A Cubical Language for Bishop Sets

We present XTT, a version of Cartesian cubical type theory specialized for Bishop sets \`a la Coquand, in which every type enjoys a definitional version of the uniqueness of identity proofs. Using cubical notions, XTT reconstructs many of the ideas underlying Observational Type Theory, a version of intensional type theory that supports function extensionality. We prove the canonicity property of XTT (that every closed boolean is definitionally equal to a constant) using Artin gluing.


Introduction
Little attention has been paid to notions of liberty and fraternity in dependent type theory, but the same cannot be said about equality. Why? To define the typing judgment a : A we must determine which types are equal-because terms of type A may be cast (coerced) to any type A equal to A-but in the presence of dependency, equality of types is contingent on equality of terms. In this way, dependency transmutes term equality from a purely semantic consideration to a core aspect of syntax.
As a practical matter, it is desirable to automate as many of these coercions as possible. To that end, type theorists have spent decades refining decision procedures for type equality modulo e.g., α-, β-, δ-, and certain η-laws [Coq91, Coq96, SH00, HP05, SH06, ACD08, ACP09, AS12, Abe13, AOV17, GSB19]. Unfortunately, not all desirable coercions can be automated-for instance, mathematical equality of functions N → N is famously undecidable. The collection of automated equations in a given type theory is called definitional equality; 1 the more equations are definitional, the less time users must spend providing coercions.
Next, one must determine which coercions, if any, are recorded in terms. A priori, which coercions are recorded is independent of which equations are definitional, but in practice these considerations are inextricably linked-silent coercions along non-definitional 1.1.3. Setoids. Another way to avoid the shortcomings of identity types in ITT is to work in setoids [Hof95], or Bishop sets [Bis67], an exact completion which replaces types by pairs of a carrier type |A| and a type-valued "equivalence relation" = A . Each type former is lifted to setoids extensionally: the setoid of functions (|A|, = A ) → (|B|, = B ) consists of functions f : |A| → |B| equipped with proofs f = : (x, y : |A|) → x = A y → f (x) = B f (y) that they respect equivalence.
The framework of setoids allows users of type theory to ensure their constructions are appropriately extensional, at the cost of manually proving those conditions. In contrast, respect for the identity type is automatic (by its elimination principle) but insufficiently powerful to imply function extensionality. An ideal treatment of equality should, unlike setoids, take advantage of the fact that constructions in type theory do respect function extensionality; syntactically well-behaved examples of this approach include Observational Type Theory, cubical type theory, and XTT, discussed below. Another recent proposal is to translate a type-theoretic language, setoid type theory, into setoids in ITT; however, it is unknown whether this language is complete or enjoys good syntactic properties [ABKT19].
1.1.4. Observational Type Theory. The first systematic account of extensional equality types in intensional type theory was Observational Type Theory (OTT) [AM06,AMS07], which built on earlier work by Altenkirch and McBride [Alt99,McB99]. The main idea of OTT is to consider a closed (inductive-recursive) universe of types, and to define propositional equality and its operations by recursion on type structure. Concretely, for any two types A, B there is a type of proofs that A equals B, and a coercion operation sending these proofs to functions A → B; then, for any a : A and b : B, there is a type of proofs that a heterogeneously equals b, and a coherence operation stating that terms heterogeneously equal their coercions. Propositional equality in OTT satisfies a definitional form of UIP.
Because OTT's equality types are defined by recursion, they will unfold into complex types (reminiscent of the equality relations on setoids) when sufficiently specialized; in XTT, path types do not unfold, but are easily characterized up isomorphism when necessary. In both OTT and XTT, however, any algorithm to check definitional equality of coercions must rely on type constructors being injective up to the equality type, which we have ensured by adding a type-case operator to the universe. Although type-case is acceptable or even desirable in programming [Con82,CZ84,HM95,Dag13], it is not justified by standard interpretations of the universe as a Grothendieck universe.
Observational Type Theory also pioneered the idea that coercions should compute on non-reflexive proofs of equality, a design principle which also plays a significant role in the usability of cubical path types in contrast to standard identity types. Recently, McBride and collaborators have made progress toward a cubical version of OTT based on a different cube category and coercion operation than the ones considered in XTT [CFM18].
We discuss in more detail the relationship to observational type theory, as well as the type-case problem, in Section 8. because two types can be equivalent in several inequivalent ways. Unfortunately, adding univalence to ITT as an axiom results in coercions that are "stuck" on non-reflexive identity proofs, as in the case of adding axioms for function extensionality or UIP.
To address this problem, researchers have developed a number of cubical type theories [CCHM17, ABC + 21, AHH18] whose propositional equality and coercion operations support univalence in a computationally well-behaved way. The core idea is to introduce a judgmental notion of equality proof which is then internalized as the path type.
Concretely, cubical type theories extend type theory with an abstract interval I populated by dimension variables i : I and constant endpoints 0, 1 : I. A type parametrized by a dimension variable i : I A type represents a proof that [0/i]A and [1/i]A are equal types, and a term i : I a : A is a heterogeneous equality proof between [0/i]a : [0/i]A and [1/i]a : [1/i]A. Coercion in cubical type theory is a primitive operation which computes based on the structure of the proof i : I A type, and admits an OTT-style "coherence" operation as a special case. Because cubical type theory defines propositional equality in A using parametrized elements of A, propositional equality automatically inherits the properties of each type and therefore satisfies function extensionality and related principles.
There are several versions of cubical type theory. For instance, the Cubical Agda proof assistant [VMA19] implements a variant of the De Morgan version of cubical type theory [CCHM17], which equips I with negation and binary minimum and maximum operations. Cartesian cubical type theory [ABC + 21, AHH18], implemented in the RedPRL [ACH + 18b] and redtt [ACH + 18a] proof assistants, imposes no further structure on I but requires a stronger coercion operation. In addition, Awodey, Cavallo, Coquand, Riehl, and Sattler [Rie19] have recently proposed an equivariant Cartesian cubical type theory which is homotopically well-behaved, and Cavallo, Mörtberg, and Swan [CMS20] have developed a common generalization of the De Morgan and Cartesian type theories.
1.1.6. Our contribution: XTT. We describe XTT, a type theory without equality reflection whose propositional equality connective satisfies function extensionality and definitional UIP. XTT was introduced in a preliminary version of this work, which appeared in the 4th International Conference on Formal Structures for Computation and Deduction under the title Cubical Syntax for Reflection-Free Extensional Equality [SAG19].
Using ideas from Cartesian cubical type theory, XTT reconstructs the decisive aspects of OTT in a more modular, judgmental fashion. For instance, instead of defining equality separately at each type, we define path types uniformly in terms of dimension variables; similarly, we impose UIP by means of a boundary separation rule which does not mention path types.
Compared to other cubical type theories [CCHM17, ABC + 21, AHH18], XTT has clear advantages and disadvantages. Whereas other cubical type theories have two separate connectives for path types and identity types, XTT's path types strictly satisfy the rules of Martin-Löf's identity types definitionally. In addition, the rules governing composition-the most complex rules of every cubical type theory-are substantially simpler in XTT than in Cartesian cubical type theory. On the other hand, these simplifications are only possible because XTT is concerned with Bishop sets, a specific kind of cubical set analogous to a setoid [Coq17], of which univalent universes and higher inductive types are not instances.
In addition to the XTT calculus, our second contribution is an abstract canonicity proof for XTT using the language of categorical gluing, summarized in Section 1.2.3. equality can have no special status and therefore admits non-trivial interpretations, whereas mathematicians generally require that it be interpreted as mathematical equality.
In the language of category theory, these considerations amount to specifying a category of models of a type theory and exhibiting an initial object in that category. Luckily, the rules of XTT are sufficiently non-exotic as to allow us to obtain its functorial semantics by appealing to general existence theorems [Car86,KKA19,Uem19,Uem21], thereby sidestepping the so-called conjecture of initiality famously raised by Voevodsky [Voe16].
In previous work [SAG19], we specified an early version of XTT's logical semantics by regarding XTT as a generalized algebraic theory (GAT) in the sense of Cartmell [Car86]. Models of GATs determine choices of objects up to equality, and morphisms of models preserve these choices strictly; models of the GAT of type theory thus determine up to isomorphism a category of contexts, and up to equality the context extension. This is a much stronger notion of "category" than can be comfortably manipulated using the language of category theory: universal properties determine object-level structure only up to canonical isomorphism, and category-level structure only up to categorical equivalence ("isomorphism up to isomorphism"). Accordingly, in the GAT discipline, one cannot usually leverage general existence theorems but must instead provide explicit constructions in order to strictly determine and preserve object-level structures.
We advocate for a more categorical viewpoint, in which morphisms of models preserve structures only up to coherent isomorphism. In this paper, following Sterling and Angiuli [SA20], we instantiate Uemura's framework [Uem19] to generate a functorial semantics for XTT; models form a 2-category with a bi-initial object, and morphisms satisfy compatibilities like F (Γ.A) ∼ = F (Γ).F (A) which generalize pseudomorphisms of natural models [CD14,New18]. While it may seem at first that these canonical isomorphisms would incur additional bureaucracy, these weaker morphisms in fact enable us to work much more abstractly, choosing representations of objects only locally and as needed. Consequently, we have managed to avoid nearly all the concrete computations that characterized the technical development of our previous work on XTT [SAG19].
1.2.2. Artin gluing. Many important metatheorems famously cannot be proven by a straightforward induction on the rules of type theory but require instead a more semantic induction principle, such as the method of computability pioneered by Tait for the simply typed λ-calculus [Tai67] and further developed by Girard [Gir71,Gir72], Martin-Löf [ML75b], and others. These methods associate to each type/context a proof-irrelevant predicate or relation over its elements, and then establish that every element satisfies the predicate associated to its type. To prove canonicity, one defines the elements of a type to be its closed terms, and the predicate over · b : bool states that b ⇓ tt or b ⇓ ff where ⇓ is a deterministic evaluation relation contained in judgmental equality.
These techniques have a few major disadvantages in the context of dependent type theory. First, evaluation must be defined on typed terms modulo α-equivalence, not judgmental equality, because evaluation draws distinctions between β-equivalent terms (e.g., tt is an output of evaluation whereas (λx.x)(tt) is not); therefore, evaluation cannot be studied using the machinery of models of type theory. 4 Secondly, the predicate over · A : U should intuitively state that A determines a type and thence a predicate over its elements, but a (proof-irrelevant) predicate for U cannot store the data of a predicate for each A; instead, we define a global lookup table for predicates [All87,Har92], and store in the predicate over · A : U the assertion that A has an entry in the table. However, constructing these type systems requires fixing a collection of types at the outset, making these proofs brittle and difficult to extend.
Recently, type theorists have discovered that these difficulties can be overcome by considering instead proof-relevant predicates [AK16, Coq19,Shu15b], and that the resulting constructions are best understood as instances of Artin gluing [AGV72, Exposé I, Ch. 9]. 5 Gluing-based techniques for type theory are perhaps most developed in the context of weak metatheorems such as homotopy canonicity [KS19,Shu15b] and homotopy parametricity [Uem17], where it suffices to consider mathematically natural notions of model in which substitution does not strictly commute with the constructs of type theory [Joy17]. Canonicity and normalization are also susceptible to gluing arguments, but these arguments have generally relied on explicit constructions and computations rather than leveraging categorical results as in the weak case [Coq19,KHS19]. Subsequent to the writing of this paper, Sterling and Angiuli [SA21] have used proof-relevant logical predicates to establish normalization for cubical type theory, building on Sterling and Harper's observation that such arguments can be carried out in the internal type theory of a gluing model [SH21].
1.2.3. Our contribution. In this paper, we prove a canonicity theorem for XTT stating that any closed term of boolean type in the initial model is judgmentally equal to either tt or ff. Our canonicity proof builds on results of Sterling and Angiuli [SA20] concerning the gluing of models of type theory along a flat functor. We emphasize the conceptual nature of our canonicity proof, which avoids the explicit computations that pervaded both our prior work on XTT [SAG19] and much of the related work.

XTT: a cubical language for Bishop sets
We begin by introducing the XTT language informally ( Figure 1) and sketching how we recover (and improve upon) ordinary type-theoretic equality reasoning for Bishop sets. For the sake of exposition, we elide structural rules, congruence rules, and obvious premises to equational rules; formally, we define XTT as the bi-initial object in a 2-category of models in Section 4, presented by the signature in Uemura's logical framework [Uem19,Uem21] in Section 2.4. Our presentation differs slightly from the original formulation of XTT [SAG19]; we remark on these differences as they appear.
