\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs)) =\<^bsub>\<beta>\<^esub> B)) = \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<^bold>S ?\<theta> ((\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs)) =\<^bsub>\<beta>\<^esub> B))"
+      using generalized_forall_substitution by force
+    also have "\<dots> = \<forall>\<^sup>\<Q>\<^sub>\<star> vs ((\<^bold>S ?\<theta> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs))) =\<^bsub>\<beta>\<^esub> \<^bold>S {(u, \<gamma>) \<Zinj> \<lambda>\<^sup>\<Q>\<^sub>\<star> vs B} B)"
+      by simp
+    also from assms(3) have "\<dots> = \<forall>\<^sup>\<Q>\<^sub>\<star> vs ((\<^bold>S ?\<theta> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs))) =\<^bsub>\<beta>\<^esub> B)"
+      using free_var_singleton_substitution_neutrality by simp
+    also have "\<dots> = \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> \<^bold>S ?\<theta> (u\<^bsub>\<gamma>\<^esub>) (map (\<lambda>A. \<^bold>S ?\<theta> A) (map FVar vs)) =\<^bsub>\<beta>\<^esub> B)"
+      using generalized_app_substitution by simp
+    also have "\<dots> = \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map (\<lambda>A. \<^bold>S ?\<theta> A) (map FVar vs)) =\<^bsub>\<beta>\<^esub> B)"
+      by simp
+    also from ** have "\<dots> = \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (map FVar vs) =\<^bsub>\<beta>\<^esub> B)"
+      by presburger
+    finally show ?thesis .
+  qed
+  ultimately have "\<turnstile> \<^bold>S ?\<theta> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs) =\<^bsub>\<beta>\<^esub> B))"
+    by simp
+  moreover from assms(3) have "is_free_for (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) (u, \<gamma>) (\<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs) =\<^bsub>\<beta>\<^esub> B))"
+    by
+      (intro is_free_for_in_generalized_forall is_free_for_in_equality is_free_for_in_generalized_app)
+      (use free_vars_of_generalized_abs is_free_at_in_free_vars in \<open>fastforce+\<close>)
+  moreover have "\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B \<in> wffs\<^bsub>\<gamma>\<^esub>" and "\<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs) =\<^bsub>\<beta>\<^esub> B) \<in> wffs\<^bsub>o\<^esub>"
+  proof -
+    have "FVar (vs ! k) \<in> wffs\<^bsub>var_type (vs ! k)\<^esub>" if "k < length vs" for k
+      using that and surj_pair[of "vs ! k"] by fastforce
+    with assms(2) have "\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs) \<in> wffs\<^bsub>\<beta>\<^esub>"
+      using generalized_app_wff[where ts = "map var_type vs"] by force
+    with assms(1) show "\<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<sqdot>\<^sup>\<Q>\<^sub>\<star> u\<^bsub>\<gamma>\<^esub> (map FVar vs) =\<^bsub>\<beta>\<^esub> B) \<in> wffs\<^bsub>o\<^esub>"
+      by (auto simp only:)
+  qed (use assms(1,2) in blast)
+  ultimately show ?thesis
+    using "\<exists>Gen" by (simp only:)
+qed
+
+end
+
+subsection \<open>Proposition 5244 (Existential Rule)\<close>
+
+text \<open>
+  The proof in @{cite "andrews:2002"} uses the pseudo-rule Q and 2123 of \<open>\<F>\<close>. Therefore, we instead
+  base our proof on the proof of Theorem 170 in @{cite "andrews:1965"}:
+\<close>
+
+lemma prop_5244_aux:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  and "(x, \<alpha>) \<notin> free_vars A"
+  shows "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A) \<supset>\<^sup>\<Q> (\<exists>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> A)"
+proof -
+  have "B \<supset>\<^sup>\<Q> A \<in> wffs\<^bsub>o\<^esub>"
+    using assms by blast
+  moreover have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) (B \<supset>\<^sup>\<Q> A)"
+    by simp
+  ultimately have "\<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A) \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> A)"
+    using prop_5226[where A = "x\<^bsub>\<alpha>\<^esub>" and B = "B \<supset>\<^sup>\<Q> A", OF wffs_of_type_intros(1)]
+    and identity_singleton_substitution_neutrality by metis
+  moreover have "is_hyps {\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)}"
+    using \<open>B \<supset>\<^sup>\<Q> A \<in> wffs\<^bsub>o\<^esub>\<close> by blast
+  ultimately have "\<section>1": "{\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)} \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A) \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> A)"
+    by (fact derivability_implies_hyp_derivability)
+  have "\<section>2": "{\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)} \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)"
+    using \<open>B \<supset>\<^sup>\<Q> A \<in> wffs\<^bsub>o\<^esub>\<close> by (blast intro: dv_hyp)
+  have "\<section>3": "{\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)} \<turnstile> \<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> B"
+  proof (intro rule_P(1)
+    [where \<H> = "{\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)}" and \<G> = "{\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A) \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> A), \<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)}"])
+    have "is_tautologous ([C \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> A), C] \<supset>\<^sup>\<Q>\<^sub>\<star> (\<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> B))" if "C \<in> wffs\<^bsub>o\<^esub>" for C
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> A, (\<yy>, o) \<Zinj> B, (\<zz>, o) \<Zinj> C}"
+      have "is_tautology ((\<zz>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (\<yy>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>)) \<supset>\<^sup>\<Q> (\<zz>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)))"
+        (is "is_tautology ?A")
+        using \<V>\<^sub>B_simps by (auto simp add: inj_eq)
+      moreover have "is_pwff_substitution ?\<theta>"
+        using assms(1,2) and that by auto
+      moreover have "[C \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> A), C] \<supset>\<^sup>\<Q>\<^sub>\<star> (\<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> B) = \<^bold>S ?\<theta> ?A"
+        by simp
+      ultimately show ?thesis
+        by blast
+    qed
+    then show "is_tautologous ([\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A) \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> A), \<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)] \<supset>\<^sup>\<Q>\<^sub>\<star> (\<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> B))"
+      using \<open>B \<supset>\<^sup>\<Q> A \<in> wffs\<^bsub>o\<^esub>\<close> and forall_wff by simp
+  qed (use "\<section>1" "\<section>2" \<open>is_hyps {\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)}\<close> hyp_derivable_form_is_wffso[OF "\<section>1"] in force)+
+  have "\<section>4": "{\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)} \<turnstile> \<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. \<sim>\<^sup>\<Q> B"
+    using prop_5237[OF \<open>is_hyps {\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)}\<close> "\<section>3"] and assms(3) by auto
+  have "\<section>5": "{\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)} \<turnstile> \<exists>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> A"
+  unfolding exists_def
+  proof (intro rule_P(1)[where \<H> = "{\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)}" and \<G> = "{\<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. \<sim>\<^sup>\<Q> B}"])
+    have "is_tautologous ([\<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> C] \<supset>\<^sup>\<Q>\<^sub>\<star> (\<sim>\<^sup>\<Q> C \<supset>\<^sup>\<Q> A))" if "C \<in> wffs\<^bsub>o\<^esub>" for C
+    proof -
+      let ?\<theta> = "{(\<xx>, o) \<Zinj> A, (\<yy>, o) \<Zinj> C}"
+      have "is_tautology ((\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>))" (is "is_tautology ?A")
+        using \<V>\<^sub>B_simps by (auto simp add: inj_eq)
+      moreover have "is_pwff_substitution ?\<theta>"
+        using assms(1) and that by auto
+      moreover have "[\<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> C] \<supset>\<^sup>\<Q>\<^sub>\<star> (\<sim>\<^sup>\<Q> C \<supset>\<^sup>\<Q> A) = \<^bold>S ?\<theta> ?A"
+        by simp
+      ultimately show ?thesis
+        by blast
+    qed
+    then show "is_tautologous ([\<sim>\<^sup>\<Q> A \<supset>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. \<sim>\<^sup>\<Q> B] \<supset>\<^sup>\<Q>\<^sub>\<star> (\<sim>\<^sup>\<Q> \<forall>x\<^bsub>\<alpha>\<^esub>. \<sim>\<^sup>\<Q> B \<supset>\<^sup>\<Q> A))"
+      using forall_wff[OF neg_wff[OF assms(2)]] by (simp only:)
+  qed (use "\<section>4" \<open>is_hyps {\<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)}\<close> hyp_derivable_form_is_wffso[OF "\<section>4"] in force)+
+  then show ?thesis
+    using Deduction_Theorem by simp
+qed
+
+proposition prop_5244:
+  assumes "\<H>, B \<turnstile> A"
+  and "(x, \<alpha>) \<notin> free_vars (\<H> \<union> {A})"
+  shows "\<H>, \<exists>x\<^bsub>\<alpha>\<^esub>. B \<turnstile> A"
+proof -
+  from assms(1) have "is_hyps \<H>"
+    using hyp_derivability_implies_hyp_proof_existence by force
+  then have "\<H> \<turnstile> B \<supset>\<^sup>\<Q> A"
+    using assms(1) and Deduction_Theorem by simp
+  then have "\<H> \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A)"
+    using Gen and assms(2) by simp
+  moreover have "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+    by
+    (
+      fact hyp_derivable_form_is_wffso[OF assms(1)],
+      fact hyp_derivable_form_is_wffso[OF \<open>\<H> \<turnstile> B \<supset>\<^sup>\<Q> A\<close>, THEN wffs_from_imp_op(1)]
+    )
+  with assms(2) and \<open>is_hyps \<H>\<close> have "\<H> \<turnstile> \<forall>x\<^bsub>\<alpha>\<^esub>. (B \<supset>\<^sup>\<Q> A) \<supset>\<^sup>\<Q> (\<exists>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> A)"
+    using prop_5244_aux[THEN derivability_implies_hyp_derivability] by simp
+  ultimately have "\<H> \<turnstile> \<exists>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> A"
+    by (rule MP)
+  then have "\<H>, \<exists>x\<^bsub>\<alpha>\<^esub>. B \<turnstile> \<exists>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> A"
+    using prop_5241 and exists_wff[OF \<open>B \<in> wffs\<^bsub>o\<^esub>\<close>] and \<open>is_hyps \<H>\<close>
+    by (meson Un_subset_iff empty_subsetI finite.simps finite_Un inf_sup_ord(3) insert_subsetI)
+  moreover from \<open>is_hyps \<H>\<close> and \<open>B \<in> wffs\<^bsub>o\<^esub>\<close> have "is_hyps (\<H> \<union> {\<exists>x\<^bsub>\<alpha>\<^esub>. B})"
+    by auto
+  then have "\<H>, \<exists>x\<^bsub>\<alpha>\<^esub>. B \<turnstile> \<exists>x\<^bsub>\<alpha>\<^esub>. B"
+    using dv_hyp by simp
+  ultimately show ?thesis
+    using MP by blast
+qed
+
+lemmas "\<exists>_Rule" = prop_5244 (* synonym *)
+
+subsection \<open>Proposition 5245 (Rule C)\<close>
+
+lemma prop_5245_aux:
+  assumes "x \<noteq> y"
+  and "(y, \<alpha>) \<notin> free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. B)"
+  and "is_free_for (y\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) B"
+  shows "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B"
+using assms(2,3) proof (induction B)
+  case (FVar v)
+  then show ?case
+    using surj_pair[of v] by fastforce
+next
+  case (FCon k)
+  then show ?case
+    using surj_pair[of k] by fastforce
+next
+  case (FApp B\<^sub>1 B\<^sub>2)
+  from FApp.prems(1) have "(y, \<alpha>) \<notin> free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. B\<^sub>1)" and "(y, \<alpha>) \<notin> free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. B\<^sub>2)"
+    by force+
+  moreover from FApp.prems(2) have "is_free_for (y\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) B\<^sub>1" and "is_free_for (y\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) B\<^sub>2"
+    using is_free_for_from_app by iprover+
+  ultimately have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B\<^sub>1"
+    and "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B\<^sub>2"
+    using FApp.IH by simp_all
+  then have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) ((\<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B\<^sub>1) \<sqdot> (\<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B\<^sub>2))"
+    by (intro is_free_for_to_app)
+  then show ?case
+    unfolding singleton_substitution_simps(3) .
+next
+  case (FAbs v B')
+  obtain z and \<beta> where "v = (z, \<beta>)"
+    by fastforce
+  then show ?case
+  proof (cases "v = (x, \<alpha>)")
+    case True
+    with FAbs.prems(1) have "(y, \<alpha>) \<notin> free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. B')"
+      by simp
+    moreover from assms(1) have "(y, \<alpha>) \<noteq> (x, \<alpha>)"
+      by blast
+    ultimately have "(y, \<alpha>) \<notin> free_vars B'"
+      using FAbs.prems(1) by simp
+    with \<open>(y, \<alpha>) \<noteq> (x, \<alpha>)\<close> have "(y, \<alpha>) \<notin> free_vars (\<lambda>x\<^bsub>\<alpha>\<^esub>. B')"
+      by simp
+    then have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) (\<lambda>x\<^bsub>\<alpha>\<^esub>. B')"
+      unfolding is_free_for_def using is_free_at_in_free_vars by blast
+    then have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} (\<lambda>x\<^bsub>\<alpha>\<^esub>. B')"
+      using singleton_substitution_simps(4) by presburger
+    then show ?thesis
+      unfolding True .
+  next
+    case False
+    from assms(1) have "(y, \<alpha>) \<noteq> (x, \<alpha>)"
+      by blast
+    with FAbs.prems(1) have *: "(y, \<alpha>) \<notin> free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. (\<lambda>z\<^bsub>\<beta>\<^esub>. B'))"
+      using \<open>v = (z, \<beta>)\<close> by fastforce
+    then show ?thesis
+    proof (cases "(y, \<alpha>) \<noteq> v")
+      case True
+      from True[unfolded \<open>v = (z, \<beta>)\<close>] and * have "(y, \<alpha>) \<notin> free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. B')"
+        by simp
+      moreover from False[unfolded \<open>v = (z, \<beta>)\<close>] have "is_free_for (y\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) B'"
+        using is_free_for_from_abs[OF FAbs.prems(2)[unfolded \<open>v = (z, \<beta>)\<close>]] by blast
+      ultimately have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) (\<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B')"
+        by (fact FAbs.IH)
+      then have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) (\<lambda>z\<^bsub>\<beta>\<^esub>. (\<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B'))"
+        using False[unfolded \<open>v = (z, \<beta>)\<close>] by (intro is_free_for_to_abs, fastforce+)
+      then show ?thesis
+        unfolding singleton_substitution_simps(4) and \<open>v = (z, \<beta>)\<close> using \<open>(z, \<beta>) \<noteq> (x, \<alpha>)\<close> by auto
+    next
+      case False
+      then have "v = (y, \<alpha>)"
+        by simp
+      have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) (\<lambda>y\<^bsub>\<alpha>\<^esub>. \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B')"
+      proof-
+        have "(y, \<alpha>) \<notin> free_vars (\<lambda>y\<^bsub>\<alpha>\<^esub>. \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B')"
+          by simp
+        then show ?thesis
+          using is_free_at_in_free_vars by blast
+      qed
+      with\<open>v = (y, \<alpha>)\<close> and \<open>(y, \<alpha>) \<noteq> (x, \<alpha>)\<close> show ?thesis
+       using singleton_substitution_simps(4) by presburger
+    qed
+  qed
+qed
+
+proposition prop_5245:
+  assumes "\<H> \<turnstile> \<exists>x\<^bsub>\<alpha>\<^esub>. B"
+  and "\<H>, \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B \<turnstile> A"
+  and "is_free_for (y\<^bsub>\<alpha>\<^esub>) (x, \<alpha>) B"
+  and "(y, \<alpha>) \<notin> free_vars (\<H> \<union> {\<exists>x\<^bsub>\<alpha>\<^esub>. B, A})"
+  shows "\<H> \<turnstile> A"
+proof -
+  from assms(1) have "is_hyps \<H>"
+    by (blast elim: is_derivable_from_hyps.cases)
+  from assms(2,4) have "\<H>, \<exists>y\<^bsub>\<alpha>\<^esub>. \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B \<turnstile> A"
+    using "\<exists>_Rule" by simp
+  then have *: "\<H> \<turnstile> (\<exists>y\<^bsub>\<alpha>\<^esub>. \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B) \<supset>\<^sup>\<Q> A" (is \<open>_ \<turnstile> ?F\<close>)
+    using Deduction_Theorem and \<open>is_hyps \<H>\<close> by blast
+  then have "\<H> \<turnstile> \<exists>x\<^bsub>\<alpha>\<^esub>. B \<supset>\<^sup>\<Q> A"
+  proof (cases "x = y")
+    case True
+    with * show ?thesis
+      using identity_singleton_substitution_neutrality by force
+  next
+    case False
+    from assms(4) have "(y, \<alpha>) \<notin> free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. B)"
+      using free_vars_in_all_vars by auto
+    have "\<sim>\<^sup>\<Q> \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B \<in> wffs\<^bsub>o\<^esub>"
+      by
+        (
+          fact hyp_derivable_form_is_wffso
+          [OF *, THEN wffs_from_imp_op(1), THEN wffs_from_exists, THEN neg_wff]
+        )
+    moreover from False have "(x, \<alpha>) \<notin> free_vars (\<sim>\<^sup>\<Q> \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B)"
+      using free_var_in_renaming_substitution by simp
+    moreover have "is_free_for (x\<^bsub>\<alpha>\<^esub>) (y, \<alpha>) (\<sim>\<^sup>\<Q> \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B)"
+      by (intro is_free_for_in_neg prop_5245_aux[OF False \<open>(y, \<alpha>) \<notin> free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. B)\<close> assms(3)])
+    moreover from assms(3,4) have "\<^bold>S {(y, \<alpha>) \<Zinj> x\<^bsub>\<alpha>\<^esub>} \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B = B"
+      using identity_singleton_substitution_neutrality and renaming_substitution_composability
+      by force
+    ultimately have "\<turnstile> (\<lambda>y\<^bsub>\<alpha>\<^esub>. \<sim>\<^sup>\<Q> \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B) =\<^bsub>\<alpha>\<rightarrow>o\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<sim>\<^sup>\<Q> B)"
+      using "\<alpha>"[where A = "\<sim>\<^sup>\<Q> \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B"] by (metis derived_substitution_simps(4))
+    then show ?thesis
+      by (rule rule_RR[OF disjI1, where p = "[\<guillemotleft>,\<guillemotright>,\<guillemotright>,\<guillemotright>]" and C = "?F"]) (use * in force)+
+  qed
+  with assms(1) show ?thesis
+    by (rule MP)
+qed
+
+lemmas Rule_C = prop_5245 (* synonym *)
+
+end
diff --git a/thys/Q0_Metatheory/Proof_System.thy b/thys/Q0_Metatheory/Proof_System.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Proof_System.thy
@@ -0,0 +1,1114 @@
+section \<open>Proof System\<close>
+
+theory Proof_System
+  imports
+    Syntax
+begin
+
+subsection \<open>Axioms\<close>
+
+inductive_set
+  axioms :: "form set"
+where
+  axiom_1:
+    "\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<in> axioms"
+| axiom_2:
+    "(\<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<alpha>\<^esub> \<yy>\<^bsub>\<alpha>\<^esub>) \<supset>\<^sup>\<Q> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> \<equiv>\<^sup>\<Q> \<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>) \<in> axioms"
+| axiom_3:
+    "(\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<equiv>\<^sup>\<Q> \<forall>\<xx>\<^bsub>\<alpha>\<^esub>. (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<in> axioms"
+| axiom_4_1_con:
+    "(\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub> \<in> axioms" if "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+| axiom_4_1_var:
+    "(\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub> \<in> axioms" if "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "y\<^bsub>\<beta>\<^esub> \<noteq> x\<^bsub>\<alpha>\<^esub>"
+| axiom_4_2:
+    "(\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A \<in> axioms" if "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+| axiom_4_3:
+    "(\<lambda>x\<^bsub>\<alpha>\<^esub>. B \<sqdot> C) \<sqdot> A =\<^bsub>\<beta>\<^esub> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) \<sqdot> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A) \<in> axioms"
+      if "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>" and "C \<in> wffs\<^bsub>\<gamma>\<^esub>"
+| axiom_4_4:
+    "(\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. B) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> (\<lambda>y\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) \<in> axioms"
+      if "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<delta>\<^esub>" and "(y, \<gamma>) \<notin> {(x, \<alpha>)} \<union> vars A"
+| axiom_4_5:
+    "(\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<alpha>\<rightarrow>\<delta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<in> axioms" if "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<delta>\<^esub>"
+| axiom_5:
+    "\<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>) =\<^bsub>i\<^esub> \<yy>\<^bsub>i\<^esub> \<in> axioms"
+
+lemma axioms_are_wffs_of_type_o:
+  shows "axioms \<subseteq> wffs\<^bsub>o\<^esub>"
+  by (intro subsetI, cases rule: axioms.cases) auto
+
+subsection \<open>Inference rule R\<close>
+
+definition is_rule_R_app :: "position \<Rightarrow> form \<Rightarrow> form \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_rule_R_app p D C E \<longleftrightarrow>
+    (
+      \<exists>\<alpha> A B.
+        E = A =\<^bsub>\<alpha>\<^esub> B \<and> A \<in> wffs\<^bsub>\<alpha>\<^esub> \<and> B \<in> wffs\<^bsub>\<alpha>\<^esub> \<and> \<comment> \<open>\<^term>\<open>E\<close> is a well-formed equality\<close>
+        A \<preceq>\<^bsub>p\<^esub> C \<and>
+        D \<in> wffs\<^bsub>o\<^esub> \<and>
+        C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D
+    )"
+
+lemma rule_R_original_form_is_wffo:
+  assumes "is_rule_R_app p D C E"
+  shows "C \<in> wffs\<^bsub>o\<^esub>"
+  using assms and replacement_preserves_typing by fastforce
+
+subsection \<open>Proof and derivability\<close>
+
+inductive is_derivable :: "form \<Rightarrow> bool" where
+  dv_axiom: "is_derivable A" if "A \<in> axioms"
+| dv_rule_R: "is_derivable D" if "is_derivable C" and "is_derivable E" and "is_rule_R_app p D C E"
+
+lemma derivable_form_is_wffso:
+  assumes "is_derivable A"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+  using assms and axioms_are_wffs_of_type_o by (fastforce elim: is_derivable.cases)
+
+definition is_proof_step :: "form list \<Rightarrow> nat \<Rightarrow> bool" where
+  [iff]: "is_proof_step \<S> i' \<longleftrightarrow>
+    \<S> ! i' \<in> axioms \<or>
+    (\<exists>p j k. {j, k} \<subseteq> {0..<i'} \<and> is_rule_R_app p (\<S> ! i') (\<S> ! j) (\<S> ! k))"
+
+definition is_proof :: "form list \<Rightarrow> bool" where
+  [iff]: "is_proof \<S> \<longleftrightarrow> (\<forall>i' < length \<S>. is_proof_step \<S> i')"
+
+lemma common_prefix_is_subproof:
+  assumes "is_proof (\<S> @ \<S>\<^sub>1)"
+  and "i' < length \<S>"
+  shows "is_proof_step (\<S> @ \<S>\<^sub>2) i'"
+proof -
+  from assms(2) have *: "(\<S> @ \<S>\<^sub>1) ! i' = (\<S> @ \<S>\<^sub>2) ! i'"
+    by (simp add: nth_append)
+  moreover from assms(2) have "i' < length (\<S> @ \<S>\<^sub>1)"
+    by simp
+  ultimately obtain p and j and k where **:
+    "(\<S> @ \<S>\<^sub>1) ! i' \<in> axioms \<or>
+    {j, k} \<subseteq> {0..<i'} \<and> is_rule_R_app p ((\<S> @ \<S>\<^sub>1) ! i') ((\<S> @ \<S>\<^sub>1) ! j) ((\<S> @ \<S>\<^sub>1) ! k)"
+    using assms(1) by fastforce
+  then consider
+    (axiom) "(\<S> @ \<S>\<^sub>1) ! i' \<in> axioms"
+  | (rule_R) "{j, k} \<subseteq> {0..<i'} \<and> is_rule_R_app p ((\<S> @ \<S>\<^sub>1) ! i') ((\<S> @ \<S>\<^sub>1) ! j) ((\<S> @ \<S>\<^sub>1) ! k)"
+    by blast
+  then have "
+    (\<S> @ \<S>\<^sub>2) ! i' \<in> axioms \<or>
+    ({j, k} \<subseteq> {0..<i'} \<and> is_rule_R_app p ((\<S> @ \<S>\<^sub>2) ! i') ((\<S> @ \<S>\<^sub>2) ! j) ((\<S> @ \<S>\<^sub>2) ! k))"
+  proof cases
+    case axiom
+    with * have "(\<S> @ \<S>\<^sub>2) ! i' \<in> axioms"
+      by (simp only:)
+    then show ?thesis ..
+  next
+    case rule_R
+    with assms(2) have "(\<S> @ \<S>\<^sub>1) ! j = (\<S> @ \<S>\<^sub>2) ! j" and "(\<S> @ \<S>\<^sub>1) ! k = (\<S> @ \<S>\<^sub>2) ! k"
+      by (simp_all add: nth_append)
+    then have "{j, k} \<subseteq> {0..<i'} \<and> is_rule_R_app p ((\<S> @ \<S>\<^sub>2) ! i') ((\<S> @ \<S>\<^sub>2) ! j) ((\<S> @ \<S>\<^sub>2) ! k)"
+      using * and rule_R by simp
+    then show ?thesis ..
+  qed
+  with ** show ?thesis
+    by fastforce
+qed
+
+lemma added_suffix_proof_preservation:
+  assumes "is_proof \<S>"
+  and "i' < length (\<S> @ \<S>') - length \<S>'"
+  shows "is_proof_step (\<S> @ \<S>') i'"
+  using assms and common_prefix_is_subproof[where \<S>\<^sub>1 = "[]"] by simp
+
+lemma append_proof_step_is_proof:
+  assumes "is_proof \<S>"
+  and "is_proof_step (\<S> @ [A]) (length (\<S> @ [A]) - 1)"
+  shows "is_proof (\<S> @ [A])"
+  using assms and added_suffix_proof_preservation by (simp add: All_less_Suc)
+
+lemma added_prefix_proof_preservation:
+  assumes "is_proof \<S>'"
+  and "i' \<in> {length \<S>..<length (\<S> @ \<S>')}"
+  shows "is_proof_step (\<S> @ \<S>') i'"
+proof -
+  let ?\<S> = "\<S> @ \<S>'"
+  let ?i = "i' - length \<S>"
+  from assms(2) have "?\<S> ! i' = \<S>' ! ?i" and "?i < length \<S>'"
+    by (simp_all add: nth_append less_diff_conv2)
+  then have "is_proof_step ?\<S> i' = is_proof_step \<S>' ?i"
+  proof -
+    from assms(1) and \<open>?i < length \<S>'\<close> obtain j and k and p where *:
+      "\<S>' ! ?i \<in> axioms \<or> ({j, k} \<subseteq> {0..<?i} \<and> is_rule_R_app p (\<S>' ! ?i) (\<S>' ! j) (\<S>' ! k))"
+      by fastforce
+    then consider
+      (axiom) "\<S>' ! ?i \<in> axioms"
+    | (rule_R) "{j, k} \<subseteq> {0..<?i} \<and> is_rule_R_app p (\<S>' ! ?i) (\<S>' ! j) (\<S>' ! k)"
+      by blast
+    then have "
+      ?\<S> ! i' \<in> axioms \<or>
+      (
+        {j + length \<S>, k + length \<S>} \<subseteq> {0..<i'} \<and>
+        is_rule_R_app p (?\<S> ! i') (?\<S> ! (j + length \<S>)) (?\<S> ! (k + length \<S>))
+      )"
+    proof cases
+      case axiom
+      with \<open>?\<S> ! i' = \<S>' ! ?i\<close> have "?\<S> ! i' \<in> axioms"
+        by (simp only:)
+      then show ?thesis ..
+    next
+      case rule_R
+      with assms(2) have "?\<S> ! (j + length \<S>) = \<S>' ! j" and "?\<S> ! (k + length \<S>) = \<S>' ! k"
+        by (simp_all add: nth_append)
+      with \<open>?\<S> ! i' = \<S>' ! ?i\<close> and rule_R have "
+        {j + length \<S>, k + length \<S>} \<subseteq> {0..<i'} \<and>
+        is_rule_R_app p (?\<S> ! i') (?\<S> ! (j + length \<S>)) (?\<S> ! (k + length \<S>))"
+        by auto
+      then show ?thesis ..
+    qed
+    with * show ?thesis
+      by fastforce
+  qed
+  with assms(1) and \<open>?i < length \<S>'\<close> show ?thesis
+    by simp
+qed
+
+lemma proof_but_last_is_proof:
+  assumes "is_proof (\<S> @ [A])"
+  shows "is_proof \<S>"
+  using assms and common_prefix_is_subproof[where \<S>\<^sub>1 = "[A]" and \<S>\<^sub>2 = "[]"] by simp
+
+lemma proof_prefix_is_proof:
+  assumes "is_proof (\<S>\<^sub>1 @ \<S>\<^sub>2)"
+  shows "is_proof \<S>\<^sub>1"
+  using assms and proof_but_last_is_proof
+  by (induction \<S>\<^sub>2 arbitrary: \<S>\<^sub>1 rule: rev_induct) (simp, metis append.assoc)
+
+lemma single_axiom_is_proof:
+  assumes "A \<in> axioms"
+  shows "is_proof [A]"
+  using assms by fastforce
+
+lemma proofs_concatenation_is_proof:
+  assumes "is_proof \<S>\<^sub>1" and "is_proof \<S>\<^sub>2"
+  shows "is_proof (\<S>\<^sub>1 @ \<S>\<^sub>2)"
+proof -
+  from assms(1) have "\<forall>i' < length \<S>\<^sub>1. is_proof_step (\<S>\<^sub>1 @ \<S>\<^sub>2) i'"
+    using added_suffix_proof_preservation by auto
+  moreover from assms(2) have "\<forall>i' \<in> {length \<S>\<^sub>1..<length (\<S>\<^sub>1 @ \<S>\<^sub>2)}. is_proof_step (\<S>\<^sub>1 @ \<S>\<^sub>2) i'"
+    using added_prefix_proof_preservation by auto
+  ultimately show ?thesis
+    unfolding is_proof_def by (meson atLeastLessThan_iff linorder_not_le)
+qed
+
+lemma elem_of_proof_is_wffo:
+  assumes "is_proof \<S>" and "A \<in> lset \<S>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+  using assms and axioms_are_wffs_of_type_o
+  unfolding is_rule_R_app_def and is_proof_step_def and is_proof_def
+  by (induction \<S>) (simp, metis (full_types) in_mono in_set_conv_nth)
+
+lemma axiom_prepended_to_proof_is_proof:
+  assumes "is_proof \<S>"
+  and "A \<in> axioms"
+  shows "is_proof ([A] @ \<S>)"
+  using proofs_concatenation_is_proof[OF single_axiom_is_proof[OF assms(2)] assms(1)] .
+
+lemma axiom_appended_to_proof_is_proof:
+  assumes "is_proof \<S>"
+  and "A \<in> axioms"
+  shows "is_proof (\<S> @ [A])"
+  using proofs_concatenation_is_proof[OF assms(1) single_axiom_is_proof[OF assms(2)]] .
+
+lemma rule_R_app_appended_to_proof_is_proof:
+  assumes "is_proof \<S>"
+  and "i\<^sub>C < length \<S>" and "\<S> ! i\<^sub>C = C"
+  and "i\<^sub>E < length \<S>" and "\<S> ! i\<^sub>E = E"
+  and "is_rule_R_app p D C E"
+  shows "is_proof (\<S> @ [D])"
+proof -
+  let ?\<S> = "\<S> @ [D]"
+  let ?i\<^sub>D = "length \<S>"
+  from assms(2,4) have "i\<^sub>C < ?i\<^sub>D" and "i\<^sub>E < ?i\<^sub>D"
+    by fastforce+
+  with assms(3,5,6) have "is_rule_R_app p (?\<S> ! ?i\<^sub>D) (?\<S> ! i\<^sub>C) (?\<S> ! i\<^sub>E)"
+    by (simp add: nth_append)
+  with assms(2,4) have "\<exists>p j k. {j, k} \<subseteq> {0..<?i\<^sub>D} \<and> is_rule_R_app p (?\<S> ! ?i\<^sub>D) (?\<S> ! j) (?\<S> ! k)"
+    by fastforce
+  then have "is_proof_step ?\<S> (length ?\<S> - 1)"
+    by simp
+  moreover from assms(1) have "\<forall>i' < length ?\<S> - 1. is_proof_step ?\<S> i'"
+    using added_suffix_proof_preservation by auto
+  ultimately show ?thesis
+    using less_Suc_eq by auto
+qed
+
+definition is_proof_of :: "form list \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_proof_of \<S> A \<longleftrightarrow> \<S> \<noteq> [] \<and> is_proof \<S> \<and> last \<S> = A"
+
+lemma proof_prefix_is_proof_of_last:
+  assumes "is_proof (\<S> @ \<S>')" and "\<S> \<noteq> []"
+  shows "is_proof_of \<S> (last \<S>)"
+proof -
+  from assms(1) have "is_proof \<S>"
+    by (fact proof_prefix_is_proof)
+  with assms(2) show ?thesis
+    by fastforce
+qed
+
+definition is_theorem :: "form \<Rightarrow> bool" where
+  [iff]: "is_theorem A \<longleftrightarrow> (\<exists>\<S>. is_proof_of \<S> A)"
+
+lemma proof_form_is_wffo:
+  assumes "is_proof_of \<S> A"
+  and "B \<in> lset \<S>"
+  shows "B \<in> wffs\<^bsub>o\<^esub>"
+  using assms and elem_of_proof_is_wffo by blast
+
+lemma proof_form_is_theorem:
+  assumes "is_proof \<S>" and "\<S> \<noteq> []"
+  and "i' < length \<S>"
+  shows "is_theorem (\<S> ! i')"
+proof -
+  let ?\<S>\<^sub>1 = "take (Suc i') \<S>"
+  from assms(1) obtain \<S>\<^sub>2 where "is_proof (?\<S>\<^sub>1 @ \<S>\<^sub>2)"
+    by (metis append_take_drop_id)
+  then have "is_proof ?\<S>\<^sub>1"
+    by (fact proof_prefix_is_proof)
+  moreover from assms(3) have "last ?\<S>\<^sub>1 = \<S> ! i'"
+    by (simp add: take_Suc_conv_app_nth)
+  ultimately show ?thesis
+    using assms(2) unfolding is_proof_of_def and is_theorem_def by (metis Zero_neq_Suc take_eq_Nil2)
+qed
+
+theorem derivable_form_is_theorem:
+  assumes "is_derivable A"
+  shows "is_theorem A"
+using assms proof (induction rule: is_derivable.induct)
+  case (dv_axiom A)
+  then have "is_proof [A]"
+    by (fact single_axiom_is_proof)
+  moreover have "last [A] = A"
+    by simp
+  ultimately show ?case
+    by blast
+next
+  case (dv_rule_R C E p D)
+  obtain \<S>\<^sub>C and \<S>\<^sub>E where
+    "is_proof \<S>\<^sub>C" and "\<S>\<^sub>C \<noteq> []" and "last \<S>\<^sub>C = C" and
+    "is_proof \<S>\<^sub>E" and "\<S>\<^sub>E \<noteq> []" and "last \<S>\<^sub>E = E"
+    using dv_rule_R.IH by fastforce
+  let ?i\<^sub>C = "length \<S>\<^sub>C - 1" and ?i\<^sub>E = "length \<S>\<^sub>C + length \<S>\<^sub>E - 1" and ?i\<^sub>D = "length \<S>\<^sub>C + length \<S>\<^sub>E"
+  let ?\<S> = "\<S>\<^sub>C @ \<S>\<^sub>E @ [D]"
+  from \<open>\<S>\<^sub>C \<noteq> []\<close> have "?i\<^sub>C < length (\<S>\<^sub>C @ \<S>\<^sub>E)" and "?i\<^sub>E < length (\<S>\<^sub>C @ \<S>\<^sub>E)"
+    using linorder_not_le by fastforce+
+  moreover have "(\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>C = C" and "(\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>E = E"
+    using \<open>\<S>\<^sub>C \<noteq> []\<close> and \<open>last \<S>\<^sub>C = C\<close>
+    by
+      (
+        simp add: last_conv_nth nth_append,
+        metis \<open>last \<S>\<^sub>E = E\<close> \<open>\<S>\<^sub>E \<noteq> []\<close> append_is_Nil_conv last_appendR last_conv_nth length_append
+      )
+  with \<open>is_rule_R_app p D C E\<close> have "is_rule_R_app p D ((\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>C) ((\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>E)"
+    using \<open>(\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>C = C\<close> by fastforce
+  moreover from \<open>is_proof \<S>\<^sub>C\<close> and \<open>is_proof \<S>\<^sub>E\<close> have "is_proof (\<S>\<^sub>C @ \<S>\<^sub>E)"
+    by (fact proofs_concatenation_is_proof)
+  ultimately have "is_proof ((\<S>\<^sub>C @ \<S>\<^sub>E) @ [D])"
+    using rule_R_app_appended_to_proof_is_proof by presburger
+  with \<open>\<S>\<^sub>C \<noteq> []\<close> show ?case
+    unfolding is_proof_of_def and is_theorem_def by (metis snoc_eq_iff_butlast)
+qed
+
+theorem theorem_is_derivable_form:
+  assumes "is_theorem A"
+  shows "is_derivable A"
+proof -
+  from assms obtain \<S> where "is_proof \<S>" and "\<S> \<noteq> []" and "last \<S> = A"
+    by fastforce
+  then show ?thesis
+  proof (induction "length \<S>" arbitrary: \<S> A rule: less_induct)
+    case less
+    let ?i' = "length \<S> - 1"
+    from \<open>\<S> \<noteq> []\<close> and \<open>last \<S> = A\<close> have "\<S> ! ?i' = A"
+      by (simp add: last_conv_nth)
+    from \<open>is_proof \<S>\<close> and \<open>\<S> \<noteq> []\<close> and \<open>last \<S> = A\<close> have "is_proof_step \<S> ?i'"
+      using added_suffix_proof_preservation[where \<S>' = "[]"] by simp
+    then consider
+      (axiom) "\<S> ! ?i' \<in> axioms"
+    | (rule_R) "\<exists>p j k. {j, k} \<subseteq> {0..<?i'} \<and> is_rule_R_app p (\<S> ! ?i') (\<S> ! j) (\<S> ! k)"
+      by fastforce
+    then show ?case
+    proof cases
+      case axiom
+      with \<open>\<S> ! ?i' = A\<close> show ?thesis
+        by (fastforce intro: dv_axiom)
+    next
+      case rule_R
+      then obtain p and j and k
+        where "{j, k} \<subseteq> {0..<?i'}" and "is_rule_R_app p (\<S> ! ?i') (\<S> ! j) (\<S> ! k)"
+        by force
+      let ?\<S>\<^sub>j = "take (Suc j) \<S>"
+      let ?\<S>\<^sub>k = "take (Suc k) \<S>"
+      obtain \<S>\<^sub>j' and \<S>\<^sub>k' where "\<S> = ?\<S>\<^sub>j @ \<S>\<^sub>j'" and "\<S> = ?\<S>\<^sub>k @ \<S>\<^sub>k'"
+        by (metis append_take_drop_id)
+      with \<open>is_proof \<S>\<close> have "is_proof (?\<S>\<^sub>j @ \<S>\<^sub>j')" and "is_proof (?\<S>\<^sub>k @ \<S>\<^sub>k')"
+        by (simp_all only:)
+      moreover
+      from \<open>\<S> = ?\<S>\<^sub>j @ \<S>\<^sub>j'\<close> and \<open>\<S> = ?\<S>\<^sub>k @ \<S>\<^sub>k'\<close> and \<open>last \<S> = A\<close> and \<open>{j, k} \<subseteq> {0..<length \<S> - 1}\<close>
+      have "last \<S>\<^sub>j' = A" and "last \<S>\<^sub>k' = A"
+        using length_Cons and less_le_not_le and take_Suc and take_tl and append.right_neutral
+        by (metis atLeastLessThan_iff diff_Suc_1 insert_subset last_appendR take_all_iff)+
+      moreover from \<open>\<S> \<noteq> []\<close> have "?\<S>\<^sub>j \<noteq> []" and "?\<S>\<^sub>k \<noteq> []"
+        by simp_all
+      ultimately have "is_proof_of ?\<S>\<^sub>j (last ?\<S>\<^sub>j)" and "is_proof_of ?\<S>\<^sub>k (last ?\<S>\<^sub>k)"
+        using proof_prefix_is_proof_of_last [where \<S> = ?\<S>\<^sub>j and \<S>' = \<S>\<^sub>j']
+        and proof_prefix_is_proof_of_last [where \<S> = ?\<S>\<^sub>k and \<S>' = \<S>\<^sub>k']
+        by fastforce+
+      moreover from \<open>last \<S>\<^sub>j' = A\<close> and \<open>last \<S>\<^sub>k' = A\<close>
+      have "length ?\<S>\<^sub>j < length \<S>" and "length ?\<S>\<^sub>k < length \<S>"
+        using \<open>{j, k} \<subseteq> {0..<length \<S> - 1}\<close> by force+
+      moreover from calculation(3,4) have "last ?\<S>\<^sub>j = \<S> ! j" and "last ?\<S>\<^sub>k = \<S> ! k"
+        by (metis Suc_lessD last_snoc linorder_not_le nat_neq_iff take_Suc_conv_app_nth take_all_iff)+
+      ultimately have "is_derivable (\<S> ! j)" and "is_derivable (\<S> ! k)"
+        using \<open>?\<S>\<^sub>j \<noteq> []\<close> and \<open>?\<S>\<^sub>k \<noteq> []\<close> and less(1) by blast+
+      with \<open>is_rule_R_app p (\<S> ! ?i') (\<S> ! j) (\<S> ! k)\<close> and \<open>\<S> ! ?i' = A\<close> show ?thesis
+        by (blast intro: dv_rule_R)
+    qed
+  qed
+qed
+
+theorem theoremhood_derivability_equivalence:
+  shows "is_theorem A \<longleftrightarrow> is_derivable A"
+  using derivable_form_is_theorem and theorem_is_derivable_form by blast
+
+lemma theorem_is_wffo:
+  assumes "is_theorem A"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+proof -
+  from assms obtain \<S> where "is_proof_of \<S> A"
+    by blast
+  then have "A \<in> lset \<S>"
+    by auto
+  with \<open>is_proof_of \<S> A\<close> show ?thesis
+    using proof_form_is_wffo by blast
+qed
+
+lemma equality_reflexivity:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "is_theorem (A =\<^bsub>\<alpha>\<^esub> A)" (is "is_theorem ?A\<^sub>2")
+proof -
+  let ?A\<^sub>1 = "(\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A"
+  let ?\<S> = "[?A\<^sub>1, ?A\<^sub>2]"
+  \<comment> \<open> (.1) Axiom 4.2 \<close>
+  have "is_proof_step ?\<S> 0"
+  proof -
+    from assms have "?A\<^sub>1 \<in> axioms"
+      by (intro axiom_4_2)
+    then show ?thesis
+      by simp
+  qed
+  \<comment> \<open> (.2) Rule R: .1,.1 \<close>
+  moreover have "is_proof_step ?\<S> 1"
+  proof -
+    let ?p = "[\<guillemotleft>, \<guillemotright>]"
+    have "\<exists>p j k. {j::nat, k} \<subseteq> {0..<1} \<and> is_rule_R_app ?p ?A\<^sub>2 (?\<S> ! j) (?\<S> ! k)"
+    proof -
+      let ?D = "?A\<^sub>2" and ?j = "0::nat" and ?k = "0"
+      have "{?j, ?k} \<subseteq> {0..<1}"
+        by simp
+      moreover have "is_rule_R_app ?p ?A\<^sub>2 (?\<S> ! ?j) (?\<S> ! ?k)"
+      proof -
+        have "(\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> A \<preceq>\<^bsub>?p\<^esub> (?\<S> ! ?j)"
+          by force
+        moreover have "(?\<S> ! ?j)\<lblot>?p \<leftarrow> A\<rblot> \<rhd> ?D"
+          by force
+        moreover from \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> have "?D \<in> wffs\<^bsub>o\<^esub>"
+          by (intro equality_wff)
+        moreover from \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> have "(\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+          by (meson wffs_of_type_simps)
+        ultimately show ?thesis
+          using \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> by simp
+      qed
+      ultimately show ?thesis
+        by meson
+    qed
+    then show ?thesis
+      by auto
+  qed
+  moreover have "last ?\<S> = ?A\<^sub>2"
+    by simp
+  moreover have "{0..<length ?\<S>} = {0, 1}"
+    by (simp add: atLeast0_lessThan_Suc insert_commute)
+  ultimately show ?thesis
+    unfolding is_theorem_def and is_proof_def and is_proof_of_def
+    by (metis One_nat_def Suc_1 length_Cons less_2_cases list.distinct(1) list.size(3))
+qed
+
+lemma equality_reflexivity':
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "is_theorem (A =\<^bsub>\<alpha>\<^esub> A)" (is "is_theorem ?A\<^sub>2")
+proof (intro derivable_form_is_theorem)
+  let ?A\<^sub>1 = "(\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A"
+  \<comment> \<open> (.1) Axiom 4.2 \<close>
+  from assms have "?A\<^sub>1 \<in> axioms"
+    by (intro axiom_4_2)
+  then have step_1: "is_derivable ?A\<^sub>1"
+    by (intro dv_axiom)
+  \<comment> \<open> (.2) Rule R: .1,.1 \<close>
+  then show "is_derivable ?A\<^sub>2"
+  proof -
+    let ?p = "[\<guillemotleft>, \<guillemotright>]" and ?C = "?A\<^sub>1" and ?E = "?A\<^sub>1" and ?D = "?A\<^sub>2"
+    have "is_rule_R_app ?p ?D ?C ?E"
+    proof -
+      have "(\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> A \<preceq>\<^bsub>?p\<^esub> ?C"
+        by force
+      moreover have "?C\<lblot>?p \<leftarrow> A\<rblot> \<rhd> ?D"
+        by force
+      moreover from \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> have "?D \<in> wffs\<^bsub>o\<^esub>"
+        by (intro equality_wff)
+      moreover from \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> have "(\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. \<xx>\<^bsub>\<alpha>\<^esub>) \<sqdot> A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+        by (meson wffs_of_type_simps)
+      ultimately show ?thesis
+        using \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> by simp
+    qed
+    with step_1 show ?thesis
+      by (blast intro: dv_rule_R)
+  qed
+qed
+
+subsection \<open>Hypothetical proof and derivability\<close>
+
+text \<open>The set of free variables in \<open>\<X>\<close> that are exposed to capture at position \<open>p\<close> in \<open>A\<close>:\<close>
+
+definition capture_exposed_vars_at :: "position \<Rightarrow> form \<Rightarrow> 'a \<Rightarrow> var set" where
+  [simp]: "capture_exposed_vars_at p A \<X> =
+    {(x, \<beta>) | x \<beta> p' E. strict_prefix p' p \<and> \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> A \<and> (x, \<beta>) \<in> free_vars \<X>}"
+
+lemma capture_exposed_vars_at_alt_def:
+  assumes "p \<in> positions A"
+  shows "capture_exposed_vars_at p A \<X> = binders_at A p \<inter> free_vars \<X>"
+  unfolding binders_at_alt_def[OF assms] and in_scope_of_abs_alt_def
+  using is_subform_implies_in_positions by auto
+
+text \<open>Inference rule R$'$:\<close>
+
+definition rule_R'_side_condition :: "form set \<Rightarrow> position \<Rightarrow> form \<Rightarrow> form \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "rule_R'_side_condition \<H> p D C E \<longleftrightarrow>
+    capture_exposed_vars_at p C E \<inter> capture_exposed_vars_at p C \<H> = {}"
+
+lemma rule_R'_side_condition_alt_def:
+  fixes \<H> :: "form set"
+  assumes "C \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "
+    rule_R'_side_condition \<H> p D C (A =\<^bsub>\<alpha>\<^esub> B)
+    \<longleftrightarrow>
+    (
+      \<nexists>x \<beta> E p'.
+        strict_prefix p' p \<and>
+        \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> C \<and>
+        (x, \<beta>) \<in> free_vars (A =\<^bsub>\<alpha>\<^esub> B) \<and>
+        (\<exists>H \<in> \<H>. (x, \<beta>) \<in> free_vars H)
+    )"
+proof -
+  have "
+    capture_exposed_vars_at p C (A =\<^bsub>\<alpha>\<^esub> B)
+    =
+    {(x, \<beta>) | x \<beta> p' E. strict_prefix p' p \<and> \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> C \<and> (x, \<beta>) \<in> free_vars (A =\<^bsub>\<alpha>\<^esub> B)}"
+    using assms and capture_exposed_vars_at_alt_def unfolding capture_exposed_vars_at_def by fast
+  moreover have "
+    capture_exposed_vars_at p C \<H>
+    =
+    {(x, \<beta>) | x \<beta> p' E. strict_prefix p' p \<and> \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> C \<and> (x, \<beta>) \<in> free_vars \<H>}"
+    using assms and capture_exposed_vars_at_alt_def unfolding capture_exposed_vars_at_def by fast
+  ultimately have "
+    capture_exposed_vars_at p C (A =\<^bsub>\<alpha>\<^esub> B) \<inter> capture_exposed_vars_at p C \<H>
+    =
+    {(x, \<beta>) | x \<beta> p' E. strict_prefix p' p \<and> \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> C \<and> (x, \<beta>) \<in> free_vars (A =\<^bsub>\<alpha>\<^esub> B) \<and>
+      (x, \<beta>) \<in> free_vars \<H>}"
+    by auto
+  also have "
+    \<dots>
+    =
+    {(x, \<beta>) | x \<beta> p' E. strict_prefix p' p \<and> \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> C \<and> (x, \<beta>) \<in> free_vars (A =\<^bsub>\<alpha>\<^esub> B) \<and>
+      (\<exists>H \<in> \<H>. (x, \<beta>) \<in> free_vars H)}"
+    by auto
+  finally show ?thesis
+    by fast
+qed
+
+definition is_rule_R'_app :: "form set \<Rightarrow> position \<Rightarrow> form \<Rightarrow> form \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_rule_R'_app \<H> p D C E \<longleftrightarrow> is_rule_R_app p D C E \<and> rule_R'_side_condition \<H> p D C E"
+
+lemma is_rule_R'_app_alt_def:
+  shows "
+    is_rule_R'_app \<H> p D C E
+    \<longleftrightarrow>
+    (
+      \<exists>\<alpha> A B.
+        E = A =\<^bsub>\<alpha>\<^esub> B \<and> A \<in> wffs\<^bsub>\<alpha>\<^esub> \<and> B \<in> wffs\<^bsub>\<alpha>\<^esub> \<and> \<comment> \<open>\<^term>\<open>E\<close> is a well-formed equality\<close>
+        A \<preceq>\<^bsub>p\<^esub> C \<and> D \<in> wffs\<^bsub>o\<^esub> \<and>
+        C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D \<and>
+        (
+          \<nexists>x \<beta> E p'.
+            strict_prefix p' p \<and>
+            \<lambda>x\<^bsub>\<beta>\<^esub>. E \<preceq>\<^bsub>p'\<^esub> C \<and>
+            (x, \<beta>) \<in> free_vars (A =\<^bsub>\<alpha>\<^esub> B) \<and>
+            (\<exists>H \<in> \<H>. (x, \<beta>) \<in> free_vars H)
+        )
+    )"
+  using rule_R'_side_condition_alt_def by fastforce
+
+lemma rule_R'_preserves_typing:
+  assumes "is_rule_R'_app \<H> p D C E"
+  shows "C \<in> wffs\<^bsub>o\<^esub> \<longleftrightarrow> D \<in> wffs\<^bsub>o\<^esub>"
+  using assms and replacement_preserves_typing unfolding is_rule_R_app_def and is_rule_R'_app_def
+  by meson
+
+abbreviation is_hyps :: "form set \<Rightarrow> bool" where
+  "is_hyps \<H> \<equiv> \<H> \<subseteq> wffs\<^bsub>o\<^esub> \<and> finite \<H>"
+
+inductive is_derivable_from_hyps :: "form set \<Rightarrow> form \<Rightarrow> bool" ("_ \<turnstile> _" [50, 50] 50) for \<H> where
+  dv_hyp: "\<H> \<turnstile> A" if "A \<in> \<H>" and "is_hyps \<H>"
+| dv_thm: "\<H> \<turnstile> A" if "is_theorem A" and "is_hyps \<H>"
+| dv_rule_R': "\<H> \<turnstile> D" if "\<H> \<turnstile> C" and "\<H> \<turnstile> E" and "is_rule_R'_app \<H> p D C E" and "is_hyps \<H>"
+
+lemma hyp_derivable_form_is_wffso:
+  assumes "is_derivable_from_hyps \<H> A"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+  using assms and theorem_is_wffo by (cases rule: is_derivable_from_hyps.cases) auto
+
+definition is_hyp_proof_step :: "form set \<Rightarrow> form list \<Rightarrow> form list \<Rightarrow> nat \<Rightarrow> bool" where
+  [iff]: "is_hyp_proof_step \<H> \<S>\<^sub>1 \<S>\<^sub>2 i' \<longleftrightarrow>
+    \<S>\<^sub>2 ! i' \<in> \<H> \<or>
+    \<S>\<^sub>2 ! i' \<in> lset \<S>\<^sub>1 \<or>
+    (\<exists>p j k. {j, k} \<subseteq> {0..<i'} \<and> is_rule_R'_app \<H> p (\<S>\<^sub>2 ! i') (\<S>\<^sub>2 ! j) (\<S>\<^sub>2 ! k))"
+
+type_synonym hyp_proof = "form list \<times> form list"
+
+definition is_hyp_proof :: "form set \<Rightarrow> form list \<Rightarrow> form list \<Rightarrow> bool" where
+  [iff]: "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2 \<longleftrightarrow> (\<forall>i' < length \<S>\<^sub>2. is_hyp_proof_step \<H> \<S>\<^sub>1 \<S>\<^sub>2 i')"
+
+lemma common_prefix_is_hyp_subproof_from:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ \<S>\<^sub>2')"
+  and "i' < length \<S>\<^sub>2"
+  shows "is_hyp_proof_step \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ \<S>\<^sub>2'') i'"
+proof -
+  let ?\<S> = "\<S>\<^sub>2 @ \<S>\<^sub>2'"
+  from assms(2) have "?\<S> ! i' = (\<S>\<^sub>2 @ \<S>\<^sub>2'') ! i'"
+    by (simp add: nth_append)
+  moreover from assms(2) have "i' < length ?\<S>"
+    by simp
+  ultimately obtain p and j and k where "
+    ?\<S> ! i' \<in> \<H> \<or>
+    ?\<S> ! i' \<in> lset \<S>\<^sub>1 \<or>
+    {j, k} \<subseteq> {0..<i'} \<and> is_rule_R'_app \<H> p (?\<S> ! i') (?\<S> ! j) (?\<S> ! k)"
+    using assms(1) unfolding is_hyp_proof_def and is_hyp_proof_step_def by meson
+  then consider
+    (hyp) "?\<S> ! i' \<in> \<H>"
+  | (seq) "?\<S> ! i' \<in> lset \<S>\<^sub>1"
+  | (rule_R') "{j, k} \<subseteq> {0..<i'} \<and> is_rule_R'_app \<H> p (?\<S> ! i') (?\<S> ! j) (?\<S> ! k)"
+    by blast
+  then have "
+    (\<S>\<^sub>2 @ \<S>\<^sub>2'') ! i' \<in> \<H> \<or>
+    (\<S>\<^sub>2 @ \<S>\<^sub>2'') ! i' \<in> lset \<S>\<^sub>1 \<or>
+    ({j, k} \<subseteq> {0..<i'} \<and> is_rule_R'_app \<H> p ((\<S>\<^sub>2 @ \<S>\<^sub>2'') ! i') ((\<S>\<^sub>2 @ \<S>\<^sub>2'') ! j) ((\<S>\<^sub>2 @ \<S>\<^sub>2'') ! k))"
+  proof cases
+    case hyp
+    with assms(2) have "(\<S>\<^sub>2 @ \<S>\<^sub>2'') ! i' \<in> \<H>"
+      by (simp add: nth_append)
+    then show ?thesis ..
+  next
+    case seq
+    with assms(2) have "(\<S>\<^sub>2 @ \<S>\<^sub>2'') ! i' \<in> lset \<S>\<^sub>1"
+      by (simp add: nth_append)
+    then show ?thesis
+      by (intro disjI1 disjI2)
+  next
+    case rule_R'
+    with assms(2) have "?\<S> ! j = (\<S>\<^sub>2 @ \<S>\<^sub>2'') ! j" and "?\<S> ! k = (\<S>\<^sub>2 @ \<S>\<^sub>2'') ! k"
+      by (simp_all add: nth_append)
+    with assms(2) and rule_R' have "
+      {j, k} \<subseteq> {0..<i'} \<and> is_rule_R'_app \<H> p ((\<S>\<^sub>2 @ \<S>\<^sub>2'') ! i') ((\<S>\<^sub>2 @ \<S>\<^sub>2'') ! j) ((\<S>\<^sub>2 @ \<S>\<^sub>2'') ! k)"
+      by (metis nth_append)
+    then show ?thesis
+      by (intro disjI2)
+  qed
+  then show ?thesis
+    unfolding is_hyp_proof_step_def by meson
+qed
+
+lemma added_suffix_thms_hyp_proof_preservation:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  shows "is_hyp_proof \<H> (\<S>\<^sub>1 @ \<S>\<^sub>1') \<S>\<^sub>2"
+  using assms by auto
+
+lemma added_suffix_hyp_proof_preservation:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  and "i' < length (\<S>\<^sub>2 @ \<S>\<^sub>2') - length \<S>\<^sub>2'"
+  shows "is_hyp_proof_step \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ \<S>\<^sub>2') i'"
+  using assms and common_prefix_is_hyp_subproof_from[where \<S>\<^sub>2' = "[]"] by auto
+
+lemma appended_hyp_proof_step_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  and "is_hyp_proof_step \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ [A]) (length (\<S>\<^sub>2 @ [A]) - 1)"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ [A])"
+proof (standard, intro allI impI)
+  fix i'
+  assume "i' < length (\<S>\<^sub>2 @ [A])"
+  then consider (a) "i' < length \<S>\<^sub>2" | (b) "i' = length \<S>\<^sub>2"
+    by fastforce
+  then show "is_hyp_proof_step \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ [A]) i'"
+  proof cases
+    case a
+    with assms(1) show ?thesis
+      using added_suffix_hyp_proof_preservation by simp
+  next
+    case b
+    with assms(2) show ?thesis
+      by simp
+  qed
+qed
+
+lemma added_prefix_hyp_proof_preservation:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2'"
+  and "i' \<in> {length \<S>\<^sub>2..<length (\<S>\<^sub>2 @ \<S>\<^sub>2')}"
+  shows "is_hyp_proof_step \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ \<S>\<^sub>2') i'"
+proof -
+  let ?\<S> = "\<S>\<^sub>2 @ \<S>\<^sub>2'"
+  let ?i = "i' - length \<S>\<^sub>2"
+  from assms(2) have "?\<S> ! i' = \<S>\<^sub>2' ! ?i" and "?i < length \<S>\<^sub>2'"
+    by (simp_all add: nth_append less_diff_conv2)
+  then have "is_hyp_proof_step \<H> \<S>\<^sub>1 ?\<S> i' = is_hyp_proof_step \<H> \<S>\<^sub>1 \<S>\<^sub>2' ?i"
+  proof -
+    from assms(1) and \<open>?i < length \<S>\<^sub>2'\<close> obtain j and k and p where "
+      \<S>\<^sub>2' ! ?i \<in> \<H> \<or>
+      \<S>\<^sub>2' ! ?i \<in> lset \<S>\<^sub>1 \<or>
+      ({j, k} \<subseteq> {0..<?i} \<and> is_rule_R'_app \<H> p (\<S>\<^sub>2' ! ?i) (\<S>\<^sub>2' ! j) (\<S>\<^sub>2' ! k))"
+      unfolding is_hyp_proof_def and is_hyp_proof_step_def by meson
+    then consider
+      (hyp) "\<S>\<^sub>2' ! ?i \<in> \<H>"
+    | (seq) "\<S>\<^sub>2' ! ?i \<in> lset \<S>\<^sub>1"
+    | (rule_R') "{j, k} \<subseteq> {0..<?i} \<and> is_rule_R'_app \<H> p (\<S>\<^sub>2' ! ?i) (\<S>\<^sub>2' ! j) (\<S>\<^sub>2' ! k)"
+      by blast
+    then have "
+      ?\<S> ! i' \<in> \<H> \<or>
+      ?\<S> ! i' \<in> lset \<S>\<^sub>1 \<or>
+      ({j + length \<S>\<^sub>2, k + length \<S>\<^sub>2} \<subseteq> {0..<i'} \<and>
+        is_rule_R'_app \<H> p (?\<S> ! i') (?\<S> ! (j + length \<S>\<^sub>2)) (?\<S> ! (k + length \<S>\<^sub>2)))"
+    proof cases
+      case hyp
+      with \<open>?\<S> ! i' = \<S>\<^sub>2' ! ?i\<close> have "?\<S> ! i' \<in> \<H>"
+        by (simp only:)
+      then show ?thesis ..
