FIRST STEPS IN SYNTHETIC GUARDED DOMAIN THEORY: STEP-INDEXING IN THE TOPOS OF TREES

. We present the topos S of trees as a model of guarded recursion. We study the internal dependently-typed higher-order logic of S and show that S models two modal operators, on predicates and types, which serve as guards in recursive deﬁnitions of terms, predicates, and types. In particular, we show how to solve recursive type equations involving dependent types. We propose that the internal logic of S provides the right setting for the synthetic construction of abstract versions of step-indexed models of programming languages and program logics. As an example, we show how to construct a model of a programming language with higher-order store and recursive types entirely inside the internal logic of S . Moreover, we give an axiomatic categorical treatment of models of synthetic guarded domain theory and prove that, for any complete Heyting algebra A with a well-founded basis, the topos of sheaves over A forms a model of synthetic guarded domain theory, generalizing the results for S .


Introduction
Recursive definitions are ubiquitous in computer science.In particular, in semantics of programming languages and program logics we often use recursively defined functions and relations, and also recursively defined types (domains).For example, in recent years there has been extensive work on giving semantics of type systems for programming languages with dynamically allocated higher-order store, such as general ML-like references.Models have been expressed as Kripke models over a recursively defined set of worlds (an example of a recursively defined domain) and have involved recursively defined relations to interpret the recursive types of the programming language; see [5] and the references therein.
In this paper we study a topos S, which we show models guarded recursion in the sense that it allows for guarded recursive definitions of both recursive functions and relations as well as recursive types.The topos S is known as the topos of trees (or forests); what is new here is our application of this topos to model guarded recursion.
The internal logic of S is a standard many-sorted higher-order logic extended with modal operators on both types and terms.(Recall that terms in higher-order logic include both functions and relations, as the latter are simply Prop-valued functions.)This internal logic can then be used as a language to describe semantic models of programming languages with the features mentioned above.As an example which uses both recursively defined types and recursively defined relations in the S-logic, we present a model of F µ,ref , a call-by-value programming language with impredicative polymorphism, recursive types, and general MLlike references.
To situate our work in relation to earlier work, we now give a quick overview of the technical development of the present paper followed by a comparison to related work.We end the introduction with a summary of our contributions.
1.1.Overview of technical development.The topos S is the category of presheaves on ω, the first infinite ordinal.This topos is known as the topos of trees, and is one of the most basic examples of presheaf categories.
There are several ways to think intuitively about this topos.Let us recall one intuitive description, which can serve to understand why it models guarded recursion.An object X of S is a contravariant functor from ω (viewed as a preorder) to Set.We think of X as a variable set, i.e., a family of sets X(n), indexed over natural numbers n, and with restriction maps X(n + 1) → X(n).Morphisms f : X → Y are natural transformations from X to Y .The variable sets include the ordinary sets as so-called constant sets: for an ordinary set S, there is an object ∆(S) in S with ∆(S)(n) = S for all n.Since S is a category of presheaves, it is a topos, in particular it is cartesian closed category and has a subobject classifier Ω (a type of propositions).The internal logic of S is an extension of standard Kripke semantics: for constant sets, the truth value of a predicate is just the set of worlds (downwards closed subsets of ω) for which the predicate holds.This observation suggests that there is a modal "later" operator ✄ on predicates Ω ∆(S) on constant sets, similar to what has been studied earlier [3,11].Intuitively, for a predicate ϕ : Ω ∆(S) on constant set ∆(S), ✄(ϕ) contains n + 1 if ϕ contains n. (A future world is a smaller number, hence the name "later" for this operator.)A recursively specified predicate µr.ϕ(r) is well-defined if every occurrence of the recursion variable r in ϕ is guarded by a ✄ modality: by definition of ✄, to know whether n + 1 is in the predicate it suffices to know whether n is in the predicate.There is also an associated Löb rule for induction, (✄ ϕ → ϕ) → ϕ, as in [3].
Here we show that in fact there is a later operator not only on predicates on constant sets, but also on predicates on general variable sets, with associated Löb rule, and welldefined guarded recursive definitions of predicates.
Moreover, there is also a later operator ◮ (a functor) on the variable sets themselves: ◮(X) is given by ◮(X)(1) = {⋆} and ◮(X)(n + 1) = X(n).We can show the welldefinedness of recursive variable sets µX.F (X) in which the recursion variable X is guarded by this operator ◮.Intuitively, such a recursively specified variable set is well-defined since by definition of ◮, to know what µX.F (X) is at level n + 1 it suffices to know what it is at level n.
In the technical sections of the paper, we make the above precise.In particular, we detail the internal logic and the use of later on functions / predicates and on types.We explain how one can solve mixed-variance recursive type equations, for a wide collection of types.We show how to use the internal logic of S to give a model of F µ,ref .The model, including the operational semantics of the programming language, is defined completely inside the internal logic; we discuss the connection between the resulting model and earlier models by relating internal definitions in the internal logic to standard (external) definitions.Since S is a topos, S also models dependent types.We give technical semantic results as needed for using later on dependent types and for recursive type-equations involving dependent types.We think of this as a first step towards a formalized dependent type theory with a later operator; here we focus on the foundational semantic issues.
To explain the relationship to some of the related work, we point out that S is equivalent to the category of sheaves on ω, where ω is the complete Heyting algebra of natural numbers with the usual ordering and extended with a top element ∞.Moreover, this sheaf category, and hence also S, is equivalent to the topos obtained by the tripos-to-topos construction [21] applied to the tripos Set( , ω).The logic of constant sets in S is exactly the logic of this tripos. 1 In the first part of this paper we work with the presentation of S as presheaves since it is the most concrete, but in fact many of our results generalize to sheaf categories over other complete well-founded Heyting algebras.Indeed, we include a more general axiomatic treatment of models of synthetic guarded domain theory and prove that, for any complete Heyting algebra with a well-founded basis, the topos of sheaves over the Heyting algebra yields a model of synthetic guarded domain theory.We present this generalization after the more concrete treatment of S, since the concrete treatment of S is perhaps more accessible.
1.2.Related work.Nakano presented a simple type theory with guarded recursive types [30] which can be modelled using complete bounded ultrametric spaces [6].We show in Section 5 that the category BiCBUlt of bisected, complete bounded ultrametric spaces is a co-reflective subcategory of S. Thus, our present work can be seen as an extension of the work of Nakano to include the full internal language of a topos, in particular dependent types, and an associated higher-order logic.Pottier [32] presents an extension of System F with recursive kinds based on Nakano's calculus; hence S also models the kind language of his system.
Di Gianantonio and Miculan [10] studied guarded recursive definitions of functions in certain sheaf toposes over well-founded complete Heyting algebras, thus including S. Our work extends the work of Di Gianantonio and Miculan by also including guarded recursive definitions of types, by emphasizing the use of the internal logic (this was suggested as future work in [10]), and by including an extensive example application.Moreover, our general treatment of sheaf models includes sheaves over any well-founded complete Heyting algebra, whereas Di Gianantonio and Miculan restrict attention to those Heyting algebras that arise as the opens of a topological space.
Earlier work has advocated the use of complete bounded ultrametric spaces for solving recursive type and relation equations that come up when modelling programming languages with higher-order store [5,7].As mentioned above, BiCBUlt is a subcategory of S, and thence our present work can be seen as an improvement of this earlier work: it is an improvement since S supports full higher-order logic.In the earlier work, one had to show that the functions defined in the interpretation of the programming language types were non-expansive.Here we take the synthetic approach (cf.[20]) and place ourselves in the internal logic of the topos when defining the interpretation of the programming language, see Section 3.This means that there is no need to prove properties like non-expansiveness since, intuitively, all functions in the topos are suitably non-expansive.
Dreyer et al. [11] proposed a logic, called LSLR, for defining step-indexed interpretations of programming languages with recursive types, building on earlier work by Appel et al. [3] who proposed the use of a later modality on predicates.The point of LSLR is that it provides for more abstract ways of constructing and reasoning with step-indexed models, thus avoiding tedious calculations with step indices.The core logic of LSLR is the logic of the tripos Set( , ω) mentioned above, 2 which allows for recursively defined predicates following [3], but not recursively defined types.One point of passing from this tripos to the topos S is that it gives us a wider collection of types (variable sets rather than only constant sets), which makes it possible also to have mixed-variance recursively defined types. 3 Dreyer et al. developed an extension of LSLR called LADR for reasoning about stepindexed models of the programming language F µ,ref with higher-order store [13].LADR is a specialized logic where much of the world structure used for reasoning efficiently about local state is hidden by the model of the logic; here we are proposing a general logic that can be used to construct many step-indexed models, including the one used to model LADR.In particular, in our example application in Section 3, we define a set of worlds inside the S logic, using recursively defined types.
As part of our analysis of recursive dependent types, we define a class of types, called functorial types.We show that functorial types are closed under nested recursive types, a result which is akin to results on nested inductive types [1,14].The difference is that we allow for general mixed-variance recursive types, but on the other hand we require that all occurrences of recursion variables must be guarded.1.3.Summary of contributions.We show how the topos S, and, more generally, any topos of sheaves over a complete Heyting algebra with a well-founded basis, provides a simple but powerful model of guarded recursion, allowing for guarded recursive definitions of both terms and types in the internal dependently-typed higher-order logic.In particular, we • show that the two later modalities are well-behaved on slices; • give existence theorems for fixed points of guarded recursive terms and guarded nested dependent mixed-variance recursive types; • detail the relation of S to the category of complete bounded ultrametric spaces; 2 Dreyer et al. [11] presented the semantics of their second-order logic in more concrete terms, avoiding the use of triposes, but it is indeed a fragment of the internal logic of the mentioned tripos. 3The terminology can be slightly confusing: in [3], our notion of recursive relations were called recursive types, probably because the authors of loc.cit.used such to interpret recursive types of a programming language.Recursive types in our sense were not considered in [3].
• present, as an example application, a synthetic model of F µ,ref constructed internally in S; • give an axiomatic treatment of a general class of models of guarded recursion.Our general existence theorems for recursive types in Section 8 are phrased in terms of Sh(A)-categories, i.e., categories enriched in sheaves over a complete Heyting algebra A with a well-founded basis, and generalize earlier work on recursive types for categories enriched in complete bounded ultrametric spaces [9].