2.1. Judgmental structure of XTT. Like other cubical type theories [CCHM17, ABC + 21, AHH18,RS17], XTT extends the judgmental apparatus of type theory with an abstract interval I and a collection F of face formulas, or propositions ranging over the interval. Neither I nor F are types, but we can extend contexts by assumptions of either sort, in addition to ordinary typing assumptions. (Previously, we collected assumptions of I and F in a separate context Ψ to the left of Γ.) 5 Researchers have been aware of connections between computability predicates and gluing for much longer, but restricted to the fiberwise proof-irrelevant fragment of a gluing category [MS93,JT93,FS99]. (contexts) Γ, ∆ ::= · | Γ, i : Figure 1: A summary of the informal syntax of XTT. Note that some binders, e.g. those in λi.a and path i.A (a, b), range over dimensions rather than terms.
Assumptions of all three sorts are subject to the structural rules of hypothesis, substitution, and weakening. In addition to dimension variables i : I, the interval has two global elements 0 and 1 representing its endpoints. (We call such an interval Cartesian because it is the free finite-product theory on two generators [Awo18a].) The face formulas F are closed under disjunction (unlike [SAG19]) and equality of dimensions.
Given Γ φ : F, we write Γ φ true when φ holds under the assumptions in Γ. The rules governing this judgment are the evident ones, with the caveat that under an assumption of r = s, one obtains a judgmental equality r = s : I; we may safely adopt this principle because, unlike propositional equality in arbitrary types, r = s is decidable.
In XTT, maps out of I correspond to equality proofs: Assumptions of face formulas act as constraints, restricting the domain of maps out of I n . A hypothesis of i = 0 sets i to 0 in the hypotheses and conclusions that follow, whereas a type/element under the false constraint 0 = 1 is nothing at all. Finally, an element under a disjunction φ ∨ ψ is a pair of elements under φ and ψ that agree on the overlap φ, ψ.
Unlike [SAG19], and following [CCHM17], we include syntax for these partial elements defined on nullary and binary disjunctions: Notation 2.1 (Boundary). The interval has more generalized points than 0 and 1; therefore, it is not the case that i : I i = 0 ∨ i = 1 true. This formula, called the boundary of i, is important for expressing the rules of path types and compositions; we therefore impose the following notation: Notation 2.2 (Judgmental restriction). We often want to consider a total term whose subcube coincides with some other term. We will write Γ a : A [φ → b] to abbreviate that a is a term that restricts on φ to b, that is: Example 2.3. Combining Notations 2.1 and 2.2, we may succinctly express the situation where p(i) : A exhibits a path (proof of equality) between two elements a 0 , a 1 : A, writing 2. Dependent path types in XTT. The rules for dependent product, dependent sum, and boolean types in XTT are completely standard and are located in Figure 2. Cubical type theories internalize the judgmental "equality situation" of Example 2.3 by means of (dependent) path types; a path type is, in essence, a dependent function out of the interval subject to a restriction on the boundary of this function (i.e. the behavior of this function on the endpoints 0, 1 : I).
Given a line of types i : I A type and two elements a 0 : [0/i]A, a 1 : [1/i]A, the type of paths between a 0 and a 1 is written path i.A (a 0 , a 1 ); because the type A can depend on i, path types express a kind of heterogeneous equality (though different from the one proposed by McBride [McB99]). The rules for path types are summarized below:  formation Remark 2.4. One can also express the data of a path type as a line of types i : I A type together with a partial element i : I, ∂(i) a : A; then, the elements of the path type path i.A (i.a) would consist in elements i : In fact, we use exactly this style of definition in our mathematical version of the syntax of XTT (see Section 4). k We are already prepared to see one of the advantages of cubical type theories over intensional Martin-Löf type theory. Because we use maps out of the interval to represent equality, equations in A naturally take the form of (parametrized) elements of A; therefore, the "introduction rules" for equality in A are the same as the introduction rules for A itself.
Example 2.5. Function extensionality, provable in cubical type theories, provides a particularly convincing example, considering that it can be derived directly using only the rules for dependent function and path types. Given two functions f, g : (x : A) → B and a family of paths h : (x : A) → path .B (f (x), g(x)), we have: 3. Universe of Bishop sets. XTT is equipped with a universe of Bishop sets, i.e. types that satisfy a definitional version of the unicity of identity proofs. As was the case for Observational Type Theory, it is essential that that this universe is closed -a matter we will discuss in more detail in Sections 2.3.4 and 8.1. In our original presentation of XTT [SAG19], we required that all types were Bishop sets. Here, we require this property only of elements of the universe, in order to suggest how one might integrate XTT into a standard (univalent) Cartesian cubical type theory in which not all types are Bishop sets (notably, univalent universes and higher inductive types). Additionally, whereas we previously described an infinite and cumulative hierarchy of universesà la Coquand, 6 here we have opted to specify only a single universeà la Tarski for the sake of simplicity and clarity of presentation.
We begin with the basic formation rules for the universe of Bishop sets: Notation 2.6. As above, we adopt the convention of writingÂ for an element of set; then, we will write a ∈Â as a shorthand for a : el(Â). k 2.3.1. Boundary separation and UIP. What makes types classified by set special is that they satisfy the boundary separation principle below, a modular reconstruction of the uniqueness of identity proofs: boundary separation Γ Â : set Γ r : I Γ, ∂(r) a = b ∈Â Γ a = b ∈Â To see that boundary separation implies the unicity of identity proofs, consider the context Γ def == (∆,Â : set, a ∈Â, b ∈Â, p : path .el(Â) (a, b), q : path .el(Â) (a, b)); we may derive Γ p = q : path .el(Â) (a, b) as follows: 6 Universesà la Coquand [Coq13] differ from universesà la Tarski in a few ways: one eschews the standard Γ A type judgment for a stratified judgment Γ A type i , and then the rules for each universe Ui exhibit an isomorphism between the collection of types of level i and the collection of elements of Ui.
In essence, these operations implement the action of paths in every set, simultaneously enabling coercions between equal types, as well providing a way to compose and invert paths. The coercion operation above allows, in particular, an element of a set to be transformed into an element of any equal set: this is the action of coe 0 1 i.Â a. In Observational Type Theory, there is an additional coherence operation that (heterogeneously) equates a with its coercion coe 0 1 i.Â a; in XTT (and Cartesian cubical type theories generally), this is accomplished using another instance of the general coercion operator called a "filler": λi.coe 0 i i.Â a : path i.el(Â) a, coe 0 1 i.Â a Composition is analogous to coercion, except that it may additionally constrain the result to match a partial element defined on a boundary ∂(s) for some s : I. (Because of boundary separation and regularity, XTT's composition operator is substantially simpler than those of other cubical type theories, which consider partial elements defined on arbitrary φ : F.) Composition can be used to define combinators expressing the symmetry and transitivity of equality, as well as to implement Martin-Löf's J eliminator. In fact, to express symmetry and transitivity, it suffices to first consider the case whereÂ doesn't depend on i, called homogeneous composition: .Â i.a Example 2.7 (Symmetry). LetÂ : set and let a, b ∈Â and let p : path .el(Â) (a, b). We may use homogeneous composition to define an inverse pathp : path .el(Â) (b, a): Example 2.8 (Transitivity). LetÂ : set and let a, b, c ∈Â and let p : path .el(Â) (a, b), q : path .el(Â) (b, c). We may use homogeneous composition to define a composite path p · q : path .el(Â) (a, c): Remark 2.9. By boundary separation, the symmetry and transitivity operators act very strictly. For instance, given p : path i.A (a, b) one hasp · p = (λi.b) definitionally. Similarly, composition of paths is definitionally associative: p · (q · w) = (p · q) · w. In the absence of boundary separation, these coherences would hold up to another path, using a more complex instance of the composition operation. k Example 2.10 (Identity type). Using composition, we may define a combinator with the same type as Martin-Löf's J eliminator for the identity type. LetÂ : set be a set and x ∈Â, y ∈Â, z : path .el(Â) (x, y) Ĉ (x, y, z) : set be a motive of induction. Fixing What is the behavior of the J combinator from Example 2.10 on a reflexive proof of equality λ .a : path .el(Â) (a, a)? From Martin-Löf type theory, we would expect JĈ(λ .a, c) to compute to c(a); in ordinary cubical type theory, this equation only holds up to another path, but in XTT we can force it to hold using the following regularity principle: Γ el( bool) = bool type Considering that boundary separation applies to all elements of set, we are restricted to connectives that preserve the condition of being boundary separated. Next, we must include equations specifying the behavior of coe and com on each type code. We begin with coercion, verifying in each case that the equation is compatible with coercion regularity. x/x B f coe r r i.Â x Vol Of course, coercion regularity implies coe r r i. bool a = a. We additionally observe that the behavior of homogeneous composition (and thence general composition) is totally determined by the combination of the above and boundary separation; in particular, the following equations are derivable by pivoting on ∂(s): 2.3.4. Algorithmic type checking and type-case. Although a type checking algorithm for XTT is beyond the scope of this paper, such an algorithm is important to fully substantiate our claim that XTT can act as a more tractable alternative to extensional type theory. As a step towards applying existing type checking algorithms to XTT, we include one final construct.
Most type checking algorithms going back to the work of Coquand [Coq96] check M : A by first evaluating A to a weak-head normal form, in order to determine whether A is a dependent product type, a dependent sum type, the booleans, etc. Such a determination is crucial because the head constructor of A, in turn, determines how to type check M (e.g., by applying it to an argument, considering its projections, etc.).
Consider the case that we have a variable x : path .set (Â×B,Ĉ×D) in scope, and we are attempting to check u, v ∈ x(i) for some variable i : I. The equational rules of XTT do not suggest any reductions for x(i), so we might naïvely return a type error: u, v can only be an element of a product type, but el(x(i)) appears to be neutral.
However, such a strategy is not complete in the presence of the boundary separation rule. Suppose that in addition, we have proofs p : path .set (Â,Ĉ) and q : path .set (B,D) in scope. Then we may form the path λj.p(j)× q(j) : path .set (Â×B,Ĉ×D); by boundary separation, el(x(i)) = el(p(i)) × el(q(i)) definitionally, and therefore we must proceed to check u ∈ p(i) and v ∈ q(i) (and possibly succeed).
Of course, an algorithm cannot guess out of thin air whether such p, q exist! A way around this impasse, pioneered in OTT [AM06,AMS07], is to ensure that from a path betweenÂ×B andĈ×D, we can always obtain a path betweenÂ andĈ. Under those circumstances, we have a uniform strategy to type check terms on neutral equations between product types (etc.): ignore the proof of equality, and consider only its boundary.
This approach does not make sense for mathematical sets or spaces, since there are more ways for two product sets to be equal than that their components are equal, but it does make sense for closed universes, such as the inductive-recursive universes of Martin-Löf [ML84]. We discuss the semantic disadvantages of these closed universes in Section 8.1.
Concretely, we achieve this "injectivity up to paths" of type constructors in XTT by including a "type-case" operator enabling intensional analysis of sets [Con82,CZ84,HM95].
This operator is equipped with the obvious reduction rules: 2.4. The LF signature of XTT. Thus far, we have presented the syntax of XTT as a series of informal inference rules; formally, however, XTT is the bi-initial object in the 2-category of models defined in Section 4. As a middle ground between those two styles, we now give a definition of XTT as a sequence of constants ( Figure 4) in a logical framework (LF). By results of Uemura [Uem19,Uem21], these constants can be systematically elaborated into the definitions of Section 4, and automatically induce a 2-category of models with a biinitial object. Conversely, connecting these LF constants to standard (but highly annotated) inference rule presentations requires an adequacy theorem [HHP93]; we are using Uemura's logical framework [Uem19,Uem21], which is adequate for a wide variety of type theories.
2.4.1. Uemura's logical framework. Uemura's LF is essentially a fragment of extensional dependent type theory; the only important difference is that Uemura's LF stratifies types into two kinds: representable types and types . Elements J : correspond to judgments that can be hypothesized (such as object-level term judgments), whereas elements J : correspond to arbitrary judgments (such as object-level type judgments, which generally cannot be hypothesized). We summarize the rules of Uemura's LF in Figure 3, omitting the standard definitional equalities for dependent products and extensional equality; readers can consult Section 5 of [Uem19] for a thorough introduction. 7 In addition to the model theory and initiality result mentioned above, another major advantage of using a logical framework is higher-order abstract syntax, in which variable binders are encoded using the LF's λ-abstractions over representable types. As a result, 7 Note that [Uem19] does not explicitly include dependent sums, but these are present in the semantics and do not impact any of the results of that paper. unlike inference rules, LF encodings need not explicitly represent the object-level contexts, and in fact automatically ensure that all operations are stable under substitution.