+    next
+      case seq
+      with \<open>?\<S> ! i' = \<S>\<^sub>2' ! ?i\<close> have "?\<S> ! i' \<in> lset \<S>\<^sub>1"
+        by (simp only:)
+      then show ?thesis
+        by (intro disjI1 disjI2)
+    next
+      case rule_R'
+      with assms(2) have "?\<S> ! (j + length \<S>\<^sub>2) = \<S>\<^sub>2' ! j" and "?\<S> ! (k + length \<S>\<^sub>2) = \<S>\<^sub>2' ! k"
+        by (simp_all add: nth_append)
+      with \<open>?\<S> ! i' = \<S>\<^sub>2' ! ?i\<close> and rule_R' have "
+        {j + length \<S>\<^sub>2, k + length \<S>\<^sub>2} \<subseteq> {0..<i'} \<and>
+        is_rule_R'_app \<H> p (?\<S> ! i') (?\<S> ! (j + length \<S>\<^sub>2)) (?\<S> ! (k + length \<S>\<^sub>2))"
+        by auto
+      then show ?thesis
+        by (intro disjI2)
+    qed
+    with assms(1) and \<open>?i < length \<S>\<^sub>2'\<close> show ?thesis
+      unfolding is_hyp_proof_def and is_hyp_proof_step_def by meson
+  qed
+  with assms(1) and \<open>?i < length \<S>\<^sub>2'\<close> show ?thesis
+    by simp
+qed
+
+lemma hyp_proof_but_last_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ [A])"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  using assms and common_prefix_is_hyp_subproof_from[where \<S>\<^sub>2' = "[A]" and \<S>\<^sub>2'' = "[]"]
+  by simp
+
+lemma hyp_proof_prefix_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ \<S>\<^sub>2')"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  using assms and hyp_proof_but_last_is_hyp_proof
+  by (induction \<S>\<^sub>2' arbitrary: \<S>\<^sub>2 rule: rev_induct) (simp, metis append.assoc)
+
+lemma single_hyp_is_hyp_proof:
+  assumes "A \<in> \<H>"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 [A]"
+  using assms by fastforce
+
+lemma single_thm_is_hyp_proof:
+  assumes "A \<in> lset \<S>\<^sub>1"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 [A]"
+  using assms by fastforce
+
+lemma hyp_proofs_from_concatenation_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>1'" and "is_hyp_proof \<H> \<S>\<^sub>2 \<S>\<^sub>2'"
+  shows "is_hyp_proof \<H> (\<S>\<^sub>1 @ \<S>\<^sub>2) (\<S>\<^sub>1' @ \<S>\<^sub>2')"
+proof (standard, intro allI impI)
+  let ?\<S> = "\<S>\<^sub>1 @ \<S>\<^sub>2" and ?\<S>' = "\<S>\<^sub>1' @ \<S>\<^sub>2'"
+  fix i'
+  assume "i' < length ?\<S>'"
+  then consider (a) "i' < length \<S>\<^sub>1'" | (b) "i' \<in> {length \<S>\<^sub>1'..<length ?\<S>'}"
+    by fastforce
+  then show "is_hyp_proof_step \<H> ?\<S> ?\<S>' i'"
+  proof cases
+    case a
+    from \<open>is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>1'\<close> have "is_hyp_proof \<H> (\<S>\<^sub>1 @ \<S>\<^sub>2) \<S>\<^sub>1'"
+      by auto
+    with assms(1) and a show ?thesis
+      using added_suffix_hyp_proof_preservation[where \<S>\<^sub>1 = "\<S>\<^sub>1 @ \<S>\<^sub>2"] by auto
+  next
+    case b
+    from assms(2) have "is_hyp_proof \<H> (\<S>\<^sub>1 @ \<S>\<^sub>2) \<S>\<^sub>2'"
+      by auto
+    with b show ?thesis
+      using added_prefix_hyp_proof_preservation[where \<S>\<^sub>1 = "\<S>\<^sub>1 @ \<S>\<^sub>2"] by auto
+  qed
+qed
+
+lemma elem_of_hyp_proof_is_wffo:
+  assumes "is_hyps \<H>"
+  and "lset \<S>\<^sub>1 \<subseteq> wffs\<^bsub>o\<^esub>"
+  and "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  and "A \<in> lset \<S>\<^sub>2"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+using assms proof (induction \<S>\<^sub>2 rule: rev_induct)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (snoc A' \<S>\<^sub>2)
+  from \<open>is_hyp_proof \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ [A'])\<close> have "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+    using hyp_proof_prefix_is_hyp_proof[where \<S>\<^sub>2' = "[A']"] by presburger
+  then show ?case
+  proof (cases "A \<in> lset \<S>\<^sub>2")
+    case True
+    with snoc.prems(1,2) and \<open>is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2\<close> show ?thesis
+      by (fact snoc.IH)
+  next
+    case False
+    with snoc.prems(4) have "A' = A"
+      by simp
+    with snoc.prems(3) have "
+      (\<S>\<^sub>2 @ [A]) ! i' \<in> \<H> \<or>
+      (\<S>\<^sub>2 @ [A]) ! i' \<in> lset \<S>\<^sub>1 \<or>
+      (\<S>\<^sub>2 @ [A]) ! i' \<in> wffs\<^bsub>o\<^esub>" if "i' \<in> {0..<length (\<S>\<^sub>2 @ [A])}" for i'
+      using that by auto
+    then have "A \<in> wffs\<^bsub>o\<^esub> \<or> A \<in> \<H> \<or> A \<in> lset \<S>\<^sub>1 \<or> length \<S>\<^sub>2 \<notin> {0..<Suc (length \<S>\<^sub>2)}"
+      by (metis (no_types) length_append_singleton nth_append_length)
+    with assms(1) and \<open>lset \<S>\<^sub>1 \<subseteq> wffs\<^bsub>o\<^esub>\<close> show ?thesis
+      using atLeast0_lessThan_Suc by blast
+  qed
+qed
+
+lemma hyp_prepended_to_hyp_proof_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  and "A \<in> \<H>"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 ([A] @ \<S>\<^sub>2)"
+  using
+    hyp_proofs_from_concatenation_is_hyp_proof
+    [
+      OF single_hyp_is_hyp_proof[OF assms(2)] assms(1),
+      where \<S>\<^sub>1 = "[]"
+    ]
+  by simp
+
+lemma hyp_appended_to_hyp_proof_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  and "A \<in> \<H>"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ [A])"
+  using
+    hyp_proofs_from_concatenation_is_hyp_proof
+    [
+      OF assms(1) single_hyp_is_hyp_proof[OF assms(2)],
+      where \<S>\<^sub>2 = "[]"
+    ]
+  by simp
+
+lemma dropped_duplicated_thm_in_hyp_proof_is_hyp_proof:
+  assumes "is_hyp_proof \<H> (A # \<S>\<^sub>1) \<S>\<^sub>2"
+  and "A \<in> lset \<S>\<^sub>1"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  using assms by auto
+
+lemma thm_prepended_to_hyp_proof_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  and "A \<in> lset \<S>\<^sub>1"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 ([A] @ \<S>\<^sub>2)"
+  using hyp_proofs_from_concatenation_is_hyp_proof[OF single_thm_is_hyp_proof[OF assms(2)] assms(1)]
+  and dropped_duplicated_thm_in_hyp_proof_is_hyp_proof by simp
+
+lemma thm_appended_to_hyp_proof_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2"
+  and "A \<in> lset \<S>\<^sub>1"
+  shows "is_hyp_proof \<H> \<S>\<^sub>1 (\<S>\<^sub>2 @ [A])"
+  using hyp_proofs_from_concatenation_is_hyp_proof[OF assms(1) single_thm_is_hyp_proof[OF assms(2)]]
+  and dropped_duplicated_thm_in_hyp_proof_is_hyp_proof by simp
+
+lemma rule_R'_app_appended_to_hyp_proof_is_hyp_proof:
+  assumes "is_hyp_proof \<H> \<S>' \<S>"
+  and "i\<^sub>C < length \<S>" and "\<S> ! i\<^sub>C = C"
+  and "i\<^sub>E < length \<S>" and "\<S> ! i\<^sub>E = E"
+  and "is_rule_R'_app \<H> p D C E"
+  shows "is_hyp_proof \<H> \<S>' (\<S> @ [D])"
+proof (standard, intro allI impI)
+  let ?\<S> = "\<S> @ [D]"
+  fix i'
+  assume "i' < length ?\<S>"
+  then consider (a) "i' < length \<S>" | (b) "i' = length \<S>"
+    by fastforce
+  then show "is_hyp_proof_step \<H> \<S>' (\<S> @ [D]) i'"
+  proof cases
+    case a
+    with assms(1) show ?thesis
+      using added_suffix_hyp_proof_preservation by auto
+  next
+    case b
+    let ?i\<^sub>D = "length \<S>"
+    from assms(2,4) have "i\<^sub>C < ?i\<^sub>D" and "i\<^sub>E < ?i\<^sub>D"
+      by fastforce+
+    with assms(3,5,6) have "is_rule_R'_app \<H> p (?\<S> ! ?i\<^sub>D) (?\<S> ! i\<^sub>C) (?\<S> ! i\<^sub>E)"
+      by (simp add: nth_append)
+    with assms(2,4) have "
+      \<exists>p j k. {j, k} \<subseteq> {0..<?i\<^sub>D} \<and> is_rule_R'_app \<H> p (?\<S> ! ?i\<^sub>D) (?\<S> ! j) (?\<S> ! k)"
+      by (intro exI)+ auto
+    then have "is_hyp_proof_step \<H> \<S>' ?\<S> (length ?\<S> - 1)"
+      by simp
+    moreover from b have "i' = length ?\<S> - 1"
+      by simp
+    ultimately show ?thesis
+      by fast
+  qed
+qed
+
+definition is_hyp_proof_of :: "form set \<Rightarrow> form list \<Rightarrow> form list \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_hyp_proof_of \<H> \<S>\<^sub>1 \<S>\<^sub>2 A \<longleftrightarrow>
+    is_hyps \<H> \<and>
+    is_proof \<S>\<^sub>1 \<and>
+    \<S>\<^sub>2 \<noteq> [] \<and>
+    is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2 \<and>
+    last \<S>\<^sub>2 = A"
+
+lemma hyp_proof_prefix_is_hyp_proof_of_last:
+  assumes "is_hyps \<H>"
+  and "is_proof \<S>''"
+  and "is_hyp_proof \<H> \<S>'' (\<S> @ \<S>')" and "\<S> \<noteq> []"
+  shows "is_hyp_proof_of \<H> \<S>'' \<S> (last \<S>)"
+  using assms and hyp_proof_prefix_is_hyp_proof by simp
+
+theorem hyp_derivability_implies_hyp_proof_existence:
+  assumes "\<H> \<turnstile> A"
+  shows "\<exists>\<S>\<^sub>1 \<S>\<^sub>2. is_hyp_proof_of \<H> \<S>\<^sub>1 \<S>\<^sub>2 A"
+using assms proof (induction rule: is_derivable_from_hyps.induct)
+  case (dv_hyp A)
+  from \<open>A \<in> \<H>\<close> have "is_hyp_proof \<H> [] [A]"
+    by (fact single_hyp_is_hyp_proof)
+  moreover have "last [A] = A"
+    by simp
+  moreover have "is_proof []"
+    by simp
+  ultimately show ?case
+    using \<open>is_hyps \<H>\<close> unfolding is_hyp_proof_of_def by (meson list.discI)
+next
+  case (dv_thm A)
+  then obtain \<S> where "is_proof \<S>" and "\<S> \<noteq> []" and "last \<S> = A"
+    by fastforce
+  then have "is_hyp_proof \<H> \<S> [A]"
+    using single_thm_is_hyp_proof by auto
+  with \<open>is_hyps \<H>\<close> and \<open>is_proof \<S>\<close> have "is_hyp_proof_of \<H> \<S> [A] A"
+    by fastforce
+  then show ?case
+    by (intro exI)
+next
+  case (dv_rule_R' C E p D)
+  from dv_rule_R'.IH obtain \<S>\<^sub>C and \<S>\<^sub>C' and \<S>\<^sub>E and \<S>\<^sub>E' where
+    "is_hyp_proof \<H> \<S>\<^sub>C' \<S>\<^sub>C" and "is_proof \<S>\<^sub>C'" and "\<S>\<^sub>C \<noteq> []" and "last \<S>\<^sub>C = C" and
+    "is_hyp_proof \<H> \<S>\<^sub>E' \<S>\<^sub>E" and "is_proof \<S>\<^sub>E'" and "\<S>\<^sub>E \<noteq> []" and "last \<S>\<^sub>E = E"
+    by auto
+  let ?i\<^sub>C = "length \<S>\<^sub>C - 1" and ?i\<^sub>E = "length \<S>\<^sub>C + length \<S>\<^sub>E - 1" and ?i\<^sub>D = "length \<S>\<^sub>C + length \<S>\<^sub>E"
+  let ?\<S> = "\<S>\<^sub>C @ \<S>\<^sub>E @ [D]"
+  from \<open>\<S>\<^sub>C \<noteq> []\<close> have "?i\<^sub>C < length (\<S>\<^sub>C @ \<S>\<^sub>E)" and "?i\<^sub>E < length (\<S>\<^sub>C @ \<S>\<^sub>E)"
+    using linorder_not_le by fastforce+
+  moreover have "(\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>C = C" and "(\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>E = E"
+    using \<open>\<S>\<^sub>C \<noteq> []\<close> and \<open>last \<S>\<^sub>C = C\<close> and \<open>\<S>\<^sub>E \<noteq> []\<close> and \<open>last \<S>\<^sub>E = E\<close>
+    by
+      (
+        simp add: last_conv_nth nth_append,
+        metis append_is_Nil_conv last_appendR last_conv_nth length_append
+      )
+  with \<open>is_rule_R'_app \<H> p D C E\<close> have "is_rule_R'_app \<H> p D ((\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>C) ((\<S>\<^sub>C @ \<S>\<^sub>E) ! ?i\<^sub>E)"
+    by fastforce
+  moreover from \<open>is_hyp_proof \<H> \<S>\<^sub>C' \<S>\<^sub>C\<close> and \<open>is_hyp_proof \<H> \<S>\<^sub>E' \<S>\<^sub>E\<close>
+  have "is_hyp_proof \<H> (\<S>\<^sub>C' @ \<S>\<^sub>E') (\<S>\<^sub>C @ \<S>\<^sub>E)"
+    by (fact hyp_proofs_from_concatenation_is_hyp_proof)
+  ultimately have "is_hyp_proof \<H> (\<S>\<^sub>C' @ \<S>\<^sub>E') ((\<S>\<^sub>C @ \<S>\<^sub>E) @ [D])"
+    using rule_R'_app_appended_to_hyp_proof_is_hyp_proof
+    by presburger
+  moreover from \<open>is_proof \<S>\<^sub>C'\<close> and \<open>is_proof \<S>\<^sub>E'\<close> have "is_proof (\<S>\<^sub>C' @ \<S>\<^sub>E')"
+    by (fact proofs_concatenation_is_proof)
+  ultimately have "is_hyp_proof_of \<H> (\<S>\<^sub>C' @ \<S>\<^sub>E') ((\<S>\<^sub>C @ \<S>\<^sub>E) @ [D]) D"
+    using \<open>is_hyps \<H>\<close> by fastforce
+  then show ?case
+    by (intro exI)
+qed
+
+theorem hyp_proof_existence_implies_hyp_derivability:
+  assumes "\<exists>\<S>\<^sub>1 \<S>\<^sub>2. is_hyp_proof_of \<H> \<S>\<^sub>1 \<S>\<^sub>2 A"
+  shows "\<H> \<turnstile> A"
+proof -
+  from assms obtain \<S>\<^sub>1 and \<S>\<^sub>2
+    where "is_hyps \<H>" and "is_proof \<S>\<^sub>1" and "\<S>\<^sub>2 \<noteq> []" and "is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2" and "last \<S>\<^sub>2 = A"
+    by fastforce
+  then show ?thesis
+  proof (induction "length \<S>\<^sub>2" arbitrary: \<S>\<^sub>2 A rule: less_induct)
+    case less
+    let ?i' = "length \<S>\<^sub>2 - 1"
+    from \<open>\<S>\<^sub>2 \<noteq> []\<close> and \<open>last \<S>\<^sub>2 = A\<close> have "\<S>\<^sub>2 ! ?i' = A"
+      by (simp add: last_conv_nth)
+    from \<open>is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2\<close> and \<open>\<S>\<^sub>2 \<noteq> []\<close> have "is_hyp_proof_step \<H> \<S>\<^sub>1 \<S>\<^sub>2 ?i'"
+      by simp
+    then consider
+      (hyp) "\<S>\<^sub>2 ! ?i' \<in> \<H>"
+    | (seq) "\<S>\<^sub>2 ! ?i' \<in> lset \<S>\<^sub>1"
+    | (rule_R') "\<exists>p j k. {j, k} \<subseteq> {0..<?i'} \<and> is_rule_R'_app \<H> p (\<S>\<^sub>2 ! ?i') (\<S>\<^sub>2 ! j) (\<S>\<^sub>2 ! k)"
+      by force
+    then show ?case
+    proof cases
+      case hyp
+      with \<open>\<S>\<^sub>2 ! ?i' = A\<close> and \<open>is_hyps \<H>\<close> show ?thesis
+        by (fastforce intro: dv_hyp)
+    next
+      case seq
+      from \<open>\<S>\<^sub>2 ! ?i' \<in> lset \<S>\<^sub>1\<close> and \<open>\<S>\<^sub>2 ! ?i' = A\<close>
+      obtain j where "\<S>\<^sub>1 ! j = A" and "\<S>\<^sub>1 \<noteq> []" and "j < length \<S>\<^sub>1"
+        by (metis empty_iff in_set_conv_nth list.set(1))
+      with \<open>is_proof \<S>\<^sub>1\<close> have "is_proof (take (Suc j) \<S>\<^sub>1)" and "take (Suc j) \<S>\<^sub>1 \<noteq> []"
+        using proof_prefix_is_proof[where \<S>\<^sub>1 = "take (Suc j) \<S>\<^sub>1" and \<S>\<^sub>2 = "drop (Suc j) \<S>\<^sub>1"]
+        by simp_all
+      moreover from \<open>\<S>\<^sub>1 ! j = A\<close> and \<open>j < length \<S>\<^sub>1\<close> have "last (take (Suc j) \<S>\<^sub>1) = A"
+        by (simp add: take_Suc_conv_app_nth)
+      ultimately have "is_proof_of (take (Suc j) \<S>\<^sub>1) A"
+        by fastforce
+      then have "is_theorem A"
+        using is_theorem_def by blast
+      with \<open>is_hyps \<H>\<close> show ?thesis
+        by (intro dv_thm)
+    next
+      case rule_R'
+      then obtain p and j and k
+        where "{j, k} \<subseteq> {0..<?i'}" and "is_rule_R'_app \<H> p (\<S>\<^sub>2 ! ?i') (\<S>\<^sub>2 ! j) (\<S>\<^sub>2 ! k)"
+        by force
+      let ?\<S>\<^sub>j = "take (Suc j) \<S>\<^sub>2" and ?\<S>\<^sub>k = "take (Suc k) \<S>\<^sub>2"
+      obtain \<S>\<^sub>j' and \<S>\<^sub>k' where "\<S>\<^sub>2 = ?\<S>\<^sub>j @ \<S>\<^sub>j'" and "\<S>\<^sub>2 = ?\<S>\<^sub>k @ \<S>\<^sub>k'"
+        by (metis append_take_drop_id)
+      then have "is_hyp_proof \<H> \<S>\<^sub>1 (?\<S>\<^sub>j @ \<S>\<^sub>j')" and "is_hyp_proof \<H> \<S>\<^sub>1 (?\<S>\<^sub>k @ \<S>\<^sub>k')"
+        by (simp_all only: \<open>is_hyp_proof \<H> \<S>\<^sub>1 \<S>\<^sub>2\<close>)
+      moreover from \<open>\<S>\<^sub>2 \<noteq> []\<close> and \<open>\<S>\<^sub>2 = ?\<S>\<^sub>j @ \<S>\<^sub>j'\<close> and \<open>\<S>\<^sub>2 = ?\<S>\<^sub>k @ \<S>\<^sub>k'\<close> and \<open>last \<S>\<^sub>2 = A\<close>
+      have "last \<S>\<^sub>j' = A" and "last \<S>\<^sub>k' = A"
+        using \<open>{j, k} \<subseteq> {0..<length \<S>\<^sub>2 - 1}\<close> and take_tl and less_le_not_le and append.right_neutral
+        by (metis atLeastLessThan_iff insert_subset last_appendR length_tl take_all_iff)+
+      moreover from \<open>\<S>\<^sub>2 \<noteq> []\<close> have "?\<S>\<^sub>j \<noteq> []" and "?\<S>\<^sub>k \<noteq> []"
+        by simp_all
+      ultimately have "is_hyp_proof_of \<H> \<S>\<^sub>1 ?\<S>\<^sub>j (last ?\<S>\<^sub>j)" and "is_hyp_proof_of \<H> \<S>\<^sub>1 ?\<S>\<^sub>k (last ?\<S>\<^sub>k)"
+        using hyp_proof_prefix_is_hyp_proof_of_last
+          [OF \<open>is_hyps \<H>\<close> \<open>is_proof \<S>\<^sub>1\<close> \<open>is_hyp_proof \<H> \<S>\<^sub>1 (?\<S>\<^sub>j @ \<S>\<^sub>j')\<close> \<open>?\<S>\<^sub>j \<noteq> []\<close>]
+        and hyp_proof_prefix_is_hyp_proof_of_last
+          [OF \<open>is_hyps \<H>\<close> \<open>is_proof \<S>\<^sub>1\<close> \<open>is_hyp_proof \<H> \<S>\<^sub>1 (?\<S>\<^sub>k @ \<S>\<^sub>k')\<close> \<open>?\<S>\<^sub>k \<noteq> []\<close>]
+        by fastforce+
+      moreover from \<open>last \<S>\<^sub>j' = A\<close> and \<open>last \<S>\<^sub>k' = A\<close>
+      have "length ?\<S>\<^sub>j < length \<S>\<^sub>2" and "length ?\<S>\<^sub>k < length \<S>\<^sub>2"
+        using \<open>{j, k} \<subseteq> {0..<length \<S>\<^sub>2 - 1}\<close> by force+
+      moreover from calculation(3,4) have "last ?\<S>\<^sub>j = \<S>\<^sub>2 ! j" and "last ?\<S>\<^sub>k = \<S>\<^sub>2 ! k"
+        by (metis Suc_lessD last_snoc linorder_not_le nat_neq_iff take_Suc_conv_app_nth take_all_iff)+
+      ultimately have "\<H> \<turnstile> \<S>\<^sub>2 ! j" and "\<H> \<turnstile> \<S>\<^sub>2 ! k"
+        using \<open>is_hyps \<H>\<close>
+        and less(1)[OF \<open>length ?\<S>\<^sub>j < length \<S>\<^sub>2\<close>] and less(1)[OF \<open>length ?\<S>\<^sub>k < length \<S>\<^sub>2\<close>]
+        by fast+
+      with \<open>is_hyps \<H>\<close> and \<open>\<S>\<^sub>2 ! ?i' = A\<close> show ?thesis
+        using \<open>is_rule_R'_app \<H> p (\<S>\<^sub>2 ! ?i') (\<S>\<^sub>2 ! j) (\<S>\<^sub>2 ! k)\<close> by (blast intro: dv_rule_R')
+    qed
+  qed
+qed
+
+theorem hypothetical_derivability_proof_existence_equivalence:
+  shows "\<H> \<turnstile> A \<longleftrightarrow> (\<exists>\<S>\<^sub>1 \<S>\<^sub>2. is_hyp_proof_of \<H> \<S>\<^sub>1 \<S>\<^sub>2 A)"
+  using hyp_derivability_implies_hyp_proof_existence and hyp_proof_existence_implies_hyp_derivability ..
+
+proposition derivability_from_no_hyps_theoremhood_equivalence:
+  shows "{} \<turnstile> A \<longleftrightarrow> is_theorem A"
+proof
+  assume "{} \<turnstile> A"
+  then show "is_theorem A"
+  proof (induction rule: is_derivable_from_hyps.induct)
+    case (dv_rule_R' C E p D)
+    from \<open>is_rule_R'_app {} p D C E\<close> have "is_rule_R_app p D C E"
+      by simp
+    moreover from \<open>is_theorem C\<close> and \<open>is_theorem E\<close> have "is_derivable C" and "is_derivable E"
+      using theoremhood_derivability_equivalence by (simp_all only:)
+    ultimately have "is_derivable D"
+      by (fastforce intro: dv_rule_R)
+    then show ?case
+      using theoremhood_derivability_equivalence by (simp only:)
+  qed simp
+next
+  assume "is_theorem A"
+  then show "{} \<turnstile> A"
+    by (blast intro: dv_thm)
+qed
+
+abbreviation is_derivable_from_no_hyps ("\<turnstile> _" [50] 50) where
+  "\<turnstile> A \<equiv> {} \<turnstile> A"
+
+corollary derivability_implies_hyp_derivability:
+  assumes "\<turnstile> A" and "is_hyps \<H>"
+  shows "\<H> \<turnstile> A"
+  using assms and derivability_from_no_hyps_theoremhood_equivalence and dv_thm by simp
+
+lemma axiom_is_derivable_from_no_hyps:
+  assumes "A \<in> axioms"
+  shows "\<turnstile> A"
+  using derivability_from_no_hyps_theoremhood_equivalence
+  and derivable_form_is_theorem[OF dv_axiom[OF assms]] by (simp only:)
+
+lemma axiom_is_derivable_from_hyps:
+  assumes "A \<in> axioms" and "is_hyps \<H>"
+  shows "\<H> \<turnstile> A"
+  using assms and axiom_is_derivable_from_no_hyps and derivability_implies_hyp_derivability by blast
+
+lemma rule_R [consumes 2, case_names occ_subform replacement]:
+  assumes "\<turnstile> C" and "\<turnstile> A =\<^bsub>\<alpha>\<^esub> B"
+  and "A \<preceq>\<^bsub>p\<^esub> C" and "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D"
+  shows "\<turnstile> D"
+proof -
+  from assms(1,2) have "is_derivable C" and "is_derivable (A =\<^bsub>\<alpha>\<^esub> B)"
+    using derivability_from_no_hyps_theoremhood_equivalence
+    and theoremhood_derivability_equivalence by blast+
+  moreover have "is_rule_R_app p D C (A =\<^bsub>\<alpha>\<^esub> B)"
+  proof -
+    from assms(1-4) have "D \<in> wffs\<^bsub>o\<^esub>" and "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+      by (meson hyp_derivable_form_is_wffso replacement_preserves_typing wffs_from_equality)+
+    with assms(3,4) show ?thesis
+      by fastforce
+  qed
+  ultimately have "is_derivable D"
+    by (rule dv_rule_R)
+  then show ?thesis
+    using derivability_from_no_hyps_theoremhood_equivalence and derivable_form_is_theorem by simp
+qed
+
+lemma rule_R' [consumes 2, case_names occ_subform replacement no_capture]:
+  assumes "\<H> \<turnstile> C" and "\<H> \<turnstile> A =\<^bsub>\<alpha>\<^esub> B"
+  and "A \<preceq>\<^bsub>p\<^esub> C" and "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D"
+  and "rule_R'_side_condition \<H> p D C (A =\<^bsub>\<alpha>\<^esub> B)"
+  shows "\<H> \<turnstile> D"
+using assms(1,2) proof (rule dv_rule_R')
+  from assms(1) show "is_hyps \<H>"
+    by (blast elim: is_derivable_from_hyps.cases)
+  moreover from assms(1-4) have "D \<in> wffs\<^bsub>o\<^esub>"
+    by (meson hyp_derivable_form_is_wffso replacement_preserves_typing wffs_from_equality)
+  ultimately show "is_rule_R'_app \<H> p D C (A =\<^bsub>\<alpha>\<^esub> B)"
+    using assms(2-5) and hyp_derivable_form_is_wffso and wffs_from_equality
+    unfolding is_rule_R_app_def and is_rule_R'_app_def by metis
+qed
+
+end
diff --git a/thys/Q0_Metatheory/Propositional_Wff.thy b/thys/Q0_Metatheory/Propositional_Wff.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Propositional_Wff.thy
@@ -0,0 +1,874 @@
+section \<open>Propositional Well-Formed Formulas\<close>
+
+theory Propositional_Wff
+  imports
+    Syntax
+    Boolean_Algebra
+begin
+
+subsection \<open>Syntax\<close>
+
+inductive_set pwffs :: "form set" where
+  T_pwff: "T\<^bsub>o\<^esub> \<in> pwffs"
+| F_pwff: "F\<^bsub>o\<^esub> \<in> pwffs"
+| var_pwff: "p\<^bsub>o\<^esub> \<in> pwffs"
+| neg_pwff: "\<sim>\<^sup>\<Q> A \<in> pwffs" if "A \<in> pwffs"
+| conj_pwff: "A \<and>\<^sup>\<Q> B \<in> pwffs" if "A \<in> pwffs" and "B \<in> pwffs"
+| disj_pwff: "A \<or>\<^sup>\<Q> B \<in> pwffs" if "A \<in> pwffs" and "B \<in> pwffs"
+| imp_pwff: "A \<supset>\<^sup>\<Q> B \<in> pwffs" if "A \<in> pwffs" and "B \<in> pwffs"
+| eqv_pwff: "A \<equiv>\<^sup>\<Q> B \<in> pwffs" if "A \<in> pwffs" and "B \<in> pwffs"
+
+lemmas [intro!] = pwffs.intros
+
+lemma pwffs_distinctnesses [induct_simp]:
+  shows "T\<^bsub>o\<^esub> \<noteq> F\<^bsub>o\<^esub>"
+  and "T\<^bsub>o\<^esub> \<noteq> p\<^bsub>o\<^esub>"
+  and "T\<^bsub>o\<^esub> \<noteq> \<sim>\<^sup>\<Q> A"
+  and "T\<^bsub>o\<^esub> \<noteq> A \<and>\<^sup>\<Q> B"
+  and "T\<^bsub>o\<^esub> \<noteq> A \<or>\<^sup>\<Q> B"
+  and "T\<^bsub>o\<^esub> \<noteq> A \<supset>\<^sup>\<Q> B"
+  and "T\<^bsub>o\<^esub> \<noteq> A \<equiv>\<^sup>\<Q> B"
+  and "F\<^bsub>o\<^esub> \<noteq> p\<^bsub>o\<^esub>"
+  and "F\<^bsub>o\<^esub> \<noteq> \<sim>\<^sup>\<Q> A"
+  and "F\<^bsub>o\<^esub> \<noteq> A \<and>\<^sup>\<Q> B"
+  and "F\<^bsub>o\<^esub> \<noteq> A \<or>\<^sup>\<Q> B"
+  and "F\<^bsub>o\<^esub> \<noteq> A \<supset>\<^sup>\<Q> B"
+  and "F\<^bsub>o\<^esub> \<noteq> A \<equiv>\<^sup>\<Q> B"
+  and "p\<^bsub>o\<^esub> \<noteq> \<sim>\<^sup>\<Q> A"
+  and "p\<^bsub>o\<^esub> \<noteq> A \<and>\<^sup>\<Q> B"
+  and "p\<^bsub>o\<^esub> \<noteq> A \<or>\<^sup>\<Q> B"
+  and "p\<^bsub>o\<^esub> \<noteq> A \<supset>\<^sup>\<Q> B"
+  and "p\<^bsub>o\<^esub> \<noteq> A \<equiv>\<^sup>\<Q> B"
+  and "\<sim>\<^sup>\<Q> A \<noteq> B \<and>\<^sup>\<Q> C"
+  and "\<sim>\<^sup>\<Q> A \<noteq> B \<or>\<^sup>\<Q> C"
+  and "\<sim>\<^sup>\<Q> A \<noteq> B \<supset>\<^sup>\<Q> C"
+  and "\<not> (B = F\<^bsub>o\<^esub> \<and> A = C) \<Longrightarrow> \<sim>\<^sup>\<Q> A \<noteq> B \<equiv>\<^sup>\<Q> C" \<comment> \<open>\<^term>\<open>\<sim>\<^sup>\<Q> A\<close> is the same as \<^term>\<open>F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> A\<close>\<close>
+  and "A \<and>\<^sup>\<Q> B \<noteq> C \<or>\<^sup>\<Q> D"
+  and "A \<and>\<^sup>\<Q> B \<noteq> C \<supset>\<^sup>\<Q> D"
+  and "A \<and>\<^sup>\<Q> B \<noteq> C \<equiv>\<^sup>\<Q> D"
+  and "A \<or>\<^sup>\<Q> B \<noteq> C \<supset>\<^sup>\<Q> D"
+  and "A \<or>\<^sup>\<Q> B \<noteq> C \<equiv>\<^sup>\<Q> D"
+  and "A \<supset>\<^sup>\<Q> B \<noteq> C \<equiv>\<^sup>\<Q> D"
+  by simp_all
+
+lemma pwffs_injectivities [induct_simp]:
+  shows "\<sim>\<^sup>\<Q> A = \<sim>\<^sup>\<Q> A' \<Longrightarrow> A = A'"
+  and "A \<and>\<^sup>\<Q> B = A' \<and>\<^sup>\<Q> B' \<Longrightarrow> A = A' \<and> B = B'"
+  and "A \<or>\<^sup>\<Q> B = A' \<or>\<^sup>\<Q> B' \<Longrightarrow> A = A' \<and> B = B'"
+  and "A \<supset>\<^sup>\<Q> B = A' \<supset>\<^sup>\<Q> B' \<Longrightarrow> A = A' \<and> B = B'"
+  and "A \<equiv>\<^sup>\<Q> B = A' \<equiv>\<^sup>\<Q> B' \<Longrightarrow> A = A' \<and> B = B'"
+  by simp_all
+
+lemma pwff_from_neg_pwff [elim!]:
+  assumes "\<sim>\<^sup>\<Q> A \<in> pwffs"
+  shows "A \<in> pwffs"
+  using assms by cases simp_all
+
+lemma pwffs_from_conj_pwff [elim!]:
+  assumes "A \<and>\<^sup>\<Q> B \<in> pwffs"
+  shows "{A, B} \<subseteq> pwffs"
+  using assms by cases simp_all
+
+lemma pwffs_from_disj_pwff [elim!]:
+  assumes "A \<or>\<^sup>\<Q> B \<in> pwffs"
+  shows "{A, B} \<subseteq> pwffs"
+  using assms by cases simp_all
+
+lemma pwffs_from_imp_pwff [elim!]:
+  assumes "A \<supset>\<^sup>\<Q> B \<in> pwffs"
+  shows "{A, B} \<subseteq> pwffs"
+  using assms by cases simp_all
+
+lemma pwffs_from_eqv_pwff [elim!]:
+  assumes "A \<equiv>\<^sup>\<Q> B \<in> pwffs"
+  shows "{A, B} \<subseteq> pwffs"
+  using assms by cases (simp_all, use F_pwff in fastforce)
+
+lemma pwffs_subset_of_wffso:
+  shows "pwffs \<subseteq> wffs\<^bsub>o\<^esub>"
+proof
+  fix A
+  assume "A \<in> pwffs"
+  then show "A \<in> wffs\<^bsub>o\<^esub>"
+    by induction auto
+qed
+
+lemma pwff_free_vars_simps [simp]:
+  shows T_fv: "free_vars T\<^bsub>o\<^esub> = {}"
+  and F_fv: "free_vars F\<^bsub>o\<^esub> = {}"
+  and var_fv: "free_vars (p\<^bsub>o\<^esub>) = {(p, o)}"
+  and neg_fv: "free_vars (\<sim>\<^sup>\<Q> A) = free_vars A"
+  and conj_fv: "free_vars (A \<and>\<^sup>\<Q> B) = free_vars A \<union> free_vars B"
+  and disj_fv: "free_vars (A \<or>\<^sup>\<Q> B) = free_vars A \<union> free_vars B"
+  and imp_fv: "free_vars (A \<supset>\<^sup>\<Q> B) = free_vars A \<union> free_vars B"
+  and eqv_fv: "free_vars (A \<equiv>\<^sup>\<Q> B) = free_vars A \<union> free_vars B"
+  by force+
+
+lemma pwffs_free_vars_are_propositional:
+  assumes "A \<in> pwffs"
+  and "v \<in> free_vars A"
+  obtains p where "v = (p, o)"
+using assms by (induction A arbitrary: thesis) auto
+
+lemma is_free_for_in_pwff [intro]:
+  assumes "A \<in> pwffs"
+  and "v \<in> free_vars A"
+  shows "is_free_for B v A"
+using assms proof (induction A)
+  case (neg_pwff C)
+  then show ?case
+    using is_free_for_in_neg by simp
+next
+  case (conj_pwff C D)
+  from conj_pwff.prems consider
+    (a) "v \<in> free_vars C" and "v \<in> free_vars D"
+  | (b) "v \<in> free_vars C" and "v \<notin> free_vars D"
+  | (c) "v \<notin> free_vars C" and "v \<in> free_vars D"
+    by auto
+  then show ?case
+  proof cases
+    case a
+    then show ?thesis
+      using conj_pwff.IH by (intro is_free_for_in_conj)
+  next
+    case b
+    have "is_free_for B v C"
+      by (fact conj_pwff.IH(1)[OF b(1)])
+    moreover from b(2) have "is_free_for B v D"
+      using is_free_at_in_free_vars by blast
+    ultimately show ?thesis
+      by (rule is_free_for_in_conj)
+  next
+    case c
+    from c(1) have "is_free_for B v C"
+      using is_free_at_in_free_vars by blast
+    moreover have "is_free_for B v D"
+      by (fact conj_pwff.IH(2)[OF c(2)])
+    ultimately show ?thesis
+      by (rule is_free_for_in_conj)
+  qed
+next
+  case (disj_pwff C D)
+  from disj_pwff.prems consider
+    (a) "v \<in> free_vars C" and "v \<in> free_vars D"
+  | (b) "v \<in> free_vars C" and "v \<notin> free_vars D"
+  | (c) "v \<notin> free_vars C" and "v \<in> free_vars D"
+    by auto
+  then show ?case
+  proof cases
+    case a
+    then show ?thesis
+      using disj_pwff.IH by (intro is_free_for_in_disj)
+  next
+    case b
+    have "is_free_for B v C"
+      by (fact disj_pwff.IH(1)[OF b(1)])
+    moreover from b(2) have "is_free_for B v D"
+      using is_free_at_in_free_vars by blast
+    ultimately show ?thesis
+      by (rule is_free_for_in_disj)
+  next
+    case c
+    from c(1) have "is_free_for B v C"
+      using is_free_at_in_free_vars by blast
+    moreover have "is_free_for B v D"
+      by (fact disj_pwff.IH(2)[OF c(2)])
+    ultimately show ?thesis
+      by (rule is_free_for_in_disj)
+  qed
+next
+  case (imp_pwff C D)
+  from imp_pwff.prems consider
+    (a) "v \<in> free_vars C" and "v \<in> free_vars D"
+  | (b) "v \<in> free_vars C" and "v \<notin> free_vars D"
+  | (c) "v \<notin> free_vars C" and "v \<in> free_vars D"
+    by auto
+  then show ?case
+  proof cases
+    case a
+    then show ?thesis
+      using imp_pwff.IH by (intro is_free_for_in_imp)
+  next
+    case b
+    have "is_free_for B v C"
+      by (fact imp_pwff.IH(1)[OF b(1)])
+    moreover from b(2) have "is_free_for B v D"
+      using is_free_at_in_free_vars by blast
+    ultimately show ?thesis
+      by (rule is_free_for_in_imp)
+  next
+    case c
+    from c(1) have "is_free_for B v C"
+      using is_free_at_in_free_vars by blast
+    moreover have "is_free_for B v D"
+      by (fact imp_pwff.IH(2)[OF c(2)])
+    ultimately show ?thesis
+      by (rule is_free_for_in_imp)
+  qed
+next
+  case (eqv_pwff C D)
+  from eqv_pwff.prems consider
+    (a) "v \<in> free_vars C" and "v \<in> free_vars D"
+  | (b) "v \<in> free_vars C" and "v \<notin> free_vars D"
+  | (c) "v \<notin> free_vars C" and "v \<in> free_vars D"
+    by auto
+  then show ?case
+  proof cases
+    case a
+    then show ?thesis
+      using eqv_pwff.IH by (intro is_free_for_in_equivalence)
+  next
+    case b
+    have "is_free_for B v C"
+      by (fact eqv_pwff.IH(1)[OF b(1)])
+    moreover from b(2) have "is_free_for B v D"
+      using is_free_at_in_free_vars by blast
+    ultimately show ?thesis
+      by (rule is_free_for_in_equivalence)
+  next
+    case c
+    from c(1) have "is_free_for B v C"
+      using is_free_at_in_free_vars by blast
+    moreover have "is_free_for B v D"
+      by (fact eqv_pwff.IH(2)[OF c(2)])
+    ultimately show ?thesis
+      by (rule is_free_for_in_equivalence)
+  qed
+qed auto
+
+subsection \<open>Semantics\<close>
+
+text \<open>Assignment of truth values to propositional variables:\<close>
+
+definition is_tv_assignment :: "(nat \<Rightarrow> V) \<Rightarrow> bool" where
+  [iff]: "is_tv_assignment \<phi> \<longleftrightarrow> (\<forall>p. \<phi> p \<in> elts \<bool>)"
+
+text \<open>Denotation of a pwff:\<close>
+
+definition is_pwff_denotation_function where
+  [iff]: "is_pwff_denotation_function \<V> \<longleftrightarrow>
+    (
+      \<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow>
+      (
+        \<V> \<phi> T\<^bsub>o\<^esub> = \<^bold>T \<and>
+        \<V> \<phi> F\<^bsub>o\<^esub> = \<^bold>F \<and>
+        (\<forall>p. \<V> \<phi> (p\<^bsub>o\<^esub>) = \<phi> p) \<and>
+        (\<forall>A. A \<in> pwffs \<longrightarrow> \<V> \<phi> (\<sim>\<^sup>\<Q> A) = \<sim> \<V> \<phi> A) \<and>
+        (\<forall>A B. A \<in> pwffs \<and> B \<in> pwffs \<longrightarrow> \<V> \<phi> (A \<and>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<and> \<V> \<phi> B) \<and>
+        (\<forall>A B. A \<in> pwffs \<and> B \<in> pwffs \<longrightarrow> \<V> \<phi> (A \<or>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<or> \<V> \<phi> B) \<and>
+        (\<forall>A B. A \<in> pwffs \<and> B \<in> pwffs \<longrightarrow> \<V> \<phi> (A \<supset>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<supset> \<V> \<phi> B) \<and>
+        (\<forall>A B. A \<in> pwffs \<and> B \<in> pwffs \<longrightarrow> \<V> \<phi> (A \<equiv>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<equiv> \<V> \<phi> B)
+      )
+    )"
+
+lemma pwff_denotation_is_truth_value:
+  assumes "A \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  and "is_pwff_denotation_function \<V>"
+  shows "\<V> \<phi> A \<in> elts \<bool>"
+using assms(1) proof induction
+  case (neg_pwff A)
+  then have "\<V> \<phi> (\<sim>\<^sup>\<Q> A) = \<sim> \<V> \<phi> A"
+    using assms(2,3) by auto
+  then show ?case
+    using neg_pwff.IH by auto
+next
+  case (conj_pwff A B)
+  then have "\<V> \<phi> (A \<and>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<and> \<V> \<phi> B"
+    using assms(2,3) by auto
+  then show ?case
+    using conj_pwff.IH by auto
+next
+  case (disj_pwff A B)
+  then have "\<V> \<phi> (A \<or>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<or> \<V> \<phi> B"
+    using assms(2,3) by auto
+  then show ?case
+    using disj_pwff.IH by auto
+next
+  case (imp_pwff A B)
+  then have "\<V> \<phi> (A \<supset>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<supset> \<V> \<phi> B"
+    using assms(2,3) by blast
+  then show ?case
+    using imp_pwff.IH by auto
+next
+  case (eqv_pwff A B)
+  then have "\<V> \<phi> (A \<equiv>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<equiv> \<V> \<phi> B"
+    using assms(2,3) by blast
+  then show ?case
+    using eqv_pwff.IH by auto
+qed (use assms(2,3) in auto)
+
+lemma closed_pwff_is_meaningful_regardless_of_assignment:
+  assumes "A \<in> pwffs"
+  and "free_vars A = {}"
+  and "is_tv_assignment \<phi>"
+  and "is_tv_assignment \<psi>"
+  and "is_pwff_denotation_function \<V>"
+  shows "\<V> \<phi> A = \<V> \<psi> A"
+using assms(1,2) proof induction
+  case T_pwff
+  have "\<V> \<phi> T\<^bsub>o\<^esub> = \<^bold>T"
+    using assms(3,5) by blast
+  also have "\<dots> = \<V> \<psi> T\<^bsub>o\<^esub>"
+    using assms(4,5) by force
+  finally show ?case .
+next
+  case F_pwff
+  have "\<V> \<phi> F\<^bsub>o\<^esub> = \<^bold>F"
+    using assms(3,5) by blast
+  also have "\<dots> = \<V> \<psi> F\<^bsub>o\<^esub>"
+    using assms(4,5) by force
+  finally show ?case .
+next
+  case (var_pwff p) \<comment> \<open>impossible case\<close>
+  then show ?case
+    by simp
+next
+  case (neg_pwff A)
+  from \<open>free_vars (\<sim>\<^sup>\<Q> A) = {}\<close> have "free_vars A = {}"
+    by simp
+  have "\<V> \<phi> (\<sim>\<^sup>\<Q> A) = \<sim> \<V> \<phi> A"
+    using assms(3,5) and neg_pwff.hyps by auto
+  also from \<open>free_vars A = {}\<close> have "\<dots> = \<sim> \<V> \<psi> A"
+    using assms(3-5) and neg_pwff.IH by presburger
+  also have "\<dots> = \<V> \<psi> (\<sim>\<^sup>\<Q> A)"
+    using assms(4,5) and neg_pwff.hyps by simp
+  finally show ?case .
+next
+  case (conj_pwff A B)
+  from \<open>free_vars (A \<and>\<^sup>\<Q> B) = {}\<close> have "free_vars A = {}" and "free_vars B = {}"
+    by simp_all
+  have "\<V> \<phi> (A \<and>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<and> \<V> \<phi> B"
+    using assms(3,5) and conj_pwff.hyps(1,2) by auto
+  also from \<open>free_vars A = {}\<close> and \<open>free_vars B = {}\<close> have "\<dots> = \<V> \<psi> A \<^bold>\<and> \<V> \<psi> B"
+    using conj_pwff.IH(1,2) by presburger
+  also have "\<dots> = \<V> \<psi> (A \<and>\<^sup>\<Q> B)"
+    using assms(4,5) and conj_pwff.hyps(1,2) by fastforce
+  finally show ?case .
+next
+  case (disj_pwff A B)
+  from \<open>free_vars (A \<or>\<^sup>\<Q> B) = {}\<close> have "free_vars A = {}" and "free_vars B = {}"
+    by simp_all
+  have "\<V> \<phi> (A \<or>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<or> \<V> \<phi> B"
+    using assms(3,5) and disj_pwff.hyps(1,2) by auto
+  also from \<open>free_vars A = {}\<close> and \<open>free_vars B = {}\<close> have "\<dots> = \<V> \<psi> A \<^bold>\<or> \<V> \<psi> B"
+    using disj_pwff.IH(1,2) by presburger
+  also have "\<dots> = \<V> \<psi> (A \<or>\<^sup>\<Q> B)"
+    using assms(4,5) and disj_pwff.hyps(1,2) by fastforce
+  finally show ?case .
+next
+  case (imp_pwff A B)
+  from \<open>free_vars (A \<supset>\<^sup>\<Q> B) = {}\<close> have "free_vars A = {}" and "free_vars B = {}"
+    by simp_all
+  have "\<V> \<phi> (A \<supset>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<supset> \<V> \<phi> B"
+    using assms(3,5) and imp_pwff.hyps(1,2) by auto
+  also from \<open>free_vars A = {}\<close> and \<open>free_vars B = {}\<close> have "\<dots> = \<V> \<psi> A \<^bold>\<supset> \<V> \<psi> B"
+    using imp_pwff.IH(1,2) by presburger
+  also have "\<dots> = \<V> \<psi> (A \<supset>\<^sup>\<Q> B)"
+    using assms(4,5) and imp_pwff.hyps(1,2) by fastforce
+  finally show ?case .
+next
+  case (eqv_pwff A B)
+  from \<open>free_vars (A \<equiv>\<^sup>\<Q> B) = {}\<close> have "free_vars A = {}" and "free_vars B = {}"
+    by simp_all
+  have "\<V> \<phi> (A \<equiv>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<equiv> \<V> \<phi> B"
+    using assms(3,5) and eqv_pwff.hyps(1,2) by auto
+  also from \<open>free_vars A = {}\<close> and \<open>free_vars B = {}\<close> have "\<dots> = \<V> \<psi> A \<^bold>\<equiv> \<V> \<psi> B"
+    using eqv_pwff.IH(1,2) by presburger
+  also have "\<dots> = \<V> \<psi> (A \<equiv>\<^sup>\<Q> B)"
+    using assms(4,5) and eqv_pwff.hyps(1,2) by fastforce
+  finally show ?case .
+qed
+
+inductive \<V>\<^sub>B_graph for \<phi> where
+  \<V>\<^sub>B_graph_T: "\<V>\<^sub>B_graph \<phi> T\<^bsub>o\<^esub> \<^bold>T"
+| \<V>\<^sub>B_graph_F: "\<V>\<^sub>B_graph \<phi> F\<^bsub>o\<^esub> \<^bold>F"
+| \<V>\<^sub>B_graph_var: "\<V>\<^sub>B_graph \<phi> (p\<^bsub>o\<^esub>) (\<phi> p)"
+| \<V>\<^sub>B_graph_neg: "\<V>\<^sub>B_graph \<phi> (\<sim>\<^sup>\<Q> A) (\<sim> b\<^sub>A)" if "\<V>\<^sub>B_graph \<phi> A b\<^sub>A"
+| \<V>\<^sub>B_graph_conj: "\<V>\<^sub>B_graph \<phi> (A \<and>\<^sup>\<Q> B) (b\<^sub>A \<^bold>\<and> b\<^sub>B)" if "\<V>\<^sub>B_graph \<phi> A b\<^sub>A" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B"
+| \<V>\<^sub>B_graph_disj: "\<V>\<^sub>B_graph \<phi> (A \<or>\<^sup>\<Q> B) (b\<^sub>A \<^bold>\<or> b\<^sub>B)" if "\<V>\<^sub>B_graph \<phi> A b\<^sub>A" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B"
+| \<V>\<^sub>B_graph_imp: "\<V>\<^sub>B_graph \<phi> (A \<supset>\<^sup>\<Q> B) (b\<^sub>A \<^bold>\<supset> b\<^sub>B)" if "\<V>\<^sub>B_graph \<phi> A b\<^sub>A" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B"
+| \<V>\<^sub>B_graph_eqv: "\<V>\<^sub>B_graph \<phi> (A \<equiv>\<^sup>\<Q> B) (b\<^sub>A \<^bold>\<equiv> b\<^sub>B)" if "\<V>\<^sub>B_graph \<phi> A b\<^sub>A" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B" and "A \<noteq> F\<^bsub>o\<^esub>"
+
+lemmas [intro!] = \<V>\<^sub>B_graph.intros
+
+lemma \<V>\<^sub>B_graph_denotation_is_truth_value [elim!]:
+  assumes "\<V>\<^sub>B_graph \<phi> A b"
+  and "is_tv_assignment \<phi>"
+  shows "b \<in> elts \<bool>"
+using assms proof induction
+  case (\<V>\<^sub>B_graph_neg A b\<^sub>A)
+  show ?case
+    using \<V>\<^sub>B_graph_neg.IH[OF assms(2)] by force
+next
+  case (\<V>\<^sub>B_graph_conj A b\<^sub>A B b\<^sub>B)
+  then show ?case
+    using \<V>\<^sub>B_graph_conj.IH and assms(2) by force
+next
+  case (\<V>\<^sub>B_graph_disj A b\<^sub>A B b\<^sub>B)
+  then show ?case
+    using \<V>\<^sub>B_graph_disj.IH and assms(2) by force
+next
+  case (\<V>\<^sub>B_graph_imp A b\<^sub>A B b\<^sub>B)
+  then show ?case
+    using \<V>\<^sub>B_graph_imp.IH and assms(2) by force
+next
+  case (\<V>\<^sub>B_graph_eqv A b\<^sub>A B b\<^sub>B)
+  then show ?case
+    using \<V>\<^sub>B_graph_eqv.IH and assms(2) by force
+qed simp_all
+
+lemma \<V>\<^sub>B_graph_denotation_uniqueness:
+  assumes "A \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  and "\<V>\<^sub>B_graph \<phi> A b" and "\<V>\<^sub>B_graph \<phi> A b'"
+  shows "b = b'"
+using assms(3,1,4) proof (induction arbitrary: b')
+  case \<V>\<^sub>B_graph_T
+  from \<open>\<V>\<^sub>B_graph \<phi> T\<^bsub>o\<^esub> b'\<close> show ?case
+    by (cases rule: \<V>\<^sub>B_graph.cases) simp_all
+next
+  case \<V>\<^sub>B_graph_F
+  from \<open>\<V>\<^sub>B_graph \<phi> F\<^bsub>o\<^esub> b'\<close> show ?case
+    by (cases rule: \<V>\<^sub>B_graph.cases) simp_all
+next
+  case (\<V>\<^sub>B_graph_var p)
+  from \<open>\<V>\<^sub>B_graph \<phi> (p\<^bsub>o\<^esub>) b'\<close> show ?case
+    by (cases rule: \<V>\<^sub>B_graph.cases) simp_all
+next
+  case (\<V>\<^sub>B_graph_neg A b\<^sub>A)
+  with \<open>\<V>\<^sub>B_graph \<phi> (\<sim>\<^sup>\<Q> A) b'\<close> have "\<V>\<^sub>B_graph \<phi> A (\<sim> b')"
+  proof (cases rule: \<V>\<^sub>B_graph.cases)
+    case (\<V>\<^sub>B_graph_neg A' b\<^sub>A)
+    from \<open>\<sim>\<^sup>\<Q> A = \<sim>\<^sup>\<Q> A'\<close> have "A = A'"
+      by simp
+    with \<open>\<V>\<^sub>B_graph \<phi> A' b\<^sub>A\<close> have "\<V>\<^sub>B_graph \<phi> A b\<^sub>A"
+      by simp
+    moreover have "b\<^sub>A = \<sim> b'"
+    proof -
+      have "b\<^sub>A \<in> elts \<bool>"
+        by (fact \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<V>\<^sub>B_graph_neg(3) assms(2)])
+      moreover from \<open>b\<^sub>A \<in> elts \<bool>\<close> and \<V>\<^sub>B_graph_neg(2) have "\<sim> b' \<in> elts \<bool>"
+        by fastforce
+      ultimately show ?thesis
+        using \<V>\<^sub>B_graph_neg(2) by fastforce
+    qed
+    ultimately show ?thesis
+      by blast
+  qed simp_all
+  moreover from \<V>\<^sub>B_graph_neg.prems(1) have "A \<in> pwffs"
+    by (force elim: pwffs.cases)
+  moreover have "b\<^sub>A \<in> elts \<bool>" and "b' \<in> elts \<bool>" and "b\<^sub>A = \<sim> b'"
+  proof -
+    show "b\<^sub>A \<in> elts \<bool>"
+      by (fact \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<open>\<V>\<^sub>B_graph \<phi> A b\<^sub>A\<close> assms(2)])
+    show "b' \<in> elts \<bool>"
+      by (fact \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<open>\<V>\<^sub>B_graph \<phi> (\<sim>\<^sup>\<Q> A) b'\<close> assms(2)])
+    show "b\<^sub>A = \<sim> b'"
+      by (fact \<V>\<^sub>B_graph_neg(2)[OF \<open>A \<in> pwffs\<close> \<open>\<V>\<^sub>B_graph \<phi> A (\<sim> b')\<close>])
+  qed
+  ultimately show ?case
+    by force
+next
+  case (\<V>\<^sub>B_graph_conj A b\<^sub>A B b\<^sub>B)
+  with \<open>\<V>\<^sub>B_graph \<phi> (A \<and>\<^sup>\<Q> B) b'\<close> obtain b\<^sub>A' and b\<^sub>B'
+    where "b' = b\<^sub>A' \<^bold>\<and> b\<^sub>B'" and "\<V>\<^sub>B_graph \<phi> A b\<^sub>A'" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B'"
+    by (cases rule: \<V>\<^sub>B_graph.cases) simp_all
+  moreover have "A \<in> pwffs" and "B \<in> pwffs"
+    using pwffs_from_conj_pwff[OF \<V>\<^sub>B_graph_conj.prems(1)] by blast+
+  ultimately show ?case
+    using \<V>\<^sub>B_graph_conj.IH and \<V>\<^sub>B_graph_conj.prems(2) by blast
+next
+  case (\<V>\<^sub>B_graph_disj A b\<^sub>A B b\<^sub>B)
+  from \<open>\<V>\<^sub>B_graph \<phi> (A \<or>\<^sup>\<Q> B) b'\<close> obtain b\<^sub>A' and b\<^sub>B'
+    where "b' = b\<^sub>A' \<^bold>\<or> b\<^sub>B'" and "\<V>\<^sub>B_graph \<phi> A b\<^sub>A'" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B'"
+    by (cases rule: \<V>\<^sub>B_graph.cases) simp_all
+  moreover have "A \<in> pwffs" and "B \<in> pwffs"
+    using pwffs_from_disj_pwff[OF \<V>\<^sub>B_graph_disj.prems(1)] by blast+
+  ultimately show ?case
+    using \<V>\<^sub>B_graph_disj.IH and \<V>\<^sub>B_graph_disj.prems(2) by blast
+next
+  case (\<V>\<^sub>B_graph_imp A b\<^sub>A B b\<^sub>B)
+  from \<open>\<V>\<^sub>B_graph \<phi> (A \<supset>\<^sup>\<Q> B) b'\<close> obtain b\<^sub>A' and b\<^sub>B'
+    where "b' = b\<^sub>A' \<^bold>\<supset> b\<^sub>B'" and "\<V>\<^sub>B_graph \<phi> A b\<^sub>A'" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B'"
+    by (cases rule: \<V>\<^sub>B_graph.cases) simp_all
+  moreover have "A \<in> pwffs" and "B \<in> pwffs"
+    using pwffs_from_imp_pwff[OF \<V>\<^sub>B_graph_imp.prems(1)] by blast+
+  ultimately show ?case
+    using \<V>\<^sub>B_graph_imp.IH and \<V>\<^sub>B_graph_imp.prems(2) by blast
+next
+  case (\<V>\<^sub>B_graph_eqv A b\<^sub>A B b\<^sub>B)
+  with \<open>\<V>\<^sub>B_graph \<phi> (A \<equiv>\<^sup>\<Q> B) b'\<close> obtain b\<^sub>A' and b\<^sub>B'
+    where "b' = b\<^sub>A' \<^bold>\<equiv> b\<^sub>B'" and "\<V>\<^sub>B_graph \<phi> A b\<^sub>A'" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B'"
+    by (cases rule: \<V>\<^sub>B_graph.cases) simp_all
+  moreover have "A \<in> pwffs" and "B \<in> pwffs"
+    using pwffs_from_eqv_pwff[OF \<V>\<^sub>B_graph_eqv.prems(1)] by blast+
+  ultimately show ?case
+    using \<V>\<^sub>B_graph_eqv.IH and \<V>\<^sub>B_graph_eqv.prems(2) by blast
+qed
+
+lemma \<V>\<^sub>B_graph_denotation_existence:
+  assumes "A \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<exists>b. \<V>\<^sub>B_graph \<phi> A b"
+using assms proof induction
+  case (eqv_pwff A B)
+  then obtain b\<^sub>A and b\<^sub>B where "\<V>\<^sub>B_graph \<phi> A b\<^sub>A" and "\<V>\<^sub>B_graph \<phi> B b\<^sub>B"
+    by blast
+  then show ?case
+  proof (cases "A \<noteq> F\<^bsub>o\<^esub>")
+    case True
+    then show ?thesis
+      using eqv_pwff.IH and eqv_pwff.prems by blast
+  next
+    case False
+    then have "A = F\<^bsub>o\<^esub>"
+      by blast
+    then show ?thesis
+      using \<V>\<^sub>B_graph_neg[OF \<open>\<V>\<^sub>B_graph \<phi> B b\<^sub>B\<close>] by auto
+  qed
+qed blast+
+
+lemma \<V>\<^sub>B_graph_is_functional:
+  assumes "A \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<exists>!b. \<V>\<^sub>B_graph \<phi> A b"
+  using assms and \<V>\<^sub>B_graph_denotation_existence and \<V>\<^sub>B_graph_denotation_uniqueness by blast
+
+definition \<V>\<^sub>B :: "(nat \<Rightarrow> V) \<Rightarrow> form \<Rightarrow> V" where
+  [simp]: "\<V>\<^sub>B \<phi> A = (THE b. \<V>\<^sub>B_graph \<phi> A b)"
+
+lemma \<V>\<^sub>B_equality:
+  assumes "A \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  and "\<V>\<^sub>B_graph \<phi> A b"
+  shows "\<V>\<^sub>B \<phi> A = b"
+  unfolding \<V>\<^sub>B_def using assms using \<V>\<^sub>B_graph_denotation_uniqueness by blast
+
+lemma \<V>\<^sub>B_graph_\<V>\<^sub>B:
+  assumes "A \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B_graph \<phi> A (\<V>\<^sub>B \<phi> A)"
+  using \<V>\<^sub>B_equality[OF assms] and \<V>\<^sub>B_graph_is_functional[OF assms] by blast
+
+named_theorems \<V>\<^sub>B_simps
+
+lemma \<V>\<^sub>B_T [\<V>\<^sub>B_simps]:
+  assumes "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> T\<^bsub>o\<^esub> = \<^bold>T"
+  by (rule \<V>\<^sub>B_equality[OF T_pwff assms], intro \<V>\<^sub>B_graph_T)
+
+lemma \<V>\<^sub>B_F [\<V>\<^sub>B_simps]:
+  assumes "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> F\<^bsub>o\<^esub> = \<^bold>F"
+  by (rule \<V>\<^sub>B_equality[OF F_pwff assms], intro \<V>\<^sub>B_graph_F)
+
+lemma \<V>\<^sub>B_var [\<V>\<^sub>B_simps]:
+  assumes "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> (p\<^bsub>o\<^esub>) = \<phi> p"
+  by (rule \<V>\<^sub>B_equality[OF var_pwff assms], intro \<V>\<^sub>B_graph_var)
+
+lemma \<V>\<^sub>B_neg [\<V>\<^sub>B_simps]:
+  assumes "A \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> (\<sim>\<^sup>\<Q> A) = \<sim> \<V>\<^sub>B \<phi> A"
+  by (rule \<V>\<^sub>B_equality[OF neg_pwff[OF assms(1)] assms(2)], intro \<V>\<^sub>B_graph_neg \<V>\<^sub>B_graph_\<V>\<^sub>B[OF assms])
+
+lemma \<V>\<^sub>B_disj [\<V>\<^sub>B_simps]:
+  assumes "A \<in> pwffs" and "B \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> (A \<or>\<^sup>\<Q> B) = \<V>\<^sub>B \<phi> A \<^bold>\<or> \<V>\<^sub>B \<phi> B"
+proof -
+  from assms(1,3) have "\<V>\<^sub>B_graph \<phi> A (\<V>\<^sub>B \<phi> A)"
+    by (intro \<V>\<^sub>B_graph_\<V>\<^sub>B)
+  moreover from assms(2,3) have "\<V>\<^sub>B_graph \<phi> B (\<V>\<^sub>B \<phi> B)"
+    by (intro \<V>\<^sub>B_graph_\<V>\<^sub>B)
+  ultimately have "\<V>\<^sub>B_graph \<phi> (A \<or>\<^sup>\<Q> B) (\<V>\<^sub>B \<phi> A \<^bold>\<or> \<V>\<^sub>B \<phi> B)"
+    by (intro \<V>\<^sub>B_graph_disj)
+  with assms show ?thesis
+    using disj_pwff by (intro \<V>\<^sub>B_equality)
+qed
+
+lemma \<V>\<^sub>B_conj [\<V>\<^sub>B_simps]:
+  assumes "A \<in> pwffs" and "B \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> (A \<and>\<^sup>\<Q> B) = \<V>\<^sub>B \<phi> A \<^bold>\<and> \<V>\<^sub>B \<phi> B"
+proof -
+  from assms(1,3) have "\<V>\<^sub>B_graph \<phi> A (\<V>\<^sub>B \<phi> A)"
+    by (intro \<V>\<^sub>B_graph_\<V>\<^sub>B)
+  moreover from assms(2,3) have "\<V>\<^sub>B_graph \<phi> B (\<V>\<^sub>B \<phi> B)"
+    by (intro \<V>\<^sub>B_graph_\<V>\<^sub>B)
+  ultimately have "\<V>\<^sub>B_graph \<phi> (A \<and>\<^sup>\<Q> B) (\<V>\<^sub>B \<phi> A \<^bold>\<and> \<V>\<^sub>B \<phi> B)"
+    by (intro \<V>\<^sub>B_graph_conj)
+  with assms show ?thesis
+    using conj_pwff by (intro \<V>\<^sub>B_equality)
+qed
+
+lemma \<V>\<^sub>B_imp [\<V>\<^sub>B_simps]:
+  assumes "A \<in> pwffs" and "B \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> (A \<supset>\<^sup>\<Q> B) = \<V>\<^sub>B \<phi> A \<^bold>\<supset> \<V>\<^sub>B \<phi> B"
+proof -
+  from assms(1,3) have "\<V>\<^sub>B_graph \<phi> A (\<V>\<^sub>B \<phi> A)"
+    by (intro \<V>\<^sub>B_graph_\<V>\<^sub>B)
+  moreover from assms(2,3) have "\<V>\<^sub>B_graph \<phi> B (\<V>\<^sub>B \<phi> B)"
+    by (intro \<V>\<^sub>B_graph_\<V>\<^sub>B)
+  ultimately have "\<V>\<^sub>B_graph \<phi> (A \<supset>\<^sup>\<Q> B) (\<V>\<^sub>B \<phi> A \<^bold>\<supset> \<V>\<^sub>B \<phi> B)"
+    by (intro \<V>\<^sub>B_graph_imp)
+  with assms show ?thesis
+    using imp_pwff by (intro \<V>\<^sub>B_equality)
+qed
+
+lemma \<V>\<^sub>B_eqv [\<V>\<^sub>B_simps]:
+  assumes "A \<in> pwffs" and "B \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> (A \<equiv>\<^sup>\<Q> B) = \<V>\<^sub>B \<phi> A \<^bold>\<equiv> \<V>\<^sub>B \<phi> B"
+proof (cases "A = F\<^bsub>o\<^esub>")
+  case True
+  then show ?thesis
+    using \<V>\<^sub>B_F[OF assms(3)] and \<V>\<^sub>B_neg[OF assms(2,3)] by force
+next
+  case False
+  from assms(1,3) have "\<V>\<^sub>B_graph \<phi> A (\<V>\<^sub>B \<phi> A)"
+    by (intro \<V>\<^sub>B_graph_\<V>\<^sub>B)
+  moreover from assms(2,3) have "\<V>\<^sub>B_graph \<phi> B (\<V>\<^sub>B \<phi> B)"
+    by (intro \<V>\<^sub>B_graph_\<V>\<^sub>B)
+  ultimately have "\<V>\<^sub>B_graph \<phi> (A \<equiv>\<^sup>\<Q> B) (\<V>\<^sub>B \<phi> A \<^bold>\<equiv> \<V>\<^sub>B \<phi> B)"
+    using False by (intro \<V>\<^sub>B_graph_eqv)
+  with assms show ?thesis
+    using eqv_pwff by (intro \<V>\<^sub>B_equality)
+qed
+
+declare pwffs.intros [\<V>\<^sub>B_simps]
+
+lemma pwff_denotation_function_existence:
+  shows "is_pwff_denotation_function \<V>\<^sub>B"
+  using \<V>\<^sub>B_simps by simp
+
+text \<open>Tautologies:\<close>
+
+definition is_tautology :: "form \<Rightarrow> bool" where
+  [iff]: "is_tautology A \<longleftrightarrow> A \<in> pwffs \<and> (\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> A = \<^bold>T)"
+
+lemma tautology_is_wffo:
+  assumes "is_tautology A"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+  using assms and pwffs_subset_of_wffso by blast
+
+lemma propositional_implication_reflexivity_is_tautology:
+  shows "is_tautology (p\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> p\<^bsub>o\<^esub>)"
+  using \<V>\<^sub>B_simps by simp
+
+lemma propositional_principle_of_simplification_is_tautology:
+  shows "is_tautology (p\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (r\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> p\<^bsub>o\<^esub>))"
+  using \<V>\<^sub>B_simps by simp
+
+lemma closed_pwff_denotation_uniqueness:
+  assumes "A \<in> pwffs" and "free_vars A = {}"
+  obtains b where "\<forall>\<phi>. is_tv_assignment \<phi> \<longrightarrow> \<V>\<^sub>B \<phi> A = b"
+  using assms
+  by (meson closed_pwff_is_meaningful_regardless_of_assignment pwff_denotation_function_existence)
+
+lemma pwff_substitution_simps:
+  shows "\<^bold>S {(p, o) \<Zinj> A} T\<^bsub>o\<^esub> = T\<^bsub>o\<^esub>"
+  and "\<^bold>S {(p, o) \<Zinj> A} F\<^bsub>o\<^esub> = F\<^bsub>o\<^esub>"
+  and "\<^bold>S {(p, o) \<Zinj> A} (p'\<^bsub>o\<^esub>) = (if p = p' then A else (p'\<^bsub>o\<^esub>))"
+  and "\<^bold>S {(p, o) \<Zinj> A} (\<sim>\<^sup>\<Q> B) = \<sim>\<^sup>\<Q> (\<^bold>S {(p, o) \<Zinj> A} B)"
+  and "\<^bold>S {(p, o) \<Zinj> A} (B \<and>\<^sup>\<Q> C) = (\<^bold>S {(p, o) \<Zinj> A} B) \<and>\<^sup>\<Q> (\<^bold>S {(p, o) \<Zinj> A} C)"
+  and "\<^bold>S {(p, o) \<Zinj> A} (B \<or>\<^sup>\<Q> C) = (\<^bold>S {(p, o) \<Zinj> A} B) \<or>\<^sup>\<Q> (\<^bold>S {(p, o) \<Zinj> A} C)"
+  and "\<^bold>S {(p, o) \<Zinj> A} (B \<supset>\<^sup>\<Q> C) = (\<^bold>S {(p, o) \<Zinj> A} B) \<supset>\<^sup>\<Q> (\<^bold>S {(p, o) \<Zinj> A} C)"
+  and "\<^bold>S {(p, o) \<Zinj> A} (B \<equiv>\<^sup>\<Q> C) = (\<^bold>S {(p, o) \<Zinj> A} B) \<equiv>\<^sup>\<Q> (\<^bold>S {(p, o) \<Zinj> A} C)"
+  by simp_all
+
+lemma pwff_substitution_in_pwffs:
+  assumes "A \<in> pwffs" and "B \<in> pwffs"
+  shows "\<^bold>S {(p, o) \<Zinj> A} B \<in> pwffs"
+using assms(2) proof induction
+  case T_pwff
+  then show ?case
+    using pwffs.T_pwff by simp
+next
+  case F_pwff
+  then show ?case
+    using pwffs.F_pwff by simp
+next
+  case (var_pwff p)
+  from assms(1) show ?case
+    using pwffs.var_pwff by simp
+next
+  case (neg_pwff A)
+  then show ?case
+    using pwff_substitution_simps(4) and pwffs.neg_pwff by simp
+next
+  case (conj_pwff A B)
+  then show ?case
+    using pwff_substitution_simps(5) and pwffs.conj_pwff by simp
+next
+  case (disj_pwff A B)
+  then show ?case
+    using pwff_substitution_simps(6) and pwffs.disj_pwff by simp
+next
+  case (imp_pwff A B)
+  then show ?case
+    using pwff_substitution_simps(7) and pwffs.imp_pwff by simp
+next
+  case (eqv_pwff A B)
+  then show ?case
+    using pwff_substitution_simps(8) and pwffs.eqv_pwff by simp
+qed
+
+lemma pwff_substitution_denotation:
+  assumes "A \<in> pwffs" and "B \<in> pwffs"
+  and "is_tv_assignment \<phi>"
+  shows "\<V>\<^sub>B \<phi> (\<^bold>S {(p, o) \<Zinj> A} B) = \<V>\<^sub>B (\<phi>(p := \<V>\<^sub>B \<phi> A)) B"
+proof -
+  from assms(1,3) have "is_tv_assignment (\<phi>(p := \<V>\<^sub>B \<phi> A))"
+    using \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<V>\<^sub>B_graph_\<V>\<^sub>B] by simp
+  with assms(2,1,3) show ?thesis
+    using \<V>\<^sub>B_simps and pwff_substitution_in_pwffs by induction auto
+qed
+
+lemma pwff_substitution_tautology_preservation:
+  assumes "is_tautology B" and "A \<in> pwffs"
+  and "(p, o) \<in> free_vars B"
+  shows "is_tautology (\<^bold>S {(p, o) \<Zinj> A} B)"
+proof (safe, fold is_tv_assignment_def)
+  from assms(1,2) show "\<^bold>S {(p, o) \<Zinj> A} B \<in> pwffs"
+    using pwff_substitution_in_pwffs by blast
+next
+  fix \<phi>
+  assume "is_tv_assignment \<phi>"
+  with assms(1,2) have "\<V>\<^sub>B \<phi> (\<^bold>S {(p, o) \<Zinj> A} B) = \<V>\<^sub>B (\<phi>(p := \<V>\<^sub>B \<phi> A)) B"
+    using pwff_substitution_denotation by blast
+  moreover from \<open>is_tv_assignment \<phi>\<close> and assms(2) have "is_tv_assignment (\<phi>(p := \<V>\<^sub>B \<phi> A))"
+    using \<V>\<^sub>B_graph_denotation_is_truth_value[OF \<V>\<^sub>B_graph_\<V>\<^sub>B] by simp
+  with assms(1) have "\<V>\<^sub>B (\<phi>(p := \<V>\<^sub>B \<phi> A)) B = \<^bold>T"
+    by fastforce
+  ultimately show "\<V>\<^sub>B \<phi> \<^bold>S {(p, o) \<Zinj> A} B = \<^bold>T"
+    by (simp only:)
+qed
+
+lemma closed_pwff_substitution_free_vars:
+  assumes "A \<in> pwffs" and "B \<in> pwffs"
+  and "free_vars A = {}"
+  and "(p, o) \<in> free_vars B"
+  shows "free_vars (\<^bold>S {(p, o) \<Zinj> A} B) = free_vars B - {(p, o)}" (is \<open>free_vars (\<^bold>S ?\<theta> B) = _\<close>)
+using assms(2,4) proof induction
+  case (conj_pwff C D)
+  have "free_vars (\<^bold>S ?\<theta> (C \<and>\<^sup>\<Q> D)) = free_vars ((\<^bold>S ?\<theta> C) \<and>\<^sup>\<Q> (\<^bold>S ?\<theta> D))"
+    by simp
+  also have "\<dots> = free_vars (\<^bold>S ?\<theta> C) \<union> free_vars (\<^bold>S ?\<theta> D)"
+    by (fact conj_fv)
+  finally have *: "free_vars (\<^bold>S ?\<theta> (C \<and>\<^sup>\<Q> D)) = free_vars (\<^bold>S ?\<theta> C) \<union> free_vars (\<^bold>S ?\<theta> D)" .