The S Topos
The category S is that of presheaves on ω, the preorder of natural numbers starting from 1 and ordered by inclusion.Explicitly, the objects of S = Set ω op are families of sets indexed by natural numbers together with restriction maps r n : X(n + 1) → X(n).Morphisms are families (f n ) n of maps commuting with the restriction maps as indicated in the diagram As all presheaf categories, S is a topos, in particular it is cartesian closed and has a subobject classifier.Moreover, it is complete and cocomplete, and limits and colimits are computed pointwise.The n'th component of the exponential Y X (n) is the set of tuples (f 1 , . . ., f n ) commuting with the restriction maps, and the restriction maps of Y X are given by projection.We sometimes use the notation X → Y for Y X .
A subobject A of X is a family of subsets A(n) ⊆ X(n) such that r n (A(n + 1)) ⊆ A(n).The subobject classifier has Ω(n) = {0, . . ., n} and restriction maps r n (x) = min(n, x).The characteristic morphism χ A : X → Ω maps x ∈ X(n) to the maximal m such that x| m ∈ A(m) if such an m exists and 0 otherwise.
The natural numbers object N in S is the constant set of natural numbers.Intuitively, we can think of the set X(n) as what the type X looks like, if one has at most n time steps to reason about it.The restriction maps r n : X(n + 1) → X(n) describe what happens to the data when one time step passes.This intuition is illustrated by the following example.
Example 2.1.We can define the object Str ∈ S of (variable) streams of natural numbers as follows: where the restriction maps r m : N m+1 → N m map (n 1 , . . ., n m , n m+1 ) to (n 1 , . . ., n m ).Intuitively, this is the type of streams where the head is immediately available, but the tail is only available after one time step.If we have n time steps to reason about this type we can access the n first elements, hence Str (n) = N n .The successor function succ on streams, which adds one to every element in a stream, can be defined in the model by Clearly succ is a natural transformation from Str to Str ; hence it is a well-defined map in S. Observe that succ m can also be defined by induction as succ 1 (n) = n + 1 and succ m+1 (n 1 , n 2 , . . ., n m+1 ) = (n 1 + 1, succ m (n 2 , . . ., n m+1 )).
The subobject A ⊆ Str of increasing streams can be defined by letting A m ⊆ N m be the set of tuples (n 1 , . . ., n m ) that are increasing (i.e., n i > n j , for i > j).Note that A is trivially closed under the restriction maps, and thus it is a well-defined subobject of Str .
2.1.The ◮ endofunctor.Define the functor ◮ : S → S by ◮ X(1) = {⋆} and ◮ X(n + 1) = X(n).This functor, called later, has a left adjoint (so ◮ preserves all limits) given by ◭ X(n) = X(n + 1).Since limits are computed pointwise, ◭ preserves them, and so the adjunction ◭ ⊣ ◮ defines a geometric morphism, in fact an embedding.However, we shall not make use of this fact in the present paper (because ◭ is not a fibred endo-functor on the codomain fibration, hence is not a useful operator in the dependent type theory; see Section 4).
There is a natural transformation next X : X → ◮ X whose 1st component is the unique map into {⋆} and whose (n + 1)th component is r n .Although next looks like a unit ◮ is not a monad: there are no natural transformations ◮ ◮ → ◮.
Since ◮ preserves finite limits, there is always a morphism

An operator on predicates.
There is a morphism ✄ : Ω → Ω mapping n ∈ Ω(m) to min(m, n + 1).By setting χ ✄A = ✄ •χ A there is an induced operation on subobjects, again denoted ✄.This operation, which we also call "later", is connected to the ◮ functor, since there is a pullback diagram for any subobject m : A → X.

Recursive morphisms.
We introduce a notion of contractive morphism and show that these have unique fixed points.
For instance, contractiveness of ✄ on Ω is witnessed by succ : If f : X → Y is contractive as witnessed by g, the value of f n+1 (x) can be computed from r n (x) and moreover, f 1 must be constant.If X = Y we can define a fixed point x : 1 → X by defining x 1 = g 1 (⋆) and x n+1 = g n+1 (x n ).This construction can be generalized to include fixed points of morphisms with parameters as follows.
Theorem 2.4.There exists a natural family of morphisms fix X : (◮ X → X) → X, indexed by the collection of all objects X, which computes unique fixed points in the sense that if f : X×Y → X is contractive in the first variable as witnessed by g, i.e., f = g•(next X ×id Y ), then fix X •ĝ is the unique h : Y → X such that f • h, id Y = h (here ĝ denotes the exponential transpose of g).
2.4.Internal logic.We start by calling to mind parts of the Kripke-Joyal forcing semantics for S. For X 1 , . . ., X m in S, ϕ : The standard clauses for the forcing relation are as follows [26,Example 9.5] (we write α for a sequence α 1 , . . ., α m ): The following definition will be useful for presenting facts about the internal logic of S. Definition 2.6.An object X in S is total if all the restriction maps r n are surjective.Hence all constant objects ∆(S) are total, but the total objects also include many nonconstant objects, e.g., the subobject classifier.The above definition is phrased in terms of the model; the internal logic can be used to give a simple characterization of when X is total and inhabited by a global element4 : that is the case iff next X is internally surjective in S, i.e., iff ∀y : ◮ X.∃x : X.next X (x) = y holds in S. The following proposition can be proved using the forcing semantics; note that the distribution rules below for ✄ generalize the ones for constant sets described in [11] (since constant sets are total).Theorem 2.7.In the internal logic of S we have: (1) (Monotonicity).∀p : Ω. p → ✄ p.
We now define an internal notion of contractiveness in the logic of S which implies (in the logic) the existence of a unique fixed point for inhabited types.
Definition 2.8.The predicate Contr on Y X is defined in the internal logic by For a morphism f : X → Y , corresponding to a global element of Y X , we have that if f is contractive (in the external sense of Definition 2.2), then Contr(f ) holds in the logic of S. The converse is true if X is total and inhabited, but not in general.We use both notions of contractiveness: the external notion provides for a simple algebraic theory of fixed points for not only morphisms but also functors (see Section 2.6), whereas the internal notion is useful when working in the internal logic.
The internal notion of contractiveness generalizes the usual metric notion of contractiveness for functions between complete bounded ultrametric spaces; see Section 5.
Theorem 2.9 (Internal Banach Fixed-Point Theorem).The following holds in S: The above theorem (the Internal Banach Fixed-Point Theorem) is proved in the internal logic using the following lemma, which expresses a non-classical property.The lemma can be proved in the internal logic using the Löb rule (and using that N is a total object)below we give a semantic proof using the Kripke-Joyal semantics.
Lemma 2.10.The following holds in S: Proof.We must show that any m forces the predicate.Unfolding the definition of the forcing relation, we see that it suffices to show that for all m and all f ∈ X X (m) there exists an n such that The element f is a family (f i : X(i) → X(i)) i≤m and the condition m |= Contr(f ) implies that f i i (x) = f i i (y) for all i ≤ m and all x, y ∈ X(i).In particular 2.5.Recursive relations.As an example application of Theorem 2.9, we consider the definition of recursive predicates.Let ϕ(r) : Ω X be a predicate on X in the internal logic of S as presented above (over non-dependent types, but possibly using ✄) with free variable r, also of type Ω X .Note that Ω X is inhabited by a global element.If r only occurs under a ✄ in ϕ, then ϕ defines an internally contractive map ϕ : Ω X → Ω X (proved by external induction on ϕ).Therefore, by Theorem 2.9, ∃! r : Ω X .ϕ(r)= r holds in S. By description (aka axiom of unique choice), which holds in any topos [26], there is then a morphism R : 1 → Ω X such that ϕ(R) = R in S, and since internal and external equality coincides, also ϕ(R) = R externally as morphisms 1 → Ω X .In summa, we have shown the well-definedness of recursive predicates r = ϕ(r) where r only occurs guarded by ✄ in ϕ.
Note that we have proved the existence of recursive guarded relations (and thus do not have to add them to the language with special syntax) since we are working with a higher-order logic.
Example 2.11.Suppose R ⊆ X × X is some relation on a set X. We can include it into S by using the functor ∆ : Set → S, obtaining ∆R ⊆ ∆X × ∆X.Consider the recursive relation y) states the extent to which we can determine if x rewrites to y by inspecting all rewrite sequences of length at most n.
A variant of Example 2.11 is used in Section 3.
2.6.Recursive domain equations.In this section we present a simplified version of our results on solutions to recursive domain equations in S sufficient for the example of Section 3. The full results on recursive domain equations can be found in Section 4.
Denote by f : 1 → Y X the curried version of f : X → Y .Following Kock [25] we say that an endofunctor F : S → S is strong if, for all X, Y , there exists a morphism Definition 2.12.A strong endofunctor on S is locally contractive if each F X,Y is contractive, i.e., there exists a family G X,Y such that G X,Y • next X Y = F X,Y and moreover G respects identity and composition, that is the following diagrams commute This notion readily generalizes to mixed-variance endofunctors on S.
Remark 2.13.Definition 2.12 is slightly less general than the one given in the conference version of this paper [4] where local contractiveness simply required F X,Y to be contractive.The definition given here greatly simplifies the proof of existence of solutions to recursive domain equations, especially in the general case as presented in Section 8, and at the same time, the extra requirements used here do not rule out any examples we know of.In particular, the syntactic conditions for well-definedness of recursive types remain unchanged.
The requirement of G commuting with composition and identity can be rephrased as G defining an enriched functor.In Section 6 we use this observation to generalise the notion of locally contractive functor.
For example, ◮ is locally contractive (as witnessed by J (2.1)), and one can show that the composition of a strong functor and a locally contractive functor (in either order) is locally contractive (see Lemma 7.3 for a generalized statement).As a result, one can show that any type expression A(X, Y ) constructed from type variables X, Y using ◮ and simple type constructors in which X occurs only negatively and Y only positively and both only under ◮ gives rise to a locally contractive functor.Indeed, in Section 4 we present such syntactic conditions ensuring that a type expression in dependent type theory induces a locally contractive functor.
Theorem 2.14.Let F : S op × S → S be a locally contractive functor.Then there exists a unique X (up to isomorphism) such that F (X, X) ∼ = X.
Section 8 gives a detailed proof of a generalised version of this theorem.Here we just sketch a proof.We consider first the covariant case.
Lemma 2.15.Let F : S → S be locally contractive and say that f : The sequence above is a sequence of morphisms and objects in S and so represents a diagram of sets and functions as in By the above observation, F n (!) k is an isomorphism for k ≤ n, in other words, after k iterations of F the first k components are fixed by further iterations of F .Intuitively, we can therefore form a fixed point for F by taking the diagonal of (2.3), i.e, the object whose k'th component is F k (1)(k).Indeed, in Section 8 we construct this object as the limit of (2.2).Any fixed point for such an F must be at the same time an initial algebra and a final coalgebra: given any fixed point f : F X ∼ = X and algebra g : Since F is locally contractive, ξ is contractive and so must have a unique fixed point.The case of final coalgebras is similar.
Thus, S is algebraically compact in the sense of Freyd [15][16][17] with respect to locally contractive functors.The solutions to general recursive domain equations can then be established using Freyd's constructions.
Note that F is clearly contractive (in the external sense) since the argument f is only used under next in F (f ).Hence F has a fixed point, which is indeed the successor function from Example 2.1, i.e., succ = fix Str →Str F .