2.4.2. The signature of XTT. In Figure 4, we present XTT as a signature, or sequence of constants, in Uemura's LF. In accordance with the judgments-as-types methodology [HHP93], we render each judgment of XTT as a type constant in its LF signature. We encode the judgment Γ r : I as a nullary representable type with two elements; it is representable because XTT allows context extension by dimension variables (Γ, i : I).
I : 0 : I 1 : I We encode the face formula judgment Γ φ : F as a (non-representable) type equipped with a representable decoding function [−]; contexts cannot be extended by face formula variables, but we can extend contexts by an assumption that φ holds, (Γ, φ).
F : [−] : F → Note that [−] is silent in our earlier notation; in both the inference rules and in Figure 4, we suppress the instantiation of partial elements by (the unique) proofs of [φ].
Likewise, we encode Γ A type as a (non-representable) type and Γ a : A as a representable type family.
tp : tm : tp → We do not add constants for the equality judgments of XTT, as these are encoded by LF equality at the corresponding type.
Finally, we encode the connectives and rules of XTT as constants, taking advantage of the LF's type structure for brevity. For example, the formation rule for dependent products corresponds to the following LF constant: The force of the remaining rules for dependent product types is simply to assert an isomorphism between tm(pi(A, B)) and x:tm(A) tm(B(a)). To express this pattern concisely, we introduce the notation Γ f : A ∼ = B for the following four constants: Using this notation, we encode the introduction, elimination, β, and η laws of dependent products in one stroke:

Categorical preliminaries
All the categorical machinery we assume can be found in standard introductory textbooks and references [ML98, Bor94a, Bor94b, Bor10, Awo10, Joh02]; in order to fix notations and render our presentation as self-contained as possible, however, we have included a number of definitions. The beginning of Section 3.1 recalls basic categorical definitions and fixes notation, while Section 3.1.1 covers more specific facts related to presheaves and representables. The remaining sections discuss functorial semantics and the categorical machinery necessary to account for the semantics of type theory. We recommend only skimming this section on a first read, and return to it as needed.
Notation 3.1. Given a category C and objects C, D : C, we write C[C, D] for the collection of arrows between C and D. We will also write [ C, D] for the category of functors C D and natural transformations between them. k Convention 3.2. Conventionally, we write Set and Cat for the categories of sets and categories respectively; of course, to be more precise, we should instead refer to Set α and Cat α for some strongly inaccessible cardinal α, or equivalently a Grothendieck universe U.
We leave the resolution of these universes implicit, noting them explicitly in sensitive places.
Notation 3.3. We will write ∆ n for the n-simplex regarded as a category; in particular, ∆ 0 is the terminal category { * }, and ∆ 1 is the category {• •} of the walking arrow. Therefore [∆ 1 , C] is the category of arrows and commutative squares in C. k Definition 3.4 (Cartesian arrow category). We write [∆ 1 , C] cart [∆ 1 , C] for the wide subcategory of arrows and cartesian squares between them. Concretely, given f, g : [∆ 1 , C] cart a morphism between them exhibits f as a pullback of g: Definition 3.6 (Opcartesian morphism). Dually, given a functor , the comma category F ↓ G has as objects arrows F D GE X and commutative squares of the following kind for arrows: The comma category F ↓ G may be constructed more abstractly in terms of the following (1-categorical) pullback in Cat, the category of categories and functors: Notation 3.13. Let X : C; we will write ∆ 0 C {X} for the constant functor * → X. k Notation 3.14. A common abuse of notation in the comma construction is that, when either F or G is the identity functor C C id C , they shall be written simply C. For instance, An important instance of the comma construction is the slice category.
Definition 3.15 (Slice category). Given an object X : C, the slice or "over-category" of C at X is the comma category C /X = C ↓ {X}. The objects of C /X can be seen to be arrows Y X; morphisms in the slice are commutative triangles. k Fact 3.16. In a category with pullbacks C, a morphism X Y Notation 3.17. We will adopt a common abuse of notation and suppress the weakening Definition 3.18. Let κ be a regular cardinal; we say that a category C is κ-(co)complete when C has all (co)limits of κ-small diagrams; a functor that preserves these (co)limits is called κ-(co)continuous. When κ is omitted, a sufficiently large strongly inaccessible cardinal is assumed. 3.1.1. Presheaves, representability, and discrete fibrations.
Presheaves capture the geometric intuition of probing a space or other object by small figures: the role of contexts and substitutions in (strict) type theory supplies type theorists and logicians with a useful concrete intuition for presheaves. A more structural perspective on presheaves is, however, essential: the category Pr( C) may be characterized universally as the free cocompletion of C, equipping C with new colimits. When C already has some colimits, it is important to note that the new ones do not coincide with the old ones.
Construction 3.20 (The Yoneda embedding). To be more precise, there is a universal functor C Pr( C) y C , called the Yoneda embedding, taking each object C : C to a "formal colimit" y C C = C[•, C], such that every functor C E with E cocomplete factors as y C and a cocontinuous functorF in an essentially unique way: For each presheaf X : Pr( C), we have the following isomorphism: As a consequence, the Yoneda embedding is full and faithful.
Definition 3.22. A presheaf X : Pr( C) is called representable when it lies in the essential image of y C , i.e. X is isomorphic to y C C for some C : C. k The notion of representable object is extended to maps in a canonical way, by considering fibers over representable objects.
Definition 3.23 (Representable natural transformation). A representable natural transformation is a map Y X f : Pr( C) whose every fiber over a representable object is representable. In other words, the fiber product of f with any y C C X x is representable.
In Section 3.2, we observe that the representing object of this fiber product plays a role analogous to context extension, so we denote it C.x. k Representable natural transformations are a prime example of Grothendieck's "relative point of view", extending a notion that is first defined on objects to have sense on morphisms. It is useful to remark that the slice Pr( C) /X is itself the category of presheaves Pr( C/X) on the category of elements C/X of X, and that the representability of the map Y X f agrees with the representability of the object f : Pr( C) /X .
Construction 3.24 (Category of elements). The category of elements C/X of a presheaf X : Pr( C) has as objects pairs C/x with x ∈ X(C) and morphisms In fact, the category of elements of a presheaf X : Pr( C) is the total category of a discrete fibration over C.
equivalently, if the fibers of p are discrete categories. The collection of discrete fibrations over C forms a full subcategory DF C ⊆ Fib C ⊆ Cat / C , with morphisms given by commuting triangles. k As might be expected, the assignment X → p X extends to a functor Pr( C) which is full, faithful, and essentially surjective (i.e. an equivalence of categories). Therefore DF C may be used as an alternative to Pr( C), and has its own Yoneda embedding In the context of discrete fibrations, there is an alternative characterization of representable maps in addition to the Grothendieck-style extension of the essential image of the Yoneda embedding C DF C y C to maps via pullbacks.
: Cat has a (non-fibered) right adjoint, which we may write ∂ 0 f q f .
In contrast with presheaves, it is natural to simultaneously work with discrete fibrations over different base categories: we may write DF ⊆ Fib ⊆ [∆ 1 , Cat] for the category of fibrations over arbitrary base, rendered a full subcategory of the category of arrows of Cat. Therefore, a morphism of discrete fibrations is a commuting square: Lemma 3.28. The map sending a discrete fibration to its base category DF Cat ∂ 1 is a fibration. We will write DF C for the fiber ∂ 1 [ C]. 3.1.2. Density of the Yoneda embedding. The Yoneda lemma (Lemma 3.21) is indispensable, but the closely related density theorem more deeply exposes the character of Pr( C) as free cocompletion.
Of course, to understand Lemma 3.30 we must first have an understanding of density in the category theoretic sense. Every functor C E F generates a canonical cocone over . Visually, the cocone might look something like this: Therefore, Lemma 3.30 says exactly that every presheaf is a formal colimit of representable objects in a canonical way.
3.1.3. Philo-logie and Diaconescu's theorem. Categories of presheaves E = Pr( C) are complete, cocomplete, locally cartesian closed, and exhibit certain non-trivial compatibilities between certain limits and colimits which may be boiled down to the existence of a classifying family for subobjects (monomorphisms). This subobject classifier is a monomorphism that is universal in the sense that all monomorphisms arise in a unique way from A category with these properties may be referred to as a logos following the terminology of Anel and Joyal [AJ21], though we defer the actual definition of logoi until Definition 3.34. Recalling our characterization of Pr( C) as the free cocompletion of C, we argue that the correct way to understand categories of presheaves is as a class of logoi that are generated in a specific way: namely, all colimits are added freely without imposing any relations. We may also generate logoi in which the added colimits satisfy some relations; historically, the most common way to do so is to augment the category C with the data of a coverage. The canonical motivating example arises when considering presheaves on the frame of open sets O(X) of a topological space X. The logos of presheaves Pr(O(X)) does not have the geometrically correct colimits corresponding to the gluing together of components of an open cover {U i U }, but some presheaves treat y O(X) U "as if" it were the appropriate colimit of the covering diagram to varying degrees: (1) A presheaf X that has no more than one section x ∈ XU compatible with a family of sections {x i ∈ XU i } defined on the cover is called separated.
(2) A presheaf X that has exactly one such section x ∈ XU for each such compatible family of sections is called local. 8 Separated presheaves will play an important role in the algebraic syntax and semantics of XTT (Section 4), in which we wish to ensure that there is at most one path I A compatible with a boundary 1 + 1 A in the following sense: Not all presheaves are local; one may correct this defect by quotienting or localizing the logos, forcing certain maps out of colimits to become isomorphisms. Although generally localizing a category may result in a category which is almost entirely unrecognizable, in this case the resultant localization has a straightforward characterization: it is precisely the full subcategory spanned by local presheaves. More formally, the inclusion of this subcategory into Pr( C) has a left adjoint which preserves finite limits and this left adjoint sends certain maps out of colimits to isomorphisms. This adjunction presents the subcategory of local presheaves as a left exact localization of Pr( C). We may therefore define a logos to be a left exact localization of the category of presheaves on a small category C.
Definition 3.34 (Logos). A logos is a left exact localization of the category of presheaves on a small category C; a morphism E F between logoi is a functor between the underlying categories that is both left exact and cocontinuous. Such a morphism is often called an algebraic morphism. We will write Logos for the 2-category of logoi, with 2-cells given by natural transformations between the underlying functors. k Remark 3.35 (Direct image). Because logoi are left exact localizations of presheaves, they are locally presentable [AR94]. While we do not make extensive use of this fact, we do require the following consequences of local presentability: all logoi are complete and cocomplete and every algebraic morphism Two different base categories C, D may yet generate the same presheaf logos; however, presheaf logoi enjoy a special relationship with their base categories embodied in Diaconescu's Theorem below [Bor94b].
A flat functor is a generalization of the notion of left exact functor which may be used in case the domain category C is not finitely complete: in other words, a flat functor C E is one that preserves "even the finite limits that don't exist". While the general definition is slightly complex (see [Bor94a, Definition 8.2.8]), for our purposes it suffices to consider the special case where C is finitely complete and when a flat functor is precisely one which preserves finite limits.
Flat functors play an essential role in the general gluing theorem for models of Martin-Löf type theory into logoi developed by Sterling and Angiuli [SA20] which we have applied in this paper.
3.1.4. Topos-logos duality. Following the philosophy of Anel and Joyal [AJ21], we have (perhaps surprisingly to some readers) not referred to categories of presheaves as "topoi". This is because we prefer to think of a topos as a geometrical object, whereas a logos is algebraic in nature: for instance, Diaconescu's Theorem (Theorem 3.36) shows that the category of presheaves is an invariant form of the theory of flat functors in the style of Lawvere's functorial semantics [Law63].
It is instructive to start from the prototype of geometry-algebra duality embodied in the relationship between (sober) topological spaces and their frames of open sets; in this case, the frame of opens is an algebraic object, and the corresponding space is its geometric dual. By an analogy that may be substantiated in a precise way, a logos is the algebraic object corresponding to a topos, which is in contrast a kind of generalized space.