+  from conj_pwff.prems consider
+    (a) "(p, o) \<in> free_vars C" and "(p, o) \<in> free_vars D"
+  | (b) "(p, o) \<in> free_vars C" and "(p, o) \<notin> free_vars D"
+  | (c) "(p, o) \<notin> free_vars C" and "(p, o) \<in> free_vars D"
+    by auto
+  from this and * and conj_pwff.IH show ?case
+    using free_var_singleton_substitution_neutrality by cases auto
+next
+  case (disj_pwff C D)
+  have "free_vars (\<^bold>S ?\<theta> (C \<or>\<^sup>\<Q> D)) = free_vars ((\<^bold>S ?\<theta> C) \<or>\<^sup>\<Q> (\<^bold>S ?\<theta> D))"
+    by simp
+  also have "\<dots> = free_vars (\<^bold>S ?\<theta> C) \<union> free_vars (\<^bold>S ?\<theta> D)"
+    by (fact disj_fv)
+  finally have *: "free_vars (\<^bold>S ?\<theta> (C \<or>\<^sup>\<Q> D)) = free_vars (\<^bold>S ?\<theta> C) \<union> free_vars (\<^bold>S ?\<theta> D)" .
+  from disj_pwff.prems consider
+    (a) "(p, o) \<in> free_vars C" and "(p, o) \<in> free_vars D"
+  | (b) "(p, o) \<in> free_vars C" and "(p, o) \<notin> free_vars D"
+  | (c) "(p, o) \<notin> free_vars C" and "(p, o) \<in> free_vars D"
+    by auto
+  from this and * and disj_pwff.IH show ?case
+    using free_var_singleton_substitution_neutrality by cases auto
+next
+  case (imp_pwff C D)
+  have "free_vars (\<^bold>S ?\<theta> (C \<supset>\<^sup>\<Q> D)) = free_vars ((\<^bold>S ?\<theta> C) \<supset>\<^sup>\<Q> (\<^bold>S ?\<theta> D))"
+    by simp
+  also have "\<dots> = free_vars (\<^bold>S ?\<theta> C) \<union> free_vars (\<^bold>S ?\<theta> D)"
+    by (fact imp_fv)
+  finally have *: "free_vars (\<^bold>S ?\<theta> (C \<supset>\<^sup>\<Q> D)) = free_vars (\<^bold>S ?\<theta> C) \<union> free_vars (\<^bold>S ?\<theta> D)" .
+  from imp_pwff.prems consider
+    (a) "(p, o) \<in> free_vars C" and "(p, o) \<in> free_vars D"
+  | (b) "(p, o) \<in> free_vars C" and "(p, o) \<notin> free_vars D"
+  | (c) "(p, o) \<notin> free_vars C" and "(p, o) \<in> free_vars D"
+    by auto
+  from this and * and imp_pwff.IH show ?case
+    using free_var_singleton_substitution_neutrality by cases auto
+next
+  case (eqv_pwff C D)
+  have "free_vars (\<^bold>S ?\<theta> (C \<equiv>\<^sup>\<Q> D)) = free_vars ((\<^bold>S ?\<theta> C) \<equiv>\<^sup>\<Q> (\<^bold>S ?\<theta> D))"
+    by simp
+  also have "\<dots> = free_vars (\<^bold>S ?\<theta> C) \<union> free_vars (\<^bold>S ?\<theta> D)"
+    by (fact eqv_fv)
+  finally have *: "free_vars (\<^bold>S ?\<theta> (C \<equiv>\<^sup>\<Q> D)) = free_vars (\<^bold>S ?\<theta> C) \<union> free_vars (\<^bold>S ?\<theta> D)" .
+  from eqv_pwff.prems consider
+    (a) "(p, o) \<in> free_vars C" and "(p, o) \<in> free_vars D"
+  | (b) "(p, o) \<in> free_vars C" and "(p, o) \<notin> free_vars D"
+  | (c) "(p, o) \<notin> free_vars C" and "(p, o) \<in> free_vars D"
+    by auto
+  from this and * and eqv_pwff.IH show ?case
+    using free_var_singleton_substitution_neutrality by cases auto
+qed (use assms(3) in \<open>force+\<close>)
+
+text \<open>Substitution in a pwff:\<close>
+
+definition is_pwff_substitution where
+  [iff]: "is_pwff_substitution \<theta> \<longleftrightarrow> is_substitution \<theta> \<and> (\<forall>(x, \<alpha>) \<in> fmdom' \<theta>. \<alpha> = o)"
+
+text \<open>Tautologous pwff:\<close>
+
+definition is_tautologous :: "form \<Rightarrow> bool" where
+  [iff]: "is_tautologous B \<longleftrightarrow> (\<exists>\<theta> A. is_tautology A \<and> is_pwff_substitution \<theta> \<and> B = \<^bold>S \<theta> A)"
+
+lemma tautologous_is_wffo:
+  assumes "is_tautologous A"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+  using assms and substitution_preserves_typing and tautology_is_wffo by blast
+
+lemma implication_reflexivity_is_tautologous:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "is_tautologous (A \<supset>\<^sup>\<Q> A)"
+proof -
+  let ?\<theta> = "{(\<xx>, o) \<Zinj> A}"
+  have "is_tautology (\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>)"
+    by (fact propositional_implication_reflexivity_is_tautology)
+  moreover have "is_pwff_substitution ?\<theta>"
+    using assms by auto
+  moreover have "A \<supset>\<^sup>\<Q> A = \<^bold>S ?\<theta> (\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>)"
+    by simp
+  ultimately show ?thesis
+    by blast
+qed
+
+lemma principle_of_simplification_is_tautologous:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "is_tautologous (A \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> A))"
+proof -
+  let ?\<theta> = "{(\<xx>, o) \<Zinj> A, (\<yy>, o) \<Zinj> B}"
+  have "is_tautology (\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (\<yy>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>))"
+    by (fact propositional_principle_of_simplification_is_tautology)
+  moreover have "is_pwff_substitution ?\<theta>"
+    using assms by auto
+  moreover have "A \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> A) = \<^bold>S ?\<theta> (\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> (\<yy>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>))"
+    by simp
+  ultimately show ?thesis
+    by blast
+qed
+
+lemma pseudo_modus_tollens_is_tautologous:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "is_tautologous ((A \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> A))"
+proof -
+  let ?\<theta> = "{(\<xx>, o) \<Zinj> A, (\<yy>, o) \<Zinj> B}"
+  have "is_tautology ((\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> (\<yy>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>))"
+    using \<V>\<^sub>B_simps by (safe, fold is_tv_assignment_def, simp only:) simp
+  moreover have "is_pwff_substitution ?\<theta>"
+    using assms by auto
+  moreover have "(A \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> B) \<supset>\<^sup>\<Q> (B \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> A) = \<^bold>S ?\<theta> ((\<xx>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) \<supset>\<^sup>\<Q> (\<yy>\<^bsub>o\<^esub> \<supset>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub>))"
+    by simp
+  ultimately show ?thesis
+    by blast
+qed
+
+end
diff --git a/thys/Q0_Metatheory/ROOT b/thys/Q0_Metatheory/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/ROOT
@@ -0,0 +1,21 @@
+chapter AFP
+
+session Q0_Metatheory (AFP) = "HOL-Library" +
+  options [timeout = 600]
+  sessions
+    ZFC_in_HOL
+    "Finite-Map-Extras"
+  theories
+    Utilities
+    Syntax
+    Boolean_Algebra
+    Propositional_Wff
+    Proof_System
+    Elementary_Logic
+    Semantics
+    Soundness
+    Consistency
+  document_files
+    "root.tex"
+    "root.bib"
+
diff --git a/thys/Q0_Metatheory/Semantics.thy b/thys/Q0_Metatheory/Semantics.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Semantics.thy
@@ -0,0 +1,329 @@
+section \<open>Semantics\<close>
+
+theory Semantics
+  imports
+    "ZFC_in_HOL.ZFC_Typeclasses"
+    Syntax
+    Boolean_Algebra
+begin
+
+no_notation funcset (infixr "\<rightarrow>" 60)
+notation funcset (infixr "\<Zpfun>" 60)
+
+abbreviation vfuncset :: "V \<Rightarrow> V \<Rightarrow> V" (infixr "\<longmapsto>" 60) where
+  "A \<longmapsto> B \<equiv> VPi A (\<lambda>_. B)"
+
+notation app (infixl "\<bullet>" 300)
+
+syntax
+  "_vlambda" :: "pttrn \<Rightarrow> V \<Rightarrow> (V \<Rightarrow> V) \<Rightarrow> V" ("(3\<^bold>\<lambda>_\<^bold>:_ \<^bold>./ _)" [0, 0, 3] 3)
+translations
+  "\<^bold>\<lambda>x \<^bold>: A\<^bold>. f" \<rightleftharpoons> "CONST VLambda A (\<lambda>x. f)"
+
+lemma vlambda_extensionality:
+  assumes "\<And>x. x \<in> elts A \<Longrightarrow> f x = g x"
+  shows "(\<^bold>\<lambda>x \<^bold>: A\<^bold>. f x) = (\<^bold>\<lambda>x \<^bold>: A\<^bold>. g x)"
+  unfolding VLambda_def using assms by auto
+
+subsection \<open>Frames\<close>
+
+locale frame =
+  fixes \<D> :: "type \<Rightarrow> V"
+  assumes truth_values_domain_def: "\<D> o = \<bool>"
+  and function_domain_def: "\<forall>\<alpha> \<beta>. \<D> (\<alpha>\<rightarrow>\<beta>) \<le> \<D> \<alpha> \<longmapsto> \<D> \<beta>"
+  and domain_nonemptiness: "\<forall>\<alpha>. \<D> \<alpha> \<noteq> 0"
+begin
+
+lemma function_domainD:
+  assumes "f \<in> elts (\<D> (\<alpha>\<rightarrow>\<beta>))"
+  shows "f \<in> elts (\<D> \<alpha> \<longmapsto> \<D> \<beta>)"
+  using assms and function_domain_def by blast
+
+lemma vlambda_from_function_domain:
+  assumes "f \<in> elts (\<D> (\<alpha>\<rightarrow>\<beta>))"
+  obtains b where "f = (\<^bold>\<lambda>x \<^bold>: \<D> \<alpha>\<^bold>. b x)" and "\<forall>x \<in> elts (\<D> \<alpha>). b x \<in> elts (\<D> \<beta>)"
+  using function_domainD[OF assms] by (metis VPi_D eta)
+
+lemma app_is_domain_respecting:
+  assumes "f \<in> elts (\<D> (\<alpha>\<rightarrow>\<beta>))" and "x \<in> elts (\<D> \<alpha>)"
+  shows "f \<bullet> x \<in> elts (\<D> \<beta>)"
+  by (fact VPi_D[OF function_domainD[OF assms(1)] assms(2)])
+
+text \<open>One-element function on @{term \<open>\<D> \<alpha>\<close>}:\<close>
+
+definition one_element_function :: "V \<Rightarrow> type \<Rightarrow> V" ("{_}\<^bsub>_\<^esub>" [901, 0] 900) where
+  [simp]: "{x}\<^bsub>\<alpha>\<^esub> = (\<^bold>\<lambda>y \<^bold>: \<D> \<alpha>\<^bold>. bool_to_V (y = x))"
+
+lemma one_element_function_is_domain_respecting:
+  shows "{x}\<^bsub>\<alpha>\<^esub> \<in> elts (\<D> \<alpha> \<longmapsto> \<D> o)"
+  unfolding one_element_function_def and truth_values_domain_def by (intro VPi_I) (simp, metis)
+
+lemma one_element_function_simps:
+  shows "x \<in> elts (\<D> \<alpha>) \<Longrightarrow> {x}\<^bsub>\<alpha>\<^esub> \<bullet> x = \<^bold>T"
+  and "\<lbrakk>{x, y} \<subseteq> elts (\<D> \<alpha>); y \<noteq> x\<rbrakk> \<Longrightarrow> {x}\<^bsub>\<alpha>\<^esub> \<bullet> y = \<^bold>F"
+  by simp_all
+
+lemma one_element_function_injectivity:
+  assumes "{x, x'} \<subseteq> elts (\<D> i)" and "{x}\<^bsub>i\<^esub> = {x'}\<^bsub>i\<^esub>"
+  shows "x = x'"
+  using assms(1) and VLambda_eq_D2[OF assms(2)[unfolded one_element_function_def]]
+  and injD[OF bool_to_V_injectivity] by blast
+
+lemma one_element_function_uniqueness:
+  assumes "x \<in> elts (\<D> i)"
+  shows "(SOME x'. x' \<in> elts (\<D> i) \<and> {x}\<^bsub>i\<^esub> = {x'}\<^bsub>i\<^esub>) = x"
+  by (auto simp add: assms one_element_function_injectivity)
+
+text \<open>Identity relation on @{term \<open>\<D> \<alpha>\<close>}:\<close>
+
+definition identity_relation :: "type \<Rightarrow> V" ("q\<^bsub>_\<^esub>" [0] 100) where
+  [simp]: "q\<^bsub>\<alpha>\<^esub> = (\<^bold>\<lambda>x \<^bold>: \<D> \<alpha>\<^bold>. {x}\<^bsub>\<alpha>\<^esub>)"
+
+lemma identity_relation_is_domain_respecting:
+  shows "q\<^bsub>\<alpha>\<^esub> \<in> elts (\<D> \<alpha> \<longmapsto> \<D> \<alpha> \<longmapsto> \<D> o)"
+  using VPi_I and one_element_function_is_domain_respecting by simp
+
+lemma q_is_equality:
+  assumes "{x, y} \<subseteq> elts (\<D> \<alpha>)"
+  shows "(q\<^bsub>\<alpha>\<^esub>) \<bullet> x \<bullet> y = \<^bold>T \<longleftrightarrow> x = y"
+  unfolding identity_relation_def
+  using assms and injD[OF bool_to_V_injectivity] by fastforce
+
+text \<open>Unique member selector:\<close>
+
+definition is_unique_member_selector :: "V \<Rightarrow> bool" where
+  [iff]: "is_unique_member_selector f \<longleftrightarrow> (\<forall>x \<in> elts (\<D> i). f \<bullet> {x}\<^bsub>i\<^esub> = x)"
+
+text \<open>Assignment:\<close>
+
+definition is_assignment :: "(var \<Rightarrow> V) \<Rightarrow> bool" where
+  [iff]: "is_assignment \<phi> \<longleftrightarrow> (\<forall>x \<alpha>. \<phi> (x, \<alpha>) \<in> elts (\<D> \<alpha>))"
+
+end
+
+abbreviation one_element_function_in ("{_}\<^bsub>_\<^esub>\<^bsup>_\<^esup>" [901, 0, 0] 900) where
+  "{x}\<^bsub>\<alpha>\<^esub>\<^bsup>\<D>\<^esup> \<equiv> frame.one_element_function \<D> x \<alpha>"
+
+abbreviation identity_relation_in ("q\<^bsub>_\<^esub>\<^bsup>_\<^esup>" [0, 0] 100) where
+  "q\<^bsub>\<alpha>\<^esub>\<^bsup>\<D>\<^esup> \<equiv> frame.identity_relation \<D> \<alpha>"
+
+text \<open>
+  \<open>\<psi>\<close> is a ``\<open>v\<close>-variant'' of \<open>\<phi>\<close> if \<open>\<psi>\<close> is an assignment that agrees with \<open>\<phi>\<close> except possibly on
+  \<open>v\<close>:
+\<close>
+
+definition is_variant_of :: "(var \<Rightarrow> V) \<Rightarrow> var \<Rightarrow> (var \<Rightarrow> V) \<Rightarrow> bool" ("_ \<sim>\<^bsub>_\<^esub> _" [51, 0, 51] 50) where
+  [iff]: "\<psi> \<sim>\<^bsub>v\<^esub> \<phi> \<longleftrightarrow> (\<forall>v'. v' \<noteq> v \<longrightarrow> \<psi> v' = \<phi> v')"
+
+subsection \<open>Pre-models (interpretations)\<close>
+
+text \<open>We use the term ``pre-model'' instead of ``interpretation'' since the latter is already a keyword:\<close>
+
+locale premodel = frame +
+  fixes \<J> :: "con \<Rightarrow> V"
+  assumes Q_denotation: "\<forall>\<alpha>. \<J> (Q_constant_of_type \<alpha>) = q\<^bsub>\<alpha>\<^esub>"
+  and \<iota>_denotation: "is_unique_member_selector (\<J> iota_constant)"
+  and non_logical_constant_denotation: "\<forall>c \<alpha>. \<not> is_logical_constant (c, \<alpha>) \<longrightarrow> \<J> (c, \<alpha>) \<in> elts (\<D> \<alpha>)"
+begin
+
+text \<open>Wff denotation function:\<close>
+
+definition is_wff_denotation_function :: "((var \<Rightarrow> V) \<Rightarrow> form \<Rightarrow> V) \<Rightarrow> bool" where
+  [iff]: "is_wff_denotation_function \<V> \<longleftrightarrow>
+    (
+      \<forall>\<phi>. is_assignment \<phi> \<longrightarrow>
+        (\<forall>A \<alpha>. A \<in> wffs\<^bsub>\<alpha>\<^esub> \<longrightarrow> \<V> \<phi> A \<in> elts (\<D> \<alpha>)) \<and> \<comment> \<open>closure condition, see note in page 186\<close>
+        (\<forall>x \<alpha>. \<V> \<phi> (x\<^bsub>\<alpha>\<^esub>) = \<phi> (x, \<alpha>)) \<and>
+        (\<forall>c \<alpha>. \<V> \<phi> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = \<J> (c, \<alpha>)) \<and>
+        (\<forall>A B \<alpha> \<beta>. A \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub> \<and> B \<in> wffs\<^bsub>\<beta>\<^esub> \<longrightarrow> \<V> \<phi> (A \<sqdot> B) = (\<V> \<phi> A) \<bullet> (\<V> \<phi> B)) \<and>
+        (\<forall>x B \<alpha> \<beta>. B \<in> wffs\<^bsub>\<beta>\<^esub> \<longrightarrow> \<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) = (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V> (\<phi>((x, \<alpha>) := z)) B))
+    )"
+
+lemma wff_denotation_function_is_domain_respecting:
+  assumes "is_wff_denotation_function \<V>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "is_assignment \<phi>"
+  shows "\<V> \<phi> A \<in> elts (\<D> \<alpha>)"
+  using assms by force
+
+lemma wff_var_denotation:
+  assumes "is_wff_denotation_function \<V>"
+  and "is_assignment \<phi>"
+  shows "\<V> \<phi> (x\<^bsub>\<alpha>\<^esub>) = \<phi> (x, \<alpha>)"
+  using assms by force
+
+lemma wff_Q_denotation:
+  assumes "is_wff_denotation_function \<V>"
+  and "is_assignment \<phi>"
+  shows "\<V> \<phi> (Q\<^bsub>\<alpha>\<^esub>) = q\<^bsub>\<alpha>\<^esub>"
+  using assms and Q_denotation by force
+
+lemma wff_iota_denotation:
+  assumes "is_wff_denotation_function \<V>"
+  and "is_assignment \<phi>"
+  shows "is_unique_member_selector (\<V> \<phi> \<iota>)"
+  using assms and \<iota>_denotation by fastforce
+
+lemma wff_non_logical_constant_denotation:
+  assumes "is_wff_denotation_function \<V>"
+  and "is_assignment \<phi>"
+  and "\<not> is_logical_constant (c, \<alpha>)"
+  shows "\<V> \<phi> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = \<J> (c, \<alpha>)"
+  using assms by auto
+
+lemma wff_app_denotation:
+  assumes "is_wff_denotation_function \<V>"
+  and "is_assignment \<phi>"
+  and "A \<in> wffs\<^bsub>\<beta>\<rightarrow>\<alpha>\<^esub>"
+  and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  shows "\<V> \<phi> (A \<sqdot> B) = \<V> \<phi> A \<bullet> \<V> \<phi> B"
+  using assms by blast
+
+lemma wff_abs_denotation:
+  assumes "is_wff_denotation_function \<V>"
+  and "is_assignment \<phi>"
+  and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  shows "\<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) = (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V> (\<phi>((x, \<alpha>) := z)) B)"
+  using assms unfolding is_wff_denotation_function_def by metis
+
+lemma wff_denotation_function_is_uniquely_determined:
+  assumes "is_wff_denotation_function \<V>"
+  and "is_wff_denotation_function \<V>'"
+  and "is_assignment \<phi>"
+  and "A \<in> wffs"
+  shows "\<V> \<phi> A = \<V>' \<phi> A"
+proof -
+  obtain \<alpha> where "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+    using assms(4) by blast
+  then show ?thesis
+  using assms(3) proof (induction A arbitrary: \<phi>)
+    case var_is_wff
+    with assms(1,2) show ?case
+      by auto
+  next
+    case con_is_wff
+    with assms(1,2) show ?case
+      by auto
+  next
+    case app_is_wff
+    with assms(1,2) show ?case
+      using wff_app_denotation by metis
+  next
+    case (abs_is_wff \<beta> A \<alpha> x)
+    have "is_assignment (\<phi>((x, \<alpha>) := z))" if "z \<in> elts (\<D> \<alpha>)" for z
+      using that and abs_is_wff.prems by simp
+    then have *: "\<V> (\<phi>((x, \<alpha>) := z)) A = \<V>' (\<phi>((x, \<alpha>) := z)) A" if "z \<in> elts (\<D> \<alpha>)" for z
+      using abs_is_wff.IH and that by blast
+    have "\<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V> (\<phi>((x, \<alpha>) := z)) A)"
+      by (fact wff_abs_denotation[OF assms(1) abs_is_wff.prems abs_is_wff.hyps])
+    also have "\<dots> = (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V>' (\<phi>((x, \<alpha>) := z)) A)"
+      using * and vlambda_extensionality by fastforce
+    also have "\<dots> = \<V>' \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+      by (fact wff_abs_denotation[OF assms(2) abs_is_wff.prems abs_is_wff.hyps, symmetric])
+    finally show ?case .
+  qed
+qed
+
+end
+
+subsection \<open>General models\<close>
+
+type_synonym model_structure = "(type \<Rightarrow> V) \<times> (con \<Rightarrow> V) \<times> ((var \<Rightarrow> V) \<Rightarrow> form \<Rightarrow> V)"
+
+text \<open>
+  The assumption in the following locale implies that there must exist a function that is a wff
+  denotation function for the pre-model, which is a requirement in the definition of general model
+  in @{cite "andrews:2002"}:
+\<close>
+
+locale general_model = premodel +
+  fixes \<V> :: "(var \<Rightarrow> V) \<Rightarrow> form \<Rightarrow> V"
+  assumes \<V>_is_wff_denotation_function: "is_wff_denotation_function \<V>"
+begin
+
+lemma mixed_beta_conversion:
+  assumes "is_assignment \<phi>"
+  and "y \<in> elts (\<D> \<alpha>)"
+  and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  shows "\<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<bullet> y = \<V> (\<phi>((x, \<alpha>) := y)) B"
+  using wff_abs_denotation[OF \<V>_is_wff_denotation_function assms(1,3)] and beta[OF assms(2)] by simp
+
+lemma conj_fun_is_domain_respecting:
+  assumes "is_assignment \<phi>"
+  shows "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))"
+  using assms and conj_fun_wff and \<V>_is_wff_denotation_function by auto
+
+lemma fully_applied_conj_fun_is_domain_respecting:
+  assumes "is_assignment \<phi>"
+  and "{x, y} \<subseteq> elts (\<D> o)"
+  shows "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y \<in> elts (\<D> o)"
+  using assms and conj_fun_is_domain_respecting and app_is_domain_respecting by (meson insert_subset)
+
+lemma imp_fun_denotation_is_domain_respecting:
+  assumes "is_assignment \<phi>"
+  shows "\<V> \<phi> (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))"
+  using assms and imp_fun_wff and \<V>_is_wff_denotation_function by simp
+
+lemma fully_applied_imp_fun_denotation_is_domain_respecting:
+  assumes "is_assignment \<phi>"
+  and "{x, y} \<subseteq> elts (\<D> o)"
+  shows "\<V> \<phi> (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y \<in> elts (\<D> o)"
+  using assms and imp_fun_denotation_is_domain_respecting and app_is_domain_respecting
+  by (meson insert_subset)
+
+end
+
+abbreviation is_general_model :: "model_structure \<Rightarrow> bool" where
+  "is_general_model \<M> \<equiv> case \<M> of (\<D>, \<J>, \<V>) \<Rightarrow> general_model \<D> \<J> \<V>"
+
+subsection \<open>Standard models\<close>
+
+locale standard_model = general_model +
+  assumes full_function_domain_def: "\<forall>\<alpha> \<beta>. \<D> (\<alpha>\<rightarrow>\<beta>) = \<D> \<alpha> \<longmapsto> \<D> \<beta>"
+
+abbreviation is_standard_model :: "model_structure \<Rightarrow> bool" where
+  "is_standard_model \<M> \<equiv> case \<M> of (\<D>, \<J>, \<V>) \<Rightarrow> standard_model \<D> \<J> \<V>"
+
+lemma standard_model_is_general_model:
+  assumes "is_standard_model \<M>"
+  shows "is_general_model \<M>"
+  using assms and standard_model.axioms(1) by force
+
+subsection \<open>Validity\<close>
+
+abbreviation is_assignment_into_frame ("_ \<leadsto> _" [51, 51] 50) where
+  "\<phi> \<leadsto> \<D> \<equiv> frame.is_assignment \<D> \<phi>"
+
+abbreviation is_assignment_into_model ("_ \<leadsto>\<^sub>M _" [51, 51] 50) where
+  "\<phi> \<leadsto>\<^sub>M \<M> \<equiv> (case \<M> of (\<D>, \<J>, \<V>) \<Rightarrow> \<phi> \<leadsto> \<D>)"
+
+abbreviation satisfies ("_ \<Turnstile>\<^bsub>_\<^esub> _" [50, 50, 50] 50) where
+  "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> A \<equiv> case \<M> of (\<D>, \<J>, \<V>) \<Rightarrow> \<V> \<phi> A = \<^bold>T"
+
+abbreviation is_satisfiable_in where
+  "is_satisfiable_in A \<M> \<equiv> \<exists>\<phi>. \<phi> \<leadsto>\<^sub>M \<M> \<and> \<M> \<Turnstile>\<^bsub>\<phi>\<^esub> A"
+
+abbreviation is_valid_in ("_ \<Turnstile> _" [50, 50] 50) where
+  "\<M> \<Turnstile> A \<equiv> \<forall>\<phi>. \<phi> \<leadsto>\<^sub>M \<M> \<longrightarrow> \<M> \<Turnstile>\<^bsub>\<phi>\<^esub> A"
+
+abbreviation is_valid_in_the_general_sense ("\<Turnstile> _" [50] 50) where
+  "\<Turnstile> A \<equiv> \<forall>\<M>. is_general_model \<M> \<longrightarrow> \<M> \<Turnstile> A"
+
+abbreviation is_valid_in_the_standard_sense ("\<Turnstile>\<^sub>S _" [50] 50) where
+  "\<Turnstile>\<^sub>S A \<equiv> \<forall>\<M>. is_standard_model \<M> \<longrightarrow> \<M> \<Turnstile> A"
+
+abbreviation is_true_sentence_in where
+  "is_true_sentence_in A \<M> \<equiv> is_sentence A \<and> \<M> \<Turnstile>\<^bsub>undefined\<^esub> A" \<comment> \<open>assignments are not meaningful\<close>
+
+abbreviation is_false_sentence_in where
+  "is_false_sentence_in A \<M> \<equiv> is_sentence A \<and> \<not> \<M> \<Turnstile>\<^bsub>undefined\<^esub> A" \<comment> \<open>assignments are not meaningful\<close>
+
+abbreviation is_model_for where
+  "is_model_for \<M> \<G> \<equiv> \<forall>A \<in> \<G>. \<M> \<Turnstile> A"
+
+lemma general_validity_in_standard_validity:
+  assumes "\<Turnstile> A"
+  shows "\<Turnstile>\<^sub>S A"
+  using assms and standard_model_is_general_model by blast
+
+end
diff --git a/thys/Q0_Metatheory/Soundness.thy b/thys/Q0_Metatheory/Soundness.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Soundness.thy
@@ -0,0 +1,1561 @@
+section \<open>Soundness\<close>
+
+theory Soundness
+  imports
+    Elementary_Logic
+    Semantics
+begin
+
+no_notation funcset (infixr "\<rightarrow>" 60)
+notation funcset (infixr "\<Zpfun>" 60)
+
+subsection \<open>Proposition 5400\<close>
+
+proposition (in general_model) prop_5400:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "\<phi> \<leadsto> \<D>" and "\<psi> \<leadsto> \<D>"
+  and "\<forall>v \<in> free_vars A. \<phi> v = \<psi> v"
+  shows "\<V> \<phi> A = \<V> \<psi> A"
+proof -
+  from assms(1) show ?thesis
+  using assms(2,3,4) proof (induction A arbitrary: \<phi> \<psi>)
+    case (var_is_wff \<alpha> x)
+    have "(x, \<alpha>) \<in> free_vars (x\<^bsub>\<alpha>\<^esub>)"
+      by simp
+    from assms(1) and var_is_wff.prems(1) have "\<V> \<phi> (x\<^bsub>\<alpha>\<^esub>) = \<phi> (x, \<alpha>)"
+      using \<V>_is_wff_denotation_function by fastforce
+    also from \<open>(x, \<alpha>) \<in> free_vars (x\<^bsub>\<alpha>\<^esub>)\<close> and var_is_wff.prems(3) have "\<dots> = \<psi> (x, \<alpha>)"
+      by (simp only:)
+    also from assms(1) and var_is_wff.prems(2) have "\<dots> = \<V> \<psi> (x\<^bsub>\<alpha>\<^esub>)"
+      using \<V>_is_wff_denotation_function by fastforce
+    finally show ?case .
+  next
+    case (con_is_wff \<alpha> c)
+    from assms(1) and con_is_wff.prems(1) have "\<V> \<phi> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = \<J> (c, \<alpha>)"
+      using \<V>_is_wff_denotation_function by fastforce
+    also from assms(1) and con_is_wff.prems(2) have "\<dots> = \<V> \<psi> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>)"
+      using \<V>_is_wff_denotation_function by fastforce
+    finally show ?case .
+  next
+    case (app_is_wff \<alpha> \<beta> A B)
+    have "free_vars (A \<sqdot> B) = free_vars A \<union> free_vars B"
+      by simp
+    with app_is_wff.prems(3)
+    have "\<forall>v \<in> free_vars A. \<phi> v = \<psi> v" and "\<forall>v \<in> free_vars B. \<phi> v = \<psi> v"
+      by blast+
+    with app_is_wff.IH and app_is_wff.prems(1,2) have "\<V> \<phi> A = \<V> \<psi> A" and "\<V> \<phi> B = \<V> \<psi> B"
+      by blast+
+    from assms(1) and app_is_wff.prems(1) and app_is_wff.hyps have "\<V> \<phi> (A \<sqdot> B) = \<V> \<phi> A \<bullet> \<V> \<phi> B"
+      using \<V>_is_wff_denotation_function by fastforce
+    also from \<open>\<V> \<phi> A = \<V> \<psi> A\<close> and \<open>\<V> \<phi> B = \<V> \<psi> B\<close> have "\<dots> = \<V> \<psi> A \<bullet> \<V> \<psi> B"
+      by (simp only:)
+    also from assms(1) and app_is_wff.prems(2) and app_is_wff.hyps have "\<dots> = \<V> \<psi> (A \<sqdot> B)"
+      using \<V>_is_wff_denotation_function by fastforce
+    finally show ?case .
+  next
+    case (abs_is_wff \<beta> A \<alpha> x)
+    have "free_vars (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = free_vars A - {(x, \<alpha>)}"
+      by simp
+    with abs_is_wff.prems(3) have "\<forall>v \<in> free_vars A. v \<noteq> (x, \<alpha>)\<longrightarrow> \<phi> v = \<psi> v"
+      by blast
+    then have "\<forall>v \<in> free_vars A. (\<phi>((x, \<alpha>) := z)) v = (\<psi>((x, \<alpha>) := z)) v" if "z \<in> elts (\<D> \<alpha>)" for z
+      by simp
+    moreover from abs_is_wff.prems(1,2)
+    have "\<forall>x' \<alpha>'. (\<phi>((x, \<alpha>) := z)) (x', \<alpha>') \<in> elts (\<D> \<alpha>')" (* needs \<alpha>-conversion *)
+      and "\<forall>x' \<alpha>'. (\<psi>((x, \<alpha>) := z)) (x', \<alpha>') \<in> elts (\<D> \<alpha>')" (* needs \<alpha>-conversion *)
+      if "z \<in> elts (\<D> \<alpha>)" for z
+      using that by force+
+    ultimately have \<V>_\<phi>_\<psi>_eq: "\<V> (\<phi>((x, \<alpha>) := z)) A = \<V> (\<psi>((x, \<alpha>) := z)) A" if "z \<in> elts (\<D> \<alpha>)" for z
+      using abs_is_wff.IH and that by simp
+    from assms(1) and abs_is_wff.prems(1) and abs_is_wff.hyps
+    have "\<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V> (\<phi>((x, \<alpha>) := z)) A)"
+      using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by simp
+    also from \<V>_\<phi>_\<psi>_eq have "\<dots> = (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V> (\<psi>((x, \<alpha>) := z)) A)"
+      by (fact vlambda_extensionality)
+    also from assms(1) and abs_is_wff.hyps have "\<dots> = \<V> \<psi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+      using wff_abs_denotation[OF \<V>_is_wff_denotation_function abs_is_wff.prems(2)] by simp
+    finally show ?case .
+  qed
+qed
+
+corollary (in general_model) closed_wff_is_meaningful_regardless_of_assignment:
+  assumes "is_closed_wff_of_type A \<alpha>"
+  and "\<phi> \<leadsto> \<D>" and "\<psi> \<leadsto> \<D>"
+  shows "\<V> \<phi> A = \<V> \<psi> A"
+  using assms and prop_5400 by blast
+
+subsection \<open>Proposition 5401\<close>
+
+lemma (in general_model) prop_5401_a:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  shows "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) = \<V> (\<phi>((x, \<alpha>) := \<V> \<phi> A)) B"
+proof -
+  from assms(2,3) have "\<lambda>x\<^bsub>\<alpha>\<^esub>. B \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>"
+    by blast
+  with assms(1,2) have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) = \<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<bullet> \<V> \<phi> A"
+    using \<V>_is_wff_denotation_function by blast
+  also from assms(1,3) have "\<dots> = app (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V> (\<phi>((x, \<alpha>) := z)) B) (\<V> \<phi> A)"
+    using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by simp
+  also from assms(1,2) have "\<dots> = \<V> (\<phi>((x, \<alpha>) := \<V> \<phi> A)) B"
+    using \<V>_is_wff_denotation_function by auto
+  finally show ?thesis .
+qed
+
+lemma (in general_model) prop_5401_b:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<V> \<phi> (A =\<^bsub>\<alpha>\<^esub> B) = \<^bold>T \<longleftrightarrow> \<V> \<phi> A = \<V> \<phi> B"
+proof -
+  from assms have "{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts (\<D> \<alpha>)"
+    using \<V>_is_wff_denotation_function by auto
+  have "\<V> \<phi> (A =\<^bsub>\<alpha>\<^esub> B) = \<V> \<phi> (Q\<^bsub>\<alpha>\<^esub> \<sqdot> A \<sqdot> B)"
+    by simp
+  also from assms have "\<dots> = \<V> \<phi> (Q\<^bsub>\<alpha>\<^esub> \<sqdot> A) \<bullet> \<V> \<phi> B"
+    using \<V>_is_wff_denotation_function by blast
+  also from assms have "\<dots> = \<V> \<phi> (Q\<^bsub>\<alpha>\<^esub>) \<bullet> \<V> \<phi> A \<bullet> \<V> \<phi> B"
+    using Q_wff and wff_app_denotation[OF \<V>_is_wff_denotation_function] by fastforce
+  also from assms(1) have "\<dots> = (q\<^bsub>\<alpha>\<^esub>) \<bullet> \<V> \<phi> A \<bullet> \<V> \<phi> B"
+    using Q_denotation and \<V>_is_wff_denotation_function by fastforce
+  also from \<open>{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts (\<D> \<alpha>)\<close> have "\<dots> = \<^bold>T \<longleftrightarrow> \<V> \<phi> A = \<V> \<phi> B"
+    using q_is_equality by simp
+  finally show ?thesis .
+qed
+
+corollary (in general_model) prop_5401_b':
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>o\<^esub>"
+  and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<V> \<phi> (A \<equiv>\<^sup>\<Q> B) = \<^bold>T \<longleftrightarrow> \<V> \<phi> A = \<V> \<phi> B"
+  using assms and prop_5401_b by auto
+
+lemma (in general_model) prop_5401_c:
+  assumes "\<phi> \<leadsto> \<D>"
+  shows "\<V> \<phi> T\<^bsub>o\<^esub> = \<^bold>T"
+proof -
+  have "Q\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>"
+    by blast
+  moreover have "\<V> \<phi> T\<^bsub>o\<^esub> = \<V> \<phi> (Q\<^bsub>o\<^esub> =\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> Q\<^bsub>o\<^esub>)"
+    unfolding true_def ..
+  ultimately have "\<dots> = \<^bold>T \<longleftrightarrow> \<V> \<phi> (Q\<^bsub>o\<^esub>) = \<V> \<phi> (Q\<^bsub>o\<^esub>)"
+    using prop_5401_b and assms by blast
+  then show ?thesis
+    by simp
+qed
+
+lemma (in general_model) prop_5401_d:
+  assumes "\<phi> \<leadsto> \<D>"
+  shows "\<V> \<phi> F\<^bsub>o\<^esub> = \<^bold>F"
+proof -
+  have "\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>" and "\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by blast+
+  moreover have "\<V> \<phi> F\<^bsub>o\<^esub> = \<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub> =\<^bsub>o\<rightarrow>o\<^esub> \<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)"
+    unfolding false_def ..
+  ultimately have "\<V> \<phi> F\<^bsub>o\<^esub> = \<^bold>T \<longleftrightarrow> \<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) = \<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)"
+    using prop_5401_b and assms by simp
+  moreover have "\<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) \<noteq> \<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>)"
+  proof -
+    have "\<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) = (\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. \<^bold>T)"
+    proof -
+      from assms have T_denotation: "\<V> (\<phi>((\<xx>, o) := z)) T\<^bsub>o\<^esub> = \<^bold>T" if "z \<in> elts (\<D> o)" for z
+        using prop_5401_c and that by simp
+      from assms have "\<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub>) = (\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. \<V> (\<phi>((\<xx>, o) := z)) T\<^bsub>o\<^esub>)"
+        using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by blast
+      also from assms and T_denotation have "\<dots> = (\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. \<^bold>T)"
+        using vlambda_extensionality by fastforce
+      finally show ?thesis .
+    qed
+    moreover have "\<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) = (\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. z)"
+    proof -
+      from assms have \<xx>_denotation: "\<V> (\<phi>((\<xx>, o) := z)) (\<xx>\<^bsub>o\<^esub>) = z" if "z \<in> elts (\<D> o)" for z
+        using that and \<V>_is_wff_denotation_function by auto
+      from assms have "\<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) = (\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. \<V> (\<phi>((\<xx>, o) := z)) (\<xx>\<^bsub>o\<^esub>))"
+        using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by blast
+      also from \<xx>_denotation have "\<dots> = (\<^bold>\<lambda>z \<^bold>: (\<D> o)\<^bold>. z)"
+        using vlambda_extensionality by fastforce
+      finally show ?thesis .
+    qed
+    moreover have "(\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. \<^bold>T) \<noteq> (\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. z)"
+    proof -
+      from assms(1) have "(\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. \<^bold>T) \<bullet> \<^bold>F = \<^bold>T"
+        by (simp add: truth_values_domain_def)
+      moreover from assms(1) have "(\<^bold>\<lambda>z \<^bold>: \<D> o\<^bold>. z) \<bullet> \<^bold>F = \<^bold>F"
+        by (simp add: truth_values_domain_def)
+      ultimately show ?thesis
+        by (auto simp add: inj_eq)
+    qed
+    ultimately show ?thesis
+      by simp
+  qed
+  moreover from assms have "\<V> \<phi> F\<^bsub>o\<^esub> \<in> elts (\<D> o)"
+    using false_wff and \<V>_is_wff_denotation_function by fast
+  ultimately show ?thesis
+    using assms(1) by (simp add: truth_values_domain_def)
+qed
+
+lemma (in general_model) prop_5401_e:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "{x, y} \<subseteq> elts (\<D> o)"
+  shows "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = (if x = \<^bold>T \<and> y = \<^bold>T then \<^bold>T else \<^bold>F)"
+proof -
+  let ?B\<^sub>l\<^sub>e\<^sub>q = "\<lambda>\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<sqdot> T\<^bsub>o\<^esub>"
+  let ?B\<^sub>r\<^sub>e\<^sub>q = "\<lambda>\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<sqdot> \<yy>\<^bsub>o\<^esub>"
+  let ?B\<^sub>e\<^sub>q = "?B\<^sub>l\<^sub>e\<^sub>q =\<^bsub>(o\<rightarrow>o\<rightarrow>o)\<rightarrow>o\<^esub> ?B\<^sub>r\<^sub>e\<^sub>q"
+  let ?B\<^sub>\<yy> = "\<lambda>\<yy>\<^bsub>o\<^esub>. ?B\<^sub>e\<^sub>q"
+  let ?B\<^sub>\<xx> = "\<lambda>\<xx>\<^bsub>o\<^esub>. ?B\<^sub>\<yy>"
+  let ?\<phi>' = "\<phi>((\<xx>, o) := x, (\<yy>, o) := y)"
+  let ?\<phi>'' = "\<lambda>g. ?\<phi>'((\<gg>, o\<rightarrow>o\<rightarrow>o) := g)"
+  have "\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by blast
+  have "\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>" and "\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<sqdot> \<yy>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+    by blast+
+  have "?B\<^sub>l\<^sub>e\<^sub>q \<in> wffs\<^bsub>(o\<rightarrow>o\<rightarrow>o)\<rightarrow>o\<^esub>" and "?B\<^sub>r\<^sub>e\<^sub>q \<in> wffs\<^bsub>(o\<rightarrow>o\<rightarrow>o)\<rightarrow>o\<^esub>"
+    by blast+
+  then have "?B\<^sub>e\<^sub>q \<in> wffs\<^bsub>o\<^esub>" and "?B\<^sub>\<yy> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>" and "?B\<^sub>\<xx> \<in> wffs\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>"
+    by blast+
+  have "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = \<V> \<phi> ?B\<^sub>\<xx> \<bullet> x \<bullet> y"
+    by simp
+  also from assms and \<open>?B\<^sub>\<yy> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> have "\<dots> = \<V> (\<phi>((\<xx>, o) := x)) ?B\<^sub>\<yy> \<bullet> y"
+    using mixed_beta_conversion by simp
+  also from assms and \<open>?B\<^sub>e\<^sub>q \<in> wffs\<^bsub>o\<^esub>\<close> have "\<dots> = \<V> ?\<phi>' ?B\<^sub>e\<^sub>q"
+    using mixed_beta_conversion by simp
+  finally have "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = \<^bold>T \<longleftrightarrow> \<V> ?\<phi>' ?B\<^sub>l\<^sub>e\<^sub>q = \<V> ?\<phi>' ?B\<^sub>r\<^sub>e\<^sub>q"
+    using assms and \<open>?B\<^sub>l\<^sub>e\<^sub>q \<in> wffs\<^bsub>(o\<rightarrow>o\<rightarrow>o)\<rightarrow>o\<^esub>\<close> and \<open>?B\<^sub>r\<^sub>e\<^sub>q \<in> wffs\<^bsub>(o\<rightarrow>o\<rightarrow>o)\<rightarrow>o\<^esub>\<close> and prop_5401_b
+    by simp
+  also have "\<dots> \<longleftrightarrow> (\<^bold>\<lambda>g \<^bold>: \<D> (o\<rightarrow>o\<rightarrow>o)\<^bold>. g \<bullet> \<^bold>T \<bullet> \<^bold>T) = (\<^bold>\<lambda>g \<^bold>: \<D> (o\<rightarrow>o\<rightarrow>o)\<^bold>. g \<bullet> x \<bullet> y)"
+  proof -
+    have leq: "\<V> ?\<phi>' ?B\<^sub>l\<^sub>e\<^sub>q = (\<^bold>\<lambda>g \<^bold>: \<D> (o\<rightarrow>o\<rightarrow>o)\<^bold>. g \<bullet> \<^bold>T \<bullet> \<^bold>T)"
+    and req: "\<V> ?\<phi>' ?B\<^sub>r\<^sub>e\<^sub>q = (\<^bold>\<lambda>g \<^bold>: \<D> (o\<rightarrow>o\<rightarrow>o)\<^bold>. g \<bullet> x \<bullet> y)"
+    proof -
+      from assms(1,2) have is_assg_\<phi>'': "?\<phi>'' g \<leadsto> \<D>" if "g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))" for g
+        using that by auto
+      have side_eq_denotation:
+        "\<V> ?\<phi>' (\<lambda>\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B) = (\<^bold>\<lambda>g \<^bold>: \<D> (o\<rightarrow>o\<rightarrow>o)\<^bold>. g \<bullet> \<V> (?\<phi>'' g) A \<bullet> \<V> (?\<phi>'' g) B)"
+        if "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>" for A and B
+      proof -
+        from that have "\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B \<in> wffs\<^bsub>o\<^esub>"
+          by blast
+        have "\<V> (?\<phi>'' g) (\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B) = g \<bullet> \<V> (?\<phi>'' g) A \<bullet> \<V> (?\<phi>'' g) B"
+          if "g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))" for g
+        proof -
+          from \<open>A \<in> wffs\<^bsub>o\<^esub>\<close> have "\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+            by blast
+          with that and is_assg_\<phi>'' and \<open>B \<in> wffs\<^bsub>o\<^esub>\<close> have "
+            \<V> (?\<phi>'' g) (\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B) = \<V> (?\<phi>'' g) (\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A) \<bullet> \<V> (?\<phi>'' g) B"
+            using wff_app_denotation[OF \<V>_is_wff_denotation_function] by simp
+          also from that and \<open>A \<in> wffs\<^bsub>o\<^esub>\<close> and is_assg_\<phi>'' have "
+            \<dots> = \<V> (?\<phi>'' g) (\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> \<V> (?\<phi>'' g) A \<bullet> \<V> (?\<phi>'' g) B"
+            by (metis \<V>_is_wff_denotation_function wff_app_denotation wffs_of_type_intros(1))
+          finally show ?thesis
+            using that and is_assg_\<phi>'' and \<V>_is_wff_denotation_function by auto
+        qed
+        moreover from assms have "is_assignment ?\<phi>'"
+          by auto
+        with \<open>\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B \<in> wffs\<^bsub>o\<^esub>\<close> have "
+          \<V> ?\<phi>' (\<lambda>\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B) = (\<^bold>\<lambda>g \<^bold>: \<D> (o\<rightarrow>o\<rightarrow>o)\<^bold>. \<V> (?\<phi>'' g) (\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B))"
+          using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by simp
+        ultimately show ?thesis
+          using vlambda_extensionality by fastforce
+      qed
+      \<comment> \<open>Proof of \<open>leq\<close>:\<close>
+      show "\<V> ?\<phi>' ?B\<^sub>l\<^sub>e\<^sub>q = (\<^bold>\<lambda>g \<^bold>: \<D> (o\<rightarrow>o\<rightarrow>o)\<^bold>. g \<bullet> \<^bold>T \<bullet> \<^bold>T)"
+      proof -
+        have "\<V> (?\<phi>'' g) T\<^bsub>o\<^esub> = \<^bold>T" if "g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))" for g
+          using that and is_assg_\<phi>'' and prop_5401_c by simp
+        then show ?thesis
+          using side_eq_denotation and true_wff and vlambda_extensionality by fastforce
+      qed
+      \<comment> \<open>Proof of \<open>req\<close>:\<close>
+      show "\<V> ?\<phi>' ?B\<^sub>r\<^sub>e\<^sub>q = (\<^bold>\<lambda>g \<^bold>: \<D> (o\<rightarrow>o\<rightarrow>o)\<^bold>. g \<bullet> x \<bullet> y)"
+      proof -
+        from is_assg_\<phi>'' have "\<V> (?\<phi>'' g) (\<xx>\<^bsub>o\<^esub>) = x" and "\<V> (?\<phi>'' g) (\<yy>\<^bsub>o\<^esub>) = y"
+          if "g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))" for g
+          using that and \<V>_is_wff_denotation_function by auto
+        with side_eq_denotation show ?thesis
+          using wffs_of_type_intros(1) and vlambda_extensionality by fastforce
+      qed
+    qed
+    then show ?thesis
+      by auto
+  qed
+  also have "\<dots> \<longleftrightarrow> (\<forall>g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o)). g \<bullet> \<^bold>T \<bullet> \<^bold>T = g \<bullet> x \<bullet> y)"
+    using vlambda_extensionality and VLambda_eq_D2 by fastforce
+  finally have and_eqv: "
+    \<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = \<^bold>T \<longleftrightarrow> (\<forall>g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o)). g \<bullet> \<^bold>T \<bullet> \<^bold>T = g \<bullet> x \<bullet> y)"
+    by blast
+  then show ?thesis
+  proof -
+    from assms(1,2) have is_assg_1: "\<phi>((\<xx>, o) := \<^bold>T) \<leadsto> \<D>"
+      by (simp add: truth_values_domain_def)
+    then have is_assg_2: "\<phi>((\<xx>, o) := \<^bold>T, (\<yy>, o) := \<^bold>T) \<leadsto> \<D>"
+      unfolding is_assignment_def by (metis fun_upd_apply prod.sel(2))
+    from assms consider (a) "x = \<^bold>T \<and> y = \<^bold>T" | (b) "x \<noteq> \<^bold>T" | (c) "y \<noteq> \<^bold>T"
+      by blast
+    then show ?thesis
+    proof cases
+      case a
+      then have "g \<bullet> \<^bold>T \<bullet> \<^bold>T = g \<bullet> x \<bullet> y" if "g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))" for g
+        by simp
+      with a and and_eqv show ?thesis
+        by simp
+    next
+      case b
+      let ?g_witness = "\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>"
+      have "\<lambda>\<yy>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+        by blast
+      then have "is_closed_wff_of_type ?g_witness (o\<rightarrow>o\<rightarrow>o)"
+        by force
+      moreover from assms have is_assg_\<phi>': "?\<phi>' \<leadsto> \<D>"
+        by simp
+      ultimately have "\<V> \<phi> ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T = \<V> ?\<phi>' ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T"
+        using assms(1) and closed_wff_is_meaningful_regardless_of_assignment by metis
+      also from assms and \<open>\<lambda>\<yy>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> have "
+        \<V> ?\<phi>' ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T = \<V> (?\<phi>'((\<xx>, o) := \<^bold>T)) (\<lambda>\<yy>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<bullet> \<^bold>T"
+        using mixed_beta_conversion and truth_values_domain_def by auto
+      also from assms(1) and \<open>\<lambda>\<yy>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> and is_assg_1 and calculation have "
+        \<dots> = \<V> (?\<phi>'((\<xx>, o) := \<^bold>T, (\<yy>, o) := \<^bold>T)) (\<xx>\<^bsub>o\<^esub>)"
+        using mixed_beta_conversion and is_assignment_def
+        by (metis fun_upd_same fun_upd_twist fun_upd_upd wffs_of_type_intros(1))
+      also have "\<dots> = \<^bold>T"
+        using is_assg_2 and \<V>_is_wff_denotation_function by fastforce
+      finally have "\<V> \<phi> ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T = \<^bold>T" .
+      with b have "\<V> \<phi> ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T \<noteq> x"
+        by blast
+      moreover have "x = \<V> \<phi> ?g_witness \<bullet> x \<bullet> y"
+      proof -
+        from is_assg_\<phi>' have "x = \<V> ?\<phi>' (\<xx>\<^bsub>o\<^esub>)"
+          using \<V>_is_wff_denotation_function by auto
+        also from assms(2) and is_assg_\<phi>' have "\<dots> = \<V> ?\<phi>' (\<lambda>\<yy>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>) \<bullet> y"
+          using wffs_of_type_intros(1)[where x = \<xx> and \<alpha> = o]
+          by (simp add: mixed_beta_conversion \<V>_is_wff_denotation_function)
+        also from assms(2) have "\<dots> = \<V> ?\<phi>' ?g_witness \<bullet> x \<bullet> y"
+          using is_assg_\<phi>' and \<open>\<lambda>\<yy>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close>
+          by (simp add: mixed_beta_conversion fun_upd_twist)
+        also from assms(1,2) have "\<dots> = \<V> \<phi> ?g_witness \<bullet> x \<bullet> y"
+          using is_assg_\<phi>' and \<open>is_closed_wff_of_type ?g_witness (o\<rightarrow>o\<rightarrow>o)\<close>
+          and closed_wff_is_meaningful_regardless_of_assignment by metis
+        finally show ?thesis .
+      qed
+      moreover from assms(1,2) have "\<V> \<phi> ?g_witness \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))"
+        using \<open>is_closed_wff_of_type ?g_witness (o\<rightarrow>o\<rightarrow>o)\<close> and \<V>_is_wff_denotation_function by simp
+      ultimately have "\<exists>g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o)). g \<bullet> \<^bold>T \<bullet> \<^bold>T \<noteq> g \<bullet> x \<bullet> y"
+        by auto
+      moreover from assms have "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y \<in> elts (\<D> o)"
+        by (rule fully_applied_conj_fun_is_domain_respecting)
+      ultimately have "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = \<^bold>F"
+        using and_eqv and truth_values_domain_def by fastforce
+      with b show ?thesis
+        by simp
+    next
+      case c
+      let ?g_witness = "\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. \<yy>\<^bsub>o\<^esub>"
+      have "\<lambda>\<yy>\<^bsub>o\<^esub>. \<yy>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+        by blast
+      then have "is_closed_wff_of_type ?g_witness (o\<rightarrow>o\<rightarrow>o)"
+        by force
+      moreover from assms(1,2) have is_assg_\<phi>': "?\<phi>' \<leadsto> \<D>"
+        by simp
+      ultimately have "\<V> \<phi> ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T = \<V> ?\<phi>' ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T"
+        using assms(1) and closed_wff_is_meaningful_regardless_of_assignment by metis
+      also from is_assg_1 and is_assg_\<phi>' have "\<dots> = \<V> (?\<phi>'((\<xx>, o) := \<^bold>T)) (\<lambda>\<yy>\<^bsub>o\<^esub>. \<yy>\<^bsub>o\<^esub>) \<bullet> \<^bold>T"
+        using \<open>\<lambda>\<yy>\<^bsub>o\<^esub>. \<yy>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> and mixed_beta_conversion and truth_values_domain_def by auto
+      also from assms(1) and \<open>\<lambda>\<yy>\<^bsub>o\<^esub>. \<yy>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> and is_assg_1 and calculation have "
+        \<dots> = \<V> (?\<phi>'((\<xx>, o) := \<^bold>T, (\<yy>, o) := \<^bold>T)) (\<yy>\<^bsub>o\<^esub>)"
+        using mixed_beta_conversion and is_assignment_def
+        by (metis fun_upd_same fun_upd_twist fun_upd_upd wffs_of_type_intros(1))
+      also have "\<dots> = \<^bold>T"
+        using is_assg_2 and \<V>_is_wff_denotation_function by force
+      finally have "\<V> \<phi> ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T = \<^bold>T" .
+      with c have "\<V> \<phi> ?g_witness \<bullet> \<^bold>T \<bullet> \<^bold>T \<noteq> y"
+        by blast
+      moreover have "y = \<V> \<phi> ?g_witness \<bullet> x \<bullet> y"
+      proof -
+        from assms(2) and is_assg_\<phi>' have "y = \<V> ?\<phi>' (\<lambda>\<yy>\<^bsub>o\<^esub>. \<yy>\<^bsub>o\<^esub>) \<bullet> y"
+          using wffs_of_type_intros(1)[where x = \<yy> and \<alpha> = o]
+          and \<V>_is_wff_denotation_function and mixed_beta_conversion by auto
+        also from assms(2) and \<open>\<lambda>\<yy>\<^bsub>o\<^esub>. \<yy>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> have "\<dots> = \<V> ?\<phi>' ?g_witness \<bullet> x \<bullet> y"
+          using is_assg_\<phi>' by (simp add: mixed_beta_conversion fun_upd_twist)
+        also from assms(1,2) have "\<dots> = \<V> \<phi> ?g_witness \<bullet> x \<bullet> y"
+          using is_assg_\<phi>' and \<open>is_closed_wff_of_type ?g_witness (o\<rightarrow>o\<rightarrow>o)\<close>
+          and closed_wff_is_meaningful_regardless_of_assignment by metis
+        finally show ?thesis .
+      qed
+      moreover from assms(1) have "\<V> \<phi> ?g_witness \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o))"
+        using \<open>is_closed_wff_of_type ?g_witness (o\<rightarrow>o\<rightarrow>o)\<close> and \<V>_is_wff_denotation_function by auto
+      ultimately have "\<exists>g \<in> elts (\<D> (o\<rightarrow>o\<rightarrow>o)). g \<bullet> \<^bold>T \<bullet> \<^bold>T \<noteq> g \<bullet> x \<bullet> y"
+        by auto
+      moreover from assms have "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y \<in> elts (\<D> o)"
+        by (rule fully_applied_conj_fun_is_domain_respecting)
+      ultimately have "\<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = \<^bold>F"
+        using and_eqv and truth_values_domain_def by fastforce
+      with c show ?thesis
+        by simp
+    qed
+  qed
+qed
+
+corollary (in general_model) prop_5401_e':
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<V> \<phi> (A \<and>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<and> \<V> \<phi> B"
+proof -
+  from assms have "{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts (\<D> o)"
+    using \<V>_is_wff_denotation_function by simp
+  from assms(2) have "\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by blast
+  have "\<V> \<phi> (A \<and>\<^sup>\<Q> B) = \<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B)"
+    by simp
+  also from assms have "\<dots> = \<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A) \<bullet> \<V> \<phi> B"
+    using \<V>_is_wff_denotation_function and \<open>\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> by blast
+  also from assms have "\<dots> = \<V> \<phi> (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> \<V> \<phi> A \<bullet> \<V> \<phi> B"
+    using \<V>_is_wff_denotation_function and conj_fun_wff by fastforce
+  also from assms(1,2) have "\<dots> = (if \<V> \<phi> A = \<^bold>T \<and> \<V> \<phi> B = \<^bold>T then \<^bold>T else \<^bold>F)"
+    using \<open>{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts (\<D> o)\<close> and prop_5401_e by simp
+  also have "\<dots> = \<V> \<phi> A \<^bold>\<and> \<V> \<phi> B"
+    using truth_values_domain_def and \<open>{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts (\<D> o)\<close> by fastforce
+  finally show ?thesis .