Application to Step-Indexing
As an example, we now construct a model of a programming language with higher-order store and recursive types entirely inside the internal logic of S.There are two points we wish to make here.First, although the programming language is quite expressive, the internal model looks-almost-like a naive, set-theoretic model.The exception is that guarded recursion is used in a few, select places, such as defining the meaning of recursive types, where the naive approach would fail.Second, when viewed externally, we recover a standard, step-indexed model.This example therefore illustrates that the topos of trees gives rise to simple, synthetic accounts of step-indexed models.
All definitions and results in Sections 3.1 to 3.4 are in the internal logic of S. In Section 3.5 we investigate what these results mean externally.
3.1.Language.The types and terms of F µ,ref are as follows: (The full term language also includes sum types, and can be found in Appendix A.) Here l ranges over location constants, which are encoded as natural numbers.
More explicitly, the sets OType and OTerm of possibly open types and terms are defined by induction according to the grammars above (using that toposes model W -types [28]), and then by quotienting with respect to α-equivalence.
The set OValue of syntactic values is an inductively defined subset of OTerm: Let Term and Value be the subsets of closed terms and closed values, respectively.Let Store be the set of finite maps from natural numbers to closed values; this is encoded as the set of those finite lists of pairs of natural numbers and closed values that contain no number twice.Finally, let Config = Term × Store.
The typing judgements have the form Ξ | Γ ⊢ t : τ where Ξ is a context of type variables and Γ is a context of term variables.The typing rules are standard and can be found in Appendix A. Notice, however, that there is no context of location variables and no typing judgement for stores: we only need to type-check terms that can occur in programs.

Operational semantics.
We assume a standard one-step relation step : P(Config × Config) on configurations by induction, following the usual presentation of such relations by means of inference rules (see, e.g., the online appendix to [13]).For simplicity, allocation is deterministic: when allocating a new reference cell, we choose the smallest location not already in the store.Notice that the step relation is defined on untyped configurations.Erroneous configurations are "stuck." So far, we have defined the language and operational semantics exactly as we would in standard set theory.Next comes the crucial difference.We use Theorem 2.9 to define the predicate eval : Intuitively, the predicate Q is a post-condition, and eval(t, s, Q) is a partial correctness specification, in the sense of Hoare logic, meaning the following: (1) The configuration (t, s) is safe, i.e., it does not lead to an error.( 2) If the configuration (t, s) evaluates to some pair (v, s ′ ), then at that point in time (v, s ′ ) satisfies Q.We shall justify this intuition in Section 3.5 below.The use of ✄ ensures that the predicate is well-defined; in effect, we postulate that one evaluation step in the programming language actually takes one unit of time in the sense of the internal logic.As we shall see below, this "temporal" semantics is essential in the proof of the fundamental theorem of logical relations.Notice how guarded recursion is used to give a simple, coinduction-style definition of partial correctness.The Löb rule can then be conveniently used for reasoning about this definition.For example, the rule gives a very easy proof that if (t, s) is a configuration that reduces to itself in the sense that step((t, s), (t, s)) holds, then eval(t, s, Q) holds for any Q.The Löb rule also proves the following results, which are used to show the fundamental theorem below.
Then for all t and s we have that eval(t, s, Q) implies eval(t, s, Q ′ ).Proposition 3.2.For all stores s, all terms t, all evaluation contexts E such that E[t] is closed, and all predicates

Definition of Kripke worlds.
The main idea behind our interpretation of types is as in [5,8]: Since F µ,ref includes reference types, we use a Kripke model of types, where a semantic type is defined to be a world-indexed family of sets of syntactic values.A world is a map from locations to semantic types.This introduces a circularity between semantic types T and worlds W, which can be expressed as a pair of domain equations: W = N → fin T and T = W → mon P(Value).
Rather than solving the above stated domain equations exactly, we solve a guarded variant.More precisely, we define the set Here N → fin X is the set A : P fin (N ) X A where P fin (N ) = {A ⊂ N | ∃m∀n ∈ A. n < m}.The set A : P fin (N ) X A is ordered by graph inclusion and → mon is the set of monotonic functions realized as a subset type on the function space.
The type T can be seen to be well-defined as a consequence of the theory of Section 4, in particular Proposition 4.10.Alternatively, observe that the corresponding functor is of the form F = ◮ • G.Here G is strong because its action on morphisms can be defined as a term Y X → GY GX in the internal logic.Now, since ◮ is locally contractive so is F .Hence by Theorem 2.14, F has a unique fixed point T , with an isomorphism i : T → F ( T ).We define and T c = W → P(Term).Notice that T is isomorphic to ◮ T .We now define app : T → T and lam : T → T as follows.First, app is the isomorphism i composed with the operator d : ◮ T → T given by where J is the map in (2.1) and succ : ◮ Ω → Ω is as defined on page 6. (This is a general way of lifting algebras for ◮ to function spaces.)Here one needs to check that d is welldefined, i.e., preserves monotonicity.Second, lam : We show some cases of the definition here; the complete definition can be found in Appendix A.2.
Here the operations comp : T → T c and states : W → P(Store) are given by Notice that this definition is almost as simple as an attempt at a naive, set-theoretic definition, except for the two explicit uses of ✄.In the definition of [[µα.τ]], the use of ✄ ensures that the fixed point is well-defined according to Theorem 2.9.As for the definition of [[ref τ ]], the ✄ is needed because we have ✄ instead of the identity in Lemma 3.3.In both cases, the intuition is the usual one from step-indexing: since an evaluation step takes a unit of time, it suffices that a certain formula only holds later.
Proof.To show this, one first generalizes to open types and open terms in the standard way, and then one shows semantic counterparts of all the typing rules of the language.See Appendix A.3.To illustrate the use of ✄, we outline the case of reference lookup: To show this, we unfold the definition of comp.Let s ∈ states(w) be given; we must show By the assumption that v ∈ [[ref τ ]]∅(w), we know that v = l for some location l such that l ∈ dom(w) and app(w(l))(w 1 ) = ✄([[τ ]]∅)(w 1 ) for all w 1 ≥ w.Since s ∈ states(w), we know that l ∈ dom(s) = dom(w) and s(l) ∈ app(w(l))(w).We therefore have step((!v,s), (s(l), s)).
Hence, by unfolding the definition of eval in (3.1) and using the rules from Proposition 2.7, it remains to show that ∃w 3.5.The view from the outside.We now return to the standard universe of sets and give external interpretations of the internal results above.One basic ingredient is the fact that the constant-presheaf functor ∆ : Set → S commutes with formation of W -types.This fact can be shown by inspection of the concrete construction of W -types for presheaf categories given in [28].Let OType ′ and OTerm ′ be the sets of possibly open types and terms, respectively, as defined by the grammars above.Similarly, let Value ′ , Store ′ , Config ′ , and step ′ be the external counterparts of the definitions from the previous sections.This result essentially says that the external interpretation of the step relation is worldindependent, and has the expected meaning: for all n we have that n |= step((t ′ , s ′ ), (t ′ , s ′ )) holds iff (t, s) actually steps to (t ′ , s ′ ) in the standard operational semantics.We next consider the eval predicate: Proposition 3.6.n |= eval(t, s, Q) iff the following property holds: for all m < n, if (t, s) Using this property and the forcing semantics from Section 2.4, one obtains that the external meaning of the interpretation of types is a step-indexed model in the standard sense.In particular, note that an element of P(Value)(n) can be viewed as a set of pairs (m, v) of natural numbers m ≤ n and values which is downwards closed in the first component.
3.6.Discussion.For simplicity, we have just considered a unary model in this extended example; we believe the approach scales well both to relational models and to more sophisticated models for reasoning about local state [2,7,12].In particular, we have experimented with an internal-logic formulation of parts of [7], which involve recursively defined relations on recursively defined types.
As mentioned above, the operational semantics of this example was for simplicity chosen to be deterministic.We expect that one can easily adapt the approach presented here to non-deterministic languages.For that, the evaluation predicate must be changed to quantify universally (rather than existentially) over computation steps, and errors must explicitly be ruled out, as in: eval As mentioned in the Introduction, in [5] the recursive equation for T was solved in the category CBUlt of ultrametric spaces.Using the space T the model was then defined in the usual universe of sets in the standard, explicit step-indexed style.Here instead we observe that the relevant part of CBUlt is a full subcategory of S (Section 5), solve the recursive equation in S, and then stay within S to give a simpler model that does not refer to step indices.In particular, the proof of the fundamental theorem is much simpler when done in S.