The duality between topoi and logoi is captured in a formal equivalence of categories Sh : Topos op Logos , taking a topos to its "logos of sheaves". While historically, many authors have thought of sheaves as local presheaves for a specific generators-and-relations presentation of a logos, Grothendieck insisted that this presentation is not at all the main object of study [AGV72,Gro86]: sheaves should be thought of as algebraic data varying over a (generalized) space, including both topological spaces and topoi. Indeed, it is enough to consider sheaves on topoi, recalling that any sober space corresponds to an essentially unique enveloping topos [AJ21].
On the other hand, the algebraic perspective of logoi and their algebraic morphisms is the most germane to this paper, so we do not refer to topoi in subsequent sections.
3.2. Functorial semantics of dependent type theoryà la Uemura. Classically, the notion of an "algebraic theory" was understood in terms of sets of operations and equations. For instance, the theory of monoids may be written in terms of two operations: ε of arity [0] and of arity [2]. Then, a set of equations is imposed on the set of trees generated by {ε, } to express the associativity and unit laws of a monoid. A model of a theory in this old-fashioned sense was then a structure comprising the following data: (1) a carrier set A, (4) subject to the following equations: ) Models in this sense arrange themselves into a category, with morphisms given by functions between carrier sets that commute with the specified maps; of course, this is nothing more than the category of monoids in Set. Generally, one considers models in categories other than Set, a notion that makes sense for any category C having the requisite structure (in this case, finite products).
However, there are many other collections of operations and axioms that equally well express the concept of monoid, evidently exhibiting the same categories of models. For instance, one may use the set of operations {list n | n ∈ N} ∪ { } where each operation list n has arity [n]. Lawvere famously observed that none of the important computations in universal algebra actually depend on which specific operations and axioms are used to encode a theory, advocating a perspective that regards the presentations above not as the theories themselves, but as structures lying over the theories.
A theory for Lawvere is a category T closed under certain structures (e.g. finite products, finite limits, etc.); a model of a theory in a category C is a functor T C preserving (finite products, finite limits, etc.). A collection of operations and axioms that generates a theory is called a equational presentation of that theory.
Lawvere's functorial perspective on theories and their models is called the functorial semantics [Law63]. Lawvere has observed that many of the fundamental operations by which new theories are constructed from old theories are unnatural to describe in terms of presentations, but are simple at the level of categories and functors. One may continue to present theories T by sets of operations and axioms as before, but the spirit of the functorial method is to freely adopt whichever presentation is most useful in a specific context. 3.2.1. Natural models, the judgmental essence of strict type theory. We recall from Definition 3.23 the notion of a representable natural transformation of presheaves: it is a family of presheaves that, at every fiber over a representable object, is a representable object. This notion, which first arose in the context of algebraic geometry in the Grothendieck school [AGV72], plays a fundamental role in the semantics of dependent type theory as well as the categorical study of set theory and universes [Awo18b,Awo08,Str05,Str14b].
From the type theoretic perspective, the importance of representable maps is easy to explain. In type theory, the basic objects under consideration are contexts Γ, types in context Γ A, and typed terms in context Γ a : A. The collection of types carries an action for each substitution ∆ Γ γ of contexts, and so does the collection of elements: we have ∆ γ * A and ∆ γ * a : γ * A. Moreover, while there is no context that represents the collection of all types, for any specific type Γ A, we have a context Γ.A that represents the elements of the type A.
This type theoretic situation can be captured mathematically in three steps: (1) First of all, the collection of contexts may be organized into a category C with morphisms given by simultaneous substitutions.
(2) Next, the collection of types may be viewed as a presheaf T C : Pr( C): a section A ∈ T C (Γ) is exactly a type Γ A, and the functorial action implements substitution We therefore obtain representing contexts Γ.A for each such type A by requiring that the family be a representable natural transformation: is the weakening substitution, and the map Γ.A T C q A is the variable term. By chasing Diagram 3.37, it is easy to see that the type of the term q A is p * A A as expected. The structure defined above captures the decisive judgmental aspects of dependent type theory, and has been referred to by Awodey as a natural model : natural in both the informal sense, and in the sense that it is defined in terms of a representable natural transformation.
Definition 3.38 [Awo18b]. A natural model is a category C with a terminal object, together with a representable natural transformation in Pr( C). k

3.2.2.
Representable map categories and the semantics of type theory. A given type theory is more than just a natural model in the sense of Definition 3.38: one must also specify other generators, such as type connectives and their elements. Most type connectives can be specified by writing down a family in Pr( C) and then asking for a cartesian square between that family and the natural model. This raises some questions: (1) What kinds of structures can be added to the notion of a natural model and still give rise to a type theory? (2) What is a morphism between models of such a type theory?
Uemura proposes to answer this question by developing a notion of "general type theory" and associated functorial semantics [Uem19,Uem21]; while Lawvere defines an algebraic theory to be (roughly) a category with finite products, Uemura defines a type theory T to be a representable map category, which is a lex category C together with a distinguished class R of "representable maps" which captures the decisive aspects of the class of representable natural transformations in presheaf logoi.
Definition 3.39. A class of representable maps in a lex category C is a collection of maps R with the following closure conditions: (1) Each identity map is representable, and the composition of representable maps is representable.
(2) Every pullback of a representable map along an arbitrary map is representable.
(3) Pullback along a representable map has a right adjoint, pushforward. k Notation 3.40. In particular, if the terminal map X 1 C is representable, then all exponentials (internal homs) out of X may be computed by pushforward, which we may write either X ⇒ Y or X, Y . k Definition 3.41. A representable map category is a lex category C together with a class R of representable maps in C; a representable map functor between two representable map categories is a functor between the underlying categories that takes representable maps to representable maps. k Remark 3.42. Every lex category C can be thought of as a very weak kind of extensional type theory, in which dependent types are maps and substitutions are given by pullback. A representable map structure on C does nothing more than enrich this language as follows: (1) There is a class of small types called "representable" types.
(3) Types are closed under dependent products with representable base. The "type theory" of a representable map category T = ( C, R) can be thought of as a logical framework in the sense of [HHP93,NPS90], in which hypothetical judgments are represented by pushforward. From this perspective, it is most appropriate to refer to arbitrary objects and families in T as judgments, following the "judgments as types" philosophy of Harper, Honsell, and Plotkin [HHP93]. k Example 3.43 (The walking natural model). The type theory with judgments for types and terms is specified by the representable map category T generated by a single representable map T T τ . k Example 3.44. Pr( C) supports the structure of a representable map category with the class of representable maps given by representable natural transformations. k The classic notion of a representable map in a category of presheaves is of course an instance, giving rise to the "canonical representable structures" on Pr( C) and DF C .
Example 3.45. DF C supports the structure of a representable map category, with representable maps given by a functors between discrete fibrations that have a non-fibered right adjoint [Awo18b,ABSS14]. Explicitly, a morphism X Y : Cat such that f q f . Moreover, with this class of representable maps, the equivalence between DF C and Pr( C) induces an equivalence between representable map categories. In other words, viewing a representable natural transformation of presheaves as a functor between categories of elements, one has such a right adjoint, and vice versa. k The functorial semantics of type theoriesà la Uemura is then given in terms of these canonical representable map categories: where C is a category with a terminal object. k In Definition 3.46, the base category C is the category of contexts, and each J C is the interpretation of a "judgment" J : T as a presheaf over C. To a first approximation, a morphism M F between two T-models M C , M D should be a functor C D F together with a natural assignment of functors X → X F for each X : T: In addition to these requirements, a morphism of models should also preserve context extension up to isomorphism; from a categorical perspective, there is not much meaning in asking for context extension to be preserved "on the nose", since contexts are objects of a category and therefore considered only up to isomorphism. Therefore, given a context C : C and a type y C C T C A , we would expect that the context extension F C.T F A shall be isomorphic to F (C.A).
In Uemura's framework, as with natural models [Awo18a], context extension is modeled by the representability of T T τ . In fact, calculation shows that the (non-fibered) right adjoint q τ C to τ C sends a type y C C T C A to the variable term y C (C.A) T C in the extended context. We may therefore phrase the preservation of context extensions, called Beck-Chevalley by Uemura, in terms of q f C and q f D for each representable map f , including T T τ . First, observe that for each representable map J I f , we have a canonical 2-cell in Cat with the following boundary: The 2-cell of Diagram 3.48 may be computed as follows:  be a morphism of T-models; given X : T, x : X C , we will abusively write F x for X F x. k Because morphisms of models necessarily require preservation of context extensions only up to isomorphism, a higher level of morphism naturally arises, lending the collection of models Mod T with the structure of a 2-category. Remark 3.52. The uniqueness of the map X F X G Xα lying over α is ensured by the discreteness of X D . Summarizing, the existence of X α is nothing more than the condition that for each x : X C lying over Γ : C, the following equation obtains: Theorem 3.53. The 2-category of models Mod T has a bi-initial object: an object I such that for each X : Mod T , the category of morphisms [I, X] is contractible.
This bi-initial object is the democratic heart of the embedding T DF T y : the smallest full subcategory of T containing the terminal object and closed under context extension. The universal property of this bi-initial object ensures that there is at most one morphism M I M C for each M C , up to a unique invertible 2-morphism.
3.3. Left lifting structures, orthogonality, and separation. In this section, let E be a category with finite limits. We call an object X : E exponentiable when every exponential X, Y exists. We begin by recalling some basic definitions and facts from [Awo18b, ABFJ18, ABFJ20].
Definition 3.54 (Cartesian gap map). Let the following square commute in E: The universal property of the pullback of g along h states that the span f, k induces a map f, k , which we call the cartesian gap map of Diagram 3.55: Remark 3.63. A left lifting structure j : f g exhibits f as internally left orthogonal to g when j is simultaneously a retraction. k Because both left lifting structures and orthogonality conditions may be expressed in the language of finite limits as above, it is justified to freely extend a representable map category T by either f g or j : f g. In many cases, however, an orthogonality condition or lifting structure will need to be expressed in the free cocompletion Pr(T) because it may involve colimits that don't exist in T; when defining a representable map category by a sequence of clauses, it is not a priori clear that this move is legitimate.
We will therefore characterize a useful class of orthogonality and lifting conditions on Pr( C) which may be unravelled into a suitable condition on a lex category C, expressible using the language of finite limits. be a diagram such that for each i : I, the object Φ i is exponentiable. We will writê Φ ∞ for the colimit of Φ • taken in Pr( C), i.e.Φ ∞ = colim I (y C Φ • ). Now letΦ ∞ y C B f : Pr( C) with B exponentiable, and let X Y g be an arbitrary map in C. Then, there exists a left lifting structure j : f y C g in T iff there exists a section of the cartesian gap map for the canonical Diagram 3.65 in C below: Moreover, the left lifting structure j exhibits f as internally left orthogonal to y C g iff the cartesian gap map of Diagram 3.65 is an isomorphism.
Before proving Lemma 3.64, we first clarify the construction of Diagram 3.65. For each i : I, we have the following composite map: Therefore, letting Z range over X, Y , we may construct a map into lim I Φ • , Z from a cone defined as follows: The force of Lemma 3.64 is therefore to assert that the existence of a left lifting structure j : f y C g in Pr( C) is equivalent to the existence of a section to the cartesian gap map of Diagram 3.68 below: (3.68) Proof of Lemma 3.64. The condition of the internal pullback hom ⟪f, y C g⟫ may be portrayed as follows: But for each Z : C, the presheaf Φ ∞ , y C Z is canonically represented by the object lim I Φ • , Z : C, using the universality of colimits in Pr( C) and the fact that the Yoneda embedding commutes with limits and exponentials. Therefore, Diagram 3.70 below faithfully translates the existence of the dotted map in Diagram 3.69 into the language of C: But the above is exactly the existence of a section to the cartesian gap map for Diagram 3.68. It is likewise easy to see that one section is a retraction iff the other is.
We will have need of an orthogonality-like notion in which lifts may not exist, but when they do, they are unique. It is most appropriate to call this condition separation, by analogy with coverages and Grothendieck topologies.
and X Y g be maps in a category C; then we say that g is separated with respect to f when, for every object Z : C, there is at most one lift for any square of the following shape: 4. Using Artin gluing to prove canonicity. In this section, we give a gentle introduction to the use of Artin gluing for proving ordinary canonicity results in order to set the stage for our more sophisticated application. Let C be the free cartesian closed category generated by a base type ans : C and two constants 1 C ans yes, no . We wish to prove the following closed canonicity theorem:  sense that the following commutative diagram exists: The diagram above states the traditional condition for extending a logical predicate to open terms: for any closed c ∈C, the evaluation f (c) is inD.