+qed
+
+lemma (in general_model) prop_5401_f:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "{x, y} \<subseteq> elts (\<D> o)"
+  shows "\<V> \<phi> (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = (if x = \<^bold>T \<and> y = \<^bold>F then \<^bold>F else \<^bold>T)"
+proof -
+  let ?\<phi>' = "\<phi>((\<xx>, o) := x, (\<yy>, o) := y)"
+  from assms(2) have "{x, y} \<subseteq> elts \<bool>"
+    unfolding truth_values_domain_def .
+  have "(\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<^esub>"
+    by blast
+  then have "\<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by blast
+  from assms have is_assg_\<phi>': "?\<phi>' \<leadsto> \<D>"
+    by simp
+  from assms(1) have "\<V> ?\<phi>' (\<xx>\<^bsub>o\<^esub>) = x" and "\<V> ?\<phi>' (\<yy>\<^bsub>o\<^esub>) = y"
+    using is_assg_\<phi>' and \<V>_is_wff_denotation_function by force+
+  have "\<V> \<phi> (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = \<V> \<phi> (\<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<bullet> x \<bullet> y"
+    by simp
+  also from assms have "\<dots> = \<V> (\<phi>((\<xx>, o) := x)) (\<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)) \<bullet> y"
+    using \<open>\<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> and mixed_beta_conversion by simp
+  also from assms have "\<dots> = \<V> ?\<phi>' (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+    using mixed_beta_conversion and \<open>(\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>) \<in> wffs\<^bsub>o\<^esub>\<close> by simp
+  finally have "\<V> \<phi> (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> x \<bullet> y = \<^bold>T \<longleftrightarrow> \<V> ?\<phi>' (\<xx>\<^bsub>o\<^esub>) = \<V> ?\<phi>' (\<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+    using prop_5401_b'[OF is_assg_\<phi>'] and conj_op_wff and wffs_of_type_intros(1) by simp
+  also have "\<dots> \<longleftrightarrow> x = x \<^bold>\<and> y"
+    unfolding prop_5401_e'[OF is_assg_\<phi>' wffs_of_type_intros(1) wffs_of_type_intros(1)]
+    and \<open>\<V> ?\<phi>' (\<xx>\<^bsub>o\<^esub>) = x\<close> and \<open>\<V> ?\<phi>' (\<yy>\<^bsub>o\<^esub>) = y\<close> ..
+  also have "\<dots> \<longleftrightarrow> x = (if x = \<^bold>T \<and> y = \<^bold>T then \<^bold>T else \<^bold>F)"
+    using \<open>{x, y} \<subseteq> elts \<bool>\<close> by auto
+  also have "\<dots> \<longleftrightarrow> \<^bold>T = (if x = \<^bold>T \<and> y = \<^bold>F then \<^bold>F else \<^bold>T)"
+    using \<open>{x, y} \<subseteq> elts \<bool>\<close> by auto
+  finally show ?thesis
+    using assms and fully_applied_imp_fun_denotation_is_domain_respecting and tv_cases
+    and truth_values_domain_def by metis
+qed
+
+corollary (in general_model) prop_5401_f':
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<V> \<phi> (A \<supset>\<^sup>\<Q> B) = \<V> \<phi> A \<^bold>\<supset> \<V> \<phi> B"
+proof -
+  from assms have "{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts (\<D> o)"
+    using \<V>_is_wff_denotation_function by simp
+  from assms(2) have "\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>"
+    by blast
+  have "\<V> \<phi> (A \<supset>\<^sup>\<Q> B) = \<V> \<phi> (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B)"
+    by simp
+  also from assms(1,3) have "\<dots> = \<V> \<phi> (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A) \<bullet> \<V> \<phi> B"
+    using \<V>_is_wff_denotation_function and \<open>\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<in> wffs\<^bsub>o\<rightarrow>o\<^esub>\<close> by blast
+  also from assms have "\<dots> = \<V> \<phi> (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>) \<bullet> \<V> \<phi> A \<bullet> \<V> \<phi> B"
+    using \<V>_is_wff_denotation_function and imp_fun_wff by fastforce
+  also from assms have "\<dots> = (if \<V> \<phi> A = \<^bold>T \<and> \<V> \<phi> B = \<^bold>F then \<^bold>F else \<^bold>T)"
+    using \<open>{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts (\<D> o)\<close> and prop_5401_f by simp
+  also have "\<dots> = \<V> \<phi> A \<^bold>\<supset> \<V> \<phi> B"
+    using truth_values_domain_def and \<open>{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts (\<D> o)\<close> by auto
+  finally show ?thesis .
+qed
+
+lemma (in general_model) forall_denotation:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<V> \<phi> (\<forall>x\<^bsub>\<alpha>\<^esub>. A) = \<^bold>T \<longleftrightarrow> (\<forall>z \<in> elts (\<D> \<alpha>). \<V> (\<phi>((x, \<alpha>) := z)) A = \<^bold>T)"
+proof -
+  from assms(1) have lhs: "\<V> \<phi> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) \<bullet> z = \<^bold>T" if "z \<in> elts (\<D> \<alpha>)" for z
+    using prop_5401_c and mixed_beta_conversion and that and true_wff by simp
+  from assms have rhs: "\<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) \<bullet> z = \<V> (\<phi>((x, \<alpha>) := z)) A" if "z \<in> elts (\<D> \<alpha>)" for z
+    using that by (simp add: mixed_beta_conversion)
+  from assms(2) have "\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> \<in> wffs\<^bsub>\<alpha>\<rightarrow>o\<^esub>" and "\<lambda>x\<^bsub>\<alpha>\<^esub>. A \<in> wffs\<^bsub>\<alpha>\<rightarrow>o\<^esub>"
+    by auto
+  have "\<V> \<phi> (\<forall>x\<^bsub>\<alpha>\<^esub>. A) = \<V> \<phi> (\<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A))"
+    unfolding forall_def ..
+  also have "\<dots> = \<V> \<phi> (Q\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) \<sqdot> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A))"
+    unfolding PI_def ..
+  also have "\<dots> = \<V> \<phi> ((\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>\<alpha>\<rightarrow>o\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A))"
+    unfolding equality_of_type_def ..
+  finally have "\<V> \<phi> (\<forall>x\<^bsub>\<alpha>\<^esub>. A) = \<V> \<phi> ((\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>\<alpha>\<rightarrow>o\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A))" .
+  moreover from assms(1,2) have "
+    \<V> \<phi> ((\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) =\<^bsub>\<alpha>\<rightarrow>o\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)) = \<^bold>T \<longleftrightarrow> \<V> \<phi> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) = \<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+    using \<open>\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> \<in> wffs\<^bsub>\<alpha>\<rightarrow>o\<^esub>\<close> and \<open>\<lambda>x\<^bsub>\<alpha>\<^esub>. A \<in> wffs\<^bsub>\<alpha>\<rightarrow>o\<^esub>\<close> and prop_5401_b by blast
+  moreover
+  have "(\<V> \<phi> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) = \<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)) \<longleftrightarrow> (\<forall>z \<in> elts (\<D> \<alpha>). \<V> (\<phi>((x, \<alpha>) := z)) A = \<^bold>T)"
+  proof
+    assume "\<V> \<phi> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) = \<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+    with lhs and rhs show "\<forall>z \<in> elts (\<D> \<alpha>). \<V> (\<phi>((x, \<alpha>) := z)) A = \<^bold>T"
+      by auto
+  next
+    assume "\<forall>z \<in> elts (\<D> \<alpha>). \<V> (\<phi>((x, \<alpha>) := z)) A = \<^bold>T"
+    moreover from assms have "\<V> \<phi> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) = (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V> (\<phi>((\<xx>, \<alpha>) := z)) T\<^bsub>o\<^esub>)"
+      using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by blast
+    moreover from assms have "\<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = (\<^bold>\<lambda>z \<^bold>: \<D> \<alpha>\<^bold>. \<V> (\<phi>((x, \<alpha>) := z)) A)"
+      using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by blast
+    ultimately show "\<V> \<phi> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>) = \<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+      using lhs and vlambda_extensionality by fastforce
+  qed
+  ultimately show ?thesis
+    by (simp only:)
+qed
+
+lemma prop_5401_g:
+  assumes "is_general_model \<M>"
+  and "\<phi> \<leadsto>\<^sub>M \<M>"
+  and "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> \<forall>x\<^bsub>\<alpha>\<^esub>. A \<longleftrightarrow> (\<forall>\<psi>. \<psi> \<leadsto>\<^sub>M \<M> \<and> \<psi> \<sim>\<^bsub>(x, \<alpha>)\<^esub> \<phi> \<longrightarrow> \<M> \<Turnstile>\<^bsub>\<psi>\<^esub> A)"
+proof -
+  obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+    using prod_cases3 by blast
+  with assms have "
+    \<M> \<Turnstile>\<^bsub>\<phi>\<^esub> \<forall>x\<^bsub>\<alpha>\<^esub>. A
+    \<longleftrightarrow>
+    \<forall>x\<^bsub>\<alpha>\<^esub>. A \<in> wffs\<^bsub>o\<^esub> \<and> is_general_model (\<D>, \<J>, \<V>) \<and> \<phi> \<leadsto> \<D> \<and> \<V> \<phi> (\<forall>x\<^bsub>\<alpha>\<^esub>. A) = \<^bold>T"
+    by fastforce
+  also from assms and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<dots> \<longleftrightarrow> (\<forall>z \<in> elts (\<D> \<alpha>). \<V> (\<phi>((x, \<alpha>) := z)) A = \<^bold>T)"
+    using general_model.forall_denotation by fastforce
+  also have "\<dots> \<longleftrightarrow> (\<forall>\<psi>. \<psi> \<leadsto> \<D> \<and> \<psi> \<sim>\<^bsub>(x, \<alpha>)\<^esub> \<phi> \<longrightarrow> \<M> \<Turnstile>\<^bsub>\<psi>\<^esub> A)"
+  proof
+    assume *: "\<forall>z \<in> elts (\<D> \<alpha>). \<V> (\<phi>((x, \<alpha>) := z)) A = \<^bold>T"
+    {
+      fix \<psi>
+      assume "\<psi> \<leadsto> \<D>" and "\<psi> \<sim>\<^bsub>(x, \<alpha>)\<^esub> \<phi>"
+      have "\<V> \<psi> A = \<^bold>T"
+      proof -
+        have "\<exists>z \<in> elts (\<D> \<alpha>). \<psi> = \<phi>((x, \<alpha>) := z)"
+        proof (rule ccontr)
+          assume "\<not> (\<exists>z \<in> elts (\<D> \<alpha>). \<psi> = \<phi>((x, \<alpha>) := z))"
+          with \<open>\<psi> \<sim>\<^bsub>(x, \<alpha>)\<^esub> \<phi>\<close> have "\<forall>z \<in> elts (\<D> \<alpha>). \<psi> (x, \<alpha>) \<noteq> z"
+            by fastforce
+          then have "\<psi> (x, \<alpha>) \<notin> elts (\<D> \<alpha>)"
+            by blast
+          moreover from assms(1) and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>\<psi> \<leadsto> \<D>\<close> have "\<psi> (x, \<alpha>) \<in> elts (\<D> \<alpha>)"
+            using general_model_def and premodel_def and frame.is_assignment_def by auto
+          ultimately show False
+            by simp
+        qed
+        with * show ?thesis
+          by fastforce
+      qed
+      with assms(1) and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<M> \<Turnstile>\<^bsub>\<psi>\<^esub> A"
+        by simp
+    }
+    then show "\<forall>\<psi>. \<psi> \<leadsto> \<D> \<and> \<psi> \<sim>\<^bsub>(x, \<alpha>)\<^esub> \<phi> \<longrightarrow> \<M> \<Turnstile>\<^bsub>\<psi>\<^esub> A"
+      by blast
+  next
+    assume *: "\<forall>\<psi>. \<psi> \<leadsto> \<D> \<and> \<psi> \<sim>\<^bsub>(x, \<alpha>)\<^esub> \<phi> \<longrightarrow> \<M> \<Turnstile>\<^bsub>\<psi>\<^esub> A"
+    show "\<forall>z \<in> elts (\<D> \<alpha>). \<V> (\<phi>((x, \<alpha>) := z)) A = \<^bold>T"
+    proof
+      fix z
+      assume "z \<in> elts (\<D> \<alpha>)"
+      with assms(1,2) and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<phi>((x, \<alpha>) := z) \<leadsto> \<D>"
+        using general_model_def and premodel_def and frame.is_assignment_def by auto
+      moreover have "\<phi>((x, \<alpha>) := z) \<sim>\<^bsub>(x, \<alpha>)\<^esub> \<phi>"
+        by simp
+      ultimately have "\<M> \<Turnstile>\<^bsub>\<phi>((x, \<alpha>) := z)\<^esub> A"
+        using * by blast
+      with assms(1) and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>\<phi>((x, \<alpha>) := z) \<leadsto> \<D>\<close> show "\<V> (\<phi>((x, \<alpha>) := z)) A = \<^bold>T"
+        by simp
+    qed
+  qed
+  finally show ?thesis
+    using \<open>\<M> = (\<D>, \<J>, \<V>)\<close>
+    by simp
+qed
+
+lemma (in general_model) axiom_1_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  shows "\<V> \<phi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>) = \<^bold>T" (is "\<V> \<phi> (?A \<equiv>\<^sup>\<Q> ?B) = \<^bold>T")
+proof -
+  let ?\<M> = "(\<D>, \<J>, \<V>)"
+  from assms have *: "is_general_model ?\<M>" "\<phi> \<leadsto>\<^sub>M ?\<M>"
+    using general_model_axioms by blast+
+  have "?A \<equiv>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_1 and axioms_are_wffs_of_type_o by blast
+  have lhs: "\<V> \<phi> ?A = \<phi> (\<gg>, o\<rightarrow>o) \<bullet> \<^bold>T \<^bold>\<and> \<phi> (\<gg>, o\<rightarrow>o) \<bullet> \<^bold>F"
+  proof -
+    have "\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>" and "\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+      by blast+
+    with assms have "\<V> \<phi> ?A = \<V> \<phi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub>) \<^bold>\<and> \<V> \<phi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub>)"
+      using prop_5401_e' by simp
+    also from assms have "\<dots> = \<phi> (\<gg>, o\<rightarrow>o) \<bullet> \<V> \<phi> (T\<^bsub>o\<^esub>) \<^bold>\<and> \<phi> (\<gg>, o\<rightarrow>o) \<bullet> \<V> \<phi> (F\<^bsub>o\<^esub>)"
+      using wff_app_denotation[OF \<V>_is_wff_denotation_function]
+      and wff_var_denotation[OF \<V>_is_wff_denotation_function]
+      by (metis false_wff true_wff wffs_of_type_intros(1))
+    finally show ?thesis
+      using assms and prop_5401_c and prop_5401_d by simp
+  qed
+  have "\<V> \<phi> (?A \<equiv>\<^sup>\<Q> ?B) = \<^bold>T"
+  proof (cases "\<forall>z \<in> elts (\<D> o). \<phi> (\<gg>, o\<rightarrow>o) \<bullet> z = \<^bold>T")
+    case True
+    with assms have "\<phi> (\<gg>, o\<rightarrow>o) \<bullet> \<^bold>T = \<^bold>T" and "\<phi> (\<gg>, o\<rightarrow>o) \<bullet> \<^bold>F = \<^bold>T"
+      using truth_values_domain_def by auto
+    with lhs have "\<V> \<phi> ?A = \<^bold>T \<^bold>\<and> \<^bold>T"
+      by (simp only:)
+    also have "\<dots> = \<^bold>T"
+      by simp
+    finally have "\<V> \<phi> ?A = \<^bold>T" .
+    moreover have "\<V> \<phi> ?B = \<^bold>T"
+    proof -
+      have "\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+        by blast
+      moreover
+      {
+        fix \<psi>
+        assume "\<psi> \<leadsto> \<D>" and "\<psi> \<sim>\<^bsub>(\<xx>, o)\<^esub> \<phi>"
+        with assms have "\<V> \<psi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>) = \<V> \<psi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub>) \<bullet> \<V> \<psi> (\<xx>\<^bsub>o\<^esub>)"
+          using \<V>_is_wff_denotation_function by blast
+        also from \<open>\<psi> \<leadsto> \<D>\<close> have "\<dots> = \<psi> (\<gg>, o\<rightarrow>o) \<bullet> \<psi> (\<xx>, o)"
+          using \<V>_is_wff_denotation_function by auto
+        also from \<open>\<psi> \<sim>\<^bsub>(\<xx>, o)\<^esub> \<phi>\<close> have "\<dots> = \<phi> (\<gg>, o\<rightarrow>o) \<bullet> \<psi> (\<xx>, o)"
+          by simp
+        also from True and \<open>\<psi> \<leadsto> \<D>\<close> have "\<dots> = \<^bold>T"
+          by blast
+        finally have "\<V> \<psi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>) = \<^bold>T" .
+        with assms and \<open>\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>\<close> have "?\<M> \<Turnstile>\<^bsub>\<psi>\<^esub> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>"
+          by simp
+      }
+      ultimately have "?\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?B"
+        using assms and * and prop_5401_g by auto
+      with *(2) show ?thesis
+        by simp
+    qed
+    ultimately show ?thesis
+      using assms and prop_5401_b' and wffs_from_equivalence[OF \<open>?A \<equiv>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>\<close>] by simp
+  next
+    case False
+    then have "\<exists>z \<in> elts (\<D> o). \<phi> (\<gg>, o\<rightarrow>o) \<bullet> z \<noteq> \<^bold>T"
+      by blast
+    moreover from * have "\<forall>z \<in> elts (\<D> o). \<phi> (\<gg>, o\<rightarrow>o) \<bullet> z \<in> elts (\<D> o)"
+      using app_is_domain_respecting by blast
+    ultimately obtain z where "z \<in> elts (\<D> o)" and "\<phi> (\<gg>, o\<rightarrow>o) \<bullet> z = \<^bold>F"
+      using truth_values_domain_def by auto
+    define \<psi> where \<psi>_def: "\<psi> = \<phi>((\<xx>, o) := z)"
+    with * and \<open>z \<in> elts (\<D> o)\<close> have "\<psi> \<leadsto> \<D>"
+      by simp
+    then have "\<V> \<psi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>) = \<V> \<psi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub>) \<bullet> \<V> \<psi> (\<xx>\<^bsub>o\<^esub>)"
+      using \<V>_is_wff_denotation_function by blast
+    also from \<open>\<psi> \<leadsto> \<D>\<close> have "\<dots> = \<psi> (\<gg>, o\<rightarrow>o) \<bullet> \<psi> (\<xx>, o)"
+      using \<V>_is_wff_denotation_function by auto
+    also from \<psi>_def have "\<dots> = \<phi> (\<gg>, o\<rightarrow>o) \<bullet> z"
+      by simp
+    also have "\<dots> = \<^bold>F"
+      unfolding \<open>\<phi> (\<gg>, o\<rightarrow>o) \<bullet> z = \<^bold>F\<close> ..
+    finally have "\<V> \<psi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>) = \<^bold>F" .
+    with \<open>\<psi> \<leadsto> \<D>\<close> have "\<not> ?\<M> \<Turnstile>\<^bsub>\<psi>\<^esub> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>"
+      by (auto simp add: inj_eq)
+    with \<open>\<psi> \<leadsto> \<D>\<close> and \<psi>_def have "\<not> (\<forall>\<psi>. \<psi> \<leadsto> \<D> \<and> \<psi> \<sim>\<^bsub>(\<xx>, o)\<^esub> \<phi> \<longrightarrow> ?\<M> \<Turnstile>\<^bsub>\<psi>\<^esub> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>)"
+      using fun_upd_other by fastforce
+    with \<open>\<not> ?\<M> \<Turnstile>\<^bsub>\<psi>\<^esub> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>\<close> have "\<not> ?\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?B"
+      using prop_5401_g[OF * wffs_from_forall[OF wffs_from_equivalence(2)[OF \<open>?A \<equiv>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>\<close>]]]
+      by blast
+    then have "\<V> \<phi> (\<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>) \<noteq> \<^bold>T"
+      by simp
+    moreover from assms have "\<V> \<phi> ?B \<in> elts (\<D> o)"
+      using wffs_from_equivalence[OF \<open>?A \<equiv>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>\<close>] and \<V>_is_wff_denotation_function by auto
+    ultimately have "\<V> \<phi> ?B = \<^bold>F"
+      by (simp add: truth_values_domain_def)
+    moreover have "\<V> \<phi> (\<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub>) = \<^bold>F"
+    proof -
+      from \<open>z \<in> elts (\<D> o)\<close> and \<open>\<phi> (\<gg>, o\<rightarrow>o) \<bullet> z = \<^bold>F\<close>
+      have "((\<phi> (\<gg>, o\<rightarrow>o)) \<bullet> \<^bold>T) = \<^bold>F \<or> ((\<phi> (\<gg>, o\<rightarrow>o)) \<bullet> \<^bold>F) = \<^bold>F"
+        using truth_values_domain_def by fastforce
+      moreover from \<open>z \<in> elts (\<D> o)\<close> and \<open>\<phi> (\<gg>, o\<rightarrow>o) \<bullet> z = \<^bold>F\<close>
+        and \<open>\<forall>z \<in> elts (\<D> o). \<phi> (\<gg>, o\<rightarrow>o) \<bullet> z \<in> elts (\<D> o)\<close>
+      have "{(\<phi> (\<gg>, o\<rightarrow>o)) \<bullet> \<^bold>T, (\<phi> (\<gg>, o\<rightarrow>o)) \<bullet> \<^bold>F} \<subseteq> elts (\<D> o)"
+        by (simp add: truth_values_domain_def)
+      ultimately have "((\<phi> (\<gg>, o\<rightarrow>o)) \<bullet> \<^bold>T) \<^bold>\<and> ((\<phi> (\<gg>, o\<rightarrow>o)) \<bullet> \<^bold>F) = \<^bold>F"
+        by auto
+      with lhs show ?thesis
+        by (simp only:)
+    qed
+    ultimately show ?thesis
+      using assms and prop_5401_b' and wffs_from_equivalence[OF \<open>?A \<equiv>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>\<close>] by simp
+  qed
+  then show ?thesis .
+qed
+
+lemma axiom_1_validity:
+  shows "\<Turnstile> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<forall>\<xx>\<^bsub>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub>" (is "\<Turnstile> ?A \<equiv>\<^sup>\<Q> ?B")
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?A \<equiv>\<^sup>\<Q> ?B"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> (?A \<equiv>\<^sup>\<Q> ?B) = \<^bold>T"
+      using general_model.axiom_1_validity_aux by simp
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma (in general_model) axiom_2_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  shows "\<V> \<phi> ((\<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<alpha>\<^esub> \<yy>\<^bsub>\<alpha>\<^esub>) \<supset>\<^sup>\<Q> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> \<equiv>\<^sup>\<Q> \<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>)) = \<^bold>T" (is "\<V> \<phi> (?A \<supset>\<^sup>\<Q> ?B) = \<^bold>T")
+proof -
+  have "?A \<supset>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_2 and axioms_are_wffs_of_type_o by blast
+  from \<open>?A \<supset>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>\<close> have "?A \<in> wffs\<^bsub>o\<^esub>" and "?B \<in> wffs\<^bsub>o\<^esub>"
+    using wffs_from_imp_op by blast+
+  with assms have "\<V> \<phi> (?A \<supset>\<^sup>\<Q> ?B) = \<V> \<phi> ?A \<^bold>\<supset> \<V> \<phi> ?B"
+    using prop_5401_f' by simp
+  moreover from assms and \<open>?A \<in> wffs\<^bsub>o\<^esub>\<close> and \<open>?B \<in> wffs\<^bsub>o\<^esub>\<close> have "{\<V> \<phi> ?A, \<V> \<phi> ?B} \<subseteq> elts (\<D> o)"
+    using \<V>_is_wff_denotation_function by simp
+  then have "{\<V> \<phi> ?A, \<V> \<phi> ?B} \<subseteq> elts \<bool>"
+    by (simp add: truth_values_domain_def)
+  ultimately have \<V>_imp_T: "\<V> \<phi> (?A \<supset>\<^sup>\<Q> ?B) = \<^bold>T \<longleftrightarrow> \<V> \<phi> ?A = \<^bold>F \<or> \<V> \<phi> ?B = \<^bold>T"
+    by fastforce
+  then show ?thesis
+  proof (cases "\<phi> (\<xx>, \<alpha>) = \<phi> (\<yy>, \<alpha>)")
+    case True
+    from assms and \<open>?B \<in> wffs\<^bsub>o\<^esub>\<close> have "\<V> \<phi> ?B = \<^bold>T \<longleftrightarrow> \<V> \<phi> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<V> \<phi> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>)"
+      using wffs_from_equivalence and prop_5401_b' by metis
+    moreover have "\<V> \<phi> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<V> \<phi> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>)"
+    proof -
+      from assms and \<open>?B \<in> wffs\<^bsub>o\<^esub>\<close> have "\<V> \<phi> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<V> \<phi> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub>) \<bullet> \<V> \<phi> (\<xx>\<^bsub>\<alpha>\<^esub>)"
+        using \<V>_is_wff_denotation_function by blast
+      also from assms have "\<dots> = \<phi> (\<hh>, \<alpha>\<rightarrow>o) \<bullet> \<phi> (\<xx>, \<alpha>)"
+        using \<V>_is_wff_denotation_function by auto
+      also from True have "\<dots> = \<phi> (\<hh>, \<alpha>\<rightarrow>o) \<bullet> \<phi> (\<yy>, \<alpha>)"
+        by (simp only:)
+      also from assms have "\<dots> = \<V> \<phi> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub>) \<bullet> \<V> \<phi> (\<yy>\<^bsub>\<alpha>\<^esub>)"
+        using \<V>_is_wff_denotation_function by auto
+      also from assms and \<open>?B \<in> wffs\<^bsub>o\<^esub>\<close> have "\<dots> = \<V> \<phi> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>)"
+        using wff_app_denotation[OF \<V>_is_wff_denotation_function] by (metis wffs_of_type_intros(1))
+      finally show ?thesis .
+    qed
+    ultimately show ?thesis
+      using \<V>_imp_T by simp
+  next
+    case False
+    from assms have "\<V> \<phi> ?A = \<^bold>T \<longleftrightarrow> \<V> \<phi> (\<xx>\<^bsub>\<alpha>\<^esub>) = \<V> \<phi> (\<yy>\<^bsub>\<alpha>\<^esub>)"
+      using prop_5401_b by blast
+    moreover from False and assms have "\<V> \<phi> (\<xx>\<^bsub>\<alpha>\<^esub>) \<noteq> \<V> \<phi> (\<yy>\<^bsub>\<alpha>\<^esub>)"
+      using \<V>_is_wff_denotation_function by auto
+    ultimately have "\<V> \<phi> ?A = \<^bold>F"
+      using assms and \<open>{\<V> \<phi> ?A, \<V> \<phi> ?B} \<subseteq> elts \<bool>\<close> by simp
+    then show ?thesis
+      using \<V>_imp_T by simp
+  qed
+qed
+
+lemma axiom_2_validity:
+  shows "\<Turnstile> (\<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<alpha>\<^esub> \<yy>\<^bsub>\<alpha>\<^esub>) \<supset>\<^sup>\<Q> (\<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> \<equiv>\<^sup>\<Q> \<hh>\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> \<yy>\<^bsub>\<alpha>\<^esub>)" (is "\<Turnstile> ?A \<supset>\<^sup>\<Q> ?B")
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?A \<supset>\<^sup>\<Q> ?B"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> (?A \<supset>\<^sup>\<Q> ?B) = \<^bold>T"
+      using general_model.axiom_2_validity_aux by simp
+    ultimately show ?thesis
+      by force
+  qed
+qed
+
+lemma (in general_model) axiom_3_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  shows "\<V> \<phi> ((\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<equiv>\<^sup>\<Q> \<forall>\<xx>\<^bsub>\<alpha>\<^esub>. (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)) = \<^bold>T"
+  (is "\<V> \<phi> (?A \<equiv>\<^sup>\<Q> ?B) = \<^bold>T")
+proof -
+  let ?\<M> = "(\<D>, \<J>, \<V>)"
+  from assms have *: "is_general_model ?\<M>" "\<phi> \<leadsto>\<^sub>M ?\<M>"
+    using general_model_axioms by blast+
+  have B'_wffo: "\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+    by blast
+  have "?A \<equiv>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>" and "?A \<in> wffs\<^bsub>o\<^esub>" and "?B \<in> wffs\<^bsub>o\<^esub>"
+  proof -
+    show "?A \<equiv>\<^sup>\<Q> ?B \<in> wffs\<^bsub>o\<^esub>"
+      using axioms.axiom_3 and axioms_are_wffs_of_type_o
+      by blast
+    then show "?A \<in> wffs\<^bsub>o\<^esub>" and "?B \<in> wffs\<^bsub>o\<^esub>"
+      by (blast dest: wffs_from_equivalence)+
+  qed
+  have "\<V> \<phi> ?A = \<V> \<phi> ?B"
+  proof (cases "\<phi> (\<ff>, \<alpha>\<rightarrow>\<beta>) = \<phi> (\<gg>, \<alpha>\<rightarrow>\<beta>)")
+    case True
+    have "\<V> \<phi> ?A = \<^bold>T"
+    proof -
+      from assms have "\<V> \<phi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) = \<phi> (\<ff>, \<alpha>\<rightarrow>\<beta>)"
+        using \<V>_is_wff_denotation_function by auto
+      also from True have "\<dots> = \<phi> (\<gg>, \<alpha>\<rightarrow>\<beta>)"
+        by (simp only:)
+      also from assms have "\<dots> = \<V> \<phi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>)"
+        using \<V>_is_wff_denotation_function by auto
+      finally have "\<V> \<phi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) = \<V> \<phi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>)" .
+      with assms show ?thesis
+        using prop_5401_b by blast
+    qed
+    moreover have "\<V> \<phi> ?B = \<^bold>T"
+    proof -
+      {
+        fix \<psi>
+        assume "\<psi> \<leadsto> \<D>" and "\<psi> \<sim>\<^bsub>(\<xx>, \<alpha>)\<^esub> \<phi>"
+        from assms and \<open>\<psi> \<leadsto> \<D>\<close> have "\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<bullet> \<V> \<psi> (\<xx>\<^bsub>\<alpha>\<^esub>)"
+          using \<V>_is_wff_denotation_function by blast
+        also from assms and \<open>\<psi> \<leadsto> \<D>\<close> have "\<dots> = \<psi> (\<ff>, \<alpha>\<rightarrow>\<beta>) \<bullet> \<psi> (\<xx>, \<alpha>)"
+          using \<V>_is_wff_denotation_function by auto
+        also from \<open>\<psi> \<sim>\<^bsub>(\<xx>, \<alpha>)\<^esub> \<phi>\<close> have "\<dots> = \<phi> (\<ff>, \<alpha>\<rightarrow>\<beta>) \<bullet> \<psi> (\<xx>, \<alpha>)"
+          by simp
+        also from True have "\<dots> = \<phi> (\<gg>, \<alpha>\<rightarrow>\<beta>) \<bullet> \<psi> (\<xx>, \<alpha>)"
+          by (simp only:)
+        also from \<open>\<psi> \<sim>\<^bsub>(\<xx>, \<alpha>)\<^esub> \<phi>\<close> have "\<dots> = \<psi> (\<gg>, \<alpha>\<rightarrow>\<beta>) \<bullet> \<psi> (\<xx>, \<alpha>)"
+          by simp
+        also from assms and \<open>\<psi> \<leadsto> \<D>\<close> have "\<dots> = \<V> \<psi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<bullet> \<V> \<psi> (\<xx>\<^bsub>\<alpha>\<^esub>)"
+          using \<V>_is_wff_denotation_function by auto
+        also from assms and \<open>\<psi> \<leadsto> \<D>\<close> have "\<dots> = \<V> \<psi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)"
+          using wff_app_denotation[OF \<V>_is_wff_denotation_function] by (metis wffs_of_type_intros(1))
+        finally have "\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<V> \<psi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)" .
+        with B'_wffo and assms and \<open>\<psi> \<leadsto> \<D>\<close> have "\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<^bold>T"
+          using prop_5401_b and wffs_from_equality by blast
+        with *(2) have "?\<M> \<Turnstile>\<^bsub>\<psi>\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+          by simp
+      }
+      with * and B'_wffo have "?\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?B"
+        using prop_5401_g by force
+      with *(2) show ?thesis
+        by auto
+    qed
+    ultimately show ?thesis ..
+  next
+    case False
+    from * have "\<phi> (\<ff>, \<alpha>\<rightarrow>\<beta>) \<in> elts (\<D> \<alpha> \<longmapsto> \<D> \<beta>)" and "\<phi> (\<gg>, \<alpha>\<rightarrow>\<beta>) \<in> elts (\<D> \<alpha> \<longmapsto> \<D> \<beta>)"
+      by (simp_all add: function_domainD)
+    with False obtain z where "z \<in> elts (\<D> \<alpha>)" and "\<phi> (\<ff>, \<alpha>\<rightarrow>\<beta>) \<bullet> z \<noteq> \<phi> (\<gg>, \<alpha>\<rightarrow>\<beta>) \<bullet> z"
+      by (blast dest: fun_ext)
+    define \<psi> where "\<psi> = \<phi>((\<xx>, \<alpha>) := z)"
+    from * and \<open>z \<in> elts (\<D> \<alpha>)\<close> have "\<psi> \<leadsto> \<D>" and "\<psi> \<sim>\<^bsub>(\<xx>, \<alpha>)\<^esub> \<phi>"
+      unfolding \<psi>_def by fastforce+
+    have "\<V> \<psi> (f\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<phi> (f, \<alpha>\<rightarrow>\<beta>) \<bullet> z" for f
+    proof -
+      from \<open>\<psi> \<leadsto> \<D>\<close> have "\<V> \<psi> (f\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<V> \<psi> (f\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<bullet> \<V> \<psi> (\<xx>\<^bsub>\<alpha>\<^esub>)"
+        using \<V>_is_wff_denotation_function by blast
+      also from \<open>\<psi> \<leadsto> \<D>\<close> have "\<dots> = \<psi> (f, \<alpha>\<rightarrow>\<beta>) \<bullet> \<psi> (\<xx>, \<alpha>)"
+        using \<V>_is_wff_denotation_function by auto
+      finally show ?thesis
+        unfolding \<psi>_def by simp
+    qed
+    then have "\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<phi> (\<ff>, \<alpha>\<rightarrow>\<beta>) \<bullet> z" and "\<V> \<psi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<phi> (\<gg>, \<alpha>\<rightarrow>\<beta>) \<bullet> z"
+      by (simp_all only:)
+    with \<open>\<phi> (\<ff>, \<alpha>\<rightarrow>\<beta>) \<bullet> z \<noteq> \<phi> (\<gg>, \<alpha>\<rightarrow>\<beta>) \<bullet> z\<close> have "\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<noteq> \<V> \<psi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)"
+      by simp
+    then have "\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) = \<^bold>F"
+    proof -
+      from B'_wffo and \<open>\<psi> \<leadsto> \<D>\<close> and * have "\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<in> elts (\<D> o)"
+        using \<V>_is_wff_denotation_function by auto
+      moreover from B'_wffo have "{\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>, \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>} \<subseteq> wffs\<^bsub>\<beta>\<^esub>"
+        by blast
+      with \<open>\<psi> \<leadsto> \<D>\<close> and \<open>\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<noteq> \<V> \<psi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)\<close> and B'_wffo
+      have "\<V> \<psi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>) \<noteq> \<^bold>T"
+        using prop_5401_b by simp
+      ultimately show ?thesis
+        by (simp add: truth_values_domain_def)
+    qed
+    with \<open>\<psi> \<leadsto> \<D>\<close> have "\<not> ?\<M> \<Turnstile>\<^bsub>\<psi>\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+      by (auto simp add: inj_eq)
+    with \<open>\<psi> \<leadsto> \<D>\<close> and \<open>\<psi> \<sim>\<^bsub>(\<xx>, \<alpha>)\<^esub> \<phi>\<close>
+    have "\<exists>\<psi>. \<psi> \<leadsto> \<D> \<and> \<psi> \<sim>\<^bsub>(\<xx>, \<alpha>)\<^esub> \<phi> \<and> \<not> ?\<M> \<Turnstile>\<^bsub>\<psi>\<^esub> \<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>"
+      by blast
+    with * and B'_wffo have "\<not> ?\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?B"
+      using prop_5401_g by blast
+    then have "\<V> \<phi> ?B = \<^bold>F"
+    proof -
+      from \<open>?B \<in> wffs\<^bsub>o\<^esub>\<close> and * have "\<V> \<phi> ?B \<in> elts (\<D> o)"
+        using \<V>_is_wff_denotation_function by auto
+      with \<open>\<not> ?\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?B\<close> and \<open>?B \<in> wffs\<^bsub>o\<^esub>\<close> show ?thesis
+        using truth_values_domain_def by fastforce
+    qed
+    moreover have "\<V> \<phi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) = \<^bold>F"
+    proof -
+      from * have "\<V> \<phi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) = \<phi> (\<ff>, \<alpha>\<rightarrow>\<beta>)" and "\<V> \<phi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) = \<phi> (\<gg>, \<alpha>\<rightarrow>\<beta>)"
+        using \<V>_is_wff_denotation_function by auto
+      with False have "\<V> \<phi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<noteq> \<V> \<phi> (\<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>)"
+        by simp
+      with * have "\<V> \<phi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<noteq> \<^bold>T"
+        using prop_5401_b by blast
+      moreover from * and \<open>?A \<in> wffs\<^bsub>o\<^esub>\<close> have "\<V> \<phi> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<in> elts (\<D> o)"
+        using \<V>_is_wff_denotation_function by auto
+      ultimately show ?thesis
+        by (simp add: truth_values_domain_def)
+    qed
+    ultimately show ?thesis
+      by (simp only:)
+  qed
+  with * and \<open>?A \<in> wffs\<^bsub>o\<^esub>\<close> and \<open>?B \<in> wffs\<^bsub>o\<^esub>\<close> show ?thesis
+    using prop_5401_b' by simp
+qed
+
+lemma axiom_3_validity:
+  shows "\<Turnstile> (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> =\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>) \<equiv>\<^sup>\<Q> \<forall>\<xx>\<^bsub>\<alpha>\<^esub>. (\<ff>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub> =\<^bsub>\<beta>\<^esub> \<gg>\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub> \<sqdot> \<xx>\<^bsub>\<alpha>\<^esub>)" (is "\<Turnstile> ?A \<equiv>\<^sup>\<Q> ?B")
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?A \<equiv>\<^sup>\<Q> ?B"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> (?A \<equiv>\<^sup>\<Q> ?B) = \<^bold>T"
+      using general_model.axiom_3_validity_aux by simp
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma (in general_model) axiom_4_1_con_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) = \<^bold>T"
+proof -
+  from assms(2) have "(\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_4_1_con and axioms_are_wffs_of_type_o by blast
+  define \<psi> where "\<psi> = \<phi>((x, \<alpha>) := \<V> \<phi> A)"
+  from assms have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A) = \<V> (\<phi>((x, \<alpha>) := \<V> \<phi> A)) (\<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>)"
+    using prop_5401_a by blast
+  also have "\<dots> = \<V> \<psi> (\<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>)"
+    unfolding \<psi>_def ..
+  also from assms and \<psi>_def have "\<dots> = \<V> \<phi> (\<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>)"
+    using \<V>_is_wff_denotation_function by auto
+  finally have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A) = \<V> \<phi> (\<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>)" .
+  with assms(1) and \<open>(\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub> \<in> wffs\<^bsub>o\<^esub>\<close> show ?thesis
+    using wffs_from_equality(1) and prop_5401_b by blast
+qed
+
+lemma axiom_4_1_con_validity:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<Turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>"
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from assms and * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<beta>\<^esub>) = \<^bold>T"
+      using general_model.axiom_4_1_con_validity_aux by simp
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma (in general_model) axiom_4_1_var_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "(y, \<beta>) \<noteq> (x, \<alpha>)"
+  shows "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub>) = \<^bold>T"
+proof -
+  from assms(2) have "(\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_4_1_var and axioms_are_wffs_of_type_o by blast
+  define \<psi> where "\<psi> = \<phi>((x, \<alpha>) := \<V> \<phi> A)"
+  with assms(1,2) have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A) = \<V> (\<phi>((x, \<alpha>) := \<V> \<phi> A)) (y\<^bsub>\<beta>\<^esub>)"
+    using prop_5401_a by blast
+  also have "\<dots> = \<V> \<psi> (y\<^bsub>\<beta>\<^esub>)"
+    unfolding \<psi>_def ..
+  also have "\<dots> = \<V> \<phi> (y\<^bsub>\<beta>\<^esub>)"
+  proof -
+    from assms(1,2) have "\<V> \<phi> A \<in> elts (\<D> \<alpha>)"
+      using \<V>_is_wff_denotation_function by auto
+    with \<psi>_def and assms(1) have "\<psi> \<leadsto> \<D>"
+      by simp
+    moreover have "free_vars (y\<^bsub>\<beta>\<^esub>) = {(y, \<beta>)}"
+      by simp
+    with \<psi>_def and assms(3) have "\<forall>v \<in> free_vars (y\<^bsub>\<beta>\<^esub>). \<phi> v = \<psi> v"
+      by auto
+    ultimately show ?thesis
+      using prop_5400[OF wffs_of_type_intros(1) assms(1)] by simp
+  qed
+  finally have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A) = \<V> \<phi> (y\<^bsub>\<beta>\<^esub>)" .
+  with \<open>(\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub> \<in> wffs\<^bsub>o\<^esub>\<close> show ?thesis
+    using wffs_from_equality(1) and prop_5401_b[OF assms(1)] by blast
+qed
+
+lemma axiom_4_1_var_validity:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "(y, \<beta>) \<noteq> (x, \<alpha>)"
+  shows "\<Turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub>"
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub>"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from assms and * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. y\<^bsub>\<beta>\<^esub>) \<sqdot> A =\<^bsub>\<beta>\<^esub> y\<^bsub>\<beta>\<^esub>) = \<^bold>T"
+      using general_model.axiom_4_1_var_validity_aux by auto
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma (in general_model) axiom_4_2_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A) = \<^bold>T"
+proof -
+  from assms(2) have "(\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_4_2 and axioms_are_wffs_of_type_o by blast
+  define \<psi> where "\<psi> = \<phi>((x, \<alpha>) := \<V> \<phi> A)"
+  with assms have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A) = \<V> \<psi> (x\<^bsub>\<alpha>\<^esub>)"
+    using prop_5401_a by blast
+  also from assms and \<psi>_def have "\<dots> = \<psi> (x, \<alpha>)"
+    using \<V>_is_wff_denotation_function by force
+  also from \<psi>_def have "\<dots> = \<V> \<phi> A"
+    by simp
+  finally have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A) = \<V> \<phi> A" .
+  with assms(1) and \<open>(\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A \<in> wffs\<^bsub>o\<^esub>\<close> show ?thesis
+    using wffs_from_equality and prop_5401_b by meson
+qed
+
+lemma axiom_4_2_validity:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<Turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A"
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from assms and * and  \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. x\<^bsub>\<alpha>\<^esub>) \<sqdot> A =\<^bsub>\<alpha>\<^esub> A) = \<^bold>T"
+      using general_model.axiom_4_2_validity_aux by simp
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma (in general_model) axiom_4_3_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>" and "C \<in> wffs\<^bsub>\<gamma>\<^esub>"
+  shows "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B \<sqdot> C) \<sqdot> A =\<^bsub>\<beta>\<^esub> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) \<sqdot> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A)) = \<^bold>T"
+  (is "\<V> \<phi> (?A =\<^bsub>\<beta>\<^esub> ?B) = \<^bold>T")
+proof -
+  from assms(2-4) have "?A =\<^bsub>\<beta>\<^esub> ?B \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_4_3 and axioms_are_wffs_of_type_o by blast
+  define \<psi> where "\<psi> = \<phi>((x, \<alpha>) := \<V> \<phi> A)"
+  with assms(1,2) have "\<psi> \<leadsto> \<D>"
+    using \<V>_is_wff_denotation_function by auto
+  from assms and \<psi>_def have "\<V> \<phi> ?A = \<V> \<psi> (B \<sqdot> C)"
+    using prop_5401_a by blast
+  also from assms(3,4) and \<psi>_def and \<open>\<psi> \<leadsto> \<D>\<close> have "\<dots> = \<V> \<psi> B \<bullet> \<V> \<psi> C"
+    using \<V>_is_wff_denotation_function by blast
+  also from assms(1-3) and \<psi>_def have "\<dots> = \<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) \<bullet> \<V> \<psi> C"
+    using prop_5401_a by simp
+  also from assms(1,2,4) and \<psi>_def have "\<dots> = \<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) \<bullet> \<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A)"
+    using prop_5401_a by simp
+  also have "\<dots> = \<V> \<phi> ?B"
+  proof -
+    have "(\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>" and "(\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A \<in> wffs\<^bsub>\<gamma>\<^esub>"
+      using assms(2-4) by blast+
+    with assms(1) show ?thesis
+      using wff_app_denotation[OF \<V>_is_wff_denotation_function] by simp
+  qed
+  finally have "\<V> \<phi> ?A = \<V> \<phi> ?B" .
+  with assms(1) and \<open>?A =\<^bsub>\<beta>\<^esub> ?B \<in> wffs\<^bsub>o\<^esub>\<close> show ?thesis
+    using prop_5401_b and wffs_from_equality by meson
+qed
+
+lemma axiom_4_3_validity:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>" and "C \<in> wffs\<^bsub>\<gamma>\<^esub>"
+  shows "\<Turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B \<sqdot> C) \<sqdot> A =\<^bsub>\<beta>\<^esub> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) \<sqdot> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. C) \<sqdot> A)" (is "\<Turnstile> ?A =\<^bsub>\<beta>\<^esub> ?B")
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?A =\<^bsub>\<beta>\<^esub> ?B"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from assms and * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> (?A =\<^bsub>\<beta>\<^esub> ?B) = \<^bold>T"
+      using general_model.axiom_4_3_validity_aux by simp
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma (in general_model) axiom_4_4_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<delta>\<^esub>"
+  and "(y, \<gamma>) \<notin> {(x, \<alpha>)} \<union> vars A"
+  shows "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. B) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> (\<lambda>y\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A)) = \<^bold>T"
+  (is "\<V> \<phi> (?A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> ?B) = \<^bold>T")
+proof -
+  from assms(2,3) have "?A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> ?B \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_4_4 and axioms_are_wffs_of_type_o by blast
+  let ?D = "\<lambda>y\<^bsub>\<gamma>\<^esub>. B"
+  define \<psi> where "\<psi> = \<phi>((x, \<alpha>) := \<V> \<phi> A)"
+  from assms(1,2) and \<psi>_def have "\<psi> \<leadsto> \<D>"
+    using \<V>_is_wff_denotation_function by simp
+  {
+    fix z
+    assume "z \<in> elts (\<D> \<gamma>)"
+    define \<phi>' where "\<phi>' = \<phi>((y, \<gamma>) := z)"
+    from assms(1) and \<open>z \<in> elts (\<D> \<gamma>)\<close> and \<phi>'_def have "\<phi>' \<leadsto> \<D>"
+      by simp
+    moreover from \<phi>'_def and assms(4) have "\<forall>v \<in> free_vars A. \<phi> v = \<phi>' v"
+      using free_vars_in_all_vars by auto
+    ultimately have "\<V> \<phi> A = \<V> \<phi>' A"
+      using assms(1,2) and prop_5400 by blast
+    with \<psi>_def and \<phi>'_def and assms(4) have "\<phi>'((x, \<alpha>) := \<V> \<phi>' A) = \<psi>((y, \<gamma>) := z)"
+      by auto
+    with \<open>\<psi> \<leadsto> \<D>\<close> and \<open>z \<in> elts (\<D> \<gamma>)\<close> and assms(3) have "\<V> \<psi> ?D \<bullet> z = \<V> (\<psi>((y, \<gamma>) := z)) B"
+      by (simp add: mixed_beta_conversion)
+    also from \<open>\<phi>' \<leadsto> \<D>\<close> and assms(2,3) have "\<dots> = \<V> \<phi>' ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A)"
+      using prop_5401_a and \<open>\<phi>'((x, \<alpha>) := \<V> \<phi>' A) = \<psi>((y, \<gamma>) := z)\<close> by simp
+    also from \<phi>'_def and assms(1) and \<open>z \<in> elts (\<D> \<gamma>)\<close> and \<open>?A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> ?B \<in> wffs\<^bsub>o\<^esub>\<close>
+    have "\<dots> = \<V> \<phi> ?B \<bullet> z"
+      by (metis mixed_beta_conversion wffs_from_abs wffs_from_equality(2))
+    finally have "\<V> \<psi> ?D \<bullet> z = \<V> \<phi> ?B \<bullet> z" .
+  }
+  note * = this
+  then have "\<V> \<psi> ?D = \<V> \<phi> ?B"
+  proof -
+    from \<open>\<psi> \<leadsto> \<D>\<close> and assms(3) have "\<V> \<psi> ?D = (\<^bold>\<lambda>z \<^bold>: \<D> \<gamma>\<^bold>. \<V> (\<psi>((y, \<gamma>) := z)) B)"
+      using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by simp
+    moreover from assms(1) have "\<V> \<phi> ?B = (\<^bold>\<lambda>z \<^bold>: \<D> \<gamma>\<^bold>. \<V> (\<phi>((y, \<gamma>) := z)) ((\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A))"
+      using wffs_from_abs[OF wffs_from_equality(2)[OF \<open>?A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> ?B \<in> wffs\<^bsub>o\<^esub>\<close>]]
+      and wff_abs_denotation[OF \<V>_is_wff_denotation_function] by meson
+    ultimately show ?thesis
+      using vlambda_extensionality and * by fastforce
+  qed
+  with assms(1-3) and \<psi>_def have "\<V> \<phi> ?A = \<V> \<phi> ?B"
+    using prop_5401_a and wffs_of_type_intros(4) by metis
+  with assms(1) show ?thesis
+    using prop_5401_b and wffs_from_equality[OF \<open>?A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> ?B \<in> wffs\<^bsub>o\<^esub>\<close>] by blast
+qed
+
+lemma axiom_4_4_validity:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<delta>\<^esub>"
+  and "(y, \<gamma>) \<notin> {(x, \<alpha>)} \<union> vars A"
+  shows "\<Turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>y\<^bsub>\<gamma>\<^esub>. B) \<sqdot> A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> (\<lambda>y\<^bsub>\<gamma>\<^esub>. (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A)" (is "\<Turnstile> ?A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> ?B")
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> ?A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> ?B"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from assms and * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> (?A =\<^bsub>\<gamma>\<rightarrow>\<delta>\<^esub> ?B) = \<^bold>T"
+      using general_model.axiom_4_4_validity_aux by blast
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma (in general_model) axiom_4_5_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<delta>\<^esub>"
+  shows "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<alpha>\<rightarrow>\<delta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)) = \<^bold>T"
+proof -
+  define \<psi> where "\<psi> = \<phi>((x, \<alpha>) := \<V> \<phi> A)"
+  from assms have wff: "(\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<alpha>\<rightarrow>\<delta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_4_5 and axioms_are_wffs_of_type_o by blast
+  with assms(1,2) and \<psi>_def have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) = \<V> \<psi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+    using prop_5401_a and wffs_from_equality(2) by blast
+  also have "\<dots> = \<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+  proof -
+    have "(x, \<alpha>) \<notin> free_vars (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+      by simp
+    with \<psi>_def have "\<forall>v \<in> free_vars (\<lambda>x\<^bsub>\<alpha>\<^esub>. B). \<phi> v = \<psi> v"
+      by simp
+    moreover from \<psi>_def and assms(1,2) have "\<psi> \<leadsto> \<D>"
+      using \<V>_is_wff_denotation_function by simp
+    moreover from assms(2,3) have "(\<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<delta>\<^esub>"
+      by fastforce
+    ultimately show ?thesis
+      using assms(1) and prop_5400 by metis
+  qed
+  finally have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A) = \<V> \<phi> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)" .
+  with wff and assms(1) show ?thesis
+    using prop_5401_b and wffs_from_equality by meson
+qed
+
+lemma axiom_4_5_validity:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<delta>\<^esub>"
+  shows "\<Turnstile> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<alpha>\<rightarrow>\<delta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<alpha>\<rightarrow>\<delta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover
+    from assms and * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> ((\<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) \<sqdot> A =\<^bsub>\<alpha>\<rightarrow>\<delta>\<^esub> (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)) = \<^bold>T"
+      using general_model.axiom_4_5_validity_aux by blast
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma (in general_model) axiom_5_validity_aux:
+  assumes "\<phi> \<leadsto> \<D>"
+  shows "\<V> \<phi> (\<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>) =\<^bsub>i\<^esub> \<yy>\<^bsub>i\<^esub>) = \<^bold>T"
+proof -
+  have "\<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>) =\<^bsub>i\<^esub> \<yy>\<^bsub>i\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+    using axioms.axiom_5 and axioms_are_wffs_of_type_o by blast
+  have "Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub> \<in> wffs\<^bsub>i\<rightarrow>o\<^esub>"
+    by blast
+  with assms have "\<V> \<phi> (\<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>)) = \<V> \<phi> \<iota> \<bullet> \<V> \<phi> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>)"
+    using \<V>_is_wff_denotation_function by blast
+  also from assms have "\<dots> = \<V> \<phi> \<iota> \<bullet> (\<V> \<phi> (Q\<^bsub>i\<^esub>) \<bullet> \<V> \<phi> (\<yy>\<^bsub>i\<^esub>))"
+    using wff_app_denotation[OF \<V>_is_wff_denotation_function] by (metis Q_wff wffs_of_type_intros(1))
+  also from assms have "\<dots> = \<J> (\<cc>\<^sub>\<iota>, (i\<rightarrow>o)\<rightarrow>i) \<bullet> (\<J> (\<cc>\<^sub>Q, i\<rightarrow>i\<rightarrow>o) \<bullet> \<V> \<phi> (\<yy>\<^bsub>i\<^esub>))"
+    using \<V>_is_wff_denotation_function by auto
+  also from assms have "\<dots> = \<J> (\<cc>\<^sub>\<iota>, (i\<rightarrow>o)\<rightarrow>i) \<bullet> ((q\<^bsub>i\<^esub>\<^bsup>\<D>\<^esup>) \<bullet> \<V> \<phi> (\<yy>\<^bsub>i\<^esub>))"
+    using Q_constant_of_type_def and Q_denotation by simp
+  also from assms have "\<dots> = \<J> (\<cc>\<^sub>\<iota>, (i\<rightarrow>o)\<rightarrow>i) \<bullet> {\<V> \<phi> (\<yy>\<^bsub>i\<^esub>)}\<^bsub>i\<^esub>\<^bsup>\<D>\<^esup>"
+    using \<V>_is_wff_denotation_function by auto
+  finally have "\<V> \<phi> (\<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>)) = \<J> (\<cc>\<^sub>\<iota>, (i\<rightarrow>o)\<rightarrow>i) \<bullet> {\<V> \<phi> (\<yy>\<^bsub>i\<^esub>)}\<^bsub>i\<^esub>\<^bsup>\<D>\<^esup>" .
+  moreover from assms have "\<J> (\<cc>\<^sub>\<iota>, (i\<rightarrow>o)\<rightarrow>i) \<bullet> {\<V> \<phi> (\<yy>\<^bsub>i\<^esub>)}\<^bsub>i\<^esub>\<^bsup>\<D>\<^esup> = \<V> \<phi> (\<yy>\<^bsub>i\<^esub>)"
+    using \<V>_is_wff_denotation_function and \<iota>_denotation by force
+  ultimately have "\<V> \<phi> (\<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>)) = \<V> \<phi> (\<yy>\<^bsub>i\<^esub>)"
+    by (simp only:)
+  with assms and \<open>Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub> \<in> wffs\<^bsub>i\<rightarrow>o\<^esub>\<close> show ?thesis
+    using prop_5401_b by blast
+qed
+
+lemma axiom_5_validity:
+  shows "\<Turnstile> \<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>) =\<^bsub>i\<^esub> \<yy>\<^bsub>i\<^esub>"
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume *: "is_general_model \<M>" "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> \<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>) =\<^bsub>i\<^esub> \<yy>\<^bsub>i\<^esub>"
+  proof -
+    obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+      using prod_cases3 by blast
+    moreover from * and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> have "\<V> \<phi> (\<iota> \<sqdot> (Q\<^bsub>i\<^esub> \<sqdot> \<yy>\<^bsub>i\<^esub>) =\<^bsub>i\<^esub> \<yy>\<^bsub>i\<^esub>) = \<^bold>T"
+      using general_model.axiom_5_validity_aux by simp
+    ultimately show ?thesis
+      by simp
+  qed
+qed
+
+lemma axioms_validity:
+  assumes "A \<in> axioms"
+  shows "\<Turnstile> A"
+  using assms
+  and axiom_1_validity
+  and axiom_2_validity
+  and axiom_3_validity
+  and axiom_4_1_con_validity
+  and axiom_4_1_var_validity
+  and axiom_4_2_validity
+  and axiom_4_3_validity
+  and axiom_4_4_validity
+  and axiom_4_5_validity
+  and axiom_5_validity
+  by cases auto
+
+lemma (in general_model) rule_R_validity_aux:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "\<forall>\<phi>. \<phi> \<leadsto> \<D> \<longrightarrow> \<V> \<phi> A = \<V> \<phi> B"
+  and "C \<in> wffs\<^bsub>\<beta>\<^esub>" and "C' \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "p \<in> positions C" and "A \<preceq>\<^bsub>p\<^esub> C" and "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> C'"
+  shows "\<forall>\<phi>. \<phi> \<leadsto> \<D> \<longrightarrow> \<V> \<phi> C = \<V> \<phi> C'"
+proof -
+  from assms(8,3-5,7) show ?thesis
+  proof (induction arbitrary: \<beta>)
+    case pos_found
+    then show ?case
+      by simp
+  next
+    case (replace_left_app p G B' G' H)
+    show ?case
+    proof (intro allI impI)
+      fix \<phi>
+      assume "\<phi> \<leadsto> \<D>"
+      from \<open>G \<sqdot> H \<in> wffs\<^bsub>\<beta>\<^esub>\<close> obtain \<gamma> where "G \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>" and "H \<in> wffs\<^bsub>\<gamma>\<^esub>"
+        by (rule wffs_from_app)
+      with \<open>G' \<sqdot> H \<in> wffs\<^bsub>\<beta>\<^esub>\<close> have "G' \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>"
+        by (metis wff_has_unique_type wffs_from_app)
+      from assms(1) and \<open>\<phi> \<leadsto> \<D>\<close> and \<open>G \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>\<close> and \<open>H \<in> wffs\<^bsub>\<gamma>\<^esub>\<close>
+      have "\<V> \<phi> (G \<sqdot> H) = \<V> \<phi> G \<bullet> \<V> \<phi> H"
+        using \<V>_is_wff_denotation_function by blast
+      also from \<open>\<phi> \<leadsto> \<D>\<close> and \<open>G \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>\<close> and \<open>G' \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>\<close> have "\<dots> = \<V> \<phi> G' \<bullet> \<V> \<phi> H"
+        using replace_left_app.IH and replace_left_app.prems(1,4) by simp
+      also from assms(1) and \<open>\<phi> \<leadsto> \<D>\<close> and \<open>G' \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>\<close> and \<open>H \<in> wffs\<^bsub>\<gamma>\<^esub>\<close>
+      have "\<dots> = \<V> \<phi> (G' \<sqdot> H)"
+        using \<V>_is_wff_denotation_function by fastforce
+      finally show "\<V> \<phi> (G \<sqdot> H) = \<V> \<phi> (G' \<sqdot> H)" .
+    qed
+  next
+    case (replace_right_app p H B' H' G)
+    show ?case
+    proof (intro allI impI)
+      fix \<phi>
+      assume "\<phi> \<leadsto> \<D>"
+      from \<open>G \<sqdot> H \<in> wffs\<^bsub>\<beta>\<^esub>\<close> obtain \<gamma> where "G \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>" and "H \<in> wffs\<^bsub>\<gamma>\<^esub>"
+        by (rule wffs_from_app)
+      with \<open>G \<sqdot> H' \<in> wffs\<^bsub>\<beta>\<^esub>\<close> have "H' \<in> wffs\<^bsub>\<gamma>\<^esub>"
+        using wff_has_unique_type and wffs_from_app by (metis type.inject)
+      from assms(1) and \<open>\<phi> \<leadsto> \<D>\<close> and \<open>G \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>\<close> and \<open>H \<in> wffs\<^bsub>\<gamma>\<^esub>\<close>
+      have "\<V> \<phi> (G \<sqdot> H) = \<V> \<phi> G \<bullet> \<V> \<phi> H"
+        using \<V>_is_wff_denotation_function by blast
+      also from \<open>\<phi> \<leadsto> \<D>\<close> and \<open>H \<in> wffs\<^bsub>\<gamma>\<^esub>\<close> and \<open>H' \<in> wffs\<^bsub>\<gamma>\<^esub>\<close> have "\<dots> = \<V> \<phi> G \<bullet> \<V> \<phi> H'"
+        using replace_right_app.IH and replace_right_app.prems(1,4) by force
+      also from assms(1) and \<open>\<phi> \<leadsto> \<D>\<close> and \<open>G \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>\<close> and \<open>H' \<in> wffs\<^bsub>\<gamma>\<^esub>\<close>
+      have "\<dots> = \<V> \<phi> (G \<sqdot> H')"
+        using \<V>_is_wff_denotation_function by fastforce
+      finally show "\<V> \<phi> (G \<sqdot> H) = \<V> \<phi> (G \<sqdot> H')" .
+    qed
+  next
+    case (replace_abs p E B' E' x \<gamma>)
+    show ?case
+    proof (intro allI impI)
+      fix \<phi>
+      assume "\<phi> \<leadsto> \<D>"
+      define \<psi> where "\<psi> z = \<phi>((x, \<gamma>) := z)" for z
+      with \<open>\<phi> \<leadsto> \<D>\<close> have \<psi>_assg: "\<psi> z \<leadsto> \<D>" if "z \<in> elts (\<D> \<gamma>)" for z
+        by (simp add: that)
+      from \<open>\<lambda>x\<^bsub>\<gamma>\<^esub>. E \<in> wffs\<^bsub>\<beta>\<^esub>\<close> obtain \<delta> where "\<beta> = \<gamma>\<rightarrow>\<delta>" and "E \<in> wffs\<^bsub>\<delta>\<^esub>"
+        by (rule wffs_from_abs)
+      with \<open>\<lambda>x\<^bsub>\<gamma>\<^esub>. E' \<in> wffs\<^bsub>\<beta>\<^esub>\<close> have "E' \<in> wffs\<^bsub>\<delta>\<^esub>"
+        using wffs_from_abs by blast
+      from assms(1) and \<open>\<phi> \<leadsto> \<D>\<close> and \<open>E \<in> wffs\<^bsub>\<delta>\<^esub>\<close> and \<psi>_def
+      have "\<V> \<phi> (\<lambda>x\<^bsub>\<gamma>\<^esub>. E) = (\<^bold>\<lambda>z \<^bold>: \<D> \<gamma>\<^bold>. \<V> (\<psi> z) E)"
+        using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by simp
+      also have "\<dots> = (\<^bold>\<lambda>z \<^bold>: \<D> \<gamma>\<^bold>. \<V> (\<psi> z) E')"
+      proof (intro vlambda_extensionality)
+        fix z
+        assume "z \<in> elts (\<D> \<gamma>)"
+        from \<open>E \<in> wffs\<^bsub>\<delta>\<^esub>\<close> and \<open>E' \<in> wffs\<^bsub>\<delta>\<^esub>\<close> have "\<forall>\<phi>. \<phi> \<leadsto> \<D> \<longrightarrow> \<V> \<phi> E = \<V> \<phi> E'"
+          using replace_abs.prems(1,4) and replace_abs.IH by simp
+        with \<psi>_assg and \<open>z \<in> elts (\<D> \<gamma>)\<close> show "\<V> (\<psi> z) E = \<V> (\<psi> z) E'"
+          by simp
+      qed
+      also from assms(1) and \<open>\<phi> \<leadsto> \<D>\<close> and \<open>E' \<in> wffs\<^bsub>\<delta>\<^esub>\<close> and \<psi>_def
+      have "\<dots> = \<V> \<phi> (\<lambda>x\<^bsub>\<gamma>\<^esub>. E')"
+        using wff_abs_denotation[OF \<V>_is_wff_denotation_function] by simp
+      finally show "\<V> \<phi> (\<lambda>x\<^bsub>\<gamma>\<^esub>. E) = \<V> \<phi> (\<lambda>x\<^bsub>\<gamma>\<^esub>. E')" .