Dependent Types
Since S is a topos it models not only higher-order logic over simple type theory, but also over dependent type theory.The aim of this section is to provide the semantic foundation for extending the dependent type theory with type constructors corresponding to ◮ and guarded recursive types, although we postpone a detailed syntactic formulation of such a type theory to a later paper.
Recall that dependent types in context are interpreted in slice categories, 5 in particular a type Γ ⊢ A is interpreted as an object of S/[[Γ]].To extend the interpretation of dependent type theory with a type constructor corresponding to ◮, we must therefore extend the definition of ◮ to slice categories.We first recall the construction of the category of elements for presheaves over partial orders.For B a partial order, we write B for the category of presheaves over B, i.e., category of functors and natural transformations from B op to Set.Note that if one applies this construction to an object X of S one gets a forest X: the roots are the elements of X(1) the children of the roots are the elements of X(2) and so on.Indeed any forest is of the form X for some X in S. Proof.This is a standard theorem of sheaf theory [27, Ex.III.8], and we just recall one direction of the equivalence.An object p X : X → I of the slice category B/I corresponds to the presheaf that maps (b, i Thus we conclude that the slices of S are of the form presheaves over a forest.

Generalising ◮ to slices.
There is a simple generalisation of the ◮ functor from S to presheaves over any forest I: if X is a presheaf over I then In Section 8 we shall see how to generalise this even further.
The map next X : X → ◮ I X is represented by the following natural transformation in I: The fixed point combinator also generalizes to slices.Indeed, if f : X → X in I is contractive, in the sense that there exists a g : ◮ I X → X such that f = g • next, then we can construct a fixed point of f (i.e., a natural transformation 1 → X) by: This construction generalises to a fixed point combinator fix X : (◮ I X → X) → X satisfying the properties of the global fixed point operator described in Theorem 2.4.
One could have also taken the pullback diagram of Proposition 4.3 as a definition of ◮ I , and indeed we do so in our axiomatic treatment of models of guarded recursion in Section 6.
The definition above allows us to consider ◮ as a type constructor on dependent types, interpreting The following proposition expresses that this interpretation of ◮ behaves well wrt.substitution.Proposition 4.4.For every u : J → I in S there is a natural isomorphism u * •◮ I ∼ = ◮ J •u * .As a consequence, the collection of functors (◮ I ) I∈S define a fibred endofunctor on the codomain fibration.Moreover, next defines a fibred natural transformation from the fibred identity on the codomain fibration to ◮.
We remark that each ◮ I has a left adjoint, but in Section 6.1 we prove that this family of left adjoints does not commute with reindexing.As a consequence, it does not define a well-behaved dependent type constructor.4.3.Recursive dependent types.Since the slices of S are cartesian closed, the notions of strong functors and locally contractive functors from Definition 2.12 also make sense in slices.Thus we can formulate a version of Theorem 2.14 generalised to all slices of S. The next theorem does that, and further generalises to parametrized domain equations, a step necessary for modelling nested recursive types.
For the statement of the theorem recall the symmetrization F : Theorem 4.5.Let F : ((S/I) op × S/I) n+1 → S/I be strong and locally contractive in the (n + 1)th variable pair.Then there exists a unique (up to isomorphism) We postpone the proof of this theorem to Section 8, where we prove the existence of solutions to recursive domain equations for a wider class of categories and functors.
One can prove that the fixed points obtained by Theorem 4.5 are initial dialgebras in the sense of Freyd [15][16][17].This universal property generalises initial algebras and final coalgebras to mixed-variance functors, and can be used to prove mixed induction / coinduction principles [31].
The formation of recursive types is well-behaved wrt.substitution:

❄
For the moment, our proof of Proposition 4.6 is conditional on the existence of unique fixed points, i.e., we prove that if Fix F and Fix G exist, then they make the required diagram commute up to isomorphism.
and so we conclude u * Fix F ( X, Y ) ∼ = Fix G(u * ( X, Y )) 4.4.A higher order dependent type theory with guarded recursion.In this section we sketch a type theory for guarded recursive types in combination with dependent types and explain how it can be interpreted soundly in S. Since the type theory is an extension of standard higher-order dependent type theory, which can be interpreted in any topos, we focus on the extension to guarded recursion, and refer to [23] for details on dependent higherorder type theory and its interpretation in a topos.This section is meant to illustrate how the semantic results above can be understood type theoretically; we leave a full investigation of the syntactic aspects of the type theory to future work.
Recursive types are naturally formulated using type variables, and thus we allow types to contain type variables.Hence our type judgements live in contexts Γ that can be formed using the rules below () : Ctx Γ ⊢ τ : Type (Γ, x : τ ) : Ctx Γ : Ctx (Γ, X : Type) : Ctx Type variables can be introduced as types using the rule Γ : Ctx X : Type ∈ Γ Γ ⊢ X : Type The exchange rule of dependent type theory should be extended to allow a type variable X to be exchanged with a term variable x : σ if X does not appear in σ.
Dependent products and sums and subset types are added to the type theory in the usual way [23], but we also add a special type constructor called ◮ which acts as a functor.The rules are Γ ⊢ τ : Type τ and the external equality rules include equations expressing the functoriality of ◮.Moreover, we add, for each pair of types σ, τ in the same context, a term of type ◮ σ × ◮ τ → ◮(σ ×τ ) plus equations stating that this is inverse to The natural transformation next is introduced as follows: Γ ⊢ τ : Type Γ ⊢ next τ : τ → ◮ τ plus equality rules stating that next τ is natural in τ (i.e., next σ • u = ◮(u) • next τ ).We omit term formation rules for fixed point terms.
We now introduce the notion of functorial contractiveness which will be used as a condition ensuring well-formedness of recursive types.The definition is a syntactic reformulation of the semantic notion of local contractiveness.
A type τ is functorial in X if there is some way to split up the occurences of the variables X in τ into positive and negative ones, in such a way that τ becomes a functor expressible in the type theory.Above, and in the exact definition below we use vectors X to denote vectors of type variables and use x : σ to denote vectors of typing assumptions of the form x 1 : σ 1 . . .x n : σ n .An assumption of the form f : Definition 4.7.Let Γ, X : Type ⊢ τ : Type be a valid typing judgement.We say that τ is functorial in X if there exists some other type judgement Γ, X : Type, Y : Type ⊢ τ ′ : Type and a term and such that st is functorial in the sense that st( id, id) = id, st( f The definition of τ being contractively functorial in X is similar, except that the strength st( f , g) must be defined for f : ◮( X + → X − ), g : ◮( Y − → Y + ).To make sense of functoriality write f ′ • f for the composite applied to f ′ and f .Definition 4.8.Let Γ, X : Type ⊢ τ : Type be a valid typing judgement.We say that τ is contractively functorial in X if there exists some other type judgement Γ, X : Type, Y : Type ⊢ τ ′ : Type and a term such that τ ′ ( X, X) = τ , and such that st is functorial in the sense that st( id, id) = id, st( f Lemma 4.9.If τ is contractively functorial in X then it is also functorial in X.
We now give the introduction rule for recursive types Γ, X : Type ⊢ τ : Type τ contractively functorial in X Γ ⊢ µX.τ : Type As usual, there are associated term constructors fold M and unfold M that mediate between the recursive type and its unfolding together with equations expressing that fold and unfold are each others inverses.
There is a rich supply of types contractively functorial in X as can be seen from the following proposition.Proposition 4.10 is stated compactly, and some of the items in fact cover two statements.For example, item (4) states that if σ is functorial, so are i : I σ and i : I σ and if σ is contractively functorial so are i : I σ and i : I σ.Proposition 4.10.Let X be type variables and let σ, τ be types (1) any type variable X is functorial in X (2) if X do not appear in σ then σ is contractively functorial in X (3) if σ and τ are both (contractively) functorial in X so are σ → τ and σ × τ (4) if σ is (contractively) functorial in X and X do not appear in I then i : I σ and i : I σ are both (contractively) functorial in X (5) If σ is (contractively) functorial in X (witnessed by σ ′ and st σ ) and φ is a predicate on σ Proof.The proof is a standard construction of functors from type expressions, and we just show a few examples.For (3) if σ ′ and τ ′ along with st σ and st τ witness that σ and τ are functorial, then σ ′ ( Y , X) → τ ′ along with st σ→τ ( f , g) defined as witness that σ → τ is functorial.
For (4) the assumption gives us a type σ ′ plus a term and we can define st i : I σ ( f , g) as λx : (This uses the exchange rule mentioned earlier.)For item 5 the assumption is exactly the condition needed to show that st σ ( f , g) restricts to a term of the type To allow for nested recursive types, one needs to prove that if σ is functorial in X and contractively functorial in Y , then µY.σ is functorial in X.In the type theory sketched above this is not provable because in general st µY.σ ( f , g) is not definable, but as we shall see when we sketch the interpretation of the type theory, it is safe to add st µY.σ as a constant, together with appropriate equations, such that nested recursive types can in fact be defined.
Remark 4.11.The rules for well-definedness of recursive types are complicated because of the subset types, which require explicit mention of the syntactic strength st.Alternatively, one could give a simple grammar for well-defined recursive types not including subset types, but including nested recursive types not mentioning st, and then show how to interpret these by inductively constructing the contractive strength in the model.We chose the above approach because it is more expressive and because the subset types are needed in applications as illustrated in Section 3.3.