We have a fibration P C p sending (C,C) to C; moreover, we can show that P is cartesian closed and the fibration p preserves the cartesian closed structure. The latter amounts to constructing products and exponentials in P whose C-parts are the corresponding products and exponentials from the syntactic category, which is always built into logical predicates arguments.
In functorial semantics, a logical predicates model of C is the same as a functor C P that preserves the cartesian closed structure for which the composite with the fibration P C p is the identity, i.e. a section of p. Because C is the free cartesian closed category generated by {ans, yes, no}, such a functor is uniquely determined by a choice of an object ans : P such that p ans = ans, and a choice of constants yes , no configured as follows: In this paper, we prove a much more sophisticated canonicity theorem and therefore must change the construction in a few important ways.
(1) We replace the proof-irrelevant logical predicate interpretation (based on subsets) with a proof-relevant interpretation (based on families). (2) Rather than considering closed terms (i.e. elements of the hom sets C[1 C , C]), we consider terms relative to purely cubical contexts Ψ = [i : I, .
The modifications described above are actually parameters to a much more general construction called Artin gluing. When C is a category and C E F is a functor, the Artin gluing of C along F is defined be the comma category G ≡ {E} ↓ F . It is instructive to view the gluing as a restriction of the codomain fibration in the case that E has finite limits: Artin gluing theorems express the relationship between various properties of C and F and E to corresponding properties on G. For instance, if F is a binary product preserving functor between cartesian closed categories, then G is cartesian closed and G C p preserves the cartesian closed structure. Similar results hold for topoi, which we make use of in this paper.

Functorial semantics of XTT
In Section 2.4 we defined XTT as a signature in Uemura's logical framework. Following Uemura [Uem19], for the purposes of our canonicity proof we systematically elaborate this signature to a series of structures on an arbitrary representable map category T [Uem19, Theorem 5.17]. T is a model of XTT precisely when it admits all of these structures. We write : T for the terminal object of T.
Specification 4.1 (Judgmental structure). The basic judgmental structure of XTT is specified below.
(1) A representable map T T τ which encodes the collection of typed elements lying over typed terms; the representability of τ allows the (abstract) context to be extended by an element x : A of a type A.
(2) A representable map I , implementing the interval and its context extension. (3) A representable map F , implementing the face formula judgment and its context extension.
is the "true" face formula. As a map out of the terminal object, is automatically monomorphic: this means that two proofs of the same face formula are identical. k Specification 4.2 (The interval). We require only minimal structure on the interval, the two endpoints I 0, 1 . k Specification 4.3 (Dimension equality). We require that there is a code I 2 F (=) for the diagonal map I I × I δ in the following sense: We must be careful when specifying disjunction of face formulas; the "true" disjunction of [φ] and [ψ] ought to be a pushout, but we don't expect to have pushouts in T, and moreover, we do not wish to require the ability to "split" on a disjunction in all the syntactic sorts of our type theory. Instead, we make T T τ think that this pushout exists, in a certain sense.
We begin by formulating the "true" disjunction in the free cocompletion Pr(T). First, we have a characteristic map that decodes a face condition φ : y T F to a proposition φ : Ω.
As a first cut toward disjunction, we may define the non-representable subobject ∨ * |F tr of true disjunctions of face conditions: We will then define the disjunction of face conditions to be a representable approximation of ∨ * |F tr that is respected by certain judgments of XTT.
Specification 4.6 (Disjunction). We require a face condition formation map F 2 F ∨ : T satisfying some conditions which we will describe forthwith. We then require an "introduction" rule ∨ * |F tr y T ∨ * in∨ in the slice Pr(T) /y T F 2 . The "elimination" rules for the disjunction are then expressed as a pair of internal orthogonality conditions in Pr(T) /y T F 2 : (1) We require in ∨ y T F 2 * y T in Pr(T) /y T F 2 , ensuring that the truth of a face condition may be established by eliminating a disjunction.
(2) We must have in ∨ y T F 2 * y T τ in Pr(T) /y T F 2 , ensuring that a "matching family" for a term on two disjuncts shall be a term under a disjunction. k . We may therefore test the truth of this "false" equation: There is a universal comparison map ∅ y T ⊥ * in ⊥ in Pr(T) given by the universal property of the initial object; to support the "elimination rule" of the inconsistent face condition, then, we require orthogonalities in ⊥ y T and in ⊥ y T τ in Pr(T). k Remark 4.9. The orthogonality conditions from Specification 4.6 may be restated in the language of T /F 2 . Let Span be the walking span, and let Span The following canonical squares must be cartesian: Remark 4.10. The orthogonality condition of Specification 4.7 may be restated in the language of T as the requirement that the following canonical squares are cartesian: The following notation will often be used in the internal language of T.  The boundary of a dimension will be used in specifying the closure under path types.
Specification 4.13 (Closure under connectives). We will require that typing judgment T T τ is closed under dependent sum, dependent product, and dependent path types. We first express the generic map underlying each connective, and then force it to be representable. The closure of the type theory under these connectives is then accomplished by requiring in [∆ 1 , T] cart algebras τ Σ τ, τ Π τ, and τ P τ. k Remark 4.14. Unfolding Specification 4.13 into the language of T, this means that we have the following cartesian squares: We will add a type of booleans; as usual in type theory, the boolean type is not the coproduct of the point with itself, but a weak version thereof. The simplest way to specify a weak coproduct is by means of a left lifting structure (Definition 3.60) internal to the free cocompletion Pr(T) of T. (1) A morphism 2 Pr(T) y T (bool * τ) Translated into the type theoretic internal language of T, this corresponds to a dependent eliminator of the following form: [i : I ] in the slice T /I , in the sense of Definition 3.71. Unfolding, this means that for any map Z I r , any square of the following shape in T has at most one lift: The concept of boundary separation can be expressed in the language of T as follows:  The codes for each type constructor can be arranged into an algebra F set y T set We then require a left lifting structure case set : α set y T τ, which provides solutions to lifting problems of the following shape: Remark 4.24. In the language of T, the lifting structure from Specification 4.23 amounts to a section of the cartesian gap map for the following canonical square: The types encoded by XTT's closed universe must be "fibrant" in the sense that they support transport along paths and composition of paths. We will express these as two separate left lifting structures, with suitable compatibility laws. Specification 4.28 (Regularity). We will require the following regularity laws: Lemma 4.29. As a consequence of boundary separation, the following compatibility law between homogeneous and heterogeneous equality holds: λi, α.coe i r A a(i, α) Specification 4.30 (Coercion at connectives). In order to satisfy the canonicity property, our theory must further constrain the behavior of the coercion operation at each type. (λi,α.π 1 (p(i,α)))) (λi, α.π 2 (p(i, α))) hcom s r r pi(Â,B) p (a) = hcom s r r B (a) (λi, α.p(i, α, a)) hcom s r r path(Â,a) p (s ) = hcom s r r Â s (λi, α.p(i, α, s )) hcom s r r bool p = p(r, * ) Proof. By boundary separation, pivoting on s : I.

Summary.
We have expressed the necessary and sufficient conditions on a representable map category to be an algebra for the XTT language. From now on, we will take T to be the smallest representable map category satisfying the present specification, hence T is the syntactic category of XTT. The existence of such a representable map category follows from Proposition 5.16 of [Uem19]. A model of XTT in a representable map category C is then precisely a functor T DF C M C .

Cubical computability structures
In this section we develop the building blocks of the canonicity proof for XTT. While eventually these shall be applied to the initial model, we work with an arbitrary model Definition 5.1. The category of Cartesian cubes is the free category with finite products generated by a bi-pointed object, i.e. the Lawvere category of the theory of bi-pointed objects [Awo15]. We will write Set for the category Pr( ) of Cartesian cubical sets. k A finite product preserving functor C • is determined by an interval object (i.e. a bi-pointed object) in C, which we construct in Construction 5.2 below.
Construction 5.2 (An interval object in C). Because the Yoneda embedding reflects limits, the terminal discrete fibration C : DF C is represented by the terminal object of C, which we may write [ C ]. We have required that the terminal map (I ) C : DF C is a representable family; therefore, the discrete fibration I C : DF C is represented by some object [I C ] : C. Since the Yoneda embedding is fully faithful, the constants I , which can also be seen to be fully faithful; in other words, the category of cubes is the full subcategory of C spanned by cubical objects. By change of base, we obtain a reindexing functor Pr( C) Set * • which has both left and right adjoints by Kan extension. Composing with the equivalence DF C Pr( C), we define a functor F to glue along below: Thus the functor DF C Pr( ) F is in fact an algebraic morphism of logoi, and therefore a good candidate for type theoretic gluing [SA20].
Construction 5.4 (A cubical nerve). By composing the change of base DF C Set F with the Yoneda embedding, we obtain a nerve functor from the category of contexts of M C into cubical sets: In 2015, Awodey suggested the idea of gluing along a cubical nerve like Construction 5.4 to develop the metatheory of cubical type theory; to many researchers, it seemed as though Huber's operational proof of canonicity for cubical type theory [Hub18] could be reconstructed in a mathematical way. Since then, Awodey and Fiore have used this cubical gluing technique to study a version of intensional type theory with an interval in unpublished joint work; in 2019, the present authors applied cubical gluing to prove canonicity for an earlier version of XTT [SAG19].
Lemma 5.5. The cubical nerve is flat.
Proof. By Diaconescu's theorem [Bor10], it suffices to show that DF C Set is an algebraic morphism of logoi; but this Kan extension is just F * • , which has both left and right adjoints. The classical gluing construction. We may obtain a category of glued contexts as the comma category Set ↓ N , whose objects are "cubically computable contexts" and whose morphisms are natural transformations of cubical sets that are tracked by substitutions from the model M C . Intuitively, a glued context is a pair of a syntactic context with a (proof-relevant) Kripke predicate indexed in dimension variable contexts. By analogy with [Tai67], we regard the image of these predicates as the computable closing substitutions of contexts. Because glued substitutions are commuting squares, they automatically send computable elements to computable elements; the top map of such a square sends computability witnesses to computability witnesses. By defining a model of XTT in this category (i.e. collections of glued types and elements closed under the rules), we obtain a categorical version of a logical relations model of XTT. Our categorical perspective immediately offers some advantages over "free-style" logical relations for dependent type theory-much of the indexing can be moved behind categorical abstractions, and certain results become automatic, such as computable substitutions being closed under composition. By choosing certain predicates appropriately, we can moreover ensure that the computable elements of boolean types are precisely tt and ff, etc.
This is the perspective pursued in previous work on gluing for strict type theory [SAG19, KHS19, CHS19, GKNB20]; in recent joint work, the first two authors of this paper have argued that it is considerably simpler to first glue over DF C rather than C, and then restrict further to C by pulling back along C DF C y C [SA20]. Following [SA20], we prefer to first glue along DF C Set F rather than C Set N , because the comma category G = Set ↓ F has more regular properties than G K = Set ↓ N , being a Grothendieck logos [AGV72]. The resulting two-step gluing process amounts to enlarging the collection of computability structures to ones that lie over arbitrary discrete fibrations X : DF C , in addition to the familiar ones that lie directly over contexts Γ : C. Computability structures lying over a context Γ : C will be referred to as "compact"; the fundamental example of a computability structure which is not compact is the computability structure of computable types, lying over the non-representable discrete fibration T C : DF C .
The general computability structures are connected to a model of type theory (which must take place in discrete fibrations over compact computability structures) via a nerverealization adjunction. The nerve functor G DF G K is fully faithful and even locally cartesian closed, and may therefore be used to transform general computability families into constituents of a model of type theory over G K which are otherwise vastly more difficult to compute. 5.1. General and compact computability structures. The picture painted at the end of the previous section is depicted in Diagram 5.6 below: We call G the category of (general) computability structures, whereas the full subcategory G K is the category of compact computability families. Here the fibration j * projects a discrete fibration from a general computability structure, and the restriction j * K projects a context from a compact computability structure. The "compact" terminology is justified by Theorem 5.7 below.
Theorem 5.7 [SA20, Theorem 4.8]. The subcategory inclusion G K G K is dense in the sense that every object X : G is canonically the colimit of the following diagram of compact objects: We reproduce a variant of the proof given by Sterling and Angiuli [SA20].