+    qed
+  qed
+qed
+
+lemma rule_R_validity:
+  assumes "C \<in> wffs\<^bsub>o\<^esub>" and "C' \<in> wffs\<^bsub>o\<^esub>" and "E \<in> wffs\<^bsub>o\<^esub>"
+  and "\<Turnstile> C" and "\<Turnstile> E"
+  and "is_rule_R_app p C' C E"
+  shows "\<Turnstile> C'"
+proof (intro allI impI)
+  fix \<M> and \<phi>
+  assume "is_general_model \<M>" and "\<phi> \<leadsto>\<^sub>M \<M>"
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> C'"
+  proof -
+    have "\<M> \<Turnstile> C'"
+    proof -
+      obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+        using prod_cases3 by blast
+      from assms(6) obtain A and B and \<alpha> where "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>" and "E = A =\<^bsub>\<alpha>\<^esub> B"
+        using wffs_from_equality by (meson is_rule_R_app_def)
+      note * = \<open>is_general_model \<M>\<close> \<open>\<M> = (\<D>, \<J>, \<V>)\<close> \<open>\<phi> \<leadsto>\<^sub>M \<M>\<close>
+      have "\<V> \<phi>' C = \<V> \<phi>' C'" if "\<phi>' \<leadsto> \<D>" for \<phi>'
+      proof -
+        from assms(5) and *(1,2) and \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> and \<open>B \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> and \<open>E = A =\<^bsub>\<alpha>\<^esub> B\<close> and that
+        have "\<forall>\<phi>'. \<phi>' \<leadsto> \<D> \<longrightarrow>\<V> \<phi>' A = \<V> \<phi>' B"
+          using general_model.prop_5401_b by blast
+        moreover
+        from \<open>E = A =\<^bsub>\<alpha>\<^esub> B\<close> and assms(6) have "p \<in> positions C" and "A \<preceq>\<^bsub>p\<^esub> C" and "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> C'"
+          using is_subform_implies_in_positions by auto
+        ultimately show ?thesis
+          using \<open>A \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> and \<open>B \<in> wffs\<^bsub>\<alpha>\<^esub>\<close> and \<open>C \<in> wffs\<^bsub>o\<^esub>\<close> and assms(2) and that and *(1,2)
+          and general_model.rule_R_validity_aux by blast
+      qed
+      with assms(4) and *(1,2) show ?thesis
+        by simp
+    qed
+    with \<open>\<phi> \<leadsto>\<^sub>M \<M>\<close> show ?thesis
+      by blast
+  qed
+qed
+
+lemma individual_proof_step_validity:
+  assumes "is_proof \<S>" and "A \<in> lset \<S>"
+  shows "\<Turnstile> A"
+using assms proof (induction "length \<S>" arbitrary: \<S> A rule: less_induct)
+  case less
+  from \<open>A \<in> lset \<S>\<close> obtain i' where "\<S> ! i' = A" and "\<S> \<noteq> []" and "i' < length \<S>"
+    by (metis empty_iff empty_set in_set_conv_nth)
+  with \<open>is_proof \<S>\<close> have "is_proof (take (Suc i') \<S>)" and "take (Suc i') \<S> \<noteq> []"
+    using proof_prefix_is_proof[where \<S>\<^sub>1 = "take (Suc i') \<S>" and \<S>\<^sub>2 = "drop (Suc i') \<S>"]
+    and append_take_drop_id by simp_all
+  from \<open>i' < length \<S>\<close> consider (a) "i' < length \<S> - 1" | (b) "i' = length \<S> - 1"
+    by fastforce
+  then show ?case
+  proof cases
+    case a
+    then have "length (take (Suc i') \<S>) < length \<S>"
+      by simp
+    with \<open>\<S> ! i' = A\<close> and \<open>take (Suc i') \<S> \<noteq> []\<close> have "A \<in> lset (take (Suc i') \<S>)"
+      by (simp add: take_Suc_conv_app_nth)
+    with \<open>length (take (Suc i') \<S>) < length \<S>\<close> and \<open>is_proof (take (Suc i') \<S>)\<close> show ?thesis
+      using less(1) by blast
+  next
+    case b
+    with \<open>\<S> ! i' = A\<close> and \<open>\<S> \<noteq> []\<close> have "last \<S> = A"
+      using last_conv_nth by blast
+    with \<open>is_proof \<S>\<close> and \<open>\<S> \<noteq> []\<close> and b have "is_proof_step \<S> i'"
+      using added_suffix_proof_preservation[where \<S>' = "[]"] by simp
+    then consider
+      (axiom) "\<S> ! i' \<in> axioms"
+    | (rule_R) "\<exists>p j k. {j, k} \<subseteq> {0..<i'} \<and> is_rule_R_app p (\<S> ! i') (\<S> ! j) (\<S> ! k)"
+      by fastforce
+    then show ?thesis
+    proof cases
+      case axiom
+      with \<open>\<S> ! i' = A\<close> show ?thesis
+        by (blast dest: axioms_validity)
+    next
+      case rule_R
+      then obtain p and j and k
+        where "{j, k} \<subseteq> {0..<i'}" and "is_rule_R_app p (\<S> ! i') (\<S> ! j) (\<S> ! k)"
+        by blast
+      let ?\<S>\<^sub>j = "take (Suc j) \<S>" and ?\<S>\<^sub>k = "take (Suc k) \<S>"
+      obtain \<S>\<^sub>j' and \<S>\<^sub>k' where "\<S> = ?\<S>\<^sub>j @ \<S>\<^sub>j'" and "\<S> = ?\<S>\<^sub>k @ \<S>\<^sub>k'"
+        by (metis append_take_drop_id)
+      with \<open>is_proof \<S>\<close> have "is_proof (?\<S>\<^sub>j @ \<S>\<^sub>j')" and "is_proof (?\<S>\<^sub>k @ \<S>\<^sub>k')"
+        by (simp_all only:)
+      moreover from \<open>\<S> \<noteq> []\<close> have "?\<S>\<^sub>j \<noteq> []" and "?\<S>\<^sub>k \<noteq> []"
+        by simp_all
+      ultimately have "is_proof_of ?\<S>\<^sub>j (last ?\<S>\<^sub>j)" and "is_proof_of ?\<S>\<^sub>k (last ?\<S>\<^sub>k)"
+        using proof_prefix_is_proof_of_last[where \<S> = ?\<S>\<^sub>j and \<S>' = \<S>\<^sub>j']
+        and proof_prefix_is_proof_of_last[where \<S> = ?\<S>\<^sub>k and \<S>' = \<S>\<^sub>k']
+        by fastforce+
+      moreover
+      from \<open>{j, k} \<subseteq> {0..<i'}\<close> and b have "length ?\<S>\<^sub>j < length \<S>" and "length ?\<S>\<^sub>k < length \<S>"
+        by force+
+      moreover from calculation(3,4) have "\<S> ! j \<in> lset ?\<S>\<^sub>j" and "\<S> ! k \<in> lset ?\<S>\<^sub>k"
+        by (simp_all add: take_Suc_conv_app_nth)
+      ultimately have "\<Turnstile> \<S> ! j" and "\<Turnstile> \<S> ! k"
+        using \<open>?\<S>\<^sub>j \<noteq> []\<close> and \<open>?\<S>\<^sub>k \<noteq> []\<close> and less(1) unfolding is_proof_of_def by presburger+
+      moreover have "\<S> ! i' \<in> wffs\<^bsub>o\<^esub>" and "\<S> ! j \<in> wffs\<^bsub>o\<^esub>" and "\<S> ! k \<in> wffs\<^bsub>o\<^esub>"
+        using \<open>is_rule_R_app p (\<S> ! i') (\<S> ! j) (\<S> ! k)\<close> and replacement_preserves_typing
+        by force+
+      ultimately show ?thesis
+        using \<open>is_rule_R_app p (\<S> ! i') (\<S> ! j) (\<S> ! k)\<close> and \<open>\<S> ! i' = A\<close>
+        and rule_R_validity[where C' = A] by blast
+    qed
+  qed
+qed
+
+lemma semantic_modus_ponens:
+  assumes "is_general_model \<M>"
+  and "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  and "\<M> \<Turnstile> A \<supset>\<^sup>\<Q> B"
+  and "\<M> \<Turnstile> A"
+  shows "\<M> \<Turnstile> B"
+proof (intro allI impI)
+  fix \<phi>
+  assume "\<phi> \<leadsto>\<^sub>M \<M>"
+  moreover obtain \<D> and \<J> and \<V> where "\<M> = (\<D>, \<J>, \<V>)"
+    using prod_cases3 by blast
+  ultimately have "\<phi> \<leadsto> \<D>"
+    by simp
+  show "\<M> \<Turnstile>\<^bsub>\<phi>\<^esub> B"
+  proof -
+    from assms(4) have "\<V> \<phi> (A \<supset>\<^sup>\<Q> B) = \<^bold>T"
+      using \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>\<phi> \<leadsto>\<^sub>M \<M>\<close> by auto
+    with assms(1-3) have "\<V> \<phi> A \<^bold>\<supset> \<V> \<phi> B = \<^bold>T"
+      using \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>\<phi> \<leadsto>\<^sub>M \<M>\<close> and general_model.prop_5401_f' by simp
+    moreover from assms(5) have "\<V> \<phi> A = \<^bold>T"
+      using \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>\<phi> \<leadsto> \<D>\<close> by auto
+    moreover from \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and assms(1) have "elts (\<D> o) = elts \<bool>"
+      using frame.truth_values_domain_def and general_model_def and premodel_def by fastforce
+    with assms and \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and \<open>\<phi> \<leadsto> \<D>\<close> and \<open>\<V> \<phi> A = \<^bold>T\<close> have "{\<V> \<phi> A, \<V> \<phi> B} \<subseteq> elts \<bool>"
+      using general_model.\<V>_is_wff_denotation_function
+      and premodel.wff_denotation_function_is_domain_respecting and general_model.axioms(1) by blast
+    ultimately have "\<V> \<phi> B = \<^bold>T"
+      by fastforce
+    with \<open>\<M> = (\<D>, \<J>, \<V>)\<close> and assms(1) and \<open>\<phi> \<leadsto> \<D>\<close> show ?thesis
+      by simp
+  qed
+qed
+
+lemma generalized_semantic_modus_ponens:
+  assumes "is_general_model \<M>"
+  and "lset hs \<subseteq> wffs\<^bsub>o\<^esub>"
+  and "\<forall>H \<in> lset hs. \<M> \<Turnstile> H"
+  and "P \<in> wffs\<^bsub>o\<^esub>"
+  and "\<M> \<Turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> P"
+  shows "\<M> \<Turnstile> P"
+using assms(2-5) proof (induction hs arbitrary: P rule: rev_induct)
+  case Nil
+  then show ?case by simp
+next
+  case (snoc H' hs)
+  from \<open>\<M> \<Turnstile> (hs @ [H']) \<supset>\<^sup>\<Q>\<^sub>\<star> P\<close> have "\<M> \<Turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> (H' \<supset>\<^sup>\<Q> P)"
+    by simp
+  moreover from \<open>\<forall>H \<in> lset (hs @ [H']). \<M> \<Turnstile> H\<close> and \<open>lset (hs @ [H']) \<subseteq> wffs\<^bsub>o\<^esub>\<close>
+  have "\<forall>H \<in> lset hs. \<M> \<Turnstile> H" and "lset hs \<subseteq> wffs\<^bsub>o\<^esub>"
+    by simp_all
+  moreover from \<open>lset (hs @ [H']) \<subseteq> wffs\<^bsub>o\<^esub>\<close> and \<open>P \<in> wffs\<^bsub>o\<^esub>\<close> have "H' \<supset>\<^sup>\<Q> P \<in> wffs\<^bsub>o\<^esub>"
+    by auto
+  ultimately have "\<M> \<Turnstile> H' \<supset>\<^sup>\<Q> P"
+    by (elim snoc.IH)
+  moreover from \<open>\<forall>H \<in> lset (hs @ [H']). \<M> \<Turnstile> H\<close> have "\<M> \<Turnstile> H'"
+    by simp
+  moreover from \<open>H' \<supset>\<^sup>\<Q> P \<in> wffs\<^bsub>o\<^esub>\<close> have "H' \<in> wffs\<^bsub>o\<^esub>"
+    using wffs_from_imp_op(1) by blast
+  ultimately show ?case
+    using assms(1) and \<open>P \<in> wffs\<^bsub>o\<^esub>\<close> and semantic_modus_ponens by simp
+qed
+
+subsection \<open>Proposition 5402(a)\<close>
+
+proposition theoremhood_implies_validity:
+  assumes "is_theorem A"
+  shows "\<Turnstile> A"
+  using assms and individual_proof_step_validity by force
+
+subsection \<open>Proposition 5402(b)\<close>
+
+proposition hyp_derivability_implies_validity:
+  assumes "is_hyps \<G>"
+  and "is_model_for \<M> \<G>"
+  and "\<G> \<turnstile> A"
+  and "is_general_model \<M>"
+  shows "\<M> \<Turnstile> A"
+proof -
+  from assms(3) have "A \<in> wffs\<^bsub>o\<^esub>"
+    by (fact hyp_derivable_form_is_wffso)
+  from \<open>\<G> \<turnstile> A\<close> and \<open>is_hyps \<G>\<close> obtain \<H> where "finite \<H>" and "\<H> \<subseteq> \<G>" and "\<H> \<turnstile> A"
+    by blast
+  moreover from \<open>finite \<H>\<close> obtain hs where "lset hs = \<H>"
+    using finite_list by blast
+  ultimately have "\<turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> A"
+    using generalized_deduction_theorem by simp
+  with assms(4) have "\<M> \<Turnstile> hs \<supset>\<^sup>\<Q>\<^sub>\<star> A"
+    using derivability_from_no_hyps_theoremhood_equivalence and theoremhood_implies_validity
+    by blast
+  moreover from \<open>\<H> \<subseteq> \<G>\<close> and assms(2) have "\<M> \<Turnstile> H" if "H \<in> \<H>" for H
+    using that by blast
+  moreover from \<open>\<H> \<subseteq> \<G>\<close> and \<open>lset hs = \<H>\<close> and assms(1) have "lset hs \<subseteq> wffs\<^bsub>o\<^esub>"
+    by blast
+  ultimately show ?thesis
+    using assms(1,4) and \<open>A \<in> wffs\<^bsub>o\<^esub>\<close> and \<open>lset hs = \<H>\<close> and generalized_semantic_modus_ponens
+    by auto
+qed
+
+subsection \<open>Theorem 5402 (Soundness Theorem)\<close>
+
+lemmas thm_5402 = theoremhood_implies_validity hyp_derivability_implies_validity
+
+end
diff --git a/thys/Q0_Metatheory/Syntax.thy b/thys/Q0_Metatheory/Syntax.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Syntax.thy
@@ -0,0 +1,3852 @@
+section \<open>Syntax\<close>
+
+theory Syntax
+  imports
+    "HOL-Library.Sublist"
+    Utilities
+begin
+
+subsection \<open>Type symbols\<close>
+
+datatype type =
+  TInd ("i")
+| TBool ("o")
+| TFun type type (infixr "\<rightarrow>" 101)
+
+primrec type_size :: "type \<Rightarrow> nat" where
+  "type_size i = 1"
+| "type_size o = 1"
+| "type_size (\<alpha> \<rightarrow> \<beta>) = Suc (type_size \<alpha> + type_size \<beta>)"
+
+primrec subtypes :: "type \<Rightarrow> type set" where
+  "subtypes i = {}"
+| "subtypes o = {}"
+| "subtypes (\<alpha> \<rightarrow> \<beta>) = {\<alpha>, \<beta>} \<union> subtypes \<alpha> \<union> subtypes \<beta>"
+
+lemma subtype_size_decrease:
+  assumes "\<alpha> \<in> subtypes \<beta>"
+  shows "type_size \<alpha> < type_size \<beta>"
+  using assms by (induction rule: type.induct) force+
+
+lemma subtype_is_not_type:
+  assumes "\<alpha> \<in> subtypes \<beta>"
+  shows "\<alpha> \<noteq> \<beta>"
+  using assms and subtype_size_decrease by blast
+
+lemma fun_type_atoms_in_subtypes:
+  assumes "k < length ts"
+  shows "ts ! k \<in> subtypes (foldr (\<rightarrow>) ts \<gamma>)"
+  using assms by (induction ts arbitrary: k) (cases k, use less_Suc_eq_0_disj in \<open>fastforce+\<close>)
+
+lemma fun_type_atoms_neq_fun_type:
+  assumes "k < length ts"
+  shows "ts ! k \<noteq> foldr (\<rightarrow>) ts \<gamma>"
+  by (fact fun_type_atoms_in_subtypes[OF assms, THEN subtype_is_not_type])
+
+subsection \<open>Variables\<close>
+
+text \<open>
+  Unfortunately, the Nominal package does not support multi-sort atoms yet; therefore, we need to
+  implement this support from scratch.
+\<close>
+
+type_synonym var = "nat \<times> type"
+
+abbreviation var_name :: "var \<Rightarrow> nat" where
+  "var_name \<equiv> fst"
+
+abbreviation var_type :: "var \<Rightarrow> type" where
+  "var_type \<equiv> snd"
+
+lemma fresh_var_existence:
+  assumes "finite (vs :: var set)"
+  obtains x where "(x, \<alpha>) \<notin> vs"
+  using ex_new_if_finite[OF infinite_UNIV_nat]
+proof -
+  from assms obtain x where "x \<notin> var_name ` vs"
+    using ex_new_if_finite[OF infinite_UNIV_nat] by fastforce
+  with that show ?thesis
+    by force
+qed
+
+lemma fresh_var_name_list_existence:
+  assumes "finite (ns :: nat set)"
+  obtains ns' where "length ns' = n" and "distinct ns'" and "lset ns' \<inter> ns = {}"
+using assms proof (induction n arbitrary: thesis)
+  case 0
+  then show ?case
+    by simp
+next
+  case (Suc n)
+  from assms obtain ns' where "length ns' = n" and "distinct ns'" and "lset ns' \<inter> ns = {}"
+    using Suc.IH by blast
+  moreover from assms obtain n' where "n' \<notin> lset ns' \<union> ns"
+    using ex_new_if_finite[OF infinite_UNIV_nat] by blast
+  ultimately
+    have "length (n' # ns') = Suc n" and "distinct (n' # ns')" and "lset (n' # ns') \<inter> ns = {}"
+    by simp_all
+  with Suc.prems(1) show ?case
+    by blast
+qed
+
+lemma fresh_var_list_existence:
+  fixes xs :: "var list"
+  and ns :: "nat set"
+  assumes "finite ns"
+  obtains vs' :: "var list"
+  where "length vs' = length xs"
+  and "distinct vs'"
+  and "var_name ` lset vs' \<inter> (ns \<union> var_name ` lset xs) = {}"
+  and "map var_type vs' = map var_type xs"
+proof -
+  from assms(1) have "finite (ns \<union> var_name ` lset xs)"
+    by blast
+  then obtain ns'
+    where "length ns' = length xs"
+    and "distinct ns'"
+    and "lset ns' \<inter> (ns \<union> var_name ` lset xs) = {}"
+    by (rule fresh_var_name_list_existence)
+  define vs'' where "vs'' = zip ns' (map var_type xs)"
+  from vs''_def and \<open>length ns' = length xs\<close> have "length vs'' = length xs"
+    by simp
+  moreover from vs''_def and \<open>distinct ns'\<close> have "distinct vs''"
+    by (simp add: distinct_zipI1)
+  moreover have "var_name ` lset vs'' \<inter> (ns \<union> var_name ` lset xs) = {}"
+    unfolding vs''_def
+    using \<open>length ns' = length xs\<close> and \<open>lset ns' \<inter> (ns \<union> var_name ` lset xs) = {}\<close>
+    by (metis length_map set_map map_fst_zip)
+  moreover from vs''_def have "map var_type vs'' = map var_type xs"
+    by (simp add: \<open>length ns' = length xs\<close>)
+  ultimately show ?thesis
+    by (fact that)
+qed
+
+subsection \<open>Constants\<close>
+
+type_synonym con = "nat \<times> type"
+
+subsection \<open>Formulas\<close>
+
+datatype form =
+  FVar var
+| FCon con
+| FApp form form (infixl "\<sqdot>" 200)
+| FAbs var form
+
+syntax
+  "_FVar" :: "nat \<Rightarrow> type \<Rightarrow> form" ("_\<^bsub>_\<^esub>" [899, 0] 900)
+  "_FCon" :: "nat \<Rightarrow> type \<Rightarrow> form" ("\<lbrace>_\<rbrace>\<^bsub>_\<^esub>" [899, 0] 900)
+  "_FAbs" :: "nat \<Rightarrow> type \<Rightarrow> form \<Rightarrow> form" ("(4\<lambda>_\<^bsub>_\<^esub>./ _)" [0, 0, 104] 104)
+translations
+  "x\<^bsub>\<alpha>\<^esub>" \<rightleftharpoons> "CONST FVar (x, \<alpha>)"
+  "\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>" \<rightleftharpoons> "CONST FCon (c, \<alpha>)"
+  "\<lambda>x\<^bsub>\<alpha>\<^esub>. A" \<rightleftharpoons> "CONST FAbs (x, \<alpha>) A"
+
+subsection \<open>Generalized operators\<close>
+
+text \<open>Generalized application. We define \<open>\<sqdot>\<^sup>\<Q>\<^sub>\<star> A [B\<^sub>1, B\<^sub>2, \<dots>, B\<^sub>n]\<close> as \<open>A \<sqdot> B\<^sub>1 \<sqdot> B\<^sub>2 \<sqdot> \<cdots> \<sqdot> B\<^sub>n\<close>:\<close>
+
+definition generalized_app :: "form \<Rightarrow> form list \<Rightarrow> form" ("\<sqdot>\<^sup>\<Q>\<^sub>\<star> _ _" [241, 241] 241) where
+  [simp]: "\<sqdot>\<^sup>\<Q>\<^sub>\<star> A Bs = foldl (\<sqdot>) A Bs"
+
+text \<open>Generalized abstraction. We define \<open>\<lambda>\<^sup>\<Q>\<^sub>\<star> [x\<^sub>1, \<dots>, x\<^sub>n] A\<close> as \<open>\<lambda>x\<^sub>1. \<cdots> \<lambda>x\<^sub>n. A\<close>:\<close>
+
+definition generalized_abs :: "var list \<Rightarrow> form \<Rightarrow> form" ("\<lambda>\<^sup>\<Q>\<^sub>\<star> _ _" [141, 141] 141) where
+  [simp]: "\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A = foldr (\<lambda>(x, \<alpha>) B. \<lambda>x\<^bsub>\<alpha>\<^esub>. B) vs A"
+
+fun form_size :: "form \<Rightarrow> nat" where
+  "form_size (x\<^bsub>\<alpha>\<^esub>) = 1"
+| "form_size (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = 1"
+| "form_size (A \<sqdot> B) = Suc (form_size A + form_size B)"
+| "form_size (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = Suc (form_size A)"
+
+fun form_depth :: "form \<Rightarrow> nat" where
+  "form_depth (x\<^bsub>\<alpha>\<^esub>) = 0"
+| "form_depth (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = 0"
+| "form_depth (A \<sqdot> B) = Suc (max (form_depth A) (form_depth B))"
+| "form_depth (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = Suc (form_depth A)"
+
+subsection \<open>Subformulas\<close>
+
+fun subforms :: "form \<Rightarrow> form set" where
+  "subforms (x\<^bsub>\<alpha>\<^esub>) = {}"
+| "subforms (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = {}"
+| "subforms (A \<sqdot> B) = {A, B}"
+| "subforms (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = {A}"
+
+datatype direction = Left ("\<guillemotleft>") | Right ("\<guillemotright>")
+type_synonym position = "direction list"
+
+fun positions :: "form \<Rightarrow> position set" where
+  "positions (x\<^bsub>\<alpha>\<^esub>) = {[]}"
+| "positions (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = {[]}"
+| "positions (A \<sqdot> B) = {[]} \<union> {\<guillemotleft> # p | p. p \<in> positions A} \<union> {\<guillemotright> # p | p. p \<in> positions B}"
+| "positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = {[]} \<union> {\<guillemotleft> # p | p. p \<in> positions A}"
+
+lemma empty_is_position [simp]:
+  shows "[] \<in> positions A"
+  by (cases A rule: positions.cases) simp_all
+
+fun subform_at :: "form \<Rightarrow> position \<rightharpoonup> form" where
+  "subform_at A [] = Some A"
+| "subform_at (A \<sqdot> B) (\<guillemotleft> # p) = subform_at A p"
+| "subform_at (A \<sqdot> B) (\<guillemotright> # p) = subform_at B p"
+| "subform_at (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) (\<guillemotleft> # p) = subform_at A p"
+| "subform_at _ _ = None"
+
+fun is_subform_at :: "form \<Rightarrow> position \<Rightarrow> form \<Rightarrow> bool" ("(_ \<preceq>\<^bsub>_\<^esub>/ _)" [51,0,51] 50) where
+  "is_subform_at A [] A' = (A = A')"
+| "is_subform_at C (\<guillemotleft> # p) (A \<sqdot> B) = is_subform_at C p A"
+| "is_subform_at C (\<guillemotright> # p) (A \<sqdot> B) = is_subform_at C p B"
+| "is_subform_at C (\<guillemotleft> # p) (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = is_subform_at C p A"
+| "is_subform_at _ _ _ = False"
+
+lemma is_subform_at_alt_def:
+  shows "A' \<preceq>\<^bsub>p\<^esub> A = (case subform_at A p of Some B \<Rightarrow> B = A' | None \<Rightarrow> False)"
+  by (induction A' p A rule: is_subform_at.induct) auto
+
+lemma superform_existence:
+  assumes "B \<preceq>\<^bsub>p @ [d]\<^esub> C"
+  obtains A where "B \<preceq>\<^bsub>[d]\<^esub> A" and "A \<preceq>\<^bsub>p\<^esub> C"
+  using assms by (induction B p C rule: is_subform_at.induct) auto
+
+lemma subform_at_subforms_con:
+  assumes "\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub> \<preceq>\<^bsub>p\<^esub> C"
+  shows "\<nexists>A. A \<preceq>\<^bsub>p @ [d]\<^esub> C"
+  using assms by (induction "\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>" p C rule: is_subform_at.induct) auto
+
+lemma subform_at_subforms_var:
+  assumes "x\<^bsub>\<alpha>\<^esub> \<preceq>\<^bsub>p\<^esub> C"
+  shows "\<nexists>A. A \<preceq>\<^bsub>p @ [d]\<^esub> C"
+  using assms by (induction "x\<^bsub>\<alpha>\<^esub>" p C rule: is_subform_at.induct) auto
+
+lemma subform_at_subforms_app:
+  assumes "A \<sqdot> B \<preceq>\<^bsub>p\<^esub> C"
+  shows "A \<preceq>\<^bsub>p @ [\<guillemotleft>]\<^esub> C" and "B \<preceq>\<^bsub>p @ [\<guillemotright>]\<^esub> C"
+  using assms by (induction "A \<sqdot> B" p C rule: is_subform_at.induct) auto
+
+lemma subform_at_subforms_abs:
+  assumes "\<lambda>x\<^bsub>\<alpha>\<^esub>. A \<preceq>\<^bsub>p\<^esub> C"
+  shows "A \<preceq>\<^bsub>p @ [\<guillemotleft>]\<^esub> C"
+  using assms by (induction "\<lambda>x\<^bsub>\<alpha>\<^esub>. A" p C rule: is_subform_at.induct) auto
+
+lemma is_subform_implies_in_positions:
+  assumes "B \<preceq>\<^bsub>p\<^esub> A"
+  shows "p \<in> positions A"
+  using assms by (induction rule: is_subform_at.induct) simp_all
+
+lemma subform_size_decrease:
+  assumes "A \<preceq>\<^bsub>p\<^esub> B" and "p \<noteq> []"
+  shows "form_size A < form_size B"
+  using assms by (induction A p B rule: is_subform_at.induct) force+
+
+lemma strict_subform_is_not_form:
+  assumes "p \<noteq> []" and "A' \<preceq>\<^bsub>p\<^esub> A"
+  shows "A' \<noteq> A"
+  using assms and subform_size_decrease by blast
+
+lemma no_right_subform_of_abs:
+  shows "\<nexists>B. B \<preceq>\<^bsub>\<guillemotright> # p\<^esub> \<lambda>x\<^bsub>\<alpha>\<^esub>. A"
+  by simp
+
+lemma subforms_from_var:
+  assumes "A \<preceq>\<^bsub>p\<^esub> x\<^bsub>\<alpha>\<^esub>"
+  shows "A = x\<^bsub>\<alpha>\<^esub>" and "p = []"
+  using assms by (auto elim: is_subform_at.elims)
+
+lemma subforms_from_con:
+  assumes "A \<preceq>\<^bsub>p\<^esub> \<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>"
+  shows "A = \<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>" and "p = []"
+  using assms by (auto elim: is_subform_at.elims)
+
+lemma subforms_from_app:
+  assumes "A \<preceq>\<^bsub>p\<^esub> B \<sqdot> C"
+  shows "
+    (A = B \<sqdot> C \<and> p = []) \<or>
+    (A \<noteq> B \<sqdot> C \<and>
+      (\<exists>p' \<in> positions B. p = \<guillemotleft> # p' \<and> A \<preceq>\<^bsub>p'\<^esub> B) \<or> (\<exists>p' \<in> positions C. p = \<guillemotright> # p' \<and> A \<preceq>\<^bsub>p'\<^esub> C))"
+  using assms and strict_subform_is_not_form
+  by (auto simp add: is_subform_implies_in_positions elim: is_subform_at.elims)
+
+lemma subforms_from_abs:
+  assumes "A \<preceq>\<^bsub>p\<^esub> \<lambda>x\<^bsub>\<alpha>\<^esub>. B"
+  shows "(A = \<lambda>x\<^bsub>\<alpha>\<^esub>. B \<and> p = []) \<or> (A \<noteq> \<lambda>x\<^bsub>\<alpha>\<^esub>. B \<and> (\<exists>p' \<in> positions B. p = \<guillemotleft> # p' \<and> A \<preceq>\<^bsub>p'\<^esub> B))"
+  using assms and strict_subform_is_not_form
+  by (auto simp add: is_subform_implies_in_positions elim: is_subform_at.elims)
+
+lemma leftmost_subform_in_generalized_app:
+  shows "B \<preceq>\<^bsub>replicate (length As) \<guillemotleft>\<^esub> \<sqdot>\<^sup>\<Q>\<^sub>\<star> B As"
+  by (induction As arbitrary: B) (simp_all, metis replicate_append_same subform_at_subforms_app(1))
+
+lemma self_subform_is_at_top:
+  assumes "A \<preceq>\<^bsub>p\<^esub> A"
+  shows "p = []"
+  using assms and strict_subform_is_not_form by blast
+
+lemma at_top_is_self_subform:
+  assumes "A \<preceq>\<^bsub>[]\<^esub> B"
+  shows "A = B"
+  using assms by (auto elim: is_subform_at.elims)
+
+lemma is_subform_at_uniqueness:
+  assumes "B \<preceq>\<^bsub>p\<^esub> A" and "C \<preceq>\<^bsub>p\<^esub> A"
+  shows "B = C"
+  using assms by (induction A arbitrary: p B C) (auto elim: is_subform_at.elims)
+
+lemma is_subform_at_existence:
+  assumes "p \<in> positions A"
+  obtains B where "B \<preceq>\<^bsub>p\<^esub> A"
+  using assms by (induction A arbitrary: p) (auto elim: is_subform_at.elims, blast+)
+
+lemma is_subform_at_transitivity:
+  assumes "A \<preceq>\<^bsub>p\<^sub>1\<^esub> B" and "B \<preceq>\<^bsub>p\<^sub>2\<^esub> C"
+  shows "A \<preceq>\<^bsub>p\<^sub>2 @ p\<^sub>1\<^esub> C"
+  using assms by (induction B p\<^sub>2 C arbitrary: A p\<^sub>1 rule: is_subform_at.induct) simp_all
+
+lemma subform_nesting:
+  assumes "strict_prefix p' p"
+  and "B \<preceq>\<^bsub>p'\<^esub> A"
+  and "C \<preceq>\<^bsub>p\<^esub> A"
+  shows "C \<preceq>\<^bsub>drop (length p') p\<^esub> B"
+proof -
+  from assms(1) have "p \<noteq> []"
+    using strict_prefix_simps(1) by blast
+  with assms(1,3) show ?thesis
+  proof (induction p arbitrary: C rule: rev_induct)
+    case Nil
+    then show ?case
+      by blast
+  next
+    case (snoc d p'')
+    then show ?case
+    proof (cases "p'' = p'")
+      case True
+      obtain A' where "C \<preceq>\<^bsub>[d]\<^esub> A'" and "A' \<preceq>\<^bsub>p'\<^esub> A"
+        by (fact superform_existence[OF snoc.prems(2)[unfolded True]])
+      from \<open>A' \<preceq>\<^bsub>p'\<^esub> A\<close> and assms(2) have "A' = B"
+        by (rule is_subform_at_uniqueness)
+      with \<open>C \<preceq>\<^bsub>[d]\<^esub> A'\<close> have "C \<preceq>\<^bsub>[d]\<^esub> B"
+        by (simp only:)
+      with True show ?thesis
+        by auto
+    next
+      case False
+      with snoc.prems(1) have "strict_prefix p' p''"
+        using prefix_order.dual_order.strict_implies_order by fastforce
+      then have "p'' \<noteq> []"
+        by force
+      moreover from snoc.prems(2) obtain A' where "C \<preceq>\<^bsub>[d]\<^esub> A'" and "A' \<preceq>\<^bsub>p''\<^esub> A"
+        using superform_existence by blast
+      ultimately have "A' \<preceq>\<^bsub>drop (length p') p''\<^esub> B"
+        using snoc.IH and \<open>strict_prefix p' p''\<close> by blast
+      with \<open>C \<preceq>\<^bsub>[d]\<^esub> A'\<close> and snoc.prems(1) show ?thesis
+        using is_subform_at_transitivity and prefix_length_less by fastforce
+    qed
+  qed
+qed
+
+lemma loop_subform_impossibility:
+  assumes "B \<preceq>\<^bsub>p\<^esub> A"
+  and "strict_prefix p' p"
+  shows "\<not> B \<preceq>\<^bsub>p'\<^esub> A"
+  using assms and prefix_length_less and self_subform_is_at_top and subform_nesting by fastforce
+
+lemma nested_subform_size_decreases:
+  assumes "strict_prefix p' p"
+  and "B \<preceq>\<^bsub>p'\<^esub> A"
+  and "C \<preceq>\<^bsub>p\<^esub> A"
+  shows "form_size C < form_size B"
+proof -
+  from assms(1) have "p \<noteq> []"
+    by force
+  have "C \<preceq>\<^bsub>drop (length p') p\<^esub> B"
+    by (fact subform_nesting[OF assms])
+  moreover have "drop (length p') p \<noteq> []"
+    using prefix_length_less[OF assms(1)] by force
+  ultimately show ?thesis
+    using subform_size_decrease by simp
+qed
+
+definition is_subform :: "form \<Rightarrow> form \<Rightarrow> bool" (infix "\<preceq>" 50) where
+  [simp]: "A \<preceq> B = (\<exists>p. A \<preceq>\<^bsub>p\<^esub> B)"
+
+instantiation form :: ord
+begin
+
+definition
+  "A \<le> B \<longleftrightarrow> A \<preceq> B"
+
+definition
+  "A < B \<longleftrightarrow> A \<preceq> B \<and> A \<noteq> B"
+
+instance ..
+
+end
+
+instance form :: preorder
+proof (standard, unfold less_eq_form_def less_form_def)
+  fix A
+  show "A \<preceq> A"
+    unfolding is_subform_def using is_subform_at.simps(1) by blast
+next
+  fix A and B and C
+  assume "A \<preceq> B" and "B \<preceq> C"
+  then show "A \<preceq> C"
+    unfolding is_subform_def using is_subform_at_transitivity by blast
+next
+  fix A and B
+  show "A \<preceq> B \<and> A \<noteq> B \<longleftrightarrow> A \<preceq> B \<and> \<not> B \<preceq> A"
+    unfolding is_subform_def
+    by (metis is_subform_at.simps(1) not_less_iff_gr_or_eq subform_size_decrease)
+qed
+
+lemma position_subform_existence_equivalence:
+  shows "p \<in> positions A \<longleftrightarrow> (\<exists>A'. A' \<preceq>\<^bsub>p\<^esub> A)"
+  by (meson is_subform_at_existence is_subform_implies_in_positions)
+
+lemma position_prefix_is_position:
+  assumes "p \<in> positions A" and "prefix p' p"
+  shows "p' \<in> positions A"
+using assms proof (induction p rule: rev_induct)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (snoc d p'')
+  from snoc.prems(1) have "p'' \<in> positions A"
+    by (meson position_subform_existence_equivalence superform_existence)
+  with snoc.prems(1,2) show ?case
+    using snoc.IH by fastforce
+qed
+
+subsection \<open>Free and bound variables\<close>
+
+consts vars :: "'a \<Rightarrow> var set"
+
+overloading
+  "vars_form" \<equiv> "vars :: form \<Rightarrow> var set"
+  "vars_form_set" \<equiv> "vars :: form set \<Rightarrow> var set" (* abuse of notation *)
+begin
+
+fun vars_form :: "form \<Rightarrow> var set" where
+  "vars_form (x\<^bsub>\<alpha>\<^esub>) = {(x, \<alpha>)}"
+| "vars_form (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = {}"
+| "vars_form (A \<sqdot> B) = vars_form A \<union> vars_form B"
+| "vars_form (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = vars_form A \<union> {(x, \<alpha>)}"
+
+fun vars_form_set :: "form set \<Rightarrow> var set" where
+  "vars_form_set S = (\<Union>A \<in> S. vars A)"
+
+end
+
+abbreviation var_names :: "'a \<Rightarrow> nat set" where
+  "var_names \<X> \<equiv> var_name ` (vars \<X>)"
+
+lemma vars_form_finiteness:
+  fixes A :: form
+  shows "finite (vars A)"
+  by (induction rule: vars_form.induct) simp_all
+
+lemma vars_form_set_finiteness:
+  fixes S :: "form set"
+  assumes "finite S"
+  shows "finite (vars S)"
+  using assms unfolding vars_form_set.simps using vars_form_finiteness by blast
+
+lemma form_var_names_finiteness:
+  fixes A :: form
+  shows "finite (var_names A)"
+  using vars_form_finiteness by blast
+
+lemma form_set_var_names_finiteness:
+  fixes S :: "form set"
+  assumes "finite S"
+  shows "finite (var_names S)"
+  using assms and vars_form_set_finiteness by blast
+
+consts free_vars :: "'a \<Rightarrow> var set"
+
+overloading
+  "free_vars_form" \<equiv> "free_vars :: form \<Rightarrow> var set"
+  "free_vars_form_set" \<equiv> "free_vars :: form set \<Rightarrow> var set" (* abuse of notation *)
+begin
+
+fun free_vars_form :: "form \<Rightarrow> var set" where
+  "free_vars_form (x\<^bsub>\<alpha>\<^esub>) = {(x, \<alpha>)}"
+| "free_vars_form (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = {}"
+| "free_vars_form (A \<sqdot> B) = free_vars_form A \<union> free_vars_form B"
+| "free_vars_form (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = free_vars_form A - {(x, \<alpha>)}"
+
+fun free_vars_form_set :: "form set \<Rightarrow> var set" where
+  "free_vars_form_set S = (\<Union>A \<in> S. free_vars A)"
+
+end
+
+abbreviation free_var_names :: "'a \<Rightarrow> nat set" where
+  "free_var_names \<X> \<equiv> var_name ` (free_vars \<X>)"
+
+lemma free_vars_form_finiteness:
+  fixes A :: form
+  shows "finite (free_vars A)"
+  by (induction rule: free_vars_form.induct) simp_all
+
+lemma free_vars_of_generalized_app:
+  shows "free_vars (\<sqdot>\<^sup>\<Q>\<^sub>\<star> A Bs) = free_vars A \<union> free_vars (lset Bs)"
+  by (induction Bs arbitrary: A) auto
+
+lemma free_vars_of_generalized_abs:
+  shows "free_vars (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) = free_vars A - lset vs"
+  by (induction vs arbitrary: A) auto
+
+lemma free_vars_in_all_vars:
+  fixes A :: form
+  shows "free_vars A \<subseteq> vars A"
+proof (induction A)
+  case (FVar v)
+  then show ?case
+    using surj_pair[of v] by force
+next
+  case (FCon k)
+  then show ?case
+    using surj_pair[of k] by force
+next
+  case (FApp A B)
+  have "free_vars (A \<sqdot> B) = free_vars A \<union> free_vars B"
+    using free_vars_form.simps(3) .
+  also from FApp.IH have "\<dots> \<subseteq> vars A \<union> vars B"
+    by blast
+  also have "\<dots> = vars (A \<sqdot> B)"
+    using vars_form.simps(3)[symmetric] .
+  finally show ?case
+    by (simp only:)
+next
+  case (FAbs v A)
+  then show ?case
+    using surj_pair[of v] by force
+qed
+
+lemma free_vars_in_all_vars_set:
+  fixes S :: "form set"
+  shows "free_vars S \<subseteq> vars S"
+  using free_vars_in_all_vars by fastforce
+
+lemma singleton_form_set_vars:
+  shows "vars {FVar y} = {y}"
+  using surj_pair[of y] by force
+
+fun bound_vars where
+  "bound_vars (x\<^bsub>\<alpha>\<^esub>) = {}"
+| "bound_vars (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = {}"
+| "bound_vars (B \<sqdot> C) = bound_vars B \<union> bound_vars C"
+| "bound_vars (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) = {(x, \<alpha>)} \<union> bound_vars B"
+
+lemma vars_is_free_and_bound_vars:
+  shows "vars A = free_vars A \<union> bound_vars A"
+  by (induction A) auto
+
+fun binders_at :: "form \<Rightarrow> position \<Rightarrow> var set" where
+  "binders_at (A \<sqdot> B) (\<guillemotleft> # p) = binders_at A p"
+| "binders_at (A \<sqdot> B) (\<guillemotright> # p) = binders_at B p"
+| "binders_at (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) (\<guillemotleft> # p) = {(x, \<alpha>)} \<union> binders_at A p"
+| "binders_at A [] = {}"
+| "binders_at A p = {}"
+
+lemma binders_at_concat:
+  assumes "A' \<preceq>\<^bsub>p\<^esub> A"
+  shows "binders_at A (p @ p') = binders_at A p \<union> binders_at A' p'"
+  using assms by (induction p A rule: is_subform_at.induct) auto
+
+subsection \<open>Free and bound occurrences\<close>
+
+definition occurs_at :: "var \<Rightarrow> position \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "occurs_at v p B \<longleftrightarrow> (FVar v \<preceq>\<^bsub>p\<^esub> B)"
+
+lemma occurs_at_alt_def:
+  shows "occurs_at v [] (FVar v') \<longleftrightarrow> (v = v')"
+  and "occurs_at v p (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) \<longleftrightarrow> False"
+  and "occurs_at v (\<guillemotleft> # p) (A \<sqdot> B) \<longleftrightarrow> occurs_at v p A"
+  and "occurs_at v (\<guillemotright> # p) (A \<sqdot> B) \<longleftrightarrow> occurs_at v p B"
+  and "occurs_at v (\<guillemotleft> # p) (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) \<longleftrightarrow> occurs_at v p A"
+  and "occurs_at v (d # p) (FVar v') \<longleftrightarrow> False"
+  and "occurs_at v (\<guillemotright> # p) (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) \<longleftrightarrow> False"
+  and "occurs_at v [] (A \<sqdot> B) \<longleftrightarrow> False"
+  and "occurs_at v [] (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) \<longleftrightarrow> False"
+  by (fastforce elim: is_subform_at.elims)+
+
+definition occurs :: "var \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "occurs v B \<longleftrightarrow> (\<exists>p \<in> positions B. occurs_at v p B)"
+
+lemma occurs_in_vars:
+  assumes "occurs v A"
+  shows "v \<in> vars A"
+  using assms by (induction A) force+
+
+abbreviation strict_prefixes where
+  "strict_prefixes xs \<equiv> [ys \<leftarrow> prefixes xs. ys \<noteq> xs]"
+
+definition in_scope_of_abs :: "var \<Rightarrow> position \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "in_scope_of_abs v p B \<longleftrightarrow> (
+    p \<noteq> [] \<and>
+    (
+      \<exists>p' \<in> lset (strict_prefixes p).
+        case (subform_at B p') of
+          Some (FAbs v' _) \<Rightarrow> v = v'
+        | _ \<Rightarrow> False
+    )
+  )"
+
+lemma in_scope_of_abs_alt_def:
+  shows "
+    in_scope_of_abs v p B
+    \<longleftrightarrow>
+    p \<noteq> [] \<and> (\<exists>p' \<in> positions B. \<exists>C. strict_prefix p' p \<and> FAbs v C \<preceq>\<^bsub>p'\<^esub> B)"
+proof
+  assume "in_scope_of_abs v p B"
+  then show "p \<noteq> [] \<and> (\<exists>p' \<in> positions B. \<exists>C. strict_prefix p' p \<and> FAbs v C \<preceq>\<^bsub>p'\<^esub> B)"
+    by (induction rule: subform_at.induct) force+
+next
+  assume "p \<noteq> [] \<and> (\<exists>p' \<in> positions B. \<exists>C. strict_prefix p' p \<and> FAbs v C \<preceq>\<^bsub>p'\<^esub> B)"
+  then show "in_scope_of_abs v p B"
+    by (induction rule: subform_at.induct) fastforce+
+qed
+
+lemma in_scope_of_abs_in_left_app:
+  shows "in_scope_of_abs v (\<guillemotleft> # p) (A \<sqdot> B) \<longleftrightarrow> in_scope_of_abs v p A"
+  by force
+
+lemma in_scope_of_abs_in_right_app:
+  shows "in_scope_of_abs v (\<guillemotright> # p) (A \<sqdot> B) \<longleftrightarrow> in_scope_of_abs v p B"
+  by force
+
+lemma in_scope_of_abs_in_app:
+  assumes "in_scope_of_abs v p (A \<sqdot> B)"
+  obtains p' where "(p = \<guillemotleft> # p' \<and> in_scope_of_abs v p' A) \<or> (p = \<guillemotright> # p' \<and> in_scope_of_abs v p' B)"
+proof -
+  from assms obtain d and p' where "p = d # p'"
+    unfolding in_scope_of_abs_def by (meson list.exhaust)
+  then show ?thesis
+  proof (cases d)
+    case Left
+    with assms and \<open>p = d # p'\<close> show ?thesis
+      using that and in_scope_of_abs_in_left_app by simp
+  next
+    case Right
+    with assms and \<open>p = d # p'\<close> show ?thesis
+      using that and in_scope_of_abs_in_right_app by simp
+  qed
+qed
+
+lemma not_in_scope_of_abs_in_app:
+  assumes "
+    \<forall>p'.
+      (p = \<guillemotleft> # p' \<longrightarrow> \<not> in_scope_of_abs v' p' A)
+      \<and>
+      (p = \<guillemotright> # p' \<longrightarrow> \<not> in_scope_of_abs v' p' B)"
+  shows "\<not> in_scope_of_abs v' p (A \<sqdot> B)"
+  using assms and in_scope_of_abs_in_app by metis
+
+lemma in_scope_of_abs_in_abs:
+  shows "in_scope_of_abs v (\<guillemotleft> # p) (FAbs v' B) \<longleftrightarrow> v = v' \<or> in_scope_of_abs v p B"
+proof
+  assume "in_scope_of_abs v (\<guillemotleft> # p) (FAbs v' B)"
+  then obtain p' and C
+    where "p' \<in> positions (FAbs v' B)"
+    and "strict_prefix p' (\<guillemotleft> # p)"
+    and "FAbs v C \<preceq>\<^bsub>p'\<^esub> FAbs v' B"
+    unfolding in_scope_of_abs_alt_def by blast
+  then show "v = v' \<or> in_scope_of_abs v p B"
+  proof (cases p')
+    case Nil
+    with \<open>FAbs v C \<preceq>\<^bsub>p'\<^esub> FAbs v' B\<close> have "v = v'"
+      by auto
+    then show ?thesis
+      by simp
+  next
+    case (Cons d p'')
+    with \<open>strict_prefix p' (\<guillemotleft> # p)\<close> have "d = \<guillemotleft>"
+      by simp
+    from \<open>FAbs v C \<preceq>\<^bsub>p'\<^esub> FAbs v' B\<close> and Cons have "p'' \<in> positions B"
+      by
+        (cases "(FAbs v C, p', FAbs v' B)" rule: is_subform_at.cases)
+        (simp_all add: is_subform_implies_in_positions)
+    moreover from \<open>FAbs v C \<preceq>\<^bsub>p'\<^esub> FAbs v' B\<close> and Cons and \<open>d = \<guillemotleft>\<close> have "FAbs v C \<preceq>\<^bsub>p''\<^esub> B"
+      by (metis is_subform_at.simps(4) old.prod.exhaust)
+    moreover from \<open>strict_prefix p' (\<guillemotleft> # p)\<close> and Cons have "strict_prefix p'' p"
+      by auto
+    ultimately have "in_scope_of_abs v p B"
+      using in_scope_of_abs_alt_def by auto
+    then show ?thesis
+      by simp
+  qed
+next
+  assume "v = v' \<or> in_scope_of_abs v p B"
+  then show "in_scope_of_abs v (\<guillemotleft> # p) (FAbs v' B)"
+    unfolding in_scope_of_abs_alt_def
+    using position_subform_existence_equivalence and surj_pair[of v']
+    by force
+qed
+
+lemma not_in_scope_of_abs_in_var:
+  shows "\<not> in_scope_of_abs v p (FVar v')"
+  unfolding in_scope_of_abs_def by (cases p) simp_all
+
+lemma in_scope_of_abs_in_vars:
+  assumes "in_scope_of_abs v p A"
+  shows "v \<in> vars A"
+using assms proof (induction A arbitrary: p)
+  case (FVar v')
+  then show ?case
+    using not_in_scope_of_abs_in_var by blast
+next
+  case (FCon k)
+  then show ?case
+    using in_scope_of_abs_alt_def by (blast elim: is_subform_at.elims(2))
+next
+  case (FApp B C)
+  from FApp.prems obtain d and p' where "p = d # p'"
+    unfolding in_scope_of_abs_def by (meson neq_Nil_conv)
+  then show ?case
+  proof (cases d)
+    case Left
+    with FApp.prems and \<open>p = d # p'\<close> have "in_scope_of_abs v p' B"
+      using in_scope_of_abs_in_left_app by blast
+    then have "v \<in> vars B"
+      by (fact FApp.IH(1))
+    then show ?thesis
+      by simp
+  next
+    case Right
+    with FApp.prems and \<open>p = d # p'\<close> have "in_scope_of_abs v p' C"
+      using in_scope_of_abs_in_right_app by blast
+    then have "v \<in> vars C"
+      by (fact FApp.IH(2))
+    then show ?thesis
+      by simp
+  qed
+next
+  case (FAbs v' B)
+  then show ?case
+  proof (cases "v = v'")
+    case True
+    then show ?thesis
+      using surj_pair[of v] by force
+  next
+    case False
+    with FAbs.prems obtain p' and d where "p = d # p'"
+      unfolding in_scope_of_abs_def by (meson neq_Nil_conv)
+    then show ?thesis
+    proof (cases d)
+      case Left
+      with FAbs.prems and False and \<open>p = d # p'\<close> have "in_scope_of_abs v p' B"
+        using in_scope_of_abs_in_abs by blast
+      then have "v \<in> vars B"
+        by (fact FAbs.IH)
+      then show ?thesis
+        using surj_pair[of v'] by force
+    next
+      case Right
+      with FAbs.prems and \<open>p = d # p'\<close> and False show ?thesis
+        by (cases rule: is_subform_at.cases) auto
+    qed
+  qed
+qed
+
+lemma binders_at_alt_def:
+  assumes "p \<in> positions A"
+  shows "binders_at A p = {v | v. in_scope_of_abs v p A}"
+  using assms and in_set_prefixes by (induction rule: binders_at.induct) auto
+
+definition is_bound_at :: "var \<Rightarrow> position \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_bound_at v p B \<longleftrightarrow> occurs_at v p B \<and> in_scope_of_abs v p B"
+
+lemma not_is_bound_at_in_var:
+  shows "\<not> is_bound_at v p (FVar v')"
+  by (fastforce elim: is_subform_at.elims(2))
+
+lemma not_is_bound_at_in_con:
+  shows "\<not> is_bound_at v p (FCon k)"
+  by (fastforce elim: is_subform_at.elims(2))
+
+lemma is_bound_at_in_left_app:
+  shows "is_bound_at v (\<guillemotleft> # p) (B \<sqdot> C) \<longleftrightarrow> is_bound_at v p B"
+  by auto
+
+lemma is_bound_at_in_right_app:
+  shows "is_bound_at v (\<guillemotright> # p) (B \<sqdot> C) \<longleftrightarrow> is_bound_at v p C"
+  by auto
+
+lemma is_bound_at_from_app:
+  assumes "is_bound_at v p (B \<sqdot> C)"
+  obtains p' where "(p = \<guillemotleft> # p' \<and> is_bound_at v p' B) \<or> (p = \<guillemotright> # p' \<and> is_bound_at v p' C)"
+proof -
+  from assms obtain d and p' where "p = d # p'"
+    using subforms_from_app by blast
+  then show ?thesis
+  proof (cases d)
+    case Left
+    with assms and that and \<open>p = d # p'\<close> show ?thesis
+      using is_bound_at_in_left_app by simp
+  next
+    case Right
+    with assms and that and \<open>p = d # p'\<close> show ?thesis
+      using is_bound_at_in_right_app by simp
+  qed
+qed
+
+lemma is_bound_at_from_abs:
+  assumes "is_bound_at v (\<guillemotleft> # p) (FAbs v' B)"
+  shows "v = v' \<or> is_bound_at v p B"
+  using assms by (fastforce elim: is_subform_at.elims)
+
+lemma is_bound_at_from_absE:
+  assumes "is_bound_at v p (FAbs v' B)"
+  obtains p' where "p = \<guillemotleft> # p'" and "v = v' \<or> is_bound_at v p' B"
+proof -
+  obtain x and \<alpha> where "v' = (x, \<alpha>)"
+    by fastforce
+  with assms obtain p' where "p = \<guillemotleft> # p'"
+    using subforms_from_abs by blast
+  with assms and that show ?thesis
+    using is_bound_at_from_abs by simp
+qed
+
+lemma is_bound_at_to_abs:
+  assumes "(v = v' \<and> occurs_at v p B) \<or> is_bound_at v p B"
+  shows "is_bound_at v (\<guillemotleft> # p) (FAbs v' B)"
+unfolding is_bound_at_def proof
+  from assms(1) show "occurs_at v (\<guillemotleft> # p) (FAbs v' B)"
+    using surj_pair[of v'] by force
+  from assms show "in_scope_of_abs v (\<guillemotleft> # p) (FAbs v' B)"
+    using in_scope_of_abs_in_abs by auto
+qed
+
+lemma is_bound_at_in_bound_vars:
+  assumes "p \<in> positions A"
+  and "is_bound_at v p A \<or> v \<in> binders_at A p"
+  shows "v \<in> bound_vars A"
+using assms proof (induction A arbitrary: p)
+  case (FApp B C)
+  from FApp.prems(2) consider (a) "is_bound_at v p (B \<sqdot> C)" | (b) "v \<in> binders_at (B \<sqdot> C) p"
+    by blast
+  then show ?case
+  proof cases
+    case a
+    then have "p \<noteq> []"
+      using occurs_at_alt_def(8) by blast
+    then obtain d and p' where "p = d # p'"
+      by (meson list.exhaust)
+    with \<open>p \<in> positions (B \<sqdot> C)\<close>
+    consider (a\<^sub>1) "p = \<guillemotleft> # p'" and "p' \<in> positions B" | (a\<^sub>2) "p = \<guillemotright> # p'" and "p' \<in> positions C"
+      by force
+    then show ?thesis
+    proof cases
+      case a\<^sub>1
+      from a\<^sub>1(1) and \<open>is_bound_at v p (B \<sqdot> C)\<close> have "is_bound_at v p' B"
+        using is_bound_at_in_left_app by blast
+      with a\<^sub>1(2) have "v \<in> bound_vars B"
+        using FApp.IH(1) by blast
+      then show ?thesis
+        by simp
+    next
+      case a\<^sub>2
+      from a\<^sub>2(1) and \<open>is_bound_at v p (B \<sqdot> C)\<close> have "is_bound_at v p' C"
+        using is_bound_at_in_right_app by blast
+      with a\<^sub>2(2) have "v \<in> bound_vars C"
+        using FApp.IH(2) by blast
+      then show ?thesis
+        by simp
+    qed
+  next
+    case b
+    then have "p \<noteq> []"
+      by force
+    then obtain d and p' where "p = d # p'"
+      by (meson list.exhaust)
+    with \<open>p \<in> positions (B \<sqdot> C)\<close>
+    consider (b\<^sub>1) "p = \<guillemotleft> # p'" and "p' \<in> positions B" | (b\<^sub>2) "p = \<guillemotright> # p'" and "p' \<in> positions C"
+      by force
+    then show ?thesis
+    proof cases
+      case b\<^sub>1
+      from b\<^sub>1(1) and \<open>v \<in> binders_at (B \<sqdot> C) p\<close> have "v \<in> binders_at B p'"
+        by force
+      with b\<^sub>1(2) have "v \<in> bound_vars B"
+        using FApp.IH(1) by blast
+      then show ?thesis
+        by simp
+    next
+      case b\<^sub>2
+      from b\<^sub>2(1) and \<open>v \<in> binders_at (B \<sqdot> C) p\<close> have "v \<in> binders_at C p'"
+        by force
+      with b\<^sub>2(2) have "v \<in> bound_vars C"
+        using FApp.IH(2) by blast
+      then show ?thesis
+        by simp
+    qed
+  qed
+next
+  case (FAbs v' B)
+  from FAbs.prems(2) consider (a) "is_bound_at v p (FAbs v' B)" | (b) "v \<in> binders_at (FAbs v' B) p"
+    by blast
+  then show ?case
+  proof cases
+    case a
+    then have "p \<noteq> []"
+      using occurs_at_alt_def(9) by force
+    with \<open>p \<in> positions (FAbs v' B)\<close> obtain p' where "p = \<guillemotleft> # p'" and "p' \<in> positions B"
+      by (cases "FAbs v' B" rule: positions.cases) fastforce+
+    from \<open>p = \<guillemotleft> # p'\<close> and \<open>is_bound_at v p (FAbs v' B)\<close> have "v = v' \<or> is_bound_at v p' B"
+      using is_bound_at_from_abs by blast
+    then consider (a\<^sub>1) "v = v'" | (a\<^sub>2) "is_bound_at v p' B"
+      by blast
+    then show ?thesis
+    proof cases
+      case a\<^sub>1
+      then show ?thesis
+        using surj_pair[of v'] by fastforce
+    next
+      case a\<^sub>2
+      then have "v \<in> bound_vars B"
+        using \<open>p' \<in> positions B\<close> and FAbs.IH by blast
+      then show ?thesis
+        using surj_pair[of v'] by fastforce
+    qed
+  next
+    case b
+    then have "p \<noteq> []"
+      by force
+    with FAbs.prems(1) obtain p' where "p = \<guillemotleft> # p'" and "p' \<in> positions B"
+      by (cases "FAbs v' B" rule: positions.cases) fastforce+
+    with b consider (b\<^sub>1) "v = v'" | (b\<^sub>2) "v \<in> binders_at B p'"
+      by (cases "FAbs v' B" rule: positions.cases) fastforce+
+    then show ?thesis
+    proof cases
+      case b\<^sub>1
+      then show ?thesis
+        using surj_pair[of v'] by fastforce
+    next
+      case b\<^sub>2
+      then have "v \<in> bound_vars B"
+        using \<open>p' \<in> positions B\<close> and FAbs.IH by blast
+      then show ?thesis
+        using surj_pair[of v'] by fastforce
+    qed
+  qed
+qed fastforce+
+
+lemma bound_vars_in_is_bound_at:
+  assumes "v \<in> bound_vars A"
+  obtains p where "p \<in> positions A" and "is_bound_at v p A \<or> v \<in> binders_at A p"
+using assms proof (induction A arbitrary: thesis rule: bound_vars.induct)
+  case (3 B C)
+  from \<open>v \<in> bound_vars (B \<sqdot> C)\<close> consider (a) "v \<in> bound_vars B" | (b) "v \<in> bound_vars C"
+    by fastforce
+  then show ?case
+  proof cases
+    case a
+    with "3.IH"(1) obtain p where "p \<in> positions B" and "is_bound_at v p B \<or> v \<in> binders_at B p"
+      by blast
+    from \<open>p \<in> positions B\<close> have "\<guillemotleft> # p \<in> positions (B \<sqdot> C)"
+      by simp
+    from \<open>is_bound_at v p B \<or> v \<in> binders_at B p\<close>
+    consider (a\<^sub>1) "is_bound_at v p B" | (a\<^sub>2) "v \<in> binders_at B p"
+      by blast
+    then show ?thesis
+    proof cases
+      case a\<^sub>1
+      then have "is_bound_at v (\<guillemotleft> # p) (B \<sqdot> C)"
+        using is_bound_at_in_left_app by blast
+      then show ?thesis
+        using "3.prems"(1) and is_subform_implies_in_positions by blast
+    next
+      case a\<^sub>2
+      then have "v \<in> binders_at (B \<sqdot> C) (\<guillemotleft> # p)"
+        by simp
+      then show ?thesis
+        using "3.prems"(1) and \<open>\<guillemotleft> # p \<in> positions (B \<sqdot> C)\<close> by blast
+    qed
+  next
+    case b
+    with "3.IH"(2) obtain p where "p \<in> positions C" and "is_bound_at v p C \<or> v \<in> binders_at C p"
+      by blast
+    from \<open>p \<in> positions C\<close> have "\<guillemotright> # p \<in> positions (B \<sqdot> C)"
+      by simp
+    from \<open>is_bound_at v p C \<or> v \<in> binders_at C p\<close>
+    consider (b\<^sub>1) "is_bound_at v p C" | (b\<^sub>2) "v \<in> binders_at C p"
+      by blast
+    then show ?thesis
+    proof cases
+      case b\<^sub>1
+      then have "is_bound_at v (\<guillemotright> # p) (B \<sqdot> C)"
+        using is_bound_at_in_right_app by blast
+      then show ?thesis
+        using "3.prems"(1) and is_subform_implies_in_positions by blast
+    next
+      case b\<^sub>2
+      then have "v \<in> binders_at (B \<sqdot> C) (\<guillemotright> # p)"
+        by simp
+      then show ?thesis
+        using "3.prems"(1) and \<open>\<guillemotright> # p \<in> positions (B \<sqdot> C)\<close> by blast
+    qed
+  qed
+next
+  case (4 x \<alpha> B)
+  from \<open>v \<in> bound_vars (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)\<close> consider (a) "v = (x, \<alpha>)" | (b) "v \<in> bound_vars B"
+    by force
+  then show ?case
+  proof cases
+    case a
+    then have "v \<in> binders_at (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) [\<guillemotleft>]"
+      by simp
+    then show ?thesis
+      using "4.prems"(1) and is_subform_implies_in_positions by fastforce
+  next
+    case b
+    with "4.IH"(1) obtain p where "p \<in> positions B" and "is_bound_at v p B \<or> v \<in> binders_at B p"
+      by blast
+    from \<open>p \<in> positions B\<close> have "\<guillemotleft> # p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+      by simp
+    from \<open>is_bound_at v p B \<or> v \<in> binders_at B p\<close>
+    consider (b\<^sub>1) "is_bound_at v p B" | (b\<^sub>2) "v \<in> binders_at B p"
+      by blast
+    then show ?thesis
+    proof cases
+      case b\<^sub>1
+      then have "is_bound_at v (\<guillemotleft> # p) (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+        using is_bound_at_to_abs by blast
+      then show ?thesis
+        using "4.prems"(1) and \<open>\<guillemotleft> # p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)\<close> by blast
+    next
+      case b\<^sub>2
+      then have "v \<in> binders_at (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) (\<guillemotleft> # p)"
+        by simp
+      then show ?thesis
+        using "4.prems"(1) and \<open>\<guillemotleft> # p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)\<close> by blast
+    qed
+  qed
+qed simp_all
+
+lemma bound_vars_alt_def:
+  shows "bound_vars A = {v | v p. p \<in> positions A \<and> (is_bound_at v p A \<or> v \<in> binders_at A p)}"
+  using bound_vars_in_is_bound_at and is_bound_at_in_bound_vars
+  by (intro subset_antisym subsetI CollectI, metis) blast
+
+definition is_free_at :: "var \<Rightarrow> position \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_free_at v p B \<longleftrightarrow> occurs_at v p B \<and> \<not> in_scope_of_abs v p B"
+
+lemma is_free_at_in_var:
+  shows "is_free_at v [] (FVar v') \<longleftrightarrow> v = v'"
+  by simp
+
+lemma not_is_free_at_in_con:
+  shows "\<not> is_free_at v [] (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>)"
+  by simp
+
+lemma is_free_at_in_left_app:
+  shows "is_free_at v (\<guillemotleft> # p) (B \<sqdot> C) \<longleftrightarrow> is_free_at v p B"
+  by auto
+
+lemma is_free_at_in_right_app:
+  shows "is_free_at v (\<guillemotright> # p) (B \<sqdot> C) \<longleftrightarrow> is_free_at v p C"
+  by auto
+
+lemma is_free_at_from_app:
+  assumes "is_free_at v p (B \<sqdot> C)"
+  obtains p' where "(p = \<guillemotleft> # p' \<and> is_free_at v p' B) \<or> (p = \<guillemotright> # p' \<and> is_free_at v p' C)"
+proof -
+  from assms obtain d and p' where "p = d # p'"
+    using subforms_from_app by blast
+  then show ?thesis
+  proof (cases d)
+    case Left
+    with assms and that and \<open>p = d # p'\<close> show ?thesis
+      using is_free_at_in_left_app by blast
+  next
+    case Right
+    with assms and that and \<open>p = d # p'\<close> show ?thesis
+      using is_free_at_in_right_app by blast
+  qed
+qed
+
+lemma is_free_at_from_abs:
+  assumes "is_free_at v (\<guillemotleft> # p) (FAbs v' B)"
+  shows "is_free_at v p B"
+  using assms by (fastforce elim: is_subform_at.elims)
+
+lemma is_free_at_from_absE:
+  assumes "is_free_at v p (FAbs v' B)"
+  obtains p' where "p = \<guillemotleft> # p'" and "is_free_at v p' B"
+proof -
+  obtain x and \<alpha> where "v' = (x, \<alpha>)"
+    by fastforce
+  with assms obtain p' where "p = \<guillemotleft> # p'"
+    using subforms_from_abs by blast
+  with assms and that show ?thesis
+    using is_free_at_from_abs by blast
+qed
+
+lemma is_free_at_to_abs:
+  assumes "is_free_at v p B" and "v \<noteq> v'"
+  shows "is_free_at v (\<guillemotleft> # p) (FAbs v' B)"
+unfolding is_free_at_def proof
+  from assms(1) show "occurs_at v (\<guillemotleft> # p) (FAbs v' B)"
+    using surj_pair[of v'] by fastforce
+  from assms show "\<not> in_scope_of_abs v (\<guillemotleft> # p) (FAbs v' B)"
+    unfolding is_free_at_def using in_scope_of_abs_in_abs by presburger
+qed
+
+lemma is_free_at_in_free_vars:
+  assumes "p \<in> positions A" and "is_free_at v p A"
+  shows "v \<in> free_vars A"
+using assms proof (induction A arbitrary: p)
+  case (FApp B C)
+  from \<open>is_free_at v p (B \<sqdot> C)\<close> have "p \<noteq> []"
+    using occurs_at_alt_def(8) by blast
+  then obtain d and p' where "p = d # p'"
+    by (meson list.exhaust)
+  with \<open>p \<in> positions (B \<sqdot> C)\<close>
+  consider (a) "p = \<guillemotleft> # p'" and "p' \<in> positions B" | (b) "p = \<guillemotright> # p'" and "p' \<in> positions C"
+    by force
+  then show ?case
+  proof cases
+    case a
+    from a(1) and \<open>is_free_at v p (B \<sqdot> C)\<close> have "is_free_at v p' B"
+      using is_free_at_in_left_app by blast
+    with a(2) have "v \<in> free_vars B"
+      using FApp.IH(1) by blast
+    then show ?thesis
+      by simp
+  next
+    case b
+    from b(1) and \<open>is_free_at v p (B \<sqdot> C)\<close> have "is_free_at v p' C"
+      using is_free_at_in_right_app by blast
+    with b(2) have "v \<in> free_vars C"
+      using FApp.IH(2) by blast
+    then show ?thesis
+      by simp
+  qed
+next
+  case (FAbs v' B)
+  from \<open>is_free_at v p (FAbs v' B)\<close> have "p \<noteq> []"
+    using occurs_at_alt_def(9) by force
+  with \<open>p \<in> positions (FAbs v' B)\<close> obtain p' where "p = \<guillemotleft> # p'" and "p' \<in> positions B"
+    by (cases "FAbs v' B" rule: positions.cases) fastforce+
+  moreover from \<open>p = \<guillemotleft> # p'\<close> and \<open>is_free_at v p (FAbs v' B)\<close> have "is_free_at v p' B"
+    using is_free_at_from_abs by blast
+  ultimately have "v \<in> free_vars B"
+    using FAbs.IH by simp
+  moreover from \<open>p = \<guillemotleft> # p'\<close> and \<open>is_free_at v p (FAbs v' B)\<close> have "v \<noteq> v'"
+    using in_scope_of_abs_in_abs by blast
+  ultimately show ?case
+    using surj_pair[of v'] by force
+qed fastforce+
+
+lemma free_vars_in_is_free_at:
+  assumes "v \<in> free_vars A"
+  obtains p where "p \<in> positions A" and "is_free_at v p A"
+using assms proof (induction A arbitrary: thesis rule: free_vars_form.induct)
+  case (3 A B)
+  from \<open>v \<in> free_vars (A \<sqdot> B)\<close> consider (a) "v \<in> free_vars A" | (b) "v \<in> free_vars B"
+    by fastforce
+  then show ?case
+  proof cases
+    case a
+    with "3.IH"(1) obtain p where "p \<in> positions A" and "is_free_at v p A"
+      by blast
+    from \<open>p \<in> positions A\<close> have "\<guillemotleft> # p \<in> positions (A \<sqdot> B)"
+      by simp
+    moreover from \<open>is_free_at v p A\<close> have "is_free_at v (\<guillemotleft> # p) (A \<sqdot> B)"
+      using is_free_at_in_left_app by blast
+    ultimately show ?thesis
+      using "3.prems"(1) by presburger
+  next
+    case b
+    with "3.IH"(2) obtain p where "p \<in> positions B" and "is_free_at v p B"
+      by blast
+    from \<open>p \<in> positions B\<close> have "\<guillemotright> # p \<in> positions (A \<sqdot> B)"
+      by simp
+    moreover from \<open>is_free_at v p B\<close> have "is_free_at v (\<guillemotright> # p) (A \<sqdot> B)"
+      using is_free_at_in_right_app by blast
+    ultimately show ?thesis
+      using "3.prems"(1) by presburger
+  qed
+next
+  case (4 x \<alpha> A)
+  from \<open>v \<in> free_vars (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)\<close> have "v \<in> free_vars A - {(x, \<alpha>)}" and "v \<noteq> (x, \<alpha>)"
+    by simp_all
+  then have "v \<in> free_vars A"
+    by blast
+  with "4.IH" obtain p where "p \<in> positions A" and "is_free_at v p A"
+    by blast
+  from \<open>p \<in> positions A\<close> have "\<guillemotleft> # p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+    by simp
+  moreover from \<open>is_free_at v p A\<close> and \<open>v \<noteq> (x, \<alpha>)\<close> have "is_free_at v (\<guillemotleft> # p) (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+    using is_free_at_to_abs by blast
+  ultimately show ?case
+    using "4.prems"(1) by presburger
+qed simp_all
+
+lemma free_vars_alt_def:
+  shows "free_vars A = {v | v p. p \<in> positions A \<and> is_free_at v p A}"
+  using free_vars_in_is_free_at and is_free_at_in_free_vars
+  by (intro subset_antisym subsetI CollectI, metis) blast
+
+text \<open>
+  In the following definition, note that the variable immeditately preceded by \<open>\<lambda>\<close> counts as a bound
+  variable:
+\<close>
+
+definition is_bound :: "var \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_bound v B \<longleftrightarrow> (\<exists>p \<in> positions B. is_bound_at v p B \<or> v \<in> binders_at B p)"
+
+lemma is_bound_in_app_homomorphism:
+  shows "is_bound v (A \<sqdot> B) \<longleftrightarrow> is_bound v A \<or> is_bound v B"
+proof
+  assume "is_bound v (A \<sqdot> B)"
+  then obtain p where "p \<in> positions (A \<sqdot> B)" and "is_bound_at v p (A \<sqdot> B) \<or> v \<in> binders_at (A \<sqdot> B) p"
+    by auto
+  then have "p \<noteq> []"
+    by fastforce
+  with \<open>p \<in> positions (A \<sqdot> B)\<close> obtain p' and d where "p = d # p'"
+    by auto
+  from \<open>is_bound_at v p (A \<sqdot> B) \<or> v \<in> binders_at (A \<sqdot> B) p\<close>
+  consider (a) "is_bound_at v p (A \<sqdot> B)" | (b) "v \<in> binders_at (A \<sqdot> B) p"
+    by blast
+  then show "is_bound v A \<or> is_bound v B"
+  proof cases
+    case a
+    then show ?thesis
+    proof (cases d)
+      case Left
+      then have "p' \<in> positions A"
+        using \<open>p = d # p'\<close> and \<open>p \<in> positions (A \<sqdot> B)\<close> by fastforce
+      moreover from \<open>is_bound_at v p (A \<sqdot> B)\<close> have "occurs_at v p' A"
+        using Left and \<open>p = d # p'\<close> and is_subform_at.simps(2) by force
+      moreover from \<open>is_bound_at v p (A \<sqdot> B)\<close> have "in_scope_of_abs v p' A"
+        using Left and \<open>p = d # p'\<close> by fastforce
+      ultimately show ?thesis
+        by auto
+    next
+      case Right
+      then have "p' \<in> positions B"
+        using \<open>p = d # p'\<close> and \<open>p \<in> positions (A \<sqdot> B)\<close> by fastforce
+      moreover from \<open>is_bound_at v p (A \<sqdot> B)\<close> have "occurs_at v p' B"
+        using Right and \<open>p = d # p'\<close> and is_subform_at.simps(3) by force
+      moreover from \<open>is_bound_at v p (A \<sqdot> B)\<close> have "in_scope_of_abs v p' B"
+        using Right and \<open>p = d # p'\<close> by fastforce
+      ultimately show ?thesis
+        by auto
+    qed
+  next
+    case b
+    then show ?thesis
+    proof (cases d)
+      case Left
+      then have "p' \<in> positions A"
+        using \<open>p = d # p'\<close> and \<open>p \<in> positions (A \<sqdot> B)\<close> by fastforce
+      moreover from \<open>v \<in> binders_at (A \<sqdot> B) p\<close> have "v \<in> binders_at A p'"
+        using Left and \<open>p = d # p'\<close> by force
+      ultimately show ?thesis
+        by auto
+    next
+      case Right
+      then have "p' \<in> positions B"
+        using \<open>p = d # p'\<close> and \<open>p \<in> positions (A \<sqdot> B)\<close> by fastforce
+      moreover from \<open>v \<in> binders_at (A \<sqdot> B) p\<close> have "v \<in> binders_at B p'"
+        using Right and \<open>p = d # p'\<close> by force
+      ultimately show ?thesis
+        by auto
+    qed
+  qed
+next
+  assume "is_bound v A \<or> is_bound v B"
+  then show "is_bound v (A \<sqdot> B)"
+  proof (rule disjE)
+    assume "is_bound v A"
+    then obtain p where "p \<in> positions A" and "is_bound_at v p A \<or> v \<in> binders_at A p"
+      by auto
+    from \<open>p \<in> positions A\<close> have "\<guillemotleft> # p \<in> positions (A \<sqdot> B)"
+      by auto
+    from \<open>is_bound_at v p A \<or> v \<in> binders_at A p\<close>
+    consider (a) "is_bound_at v p A" | (b) "v \<in> binders_at A p"
+      by blast
+    then show "is_bound v (A \<sqdot> B)"
+    proof cases
+      case a
+      then have "occurs_at v (\<guillemotleft> # p) (A \<sqdot> B)"
+        by auto
+      moreover from a have "is_bound_at v (\<guillemotleft> # p) (A \<sqdot> B)"
+        by force
+      ultimately show "is_bound v (A \<sqdot> B)"
+        using \<open>\<guillemotleft> # p \<in> positions (A \<sqdot> B)\<close> by blast
+    next
+      case b
+      then have "v \<in> binders_at (A \<sqdot> B) (\<guillemotleft> # p)"
+        by auto
+      then show "is_bound v (A \<sqdot> B)"
+        using \<open>\<guillemotleft> # p \<in> positions (A \<sqdot> B)\<close> by blast
+    qed
+  next
+    assume "is_bound v B"
+    then obtain p where "p \<in> positions B" and "is_bound_at v p B \<or> v \<in> binders_at B p"
+      by auto
+    from \<open>p \<in> positions B\<close> have "\<guillemotright> # p \<in> positions (A \<sqdot> B)"
+      by auto
+    from \<open>is_bound_at v p B \<or> v \<in> binders_at B p\<close>
+    consider (a) "is_bound_at v p B" | (b) "v \<in> binders_at B p"
+      by blast
+    then show "is_bound v (A \<sqdot> B)"
+    proof cases
+      case a
+      then have "occurs_at v (\<guillemotright> # p) (A \<sqdot> B)"
+        by auto
+      moreover from a have "is_bound_at v (\<guillemotright> # p) (A \<sqdot> B)"
+        by force
+      ultimately show "is_bound v (A \<sqdot> B)"
+        using \<open>\<guillemotright> # p \<in> positions (A \<sqdot> B)\<close> by blast
+    next
+      case b
+      then have "v \<in> binders_at (A \<sqdot> B) (\<guillemotright> # p)"
+        by auto
+      then show "is_bound v (A \<sqdot> B)"
+        using \<open>\<guillemotright> # p \<in> positions (A \<sqdot> B)\<close> by blast
+    qed
+  qed
+qed
+
+lemma is_bound_in_abs_body:
+  assumes "is_bound v A"
+  shows "is_bound v (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+using assms unfolding is_bound_def proof
+  fix p
+  assume "p \<in> positions A" and "is_bound_at v p A \<or> v \<in> binders_at A p"
+  moreover from \<open>p \<in> positions A\<close> have "\<guillemotleft> # p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+    by simp
+  ultimately consider (a) "is_bound_at v p A" | (b) "v \<in> binders_at A p"
+    by blast
+  then show "\<exists>p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. A). is_bound_at v p (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) \<or> v \<in> binders_at (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) p"
+  proof cases
+    case a
+    then have "is_bound_at v (\<guillemotleft> # p) (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+      by force
+    with \<open>\<guillemotleft> # p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)\<close> show ?thesis
+      by blast
+  next
+    case b
+    then have "v \<in> binders_at (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) (\<guillemotleft> # p)"
+      by simp
+    with \<open>\<guillemotleft> # p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)\<close> show ?thesis
+      by blast
+  qed
+qed
+
+lemma absent_var_is_not_bound:
+  assumes "v \<notin> vars A"
+  shows "\<not> is_bound v A"
+  using assms and binders_at_alt_def and in_scope_of_abs_in_vars by blast
+
+lemma bound_vars_alt_def2:
+  shows "bound_vars A = {v \<in> vars A. is_bound v A}"
+  unfolding bound_vars_alt_def using absent_var_is_not_bound by fastforce
+
+definition is_free :: "var \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_free v B \<longleftrightarrow> (\<exists>p \<in> positions B. is_free_at v p B)"
+
+subsection \<open>Free variables for a formula in another formula\<close>
+
+definition is_free_for :: "form \<Rightarrow> var \<Rightarrow> form \<Rightarrow> bool" where
+  [iff]: "is_free_for A v B \<longleftrightarrow>
+    (
+      \<forall>v' \<in> free_vars A.