4.5.
Interpreting the type theory.The interpretation of an open type Γ ⊢ σ : Type is defined modulo an environment mapping the type variables in Γ to semantic types, i.e., objects in slice categories.Precisely, if Γ is of the form Γ ′ , X : Type, Γ ′′ then ρ should map X to an object of S/[[Γ ′ ]] ρ ′ where ρ ′ is the restriction of ρ to the type variables of Γ ′ .The interpretation of open types is defined by induction and most of the cases are exactly as in the usual interpretation of dependent type theory [23], and we just mention the new cases.The interpretation of a type variable introduction is defined as [[Γ ′ , X : Type, Γ ′′ ⊢ X : Type]] = p * Γ,Γ ′ (ρ(X)), where p Γ,Γ ′ denotes the projection For the interpretation of recursive types, note that for every type Γ, X ⊢ σ : Type functorial in X and every environment ρ mapping the free type variables in Γ to semantic types, one can define a strong functor of the type as follows.Assuming that the functoriality of σ is witnessed by σ ′ and st as in Definition 4.7, the action of [[σ]] ρ on objects is defined by the interpretation of σ ′ .Given objects Similarly, if σ is functorial in the n first type variables and contractively functorial in the last one then the interpretation of the witness st defines a strong functor which is locally contractive in the last variable and so we can define [[µX.τ]] ρ = Fix ([[τ ]] ρ ) using the fixed point given by Theorem 4.5.
There is a question of well-definedness here, since the fixed point of [[σ]] ρ a priori could depend on the choice of σ ′ and st.The uniqueness of the fixed point of Theorem 4.5, however, ensures that even for different such choices, the resulting [[σ]] ρ will be isomorphic.Usually, σ comes with a canonical choice of σ ′ and st as given by Proposition 4.10.
As mentioned earlier, for allowing nested recursive types in the type theory we need to add constants of the form st µY.σ ( f , g).Having sketched the interpretation of the type theory we can now see that it is safe to do so: st µY.σ ( f , g) can be interpreted using the strength of Fix [[σ]] ρ which exists by Theorem 4.5.4.6.On Coherence.Above, we have worked in the codomain fibration and ignored coherence issues, i.e., the fact that the codomain fibration and the associated fibred functors needed for the interpretation of the type theory are not split.One further advantage of the concrete representation of slices S/I as presheaves over I is that the latter gives rise to a split model.The idea is to form a split indexed category P : S → Cat op , with fibre over I given by P (I) = I, and reindexing P (u : I → J) given by P (u)(X)(n, i) = X(u n (i)).By forming the Grothendieck construction [23] on P one obtains a split fibration Fam(S) → S which is equivalent to the codomain fibration.Then one uses this fibration to interpret the types and terms without free type variables, and uses split fibred functors to interpret open types Γ ⊢ τ : Type.Finally, one checks that the fibred constructs (e.g., right adjoints to reindexing) used to interpret the dependent type theory are split, and that ◮ and the construction of recursive types is also split.The latter essentially boils down to observing that the actual construction of initial algebras in Section 8 is done fibrewise and thus preserved on-the-nose by reindexing.We omit further details.

Relation to metric spaces
Let CBUlt be the category of complete bounded ultrametric spaces and non-expansive maps.
In [5][6][7][8]34] only those spaces that were also bisected were used: a metric space is bisected if all non-zero distances are of the form 2 −n for some natural number n ≥ 0. Let BiCBUlt be the full subcategory of CBUlt of bisected spaces, and let BiUlt be the category of all bisected ultrametric spaces (necessarily bounded).
Let tS be the full subcategory of S on the total objects.

Proposition 5.1.
There is an adjunction between BiU lt and S, which restricts to an equivalence between tS and BiCBUlt, as in the diagram: Proof sketch.The functor F : BiUlt → S is defined as follows.A space (X, d) ∈ BiUlt gives rise to an indexed family of equivalence relations by x = n x ′ ⇔ d(x, x ′ ) ≤ 2 −n , which can then be viewed as a presheaf: at index n, it is the quotient X/(= n ), see, e.g.[10].One can check that F in fact maps into tS and that F has a right adjoint that maps into BiCBUlt.
The right adjoint maps a variable set into a metric space on the limit of the family of variable sets; the metric expresses up to what level elements in the limit agree.The left adjoint from BiU lt to BiCBUlt is given by the Cauchy-completion.
Proposition 5.2.A morphism in BiCBUlt is contractive in the metric sense iff it is contractive in the internal sense of S.
The later operator on S corresponds to multiplying by 1 2 in ultra-metric spaces, except on the empty space.Specifically, F ( 1 2 X) is isomorphic to ◮(F X), for all non-empty X.For ultra-metric spaces, the formulation of existence of solutions to guarded recursive domain equations has to consider the empty space as a special case.Here, in S, we do not have to do so, since ◮ behaves better than 1  2 on the empty set.

General models of guarded recursive terms
Having presented the specific model S we now turn to general models of guarded recursion.
We give an axiomatic definition of what models of guarded recursion are, and in Section 8 we show that S is just one in a large class of models.We start by defining a notion of model of guarded recursive terms, and showing that the class of such models is closed under taking slices.This result is not only of interest in its own right, but also needed for showing that the general models of Section 8 model guarded recursive dependent types.Definition 6.1.A model of guarded recursive terms is a category E with finite products together with an endofunctor ◮ : E → E and a natural transformation next : id → ◮ such that • for every morphism f : ◮ X → X there exists a unique morphism h : 1 → X such that f • next • h = h.• ◮ preserves finite limits Lemma 6.2.If E models guarded recursive terms then ◮ is strong.
Proof.Using next one can define a strength for ◮ as the composite The notion of contractive morphism as well as Lemma 2.3 and Theorem 2.4 generalises directly to the current setting.Theorem 6.3.If E is a locally cartesian closed model of guarded recursive terms, then so is every slice of E.
To prove Theorem 6.3 we must first show how to generalise ◮ to slices.We do this by taking the pullback diagram of Proposition 4.3 as a definition of ◮ I X.In other words we define ◮ I as the composite where the first functor maps p X : X → I to ◮(p X ) : ◮ X → ◮ I and the second is given by pullback along next.Recall that next * has a left adjoint next mapping p Y : Y → I to next • p Y and so preserves limits.It is easy to see that also the first functor of (6.1) preserves finite limits because ◮ does, and thus we have the following: Lemma 6.4.The functor ◮ I : E/I → E/I preserves finite limits.
We define next I : p Y → p ◮ I Y in the slice over I as indicated in the diagram below Y It is easy to show that next I is a natural transformation.
The following proposition states that ◮ defines a fibred functor and hence can serve as a type constructor in the dependent type theory of E. Proposition 6.5.For every u : J → I in E the following diagram commutes up to isomorphism As a consequence, the collection of functors (◮ I ) I∈E define a fibred endofunctor on the codomain fibration.
Proof.We can write the diagram as a composite as below.
The square on the left commutes because ◮ preserves pullbacks, the one on the right follows from the naturality square for next.
Proposition 6.6.The collection of next morphisms defines a fibred natural transformation from the fibred identity on the codomain fibration to ◮: A fibred natural transformation between fibred functors is a natural transformation with vertical components.The components of next are clearly vertical, but we must show that next defines a natural transformation between the two functors on the total category E → .So consider a morphism in E → from Y → I to X → J, and write it as a composition of a vertical morphism g and a cartesian morphism f .We must verify naturality diagrams for next with respect to f and g.Naturality wrt.g is just naturality of next as a functor E/I → E/I, and naturality wrt.f can be verified by a diagram chase that we omit.
It remains to prove the existence (and uniqueness) of fixed points in slices.We do that by reducing those to global fixed points.In the next lemma we use internal language notation, writing i : I X i for the functor applied to an object p X : X → I, where !: I→1 is the right adjoint to ! * , and using similar notation for the result of applying the same functor to morphisms.Lemma 6.7.Suppose that f : p X → p Y is a contractive morphism in slice E/I.Then As a consequence any contractive endomorphism in E/I has a unique fixed point.

Proof.
The assumption gives us a g such that f = g • next and from that we can derive a factorisation of i : I f i as Writing π i for the term i : I ⊢ λx : i : I X i .xi : X i the adjoint correspondent of (6.2) can be expressed in the internal language of E as which is simply naturality of next.This sketch in the internal language can be turned into a formal diagrammatic argument.Now, it is easy to see that if f is an endomorphism then there is a bijective correspondence between fixed points of i : I f i in the global sense, and fixed points of f in the slice.
Proof of Theorem 6.3.We have seen how every slice of E has an endofunctor ◮ I and a natural transformation next : id → ◮ I , and we have seen that ◮ I preserves finite limits (Lemma 6.4).Lemma 6.7 gives existence of the needed fixed points.