Proof. Using the universality of colimits in a Grothendieck logos and the fact that F is cocontinuous, we will show that X is the colimit of a particular canonical diagram in G which is final for Diagram 5.8. First, we use the dual Yoneda lemma (that C is dense in DF C ) to observe that j * X is the colimit of the following diagram: Each leg y C C i j * X α i of the colimiting cone for Diagram 5.9 induces a cartesian lift at X in the gluing fibration: We will see that the resulting cocone α * i X X in G is universal for X. Because colimits in the comma category may be computed pointwise, we may reason as follows. Cartesian lifts in the gluing fibration are computed as pullbacks in Set ; because colimits in the presheaf logos Set are universal, it suffices to check that the cone F y is universal. Finally, the universality of Cartesian lifts ensures that the collection {α * i X} is final for Diagram 5.8.
Definition 5.11. An object X : G is compact when it lies in the essential image of K; equivalently, when j * (X) : DF C is representable. k We may impose the structure of a representable map category on G, based on generalizing the notion of compactness from objects to families. Definition 5.12. A family Y X p : G is called compact when every change of base to a compact object KΓ is compact in the sense of the following diagram: Then, we say that the representable families in G are exactly the compact ones. It is simple to verify that this class of maps satisfies the axioms of a representable map category: they are clearly closed under change of base, and since G is locally cartesian closed, pushforwards along representable maps always exist.
Lemma 5.13. The gluing fibrations G DF C j * and G K C j * K have both left and right adjoints, and are therefore both continuous and cocontinuous; moreover, both adjoints are sections.
Proof. From the perspective of the left and right adjoints as sections of the fibration, it is particularly simple to explain their behavior: the left adjoint takes a discrete fibration X to the initial object of the fiber category j * [X], and the right adjoint takes X to the terminal object of the fiber category j * [X]. Considering that j * [X] is just the slice Set /F X, we may compute the families as follows: In fact, this characterization already describes the left and right adjoints to j * K , considering that the fibers j * K [C] = Set /N C are equivalent to j * [y C C] = Set /F y C C.
Lemma 5.14. The gluing fibration G DF C j * is a representable map functor.
Proof. j * is a logical morphism, preserving in particular finite limits and all pushforwards. Therefore, it remains to check that it takes representable maps to representable maps. We fix a compact family Y X p to check that the map j * Y X p is representable. In this case, it will be simplest to use the Grothendieck-style characterization of representable maps in DF C in terms of change of base to a representable object. Fixing C : C and a generalized element y C C j * X x , we must check that the fiber product j * Y × j * X y C C is representable: By transposing along the adjunction j ! j * , we have a map j ! y C C X x : G; noting that j ! y C C ∼ = Kj K ! C, we therefore have the following cartesian square in G using the compactness of p: The image of Diagram 5.16 under G DF C j * has the same cospan as Diagram 5.15; but j * preserves pullbacks and KYx must lie over a representable object, so we are finished.
Lemma 5.17. The gluing fibration G DF C j * reflects representable maps.
Proof. Fixing a family Y X p : G such that j * Y X p is representable, we must check that p is a compact family; in other words, fixing KΓ X x , we must check that the fiber product Y × X KΓ below is compact: It suffices to check that j * Y × X KΓ is representable; because j * p is representable, Diagram 5.18 lies over the square below: ; in particular, we must construct a natural model in DF G K which is closed under all the connectives of XTT and its universe of Bishop sets. These objects are, however, particularly difficult to construct from the perspective of discrete fibrations or presheaves; in previous work, it has accordingly been necessary to construct the constitutents of the computability model at the level of sets [SAG19, Coq19, KHS19], manually quantifying over computable contexts and computable substitutions.
In recent work, Sterling and Angiuli have shown that it is simpler to construct these objects internally to the logos G of general computability structures, and then transfer them in a single motion to DF G K . This is accomplished by means of a nerve functor G DF G K N K which, by virtue of the density of G K G K (Theorem 5.7), is not only fully faithful but also locally cartesian closed. Crucially, N K will also turn out to be a representable map functor.
Construction 5.19 (Nerve). Let X : G be a general computability structure; we may define a discrete fibration N K X : DF G K whose fiber at a compact computability structure Γ : G K is the hom set G[KΓ, X]. This assignment extends to a functor G DF G K N K , which may be viewed either as a restriction of the Yoneda embedding of G, or a left Kan extension of the Yoneda embedding of G K : Lemma 5.20 (Realization). The nerve functor has a left adjoint DF G K G |−| K , the realization of a discrete fibration on compact computability structures; consequently, N K preserves small limits.
Proof. The realization functor is obtained by left Kan extension: The realization of a specific discrete fibration may be computed as a coend, using the general formula for pointwise Kan extensions. Letting F : DF G K , we calculate: for the presheaf corresponding to the discrete fibration F , we may package the computation of F 's realization in terms of the tensor calculus of functors: From Lemma 5.22 below, we can see that the nerve exhibits a true "Yoneda embedding" of general computability structures into discrete fibrations.
Lemma 5.22. The nerve functor G DF G K N K is fully faithful.
Proof. This is equivalent to the density of the inclusion K.
Lemma 5.23 (Equivalent subcategories). The nerve-realization adjunction |−| K N K restricts to an equivalence (of categories) between the subcategories of generating objects (compact computability structures and representable presheaves respectively).
Proof. We first check that the nerve of any compact computability structure X ∼ = KΓ is a representable discrete fibration. It suffices to compute in terms of the corresponding presheaves, Next, we check that the realization of any representable discrete fibration F ∼ = y G K Γ is compact; by the above, we have |y G K Γ| K ∼ = |N K KΓ| K ; because the nerve is fully faithful (Lemma 5.22), the counit to the adjunction |−| K N K is an isomorphism, so we further have |y We have shown that the nerve-realization adjunction restricts to a pair of functors between subcategories. It is easy to see that this is in fact an equivalence, since we have shown that To establish the behavior of the nerve on pushforwards, it will be useful to choose a good dense subcategory of each slice (DF G K ) /F . Remark 5.24. First we recall that in presheaves, each slice Pr( G K ) /F• may be reconstructed equivalently as the category of presheaves Pr F • = Pr(F ) on the total category of F ; therefore, by the Yoneda lemma, each slice (DF G K ) /F is densely generated by the functor F (DF G K ) /F which sends every element x ∈ F Γ to the corresponding map y G K Γ F x . Furthermore, by Lemma 5.23 each generating object y G K Γ F may be written equivalently as N K KΓ F . If F = N K X, we may observe that the slice (DF G K ) /F is in fact densely generated by the comma category K ↓ {X} under the functor which sends each KΓ X preserves all pushfor- Proof. Letting g : G /X , we intend to check that N K (f * g) is the pushforward (N K f * )N K g. By Remark 5.24, it suffices to check the universal property at the generators Corollary 5.26. The nerve functor G DF G K N K is locally cartesian closed. Proof. We fix a representable map Y X f : G, to check that its nerve N K Y N K X N K f : DF G K is representable; it will be simplest to check this condition formulated in the classical Grothendieck-style, considering fiber products with representable objects: First of all, we may replace y G K Γ with the isomorphic N K KΓ; since N K is fully faithful and left exact, the entire square lies in the image of the nerve: Therefore, it suffices to check that the fiber product Y × X KΓ is taken by the nerve to a representable object; by Lemma 5.23, this follows from the compactness of Y × X KΓ by virtue of the representability of f . 5.3. Universes in the gluing fibration. As a technical matter, we will require suitable type theoretic universes in G that are sent to appropriate universes in DF C . While there are a variety of ways to construct these by combining the existing universes of Set and DF C (see Uemura [Uem17]), there is a considerably simpler alternative that becomes available once we observe that G is (equivalent to) a presheaf logos.
Lemma 5.31. There is a small category D such that G Pr(D).
Proof. This follows from the result of Carboni and Johnstone [CJ95], itself an explication and generalization of an exercise posed in SGA 4 [AGV72, Tome 1, Exposé iv, Exercise 9.5.10].
In particular, it suffices to observe that the gluing functor DF C Set F is the inverse image part of an essential morphism between presheaf topoi and is hence continuous.
Therefore the Hofmann-Streicher lifting of Grothendieck universes [HS97] from Set into presheaf logoi applies, yielding a cumulative hiearchy of universes G G g in G. These universes can be seen to lie over a corresponding universe hierarchy U U u in DF C , defined simply by j * G G g . A small map is then defined to be one that arises by pullback from a given universe. Definition 5.32. Given a universe U U u , we say that two codes X U A, B are isomorphic when they have the same extensions, i.e. the pullbacks A * u, B * u are isomorphic. In other words, the two codes are characteristic for the same family. k Our chosen universes satisfy a strict realignment principle that will play an important role in our development.
Lemma 5.33 (Realignment). Let X G A : G be a code for a small computability family in the following configuration: be a code isomorphic to j * X U A ; then, we have a code X G A B lying strictly over B which is isomorphic to A.
Proof. This follows from the strict gluing principle for topos-theoretic universes [Awo21, OP16, BBC + 16, Shu15a, Str14a, KL21], which is known to hold for Hofmann-Streicher universes. In the internal language of G, there exists a distinguished subterminal object ¶ := j ! 1 DF C with the property that G / ¶ DF C and under this identification, the gluing fibration j * is the pullback functor G G / ¶ ¶ * . In the internal language of G, we may speak of U as j * j * G ∼ = ¶ * ¶ * G ∼ = ¶, G . Therefore, if G satisfies the strict gluing axiom, we may internally realign any total element A : G to agree strictly with any partial element A : ¶, G equipped with a partial isomorphism A(z) ∼ = A under z : ¶.

XTT in computability structures
The essence of the canonicity argument for XTT lies in constructing a representable map functor T G in the sense of Diagram 6.1 below: In keeping with the previous section, G − is constructed over an arbitrary model . Eventually, we shall specialize to the initial model of XTT and use this to derive canonicity.
Recall that the specification of T in Section 4 is derived from the signature for XTT in Uemura's logical framework (see Section 2.4). Therefore, to see that the canonical natural isomorphism χ • exists, it will suffice to choose suitable isomorphisms χ J for just the generating objects J : T, the components of the signature; in all cases, the isomorphism χ J will be canonical (or even the identity), because we will always define G I J to lie essentially over (I J) C . 6.1. Glued cubical structure.
Construction 6.2 (The interval). We must construct a computability structure G I lying over I C ; at the level of cubical sets, we will use the "generic dimension" y 1 Set Diagram 6.3 can be seen to commute, considering the definition of • as the finite product preserving functor corresponding to the interval-algebra in C. k Lemma 6.4. The syntactic interval I C is taken by the base change DF C Set Proof. This follows by computation, recalling that I C is represented in C by an interval context [I C ] ∼ = [1] , and using the fact that C • is fully faithful: Lemma 6.5 (Tininess of the interval). The interval object G I is tiny in the sense that the exponential functor −, G I has a further right adjoint.
Proof. G is the Artin gluing the inverse image part of a morphism of topoi; under these circumstances, the universality of colimits ensures that it is enough for the restrictions of G I to both DF C and Set to be tiny (see [SA21, Lemma 32] for a more detailed argument). These restrictions happen to be representable (Lemma 6.4), so tininess follows from the fact that both C and have finite products.
Construction 6.6 (The face formula classifier). We recall that the gluing category G is a logos [AGV72], and moreover, the gluing fibration G DF C j * is a logical morphism and therefore preserves the subobject classifier and its first-order logic [Joh02]. Therefore, we may obtain a glued face formula classifier in a conceptual way.
Because Ω DF C : DF C classifies monomorphisms, we obtain a unique cartesian classifying square in DF C for the generic face formula of M C : Therefore, we may construct a suitable glued face formula classifier by taking a cartesian lift in the gluing fibration of the subobject classifier Ω G along − from Diagram 6.7, considering that Ω G lies over Ω DF C : The generic face formula G is then obtained by pullback in G: Because j * preserves finite limits and pullback cones are unique up to unique isomorphism, we see that G lies over C as required. k We may prove a Beck-Chevalley lemma for dimension equality in DF C : Lemma 6.10 (Beck-Chevalley). The following diagram commutes in DF C .
Proof. Recalling the diagram from Specification 4.3, we observe that both maps are characteristic of the same subobject, and thence equal.