+        \<forall>p \<in> positions B.
+          is_free_at v p B \<longrightarrow> \<not> in_scope_of_abs v' p B
+    )"
+
+lemma is_free_for_absent_var [intro]:
+  assumes "v \<notin> vars B"
+  shows "is_free_for A v B"
+  using assms and occurs_def and is_free_at_def and occurs_in_vars by blast
+
+lemma is_free_for_in_var [intro]:
+  shows "is_free_for A v (x\<^bsub>\<alpha>\<^esub>)"
+  using subforms_from_var(2) by force
+
+lemma is_free_for_in_con [intro]:
+  shows "is_free_for A v (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>)"
+  using subforms_from_con(2) by force
+
+lemma is_free_for_from_app:
+  assumes "is_free_for A v (B \<sqdot> C)"
+  shows "is_free_for A v B" and "is_free_for A v C"
+proof -
+  {
+    fix v'
+    assume "v' \<in> free_vars A"
+    then have "\<forall>p \<in> positions B. is_free_at v p B \<longrightarrow> \<not> in_scope_of_abs v' p B"
+    proof (intro ballI impI)
+      fix p
+      assume "v' \<in> free_vars A" and "p \<in> positions B" and "is_free_at v p B"
+      from \<open>p \<in> positions B\<close> have "\<guillemotleft> # p \<in> positions (B \<sqdot> C)"
+        by simp
+      moreover from \<open>is_free_at v p B\<close> have "is_free_at v (\<guillemotleft> # p) (B \<sqdot> C)"
+        using is_free_at_in_left_app by blast
+      ultimately have "\<not> in_scope_of_abs v' (\<guillemotleft> # p) (B \<sqdot> C)"
+        using assms and \<open>v' \<in> free_vars A\<close> by blast
+      then show "\<not> in_scope_of_abs v' p B"
+        by simp
+    qed
+  }
+  then show "is_free_for A v B"
+    by force
+next
+  {
+    fix v'
+    assume "v' \<in> free_vars A"
+    then have "\<forall>p \<in> positions C. is_free_at v p C \<longrightarrow> \<not> in_scope_of_abs v' p C"
+    proof (intro ballI impI)
+      fix p
+      assume "v' \<in> free_vars A" and "p \<in> positions C" and "is_free_at v p C"
+      from \<open>p \<in> positions C\<close> have "\<guillemotright> # p \<in> positions (B \<sqdot> C)"
+        by simp
+      moreover from \<open>is_free_at v p C\<close> have "is_free_at v (\<guillemotright> # p) (B \<sqdot> C)"
+        using is_free_at_in_right_app by blast
+      ultimately have "\<not> in_scope_of_abs v' (\<guillemotright> # p) (B \<sqdot> C)"
+        using assms and \<open>v' \<in> free_vars A\<close> by blast
+      then show "\<not> in_scope_of_abs v' p C"
+        by simp
+    qed
+  }
+  then show "is_free_for A v C"
+    by force
+qed
+
+lemma is_free_for_to_app [intro]:
+  assumes "is_free_for A v B" and "is_free_for A v C"
+  shows "is_free_for A v (B \<sqdot> C)"
+unfolding is_free_for_def proof (intro ballI impI)
+  fix v' and p
+  assume "v' \<in> free_vars A" and "p \<in> positions (B \<sqdot> C)" and "is_free_at v p (B \<sqdot> C)"
+  from \<open>is_free_at v p (B \<sqdot> C)\<close> have "p \<noteq> []"
+    using occurs_at_alt_def(8) by force
+  then obtain d and p' where "p = d # p'"
+    by (meson list.exhaust)
+  with \<open>p \<in> positions (B \<sqdot> C)\<close>
+  consider (b) "p = \<guillemotleft> # p'" and "p' \<in> positions B" | (c) "p = \<guillemotright> # p'" and "p' \<in> positions C"
+    by force
+  then show "\<not> in_scope_of_abs v' p (B \<sqdot> C)"
+  proof cases
+    case b
+    from b(1) and \<open>is_free_at v p (B \<sqdot> C)\<close> have "is_free_at v p' B"
+      using is_free_at_in_left_app by blast
+    with assms(1) and \<open>v' \<in> free_vars A\<close> and \<open>p' \<in> positions B\<close> have "\<not> in_scope_of_abs v' p' B"
+      by simp
+    with b(1) show ?thesis
+      using in_scope_of_abs_in_left_app by simp
+  next
+    case c
+    from c(1) and \<open>is_free_at v p (B \<sqdot> C)\<close> have "is_free_at v p' C"
+      using is_free_at_in_right_app by blast
+    with assms(2) and \<open>v' \<in> free_vars A\<close> and \<open>p' \<in> positions C\<close> have "\<not> in_scope_of_abs v' p' C"
+      by simp
+    with c(1) show ?thesis
+      using in_scope_of_abs_in_right_app by simp
+  qed
+qed
+
+lemma is_free_for_in_app:
+  shows "is_free_for A v (B \<sqdot> C) \<longleftrightarrow> is_free_for A v B \<and> is_free_for A v C"
+  using is_free_for_from_app and is_free_for_to_app by iprover
+
+lemma is_free_for_to_abs [intro]:
+  assumes "is_free_for A v B" and "(x, \<alpha>) \<notin> free_vars A"
+  shows "is_free_for A v (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+unfolding is_free_for_def proof (intro ballI impI)
+  fix v' and p
+  assume "v' \<in> free_vars A" and "p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)" and "is_free_at v p (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+  from \<open>is_free_at v p (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)\<close> have "p \<noteq> []"
+    using occurs_at_alt_def(9) by force
+  with \<open>p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)\<close> obtain p' where "p = \<guillemotleft> # p'" and "p' \<in> positions B"
+    by force
+  then show "\<not> in_scope_of_abs v' p (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+  proof -
+    from \<open>p = \<guillemotleft> # p'\<close> and \<open>is_free_at v p (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)\<close> have "is_free_at v p' B"
+      using is_free_at_from_abs by blast
+    with assms(1) and \<open>v' \<in> free_vars A\<close> and \<open>p' \<in> positions B\<close> have "\<not> in_scope_of_abs v' p' B"
+      by force
+    moreover from \<open>v' \<in> free_vars A\<close> and assms(2) have "v' \<noteq> (x, \<alpha>)"
+      by blast
+    ultimately show ?thesis
+      using \<open>p = \<guillemotleft> # p'\<close> and in_scope_of_abs_in_abs by auto
+  qed
+qed
+
+lemma is_free_for_from_abs:
+  assumes "is_free_for A v (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)" and "v \<noteq> (x, \<alpha>)"
+  shows "is_free_for A v B"
+unfolding is_free_for_def proof (intro ballI impI)
+  fix v' and p
+  assume "v' \<in> free_vars A" and "p \<in> positions B" and "is_free_at v p B"
+  then show "\<not> in_scope_of_abs v' p B"
+  proof -
+    from \<open>is_free_at v p B\<close> and assms(2) have "is_free_at v (\<guillemotleft> # p) (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+      by (rule is_free_at_to_abs)
+    moreover from \<open>p \<in> positions B\<close> have "\<guillemotleft> # p \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+      by simp
+    ultimately have "\<not> in_scope_of_abs v' (\<guillemotleft> # p) (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+      using assms and \<open>v' \<in> free_vars A\<close> by blast
+    then show ?thesis
+      using in_scope_of_abs_in_abs by blast
+  qed
+qed
+
+lemma closed_is_free_for [intro]:
+  assumes "free_vars A = {}"
+  shows "is_free_for A v B"
+  using assms by force
+
+lemma is_free_for_closed_form [intro]:
+  assumes "free_vars B = {}"
+  shows "is_free_for A v B"
+  using assms and is_free_at_in_free_vars by blast
+
+lemma is_free_for_alt_def:
+  shows "
+    is_free_for A v B
+    \<longleftrightarrow>
+    (
+      \<nexists>p.
+      (
+        p \<in> positions B \<and> is_free_at v p B \<and> p \<noteq> [] \<and>
+        (\<exists>v' \<in> free_vars A. \<exists>p' C. strict_prefix p' p \<and> FAbs v' C \<preceq>\<^bsub>p'\<^esub> B)
+      )
+    )"
+  unfolding is_free_for_def
+  using in_scope_of_abs_alt_def and is_subform_implies_in_positions
+  by meson
+
+lemma binding_var_not_free_for_in_abs:
+  assumes "is_free x B" and "x \<noteq> w"
+  shows "\<not> is_free_for (FVar w) x (FAbs w B)"
+proof (rule ccontr)
+  assume "\<not> \<not> is_free_for (FVar w) x (FAbs w B)"
+  then have "
+    \<forall>v' \<in> free_vars (FVar w). \<forall>p \<in> positions (FAbs w B). is_free_at x p (FAbs w B)
+      \<longrightarrow> \<not> in_scope_of_abs v' p (FAbs w B)"
+    by force
+  moreover have "free_vars (FVar w) = {w}"
+    using surj_pair[of w] by force
+  ultimately have "
+    \<forall>p \<in> positions (FAbs w B). is_free_at x p (FAbs w B) \<longrightarrow> \<not> in_scope_of_abs w p (FAbs w B)"
+    by blast
+  moreover from assms(1) obtain p where "is_free_at x p B"
+    by fastforce
+  from this and assms(2) have "is_free_at x (\<guillemotleft> # p) (FAbs w B)"
+    by (rule is_free_at_to_abs)
+  moreover from this have "\<guillemotleft> # p \<in> positions (FAbs w B)"
+    using is_subform_implies_in_positions by force
+  ultimately have "\<not> in_scope_of_abs w (\<guillemotleft> # p) (FAbs w B)"
+    by blast
+  moreover have "in_scope_of_abs w (\<guillemotleft> # p) (FAbs w B)"
+    using in_scope_of_abs_in_abs by blast
+  ultimately show False
+    by contradiction
+qed
+
+lemma absent_var_is_free_for [intro]:
+  assumes "x \<notin> vars A"
+  shows "is_free_for (FVar x) y A"
+  using in_scope_of_abs_in_vars and assms and surj_pair[of x] by fastforce
+
+lemma form_is_free_for_absent_var [intro]:
+  assumes "x \<notin> vars A"
+  shows "is_free_for B x A"
+  using assms and occurs_in_vars by fastforce
+
+lemma form_with_free_binder_not_free_for:
+  assumes "v \<noteq> v'" and "v' \<in> free_vars A" and "v \<in> free_vars B"
+  shows "\<not> is_free_for A v (FAbs v' B)"
+proof -
+  from assms(3) obtain p where "p \<in> positions B" and "is_free_at v p B"
+    using free_vars_in_is_free_at by blast
+  then have "\<guillemotleft> # p \<in> positions (FAbs v' B)" and "is_free_at v (\<guillemotleft> # p) (FAbs v' B)"
+    using surj_pair[of v'] and is_free_at_to_abs[OF \<open>is_free_at v p B\<close> assms(1)] by force+
+  moreover have "in_scope_of_abs v' (\<guillemotleft> # p) (FAbs v' B)"
+    using in_scope_of_abs_in_abs by blast
+  ultimately show ?thesis
+    using assms(2) by blast
+qed
+
+subsection \<open>Replacement of subformulas\<close>
+
+inductive
+  is_replacement_at :: "form \<Rightarrow> position \<Rightarrow> form \<Rightarrow> form \<Rightarrow> bool"
+  ("(4_\<lblot>_ \<leftarrow> _\<rblot> \<rhd> _)" [1000, 0, 0, 0] 900)
+where
+  pos_found: "A\<lblot>p \<leftarrow> C\<rblot> \<rhd> C'" if "p = []" and "C = C'"
+| replace_left_app: "(G \<sqdot> H)\<lblot>\<guillemotleft> # p \<leftarrow> C\<rblot> \<rhd> (G' \<sqdot> H)" if "p \<in> positions G" and "G\<lblot>p \<leftarrow> C\<rblot> \<rhd> G'"
+| replace_right_app: "(G \<sqdot> H)\<lblot>\<guillemotright> # p \<leftarrow> C\<rblot> \<rhd> (G \<sqdot> H')" if "p \<in> positions H" and "H\<lblot>p \<leftarrow> C\<rblot> \<rhd> H'"
+| replace_abs: "(\<lambda>x\<^bsub>\<gamma>\<^esub>. E)\<lblot>\<guillemotleft> # p \<leftarrow> C\<rblot> \<rhd> (\<lambda>x\<^bsub>\<gamma>\<^esub>. E')" if "p \<in> positions E" and "E\<lblot>p \<leftarrow> C\<rblot> \<rhd> E'"
+
+lemma is_replacement_at_implies_in_positions:
+  assumes "C\<lblot>p \<leftarrow> A\<rblot> \<rhd> D"
+  shows "p \<in> positions C"
+  using assms by (induction rule: is_replacement_at.induct) auto
+
+declare is_replacement_at.intros [intro!]
+
+lemma is_replacement_at_existence:
+  assumes "p \<in> positions C"
+  obtains D where "C\<lblot>p \<leftarrow> A\<rblot> \<rhd> D"
+using assms proof (induction C arbitrary: p thesis)
+  case (FApp C\<^sub>1 C\<^sub>2)
+  from FApp.prems(2) consider
+    (a) "p = []"
+  | (b) "\<exists>p'. p = \<guillemotleft> # p' \<and> p' \<in> positions C\<^sub>1"
+  | (c) "\<exists>p'. p = \<guillemotright> # p' \<and> p' \<in> positions C\<^sub>2"
+    by fastforce
+  then show ?case
+  proof cases
+    case a
+    with FApp.prems(1) show ?thesis
+      by blast
+  next
+    case b
+    with FApp.prems(1) show ?thesis
+      using FApp.IH(1) and replace_left_app by meson
+  next
+    case c
+    with FApp.prems(1) show ?thesis
+      using FApp.IH(2) and replace_right_app by meson
+  qed
+next
+  case (FAbs v C')
+  from FAbs.prems(2) consider (a) "p = []" | (b) "\<exists>p'. p = \<guillemotleft> # p' \<and> p' \<in> positions C'"
+    using surj_pair[of v] by fastforce
+  then show ?case
+  proof cases
+    case a
+    with FAbs.prems(1) show ?thesis
+      by blast
+  next
+    case b
+    with FAbs.prems(1,2) show ?thesis
+      using FAbs.IH and surj_pair[of v] by blast
+  qed
+qed force+
+
+lemma is_replacement_at_minimal_change:
+  assumes "C\<lblot>p \<leftarrow> A\<rblot> \<rhd> D"
+  shows "A \<preceq>\<^bsub>p\<^esub> D"
+  and "\<forall>p' \<in> positions D. \<not> prefix p' p \<and> \<not> prefix p p' \<longrightarrow> subform_at D p' = subform_at C p'"
+  using assms by (induction rule: is_replacement_at.induct) auto
+
+lemma is_replacement_at_binders:
+  assumes "C\<lblot>p \<leftarrow> A\<rblot> \<rhd> D"
+  shows "binders_at D p = binders_at C p"
+  using assms by (induction rule: is_replacement_at.induct) simp_all
+
+lemma is_replacement_at_occurs:
+  assumes "C\<lblot>p \<leftarrow> A\<rblot> \<rhd> D"
+  and "\<not> prefix p' p" and "\<not> prefix p p'"
+  shows "occurs_at v p' C \<longleftrightarrow> occurs_at v p' D"
+using assms proof (induction arbitrary: p' rule: is_replacement_at.induct)
+  case pos_found
+  then show ?case
+    by simp
+next
+  case replace_left_app
+  then show ?case
+  proof (cases p')
+    case (Cons d p'')
+    with replace_left_app.prems(1,2) show ?thesis
+      by (cases d) (use replace_left_app.IH in force)+
+  qed force
+next
+  case replace_right_app
+  then show ?case
+  proof (cases p')
+    case (Cons d p'')
+    with replace_right_app.prems(1,2) show ?thesis
+      by (cases d) (use replace_right_app.IH in force)+
+  qed force
+next
+  case replace_abs
+  then show ?case
+  proof (cases p')
+    case (Cons d p'')
+    with replace_abs.prems(1,2) show ?thesis
+      by (cases d) (use replace_abs.IH in force)+
+  qed force
+qed
+
+lemma fresh_var_replacement_position_uniqueness:
+  assumes "v \<notin> vars C"
+  and "C\<lblot>p \<leftarrow> FVar v\<rblot> \<rhd> G"
+  and "occurs_at v p' G"
+  shows "p' = p"
+proof (rule ccontr)
+  assume "p' \<noteq> p"
+  from assms(2) have "occurs_at v p G"
+    by (simp add: is_replacement_at_minimal_change(1))
+  moreover have *: "occurs_at v p' C \<longleftrightarrow> occurs_at v p' G" if "\<not> prefix p' p" and "\<not> prefix p p'"
+    using assms(2) and that and is_replacement_at_occurs by blast
+  ultimately show False
+  proof (cases "\<not> prefix p' p \<and> \<not> prefix p p'")
+    case True
+    with assms(3) and * have "occurs_at v p' C"
+      by simp
+    then have "v \<in> vars C"
+      using is_subform_implies_in_positions and occurs_in_vars by fastforce
+    with assms(1) show ?thesis
+      by contradiction
+  next
+    case False
+    have "FVar v \<preceq>\<^bsub>p\<^esub> G"
+      by (fact is_replacement_at_minimal_change(1)[OF assms(2)])
+    moreover from assms(3) have "FVar v \<preceq>\<^bsub>p'\<^esub> G"
+      by simp
+    ultimately show ?thesis
+      using \<open>p' \<noteq> p\<close> and False and loop_subform_impossibility
+      by (blast dest: prefix_order.antisym_conv2)
+  qed
+qed
+
+lemma is_replacement_at_new_positions:
+  assumes "C\<lblot>p \<leftarrow> A\<rblot> \<rhd> D" and "prefix p p'" and "p' \<in> positions D"
+  obtains p'' where "p' = p @ p''" and "p'' \<in> positions A"
+  using assms by (induction arbitrary: thesis p' rule: is_replacement_at.induct, auto) blast+
+
+lemma replacement_override:
+  assumes "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D" and "C\<lblot>p \<leftarrow> A\<rblot> \<rhd> F"
+  shows "D\<lblot>p \<leftarrow> A\<rblot> \<rhd> F"
+using assms proof (induction arbitrary: F rule: is_replacement_at.induct)
+  case pos_found
+  from pos_found.hyps(1) and pos_found.prems have "A = F"
+    using is_replacement_at.simps by blast
+  with pos_found.hyps(1) show ?case
+    by blast
+next
+  case (replace_left_app p G C G' H)
+  have "p \<in> positions G'"
+    by (
+        fact is_subform_implies_in_positions
+          [OF is_replacement_at_minimal_change(1)[OF replace_left_app.hyps(2)]]
+       )
+  from replace_left_app.prems obtain F' where "F = F' \<sqdot> H" and "G\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'"
+    by (fastforce elim: is_replacement_at.cases)
+  from \<open>G\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'\<close> have "G'\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'"
+    by (fact replace_left_app.IH)
+  with \<open>p \<in> positions G'\<close> show ?case
+    unfolding \<open>F = F' \<sqdot> H\<close> by blast
+next
+  case (replace_right_app p H C H' G)
+  have "p \<in> positions H'"
+    by
+      (
+        fact is_subform_implies_in_positions
+          [OF is_replacement_at_minimal_change(1)[OF replace_right_app.hyps(2)]]
+      )
+  from replace_right_app.prems obtain F' where "F = G \<sqdot> F'" and "H\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'"
+    by (fastforce elim: is_replacement_at.cases)
+  from \<open>H\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'\<close> have "H'\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'"
+    by (fact replace_right_app.IH)
+  with \<open>p \<in> positions H'\<close> show ?case
+    unfolding \<open>F = G \<sqdot> F'\<close> by blast
+next
+  case (replace_abs p E C E' x \<gamma>)
+  have "p \<in> positions E'"
+    by
+      (
+        fact is_subform_implies_in_positions
+          [OF is_replacement_at_minimal_change(1)[OF replace_abs.hyps(2)]]
+      )
+  from replace_abs.prems obtain F' where "F = \<lambda>x\<^bsub>\<gamma>\<^esub>. F'" and "E\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'"
+    by (fastforce elim: is_replacement_at.cases)
+  from \<open>E\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'\<close> have "E'\<lblot>p \<leftarrow> A\<rblot> \<rhd> F'"
+    by (fact replace_abs.IH)
+  with \<open>p \<in> positions E'\<close> show ?case
+    unfolding \<open>F = \<lambda>x\<^bsub>\<gamma>\<^esub>. F'\<close> by blast
+qed
+
+lemma leftmost_subform_in_generalized_app_replacement:
+  shows "(\<sqdot>\<^sup>\<Q>\<^sub>\<star> C As)\<lblot>replicate (length As) \<guillemotleft> \<leftarrow> D\<rblot> \<rhd> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> D As)"
+  using is_replacement_at_implies_in_positions and replace_left_app
+  by (induction As arbitrary: D rule: rev_induct) auto
+
+subsection \<open>Logical constants\<close>
+
+abbreviation (input) \<xx> where "\<xx> \<equiv> 0"
+abbreviation (input) \<yy> where "\<yy> \<equiv> Suc \<xx>"
+abbreviation (input) \<zz> where "\<zz> \<equiv> Suc \<yy>"
+abbreviation (input) \<ff> where "\<ff> \<equiv> Suc \<zz>"
+abbreviation (input) \<gg> where "\<gg> \<equiv> Suc \<ff>"
+abbreviation (input) \<hh> where "\<hh> \<equiv> Suc \<gg>"
+abbreviation (input) \<cc> where "\<cc> \<equiv> Suc \<hh>"
+abbreviation (input) \<cc>\<^sub>Q where "\<cc>\<^sub>Q \<equiv> Suc \<cc>"
+abbreviation (input) \<cc>\<^sub>\<iota> where "\<cc>\<^sub>\<iota> \<equiv> Suc \<cc>\<^sub>Q"
+
+definition Q_constant_of_type :: "type \<Rightarrow> con" where
+  [simp]: "Q_constant_of_type \<alpha> = (\<cc>\<^sub>Q, \<alpha>\<rightarrow>\<alpha>\<rightarrow>o)"
+
+definition iota_constant :: con where
+  [simp]: "iota_constant \<equiv> (\<cc>\<^sub>\<iota>, (i\<rightarrow>o)\<rightarrow>i)"
+
+definition Q :: "type \<Rightarrow> form" ("Q\<^bsub>_\<^esub>") where
+  [simp]: "Q\<^bsub>\<alpha>\<^esub> = FCon (Q_constant_of_type \<alpha>)"
+
+definition iota :: form ("\<iota>") where
+  [simp]: "\<iota> = FCon iota_constant"
+
+definition is_Q_constant_of_type :: "con \<Rightarrow> type \<Rightarrow> bool" where
+  [iff]: "is_Q_constant_of_type p \<alpha> \<longleftrightarrow> p = Q_constant_of_type \<alpha>"
+
+definition is_iota_constant :: "con \<Rightarrow> bool" where
+  [iff]: "is_iota_constant p \<longleftrightarrow> p = iota_constant"
+
+definition is_logical_constant :: "con \<Rightarrow> bool" where
+  [iff]: "is_logical_constant p \<longleftrightarrow> (\<exists>\<beta>. is_Q_constant_of_type p \<beta>) \<or> is_iota_constant p"
+
+definition type_of_Q_constant :: "con \<Rightarrow> type" where
+  [simp]: "type_of_Q_constant p = (THE \<alpha>. is_Q_constant_of_type p \<alpha>)"
+
+lemma constant_cases[case_names non_logical Q_constant \<iota>_constant, cases type: con]:
+  assumes "\<not> is_logical_constant p \<Longrightarrow> P"
+  and "\<And>\<beta>. is_Q_constant_of_type p \<beta> \<Longrightarrow> P"
+  and "is_iota_constant p \<Longrightarrow> P"
+  shows "P"
+  using assms by blast
+
+subsection \<open>Definitions and abbreviations\<close>
+
+definition equality_of_type :: "form \<Rightarrow> type \<Rightarrow> form \<Rightarrow> form" ("(_ =\<^bsub>_\<^esub>/ _)" [103, 0, 103] 102) where
+  [simp]: "A =\<^bsub>\<alpha>\<^esub> B = Q\<^bsub>\<alpha>\<^esub> \<sqdot> A \<sqdot> B"
+
+definition equivalence :: "form \<Rightarrow> form \<Rightarrow> form" (infixl "\<equiv>\<^sup>\<Q>" 102) where
+  [simp]: "A \<equiv>\<^sup>\<Q> B = A =\<^bsub>o\<^esub> B" \<comment> \<open>more modular than the definition in @{cite "andrews:2002"}\<close>
+
+definition true :: form ("T\<^bsub>o\<^esub>") where
+  [simp]: "T\<^bsub>o\<^esub> = Q\<^bsub>o\<^esub> =\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> Q\<^bsub>o\<^esub>"
+
+definition false :: form ("F\<^bsub>o\<^esub>") where
+  [simp]: "F\<^bsub>o\<^esub> = \<lambda>\<xx>\<^bsub>o\<^esub>. T\<^bsub>o\<^esub> =\<^bsub>o\<rightarrow>o\<^esub> \<lambda>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>"
+
+definition PI :: "type \<Rightarrow> form" ("\<Prod>\<^bsub>_\<^esub>") where
+  [simp]: "\<Prod>\<^bsub>\<alpha>\<^esub> = Q\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<sqdot> (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>)"
+
+definition forall :: "nat \<Rightarrow> type \<Rightarrow> form \<Rightarrow> form" ("(4\<forall>_\<^bsub>_\<^esub>./ _)" [0, 0, 141] 141) where
+  [simp]: "\<forall>x\<^bsub>\<alpha>\<^esub>. A = \<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)"
+
+text \<open>Generalized universal quantification. We define \<open>\<forall>\<^sup>\<Q>\<^sub>\<star> [x\<^sub>1, \<dots>, x\<^sub>n] A\<close> as \<open>\<forall>x\<^sub>1. \<cdots> \<forall>x\<^sub>n. A\<close>:\<close>
+
+definition generalized_forall :: "var list \<Rightarrow> form \<Rightarrow> form" ("\<forall>\<^sup>\<Q>\<^sub>\<star> _ _" [141, 141] 141) where
+  [simp]: "\<forall>\<^sup>\<Q>\<^sub>\<star> vs A = foldr (\<lambda>(x, \<alpha>) B. \<forall>x\<^bsub>\<alpha>\<^esub>. B) vs A"
+
+lemma innermost_subform_in_generalized_forall:
+  assumes "vs \<noteq> []"
+  shows "A \<preceq>\<^bsub>foldr (\<lambda>_ p. [\<guillemotright>,\<guillemotleft>] @ p) vs []\<^esub> \<forall>\<^sup>\<Q>\<^sub>\<star> vs A"
+  using assms by (induction vs) fastforce+
+
+lemma innermost_replacement_in_generalized_forall:
+  assumes "vs \<noteq> []"
+  shows "(\<forall>\<^sup>\<Q>\<^sub>\<star> vs C)\<lblot>foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs [] \<leftarrow> B\<rblot> \<rhd> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+using assms proof (induction vs)
+  case Nil
+  then show ?case
+    by blast
+next
+  case (Cons v vs)
+  obtain x and \<alpha> where "v = (x, \<alpha>)"
+    by fastforce
+  then show ?case
+  proof (cases "vs = []")
+    case True
+    with \<open>v = (x, \<alpha>)\<close> show ?thesis
+      unfolding True by force
+  next
+    case False
+    then have "foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs [] \<in> positions (\<forall>\<^sup>\<Q>\<^sub>\<star> vs C)"
+      using innermost_subform_in_generalized_forall and is_subform_implies_in_positions by blast
+    moreover from False have "(\<forall>\<^sup>\<Q>\<^sub>\<star> vs C)\<lblot>foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs [] \<leftarrow> B\<rblot> \<rhd> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+      by (fact Cons.IH)
+    ultimately have "(\<lambda>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs C)\<lblot>\<guillemotleft> # foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs [] \<leftarrow> B\<rblot> \<rhd> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+      by (rule replace_abs)
+    moreover have "\<guillemotleft> # foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs [] \<in> positions (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs C)"
+      using \<open>foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs [] \<in> positions (\<forall>\<^sup>\<Q>\<^sub>\<star> vs C)\<close> by simp
+    ultimately have "
+      (\<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs C))\<lblot>\<guillemotright> # \<guillemotleft> # foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs [] \<leftarrow> B\<rblot> \<rhd> (\<Prod>\<^bsub>\<alpha>\<^esub> \<sqdot> (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs B))"
+      by blast
+    then have "(\<forall>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs C)\<lblot>[\<guillemotright>,\<guillemotleft>] @ foldr (\<lambda>_. (@) [\<guillemotright>,\<guillemotleft>]) vs [] \<leftarrow> B\<rblot> \<rhd> (\<forall>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+      by simp
+    then show ?thesis
+      unfolding \<open>v = (x, \<alpha>)\<close> and generalized_forall_def and foldr.simps(2) and o_apply
+      and case_prod_conv .
+  qed
+qed
+
+lemma false_is_forall:
+  shows "F\<^bsub>o\<^esub> = \<forall>\<xx>\<^bsub>o\<^esub>. \<xx>\<^bsub>o\<^esub>"
+  unfolding false_def and forall_def and PI_def and equality_of_type_def ..
+
+definition conj_fun :: form ("\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>") where
+  [simp]: "\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> =
+    \<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>.
+    (
+      (\<lambda>\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> T\<^bsub>o\<^esub> \<sqdot> T\<^bsub>o\<^esub>) =\<^bsub>(o\<rightarrow>o\<rightarrow>o)\<rightarrow>o\<^esub> (\<lambda>\<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>. \<gg>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> \<xx>\<^bsub>o\<^esub> \<sqdot> \<yy>\<^bsub>o\<^esub>)
+    )"
+
+definition conj_op :: "form \<Rightarrow> form \<Rightarrow> form" (infixl "\<and>\<^sup>\<Q>" 131) where
+  [simp]: "A \<and>\<^sup>\<Q> B = \<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B"
+
+text \<open>Generalized conjunction. We define \<open>\<and>\<^sup>\<Q>\<^sub>\<star> [A\<^sub>1, \<dots>, A\<^sub>n]\<close> as \<open>A\<^sub>1 \<and>\<^sup>\<Q> (\<cdots> \<and>\<^sup>\<Q> (A\<^sub>n\<^sub>-\<^sub>1 \<and>\<^sup>\<Q> A\<^sub>n) \<cdots>)\<close>:\<close>
+
+definition generalized_conj_op :: "form list \<Rightarrow> form" ("\<and>\<^sup>\<Q>\<^sub>\<star> _" [0] 131) where
+  [simp]: "\<and>\<^sup>\<Q>\<^sub>\<star> As = foldr1 (\<and>\<^sup>\<Q>) As"
+
+definition imp_fun :: form ("\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>") where \<comment> \<open>\<open>\<equiv>\<close> used instead of \<open>=\<close>, see @{cite "andrews:2002"}\<close>
+  [simp]: "\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> = \<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. (\<xx>\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+
+definition imp_op :: "form \<Rightarrow> form \<Rightarrow> form" (infixl "\<supset>\<^sup>\<Q>" 111) where
+  [simp]: "A \<supset>\<^sup>\<Q> B = \<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B"
+
+text \<open>Generalized implication. We define \<open>[A\<^sub>1, \<dots>, A\<^sub>n] \<supset>\<^sup>\<Q>\<^sub>\<star> B\<close> as \<open>A\<^sub>1 \<supset>\<^sup>\<Q> (\<cdots> \<supset>\<^sup>\<Q> (A\<^sub>n \<supset>\<^sup>\<Q> B) \<cdots>)\<close>:\<close>
+
+definition generalized_imp_op :: "form list \<Rightarrow> form \<Rightarrow> form" (infixl "\<supset>\<^sup>\<Q>\<^sub>\<star>" 111) where
+  [simp]: "As \<supset>\<^sup>\<Q>\<^sub>\<star> B = foldr (\<supset>\<^sup>\<Q>) As B"
+
+text \<open>
+  Given the definition below, it is interesting to note that \<open>\<sim>\<^sup>\<Q> A\<close> and \<open>F\<^bsub>o\<^esub> \<equiv>\<^sup>\<Q> A\<close> are exactly the
+  same formula, namely \<open>Q\<^bsub>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> \<sqdot> A\<close>:
+\<close>
+
+definition neg :: "form \<Rightarrow> form" ("\<sim>\<^sup>\<Q> _" [141] 141) where
+  [simp]: "\<sim>\<^sup>\<Q> A = Q\<^bsub>o\<^esub> \<sqdot> F\<^bsub>o\<^esub> \<sqdot> A"
+
+definition disj_fun :: form ("\<or>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>") where
+  [simp]: "\<or>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> = \<lambda>\<xx>\<^bsub>o\<^esub>. \<lambda>\<yy>\<^bsub>o\<^esub>. \<sim>\<^sup>\<Q> (\<sim>\<^sup>\<Q> \<xx>\<^bsub>o\<^esub> \<and>\<^sup>\<Q> \<sim>\<^sup>\<Q> \<yy>\<^bsub>o\<^esub>)"
+
+definition disj_op :: "form \<Rightarrow> form \<Rightarrow> form" (infixl "\<or>\<^sup>\<Q>" 126) where
+  [simp]: "A \<or>\<^sup>\<Q> B = \<or>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B"
+
+definition exists :: "nat \<Rightarrow> type \<Rightarrow> form \<Rightarrow> form" ("(4\<exists>_\<^bsub>_\<^esub>./ _)" [0, 0, 141] 141) where
+  [simp]: "\<exists>x\<^bsub>\<alpha>\<^esub>. A = \<sim>\<^sup>\<Q> (\<forall>x\<^bsub>\<alpha>\<^esub>. \<sim>\<^sup>\<Q> A)"
+
+lemma exists_fv:
+  shows "free_vars (\<exists>x\<^bsub>\<alpha>\<^esub>. A) = free_vars A - {(x, \<alpha>)}"
+  by simp
+
+definition inequality_of_type :: "form \<Rightarrow> type \<Rightarrow> form \<Rightarrow> form" ("(_ \<noteq>\<^bsub>_\<^esub>/ _)" [103, 0, 103] 102) where
+  [simp]: "A \<noteq>\<^bsub>\<alpha>\<^esub> B = \<sim>\<^sup>\<Q> (A =\<^bsub>\<alpha>\<^esub> B)"
+
+subsection \<open>Well-formed formulas\<close>
+
+inductive is_wff_of_type :: "type \<Rightarrow> form \<Rightarrow> bool" where
+  var_is_wff: "is_wff_of_type \<alpha> (x\<^bsub>\<alpha>\<^esub>)"
+| con_is_wff: "is_wff_of_type \<alpha> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>)"
+| app_is_wff: "is_wff_of_type \<beta> (A \<sqdot> B)" if "is_wff_of_type (\<alpha>\<rightarrow>\<beta>) A" and "is_wff_of_type \<alpha> B"
+| abs_is_wff: "is_wff_of_type (\<alpha>\<rightarrow>\<beta>) (\<lambda>x\<^bsub>\<alpha>\<^esub>. A)" if "is_wff_of_type \<beta> A"
+
+definition wffs_of_type :: "type \<Rightarrow> form set" ("wffs\<^bsub>_\<^esub>" [0]) where
+  "wffs\<^bsub>\<alpha>\<^esub> = {f :: form. is_wff_of_type \<alpha> f}"
+
+abbreviation wffs :: "form set" where
+  "wffs \<equiv> \<Union>\<alpha>. wffs\<^bsub>\<alpha>\<^esub>"
+
+lemma is_wff_of_type_wffs_of_type_eq [pred_set_conv]:
+  shows "is_wff_of_type \<alpha> = (\<lambda>f. f \<in> wffs\<^bsub>\<alpha>\<^esub>)"
+  unfolding wffs_of_type_def by simp
+
+lemmas wffs_of_type_intros [intro!] = is_wff_of_type.intros[to_set]
+lemmas wffs_of_type_induct [consumes 1, induct set: wffs_of_type] = is_wff_of_type.induct[to_set]
+lemmas wffs_of_type_cases [consumes 1, cases set: wffs_of_type] = is_wff_of_type.cases[to_set]
+lemmas wffs_of_type_simps = is_wff_of_type.simps[to_set]
+
+lemma generalized_app_wff [intro]:
+  assumes "length As = length ts"
+  and "\<forall>k < length As. As ! k \<in> wffs\<^bsub>ts ! k\<^esub>"
+  and "B \<in> wffs\<^bsub>foldr (\<rightarrow>) ts \<beta>\<^esub>"
+  shows "\<sqdot>\<^sup>\<Q>\<^sub>\<star> B As \<in> wffs\<^bsub>\<beta>\<^esub>"
+using assms proof (induction As ts arbitrary: B rule: list_induct2)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (Cons A As t ts)
+  from Cons.prems(1) have "A \<in> wffs\<^bsub>t\<^esub>"
+    by fastforce
+  moreover from Cons.prems(2) have "B \<in> wffs\<^bsub>t\<rightarrow>foldr (\<rightarrow>) ts \<beta>\<^esub>"
+    by auto
+  ultimately have "B \<sqdot> A \<in> wffs\<^bsub>foldr (\<rightarrow>) ts \<beta>\<^esub>"
+    by blast
+  moreover have "\<forall>k < length As. (A # As) ! (Suc k) = As ! k \<and> (t # ts) ! (Suc k) = ts ! k"
+    by force
+  with Cons.prems(1) have "\<forall>k < length As. As ! k \<in> wffs\<^bsub>ts ! k\<^esub>"
+    by fastforce
+  ultimately have "\<sqdot>\<^sup>\<Q>\<^sub>\<star> (B \<sqdot> A) As \<in> wffs\<^bsub>\<beta>\<^esub>"
+    using Cons.IH by (simp only:)
+  moreover have "\<sqdot>\<^sup>\<Q>\<^sub>\<star> B (A # As) = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (B \<sqdot> A) As"
+    by simp
+  ultimately show ?case
+    by (simp only:)
+qed
+
+lemma generalized_abs_wff [intro]:
+  assumes "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  shows "\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B \<in> wffs\<^bsub>foldr (\<rightarrow>) (map snd vs) \<beta>\<^esub>"
+using assms proof (induction vs)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (Cons v vs)
+  let ?\<delta> = "foldr (\<rightarrow>) (map snd vs) \<beta>"
+  obtain x and \<alpha> where "v = (x, \<alpha>)"
+    by fastforce
+  then have "FVar v \<in> wffs\<^bsub>\<alpha>\<^esub>"
+    by auto
+  from Cons.prems have "\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B \<in> wffs\<^bsub>?\<delta>\<^esub>"
+    by (fact Cons.IH)
+  with \<open>v = (x, \<alpha>)\<close> have "FAbs v (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B) \<in> wffs\<^bsub>\<alpha>\<rightarrow>?\<delta>\<^esub>"
+    by blast
+  moreover from \<open>v = (x, \<alpha>)\<close> have "foldr (\<rightarrow>) (map snd (v # vs)) \<beta> = \<alpha>\<rightarrow>?\<delta>"
+    by simp
+  moreover have "\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) B = FAbs v (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs B)"
+    by simp
+  ultimately show ?case by (simp only:)
+qed
+
+lemma Q_wff [intro]:
+  shows "Q\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<alpha>\<rightarrow>o\<^esub>"
+  by auto
+
+lemma iota_wff [intro]:
+  shows "\<iota> \<in> wffs\<^bsub>(i\<rightarrow>o)\<rightarrow>i\<^esub>"
+  by auto
+
+lemma equality_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "A =\<^bsub>\<alpha>\<^esub> B \<in> wffs\<^bsub>o\<^esub>"
+  using assms by auto
+
+lemma equivalence_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<equiv>\<^sup>\<Q> B \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding equivalence_def by blast
+
+lemma true_wff [intro]:
+  shows "T\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+  by force
+
+lemma false_wff [intro]:
+  shows "F\<^bsub>o\<^esub> \<in> wffs\<^bsub>o\<^esub>"
+  by auto
+
+lemma pi_wff [intro]:
+  shows "\<Prod>\<^bsub>\<alpha>\<^esub> \<in> wffs\<^bsub>(\<alpha>\<rightarrow>o)\<rightarrow>o\<^esub>"
+  using PI_def by fastforce
+
+lemma forall_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<forall>x\<^bsub>\<alpha>\<^esub>. A \<in> wffs\<^bsub>o\<^esub>"
+  using assms and pi_wff unfolding forall_def by blast
+
+lemma generalized_forall_wff [intro]:
+  assumes "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<forall>\<^sup>\<Q>\<^sub>\<star> vs B \<in> wffs\<^bsub>o\<^esub>"
+using assms proof (induction vs)
+  case (Cons v vs)
+  then show ?case
+    using surj_pair[of v] by force
+qed simp
+
+lemma conj_fun_wff [intro]:
+  shows "\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>"
+  by auto
+
+lemma conj_op_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<and>\<^sup>\<Q> B \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding conj_op_def by blast
+
+lemma imp_fun_wff [intro]:
+  shows "\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>"
+  by auto
+
+lemma imp_op_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<supset>\<^sup>\<Q> B \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding imp_op_def by blast
+
+lemma neg_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows " \<sim>\<^sup>\<Q> A \<in> wffs\<^bsub>o\<^esub>"
+  using assms by fastforce
+
+lemma disj_fun_wff [intro]:
+  shows "\<or>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<in> wffs\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>"
+  by auto
+
+lemma disj_op_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<or>\<^sup>\<Q> B \<in> wffs\<^bsub>o\<^esub>"
+  using assms by auto
+
+lemma exists_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  shows "\<exists>x\<^bsub>\<alpha>\<^esub>. A \<in> wffs\<^bsub>o\<^esub>"
+  using assms by fastforce
+
+lemma inequality_wff [intro]:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "A \<noteq>\<^bsub>\<alpha>\<^esub> B \<in> wffs\<^bsub>o\<^esub>"
+  using assms by fastforce
+
+lemma wffs_from_app:
+  assumes "A \<sqdot> B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  obtains \<alpha> where "A \<in> wffs\<^bsub>\<alpha>\<rightarrow>\<beta>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  using assms by (blast elim: wffs_of_type_cases)
+
+lemma wffs_from_generalized_app:
+  assumes "\<sqdot>\<^sup>\<Q>\<^sub>\<star> B As \<in> wffs\<^bsub>\<beta>\<^esub>"
+  obtains ts
+  where "length ts = length As"
+  and "\<forall>k < length As. As ! k \<in> wffs\<^bsub>ts ! k\<^esub>"
+  and "B \<in> wffs\<^bsub>foldr (\<rightarrow>) ts \<beta>\<^esub>"
+using assms proof (induction As arbitrary: B thesis)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (Cons A As)
+  from Cons.prems have "\<sqdot>\<^sup>\<Q>\<^sub>\<star> (B \<sqdot> A) As \<in> wffs\<^bsub>\<beta>\<^esub>"
+    by auto
+  then obtain ts
+    where "length ts = length As"
+    and "\<forall>k < length As. As ! k \<in> wffs\<^bsub>ts ! k\<^esub>"
+    and "B \<sqdot> A \<in> wffs\<^bsub>foldr (\<rightarrow>) ts \<beta>\<^esub>"
+    using Cons.IH by blast
+  moreover
+  from \<open>B \<sqdot> A \<in> wffs\<^bsub>foldr (\<rightarrow>) ts \<beta>\<^esub>\<close> obtain t where "B \<in> wffs\<^bsub>t\<rightarrow>foldr (\<rightarrow>) ts \<beta>\<^esub>" and "A \<in> wffs\<^bsub>t\<^esub>"
+    by (elim wffs_from_app)
+  moreover from \<open>length ts = length As\<close> have "length (t # ts) = length (A # As)"
+    by simp
+  moreover from \<open>A \<in> wffs\<^bsub>t\<^esub>\<close> and \<open>\<forall>k < length As. As ! k \<in> wffs\<^bsub>ts ! k\<^esub>\<close>
+  have "\<forall>k < length (A # As). (A # As) ! k \<in> wffs\<^bsub>(t # ts) ! k\<^esub>"
+    by (simp add: nth_Cons')
+  moreover from \<open>B \<in> wffs\<^bsub>t\<rightarrow>foldr (\<rightarrow>) ts \<beta>\<^esub>\<close> have "B \<in> wffs\<^bsub>foldr (\<rightarrow>) (t # ts) \<beta>\<^esub>"
+    by simp
+  ultimately show ?case
+    using Cons.prems(1) by blast
+qed
+
+lemma wffs_from_abs:
+  assumes "\<lambda>x\<^bsub>\<alpha>\<^esub>. A \<in> wffs\<^bsub>\<gamma>\<^esub>"
+  obtains \<beta> where "\<gamma> = \<alpha>\<rightarrow>\<beta>" and "A \<in> wffs\<^bsub>\<beta>\<^esub>"
+  using assms by (blast elim: wffs_of_type_cases)
+
+lemma wffs_from_equality:
+  assumes "A =\<^bsub>\<alpha>\<^esub> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  using assms by (fastforce elim: wffs_of_type_cases)+
+
+lemma wffs_from_equivalence:
+  assumes "A \<equiv>\<^sup>\<Q> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding equivalence_def by (fact wffs_from_equality)+
+
+lemma wffs_from_forall:
+  assumes "\<forall>x\<^bsub>\<alpha>\<^esub>. A \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding forall_def and PI_def
+  by (fold equality_of_type_def) (drule wffs_from_equality, blast elim: wffs_from_abs)
+
+lemma wffs_from_conj_fun:
+  assumes "\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  using assms by (auto elim: wffs_from_app wffs_from_abs)
+
+lemma wffs_from_conj_op:
+  assumes "A \<and>\<^sup>\<Q> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding conj_op_def by (elim wffs_from_conj_fun)+
+
+lemma wffs_from_imp_fun:
+  assumes "\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  using assms by (auto elim: wffs_from_app wffs_from_abs)
+
+lemma wffs_from_imp_op:
+  assumes "A \<supset>\<^sup>\<Q> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding imp_op_def by (elim wffs_from_imp_fun)+
+
+lemma wffs_from_neg:
+  assumes "\<sim>\<^sup>\<Q> A \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding neg_def by (fold equality_of_type_def) (drule wffs_from_equality, blast)
+
+lemma wffs_from_disj_fun:
+  assumes "\<or>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> A \<sqdot> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  using assms by (auto elim: wffs_from_app wffs_from_abs)
+
+lemma wffs_from_disj_op:
+  assumes "A \<or>\<^sup>\<Q> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>" and "B \<in> wffs\<^bsub>o\<^esub>"
+  using assms and wffs_from_disj_fun unfolding disj_op_def by blast+
+
+lemma wffs_from_exists:
+  assumes "\<exists>x\<^bsub>\<alpha>\<^esub>. A \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>o\<^esub>"
+  using assms unfolding exists_def using wffs_from_neg and wffs_from_forall by blast
+
+lemma wffs_from_inequality:
+  assumes "A \<noteq>\<^bsub>\<alpha>\<^esub> B \<in> wffs\<^bsub>o\<^esub>"
+  shows "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  using assms unfolding inequality_of_type_def using wffs_from_equality and wffs_from_neg by meson+
+
+lemma wff_has_unique_type:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "A \<in> wffs\<^bsub>\<beta>\<^esub>"
+  shows "\<alpha> = \<beta>"
+using assms proof (induction arbitrary: \<alpha> \<beta> rule: form.induct)
+  case (FVar v)
+  obtain x and \<gamma> where "v = (x, \<gamma>)"
+    by fastforce
+  with FVar.prems have "\<alpha> = \<gamma>" and "\<beta> = \<gamma>"
+    by (blast elim: wffs_of_type_cases)+
+  then show ?case ..
+next
+  case (FCon k)
+  obtain x and \<gamma> where "k = (x, \<gamma>)"
+    by fastforce
+  with FCon.prems have "\<alpha> = \<gamma>" and "\<beta> = \<gamma>"
+    by (blast elim: wffs_of_type_cases)+
+  then show ?case ..