6.1.
A left adjoint to ◮.In our model S, the functor ◮ has a left adjoint ◭ mapping the presheaf X(1) ← X(2) ← X(3) ← . . . to the presheaf X(2) ← X(3) ← X(4) ← . . . .Moreover, ◭ preserves limits and so ◭ ⊣ ◮ defines a geometric morphism from S to itself, in fact it is an embedding.Hence ◮ I , as defined in (6.1), has a left adjoint ◭ I because next * has a left adjoint next and also ◮ : E/I → E/ ◮ I has a left adjoint defined by mapping p X : X → ◮ I to its adjoint correspondent ◭ X → I.
Even though ◭ preserves limits, ◭ I does not.The simplest counter example is that of the terminal object id I of E/I which is mapped to the adjoint correpondent prev : ◭ I → I of next : I → ◮ I. So, in particular, ◭ I ⊣ ◮ I does not define a geometric morphism.
We choose not to take ◭ as part of the basic structure of a model of guarded recursion because ◭ in S does not define a fibred functor, and so it cannot be used in an internal language based on dependent type theory.To see why, observe that if f : J → I then ◭ J f * (id I ) ∼ = ◭ J (id J ) = prev J and f * ◭ I (id I ) = f * prev I , and these two are in general not isomorphic.
Observe also that ◮ does not preserve dependent products, i.e., the diagram does not in general commute.The reason is that the diagram obtained by taking left adjoints to all functors above is the diagram stating that ◭ is a fibred functor, which we have just established does not commute.
6.2.An operation on predicates.We now assume that E is a topos modelling guarded recursion and we shall see how to obtain the principle of Löb induction in E.
As we have seen, ◮ X preserves limits, hence monos, and thus defines a map ✄ : Sub(X) → Sub(X) for all X, which is easily seen to be order preserving.The term next X verifies that m ≤ ✄ m.As a consequence of Proposition 6.5 this family is natural in X and thus, by the usual Yoneda argument, it corresponds to an operation on propositions ✄ : Ω → Ω.We now embark on proving the following theorem.To prove the theorem, we need a few lemmas.The first describes the action of ✄ : Sub(X) → Sub(X) as an action on characteristic maps.Lemma 6.9.Let m : M → X be a mono and let χ m : X → Ω be its characteristic map.Then succ • ◮ χ m • next is the characteristic map of ✄(m), where succ : ◮ Ω → Ω is the characteristic map of the mono ◮ ⊤ : ◮ 1 → ◮ Ω.

Proof. Consider the diagram
All the squares are pullbacks, and so also the outer square is a pullback, which proves the lemma.
Subobjects of X correspond to morphisms X → Ω which in turn correspond to global elements of Ω X .As a consequence of Lemma 6.9, the operation ✄ on subobjects corresponds to composing the global elements with the morphism Ω X → Ω X mapping χ m to succ•◮ χ m • next.Since this morphism is contractive, it has a unique fixed point.Corollary 6.10.Let m be a subobject of X.If ✄(m) ≤ m then m is the maximal subobject.
Proof of Theorem 6.8.The principle is proved using Joyal-Kripke semantics, see [26,Thm 8.4].Using items (7) and ( 6) of the referenced theorem, it suffices to show that for any X and any f : X → Ω, if the map λx : X. ✄ f (x) → f (x) factors through ⊤ : 1 → Ω, then so does f .Expressing this using subobjects rather than representable maps, we must show that, for any subobject m of X, if ✄ m → m is the maximal subobject, then so is m.But ✄ m → m is maximal iff ✄ m ≤ m, and so the principle follows from Corollary 6.10.

General models of guarded recursive types
In this section we formulate the most general existence theorem for recursive types in models of guarded recursion.Moreover, we reduce the problem of solving general recursive domain equations to that of solving covariant domain equations using the uniqueness of fixed points in combination with Freyd's theory of algebraic compactness [15][16][17].
Note first that Definition 2.12 of locally contractive functor on our concrete model S, carries over verbatim to general cartesian closed models E of guarded recursive terms.Definition 7.1.A model of guarded recursive types is a cartesian closed model of guarded recursive terms (in the sense of Definition 6.1) E such that every locally contractive functor F : E → E has a fixed point (up to isomorphism).A model of guarded recursive dependent types is a locally cartesian closed category whose slices all are models of guarded recursive types.
As a justification of the above definition we shall prove that fixed points for locally contractive covariant functors give fixed points of general (locally contractive) mixed variance functors.In fact, we state and prove this not only for functors on E, but, more generally, for functors on E-enriched categories.This is in line with classical work on recursive types in O-categories [35] (categories enriched in complete partial orders) and more recent work on recursive types in M -categories [9] (categories enriched in complete bounded ultrametric spaces).
Recall that an E-enriched category C is a collection of objects together with for each pair of objects X, Y of C an E-object Hom C (X, Y ) together with composition morphisms Hom C (X, Y ) × Hom C (Y, Z) → Hom C (X, Z) and morphisms id X : 1 → Hom C (X, X) satisfying commutative diagrams corresponding to the rules for morphism composition in category theory [24].To each enriched category C we can associate a category in the usual sense with the same objects as C and set of morphisms from X to Y all E-morphisms from 1 to Hom C (X, Y ).This category is called the externalisation of C. Given a category C in the usual sense, we say that it is E-enriched if there exists an E-enriched category whose externalisation is C. Any cartesian closed category C is self-enriched: one can take Hom C (X, Y ) to be the exponent Y X .
The notion of locally contractive functor readily generalises to E-enriched categories: if C is E-enriched consider the E-enriched category ◮ C with the same objects as C, homobjects Hom ◮C (X, Y ) = ◮ Hom C (X, Y ), composition given as the composite and identity as next The natural transformation next defines an enriched functor [24] C → ◮ C whose action on objects is the identity and whose action on morphisms is given by next :  Then H is locally contractive in the first variable iff Ĥ : B → D C is locally contractive.
Definition 7.4.An E-enriched category C is contractively complete if any locally contractive functor F : C → C has a fixed point, i.e., an object X such that F X ∼ = X.
The isomorphism F X ∼ = X is an isomorphism in the externalisation of C. Similarly, the notation f : X → Y always refers to morphisms in the external version of C.
We can now state the main theorem.It uses the symmetrization of G of a mixed variance functor G defined in Section 4.3.The proof follows after a brief series of lemmas.
Theorem 7.5.Let E be a model of guarded recursive terms, C be E-enriched and contractively complete, and let F : (C op × C) n+1 → C be locally contractive in the (n + 1)th variable pair.Then there exists a unique (up to isomorphism) locally contractive in all variables, so is Fix F .In particular, the above statement holds for C= E if E is a model of guarded recursive types.Lemma 7.6.Let C be E-enriched and let F : C → C be a locally contractive functor.If X ∼ = F (X), then the two directions of the isomorphism give an initial algebra structure and a final coalgebra structure for F on X.In particular, if Proof.Given an isomorphism f : F X → X and some other algebra g : , which is a contractive endomorphism on Hom C (X, Z) (as F is locally contractive).Since this map has exactly one fixed point, we conclude that there is exactly one algebra homomorphism from f to g.The argument for final coalgebras is similar.
There is also a morphism in E computing the unique mediating homomorphism from the initial algebra.Lemma 7.7.Let C and F be as in Lemma 7.6, and let f : F X → X be an isomorphism.For any Z there exists a morphism k : Hom C (F Z, Z) → Hom C (X, Z) such that ∀g : Hom C (F Z, Z).k(g) • f = g • F (k(g)) holds in the internal language of E.

Proof. Define k to be the fixed point of the map Hom
Lemma 7.8.Let C, D be E-enriched categories and let F : D × C → C be enriched and locally contractive in the second variable.If the functor F (X, −) : C → C has an initial algebra for all X in D, then there is an E-enriched functor µF : D → C mapping X to the carrier of the initial algebra.If, moreover, F is locally contractive in the first variable, then µF is locally contractive.
Proof.The functor µF is defined (as is standard) to map f : X → Y to the unique µF (f ) making the diagram F (X, µF (X)) ✲ µF (X) commute.Now, the enrichment of µF is obtained by composing the morphism Hom D (X, Y ) → Hom C (F (X, µF (Y )), µF (Y )) mapping f to the composite in the bottom line of (7.1) with the morphism of Lemma 7.7.In the case of F being locally contractive in both variables, the first stage of this composite morphism is contractive and so µF becomes locally contractive.
Recall that an initial dialgebra for G : C op × C → C is an initial algebra of G [15][16][17].Proof.If G is locally contractive, so is G. Thence Lemma 7.6 proves that (X, Y ) is an initial dialgebra.To show X ∼ = Y note that the hypothesis of the lemma is symmetric in X and Y , so we may apply what we have just proved to conclude that (Y, X) is an initial dialgebra.By uniqueness of initial dialgebras (X, Y ) ∼ = (Y, X).
We can now give the promised proofs of the main theorem and proposition in this section.
Proof of Theorem 7.5.Consider first the case of n = 0. Recall the functor µF : C op → C from Lemma 7.8 mapping X to the unique fixed point of F (X, −).Define Z to be the unique fixed point of the functor X → F (µF (X), X) and define W = µF (Z).Then F (W, Z) = F (µF (Z), Z) ∼ = Z and F (Z, W ) = F (Z, µF (Z)) ∼ = µF (Z) = W , and so Lemma 7.9 applies giving the unique solution to F and proving that W ∼ = Z.
In the general case of n = 0, Lemma 7.8 applies to give the functor Fix F .
The statement and proof of Proposition 4.6 carries over verbatim from the case of S to the general case of E a model of guarded recursive dependent types.