Construction 6.11 (Glued dimension equality). Dimension equality is lifted from M C to the gluing category by the universal property of the cartesian lift below, using the Beck-Chevalley triangle of Lemma 6.10 and the fact that j * is a logical morphism. We must check that the square below from Specification 4.3 is cartesian: By the pullback lemma, it would suffice to check that the outer square below is cartesian.
Using the upstairs triangle of Diagram 6.12, it suffices to observe that the following classification square is cartesian: We do not expect a Beck-Chevalley lemma for disjunction analogous to Lemma 6.10, since φ ∨ ψ is not (and cannot be) the "true" disjunction of DF C : instead, we imposed orthogonality conditions in Specification 4.6 to ensure that certain judgments of XTT (typehood, typing, and formula satisfaction) treat φ ∨ ψ as if it were a disjunction.
Construction 6.15 (Glued disjunction). We may test a pair of glued face conditions for truth of disjunction as follows: must have representable fibers, and but the real disjunction is a colimit in DF C and therefore not representable. We need something that lies instead over the following pullback: Because the "ideal" disjunction ∨ * |F C tr is more universal than the disjunction of F C , we obtain a unique map ∨ * |F C tr (∨ * ) C i ; taking an opcartesian lift, we may shift ∨ * | G F tr (the subobject corresponding to the upstairs map of Diagram 6.16) to lie over (∨ * ) C : This lift can be seen to be a subobject of G F 2 using the universal property of the opcartesian lift: Consider the characteristic map of the dotted monomorphism from Diagram 6.19: Because j * is a logical functor and Ω DF C classifies subobjects strictly, Diagram 6.20 must lie over the following square: Therefore, we may use the universal property of the cartesian lift to obtain a code for disjunction of glued face conditions: Lemma 6.22 (Disjunction elimination / truth). The glued disjunction satisfies the internal orthogonality condition with respect to G written in Specification 4.6.
Proof. Fixing X G F 2 (φ, ψ) , we must find a unique lift for the following square, lying over the corresponding unique lift in DF C : Because the lift in DF C is assumed to exist and is unique, it suffices to find a unique lift for the image of Diagram 6.23 under G Set E• ; but G ∨ * is an opcartesian lift of ∨ * | G F tr, so the left-hand map becomes an identity in Set .
6.2. Glued type structure. We will now show the sense in which the semantic constructions of Uemura summarized above suffice to develop the type structure of XTT in the gluing fibration.
Construction 6.24 (Universe of glued types). We will define a computability structure G T : G lying over T C in the gluing fibration G DF C j * . Because we have assumed T T τ C is small for U U u , we have a characteristic map: We therefore obtain the base of a universe by cartesian lift: Then, the rest of the universe G T T τ is obtained by pullback: Lemma 6.25 (Disjunction elimination / elements). The glued disjunction satisfies the internal orthogonality condition with respect to G τ written in Specification 4.6.
Proof. The proof is identical to that of Lemma 6.22.
Construction 6.26 (Closure under dependent product). We must show that G τ has a code for dependent products lying over the corresponding algebra τ Π C τ C . First of all, we have a potential code in G for the dependent product of G τ -families in G, defined using functoriality and the closure of G G g under dependent products, and the fact that j * preserves dependent products: By realignment (Lemma 5.33), using the fact pi U • τ C Π and τ C • pi C are (different) characteristic maps for the same family, we obtain a new code in G for the same family in the following configuration: Therefore, we are in a position to define the type code using the universal property of the cartesian lift: We have got the downstairs map aligned properly; to complete the algebra τ Π C τ C with a properly aligned upstairs map, we may use the universal property of the pullback and the fact that j * is lex. k The closure under dependent sum works identically. We will, however, illustrate the closure under path types.
Construction 6.27 (Closure under path types). First of all, the universe G is closed under path types because path types may be constructed (up to isomorphism) using the interval, dependent products, and subobject comprehension (all of which are small). Therefore, we have a cartesian map g P g : [∆ 1 , G] cart . Using functoriality of • P and the fact that path types are preserved by j * , we have: By Lemma 5.33, we may realign the upstairs map to lie over path C • τ C ; therefore, we obtain a code for the glued path type lying over the original code by the universal property of the cartesian lift: Construction 6.28. We may form a computability structure over the booleans by opcartesian lift, using the fact that the gluing (op)fibration preserves colimits: Lemma 6.29. The computability structure G bool * τ from Construction 6.28 is small.
Proof. By the characterization theorem, it suffices to check that it lies over a small object (obvious), and that vertical map it induces is small in j * [(bool * τ) C ]. To see that this is the case, we compute this vertical map as follows: The vertical map above can be seen to be small using the fact that 2 Set F (bool * τ) C is small. Construction 6.30 (Booleans). By Lemma 6.29, there exists some characteristic map G G bool * τ for G bool * τ lying over a characteristic map for the object (bool * τ) C . Therefore, again using the realignment lemma, we may define a suitable code for the booleans using the universal property of the cartesian lift: To define the elimination form, we must exhibit a choice of lifts of the following form natural in X : G, lying over the corresponding lifts that we have fixed in DF C : For each X : G, the existence of such a lift is guaranteed by the universal property of the induced opcartesian map X × 2 G X × G bool * τ : To see that the choice of b is natural in X, we will observe the stronger property that it is the unique lift lying over j * b. Computing the opcartesian lift explicitly, we see that E G bool * τ = E 2 G ; moreover E • preserves colimits because F is left exact [Tay99], so in fact E G bool * τ = 2 Set . Therefore, the (non-unique) lifting situation of Diagram 6.31 becomes a unique lifting situation in cubical sets. k 6.3. Universe of Bishop sets.
Construction 6.32 (Glued universeà la Tarski). By induction-recursion, we may define a universe U IR : G simultaneously with a decoding function U IR G T [−] IR closed under dependent product, dependent sum, path, and boolean.
bool U IR lies not over the type-theoretic universeà la Tarski set C : DF C , but rather over a genuine inductive-recursive universe in DF C . Because this j * U IR is the least universe closed under the mentioned connectives, we obtain a universal map j * U IR set C i set C which automatically commutes with all connectives. We may therefore shift U IR to lie over set C by opcartesian lift against this universal map: is inherited using the universal property of the opcartesian lift: The map [−] IR can be seen to lie strictly over the downstairs composite in Diagram 6.34 using the uniqueness of maps out of inductive-recursive universes. Moreover, the object G set is small, so we have a characteristic map G G G set . The constructions above may be used as the basis for a universeà la Tarski G set : G T lying over the type set C : T C . By Lemma 5.33, we may realign the characteristic map G G G set to lie over the composite C U τ C • set C ; in this way, we obtain an appropriate code for the universeà la Tarski by means of the universal property of the cartesian lift below: We have not shown that the universeà la Tarski G set is closed under the appropriate connectives -we only know that U IR is closed under those connectives. Prior to demonstrating this, however, we must record a few facts about the behavior of F on pushfowards.
Corollary 6.36. We have a canonical comparison map commuting the generic dependent product family past F • M C in the following sense: Proof. By Lemma 6.35, using the fact that F is left exact.
Construction 6.37 (Constructors for the universeà la Tarski). We will now show that G set is closed under the necessary connectives; we consider only the case of dependent products, since the remaining constructors work identically.
We must construct a morphism G set Π G set G pi that lies over set Π C set C pi C . Unfolding this situation, we wish to construct the following dotted map in Set : We will define this map in the language of cubical sets. Accordingly, we begin by computing the fibers of G set and G set Π : Proof. By induction, using the fact that s et set el C is boundary separated. Construction 6.39 (Lifting structure). The type-case lifting structure of Specification 4.23 may be constructed using the induction-recursion principle of G set , and using the corresponding lifting structure for set C . k 6.4. Summary. By means of the foregoing constructions, we have defined a functorial interpretation G − of XTT into a glued logos G lying over DF C for an arbitrary XTTmodel M C . In Section 7, we will reassamble this data into a gluing model M G K equipped with a structure map M G K M C that can be used to prove canonicity.

Canonicity for XTT
In Section 5, we introduced the logos G of computability structures, along with a representable map functor T G G − . These constructions contain the essence of the proof of canonicity for XTT, but in order to complete the proof we must assemble G and G − into a model of T equipped with a morphism to M C . In this section, we construct this gluing model of XTT and prove the following canonicity theorem: . The category of computability structures G is not a category of discrete fibrations, and therefore we cannot directly take G, G − as the gluing model. Instead, following [SA20] we will shift to working with discrete fibrations on compact computability structures DF G K and use the representable map functor G DF G K N K to uniformly transfer the computability structures from Section 5 from G to DF G K .
It remains to construct the morphism M G K M C : Mod T . We will begin by constructing the data of this morphism, checking the Beck-Chevalley condition afterward.
Construction 7.2 (Gluing homomorphism data). We expect a morphism of models tracked by the gluing fibration G K C j * K at the level of contexts; it remains to make a choice of functors J G K J C : DF lying over j * K in DF Cat (natural in J : T) to exhibit the action of the homomorphism on judgments. Fixing a judgment J : T, we construct each of the components as follows: : DF C is a representable map, the right adjoint q f sends an element y C C I y to the upstairs element x determined by the following pullback square: T is a representable map, the following naturality square satisfies the Beck-Chevalley condition: We must show that the following square commutes up to canonical isomorphism: To begin with, we fix an element KΓ G J y : J G K . Inspecting the definition of I j * K from Construction 7.2, we see that I j * K (y) = χ I • j * y. Therefore, by Lemma 7.4, q f C (I j * K (y)) = q f C (χ I • j * y) is the top map of the following pullback square: Similarly, we may compute q f C (I j * K (y)) as the top of the following composite square: To show that the top of Diagram 7.7 is isomorphic to Diagram 7.8, it suffices to check that the outer square of Diagram 7.8 is cartesian. Both χ J and χ I are isomorphisms so the right-hand square of Diagram 7.8 is cartesian, so the result follows immediately from the pullback pasting lemma.
Corollary 7.9. The natural transformation M j * K from Construction 7.2 is a morphism of models. (bool * τ) G K f such that j * K f = f . Canonicity followed more-or-less immediately by inspection of f .
In this work, we have used a weaker notion of morphism and as a consequence, M I is merely bi -initial. Accordingly, we cannot immediately conclude that f is in the image of M j * K . In fact, while it is not generally the case that f = f j * , it is possible to realign x i G K to an isomorphic arrow which does lie strictly over f . Lemma 7.10 (Realignment). Given a morphism y I Γ X I x : DF I , there exists an object Γ : G K and a morphism y Proof. First we note that i G K x lies over j * is a fibration, we may construct a cartesian lift of Γ j * K i G K Γ ι . Diagrammatically, there exists two squares: Observe that ι † is an isomorphism because it is cartesian over an isomorphism. Unfolding the definition of a 2-morphism, we see that j * K (i G K x • y G K ι) = x. Accordingly, we may paste together these two diagrams to obtain the following: Remark 7.11. One might hope that Lemma 7.10 implies the existence of a morphism M I M G K M j which satisfies the identity M j * K • M j = id I on the nose. Simply applying the realignment procedure to every element of M I does not result in a morphism, however, because it is not functorial, merely pseudo-functorial. This should not be surprising: realignment relies on a choice of cartesian lift, which is only pseudo-functorial in general. k Unfolding further, any morphism 1 G G bool * τ M must be a commuting square of the following shape in Set : It is immediate that E M = inl or E M = inr; the fact that Diagram 7.13 commutes ensures that M lies over either tt I or ff I .

Perspective and outlook
For decades now, the puzzle of Martin-Löf's intensional identity type has remained at the center of type theorists' minds. In 1994, Streicher showed that intensional type theory was independent of seemingly sensible principles (like function extensionality) by constructing extremely intensional counter-models [Str94]; in 1998, Hofmann and Streicher went a step further and demonstrated that the same type theory was independent of the uniqueness of identity proofs (UIP) principle by constructing a model of type theory in groupoids [HS98]. Hofmann and Streicher's contribution showed that it was possible for identity in a universe of sets to "mean" bijection, a precursor to the univalence principle of Voevodsky [Voe06,Voe10], later codified in the language of homotopy type theory (HoTT) [Uni13]. Later, it was discovered that the identity type conferred an infinite-dimensional structure already familiar in the context of homotopy theory [AW09,vdBG11,Lum10].