+next
+  case (FApp A B)
+  from FApp.prems obtain \<alpha>' and \<beta>' where "A \<in> wffs\<^bsub>\<alpha>'\<rightarrow>\<alpha>\<^esub>" and "A \<in> wffs\<^bsub>\<beta>'\<rightarrow>\<beta>\<^esub>"
+    by (blast elim: wffs_from_app)
+  with FApp.IH(1) show ?case
+    by blast
+next
+  case (FAbs v A)
+  obtain x and \<gamma> where "v = (x, \<gamma>)"
+    by fastforce
+  with FAbs.prems obtain \<alpha>' and \<beta>'
+    where "\<alpha> = \<gamma>\<rightarrow>\<alpha>'" and "\<beta> = \<gamma>\<rightarrow>\<beta>'" and "A \<in> wffs\<^bsub>\<alpha>'\<^esub>" and "A \<in> wffs\<^bsub>\<beta>'\<^esub>"
+    by (blast elim: wffs_from_abs)
+  with FAbs.IH show ?case
+    by simp
+qed
+
+lemma wffs_of_type_o_induct [consumes 1, case_names Var Con App]:
+  assumes "A \<in> wffs\<^bsub>o\<^esub>"
+  and "\<And>x. \<P> (x\<^bsub>o\<^esub>)"
+  and "\<And>c. \<P> (\<lbrace>c\<rbrace>\<^bsub>o\<^esub>)"
+  and "\<And>A B \<alpha>. A \<in> wffs\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<Longrightarrow> B \<in> wffs\<^bsub>\<alpha>\<^esub> \<Longrightarrow> \<P> (A \<sqdot> B)"
+  shows "\<P> A"
+  using assms by (cases rule: wffs_of_type_cases) simp_all
+
+lemma diff_types_implies_diff_wffs:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<beta>\<^esub>"
+  and "\<alpha> \<noteq> \<beta>"
+  shows "A \<noteq> B"
+  using assms and wff_has_unique_type by blast
+
+lemma is_free_for_in_generalized_app [intro]:
+  assumes "is_free_for A v B" and "\<forall>C \<in> lset Cs. is_free_for A v C"
+  shows "is_free_for A v (\<sqdot>\<^sup>\<Q>\<^sub>\<star> B Cs)"
+using assms proof (induction Cs rule: rev_induct)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (snoc C Cs)
+  from snoc.prems(2) have "is_free_for A v C" and "\<forall>C \<in> lset Cs. is_free_for A v C"
+    by simp_all
+  with snoc.prems(1) have "is_free_for A v (\<sqdot>\<^sup>\<Q>\<^sub>\<star> B Cs)"
+    using snoc.IH by simp
+  with \<open>is_free_for A v C\<close> show ?case
+    using is_free_for_to_app by simp
+qed
+
+lemma is_free_for_in_equality [intro]:
+  assumes "is_free_for A v B" and "is_free_for A v C"
+  shows "is_free_for A v (B =\<^bsub>\<alpha>\<^esub> C)"
+  using assms unfolding equality_of_type_def and Q_def and Q_constant_of_type_def
+  by (intro is_free_for_to_app is_free_for_in_con)
+
+lemma is_free_for_in_equivalence [intro]:
+  assumes "is_free_for A v B" and "is_free_for A v C"
+  shows "is_free_for A v (B \<equiv>\<^sup>\<Q> C)"
+  using assms unfolding equivalence_def by (rule is_free_for_in_equality)
+
+lemma is_free_for_in_true [intro]:
+  shows "is_free_for A v (T\<^bsub>o\<^esub>)"
+  by force
+
+lemma is_free_for_in_false [intro]:
+  shows "is_free_for A v (F\<^bsub>o\<^esub>)"
+  unfolding false_def by (intro is_free_for_in_equality is_free_for_closed_form) simp_all
+
+lemma is_free_for_in_forall [intro]:
+  assumes "is_free_for A v B" and "(x, \<alpha>) \<notin> free_vars A"
+  shows "is_free_for A v (\<forall>x\<^bsub>\<alpha>\<^esub>. B)"
+unfolding forall_def and PI_def proof (fold equality_of_type_def)
+  have "is_free_for A v (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub>)"
+    using is_free_for_to_abs[OF is_free_for_in_true assms(2)] by fastforce
+  moreover have "is_free_for A v (\<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+    by (fact is_free_for_to_abs[OF assms])
+  ultimately show "is_free_for A v (\<lambda>\<xx>\<^bsub>\<alpha>\<^esub>. T\<^bsub>o\<^esub> =\<^bsub>\<alpha>\<rightarrow>o\<^esub> \<lambda>x\<^bsub>\<alpha>\<^esub>. B)"
+    by (iprover intro: assms(1) is_free_for_in_equality is_free_for_in_true is_free_for_to_abs)
+qed
+
+lemma is_free_for_in_generalized_forall [intro]:
+  assumes "is_free_for A v B" and "lset vs \<inter> free_vars A = {}"
+  shows "is_free_for A v (\<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+using assms proof (induction vs)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (Cons v' vs)
+  obtain x and \<alpha> where "v' = (x, \<alpha>)"
+    by fastforce
+  from Cons.prems(2) have "v' \<notin> free_vars A" and "lset vs \<inter> free_vars A = {}"
+    by simp_all
+  from Cons.prems(1) and \<open>lset vs \<inter> free_vars A = {}\<close> have "is_free_for A v (\<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+    by (fact Cons.IH)
+  from this and \<open>v' \<notin> free_vars A\<close>[unfolded \<open>v' = (x, \<alpha>)\<close>] have "is_free_for A v (\<forall>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs B)"
+    by (intro is_free_for_in_forall)
+  with \<open>v' = (x, \<alpha>)\<close> show ?case
+    by simp
+qed
+
+lemma is_free_for_in_conj [intro]:
+  assumes "is_free_for A v B" and "is_free_for A v C"
+  shows "is_free_for A v (B \<and>\<^sup>\<Q> C)"
+proof -
+  have "free_vars \<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> = {}"
+    by force
+  then have "is_free_for A v (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>)"
+    using is_free_for_closed_form by fast
+  with assms have "is_free_for A v (\<and>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> B \<sqdot> C)"
+    by (intro is_free_for_to_app)
+  then show ?thesis
+    by (fold conj_op_def)
+qed
+
+lemma is_free_for_in_imp [intro]:
+  assumes "is_free_for A v B" and "is_free_for A v C"
+  shows "is_free_for A v (B \<supset>\<^sup>\<Q> C)"
+proof -
+  have "free_vars \<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> = {}"
+    by force
+  then have "is_free_for A v (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>)"
+    using is_free_for_closed_form by fast
+  with assms have "is_free_for A v (\<supset>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> B \<sqdot> C)"
+    by (intro is_free_for_to_app)
+  then show ?thesis
+    by (fold imp_op_def)
+qed
+
+lemma is_free_for_in_neg [intro]:
+  assumes "is_free_for A v B"
+  shows "is_free_for A v (\<sim>\<^sup>\<Q> B)"
+  using assms unfolding neg_def and Q_def and Q_constant_of_type_def
+  by (intro is_free_for_to_app is_free_for_in_false is_free_for_in_con)
+
+lemma is_free_for_in_disj [intro]:
+  assumes "is_free_for A v B" and "is_free_for A v C"
+  shows "is_free_for A v (B \<or>\<^sup>\<Q> C)"
+proof -
+  have "free_vars \<or>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> = {}"
+    by force
+  then have "is_free_for A v (\<or>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub>)"
+    using is_free_for_closed_form by fast
+  with assms have "is_free_for A v (\<or>\<^bsub>o\<rightarrow>o\<rightarrow>o\<^esub> \<sqdot> B \<sqdot> C)"
+    by (intro is_free_for_to_app)
+  then show ?thesis
+    by (fold disj_op_def)
+qed
+
+lemma replacement_preserves_typing:
+  assumes "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D"
+  and "A \<preceq>\<^bsub>p\<^esub> C"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "C \<in> wffs\<^bsub>\<beta>\<^esub> \<longleftrightarrow> D \<in> wffs\<^bsub>\<beta>\<^esub>"
+using assms proof (induction arbitrary: \<beta> rule: is_replacement_at.induct)
+  case (pos_found p C C' A)
+  then show ?case
+    using diff_types_implies_diff_wffs by auto
+qed (metis is_subform_at.simps(2,3,4) wffs_from_app wffs_from_abs wffs_of_type_simps)+
+
+corollary replacement_preserves_typing':
+  assumes "C\<lblot>p \<leftarrow> B\<rblot> \<rhd> D"
+  and "A \<preceq>\<^bsub>p\<^esub> C"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>" and "B \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "C \<in> wffs\<^bsub>\<beta>\<^esub>" and "D \<in> wffs\<^bsub>\<gamma>\<^esub>"
+  shows "\<beta> = \<gamma>"
+  using assms and replacement_preserves_typing and wff_has_unique_type by simp
+
+text \<open>Closed formulas and sentences:\<close>
+
+definition is_closed_wff_of_type :: "form \<Rightarrow> type \<Rightarrow> bool" where
+  [iff]: "is_closed_wff_of_type A \<alpha> \<longleftrightarrow> A \<in> wffs\<^bsub>\<alpha>\<^esub> \<and> free_vars A = {}"
+
+definition is_sentence :: "form \<Rightarrow> bool" where
+  [iff]: "is_sentence A \<longleftrightarrow> is_closed_wff_of_type A o"
+
+subsection \<open>Substitutions\<close>
+
+type_synonym substitution = "(var, form) fmap"
+
+definition is_substitution :: "substitution \<Rightarrow> bool" where
+  [iff]: "is_substitution \<theta> \<longleftrightarrow> (\<forall>(x, \<alpha>) \<in> fmdom' \<theta>. \<theta> $$! (x, \<alpha>) \<in> wffs\<^bsub>\<alpha>\<^esub>)"
+
+fun substitute :: "substitution \<Rightarrow> form \<Rightarrow> form" ("\<^bold>S _ _" [51, 51]) where
+  "\<^bold>S \<theta> (x\<^bsub>\<alpha>\<^esub>) = (case \<theta> $$ (x, \<alpha>) of None \<Rightarrow> x\<^bsub>\<alpha>\<^esub> | Some A \<Rightarrow> A)"
+| "\<^bold>S \<theta> (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = \<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>"
+| "\<^bold>S \<theta> (A \<sqdot> B) = (\<^bold>S \<theta> A) \<sqdot> (\<^bold>S \<theta> B)"
+| "\<^bold>S \<theta> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = (if (x, \<alpha>) \<notin> fmdom' \<theta> then \<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S \<theta> A else \<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S (fmdrop (x, \<alpha>) \<theta>) A)"
+
+lemma empty_substitution_neutrality:
+  shows "\<^bold>S {$$} A = A"
+  by (induction A) auto
+
+lemma substitution_preserves_typing:
+  assumes "is_substitution \<theta>"
+  and "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "\<^bold>S \<theta> A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+using assms(2) and assms(1)[unfolded is_substitution_def] proof (induction arbitrary: \<theta>)
+  case (var_is_wff \<alpha> x)
+  then show ?case
+    by (cases "(x, \<alpha>) \<in> fmdom' \<theta>") (use fmdom'_notI in \<open>force+\<close>)
+next
+  case (abs_is_wff \<beta> A \<alpha> x)
+  then show ?case
+  proof (cases "(x, \<alpha>) \<in> fmdom' \<theta>")
+    case True
+    then have "\<^bold>S \<theta> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = \<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S (fmdrop (x, \<alpha>) \<theta>) A"
+      by simp
+    moreover from abs_is_wff.prems have "is_substitution (fmdrop (x, \<alpha>) \<theta>)"
+      by fastforce
+    with abs_is_wff.IH have "\<^bold>S (fmdrop (x, \<alpha>) \<theta>) A \<in> wffs\<^bsub>\<beta>\<^esub>"
+      by simp
+    ultimately show ?thesis
+      by auto
+  next
+    case False
+    then have "\<^bold>S \<theta> (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = \<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S \<theta> A"
+      by simp
+    moreover from abs_is_wff.IH have "\<^bold>S \<theta> A \<in> wffs\<^bsub>\<beta>\<^esub>"
+      using abs_is_wff.prems by blast
+    ultimately show ?thesis
+      by fastforce
+  qed
+qed force+
+
+lemma derived_substitution_simps:
+  shows "\<^bold>S \<theta> T\<^bsub>o\<^esub> = T\<^bsub>o\<^esub>"
+  and "\<^bold>S \<theta> F\<^bsub>o\<^esub> = F\<^bsub>o\<^esub>"
+  and "\<^bold>S \<theta> (\<Prod>\<^bsub>\<alpha>\<^esub>) = \<Prod>\<^bsub>\<alpha>\<^esub>"
+  and "\<^bold>S \<theta> (\<sim>\<^sup>\<Q> B) = \<sim>\<^sup>\<Q> (\<^bold>S \<theta> B)"
+  and "\<^bold>S \<theta> (B =\<^bsub>\<alpha>\<^esub> C) = (\<^bold>S \<theta> B) =\<^bsub>\<alpha>\<^esub> (\<^bold>S \<theta> C)"
+  and "\<^bold>S \<theta> (B \<and>\<^sup>\<Q> C) = (\<^bold>S \<theta> B) \<and>\<^sup>\<Q> (\<^bold>S \<theta> C)"
+  and "\<^bold>S \<theta> (B \<or>\<^sup>\<Q> C) = (\<^bold>S \<theta> B) \<or>\<^sup>\<Q> (\<^bold>S \<theta> C)"
+  and "\<^bold>S \<theta> (B \<supset>\<^sup>\<Q> C) = (\<^bold>S \<theta> B) \<supset>\<^sup>\<Q> (\<^bold>S \<theta> C)"
+  and "\<^bold>S \<theta> (B \<equiv>\<^sup>\<Q> C) = (\<^bold>S \<theta> B) \<equiv>\<^sup>\<Q> (\<^bold>S \<theta> C)"
+  and "\<^bold>S \<theta> (B \<noteq>\<^bsub>\<alpha>\<^esub> C) = (\<^bold>S \<theta> B) \<noteq>\<^bsub>\<alpha>\<^esub> (\<^bold>S \<theta> C)"
+  and "\<^bold>S \<theta> (\<forall>x\<^bsub>\<alpha>\<^esub>. B) = (if (x, \<alpha>) \<notin> fmdom' \<theta> then \<forall>x\<^bsub>\<alpha>\<^esub>. \<^bold>S \<theta> B else \<forall>x\<^bsub>\<alpha>\<^esub>. \<^bold>S (fmdrop (x, \<alpha>) \<theta>) B)"
+  and "\<^bold>S \<theta> (\<exists>x\<^bsub>\<alpha>\<^esub>. B) = (if (x, \<alpha>) \<notin> fmdom' \<theta> then \<exists>x\<^bsub>\<alpha>\<^esub>. \<^bold>S \<theta> B else \<exists>x\<^bsub>\<alpha>\<^esub>. \<^bold>S (fmdrop (x, \<alpha>) \<theta>) B)"
+  by auto
+
+lemma generalized_app_substitution:
+  shows "\<^bold>S \<theta> (\<sqdot>\<^sup>\<Q>\<^sub>\<star> A Bs) = \<sqdot>\<^sup>\<Q>\<^sub>\<star> (\<^bold>S \<theta> A) (map (\<lambda>B. \<^bold>S \<theta> B) Bs)"
+  by (induction Bs arbitrary: A) simp_all
+
+lemma generalized_abs_substitution:
+  shows "\<^bold>S \<theta> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A) = \<lambda>\<^sup>\<Q>\<^sub>\<star> vs (\<^bold>S (fmdrop_set (fmdom' \<theta> \<inter> lset vs) \<theta>) A)"
+proof (induction vs arbitrary: \<theta>)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (Cons v vs)
+  obtain x and \<alpha> where "v = (x, \<alpha>)"
+    by fastforce
+  then show ?case
+  proof (cases "v \<notin> fmdom' \<theta>")
+    case True
+    then have *: "fmdom' \<theta> \<inter> lset (v # vs) = fmdom' \<theta> \<inter> lset vs"
+      by simp
+    from True have "\<^bold>S \<theta> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) A) = \<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S \<theta> (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A)"
+      using \<open>v = (x, \<alpha>)\<close> by auto
+    also have "\<dots> = \<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>\<^sup>\<Q>\<^sub>\<star> vs (\<^bold>S (fmdrop_set (fmdom' \<theta> \<inter> lset vs) \<theta>) A)"
+      using Cons.IH by (simp only:)
+    also have "\<dots> = \<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) (\<^bold>S (fmdrop_set (fmdom' \<theta> \<inter> lset (v # vs)) \<theta>) A)"
+      using \<open>v = (x, \<alpha>)\<close> and * by auto
+    finally show ?thesis .
+  next
+    case False
+    let ?\<theta>' = "fmdrop v \<theta>"
+    have *: "fmdrop_set (fmdom' \<theta> \<inter> lset (v # vs)) \<theta> = fmdrop_set (fmdom' ?\<theta>' \<inter> lset vs) ?\<theta>'"
+      using False by clarsimp (metis Int_Diff Int_commute fmdrop_set_insert insert_Diff_single)
+    from False have "\<^bold>S \<theta> (\<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) A) = \<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S ?\<theta>' (\<lambda>\<^sup>\<Q>\<^sub>\<star> vs A)"
+      using \<open>v = (x, \<alpha>)\<close> by auto
+    also have "\<dots> = \<lambda>x\<^bsub>\<alpha>\<^esub>. \<lambda>\<^sup>\<Q>\<^sub>\<star> vs (\<^bold>S (fmdrop_set (fmdom' ?\<theta>' \<inter> lset vs) ?\<theta>') A)"
+      using Cons.IH by (simp only:)
+    also have "\<dots> = \<lambda>\<^sup>\<Q>\<^sub>\<star> (v # vs) (\<^bold>S (fmdrop_set (fmdom' \<theta> \<inter> lset (v # vs)) \<theta>) A)"
+      using \<open>v = (x, \<alpha>)\<close> and * by auto
+    finally show ?thesis .
+  qed
+qed
+
+lemma generalized_forall_substitution:
+  shows "\<^bold>S \<theta> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs A) = \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<^bold>S (fmdrop_set (fmdom' \<theta> \<inter> lset vs) \<theta>) A)"
+proof (induction vs arbitrary: \<theta>)
+  case Nil
+  then show ?case
+    by simp
+next
+  case (Cons v vs)
+  obtain x and \<alpha> where "v = (x, \<alpha>)"
+    by fastforce
+  then show ?case
+  proof (cases "v \<notin> fmdom' \<theta>")
+    case True
+    then have *: "fmdom' \<theta> \<inter> lset (v # vs) = fmdom' \<theta> \<inter> lset vs"
+      by simp
+    from True have "\<^bold>S \<theta> (\<forall>\<^sup>\<Q>\<^sub>\<star> (v # vs) A) = \<forall>x\<^bsub>\<alpha>\<^esub>. \<^bold>S \<theta> (\<forall>\<^sup>\<Q>\<^sub>\<star> vs A)"
+      using \<open>v = (x, \<alpha>)\<close> by auto
+    also have "\<dots> = \<forall>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<^bold>S (fmdrop_set (fmdom' \<theta> \<inter> lset vs) \<theta>) A)"
+      using Cons.IH by (simp only:)
+    also have "\<dots> = \<forall>\<^sup>\<Q>\<^sub>\<star> (v # vs) (\<^bold>S (fmdrop_set (fmdom' \<theta> \<inter> lset (v # vs)) \<theta>) A)"
+      using \<open>v = (x, \<alpha>)\<close> and * by auto
+    finally show ?thesis .
+  next
+    case False
+    let ?\<theta>' = "fmdrop v \<theta>"
+    have *: "fmdrop_set (fmdom' \<theta> \<inter> lset (v # vs)) \<theta> = fmdrop_set (fmdom' ?\<theta>' \<inter> lset vs) ?\<theta>'"
+      using False by clarsimp (metis Int_Diff Int_commute fmdrop_set_insert insert_Diff_single)
+    from False have "\<^bold>S \<theta> (\<forall>\<^sup>\<Q>\<^sub>\<star> (v # vs) A) = \<forall>x\<^bsub>\<alpha>\<^esub>. \<^bold>S ?\<theta>' (\<forall>\<^sup>\<Q>\<^sub>\<star> vs A)"
+      using \<open>v = (x, \<alpha>)\<close> by auto
+    also have "\<dots> = \<forall>x\<^bsub>\<alpha>\<^esub>. \<forall>\<^sup>\<Q>\<^sub>\<star> vs (\<^bold>S (fmdrop_set (fmdom' ?\<theta>' \<inter> lset vs) ?\<theta>') A)"
+      using Cons.IH by (simp only:)
+    also have "\<dots> = \<forall>\<^sup>\<Q>\<^sub>\<star> (v # vs) (\<^bold>S (fmdrop_set (fmdom' \<theta> \<inter> lset (v # vs)) \<theta>) A)"
+      using \<open>v = (x, \<alpha>)\<close> and * by auto
+    finally show ?thesis .
+  qed
+qed
+
+lemma singleton_substitution_simps:
+  shows "\<^bold>S {(x, \<alpha>) \<Zinj> A} (y\<^bsub>\<beta>\<^esub>) = (if (x, \<alpha>) \<noteq> (y, \<beta>) then y\<^bsub>\<beta>\<^esub> else A)"
+  and "\<^bold>S {(x, \<alpha>) \<Zinj> A} (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = \<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>"
+  and "\<^bold>S {(x, \<alpha>) \<Zinj> A} (B \<sqdot> C) = (\<^bold>S {(x, \<alpha>) \<Zinj> A} B) \<sqdot> (\<^bold>S {(x, \<alpha>) \<Zinj> A} C)"
+  and "\<^bold>S {(x, \<alpha>) \<Zinj> A} (\<lambda>y\<^bsub>\<beta>\<^esub>. B) = \<lambda>y\<^bsub>\<beta>\<^esub>. (if (x, \<alpha>) = (y, \<beta>) then B else \<^bold>S {(x, \<alpha>) \<Zinj> A} B)"
+  by (simp_all add: empty_substitution_neutrality fmdrop_fmupd_same)
+
+lemma substitution_preserves_freeness:
+  assumes "y \<notin> free_vars A" and "y \<noteq> z"
+  shows "y \<notin> free_vars \<^bold>S {x \<Zinj> FVar z} A"
+using assms(1) proof (induction A rule: free_vars_form.induct)
+  case (1 x' \<alpha>)
+  with assms(2) show ?case
+    using surj_pair[of z] by (cases "x = (x', \<alpha>)") force+
+next
+  case (4 x' \<alpha> A)
+  then show ?case
+    using surj_pair[of z]
+    by (cases "x = (x', \<alpha>)") (use singleton_substitution_simps(4) in presburger, auto)
+qed auto
+
+lemma renaming_substitution_minimal_change:
+  assumes "y \<notin> vars A" and "y \<noteq> z"
+  shows "y \<notin> vars (\<^bold>S {x \<Zinj> FVar z} A)"
+using assms(1) proof (induction A rule: vars_form.induct)
+  case (1 x' \<alpha>)
+  with assms(2) show ?case
+    using surj_pair[of z] by (cases "x = (x', \<alpha>)") force+
+next
+  case (4 x' \<alpha> A)
+  then show ?case
+    using surj_pair[of z]
+    by (cases "x = (x', \<alpha>)") (use singleton_substitution_simps(4) in presburger, auto)
+qed auto
+
+lemma free_var_singleton_substitution_neutrality:
+  assumes "v \<notin> free_vars A"
+  shows "\<^bold>S {v \<Zinj> B} A = A"
+  using assms
+  by
+    (induction A rule: free_vars_form.induct)
+    (simp_all, metis empty_substitution_neutrality fmdrop_empty fmdrop_fmupd_same)
+
+lemma identity_singleton_substitution_neutrality:
+  shows "\<^bold>S {v \<Zinj> FVar v} A = A"
+  by
+    (induction A rule: free_vars_form.induct)
+    (simp_all add: empty_substitution_neutrality fmdrop_fmupd_same)
+
+lemma free_var_in_renaming_substitution:
+  assumes "x \<noteq> y"
+  shows "(x, \<alpha>) \<notin> free_vars (\<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} B)"
+  using assms by (induction B rule: free_vars_form.induct) simp_all
+
+lemma renaming_substitution_preserves_form_size:
+  shows "form_size (\<^bold>S {v \<Zinj> FVar v'} A) = form_size A"
+proof (induction A rule: form_size.induct)
+  case (1 x \<alpha>)
+  then show ?case
+    using form_size.elims by auto
+next
+  case (4 x \<alpha> A)
+  then show ?case
+    by (cases "v = (x, \<alpha>)") (use singleton_substitution_simps(4) in presburger, auto)
+qed simp_all
+
+text \<open>The following lemma corresponds to X5100 in @{cite "andrews:2002"}:\<close>
+
+lemma substitution_composability:
+  assumes "v' \<notin> vars B"
+  shows "\<^bold>S {v' \<Zinj> A} \<^bold>S {v \<Zinj> FVar v'} B = \<^bold>S {v \<Zinj> A} B"
+using assms proof (induction B arbitrary: v')
+  case (FAbs w C)
+  then show ?case
+  proof (cases "v = w")
+    case True
+    from \<open>v' \<notin> vars (FAbs w C)\<close> have "v' \<notin> free_vars (FAbs w C)"
+      using free_vars_in_all_vars by blast
+    then have "\<^bold>S {v' \<Zinj> A} (FAbs w C) = FAbs w C"
+      by (rule free_var_singleton_substitution_neutrality)
+    from \<open>v = w\<close> have "v \<notin> free_vars (FAbs w C)"
+      using surj_pair[of w] by fastforce
+    then have "\<^bold>S {v \<Zinj> A} (FAbs w C) = FAbs w C"
+      by (fact free_var_singleton_substitution_neutrality)
+    also from \<open>\<^bold>S {v' \<Zinj> A} (FAbs w C) = FAbs w C\<close> have "\<dots> = \<^bold>S {v' \<Zinj> A} (FAbs w C)"
+      by (simp only:)
+    also from \<open>v = w\<close> have "\<dots> = \<^bold>S {v' \<Zinj> A} \<^bold>S {v \<Zinj> FVar v'} (FAbs w C)"
+      using free_var_singleton_substitution_neutrality[OF \<open>v \<notin> free_vars (FAbs w C)\<close>] by (simp only:)
+    finally show ?thesis ..
+  next
+    case False
+    from FAbs.prems have "v' \<notin> vars C"
+      using surj_pair[of w] by fastforce
+    then show ?thesis
+    proof (cases "v' = w")
+      case True
+      with FAbs.prems show ?thesis
+        using vars_form.elims by auto
+    next
+      case False
+      from \<open>v \<noteq> w\<close> have "\<^bold>S {v \<Zinj> A} (FAbs w C) = FAbs w (\<^bold>S {v \<Zinj> A} C)"
+        using surj_pair[of w] by fastforce
+      also from FAbs.IH have "\<dots> = FAbs w (\<^bold>S {v' \<Zinj> A} \<^bold>S {v \<Zinj> FVar v'} C)"
+        using \<open>v' \<notin> vars C\<close> by simp
+      also from \<open>v' \<noteq> w\<close> have "\<dots> = \<^bold>S {v' \<Zinj> A} (FAbs w (\<^bold>S {v \<Zinj> FVar v'} C))"
+        using surj_pair[of w] by fastforce
+      also from \<open>v \<noteq> w\<close> have "\<dots> = \<^bold>S {v' \<Zinj> A} \<^bold>S {v \<Zinj> FVar v'} (FAbs w C)"
+        using surj_pair[of w] by fastforce
+      finally show ?thesis ..
+    qed
+  qed
+qed auto
+
+text \<open>The following lemma corresponds to X5101 in @{cite "andrews:2002"}:\<close>
+
+lemma renaming_substitution_composability:
+  assumes "z \<notin> free_vars A" and "is_free_for (FVar z) x A"
+  shows "\<^bold>S {z \<Zinj> FVar y} \<^bold>S {x \<Zinj> FVar z} A = \<^bold>S {x \<Zinj> FVar y} A"
+using assms proof (induction A arbitrary: z)
+  case (FVar v)
+  then show ?case
+    using surj_pair[of v] and surj_pair[of z] by fastforce
+next
+  case (FCon k)
+  then show ?case
+    using surj_pair[of k] by fastforce
+next
+  case (FApp B C)
+  let ?\<theta>\<^sub>z\<^sub>y = "{z \<Zinj> FVar y}" and ?\<theta>\<^sub>x\<^sub>z = "{x \<Zinj> FVar z}" and ?\<theta>\<^sub>x\<^sub>y = "{x \<Zinj> FVar y}"
+  from \<open>is_free_for (FVar z) x (B \<sqdot> C)\<close> have "is_free_for (FVar z) x B" and "is_free_for (FVar z) x C"
+    using is_free_for_from_app by iprover+
+  moreover from \<open>z \<notin> free_vars (B \<sqdot> C)\<close> have "z \<notin> free_vars B" and "z \<notin> free_vars C"
+    by simp_all
+  ultimately have *: "\<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z B = \<^bold>S ?\<theta>\<^sub>x\<^sub>y B" and **: "\<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z C = \<^bold>S ?\<theta>\<^sub>x\<^sub>y C"
+    using FApp.IH by simp_all
+  have "\<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z (B \<sqdot> C) = (\<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z B) \<sqdot> (\<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z C)"
+    by simp
+  also from * and ** have "\<dots> = (\<^bold>S ?\<theta>\<^sub>x\<^sub>y B) \<sqdot> (\<^bold>S ?\<theta>\<^sub>x\<^sub>y C)"
+    by (simp only:)
+  also have "\<dots> = \<^bold>S ?\<theta>\<^sub>x\<^sub>y (B \<sqdot> C)"
+    by simp
+  finally show ?case .
+next
+  case (FAbs w B)
+  let ?\<theta>\<^sub>z\<^sub>y = "{z \<Zinj> FVar y}" and ?\<theta>\<^sub>x\<^sub>z = "{x \<Zinj> FVar z}" and ?\<theta>\<^sub>x\<^sub>y = "{x \<Zinj> FVar y}"
+  show ?case
+  proof (cases "x = w")
+    case True
+    then show ?thesis
+    proof (cases "z = w")
+      case True
+      with \<open>x = w\<close> have "x \<notin> free_vars (FAbs w B)" and "z \<notin> free_vars (FAbs w B)"
+        using surj_pair[of w] by fastforce+
+      from \<open>x \<notin> free_vars (FAbs w B)\<close> have "\<^bold>S ?\<theta>\<^sub>x\<^sub>y (FAbs w B) = FAbs w B"
+        by (fact free_var_singleton_substitution_neutrality)
+      also from \<open>z \<notin> free_vars (FAbs w B)\<close> have "\<dots> = \<^bold>S ?\<theta>\<^sub>z\<^sub>y (FAbs w B)"
+        by (fact free_var_singleton_substitution_neutrality[symmetric])
+      also from \<open>x \<notin> free_vars (FAbs w B)\<close> have "\<dots> = \<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z (FAbs w B)"
+        using free_var_singleton_substitution_neutrality by simp
+      finally show ?thesis ..
+    next
+      case False
+      with \<open>x = w\<close> have "z \<notin> free_vars B" and "x \<notin> free_vars (FAbs w B)"
+        using \<open>z \<notin> free_vars (FAbs w B)\<close> and surj_pair[of w] by fastforce+
+      from \<open>z \<notin> free_vars B\<close> have "\<^bold>S ?\<theta>\<^sub>z\<^sub>y B = B"
+        by (fact free_var_singleton_substitution_neutrality)
+      from \<open>x \<notin> free_vars (FAbs w B)\<close> have "\<^bold>S ?\<theta>\<^sub>x\<^sub>y (FAbs w B) = FAbs w B"
+        by (fact free_var_singleton_substitution_neutrality)
+      also from \<open>\<^bold>S ?\<theta>\<^sub>z\<^sub>y B = B\<close> have "\<dots> = FAbs w (\<^bold>S ?\<theta>\<^sub>z\<^sub>y B)"
+        by (simp only:)
+      also from \<open>z \<notin> free_vars (FAbs w B)\<close> have "\<dots> = \<^bold>S ?\<theta>\<^sub>z\<^sub>y (FAbs w B)"
+        by (simp add: \<open>FAbs w B = FAbs w (\<^bold>S ?\<theta>\<^sub>z\<^sub>y B)\<close> free_var_singleton_substitution_neutrality)
+      also from \<open>x \<notin> free_vars (FAbs w B)\<close> have "\<dots> = \<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z (FAbs w B)"
+        using free_var_singleton_substitution_neutrality by simp
+      finally show ?thesis ..
+    qed
+  next
+    case False
+    then show ?thesis
+    proof (cases "z = w")
+      case True
+      have "x \<notin> free_vars B"
+      proof (rule ccontr)
+        assume "\<not> x \<notin> free_vars B"
+        with \<open>x \<noteq> w\<close> have "x \<in> free_vars (FAbs w B)"
+          using surj_pair[of w] by fastforce
+        then obtain p where "p \<in> positions (FAbs w B)" and "is_free_at x p (FAbs w B)"
+          using free_vars_in_is_free_at by blast
+        with \<open>is_free_for (FVar z) x (FAbs w B)\<close> have "\<not> in_scope_of_abs z p (FAbs w B)"
+          by (meson empty_is_position is_free_at_in_free_vars is_free_at_in_var is_free_for_def)
+        moreover obtain p' where "p = \<guillemotleft> # p'"
+          using is_free_at_from_absE[OF \<open>is_free_at x p (FAbs w B)\<close>] by blast
+        ultimately have "z \<noteq> w"
+          using in_scope_of_abs_in_abs by blast
+        with \<open>z = w\<close> show False
+          by contradiction
+      qed
+      then have *: "\<^bold>S ?\<theta>\<^sub>x\<^sub>y B = \<^bold>S ?\<theta>\<^sub>x\<^sub>z B"
+        using free_var_singleton_substitution_neutrality by auto
+      from \<open>x \<noteq> w\<close> have "\<^bold>S ?\<theta>\<^sub>x\<^sub>y (FAbs w B) = FAbs w (\<^bold>S ?\<theta>\<^sub>x\<^sub>y B)"
+        using surj_pair[of w] by fastforce
+      also from * have "\<dots> = FAbs w (\<^bold>S ?\<theta>\<^sub>x\<^sub>z B)"
+        by (simp only:)
+      also from FAbs.prems(1) have "\<dots> = \<^bold>S ?\<theta>\<^sub>z\<^sub>y (FAbs w (\<^bold>S ?\<theta>\<^sub>x\<^sub>z B))"
+        using \<open>x \<notin> free_vars B\<close> and free_var_singleton_substitution_neutrality by auto
+      also from \<open>x \<noteq> w\<close> have "\<dots> = \<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z (FAbs w B)"
+        using surj_pair[of w] by fastforce
+      finally show ?thesis ..
+    next
+      case False
+      obtain v\<^sub>w and \<alpha> where "w = (v\<^sub>w, \<alpha>)"
+        by fastforce
+      with \<open>is_free_for (FVar z) x (FAbs w B)\<close> and \<open>x \<noteq> w\<close> have "is_free_for (FVar z) x B"
+        using is_free_for_from_abs by iprover
+      moreover from \<open>z \<notin> free_vars (FAbs w B)\<close> and \<open>z \<noteq> w\<close> and \<open>w = (v\<^sub>w, \<alpha>)\<close> have "z \<notin> free_vars B"
+        by simp
+      ultimately have *: "\<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z B = \<^bold>S ?\<theta>\<^sub>x\<^sub>y B"
+        using FAbs.IH by simp
+      from \<open>x \<noteq> w\<close> have "\<^bold>S ?\<theta>\<^sub>x\<^sub>y (FAbs w B) = FAbs w (\<^bold>S ?\<theta>\<^sub>x\<^sub>y B)"
+        using \<open>w = (v\<^sub>w, \<alpha>)\<close> and free_var_singleton_substitution_neutrality by simp
+      also from * have "\<dots> = FAbs w (\<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z B)"
+        by (simp only:)
+      also from \<open>z \<noteq> w\<close> have "\<dots> = \<^bold>S ?\<theta>\<^sub>z\<^sub>y (FAbs w (\<^bold>S ?\<theta>\<^sub>x\<^sub>z B))"
+        using \<open>w = (v\<^sub>w, \<alpha>)\<close> and free_var_singleton_substitution_neutrality by simp
+      also from \<open>x \<noteq> w\<close> have "\<dots> = \<^bold>S ?\<theta>\<^sub>z\<^sub>y \<^bold>S ?\<theta>\<^sub>x\<^sub>z (FAbs w B)"
+        using \<open>w = (v\<^sub>w, \<alpha>)\<close> and free_var_singleton_substitution_neutrality by simp
+      finally show ?thesis ..
+    qed
+  qed
+qed
+
+lemma absent_vars_substitution_preservation:
+  assumes "v \<notin> vars A"
+  and "\<forall>v' \<in> fmdom' \<theta>. v \<notin> vars (\<theta> $$! v')"
+  shows "v \<notin> vars (\<^bold>S \<theta> A)"
+using assms proof (induction A arbitrary: \<theta>)
+  case (FVar v')
+  then show ?case
+    using surj_pair[of v'] by (cases "v' \<in> fmdom' \<theta>") (use fmlookup_dom'_iff in force)+
+next
+  case (FCon k)
+  then show ?case
+    using surj_pair[of k] by fastforce
+next
+  case FApp
+  then show ?case
+    by simp
+next
+  case (FAbs w B)
+  from FAbs.prems(1) have "v \<notin> vars B"
+    using vars_form.elims by auto
+  then show ?case
+  proof (cases "w \<in> fmdom' \<theta>")
+    case True
+    from FAbs.prems(2) have "\<forall>v' \<in> fmdom' (fmdrop w \<theta>). v \<notin> vars ((fmdrop w \<theta>) $$! v')"
+      by auto
+    with \<open>v \<notin> vars B\<close> have "v \<notin> vars (\<^bold>S (fmdrop w \<theta>) B)"
+      by (fact FAbs.IH)
+    with FAbs.prems(1) have "v \<notin> vars (FAbs w (\<^bold>S (fmdrop w \<theta>) B))"
+      using surj_pair[of w] by fastforce
+    moreover from True have "\<^bold>S \<theta> (FAbs w B) = FAbs w (\<^bold>S (fmdrop w \<theta>) B)"
+      using surj_pair[of w] by fastforce
+    ultimately show ?thesis
+      by simp
+  next
+    case False
+    then show ?thesis
+      using FAbs.IH and FAbs.prems and surj_pair[of w] by fastforce
+  qed
+qed
+
+lemma substitution_free_absorption:
+  assumes "\<theta> $$ v = None" and "v \<notin> free_vars B"
+  shows "\<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) B = \<^bold>S \<theta> B"
+using assms proof (induction B arbitrary: \<theta>)
+  case (FAbs w B)
+  show ?case
+  proof (cases "v \<noteq> w")
+    case True
+    with FAbs.prems(2) have "v \<notin> free_vars B"
+      using surj_pair[of w] by fastforce
+    then show ?thesis
+    proof (cases "w \<in> fmdom' \<theta>")
+      case True
+      then have "\<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S (fmdrop w ({v \<Zinj> A} ++\<^sub>f \<theta>)) B)"
+        using surj_pair[of w] by fastforce
+      also from \<open>v \<noteq> w\<close> and True have "\<dots> = FAbs w (\<^bold>S ({v \<Zinj> A} ++\<^sub>f fmdrop w \<theta>) B)"
+        by (simp add: fmdrop_fmupd)
+      also from FAbs.prems(1) and \<open>v \<notin> free_vars B\<close> have "\<dots> = FAbs w (\<^bold>S (fmdrop w \<theta>) B)"
+        using FAbs.IH by simp
+      also from True have "\<dots> = \<^bold>S \<theta> (FAbs w B)"
+        using surj_pair[of w] by fastforce
+      finally show ?thesis .
+    next
+      case False
+      with FAbs.prems(1) have "\<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) B)"
+        using \<open>v \<noteq> w\<close> and surj_pair[of w] by fastforce
+      also from FAbs.prems(1) and \<open>v \<notin> free_vars B\<close> have "\<dots> = FAbs w (\<^bold>S \<theta> B)"
+        using FAbs.IH by simp
+      also from False have "\<dots> = \<^bold>S \<theta> (FAbs w B)"
+        using surj_pair[of w] by fastforce
+      finally show ?thesis .
+    qed
+  next
+    case False
+    then have "fmdrop w ({v \<Zinj> A} ++\<^sub>f \<theta>) = fmdrop w \<theta>"
+      by (simp add: fmdrop_fmupd_same)
+    then show ?thesis
+      using surj_pair[of w] by (metis (no_types, lifting) fmdrop_idle' substitute.simps(4))
+  qed
+qed fastforce+
+
+lemma substitution_absorption:
+  assumes "\<theta> $$ v = None" and "v \<notin> vars B"
+  shows "\<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) B = \<^bold>S \<theta> B"
+  using assms by (meson free_vars_in_all_vars in_mono substitution_free_absorption)
+
+lemma is_free_for_with_renaming_substitution:
+  assumes "is_free_for A x B"
+  and "y \<notin> vars B"
+  and "x \<notin> fmdom' \<theta>"
+  and "\<forall>v \<in> fmdom' \<theta>. y \<notin> vars (\<theta> $$! v)"
+  and "\<forall>v \<in> fmdom' \<theta>. is_free_for (\<theta> $$! v) v B"
+  shows "is_free_for A y (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) B)"
+using assms proof (induction B arbitrary: \<theta>)
+  case (FVar w)
+  then show ?case
+  proof (cases "w = x")
+    case True
+    with FVar.prems(3) have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FVar w) = FVar y"
+      using surj_pair[of w] by fastforce
+    then show ?thesis
+      using self_subform_is_at_top by fastforce
+  next
+    case False
+    then show ?thesis
+    proof (cases "w \<in> fmdom' \<theta>")
+      case True
+      from False have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FVar w) = \<^bold>S \<theta> (FVar w)"
+        using substitution_absorption and surj_pair[of w] by force
+      also from True have "\<dots> = \<theta> $$! w"
+        using surj_pair[of w] by (metis fmdom'_notI option.case_eq_if substitute.simps(1))
+      finally have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FVar w) = \<theta> $$! w" .
+      moreover from True and FVar.prems(4) have "y \<notin> vars (\<theta> $$! w)"
+        by blast
+      ultimately show ?thesis
+        using form_is_free_for_absent_var by presburger
+    next
+      case False
+      with FVar.prems(3) and \<open>w \<noteq> x\<close> have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FVar w) = FVar w"
+        using surj_pair[of w] by fastforce
+      with FVar.prems(2) show ?thesis
+        using form_is_free_for_absent_var by presburger
+    qed
+  qed
+next
+  case (FCon k)
+  then show ?case
+    using surj_pair[of k] by fastforce
+next
+  case (FApp C D)
+  from FApp.prems(2) have "y \<notin> vars C" and "y \<notin> vars D"
+    by simp_all
+  from FApp.prems(1) have "is_free_for A x C" and "is_free_for A x D"
+    using is_free_for_from_app by iprover+
+  have "\<forall>v \<in> fmdom' \<theta>. is_free_for (\<theta> $$! v) v C \<and> is_free_for (\<theta> $$! v) v D"
+  proof (rule ballI)
+    fix v
+    assume "v \<in> fmdom' \<theta>"
+    with FApp.prems(5) have "is_free_for (\<theta> $$! v) v (C \<sqdot> D)"
+      by blast
+    then show "is_free_for (\<theta> $$! v) v C \<and> is_free_for (\<theta> $$! v) v D"
+      using is_free_for_from_app by iprover+
+  qed
+  then have
+    *: "\<forall>v \<in> fmdom' \<theta>. is_free_for (\<theta> $$! v) v C" and **: "\<forall>v \<in> fmdom' \<theta>. is_free_for (\<theta> $$! v) v D"
+    by auto
+  have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (C \<sqdot> D) = (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) C) \<sqdot> (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) D)"
+    by simp
+  moreover have "is_free_for A y (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) C)"
+    by (rule FApp.IH(1)[OF \<open>is_free_for A x C\<close> \<open>y \<notin> vars C\<close> FApp.prems(3,4) *])
+  moreover have "is_free_for A y (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) D)"
+    by (rule FApp.IH(2)[OF \<open>is_free_for A x D\<close> \<open>y \<notin> vars D\<close> FApp.prems(3,4) **])
+  ultimately show ?case
+    using is_free_for_in_app by simp
+next
+  case (FAbs w B)
+  obtain x\<^sub>w and \<alpha>\<^sub>w where "w = (x\<^sub>w, \<alpha>\<^sub>w)"
+    by fastforce
+  from FAbs.prems(2) have "y \<notin> vars B"
+    using vars_form.elims by auto
+  then show ?case
+  proof (cases "w = x")
+    case True
+    from True and \<open>x \<notin> fmdom' \<theta>\<close> have "w \<notin> fmdom' \<theta>" and "x \<notin> free_vars (FAbs w B)"
+      using \<open>w = (x\<^sub>w, \<alpha>\<^sub>w)\<close> by fastforce+
+    with True have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = \<^bold>S \<theta> (FAbs w B)"
+      using substitution_free_absorption by blast
+    also have "\<dots> = FAbs w (\<^bold>S \<theta> B)"
+      using \<open>w = (x\<^sub>w, \<alpha>\<^sub>w)\<close> \<open>w \<notin> fmdom' \<theta>\<close> substitute.simps(4) by presburger
+    finally have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S \<theta> B)" .
+    moreover from \<open>\<^bold>S \<theta> (FAbs w B) = FAbs w (\<^bold>S \<theta> B)\<close> have "y \<notin> vars (FAbs w (\<^bold>S \<theta> B))"
+      using absent_vars_substitution_preservation[OF FAbs.prems(2,4)] by simp
+    ultimately show ?thesis
+      using is_free_for_absent_var by (simp only:)
+  next
+    case False
+    obtain v\<^sub>w and \<alpha>\<^sub>w where "w = (v\<^sub>w, \<alpha>\<^sub>w)"
+      by fastforce
+    from FAbs.prems(1) and \<open>w \<noteq> x\<close> and \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> have "is_free_for A x B"
+      using is_free_for_from_abs by iprover
+    then show ?thesis
+    proof (cases "w \<in> fmdom' \<theta>")
+      case True
+      then have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S (fmdrop w ({x \<Zinj> FVar y} ++\<^sub>f \<theta>)) B)"
+        using \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> by (simp add: fmdrop_idle')
+      also from \<open>w \<noteq> x\<close> and True have "\<dots> = FAbs w (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f fmdrop w \<theta>) B)"
+        by (simp add: fmdrop_fmupd)
+      finally
+      have *: "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f fmdrop w \<theta>) B)" .
+      have "\<forall>v \<in> fmdom' (fmdrop w \<theta>). is_free_for (fmdrop w \<theta> $$! v) v B"
+      proof
+        fix v
+        assume "v \<in> fmdom' (fmdrop w \<theta>)"
+        with FAbs.prems(5) have "is_free_for (fmdrop w \<theta> $$! v) v (FAbs w B)"
+          by auto
+        moreover from \<open>v \<in> fmdom' (fmdrop w \<theta>)\<close> have "v \<noteq> w"
+          by auto
+        ultimately show "is_free_for (fmdrop w \<theta> $$! v) v B"
+          unfolding \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> using is_free_for_from_abs by iprover
+      qed
+      moreover from FAbs.prems(3) have "x \<notin> fmdom' (fmdrop w \<theta>)"
+        by simp
+      moreover from FAbs.prems(4) have "\<forall>v \<in> fmdom' (fmdrop w \<theta>). y \<notin> vars (fmdrop w \<theta> $$! v)"
+        by simp
+      ultimately have "is_free_for A y (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f fmdrop w \<theta>) B)"
+        using \<open>is_free_for A x B\<close> and \<open>y \<notin> vars B\<close> and FAbs.IH by iprover
+      then show ?thesis
+      proof (cases "x \<notin> free_vars B")
+        case True
+        have "y \<notin> vars (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B))"
+        proof -
+          have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f fmdrop w \<theta>) B)"
+            using * .
+          also from \<open>x \<notin> free_vars B\<close> and FAbs.prems(3) have "\<dots> = FAbs w (\<^bold>S (fmdrop w \<theta>) B)"
+            using substitution_free_absorption by (simp add: fmdom'_notD)
+          finally have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S (fmdrop w \<theta>) B)" .
+          with FAbs.prems(2) and \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> and FAbs.prems(4) show ?thesis
+            using absent_vars_substitution_preservation by auto
+        qed
+        then show ?thesis
+          using is_free_for_absent_var by simp
+      next
+        case False
+        have "w \<notin> free_vars A"
+        proof (rule ccontr)
+          assume "\<not> w \<notin> free_vars A"
+          with False and \<open>w \<noteq> x\<close> have "\<not> is_free_for A x (FAbs w B)"
+            using form_with_free_binder_not_free_for by simp
+          with FAbs.prems(1) show False
+            by contradiction
+        qed
+        with \<open>is_free_for A y (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f fmdrop w \<theta>) B)\<close>
+        have "is_free_for A y (FAbs w (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f fmdrop w \<theta>) B))"
+          unfolding \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> using is_free_for_to_abs by iprover
+        with * show ?thesis
+          by (simp only:)
+      qed
+    next
+      case False
+      have "\<forall>v \<in> fmdom' \<theta>. is_free_for (\<theta> $$! v) v B"
+      proof (rule ballI)
+        fix v
+        assume "v \<in> fmdom' \<theta>"
+        with FAbs.prems(5) have "is_free_for (\<theta> $$! v) v (FAbs w B)"
+          by blast
+        moreover from \<open>v \<in> fmdom' \<theta>\<close> and \<open>w \<notin> fmdom' \<theta>\<close> have "v \<noteq> w"
+          by blast
+        ultimately show "is_free_for (\<theta> $$! v) v B"
+          unfolding \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> using is_free_for_from_abs by iprover
+      qed
+      with \<open>is_free_for A x B\<close> and \<open>y \<notin> vars B\<close> and FAbs.prems(3,4)
+      have "is_free_for A y (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) B)"
+        using FAbs.IH by iprover
+      then show ?thesis
+      proof (cases "x \<notin> free_vars B")
+        case True
+        have "y \<notin> vars (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B))"
+        proof -
+          from False and \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> and \<open>w \<noteq> x\<close>
+          have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) B)"
+            by auto
+          also from \<open>x \<notin> free_vars B\<close> and FAbs.prems(3) have "\<dots> = FAbs w (\<^bold>S \<theta> B)"
+            using substitution_free_absorption by (simp add: fmdom'_notD)
+          finally have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S \<theta> B)" .
+          with FAbs.prems(2,4) and \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> show ?thesis
+            using absent_vars_substitution_preservation by auto
+        qed
+        then show ?thesis
+          using is_free_for_absent_var by simp
+      next
+        case False
+        have "w \<notin> free_vars A"
+        proof (rule ccontr)
+          assume "\<not> w \<notin> free_vars A"
+          with False and \<open>w \<noteq> x\<close> have "\<not> is_free_for A x (FAbs w B)"
+            using form_with_free_binder_not_free_for by simp
+          with FAbs.prems(1) show False
+            by contradiction
+        qed
+        with \<open>is_free_for A y (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) B)\<close>
+        have "is_free_for A y (FAbs w (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) B))"
+          unfolding \<open>w = (v\<^sub>w, \<alpha>\<^sub>w)\<close> using is_free_for_to_abs by iprover
+        moreover from \<open>w \<notin> fmdom' \<theta>\<close> and \<open>w \<noteq> x\<close> and FAbs.prems(3)
+        have "\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) (FAbs w B) = FAbs w (\<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f \<theta>) B)"
+          using surj_pair[of w] by fastforce
+        ultimately show ?thesis
+          by (simp only:)
+      qed
+    qed
+  qed
+qed
+
+text \<open>
+  The following lemma allows us to fuse a singleton substitution and a simultaneous substitution,
+  as long as the variable of the former does not occur anywhere in the latter:
+\<close>
+
+lemma substitution_fusion:
+  assumes "is_substitution \<theta>" and "is_substitution {v \<Zinj> A}"
+  and "\<theta> $$ v = None" and "\<forall>v' \<in> fmdom' \<theta>. v \<notin> vars (\<theta> $$! v')"
+  shows "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> B = \<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) B"
+using assms(1,3,4) proof (induction B arbitrary: \<theta>)
+  case (FVar v')
+  then show ?case
+  proof (cases "v' \<notin> fmdom' \<theta>")
+    case True
+    then show ?thesis
+      using surj_pair[of v'] by fastforce
+  next
+    case False
+    then obtain A' where "\<theta> $$ v' = Some A'"
+      by (meson fmlookup_dom'_iff)
+    with False and FVar.prems(3) have "v \<notin> vars A'"
+      by fastforce
+    then have "\<^bold>S {v \<Zinj> A} A' = A'"
+      using free_var_singleton_substitution_neutrality and free_vars_in_all_vars by blast
+    from \<open>\<theta> $$ v' = Some A'\<close> have "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> (FVar v') = \<^bold>S {v \<Zinj> A} A'"
+      using surj_pair[of v'] by fastforce
+    also from \<open>\<^bold>S {v \<Zinj> A} A' = A'\<close> have "\<dots> = A'"
+      by (simp only:)
+    also from \<open>\<theta> $$ v' = Some A'\<close> and \<open>\<theta> $$ v = None\<close> have "\<dots> = \<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) (FVar v')"
+      using surj_pair[of v'] by fastforce
+    finally show ?thesis .
+  qed
+next
+  case (FCon k)
+  then show ?case
+    using surj_pair[of k] by fastforce
+next
+  case (FApp C D)
+  have "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> (C \<sqdot> D) = \<^bold>S {v \<Zinj> A} ((\<^bold>S \<theta> C) \<sqdot> (\<^bold>S \<theta> D))"
+    by auto
+  also have "\<dots> = (\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> C) \<sqdot> (\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> D)"
+    by simp
+  also from FApp.IH have "\<dots> = (\<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) C) \<sqdot> (\<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) D)"
+    using FApp.prems(1,2,3) by presburger
+  also have "\<dots> = \<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) (C \<sqdot> D)"
+    by simp
+  finally show ?case .
+next
+  case (FAbs w C)
+  obtain v\<^sub>w and \<alpha> where "w = (v\<^sub>w, \<alpha>)"
+    by fastforce
+  then show ?case
+  proof (cases "v \<noteq> w")
+    case True
+    show ?thesis
+    proof (cases "w \<notin> fmdom' \<theta>")
+      case True
+      then have "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> (FAbs w C) = \<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S \<theta> C))"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close>)
+      also from \<open>v \<noteq> w\<close> have "\<dots> = FAbs w (\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> C)"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close>)
+      also from FAbs.IH have "\<dots> = FAbs w (\<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) C)"
+        using FAbs.prems(1,2,3) by blast
+      also from \<open>v \<noteq> w\<close> and True have "\<dots> = \<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) (FAbs w C)"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close>)
+      finally show ?thesis .
+    next
+      case False
+      then have "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> (FAbs w C) = \<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S (fmdrop w \<theta>) C))"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close>)
+      also from \<open>v \<noteq> w\<close> have "\<dots> = FAbs w (\<^bold>S {v \<Zinj> A} \<^bold>S (fmdrop w \<theta>) C)"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close>)
+      also have "\<dots> = FAbs w (\<^bold>S ({v \<Zinj> A} ++\<^sub>f fmdrop w \<theta>) C)"
+      proof -
+        from \<open>is_substitution \<theta>\<close> have "is_substitution (fmdrop w \<theta>)"
+          by fastforce
+        moreover from \<open>\<theta> $$ v = None\<close> have "(fmdrop w \<theta>) $$ v = None"
+          by force
+        moreover from FAbs.prems(3) have "\<forall>v' \<in> fmdom' (fmdrop w \<theta>). v \<notin> vars ((fmdrop w \<theta>) $$! v')"
+          by force
+        ultimately show ?thesis
+          using FAbs.IH by blast
+      qed
+      also from \<open>v \<noteq> w\<close> have "\<dots> = \<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) (FAbs w C)"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close> fmdrop_idle')
+      finally show ?thesis .
+    qed
+  next
+    case False
+    then show ?thesis
+    proof (cases "w \<notin> fmdom' \<theta>")
+      case True
+      then have "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> (FAbs w C) = \<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S \<theta> C))"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close>)
+      also from \<open>\<not> v \<noteq> w\<close> have "\<dots> = FAbs w (\<^bold>S \<theta> C)"
+        using \<open>w = (v\<^sub>w, \<alpha>)\<close> and singleton_substitution_simps(4) by presburger
+      also from \<open>\<not> v \<noteq> w\<close> and True have "\<dots> = FAbs w (\<^bold>S (fmdrop w ({v \<Zinj> A} ++\<^sub>f \<theta>)) C)"
+        by (simp add: fmdrop_fmupd_same fmdrop_idle')
+      also from \<open>\<not> v \<noteq> w\<close> have "\<dots> = \<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) (FAbs w C)"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close>)
+      finally show ?thesis .
+    next
+      case False
+      then have "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> (FAbs w C) = \<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S (fmdrop w \<theta>) C))"
+        by (simp add: \<open>w = (v\<^sub>w, \<alpha>)\<close>)
+      also from \<open>\<not> v \<noteq> w\<close> have "\<dots> = FAbs w (\<^bold>S (fmdrop w \<theta>) C)"
+        using \<open>\<theta> $$ v = None\<close> and False by (simp add: fmdom'_notI)
+      also from \<open>\<not> v \<noteq> w\<close> have "\<dots> = FAbs w (\<^bold>S (fmdrop w ({v \<Zinj> A} ++\<^sub>f \<theta>)) C)"
+        by (simp add: fmdrop_fmupd_same)
+      also from \<open>\<not> v \<noteq> w\<close> and False and \<open>\<theta> $$ v = None\<close> have "\<dots> = \<^bold>S ({v \<Zinj> A} ++\<^sub>f \<theta>) (FAbs w C)"
+        by (simp add: fmdom'_notI)
+      finally show ?thesis .
+    qed
+  qed
+qed
+
+lemma updated_substitution_is_substitution:
+  assumes "v \<notin> fmdom' \<theta>" and "is_substitution (\<theta>(v \<Zinj> A))"
+  shows "is_substitution \<theta>"
+unfolding is_substitution_def proof (intro ballI)
+  fix v' :: var
+  obtain x and \<alpha> where "v' = (x, \<alpha>)"
+    by fastforce
+  assume "v' \<in> fmdom' \<theta>"
+  with assms(2)[unfolded is_substitution_def] have "v' \<in> fmdom' (\<theta>(v \<Zinj> A))"
+    by simp
+  with assms(2)[unfolded is_substitution_def] have "\<theta>(v \<Zinj> A) $$! (x, \<alpha>) \<in> wffs\<^bsub>\<alpha>\<^esub>"
+    using \<open>v' = (x, \<alpha>)\<close> by fastforce
+  with assms(1) and \<open>v' \<in> fmdom' \<theta>\<close> and \<open>v' = (x, \<alpha>)\<close> have "\<theta> $$! (x, \<alpha>) \<in> wffs\<^bsub>\<alpha>\<^esub>"
+     by (metis fmupd_lookup)
+  then show "case v' of (x, \<alpha>) \<Rightarrow> \<theta> $$! (x, \<alpha>) \<in> wffs\<^bsub>\<alpha>\<^esub>"
+    by (simp add: \<open>v' = (x, \<alpha>)\<close>)
+qed
+
+definition is_renaming_substitution where
+  [iff]: "is_renaming_substitution \<theta> \<longleftrightarrow> is_substitution \<theta> \<and> fmpred (\<lambda>_ A. \<exists>v. A = FVar v) \<theta>"
+
+text \<open>
+  The following lemma proves that $
+  \d{\textsf{S}}\;^{x^1_{\alpha_1}\;\dots\;x^n_{\alpha_n}}_{y^1_{\alpha_1}\;\dots\;y^n_{\alpha_n}} B
+  =
+  \d{\textsf{S}}\;^{x^1_{\alpha_1}}_{y^1_{\alpha_1}}\;\cdots\;
+  \d{\textsf{S}}\;^{x^n_{\alpha_n}}_{y^n_{\alpha_n}} B$ provided that
+
+    \<^item> $x^1_{\alpha_1}\;\dots\;x^n_{\alpha_n}$ are distinct variables
+
+    \<^item> $y^1_{\alpha_1}\;\dots\;y^n_{\alpha_n}$ are distinct variables, distinct from
+      $x^1_{\alpha_1}\;\dots\;x^n_{\alpha_n}$ and from all variables in \<open>B\<close> (i.e., they are fresh
+      variables)
+
+  In other words, simultaneously renaming distinct variables with fresh ones is equivalent to
+  renaming each variable one at a time.
+\<close>
+
+lemma fresh_vars_substitution_unfolding:
+  fixes ps :: "(var \<times> form) list"
+  assumes "\<theta> = fmap_of_list ps" and "is_renaming_substitution \<theta>"
+  and "distinct (map fst ps)" and "distinct (map snd ps)"
+  and "vars (fmran' \<theta>) \<inter> (fmdom' \<theta> \<union> vars B) = {}"
+  shows "\<^bold>S \<theta> B = foldr (\<lambda>(x, y) C. \<^bold>S {x \<Zinj> y} C) ps B"
+using assms proof (induction ps arbitrary: \<theta>)
+  case Nil
+  then have "\<theta> = {$$}"
+    by simp
+  then have "\<^bold>S \<theta> B = B"
+    using empty_substitution_neutrality by (simp only:)
+  with Nil show ?case
+    by simp
+next
+  case (Cons p ps)
+  from Cons.prems(1,2) obtain x and y where "\<theta> $$ (fst p) = Some (FVar y)" and "p = (x, FVar y)"
+    using surj_pair[of p] by fastforce
+  let ?\<theta>' = "fmap_of_list ps"
+  from Cons.prems(1) and \<open>p = (x, FVar y)\<close> have "\<theta> = fmupd x (FVar y) ?\<theta>'"
+    by simp
+  moreover from Cons.prems(3) and \<open>p = (x, FVar y)\<close> have "x \<notin> fmdom' ?\<theta>'"
+    by simp
+  ultimately have "\<theta> = {x \<Zinj> FVar y} ++\<^sub>f ?\<theta>'"
+    using fmap_singleton_comm by fastforce
+  with Cons.prems(2) and \<open>x \<notin> fmdom' ?\<theta>'\<close> have "is_renaming_substitution ?\<theta>'"
+    unfolding is_renaming_substitution_def and \<open>\<theta> = fmupd x (FVar y) ?\<theta>'\<close>
+    using updated_substitution_is_substitution by (metis fmdiff_fmupd fmdom'_notD fmpred_filter)
+  from Cons.prems(2) and \<open>\<theta> = fmupd x (FVar y) ?\<theta>'\<close> have "is_renaming_substitution {x \<Zinj> FVar y}"
+    by auto
+  have "
+    foldr (\<lambda>(x, y) C. \<^bold>S {x \<Zinj> y} C) (p # ps) B
+    =
+    \<^bold>S {x \<Zinj> FVar y} (foldr (\<lambda>(x, y) C. \<^bold>S {x \<Zinj> y} C) ps B)"
+    by (simp add: \<open>p = (x, FVar y)\<close>)
+  also have "\<dots> = \<^bold>S {x \<Zinj> FVar y} \<^bold>S ?\<theta>' B"
+  proof -
+    from Cons.prems(3,4) have "distinct (map fst ps)" and "distinct (map snd ps)"
+      by fastforce+
+    moreover have "vars (fmran' ?\<theta>') \<inter> (fmdom' ?\<theta>' \<union> vars B) = {}"
+    proof -
+      have "vars (fmran' \<theta>) = vars ({FVar y} \<union> fmran' ?\<theta>')"
+        using \<open>\<theta> = fmupd x (FVar y) ?\<theta>'\<close> and \<open>x \<notin> fmdom' ?\<theta>'\<close> by (metis fmdom'_notD fmran'_fmupd)
+      then have "vars (fmran' \<theta>) = {y} \<union> vars (fmran' ?\<theta>')"
+        using singleton_form_set_vars by auto
+      moreover have "fmdom' \<theta> = {x} \<union> fmdom' ?\<theta>'"
+        by (simp add: \<open>\<theta> = {x \<Zinj> FVar y} ++\<^sub>f ?\<theta>'\<close>)
+      ultimately show ?thesis
+        using Cons.prems(5) by auto
+    qed
+    ultimately show ?thesis
+      using Cons.IH and \<open>is_renaming_substitution ?\<theta>'\<close> by simp
+  qed
+  also have "\<dots> = \<^bold>S ({x \<Zinj> FVar y} ++\<^sub>f ?\<theta>') B"
+  proof (rule substitution_fusion)
+    show "is_substitution ?\<theta>'"
+      using \<open>is_renaming_substitution ?\<theta>'\<close> by simp
+    show "is_substitution {x \<Zinj> FVar y}"
+      using \<open>is_renaming_substitution {x \<Zinj> FVar y}\<close> by simp
+    show "?\<theta>' $$ x = None"
+      using \<open>x \<notin> fmdom' ?\<theta>'\<close> by blast
+    show "\<forall>v' \<in> fmdom' ?\<theta>'. x \<notin> vars (?\<theta>' $$! v')"
+    proof -
+      have "x \<in> fmdom' \<theta>"
+        using \<open>\<theta> = {x \<Zinj> FVar y} ++\<^sub>f ?\<theta>'\<close> by simp
+      then have "x \<notin> vars (fmran' \<theta>)"
+        using Cons.prems(5) by blast
+      moreover have "{?\<theta>' $$! v' | v'. v' \<in> fmdom' ?\<theta>'} \<subseteq> fmran' \<theta>"
+        unfolding \<open>\<theta> = ?\<theta>'(x \<Zinj> FVar y)\<close> using \<open>?\<theta>' $$ x = None\<close>
+        by (auto simp add: fmlookup_of_list fmlookup_dom'_iff fmran'I weak_map_of_SomeI)
+      ultimately show ?thesis
+        by force
+    qed
+  qed
+  also from \<open>\<theta> = {x \<Zinj> FVar y} ++\<^sub>f ?\<theta>'\<close> have "\<dots> = \<^bold>S \<theta> B"
+    by (simp only:)
+  finally show ?case ..