A class of models of guarded recursion
The aim of this section is to establish a large class of models of guarded recursive dependent types including our main example, the topos S.This involves showing existence of fixed points for locally contractive functors.The special case of S, together with the results of Section 7, prove Theorem 4.5.
The class of models we consider are sheaves over a complete Heyting algebra with a well-founded basis.In this section we assume some familiarity with the basics of complete Heyting algebras and sheaves over such [27].Definition 8.1.A partial order A is well-founded if there are no infinite descending sequences a 0 > a 1 > a 2 > . . .
Here a > a ′ means a ≥ a ′ and a = a ′ as usual.Note that any forest is well-founded.Definition 8.2.Let A be a partial order and let K ⊆ A. Then K is a basis for A if each a ∈ A is a least upper bound of all the base elements below it, i.e. a = {k ∈ K | k ≤ a}.
Example 8.3.If K is a well-founded partial order then the ideal completion Idl(K) consisting of down-closed subsets of K is a complete Heyting algebra and the set In the following we reserve a's and b's for elements of A and k's for elements in K.A sieve B on a in A is just a downward closed subset of {b ∈ A | b ≤ a} and it is covering if B = a.If A is a complete Heyting algebra then this defines a Grothendieck topology, and the corresponding category Sh(A) of sheaves is the full subcategory of presheaves X such that (X( B) → X(b)) b∈B is a limiting cone for all B ⊆ A. We recall the following well-known fact.Collectively Proposition 8.4 and Example 8.3 state that the general class of models we consider include all toposes of the form A for A a well-founded partial order, in particular all slices of S. Theorem 8.5.Let A be a complete Heyting algebra with a well-founded base.Then Sh(A) is a model of guarded recursive dependent types.In particular S and indeed any topos of the form A for A a well-founded partial order is a model of guarded recursive dependent types.
Di Gianantonio and Miculan [10] essentially prove that Sh(A) is a model of guarded recursive terms if A is the set of opens of a topological space with a well-founded basis; here we extend their results to guarded recursive types and, moreover, consider more general models (not necessarily arising from topological spaces).Theorem 8.6.Let A be a complete Heyting algebra with a well-founded basis and let C be a Sh(A)-enriched category.If C is complete (precisely, the externalisation of C is complete in the usual sense) then it is contractively complete.
Note that the notion of completeness assumed for C above is the usual one (rather than the enriched notion of completeness).
In the remainder of this section we prove Theorems 8.6 and 8.5.We start by showing that Sh(A) models guarded recursive terms.The predecessor map induces an endofuntor on the category of presheaves on A; following standard notation, we write p * : A → A for this functor, defined by p * (X) = X • p.We define ◮ : Sh(A) → Sh(A) by ◮ X = a(p * X), where a is the associated sheaf functor.Define next pre : X → p * X by next pre a (x ∈ X(a)) = x| p(a) and define next = a(next pre ) : X → ◮ X for all sheaves X.
Note that next = η • next pre (8.1) where η is the unit of the adjunction a ⊣ I, with I : Sh(A) → A the inclusion of sheaves into presheaves.This can be seen by applying a to both sides of the equation since a fixes maps between sheaves and because a(η) is the identity.
Remark 8.8.The use of the associated sheaf functor a in the definition of ◮ is necessary, because p * X needs not be a sheaf.Consider, for example, the situation where A is the powerset of a 2-element set {a, b}.Then a sheaf is a presheaf X such that X(∅) = 1 and X({a, b}) = X({a}) × X({b}).The map p is So p * X({a, b}) = X({a, b}), but p * X({a}) = p * X({b}) = 1, in particular p * X is in general not a sheaf.On the other hand ◮ X = 1.
We will now show that the above definition of ◮ generalises the definition of ◮ from Section 4.2 on slices of S, see Proposition 8.11 below.For that we first need a lemma: Proof.Since a is left adjoint to the inclusion, the composite sought for is left adjoint to the functor P → P , and it is easy to check that the functor of the lemma satisfies this condition.
Proposition 8.11.Let I be an object of S. The composite which we shall also call ◮ agrees with ◮ I as defined in Section 4.2 Proof.We compute = (a p * P )(↓ (n, i)) = (p * P )(↓ (n, i)) Now, it is easy to see that if n = 1 then p(↓ (n, i)) = ∅ so that ◮ P (1, i) = P (∅) = 1 and and otherwise P (p(↓ (n, i)) which implies the result.
Using the well-founded basis we can reason by well-founded induction over A as the following easy lemma shows.Lemma 8.12.Let φ(a) be a predicate on A. If then φ(a) holds for all a in A.
Proof.First use well-founded induction to conclude that φ(k) holds for all k ∈ K, then use the condition again to conclude that φ(a) holds for all a.
We now aim to show that any morphism f : ◮ X → X has a unique fixed point.Since the associated sheaf functor is left adjoint to the inclusion of sheaves into presheaves such morphisms correspond bijectively to morphisms of presheaves f : p * X → X (where f = f • η), and we shall start by constructing fixed points of morphisms of the latter form.Lemma 8.13.Let X be a sheaf and let f : p * X → X and a ∈ A. Then there exists a unique family (x b ) b≤a such that (1) Proof.The proof is by well-founded induction on a using Lemma 8.12.Thus suppose the lemma holds for all k < a, i.e., for any k < a there exists a unique family (x k,b ) b≤k satisfying the requirements.Note that by uniqueness, if b ≤ k ′ ≤ k then x k,b = x k ′ ,b , so for any b < a we can define x b to be the unique amalgamation of the family (x k,k ) k≤b .This gives us a compatible family (x b ) b<a , i.e., To see that this family also satisfies (2), for all b < a, note that it suffices to show that f It only remains to extend this family with a component x a .By the sheaf condition there is a unique y in X(p(a)) such that y| b = x b .Define x a = f a (y).We must check that the extended family (x b ) b≤a satisfies the conditions, and all that remains to prove is the case of b = a.
For (1) we must show that x a | b = x b for all b < a.
For (2) we branch on whether a = pa or not (using classical reasoning).If pa < a then y = x pa , and we are done.If a = pa then, by the sheaf condition, it suffices to prove that For the proof of uniqueness, we must show that x a as defined above gives the unique extension of (x b ) b<a satisfying the conditions.Again we branch on pa = a or pa < a.In the first case, (1) together with the sheaf condition gives uniqueness and in the second it is (2) that gives uniqueness.Theorem 8.14.If A is a complete Heyting algebra with a well-founded basis then every slice of Sh(A) is a model of guarded recursive terms.
Proof.By Theorem 6.3 it suffices to show that Sh(A) is a model of guarded recursive terms, and for this it remains to show that if f : ◮ X → X, then there exists a unique fix(f The family (x b ) b≤ A given by Lemma 8.13 defines a map fix(f ) : 1 → X: the naturality condition needed to have a map in A is (1) and ( 2) 2) which by (8.1) is equivalent to f • next • fix(f ) = fix(f ).In fact we see that to give a map fix(f ) : 1 → X satisfying the (8.2) is the same as giving a family (x b ) b≤ A and so the uniqueness statement of Lemma 8.13 shows that fix(f ) : 1 → X is the unique such map.8.2.Recursive types in sheaf models.Having proved that Sh(A) models guarded recursive terms, we now show that it models guarded recursive dependent types.We first prove Theorem 8.6 and then show how Theorem 8.5 follows from it.So in the following, let C be a complete Sh(A)-enriched category.
In the technical development it is simpler to work with presheaves and p * than it is to work with sheaves and ◮, so we first reformulate the definition of local contractiveness in terms of p * .Note that we can define p * C in the same way as we defined ◮ C, using p * rather than ◮.This gives us an A-enriched category rather than a Sh(A)-enriched one.Any Sh(A)-enriched category is also A-enriched and so in particular, C and ◮ C are A-enriched.
There is a commutative diagram of A-enriched functors and the following lemma tells us that we can proceed to work with p * and presheaves rather than ◮ and sheaves.Now suppose F : C → C is locally contractive.We will construct a fixed point for F by a sufficiently large induction.To determine the height of the induction we start by assigning to each element a of A an ordinal by well-founded induction on a.We use ordinals (rather than just the elements of A) to get a linear diagram to take limits over when constructing the fixed point for F .We shall use p : Ord( A) → Ord( A) defined as p(α) = {β | β < α}.
In the following we distinguish notationally between ordinals and elements of A by using Greek letters for the former and latin letters for the latter.
Next we generalise the notion of n-isomorphism of Lemma 2.15.Recall that a morphism f : X → Y in C is the same as a morphism 1 → Hom C (X, Y ) in Sh(A), which is the same as a family (f a ) a∈A with f a ∈ Hom C (X, Y ) a such that f a | b = f b for all a and b ≤ a.We say that f a is an isomorphism if there exists g a ∈ Hom C (X, Y ) a such that comp a (f a , g a ) = id a and comp a (g a , f a ) = id a .In the following we shall simply write f a • g a for comp a (g a , f a ).Definition 8.18.Let f : X → Y be a morphism in C, let a ∈ A and let α be an ordinal.We say that f is an a-isomorphism if for all b ≤ a the component f b is an isomorphism.We say that f is an α-isomorphism if it is a b-isomorphism, for all b such that Ord(b) ≤ α.Lemma 8.19.Let F : C → C be locally contractive, and suppose f : X → Y is a bisomorphism for all b < a. Then F f is an a-isomorphism.As a consequence, F f is an α-isomorphism if f is a β-isomorphism, for all β < α, or, equivalently, if f is a p(α) isomorphism.
Proof.Formulating the assumption of local contractiveness using the equivalent condition of Lemma 8.15 we get maps H X,Y : p The functoriality conditions on H are commutative diagrams in A. These amount to the following equations required to hold for each ) is an inverse of F (f ) b , for all b ≤ a.For the last statement, suppose f is a β-isomorphism for all β < α, and suppose Ord(a) ≤ α.We must show that F f is an a-isomorphism.By what we have just proved, it suffices to show that f is a b-isomorphism, for all b < a, and for this, by the sheaf property, it suffices to show that f is a k-isomorphism, for all k < a, k ∈ K.But this is true because Ord(k) < Ord(a) ≤ α.
Remark 8.20.The strengthening of the definition of locally contractive functor compared to the definition used in the conference version of this paper [4] was introduced in order to make Lemma 8.19 true, also with the weaker notion of a-isomorphism used here.Without the requirement of functoriality of H, equation ( 8 We construct, by well-founded induction, for every α ≤ Ord( A) a C-object X α and maps φ Precisely, each α is an ordered set and so can be considered a category.We define X α as the limit of a diagram indexed over α mapping an inequality β ′ ≤ β < α to F (π β,β ′ ) : F (X β ) → F (X β ′ ).
Proof of Theorem 8.21.The theorem is proved by induction on α, but the induction hypothesis must be strengthened with the following two statements.
We now give the induction steps of the inductive proof, proving each part of the induction hypothesis in turn.
We will now show that φ α is an α-isomorphism.Consider the following commutative diagram lim Since (1) and (2) state that both projections π β are β-isomorphisms and by induction hypothesis φ β is a β-isomorphism, also lim β ′ <α φ β ′ must be a β-isomorphism.Since this holds for all β < α, by Lemma 8.19 also F (lim β<α φ β ) must be an α-isomorphism.Now, consider the diagram F ( lim It only remains to show that the vertical map is an α-isomorphism.By induction hypothesis (2) the maps F (π β ) and π β are γ-isomorphisms for any γ such that pγ ≤ β.Since this holds for all β, the vertical map is a {γ | pγ < α}-isomorphism, and we conclude by Lemma 8.23.
Proof of Theorem 8.6.We must show that any locally contractive endofunctor F : C → C has a fixed point, but Theorem 8.21 gives such a fixed point.
For Theorem 8.5 it remains to show that any slice of Sh(A) is a model of guarded recursive types.We do that by reducing to Theorem 8.6, using the fact that slices of Sh(A) are all Sh(A)-enriched.Indeed this holds for any locally cartesian closed category E, because one can take as homobject from p X to p Y the object i : I Y i X i (using internal language notation as in Lemma 6.7).Since each slice E/I is also self-enriched, this gives us two possible notions of local contractiveness.The next lemma states a relation between the two.Lemma 8.24.Let E be a locally cartesian closed model of guarded recursive terms, and let F : E/I → E/I be a functor.If F is locally contractive in the E/I-enriched sense then it is also locally contractive in the E-enriched sense.
Proof.The assumption gives an E/I-enrichment of F as a composite Lemma 6.7 then tells us that each i : I F X i ,Y i is contractive in the E-enriched sense.To show that F is locally contractive in the E-enriched sense one must check that the derived witness of contractiveness commutes with composition and identity, but this follows from naturality of the morphism ◮ i : I X i → i : I ◮ X i used in Lemma 6.7.
Proof of Theorem 8.