Cubical type theories were invented in order to repair several semantic and syntactic anomalies of the new homotopy type theory; homotopy type theory lacks canonicity, a property closely related to but distinct from the existence of a computational "proofs-as-programs" interpretation of the language. On the other hand, the standard model of homotopy type theory in simplicial sets [KL21] must be formulated in a boolean metatheory [BC15]. The discovery of a constructive model for univalent type theory in cubical sets [BCH14] sparked a flurry of work on explicitly cubical type theories [CCHM17, AHH17, ABC + 21] which resolved both the matters of canonicity and computational interpretation [Hub18,AHH17].
While the benefits of cubical ideas for solving problems in infinite-dimensional type theory are clear, we believed that it might be possible to bring the cubical perspective to bear on the problems of traditional one-dimensional type theory, in which the intensional identity type is augmented with enough uniqueness and extensionality principles for it to behave like classical mathematical equality. In the context of the strongest possible such uniqueness principle, equality reflection, it remains an open question whether it is possible to implement a usable proof assistant; on the other hand, extending type theories with axioms for function extensionality destroys canonicity and has significant usability problems.
Inspired by the work of Altenkirch, McBride, and Swierstra on Observational Type Theory [AM06,AMS07], which internalized aspects of the setoid model of type theory, we sought to internalize Coquand's semantic universe of Bishop sets [Coq17] as a type theory in its own right, XTT. We believe that XTT is an ideal language for dependently typed programming, in which it is very important that coercions may be erased prior to execution (a procedure that cannot be applied to coercions arising from the univalence principle). Unfortunately, there are several obstacles rendering both OTT and XTT unsuitable for use as languages for formalizing general mathematics, disadvantages not shared by homotopy type theory or its cubical variants.
8.1. Trade-offs with universes. In mathematics, a universe is a "family of (some) families", an object from which every family in some class arises by pullback; we cannot have a universe of all families for general reasons, but there are several restrictions of this naïve idea that make sense, such as a universe of all monomorphisms (a subobject classifier), or a universe of κ-compact families for some regular or inaccessible cardinal κ.
Universes in mathematics are important for two reasons: first, they tame subtle but essentially bureaucratic questions of size [AGV72, Exposé I, Ch. 0], and second, they provide a (stronger) alternative to the set-theoretical axiom of replacement that enables concepts to be formulated in the convenient fiber-wise style familiar from dependent type theory [Str05]. Here, it is very important to ensure that the universe imposes no spurious structures on the maps it classifies; for instance, if U is the universe of κ-compact maps, we may develop the theory of κ-compact groups in terms of U . Then, a predicate defined over κ-compact groups should have the same meaning as a predicate defined over U -groups.  AMS07] and XTT (both [SAG19] and the present paper) share an infelicitous interpretation of universes from the perspective of mathematics: universes are modeled by closed inductiverecursive types, hence in the semantics there is a corresponding elimination principle for the universe that proceeds by cases on whether a given code is (e.g.) a dependent product type, a dependent sum type, the boolean type, etc. This defect appears in both the syntax and semantics of OTT and XTT: in the former case, because OTT is not a type theory per se but rather a syntactical model construction, and in the latter, because we have explicitly added a type-case operator to the theory of XTT. The reason we view the closed universe semantics as infelicitous is that it changes the meaning of quantification over (e.g.) algebraic structures in a way that is not really compatible with ordinary mathematical usage. The existence of a codeÂ for a type A in these universes expresses not only the smallness of A, but also the fact that A is either a dependent product, a dependent sum, an equation, or it is the booleans (etc.), and the same for all of A's subterms. Hence a mathematical statement quantifying over the elements of A does not have the right meaning when interpreted into such a model, considering these additional assumptions on the form of A. At the very least, a universe that is suitable for use by mathematicians should be characterized (up to equivalence) by some intrinsic property such as smallness or compactness, rather than by the syntactical form of the classified types.
As we have discussed in Section 2.3.4, the reason for internalizing the type-case principle in the syntax of XTT is to ensure that type constructors are internally injective, a prerequisite for deciding type checking in the presence of boundary separation in OTT/XTT-style theories. 9 Although it is obvious in syntax that one could choose a less heavy-handed implementation of internal injectivity than type-case, e.g. by adding constants witnessing the internal injectivity of each individual type constructor, we did not at the time believe that such a generalization would meaningfully enlarge the space of semantic models of XTT. 8.1.2. Syntax and semantics of internal injectivity. Subsequent to the introduction of XTT by the present authors [SAG19], Pujet and Tabareau [PT22] have introduced a new noncubical reconstruction of observational type theory called TT obs that has a number of attractive properties going beyond the ones proved in the present paper, including normalization and decidability of type checking. Just as XTT, TT obs improves on OTT by defining a true type theory that is distinguished from any particular syntactic model or translation; TT obs deviates from XTT, however, by witnessing the internal injectivity of type constructors directly rather than by means of a type-case primitive.
Gratzer [Gra22] has recently demonstrated a construction of open inductive-recursive universes that are generic for a suitable class of families (e.g. relatively κ-small or relatively κ-compact families for some a strongly inaccessible cardinal κ) and yet validate the injectivity assumptions needed by XTT and TT obs . Gratzer's construction refutes our previous assumption that weakening type-case to a direct account of internal injectivity would not lead to new and more useful models of XTT, and provides some vindication to the choice of Pujet and Tabareau to treat internal injectivity directly.
Therefore we conclude in hindsight that a type theory for boundary-separated sets, whether treated cubically or not, need not internalize a closed universe but can instead be usefully equipped with explicit laws governing the internal injectivity of type constructors. We do maintain, however, that there remains a contradiction between the intended meaning of universes in mathematical practice and the need for injectivity in the implementation of boundary separation in OTT/XTT/TT obs : the statement "If A → B is equal to C → D, then A is equal to C" is arguably a junk theorem akin to 1 ∈ π or 4 ⊆ 9.
8.2. What is a proposition? A considerably more subtle obstacle for using either OTT or XTT in the formalization of mathematics is to be found when choosing a suitable notion of proposition or relation. In type theory, there are a priori two ways to formalize propositions: (1) A strict proposition is a type whose elements are all judgmentally equal.
(2) A weak proposition is a type X together with a function (x, y : X) → path X (x, y).
In OTT/XTT, the strict and weak notions of proposition do not agree, though they could be forced to agree by adding equality reflection. Unfortunately, when investigating the interplay between the indispensable principles of function comprehension and effectivity of equivalence relations, we will find that this mismatch cannot be resolved by favoring either the strict or the weak notion.
As soon as one has chosen a notion of proposition, one may consider the corresponding "squash type", the reflection of types into propositions: (1) Given a type A, the strict squash type |A| s is a strict proposition; a function |A| s → B is a function f : A → B such that every f (x) is judgmentally equal to f (y). The strict squash type was investigated by Awodey and Bauer [AB04], and appears in recent versions of Coq and Agda [GCST19].
(2) Given a type A, the weak squash type |A| w is a weak proposition; a function |A| w → B is a function f : A → B together with a function assigning to each x, y : A an element of path B (f (x), f (y)). The weak squash type appears in homotopy type theory as propositional truncation [Uni13].
Dependent product and binary product preserve the property of being a (strict, weak) proposition, and may therefore be used as universal quantification and conjunction in a logic of propositions. Dependent sum and binary sum do not preserve this property, but they can be squashed in order to define existential quantification and disjunction. The logic of (strict, weak) propositions is summarized below: 8.2.1. Function comprehension. What is the meaning of "function"? There is only one possible answer: it is an element of an exponential object. In some categories, however, these exponentials can be reconstructed as representing objects for collections of functional relations. This isomorphism between the collection of functions A → B and subobjects of A × B satisfying a unique existence property is traditionally referred to as the "axiom of unique choice", though it is perhaps better to refer to it as function comprehension. Function comprehension is a crucial feature of both classical and constructive mathematics, and life becomes very difficult in categories where function comprehension fails. A (strict, weak) functional relation from A to B is a family of (strict, weak) propositions x : A, y : B R(x, y) together with a proof of the following (strict, weak) proposition: ∀x : A. ∃ s/w y : B. R(x, y) ∧ ∀y : B. R(x, y ) ⊃ y = B y (functionality) The proposition above may be rendered into the language of types as follows: (x : A) → |(y : B) × R(x, y) × ((y : B) → R(x, y ) → path B (y, y ))| s/w The function comprehension principle is immediate for weak propositions in OTT and XTT, but fails for strict propositions.
(1) To exhibit a function A → B from a weak functional relation, we may extract the y : B using the universal property of the weak squash type, fulfilling the auxiliary obligation using the weak uniqueness of y with R(x, y).
(2) In doing the same with a strict functional relation, we run into a problem: to make a function out of an element of the strict squash type, we end up needing that y is unique with R(x, y) up to judgmental equality, but we have only an element of path B (y, y ) for each y such that R(x, y ).
Therefore, short of adding equality reflection, we must conclude that the weak notion of proposition is the "correct" one, and the strict one is not particularly useful for mathematics in an environment without equality reflection. Unfortunately, we will see that another indispensable reasoning principle in constructive and classical mathematics, the effectivity of equivalence relations, appears to be compatible only with the strict notion in a boundary separated environment lacking equality reflection. (In contrast, full cubical type theory satisfies a vastly stronger exactness condition called descent, generalizing both the disjointness of coproducts and the effectivity of equivalence relations.) 8.2.2. Effectivity of equivalence relations. It is possible to add quotient types to both XTT and OTT (an extension implemented, for instance, as part of the experimental Epigram 2 proof assistant [McB10]); likewise, Nuprl has supported a version of quotient types for decades. Unfortunately, these quotients can be made to have good properties only for certain equivalence relations: (1) In Nuprl, only equivalence relations valued in "strong propositions" (types having at most one element up to the intensional untyped equivalence of Howe [How89]) have good quotients. Equivalence relations valued in general propositions (types having at most one element up to extensional equality) do not necessarily have good quotients, a serious problem alluded to in the work of Nogin [Nog02]. Writing [−] : A → A/R for the quotient map, the quotient A/R is "good" when each type path A/R ([x], [y]) is equivalent to R(x, y); this property, called the effectivity of R, does not follow from the rules of quotient types alone and in fact fails in many categories (such as categories of partial equivalence relations). The effectivity of all equivalence relations is, however, indispensable for practical use of quotients in mathematics.
In type theory, the effectivity of equivalence relations follows from propositional extensionality, a restricted version of the univalence principle that places bi-implications (f, g) : P ↔ Q into correspondence with proofs of equality pua(f, g) : path(P, Q); in topos theory, this corresponds to the existence of a subobject classifier. We will see, however, that it is not possible to extend either XTT or OTT (or any type theory satisfying boundary separation or definitional UIP) with a univalence principle for weak propositions without some fundamentally new ideas.
In cubical type theories, univalence is supported by means of a special connective taking an equivalence of types and returning a path between the corresponding types [Ang19]; we might attempt to extend XTT by a version of this connective restricted to weak propositions: Unfortunately, we can show that a univalent universe of weak propositions Prop cannot be boundary separated.
Lemma 8.1. Suppose that we have a boundary separated universe of propositions closed under V-types (thence univalent); then, all equivalences between two propositions are judgmentally equal.
Proof. Let P, Q be two propositions classified by the univalent universe of propositions, and let (f, g) and (f , g ) be two equivalences between them. Abstracting a dimension i : I, we therefore have two V-types V i (P, Q, f, g) and V i (P, Q, f , g ); by boundary separation, we in fact have V i (P, Q, f, g) = V i (P, Q, f , g ).
We will show that f = f judgmentally by using coercion in the V-type, following the computation rules described by Angiuli [Ang19]. To see that g = g , simply repeat the procedure with the inverse equivalences.
Remark 8.2. Lemma 8.1 can likewise be replayed when glue-typesà la [ABC + 21] are used instead of V-typesà la [AHH17]. In either case, coercion can be used (modulo regularity) to recover the equivalence from the line of types. k The assumptions of Lemma 8.1 imply some intensional type theoretic taboos.  Proof. Let P be a proposition, and let x, y be proofs of P . The constant functions λ .x and λ .y are both equivalences P ↔ P ; by Lemma 8.1, they are judgmentally equal. Therefore, x and y are judgmentally equal.
Corollary 8.4. Under the assumptions of Lemma 8.1, equality reflection holds.
Proof. Let A : set and let a ∈ A; then S A (a) def == (x ∈ A) × path el(A) (a, x) is a weak proposition. By Corollary 8.3, S A (a) is moreover a strict proposition. Let a ∈ A and p : path el(A) (a, a ); therefore we have a, λ .a = a , p : S A (a), whence a = a judgmentally.