+qed
+
+lemma free_vars_agreement_substitution_equality:
+  assumes "fmdom' \<theta> = fmdom' \<theta>'"
+  and "\<forall>v \<in> free_vars A \<inter> fmdom' \<theta>. \<theta> $$! v = \<theta>' $$! v"
+  shows "\<^bold>S \<theta> A = \<^bold>S \<theta>' A"
+using assms proof (induction A arbitrary: \<theta> \<theta>')
+  case (FVar v)
+  have "free_vars (FVar v) = {v}"
+    using surj_pair[of v] by fastforce
+  with FVar have "\<theta> $$! v = \<theta>' $$! v"
+    by force
+  with FVar.prems(1) show ?case
+    using surj_pair[of v] by (metis fmdom'_notD fmdom'_notI option.collapse substitute.simps(1))
+next
+  case FCon
+  then show ?case
+    by (metis prod.exhaust_sel substitute.simps(2))
+next
+  case (FApp B C)
+  have "\<^bold>S \<theta> (B \<sqdot> C) = (\<^bold>S \<theta> B) \<sqdot> (\<^bold>S \<theta> C)"
+    by simp
+  also have "\<dots> = (\<^bold>S \<theta>' B) \<sqdot> (\<^bold>S \<theta>' C)"
+  proof -
+    have "\<forall>v \<in> free_vars B \<inter> fmdom' \<theta>. \<theta> $$! v = \<theta>' $$! v"
+    and "\<forall>v \<in> free_vars C \<inter> fmdom' \<theta>. \<theta> $$! v = \<theta>' $$! v"
+      using FApp.prems(2) by auto
+    with FApp.IH(1,2) and FApp.prems(1) show ?thesis
+      by blast
+  qed
+  finally show ?case
+    by simp
+next
+  case (FAbs w B)
+  from FAbs.prems(1,2) have *: "\<forall>v \<in> free_vars B - {w} \<inter> fmdom' \<theta>. \<theta> $$! v = \<theta>' $$! v"
+    using surj_pair[of w] by fastforce
+  show ?case
+  proof (cases "w \<in> fmdom' \<theta>")
+    case True
+    then have "\<^bold>S \<theta> (FAbs w B) = FAbs w (\<^bold>S (fmdrop w \<theta>) B)"
+      using surj_pair[of w] by fastforce
+    also have "\<dots> = FAbs w (\<^bold>S (fmdrop w \<theta>') B)"
+    proof -
+      from * have "\<forall>v \<in> free_vars B \<inter> fmdom' (fmdrop w \<theta>). (fmdrop w \<theta>) $$! v = (fmdrop w \<theta>') $$! v"
+        by simp
+      moreover have "fmdom' (fmdrop w \<theta>) = fmdom' (fmdrop w \<theta>')"
+        by (simp add: FAbs.prems(1))
+      ultimately show ?thesis
+        using FAbs.IH by blast
+    qed
+    finally show ?thesis
+      using FAbs.prems(1) and True and surj_pair[of w] by fastforce
+  next
+    case False
+    then have "\<^bold>S \<theta> (FAbs w B) = FAbs w (\<^bold>S \<theta> B)"
+      using surj_pair[of w] by fastforce
+    also have "\<dots> = FAbs w (\<^bold>S \<theta>' B)"
+    proof -
+      from * have "\<forall>v \<in> free_vars B \<inter> fmdom' \<theta>. \<theta> $$! v = \<theta>' $$! v"
+        using False by blast
+      with FAbs.prems(1) show ?thesis
+        using FAbs.IH by blast
+    qed
+    finally show ?thesis
+      using FAbs.prems(1) and False and surj_pair[of w] by fastforce
+  qed
+qed
+
+text \<open>
+  The following lemma proves that $
+  \d{\textsf{S}}\;^{x_\alpha}_{A_\alpha}\;
+  \d{\textsf{S}}\;^{x^1_{\alpha_1}\;\dots\;x^n_{\alpha_n}}_{A^1_{\alpha_1}\;\dots\;A^n_{\alpha_n}} B
+  =
+  \d{\textsf{S}}\;{
+  \begingroup \setlength\arraycolsep{2pt} \begin{matrix}
+  \scriptstyle{x_\alpha} & \scriptstyle{x^1_{\alpha_1}} & \scriptstyle{\dots} & \scriptstyle{x^n_{\alpha_n}} \\
+  \scriptstyle{A_\alpha} & \scriptstyle{\d{\small{\textsf{S}}}\;^{x_\alpha}_{A_\alpha} A^1_{\alpha_1}}
+  & \scriptstyle{\dots} & \scriptstyle{\d{\small{\textsf{S}}}\;^{x_\alpha}_{A_\alpha} A^n_{\alpha_n}}
+  \end{matrix} \endgroup} B$ provided that $x_\alpha$ is distinct from $x^1_{\alpha_1}, \dots, x^n_{\alpha_n}$
+  and $A^i_{\alpha_i}$ is free for $x^i_{\alpha_i}$ in $B$:
+\<close>
+
+lemma substitution_consolidation:
+  assumes "v \<notin> fmdom' \<theta>"
+  and "\<forall>v' \<in> fmdom' \<theta>. is_free_for (\<theta> $$! v') v' B"
+  shows "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> B = \<^bold>S ({v \<Zinj> A} ++\<^sub>f fmmap (\<lambda>A'. \<^bold>S {v \<Zinj> A} A') \<theta>) B"
+using assms proof (induction B arbitrary: \<theta>)
+  case (FApp B C)
+  have "\<forall>v' \<in> fmdom' \<theta>. is_free_for (\<theta> $$! v') v' B \<and> is_free_for (\<theta> $$! v') v' C"
+  proof
+    fix v'
+    assume "v' \<in> fmdom' \<theta>"
+    with FApp.prems(2) have "is_free_for (\<theta> $$! v') v' (B \<sqdot> C)"
+      by blast
+    then show "is_free_for (\<theta> $$! v') v' B \<and> is_free_for (\<theta> $$! v') v' C"
+      using is_free_for_from_app by iprover
+  qed
+  with FApp.IH and FApp.prems(1) show ?case
+    by simp
+next
+  case (FAbs w B)
+  let ?\<theta>' = "fmmap (\<lambda>A'. \<^bold>S {v \<Zinj> A} A') \<theta>"
+  show ?case
+  proof (cases "w \<in> fmdom' \<theta>")
+    case True
+    then have "w \<in> fmdom' ?\<theta>'"
+      by simp
+    with True and FAbs.prems have "v \<noteq> w"
+      by blast
+    from True have "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> (FAbs w B) = \<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S (fmdrop w \<theta>) B))"
+      using surj_pair[of w] by fastforce
+    also from \<open>v \<noteq> w\<close> have "\<dots> = FAbs w (\<^bold>S {v \<Zinj> A} \<^bold>S (fmdrop w \<theta>) B)"
+      using surj_pair[of w] by fastforce
+    also have "\<dots> = FAbs w (\<^bold>S (fmdrop w ({v \<Zinj> A} ++\<^sub>f ?\<theta>')) B)"
+    proof -
+      obtain x\<^sub>w and \<alpha>\<^sub>w where "w = (x\<^sub>w, \<alpha>\<^sub>w)"
+        by fastforce
+      have "\<forall>v' \<in> fmdom' (fmdrop w \<theta>). is_free_for ((fmdrop w \<theta>) $$! v') v' B"
+      proof
+        fix v'
+        assume "v' \<in> fmdom' (fmdrop w \<theta>)"
+        with FAbs.prems(2) have "is_free_for (\<theta> $$! v') v' (FAbs w B)"
+          by auto
+        with \<open>w = (x\<^sub>w, \<alpha>\<^sub>w)\<close> and \<open>v' \<in> fmdom' (fmdrop w \<theta>)\<close>
+        have "is_free_for (\<theta> $$! v') v' (\<lambda>x\<^sub>w\<^bsub>\<alpha>\<^sub>w\<^esub>. B)" and "v' \<noteq> (x\<^sub>w, \<alpha>\<^sub>w)"
+          by auto
+        then have "is_free_for (\<theta> $$! v') v' B"
+          using is_free_for_from_abs by presburger
+        with \<open>v' \<noteq> (x\<^sub>w, \<alpha>\<^sub>w)\<close> and \<open>w = (x\<^sub>w, \<alpha>\<^sub>w)\<close> show "is_free_for (fmdrop w \<theta> $$! v') v' B"
+          by simp
+      qed
+      moreover have "v \<notin> fmdom' (fmdrop w \<theta>)"
+        by (simp add: FAbs.prems(1))
+      ultimately show ?thesis
+        using FAbs.IH and \<open>v \<noteq> w\<close> by (simp add: fmdrop_fmupd)
+    qed
+    finally show ?thesis
+      using \<open>w \<in> fmdom' ?\<theta>'\<close> and surj_pair[of w] by fastforce
+  next
+    case False
+    then have "w \<notin> fmdom' ?\<theta>'"
+      by simp
+    from FAbs.prems have "v \<notin> fmdom' ?\<theta>'"
+      by simp
+    from False have *: "\<^bold>S {v \<Zinj> A} \<^bold>S \<theta> (FAbs w B) = \<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S \<theta> B))"
+      using surj_pair[of w] by fastforce
+    then show ?thesis
+    proof (cases "v \<noteq> w")
+      case True
+      then have "\<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S \<theta> B)) = FAbs w (\<^bold>S {v \<Zinj> A} (\<^bold>S \<theta> B))"
+        using surj_pair[of w] by fastforce
+      also have "\<dots> = FAbs w (\<^bold>S ({v \<Zinj> A} ++\<^sub>f ?\<theta>') B)"
+      proof -
+        obtain x\<^sub>w and \<alpha>\<^sub>w where "w = (x\<^sub>w, \<alpha>\<^sub>w)"
+          by fastforce
+        have "\<forall>v' \<in> fmdom' \<theta>. is_free_for (\<theta> $$! v') v' B"
+        proof
+          fix v'
+          assume "v' \<in> fmdom' \<theta>"
+          with FAbs.prems(2) have "is_free_for (\<theta> $$! v') v' (FAbs w B)"
+            by auto
+          with \<open>w = (x\<^sub>w, \<alpha>\<^sub>w)\<close> and \<open>v' \<in> fmdom' \<theta>\<close> and False
+          have "is_free_for (\<theta> $$! v') v' (\<lambda>x\<^sub>w\<^bsub>\<alpha>\<^sub>w\<^esub>. B)" and "v' \<noteq> (x\<^sub>w, \<alpha>\<^sub>w)"
+            by fastforce+
+          then have "is_free_for (\<theta> $$! v') v' B"
+            using is_free_for_from_abs by presburger
+          with \<open>v' \<noteq> (x\<^sub>w, \<alpha>\<^sub>w)\<close> and \<open>w = (x\<^sub>w, \<alpha>\<^sub>w)\<close> show "is_free_for (\<theta> $$! v') v' B"
+            by simp
+        qed
+        with FAbs.IH show ?thesis
+          using FAbs.prems(1) by blast
+      qed
+      finally show ?thesis
+      proof -
+        assume "
+          \<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S \<theta> B)) = FAbs w (\<^bold>S ({v \<Zinj> A} ++\<^sub>f fmmap (substitute {v \<Zinj> A}) \<theta>) B)"
+        moreover have "w \<notin> fmdom' ({v \<Zinj> A} ++\<^sub>f fmmap (substitute {v \<Zinj> A}) \<theta>)"
+          using False and True by auto
+        ultimately show ?thesis
+          using * and surj_pair[of w] by fastforce
+      qed
+    next
+      case False
+      then have "v \<notin> free_vars (FAbs w (\<^bold>S \<theta> B))"
+        using surj_pair[of w] by fastforce
+      then have **: "\<^bold>S {v \<Zinj> A} (FAbs w (\<^bold>S \<theta> B)) = FAbs w (\<^bold>S \<theta> B)"
+        using free_var_singleton_substitution_neutrality by blast
+      also have "\<dots> = FAbs w (\<^bold>S ?\<theta>' B)"
+      proof -
+        {
+          fix v'
+          assume "v' \<in> fmdom' \<theta>"
+          with FAbs.prems(1) have "v' \<noteq> v"
+            by blast
+          assume "v \<in> free_vars (\<theta> $$! v')" and "v' \<in> free_vars B"
+          with \<open>v' \<noteq> v\<close> have "\<not> is_free_for (\<theta> $$! v') v' (FAbs v B)"
+            using form_with_free_binder_not_free_for by blast
+          with FAbs.prems(2) and \<open>v' \<in> fmdom' \<theta>\<close> and False have False
+            by blast
+        }
+        then have "\<forall>v' \<in> fmdom' \<theta>. v \<notin> free_vars (\<theta> $$! v') \<or> v' \<notin> free_vars B"
+          by blast
+        then have "\<forall>v' \<in> fmdom' \<theta>. v' \<in> free_vars B \<longrightarrow> \<^bold>S {v \<Zinj> A} (\<theta> $$! v') = \<theta> $$! v'"
+          using free_var_singleton_substitution_neutrality by blast
+        then have "\<forall>v' \<in> free_vars B. \<theta> $$! v' = ?\<theta>' $$! v'"
+          by (metis fmdom'_map fmdom'_notD fmdom'_notI fmlookup_map option.map_sel)
+        then have "\<^bold>S \<theta> B = \<^bold>S ?\<theta>' B"
+          using free_vars_agreement_substitution_equality by (metis IntD1 fmdom'_map)
+        then show ?thesis
+          by simp
+      qed
+      also from False and FAbs.prems(1) have "\<dots> = FAbs w (\<^bold>S (fmdrop w ({v \<Zinj> A} ++\<^sub>f ?\<theta>')) B)"
+        by (simp add: fmdrop_fmupd_same fmdrop_idle')
+      also from False have "\<dots> = \<^bold>S ({v \<Zinj> A} ++\<^sub>f ?\<theta>') (FAbs w B)"
+        using surj_pair[of w] by fastforce
+      finally show ?thesis
+        using * and ** by (simp only:)
+    qed
+  qed
+qed force+
+
+lemma vars_range_substitution:
+  assumes "is_substitution \<theta>"
+  and "v \<notin> vars (fmran' \<theta>)"
+  shows "v \<notin> vars (fmran' (fmdrop w \<theta>))"
+using assms proof (induction \<theta>)
+  case fmempty
+  then show ?case
+    by simp
+next
+  case (fmupd v' A \<theta>)
+  from fmdom'_notI[OF fmupd.hyps] and fmupd.prems(1) have "is_substitution \<theta>"
+    by (rule updated_substitution_is_substitution)
+  moreover from fmupd.prems(2) and fmupd.hyps have "v \<notin> vars (fmran' \<theta>)"
+    by simp
+  ultimately have "v \<notin> vars (fmran' (fmdrop w \<theta>))"
+    by (rule fmupd.IH)
+  with fmupd.hyps and fmupd.prems(2) show ?case
+    by (simp add: fmdrop_fmupd)
+qed
+
+lemma excluded_var_from_substitution:
+  assumes "is_substitution \<theta>"
+  and "v \<notin> fmdom' \<theta>"
+  and "v \<notin> vars (fmran' \<theta>)"
+  and "v \<notin> vars A"
+  shows "v \<notin> vars (\<^bold>S \<theta> A)"
+using assms proof (induction A arbitrary: \<theta>)
+  case (FVar v')
+  then show ?case
+  proof (cases "v' \<in> fmdom' \<theta>")
+    case True
+    then have "\<theta> $$! v' \<in> fmran' \<theta>"
+      by (simp add: fmlookup_dom'_iff fmran'I)
+    with FVar(3) have "v \<notin> vars (\<theta> $$! v')"
+      by simp
+    with True show ?thesis
+      using surj_pair[of v'] and fmdom'_notI by force
+  next
+    case False
+    with FVar.prems(4) show ?thesis
+      using surj_pair[of v'] by force
+  qed
+next
+  case (FCon k)
+  then show ?case
+    using surj_pair[of k] by force
+next
+  case (FApp B C)
+  then show ?case
+    by auto
+next
+  case (FAbs w B)
+  have "v \<notin> vars B" and "v \<noteq> w"
+    using surj_pair[of w] and FAbs.prems(4) by fastforce+
+  then show ?case
+  proof (cases "w \<notin> fmdom' \<theta>")
+    case True
+    then have "\<^bold>S \<theta> (FAbs w B) = FAbs w (\<^bold>S \<theta> B)"
+      using surj_pair[of w] by fastforce
+    moreover from FAbs.IH have "v \<notin> vars (\<^bold>S \<theta> B)"
+      using FAbs.prems(1-3) and \<open>v \<notin> vars B\<close> by blast
+    ultimately show ?thesis
+      using \<open>v \<noteq> w\<close> and surj_pair[of w] by fastforce
+  next
+    case False
+    then have "\<^bold>S \<theta> (FAbs w B) = FAbs w (\<^bold>S (fmdrop w \<theta>) B)"
+      using surj_pair[of w] by fastforce
+    moreover have "v \<notin> vars (\<^bold>S (fmdrop w \<theta>) B)"
+    proof -
+      from FAbs.prems(1) have "is_substitution (fmdrop w \<theta>)"
+        by fastforce
+      moreover from FAbs.prems(2) have "v \<notin> fmdom' (fmdrop w \<theta>)"
+        by simp
+      moreover from FAbs.prems(1,3) have "v \<notin> vars (fmran' (fmdrop w \<theta>))"
+        by (fact vars_range_substitution)
+      ultimately show ?thesis
+        using FAbs.IH and \<open>v \<notin> vars B\<close> by simp
+    qed
+    ultimately show ?thesis
+      using \<open>v \<noteq> w\<close> and surj_pair[of w] by fastforce
+  qed
+qed
+
+subsection \<open>Renaming of bound variables\<close>
+
+fun rename_bound_var :: "var \<Rightarrow> nat \<Rightarrow> form \<Rightarrow> form" where
+  "rename_bound_var v y (x\<^bsub>\<alpha>\<^esub>) = x\<^bsub>\<alpha>\<^esub>"
+| "rename_bound_var v y (\<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>) = \<lbrace>c\<rbrace>\<^bsub>\<alpha>\<^esub>"
+| "rename_bound_var v y (B \<sqdot> C) = rename_bound_var v y B \<sqdot> rename_bound_var v y C"
+| "rename_bound_var v y (\<lambda>x\<^bsub>\<alpha>\<^esub>. B) =
+    (
+      if (x, \<alpha>) = v then
+        \<lambda>y\<^bsub>\<alpha>\<^esub>. \<^bold>S {(x, \<alpha>) \<Zinj> y\<^bsub>\<alpha>\<^esub>} (rename_bound_var v y B)
+      else
+        \<lambda>x\<^bsub>\<alpha>\<^esub>. (rename_bound_var v y B)
+    )"
+
+lemma rename_bound_var_preserves_typing:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  shows "rename_bound_var (y, \<gamma>) z A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+using assms proof (induction A)
+  case (abs_is_wff \<beta> A \<delta> x)
+  then show ?case
+  proof (cases "(x, \<delta>) = (y, \<gamma>)")
+    case True
+    from abs_is_wff.IH have "\<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A) \<in> wffs\<^bsub>\<beta>\<^esub>"
+      using substitution_preserves_typing by (simp add: wffs_of_type_intros(1))
+    then have "\<lambda>z\<^bsub>\<gamma>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A) \<in> wffs\<^bsub>\<gamma>\<rightarrow>\<beta>\<^esub>"
+      by blast
+    with True show ?thesis
+      by simp
+  next
+    case False
+    from abs_is_wff.IH have "\<lambda>x\<^bsub>\<delta>\<^esub>. rename_bound_var (y, \<gamma>) z A \<in> wffs\<^bsub>\<delta>\<rightarrow>\<beta>\<^esub>"
+      by blast
+    with False show ?thesis
+      by auto
+  qed
+qed auto
+
+lemma old_bound_var_not_free_in_abs_after_renaming:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  and "(z, \<gamma>) \<notin> vars A"
+  shows "(y, \<gamma>) \<notin> free_vars (rename_bound_var (y, \<gamma>) z (\<lambda>y\<^bsub>\<gamma>\<^esub>. A))"
+  using assms and free_var_in_renaming_substitution by (induction A) auto
+
+lemma rename_bound_var_free_vars:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  and "(z, \<gamma>) \<notin> vars A"
+  shows "(z, \<gamma>) \<notin> free_vars (rename_bound_var (y, \<gamma>) z A)"
+  using assms by (induction A) auto
+
+lemma old_bound_var_not_free_after_renaming:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  and "(z, \<gamma>) \<notin> vars A"
+  and "(y, \<gamma>) \<notin> free_vars A"
+  shows "(y, \<gamma>) \<notin> free_vars (rename_bound_var (y, \<gamma>) z A)"
+using assms proof induction
+  case (abs_is_wff \<beta> A \<alpha> x)
+  then show ?case
+  proof (cases "(x, \<alpha>) = (y, \<gamma>)")
+    case True
+    with abs_is_wff.hyps and abs_is_wff.prems(2) show ?thesis
+      using old_bound_var_not_free_in_abs_after_renaming by auto
+  next
+    case False
+    with abs_is_wff.prems(2,3) and assms(2) show ?thesis
+      using abs_is_wff.IH by force
+  qed
+qed fastforce+
+
+lemma old_bound_var_not_ocurring_after_renaming:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  shows "\<not> occurs_at (y, \<gamma>) p (\<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A))"
+using assms(1) proof (induction A arbitrary: p)
+  case (var_is_wff \<alpha> x)
+  from assms(2) show ?case
+    using subform_size_decrease by (cases "(x, \<alpha>) = (y, \<gamma>)") fastforce+
+next
+  case (con_is_wff \<alpha> c)
+  then show ?case
+    using occurs_at_alt_def(2) by auto
+next
+  case (app_is_wff \<alpha> \<beta> A B)
+  then show ?case
+  proof (cases p)
+    case (Cons d p')
+    then show ?thesis
+      by (cases d) (use app_is_wff.IH in auto)
+  qed simp
+next
+  case (abs_is_wff \<beta> A \<alpha> x)
+  then show ?case
+  proof (cases p)
+    case (Cons d p')
+    then show ?thesis
+    proof (cases d)
+      case Left
+      have *: "\<not> occurs_at (y, \<gamma>) p (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A))"
+        for x and \<alpha>
+        using Left and Cons and abs_is_wff.IH by simp
+      then show ?thesis
+      proof (cases "(x, \<alpha>) = (y, \<gamma>)")
+        case True
+        with assms(2) have "
+          \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z (\<lambda>x\<^bsub>\<alpha>\<^esub>. A))
+          =
+          \<lambda>z\<^bsub>\<gamma>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A)"
+          using free_var_in_renaming_substitution and free_var_singleton_substitution_neutrality
+          by simp
+        moreover have "\<not> occurs_at (y, \<gamma>) p (\<lambda>z\<^bsub>\<gamma>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A))"
+          using Left and Cons and * by simp
+        ultimately show ?thesis
+          by simp
+      next
+        case False
+        with assms(2) have "
+          \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z (\<lambda>x\<^bsub>\<alpha>\<^esub>. A))
+          =
+          \<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A)"
+          by simp
+        moreover have "\<not> occurs_at (y, \<gamma>) p (\<lambda>x\<^bsub>\<alpha>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A))"
+          using Left and Cons and * by simp
+        ultimately show ?thesis
+          by simp
+      qed
+    qed (simp add: Cons)
+  qed simp
+qed
+
+text \<open>
+  The following lemma states that the result of \<^term>\<open>rename_bound_var\<close> does not contain bound
+  occurrences of the renamed variable:
+\<close>
+
+lemma rename_bound_var_not_bound_occurrences:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  and "(z, \<gamma>) \<notin> vars A"
+  and "occurs_at (y, \<gamma>) p (rename_bound_var (y, \<gamma>) z A)"
+  shows "\<not> in_scope_of_abs (z, \<gamma>) p (rename_bound_var (y, \<gamma>) z A)"
+using assms(1,3,4) proof (induction arbitrary: p)
+  case (var_is_wff \<alpha> x)
+  then show ?case
+    by (simp add: subforms_from_var(2))
+next
+  case (con_is_wff \<alpha> c)
+  then show ?case
+    using occurs_at_alt_def(2) by auto
+next
+  case (app_is_wff \<alpha> \<beta> B C)
+  from app_is_wff.prems(1) have "(z, \<gamma>) \<notin> vars B" and "(z, \<gamma>) \<notin> vars C"
+    by simp_all
+  from app_is_wff.prems(2)
+  have "occurs_at (y, \<gamma>) p (rename_bound_var (y, \<gamma>) z B \<sqdot> rename_bound_var (y, \<gamma>) z C)"
+    by simp
+  then consider
+    (a) "\<exists>p'. p = \<guillemotleft> # p' \<and> occurs_at (y, \<gamma>) p' (rename_bound_var (y, \<gamma>) z B)"
+  | (b) "\<exists>p'. p = \<guillemotright> # p' \<and> occurs_at (y, \<gamma>) p' (rename_bound_var (y, \<gamma>) z C)"
+    using subforms_from_app by force
+  then show ?case
+  proof cases
+    case a
+    then obtain p' where "p = \<guillemotleft> # p'" and "occurs_at (y, \<gamma>) p' (rename_bound_var (y, \<gamma>) z B)"
+      by blast
+    then have "\<not> in_scope_of_abs (z, \<gamma>) p' (rename_bound_var (y, \<gamma>) z B)"
+      using app_is_wff.IH(1)[OF \<open>(z, \<gamma>) \<notin> vars B\<close>] by blast
+    then have "\<not> in_scope_of_abs (z, \<gamma>) p (rename_bound_var (y, \<gamma>) z (B \<sqdot> C))" for C
+      using \<open>p = \<guillemotleft> # p'\<close> and in_scope_of_abs_in_left_app by simp
+    then show ?thesis
+      by blast
+  next
+    case b
+    then obtain p' where "p = \<guillemotright> # p'" and "occurs_at (y, \<gamma>) p' (rename_bound_var (y, \<gamma>) z C)"
+      by blast
+    then have "\<not> in_scope_of_abs (z, \<gamma>) p' (rename_bound_var (y, \<gamma>) z C)"
+      using app_is_wff.IH(2)[OF \<open>(z, \<gamma>) \<notin> vars C\<close>] by blast
+    then have "\<not> in_scope_of_abs (z, \<gamma>) p (rename_bound_var (y, \<gamma>) z (B \<sqdot> C))" for B
+      using \<open>p = \<guillemotright> # p'\<close> and in_scope_of_abs_in_right_app by simp
+    then show ?thesis
+      by blast
+  qed
+next
+  case (abs_is_wff \<beta> A \<alpha> x)
+  from abs_is_wff.prems(1) have "(z, \<gamma>) \<notin> vars A" and "(z, \<gamma>) \<noteq> (x, \<alpha>)"
+    by fastforce+
+  then show ?case
+  proof (cases "(y, \<gamma>) = (x, \<alpha>)")
+    case True
+    then have "occurs_at (y, \<gamma>) p (\<lambda>z\<^bsub>\<gamma>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A))"
+      using abs_is_wff.prems(2) by simp
+    moreover have "\<not> occurs_at (y, \<gamma>) p (\<lambda>z\<^bsub>\<gamma>\<^esub>. \<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} (rename_bound_var (y, \<gamma>) z A))"
+      using old_bound_var_not_ocurring_after_renaming[OF abs_is_wff.hyps assms(2)] and subforms_from_abs
+      by fastforce
+    ultimately show ?thesis
+      by contradiction
+  next
+    case False
+    then have *: "rename_bound_var (y, \<gamma>) z (\<lambda>x\<^bsub>\<alpha>\<^esub>. A) = \<lambda>x\<^bsub>\<alpha>\<^esub>. rename_bound_var (y, \<gamma>) z A"
+      by auto
+    with abs_is_wff.prems(2) have "occurs_at (y, \<gamma>) p (\<lambda>x\<^bsub>\<alpha>\<^esub>. rename_bound_var (y, \<gamma>) z A)"
+      by auto
+    then obtain p' where "p = \<guillemotleft> # p'" and "occurs_at (y, \<gamma>) p' (rename_bound_var (y, \<gamma>) z A)"
+      using subforms_from_abs by fastforce
+    then have "\<not> in_scope_of_abs (z, \<gamma>) p' (rename_bound_var (y, \<gamma>) z A)"
+      using abs_is_wff.IH[OF \<open>(z, \<gamma>) \<notin> vars A\<close>] by blast
+    then have "\<not> in_scope_of_abs (z, \<gamma>) (\<guillemotleft> # p') (\<lambda>x\<^bsub>\<alpha>\<^esub>. rename_bound_var (y, \<gamma>) z A)"
+      using \<open>p = \<guillemotleft> # p'\<close> and in_scope_of_abs_in_abs and \<open>(z, \<gamma>) \<noteq> (x, \<alpha>)\<close> by auto
+    then show ?thesis
+      using * and \<open>p = \<guillemotleft> # p'\<close> by simp
+  qed
+qed
+
+lemma is_free_for_in_rename_bound_var:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  and "(z, \<gamma>) \<notin> vars A"
+  shows "is_free_for (z\<^bsub>\<gamma>\<^esub>) (y, \<gamma>) (rename_bound_var (y, \<gamma>) z A)"
+proof (rule ccontr)
+  assume "\<not> is_free_for (z\<^bsub>\<gamma>\<^esub>) (y, \<gamma>) (rename_bound_var (y, \<gamma>) z A)"
+  then obtain p
+    where "is_free_at (y, \<gamma>) p (rename_bound_var (y, \<gamma>) z A)"
+    and "in_scope_of_abs (z, \<gamma>) p (rename_bound_var (y, \<gamma>) z A)"
+    by force
+  then show False
+    using rename_bound_var_not_bound_occurrences[OF assms] by fastforce
+qed
+
+lemma renaming_substitution_preserves_bound_vars:
+  shows "bound_vars (\<^bold>S {(y, \<gamma>) \<Zinj> z\<^bsub>\<gamma>\<^esub>} A) = bound_vars A"
+proof (induction A)
+  case (FAbs v A)
+  then show ?case
+    using singleton_substitution_simps(4) and surj_pair[of v]
+    by (cases "v = (y, \<gamma>)") (presburger, force)
+qed force+
+
+lemma rename_bound_var_bound_vars:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  shows "(y, \<gamma>) \<notin> bound_vars (rename_bound_var (y, \<gamma>) z A)"
+  using assms and renaming_substitution_preserves_bound_vars by (induction A) auto
+
+lemma old_var_not_free_not_occurring_after_rename:
+  assumes "A \<in> wffs\<^bsub>\<alpha>\<^esub>"
+  and "z\<^bsub>\<gamma>\<^esub> \<noteq> y\<^bsub>\<gamma>\<^esub>"
+  and "(y, \<gamma>) \<notin> free_vars A"
+  and "(z, \<gamma>) \<notin> vars A"
+  shows "(y, \<gamma>) \<notin> vars (rename_bound_var (y, \<gamma>) z A)"
+  using assms and rename_bound_var_bound_vars[OF assms(1,2)]
+  and old_bound_var_not_free_after_renaming and vars_is_free_and_bound_vars by blast
+
+end
diff --git a/thys/Q0_Metatheory/Utilities.thy b/thys/Q0_Metatheory/Utilities.thy
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/Utilities.thy
@@ -0,0 +1,265 @@
+section \<open>Utilities\<close>
+
+theory Utilities
+  imports
+    "Finite-Map-Extras.Finite_Map_Extras"
+begin
+
+subsection \<open>Utilities for lists\<close>
+
+fun foldr1 :: "('a \<Rightarrow> 'a \<Rightarrow> 'a) \<Rightarrow> 'a list \<Rightarrow> 'a" where
+  "foldr1 f [x] = x"
+| "foldr1 f (x # xs) = f x (foldr1 f xs)"
+| "foldr1 f [] = undefined f"
+
+abbreviation lset where "lset \<equiv> List.set"
+
+lemma rev_induct2 [consumes 1, case_names Nil snoc]:
+  assumes "length xs = length ys"
+  and "P [] []"
+  and "\<And>x xs y ys. length xs = length ys \<Longrightarrow> P xs ys \<Longrightarrow> P (xs @ [x]) (ys @ [y])"
+  shows "P xs ys"
+using assms proof (induction xs arbitrary: ys rule: rev_induct)
+  case (snoc x xs)
+  then show ?case by (cases ys rule: rev_cases) simp_all
+qed simp
+
+subsection \<open>Utilities for finite maps\<close>
+
+no_syntax
+  "_fmaplet" :: "['a, 'a] \<Rightarrow> fmaplet" ("_ /$$:=/ _")
+  "_fmaplets" :: "['a, 'a] \<Rightarrow> fmaplet" ("_ /[$$:=]/ _")
+
+syntax
+  "_fmaplet" :: "['a, 'a] \<Rightarrow> fmaplet" ("_ /\<Zinj>/ _")
+  "_fmaplets" :: "['a, 'a] \<Rightarrow> fmaplet" ("_ /[\<Zinj>]/ _")
+
+lemma fmdom'_fmap_of_list [simp]:
+  shows "fmdom' (fmap_of_list ps) = lset (map fst ps)"
+  by (induction ps) force+
+
+lemma fmran'_singleton [simp]:
+  shows "fmran' {k \<Zinj> v} = {v}"
+proof -
+  have "v' \<in> fmran' {k \<Zinj> v} \<Longrightarrow> v' = v" for v'
+  proof -
+    assume "v' \<in> fmran' {k \<Zinj> v}"
+    fix k'
+    have "fmdom' {k \<Zinj> v} = {k}"
+      by simp
+    then show "v' = v"
+    proof (cases "k' = k")
+      case True
+      with \<open>v' \<in> fmran' {k \<Zinj> v}\<close> show ?thesis
+        using fmdom'I by fastforce
+    next
+      case False
+      with \<open>fmdom' {k \<Zinj> v} = {k}\<close> and \<open>v' \<in> fmran' {k \<Zinj> v}\<close> show ?thesis
+        using fmdom'I by fastforce
+    qed
+  qed
+  moreover have "v \<in> fmran' {k \<Zinj> v}"
+    by (simp add: fmran'I)
+  ultimately show ?thesis
+    by blast
+qed
+
+lemma fmran'_fmupd [simp]:
+  assumes "m $$ x = None"
+  shows "fmran' (m(x \<Zinj> y)) = {y} \<union> fmran' m"
+using assms proof (intro subset_antisym subsetI)
+  fix x'
+  assume "m $$ x = None" and "x' \<in> fmran' (m(x \<Zinj> y))"
+  then show "x' \<in> {y} \<union> fmran' m"
+    by (auto simp add: fmlookup_ran'_iff, metis option.inject)
+next
+  fix x'
+  assume "m $$ x = None" and "x' \<in> {y} \<union> fmran' m"
+  then show "x' \<in> fmran' (m(x \<Zinj> y))"
+    by (force simp add: fmlookup_ran'_iff)
+qed
+
+lemma fmran'_fmadd [simp]:
+  assumes "fmdom' m \<inter> fmdom' m' = {}"
+  shows "fmran' (m ++\<^sub>f m') = fmran' m \<union> fmran' m'"
+using assms proof (intro subset_antisym subsetI)
+  fix x
+  assume "fmdom' m \<inter> fmdom' m' = {}" and "x \<in> fmran' (m ++\<^sub>f m')"
+  then show "x \<in> fmran' m \<union> fmran' m'"
+    by (auto simp add: fmlookup_ran'_iff) meson
+next
+  fix x
+  assume "fmdom' m \<inter> fmdom' m' = {}" and "x \<in> fmran' m \<union> fmran' m'"
+  then show "x \<in> fmran' (m ++\<^sub>f m')"
+    using fmap_disj_comm and fmlookup_ran'_iff by fastforce
+qed
+
+lemma finite_fmran':
+  shows "finite (fmran' m)"
+  by (simp add: fmran'_alt_def)
+
+lemma fmap_of_zipped_list_range:
+  assumes "length ks = length vs"
+  and "m = fmap_of_list (zip ks vs)"
+  and "k \<in> fmdom' m"
+  shows "m $$! k \<in> lset vs"
+  using assms by (induction arbitrary: m rule: list_induct2) auto
+
+lemma fmap_of_zip_nth [simp]:
+  assumes "length ks = length vs"
+  and "distinct ks"
+  and "i < length ks"
+  shows "fmap_of_list (zip ks vs) $$! (ks ! i) = vs ! i"
+  using assms by (simp add: fmap_of_list.rep_eq map_of_zip_nth)
+
+lemma fmap_of_zipped_list_fmran' [simp]:
+  assumes "distinct (map fst ps)"
+  shows "fmran' (fmap_of_list ps) = lset (map snd ps)"
+using assms proof (induction ps)
+  case Nil
+  then show ?case
+    by auto
+next
+  case (Cons p ps)
+  then show ?case
+  proof (cases "p \<in> lset ps")
+    case True
+    then show ?thesis
+      using Cons.prems by auto
+  next
+    case False
+    obtain k and v where "p = (k, v)"
+      by fastforce
+    with Cons.prems have "k \<notin> fmdom' (fmap_of_list ps)"
+      by auto
+    then have "fmap_of_list (p # ps) = {k \<Zinj> v} ++\<^sub>f fmap_of_list ps"
+      using \<open>p = (k, v)\<close> and fmap_singleton_comm by fastforce
+    with Cons.prems have "fmran' (fmap_of_list (p # ps)) = {v} \<union> fmran' (fmap_of_list ps)"
+      by (simp add: \<open>p = (k, v)\<close>)
+    then have "fmran' (fmap_of_list (p # ps)) = {v} \<union> lset (map snd ps)"
+      using Cons.IH and Cons.prems by force
+    then show ?thesis
+      by (simp add: \<open>p = (k, v)\<close>)
+  qed
+qed
+
+lemma fmap_of_list_nth [simp]:
+  assumes "distinct (map fst ps)"
+    and "j < length ps"
+  shows "fmap_of_list ps $$ ((map fst ps) ! j) = Some (map snd ps ! j)"
+  using assms by (induction j) (simp_all add: fmap_of_list.rep_eq)
+
+lemma fmap_of_list_nth_split [simp]:
+  assumes "distinct xs"
+    and "j < length xs"
+    and "length ys = length xs" and "length zs = length xs"
+  shows "fmap_of_list (zip xs (take k ys @ drop k zs)) $$ (xs ! j) =
+          (if j < k then Some (take k ys ! j) else Some (drop k zs ! (j - k)))"
+using assms proof (induction k arbitrary: xs ys zs j)
+  case 0
+  then show ?case
+    by (simp add: fmap_of_list.rep_eq map_of_zip_nth)
+next
+  case (Suc k)
+  then show ?case
+  proof (cases xs)
+    case Nil
+    with Suc.prems(2) show ?thesis
+      by auto
+  next
+    case (Cons x xs')
+    let ?ps = "zip xs (take (Suc k) ys @ drop (Suc k) zs)"
+    from Cons and Suc.prems(3,4) obtain y and z and ys' and zs'
+      where "ys = y # ys'" and "zs = z # zs'"
+      by (metis length_0_conv neq_Nil_conv)
+    let ?ps' = "zip xs' (take k ys' @ drop k zs')"
+    from Cons have *: "fmap_of_list ?ps = fmap_of_list ((x, y) # ?ps')"
+      using \<open>ys = y # ys'\<close> and \<open>zs = z # zs'\<close> by fastforce
+    also have "\<dots> = {x \<Zinj> y} ++\<^sub>f fmap_of_list ?ps'"
+    proof -
+      from \<open>ys = y # ys'\<close> and \<open>zs = z # zs'\<close> have "fmap_of_list ?ps' $$ x = None"
+        using Cons and Suc.prems(1,3,4) by (simp add: fmdom'_notD)
+      then show ?thesis
+        using fmap_singleton_comm by fastforce
+    qed
+    finally have "fmap_of_list ?ps = {x \<Zinj> y} ++\<^sub>f fmap_of_list ?ps'" .
+    then show ?thesis
+    proof (cases "j = 0")
+      case True
+      with \<open>ys = y # ys'\<close> and Cons show ?thesis
+        by simp
+    next
+      case False
+      then have "xs ! j = xs' ! (j - 1)"
+        by (simp add: Cons)
+      moreover from \<open>ys = y # ys'\<close> and \<open>zs = z # zs'\<close> have "fmdom' (fmap_of_list ?ps') = lset xs'"
+        using Cons and Suc.prems(3,4) by force
+      moreover from False and Suc.prems(2) and Cons have "j - 1 < length xs'"
+        using le_simps(2) by auto
+      ultimately have "fmap_of_list ?ps $$ (xs ! j) = fmap_of_list ?ps' $$ (xs' ! (j - 1))"
+        using Cons and * and Suc.prems(1) by auto
+      with Suc.IH and Suc.prems(1,3,4) and Cons have **: "fmap_of_list ?ps $$ (xs ! j) =
+        (if j - 1 < k then Some (take k ys' ! (j - 1)) else Some (drop k zs' ! ((j - 1) - k)))"
+        using \<open>j - 1 < length xs'\<close> and \<open>ys = y # ys'\<close> and \<open>zs = z # zs'\<close> by simp
+      then show ?thesis
+      proof (cases "j - 1 < k")
+        case True
+        with False and ** show ?thesis
+          using \<open>ys = y # ys'\<close> by auto
+      next
+        case False
+        from Suc.prems(1) and Cons and \<open>j - 1 < length xs'\<close> and \<open>xs ! j = xs' ! (j - 1)\<close> have "j > 0"
+          using nth_non_equal_first_eq by fastforce
+        with False have "j \<ge> Suc k"
+          by simp
+        moreover have "fmap_of_list ?ps $$ (xs ! j) = Some (drop (Suc k) zs ! (j - Suc k))"
+          using ** and False and \<open>zs = z # zs'\<close> by fastforce
+        ultimately show ?thesis
+          by simp
+      qed
+    qed
+  qed
+qed
+
+lemma fmadd_drop_cancellation [simp]:
+  assumes "m $$ k = Some v"
+  shows "{k \<Zinj> v} ++\<^sub>f fmdrop k m = m"
+using assms proof (induction m)
+  case fmempty
+  then show ?case
+    by simp
+next
+  case (fmupd k' v' m')
+  then show ?case
+  proof (cases "k' = k")
+    case True
+    with fmupd.prems have "v = v'"
+      by fastforce
+    have "fmdrop k' (m'(k' \<Zinj> v')) = m'"
+      unfolding fmdrop_fmupd_same using fmdrop_idle'[OF fmdom'_notI[OF fmupd.hyps]] by (unfold True)
+    then have "{k \<Zinj> v} ++\<^sub>f fmdrop k' (m'(k' \<Zinj> v')) = {k \<Zinj> v} ++\<^sub>f m'"
+      by simp
+    then show ?thesis
+      using fmap_singleton_comm[OF fmupd.hyps] by (simp add: True \<open>v = v'\<close>)
+  next
+    case False
+    with fmupd.prems have "m' $$ k = Some v"
+      by force
+    from False have "{k \<Zinj> v} ++\<^sub>f fmdrop k (m'(k' \<Zinj> v')) = {k \<Zinj> v} ++\<^sub>f (fmdrop k m')(k' \<Zinj> v')"
+      by (simp add: fmdrop_fmupd)
+    also have "\<dots> = ({k \<Zinj> v} ++\<^sub>f fmdrop k m')(k' \<Zinj> v')"
+      by fastforce
+    also from fmupd.prems and fmupd.IH[OF \<open>m' $$ k = Some v\<close>] have "\<dots> = m'(k' \<Zinj> v')"
+      by force
+    finally show ?thesis .
+  qed
+qed
+
+lemma fmap_of_list_fmmap [simp]:
+  shows "fmap_of_list (map2 (\<lambda>v' A'. (v', f A')) xs ys) = fmmap f (fmap_of_list (zip xs ys))"
+  unfolding fmmap_of_list
+  using cond_case_prod_eta
+    [where f = "\<lambda>v' A'.(v', f A')" and g = "apsnd f", unfolded apsnd_conv, simplified]
+  by (rule arg_cong)
+
+end
diff --git a/thys/Q0_Metatheory/document/root.bib b/thys/Q0_Metatheory/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/document/root.bib
@@ -0,0 +1,21 @@
+@book{andrews:1965,
+    author     = {Andrews, Peter B.},
+	title      = {A Transfinite Type Theory with Type Variables},
+	year       = {1965},
+    series     = {Studies in Logic and the Foundations of Mathematics},
+    volume     = {36},
+	publisher  = {North-Holland Publishing Company},
+    isbn       = {978-0-4445-3402-6}
+}
+
+@book{andrews:2002,
+    author     = {Andrews, Peter B.},
+    title      = {An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof},
+    year       = {2002},
+    series     = {Applied Logic Series},
+    volume     = {27},
+    publisher  = {Springer Dordrecht},
+    doi        = {10.1007/978-94-015-9934-4},
+    isbn       = {978-1-4020-0763-7}
+}
+
diff --git a/thys/Q0_Metatheory/document/root.tex b/thys/Q0_Metatheory/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Q0_Metatheory/document/root.tex
@@ -0,0 +1,38 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage[T1]{fontenc}
+\usepackage{isabelle,isabellesym}
+
+\usepackage{latexsym}
+\usepackage{amssymb}
+\usepackage{amsmath}
+\usepackage{pdfsetup}
+
+\addtolength{\hoffset}{-1,5cm}
+\addtolength{\textwidth}{3cm}
+
+\urlstyle{rm}
+\isabellestyle{it}
+
+\begin{document}
+
+\title{Metatheory of $\mathcal{Q}_0$}
+\author{Javier D\'iaz\\\url{<javier.diaz.manzi@gmail.com>}}
+\maketitle
+
+\begin{abstract}
+This entry is a formalization of the metatheory of $\mathcal{Q}_0$ in Isabelle/HOL. $\mathcal{Q}_0$ \cite{andrews:2002} is a classical higher-order logic equivalent to Church's Simple Theory of Types. In this entry we formalize Chapter 5 of \cite{andrews:2002}, up to and including the proofs of soundness and consistency of $\mathcal{Q}_0$. These proof are, to the best of our knowledge, the first to be formalized in a proof assistant.
+\end{abstract}
+
+\newpage
+\tableofcontents
+
+\parindent 0pt\parskip 0.5ex
+
+\newpage
+\input{session}
+
+\bibliographystyle{abbrv}
+\bibliography{root.bib}
+
+\end{document}
+
diff --git a/thys/ROOTS b/thys/ROOTS
--- a/thys/ROOTS
+++ b/thys/ROOTS
@@ -1,778 +1,779 @@
 ABY3_Protocols
 ADS_Functor
 AI_Planning_Languages_Semantics
 AODV
 AOT
 AVL-Trees
 AWN
 Abortable_Linearizable_Modules
 Abs_Int_ITP2012
 Abstract-Hoare-Logics
 Abstract-Rewriting
 Abstract_Completeness
 Abstract_Soundness
 Ackermanns_not_PR
 Actuarial_Mathematics
 Adaptive_State_Counting
 Affine_Arithmetic
 Aggregation_Algebras
 Akra_Bazzi
 Algebraic_Numbers
 Algebraic_VCs
 Allen_Calculus
 Amicable_Numbers
 Amortized_Complexity
 AnselmGod
 Applicative_Lifting
 Approximation_Algorithms
 Architectural_Design_Patterns
 Aristotles_Assertoric_Syllogistic
 Arith_Prog_Rel_Primes
 ArrowImpossibilityGS
 Attack_Trees
 Auto2_HOL
 Auto2_Imperative_HOL
 AutoFocus-Stream
 Automated_Stateful_Protocol_Verification
 Automatic_Refinement
 AxiomaticCategoryTheory
 BDD
 BD_Security_Compositional
 BNF_CC
 BNF_Operations
 BTree
 Balog_Szemeredi_Gowers
 Banach_Steinhaus
 Belief_Revision
 Bell_Numbers_Spivey
 BenOr_Kozen_Reif
 Berlekamp_Zassenhaus
 Bernoulli
 Bertrands_Postulate
 Bicategory
 BinarySearchTree
 Binary_Code_Imprimitive
 Binding_Syntax_Theory
 Binomial-Heaps
 Binomial-Queues
 BirdKMP
 Birkhoff_Finite_Distributive_Lattices
 Blue_Eyes
 Bondy
 Boolean_Expression_Checkers
 Boolos_Curious_Inference
 Boolos_Curious_Inference_Automated
 Bounded_Deducibility_Security
 Buchi_Complementation
 Budan_Fourier
 Buffons_Needle
 Buildings
 BytecodeLogicJmlTypes
 C2KA_DistributedSystems
 CAVA_Automata
 CAVA_LTL_Modelchecker
 CCS
 CHERI-C_Memory_Model
 CISC-Kernel
 CRDT
 CRYSTALS-Kyber
 CSP_RefTK
 CVP_Hardness
 CYK
 CZH_Elementary_Categories
 CZH_Foundations
 CZH_Universal_Constructions
 CakeML
 CakeML_Codegen
 Call_Arity
 Card_Equiv_Relations
 Card_Multisets
 Card_Number_Partitions
 Card_Partitions
 Cartan_FP
 Case_Labeling
 Catalan_Numbers
 Category
 Category2
 Category3
 Catoids
 Cauchy
 Cayley_Hamilton
 Certification_Monads
 Ceva
 Chandy_Lamport
 Chord_Segments
 Circus
 Clean
 Clique_and_Monotone_Circuits
 ClockSynchInst
 Closest_Pair_Points
 CoCon
 CoSMeDis
 CoSMed
 CofGroups
 Coinductive
 Coinductive_Languages
 Collections
 Combinable_Wands
 Combinatorial_Enumeration_Algorithms
 Combinatorics_Words
 Combinatorics_Words_Graph_Lemma
 Combinatorics_Words_Lyndon
 CommCSL
 Commuting_Hermitian
 Comparison_Sort_Lower_Bound
 Compiling-Exceptions-Correctly
 Complete_Non_Orders
 Completeness
 Complex_Bounded_Operators
 Complex_Geometry
 Complx
 ComponentDependencies
 ConcurrentGC
 ConcurrentIMP
 Concurrent_Ref_Alg
 Concurrent_Revisions
 Conditional_Simplification
 Conditional_Transfer_Rule
 Consensus_Refined
 Constructive_Cryptography
 Constructive_Cryptography_CM
 Constructor_Funs
 Containers
 Cook_Levin
 CoreC++
 Core_DOM
 Core_SC_DOM
 Correctness_Algebras
 Cotangent_PFD_Formula
 Count_Complex_Roots
 Coupledsim_Contrasim
 CryptHOL
 CryptoBasedCompositionalProperties
 Crypto_Standards
 Cubic_Quartic_Equations
 DCR-ExecutionEquivalence
 DFS_Framework
 DOM_Components
 DPRM_Theorem
 DPT-SAT-Solver
 DataRefinementIBP
 Datatype_Order_Generator
 Decl_Sem_Fun_PL
 Decreasing-Diagrams
 Decreasing-Diagrams-II
 Dedekind_Real
 Deep_Learning
 Delta_System_Lemma
 Density_Compiler
 Dependent_SIFUM_Refinement
 Dependent_SIFUM_Type_Systems
 Depth-First-Search
 Derangements
 Deriving
 Descartes_Sign_Rule
 Design_Theory
 Dict_Construction
 Differential_Dynamic_Logic
 Differential_Game_Logic
 DigitsInBase
 Digit_Expansions
 Dijkstra_Shortest_Path
 Diophantine_Eqns_Lin_Hom
 Directed_Sets
 Dirichlet_L
 Dirichlet_Series
 DiscretePricing
 Discrete_Summation
 Disintegration
 DiskPaxos
 Distributed_Distinct_Elements
 Dominance_CHK
 DynamicArchitectures
 Dynamic_Tables
 E_Transcendental
 Earley_Parser
 Echelon_Form
 EdmondsKarp_Maxflow
 Edwards_Elliptic_Curves_Group
 Efficient-Mergesort
 Efficient_Weighted_Path_Order
 Elimination_Of_Repeated_Factors
 Elliptic_Curves_Group_Law
 Encodability_Process_Calculi
 Epistemic_Logic
 Equivalence_Relation_Enumeration
 Ergodic_Theory
 Error_Function
 Euler_MacLaurin
 Euler_Partition
 Euler_Polyhedron_Formula
 Eudoxus_Reals
 Eval_FO
 Example-Submission
 Executable_Randomized_Algorithms
 Expander_Graphs
 Extended_Finite_State_Machine_Inference
 Extended_Finite_State_Machines
 FFT
 FLP
 FOL-Fitting
 FOL_Axiomatic
 FOL_Harrison
 FOL_Seq_Calc1
 FOL_Seq_Calc2
 FOL_Seq_Calc3
 FO_Theory_Rewriting
 FSM_Tests
 Factor_Algebraic_Polynomial
 Factored_Transition_System_Bounding
 Falling_Factorial_Sum
 Farkas
 FeatherweightJava
 Featherweight_OCL
 Fermat3_4
 FileRefinement
 FinFun
 Finger-Trees
 Finite-Map-Extras
 Finite_Automata_HF
 Finite_Fields
 Finitely_Generated_Abelian_Groups
 First_Order_Terms
 First_Welfare_Theorem
 Fishburn_Impossibility
 Fisher_Yates
 Fishers_Inequality
 Fixed_Length_Vector
 Flow_Networks
 Floyd_Warshall
 Flyspeck-Tame
 FocusStreamsCaseStudies
 Forcing
 Formal_Puiseux_Series
 Formal_SSA
 Formula_Derivatives
 Foundation_of_geometry
 Fourier
 Free-Boolean-Algebra
 Free-Groups
 Frequency_Moments
 Fresh_Identifiers
 FunWithFunctions
 FunWithTilings
 Functional-Automata
 Functional_Ordered_Resolution_Prover
 Furstenberg_Topology
 GPU_Kernel_PL
 Gabow_SCC
 GaleStewart_Games
 Gale_Shapley
 Game_Based_Crypto
 Gauss-Jordan-Elim-Fun
 Gauss_Jordan
 Gauss_Sums
 Gaussian_Integers
 GenClock
 General-Triangle
 Generalized_Counting_Sort
 Generic_Deriving
 Generic_Join
 GewirthPGCProof
 Girth_Chromatic
 Given_Clause_Loops
 GoedelGod
 Goedel_HFSet_Semantic
 Goedel_HFSet_Semanticless
 Goedel_Incompleteness
 Goodstein_Lambda
 GraphMarkingIBP
 Graph_Saturation
 Graph_Theory
 Gray_Codes
 Green
 Groebner_Bases
 Groebner_Macaulay
 Gromov_Hyperbolicity
 Grothendieck_Schemes
 Group-Ring-Module
 HOL-CSP
 HOLCF-Prelude
 HRB-Slicing
 Hahn_Jordan_Decomposition
 Hales_Jewett
 Heard_Of
 Hello_World
 HereditarilyFinite
 Hermite
 Hermite_Lindemann
 Hidden_Markov_Models
 Higher_Order_Terms
 HoareForDivergence
 Hoare_Time
 Hood_Melville_Queue
 HotelKeyCards
 Huffman
 Hybrid_Logic
 Hybrid_Multi_Lane_Spatial_Logic
 Hybrid_Systems_VCs
 HyperCTL
 HyperHoareLogic
 Hyperdual
 Hypergraph_Basics
 Hypergraph_Colourings
 IEEE_Floating_Point
 IFC_Tracking
 IMAP-CRDT
 IMO2019
 IMP2
 IMP2_Binary_Heap
 IMP_Compiler
 IMP_Compiler_Reuse
 IO_Language_Conformance
 IP_Addresses
 Imperative_Insertion_Sort
 Implicational_Logic
 Impossible_Geometry
 Incompleteness
 Incredible_Proof_Machine
 Independence_CH
 Inductive_Confidentiality
 Inductive_Inference
 InfPathElimination
 InformationFlowSlicing
 InformationFlowSlicing_Inter
 Integration
 Interpolation_Polynomials_HOL_Algebra
 Interpreter_Optimizations
 Interval_Arithmetic_Word32
 Intro_Dest_Elim
 Involutions2Squares
 Iptables_Semantics
 Irrational_Series_Erdos_Straus
 Irrationality_J_Hancl
 Irrationals_From_THEBOOK
 IsaGeoCoq
 IsaNet
 Isabelle_C
 Isabelle_Marries_Dirac
 Isabelle_Meta_Model
 Jacobson_Basic_Algebra
 Jinja
 JinjaDCI
 JinjaThreads
 JiveDataStoreModel
 Jordan_Hoelder
 Jordan_Normal_Form
 KAD
 KAT_and_DRA
 KBPs
 KD_Tree
 Key_Agreement_Strong_Adversaries
 Khovanskii_Theorem
 Kleene_Algebra
 Kneser_Cauchy_Davenport
 Knights_Tour
 Knot_Theory
 Knuth_Bendix_Order
 Knuth_Morris_Pratt
 Koenigsberg_Friendship
 Kruskal
 Kuratowski_Closure_Complement
 LLL_Basis_Reduction
 LLL_Factorization
 LOFT
 LP_Duality
 LTL
 LTL_Master_Theorem
 LTL_Normal_Form
 LTL_to_DRA
 LTL_to_GBA
 Lam-ml-Normalization
 LambdaAuth
 LambdaMu
 Lambda_Free_EPO
 Lambda_Free_KBOs
 Lambda_Free_RPOs
 Lambert_W
 Landau_Symbols
 Laplace_Transform
 Latin_Square
 LatticeProperties
 Launchbury
 Laws_of_Large_Numbers
 Lazy-Lists-II
 Lazy_Case
 Lehmer
 Lifting_Definition_Option
 Lifting_the_Exponent
 LightweightJava
 LinearQuantifierElim
 Linear_Inequalities
 Linear_Programming
 Linear_Recurrences
 Liouville_Numbers
 List-Index
 List-Infinite
 List_Interleaving
 List_Inversions
 List_Update
 LocalLexing
 Localization_Ring
 Locally-Nameless-Sigma
 Logging_Independent_Anonymity
 Lovasz_Local
 Lowe_Ontological_Argument
 Lower_Semicontinuous
 Lp
 Lucas_Theorem
 MDP-Algorithms
 MDP-Rewards
 MFMC_Countable
 MFODL_Monitor_Optimized
 MFOTL_Monitor
 MSO_Regex_Equivalence
 Markov_Models
 Marriage
 Mason_Stothers
 Matrices_for_ODEs
 Matrix
 Matrix_Tensor
 Matroids
 Max-Card-Matching
 Maximum_Segment_Sum
 Median_Method
 Median_Of_Medians_Selection
 Menger
 Mereology
 Mersenne_Primes
 Metalogic_ProofChecker
 MHComputation
 MiniML
 MiniSail
 Minimal_SSA
 Minkowskis_Theorem
 Minsky_Machines
 MLSS_Decision_Proc
 ML_Unification
 Modal_Logics_for_NTS
 Modular_Assembly_Kit_Security
 Modular_arithmetic_LLL_and_HNF_algorithms
 Monad_Memo_DP
 Monad_Normalisation
 MonoBoolTranAlgebra
 MonoidalCategory
 Monomorphic_Monad
 MuchAdoAboutTwo
 Multi_Party_Computation
 Multirelations
 Multirelations_Heterogeneous
 Multiset_Ordering_NPC
 Multitape_To_Singletape_TM
 Myhill-Nerode
 Name_Carrying_Type_Inference
 Nano_JSON
 Nash_Williams
 Nat-Interval-Logic
 Native_Word
 Nested_Multisets_Ordinals
 Network_Security_Policy_Verification
 Neumann_Morgenstern_Utility
 No_FTL_observers
 No_FTL_observers_Gen_Rel
 Nominal2
 Noninterference_CSP
 Noninterference_Concurrent_Composition
 Noninterference_Generic_Unwinding
 Noninterference_Inductive_Unwinding
 Noninterference_Ipurge_Unwinding
 Noninterference_Sequential_Composition
 NormByEval
 Nullstellensatz
 Number_Theoretic_Transform
 Octonions
 OpSets
 Open_Induction
 Optics
 Optimal_BST
 Orbit_Stabiliser
 Order_Lattice_Props
 Ordered_Resolution_Prover
 Ordinal
 Ordinal_Partitions
 Ordinals_and_Cardinals
 Ordinary_Differential_Equations
 PAC_Checker
 PAL
 PAPP_Impossibility
 PCF
 PLM
 POPLmark-deBruijn
 PSemigroupsConvolution
 Package_logic
 Padic_Field
 Padic_Ints
 Pairing_Heap
 Paraconsistency
 Parity_Game
 Partial_Function_MR
 Partial_Order_Reduction
 Password_Authentication_Protocol
 Pell
 Perfect_Fields
 Perfect-Number-Thm
 Perron_Frobenius
 Physical_Quantities
 Pi_Calculus
 Pi_Transcendental
 Planarity_Certificates
 Pluennecke_Ruzsa_Inequality
 Poincare_Bendixson
 Poincare_Disc
 Polygonal_Number_Theorem
 Polynomial_Factorization
 Polynomial_Interpolation
 Polynomials
 Pop_Refinement
 Posix-Lexing
 Possibilistic_Noninterference
 Power_Sum_Polynomials
 Pratt_Certificate
 Prefix_Free_Code_Combinators
 Presburger-Automata
 Prim_Dijkstra_Simple
 Prime_Distribution_Elementary
 Prime_Harmonic_Series
 Prime_Number_Theorem
 Priority_Queue_Braun
 Priority_Search_Trees
 Probabilistic_Noninterference
 Probabilistic_Prime_Tests
 Probabilistic_System_Zoo
 Probabilistic_Timed_Automata
 Probabilistic_While
 Probability_Inequality_Completeness
 Program-Conflict-Analysis
 Progress_Tracking
 Projective_Geometry
 Projective_Measurements
 Promela
 Proof_Strategy_Language
 PropResPI
 Propositional_Logic_Class
 Propositional_Proof_Systems
 Prpu_Maxflow
 PseudoHoops
 Psi_Calculi
 Ptolemys_Theorem
 Public_Announcement_Logic
+Q0_Metatheory
 QHLProver
 QR_Decomposition
 Quantales
 Quantales_Converse
 Quantifier_Elimination_Hybrid
 Quasi_Borel_Spaces
 Quaternions
 Query_Optimization
 Quick_Sort_Cost
 RIPEMD-160-SPARK
 ROBDD
 RSAPSS
 Ramsey-Infinite
 Random_BSTs
 Random_Graph_Subgraph_Threshold
 Randomised_BSTs
 Randomised_Social_Choice
 Rank_Nullity_Theorem
 Real_Impl
 Real_Power
 Real_Time_Deque
 Recursion-Addition
 Recursion-Theory-I
 Refine_Imperative_HOL
 Refine_Monadic
 RefinementReactive
 Regex_Equivalence
 Registers
 Regression_Test_Selection
 Regular-Sets
 Regular_Algebras
 Regular_Tree_Relations
 Relation_Algebra
 Relational-Incorrectness-Logic
 Relational_Cardinality
 Relational_Disjoint_Set_Forests
 Relational_Forests
 Relational_Method
 Relational_Minimum_Spanning_Trees
 Relational_Paths
 Rensets
 Rep_Fin_Groups
 ResiduatedTransitionSystem
 Residuated_Lattices
 Resolution_FOL
 Rewrite_Properties_Reduction
 Rewriting_Z
 Ribbon_Proofs
 Risk_Free_Lending
 Robbins-Conjecture
 Robinson_Arithmetic
 Root_Balanced_Tree
 Roth_Arithmetic_Progressions
 Routing
 Roy_Floyd_Warshall
 SATSolverVerification
 SCC_Bloemen_Sequential
 SC_DOM_Components
 SDS_Impossibility
 SIFPL
 SIFUM_Type_Systems
 SPARCv8
 S_Finite_Measure_Monad
 Safe_Distance
 Safe_OCL
 Safe_Range_RC
 Saturation_Framework
 Saturation_Framework_Extensions
 Sauer_Shelah_Lemma
 Schutz_Spacetime
 Schwartz_Zippel
 Secondary_Sylow
 Security_Protocol_Refinement
 Selection_Heap_Sort
 SenSocialChoice
 Separata
 Separation_Algebra
 Separation_Logic_Imperative_HOL
 Separation_Logic_Unbounded
 SequentInvertibility
 Shadow_DOM
 Shadow_SC_DOM
 Shivers-CFA
 ShortestPath
 Show
 Sigma_Commit_Crypto
 Signature_Groebner
 Simpl
 Simple_Clause_Learning
 Simple_Firewall
 Simplex
 Simplicial_complexes_and_boolean_functions
 SimplifiedOntologicalArgument
 Skew_Heap
 Skip_Lists
 Slicing
 Sliding_Window_Algorithm
 Smith_Normal_Form
 Smooth_Manifolds
 Solidity
 Sophomores_Dream
 Sort_Encodings
 Source_Coding_Theorem
 SpecCheck
 Special_Function_Bounds
 Splay_Tree
 Sqrt_Babylonian
 Stable_Matching
 Stalnaker_Logic
 Standard_Borel_Spaces
 Statecharts
 Stateful_Protocol_Composition_and_Typing
 Stellar_Quorums
 Stern_Brocot
 Stewart_Apollonius
 Stirling_Formula
 Stochastic_Matrices
 Stone_Algebras
 Stone_Kleene_Relation_Algebras
 Stone_Relation_Algebras
 Store_Buffer_Reduction
 Stream-Fusion
 Stream_Fusion_Code
 StrictOmegaCategories
 Strong_Security
 Sturm_Sequences
 Sturm_Tarski
 Stuttering_Equivalence
 Subresultants
 Subset_Boolean_Algebras
 SumSquares
 Sunflowers
 SuperCalc
 Suppes_Theorem
 Surprise_Paradox
 Symmetric_Polynomials
 Syntax_Independent_Logic
 Synthetic_Completeness
 Szemeredi_Regularity
 Szpilrajn
 TESL_Language
 TLA
 Tail_Recursive_Functions
 Tarskis_Geometry
 Taylor_Models
 Three_Circles
 Three_Squares
 Timed_Automata
 Topological_Semantics
 Topology
 TortoiseHare
 TsirelsonBound
 Transcendence_Series_Hancl_Rucki
 Transformer_Semantics
 Transition_Systems_and_Automata
 Transitive-Closure
 Transitive-Closure-II
 Transitive_Models
 Transport
 Treaps
 Tree-Automata
 Tree_Decomposition
 Tree_Enumeration
 Triangle
 Trie
 Turans_Graph_Theorem
 Twelvefold_Way
 Two_Generated_Word_Monoids_Intersection
 Tycon
 Types_Tableaus_and_Goedels_God
 Types_To_Sets_Extension
 UPF
 UPF_Firewall
 UTP
 Undirected_Graph_Theory
 Universal_Hash_Families
 Universal_Turing_Machine
 UpDown_Scheme
 VYDRA_MDL
 Valuation
 Van_Emde_Boas_Trees
 Van_der_Waerden
 VectorSpace
 VeriComp
 Verified-Prover
 Verified_SAT_Based_AI_Planning
 VerifyThis2018
 VerifyThis2019
 Vickrey_Clarke_Groves
 Virtual_Substitution
 VolpanoSmith
 WHATandWHERE_Security
 WOOT_Strong_Eventual_Consistency
 WebAssembly
 Weight_Balanced_Trees
 Weighted_Arithmetic_Geometric_Mean
 Weighted_Path_Order
 Well_Quasi_Orders
 Wetzels_Problem
 Winding_Number_Eval
 Word_Lib
 WorkerWrapper
 X86_Semantics
 XML
 Youngs_Inequality
 ZFC_in_HOL
 Zeckendorf
 Zeta_3_Irrational
 Zeta_Function
 pGCL