Conclusion and Future Work
We have shown that the topos of sheaves over a complete Heyting algebra with a wellfounded basis, in particular S, the topos of trees, provides a model for an extension of higherorder logic over dependent type theory with guarded recursive types and terms.Moreover, we have argued that this logic provides the right setting for the synthetic construction of step-indexed models of programming languages and program logics, by constructing a model of the programming language F µ,ref in the logic.
In this paper we have focused solely on guarded recursion.As future work, it would be interesting to study further the connections between guarded and unguarded recursion in S. For example, it might be possible to show the existence of recursive types in which only negative occurrences of the recursion variable were guarded.
We plan to make a tool for formalized reasoning in the internal logic of S. We have conducted some initial experiments by adding axioms to Coq and used it to formalize some of the proofs from [7] involving recursively defined relations on recursively defined types.These experiments suggest that it will be important to have special support for the manipulation of the isomorphisms involved in recursive type equations, such as the coercions and canonical structures of [18].An alternative approach, inspired by the conference version of the present paper, has recently been proposed by Jaber et.al. [22], who show how to internalize the construction of the topos of trees in Coq and thus model guarded recursive types.Future work includes investigating how easy or difficult it is in practice to develop and work with step-indexed models using that approach.
Future work also includes studying further applications of guarded recursion in connection with step-indexed models.In particular, we plan to give a synthetic account of a recent step-indexed model by the first and third author for a language with countable non-determinism [33].That model uses step-indexing over ω 1 , the first uncountable ordinal, so would naturally live in sheaves over ω 1 .Indeed, this was part of the motivation for generalizing the study of models of guarded recursion from S to general sheaf categories Sh(A).
It could also be interesting to study predicative models of guarded recursive dependent type theory, thus extending the work of Moerdijk and Palmgren [28,29] on "predicative toposes".9.1.Acknowledgments.We thank Andy Pitts and Paul Blain Levy for encouraging discussions.This work was supported in part by grants from the Danish research council (Birkedal and Møgelberg) and from the Carlsberg Foundation (Støvring).
As an immediate corollary of the fundamental theorem we get a type-safety result for the "temporal" semantics given by the eval predicate.This is formulated by means of a trivial post-condition.
Corollary A.2 (Type safety).Assume that ⊢ t : τ holds.Then eval(t, s init , ⊤) holds where s init is the empty store.
Proof.Follows directly from the fundamental theorem (using the empty world ∅ ∈ W) and Proposition 3.1.
This work is licensed under the Creative Commons Attribution-NoDerivs License.To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/or send a letter to Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105, USA, or Eisenacher Strasse 2, 10777 Berlin, Germany

Example 2 . 16 .
Recall the type Str of streams defined concretely in the model in Example 2.1.It can be defined in the internal language using Theorem 2.14, namely as the type satisfying the recursive domain equation Str ∼ = N × ◮ Str .Write i : N ×◮ Str → Str for the isomorphism.(Observe that i m is nothing but the identity function.)Now, we can define the successor function in the internal language as the fixed point of the following contractive function F : (Str → Str ) → (Str → Str ):

4. 1 .
Slice categories concretely.Before defining ◮ I : S/I → S/I we give a concrete description of the slice categories S/I.

Definition 4 . 1 .
Let B be a partially ordered set and let X be a presheaf over B. Define the partially ordered set of elements of X as X = {(b, x) | b ∈ B ∧ x ∈ X(b)} with order defined as (b, x) ≤ (c, y) iff b ≤ c and y| b = x.

Proposition 4 . 2 .
Let B be a partially ordered set and let I be a presheaf over B. Then B/I ≃ I.

Proposition 4 . 3 .
Let p Y : Y → I be an object of S/I.There is a map ◮ I Y → ◮ Y making the diagram below a pullback.

Proposition 4 . 6 .
If ((S/I) op × S/I) n+1 F ✲ S/I ((S/J) op × S/J) n+1 u * ❄ G ✲ S/J u * ❄ commutes up to isomorphism, so does ((S/I) op × S/I) n Fix F ✲ S/I ((S/J) op × S/J) n where the products and exponentials are those of the slice S/[[Γ]] ρ .The interpretation of st defines the strength of [[σ]] ρ , from which the action of [[σ]] ρ on morphisms can be derived in the usual way.

Definition 7 . 2 .
An enriched functor F : D → C is locally contractive if it factors as a composition of enriched functors D next ✲ ◮ D ✲ C Specialising Definition 7.2 to the case of S as self-enriched gives Definition 2.12.Lemma 7.3.

( 1 )
If F : B → C and G : C → D are enriched functors and either F or G is locally contractive also GF is locally contractive.(2) If F : C → D and G : C ′ → D ′ are locally contractive, so is F × G : C × C ′ → D × D ′ .(3) Let H : B × C → D be enriched and suppose the enriched functor category D C exists.

Lemma 7 . 9 .
Let C be E-enriched and G : C op × C → C be a locally contractive functor.If G(X, Y ) ∼ = Y and G(Y, X) ∼ = X thenthe pair (X, Y ) together with the isomorphisms constitute an initial dialgebra for G.In particular (X, Y ) is unique up to isomorphism with this property.Moreover X ∼ = Y .

Proposition 8 . 4 .
If A is a partial order then Sh(Idl(A)) ≃ A.Proof.The equivalence maps X in A to λB. lim b∈B X(b) (we shall write X for this sheaf) and Y in Sh(Idl(A)) to λa.Y (↓ a).

3 )
H b (id p(b) ) = id b (8.4) Now, suppose f : X → Y is a b-isomorphism, for all b < a. Define f −1 p(a) to be the unique amalgamation of (f −1 b ) b<a .Then f p(a) −1 is an inverse to f p(a) : to show f −1 p(a) • f p(a) = id p(a) it suffices to show (f −1 p(a) • f p(a) )| b = id b for all b < a, which is clear since composition commutes with restriction.So f b has an inverse f −1 b for all b ≤ p(a), in particular f p(b) has an inverse, for all b ≤ a. Equations (8.3) and (8.4) then say that H b (f −1 p(b) .3) only holds for families (f b ) b≤p(a) , (g b ) b≤p(a) in the image of next, i.e., families that extend to families (f b ) b≤a , (g b ) b≤a

5 .
We have already shown (Theorem 8.14) that every slice of Sh(A) is a model of guarded recursive terms.It remains to show that any functor F : Sh(A)/I → Sh(A)/I, which is locally contractive in the Sh(A)/I-enriched sense, has a fixed point.Since Sh(A) is complete [27, Prop.III.4.4], its slices Sh(A)/I are also complete and thus the required follows from Theorem 8.6 and Lemma 8.24.
Lemma 8.15.An enriched functor F : C → C is locally contractive iff there exist a Aenriched functor H :p * C → C such that H • next pre = F .Proof.If F is locally contractive and G is a witness of this, we can construct H by precomposing G with η.On the other hand, given H as above we can construct G by applying a to each hom-action of H.