def reverse {α : Type} : List α → List α
| [] => []
| (x :: xs) => reverse xs ++ [x]

theorem reverse_involutive {α : Type} (l : List α) : 
  reverse (reverse l) = l := by
  induction l with
  | nil => simp [reverse]
  | cons x xs ih => 
    simp [reverse]
    rw [reverse_append_singleton]
    rw [ih]
where
  reverse_append_singleton {α : Type} (x : α) (l : List α) :
    reverse (l ++ [x]) = x :: reverse l := by
    induction l with
    | nil => simp [reverse]
    | cons y ys ih => 
      simp [reverse, ih]
      rw [← List.cons_append]

theorem qsort_sorts (l : List ℕ) : Sorted (qsort l) := by
  unfold qsort
  match l with
  | [] => apply Sorted.nil
  | x :: xs =>
    let (lo, hi) := partition x xs
    have lo_sorted : Sorted (qsort lo) := qsort_sorts lo
    have hi_sorted : Sorted (qsort hi) := qsort_sorts hi
    apply merge_sorted; assumption

theorem qsort_perm (l : List ℕ) : Perm l (qsort l) := by
  unfold qsort
  match l with
  | [] => apply Perm.refl
  | x :: xs =>
    let (lo, hi) := partition x xs
    trans
    · apply Perm.cons
      exact qsort_perm xs
    · apply perm_trans
      apply partition_perm
      apply perm_append
      · exact qsort_perm lo
      · exact qsort_perm hi

structure Proposal where
  value : α
  ballot : Nat

inductive AcceptorState where
  | prepared (b : Nat)
  | accepted (p : Proposal)

inductive Message where
  | prepare (b : Nat)
  | promise (b : Nat) (p : Option Proposal)
  | accept (p : Proposal)
  | accepted (p : Proposal)

theorem paxos_safety (c : Consensus α) :
  ∃ v : α, ∀ p ∈ c.final_values, p.value = v := by
  apply QuorumIntersection
  intro q1 q2 hq1 hq2
  cases' highest_accepted q1 with p1 hp1
  cases' highest_accepted q2 with p2 hp2
  have : p1.ballot = p2.ballot :=
    Nat.le_antisymm (ballot_le_ballot hp1.1 hp2.2)
                   (ballot_le_ballot hp2.1 hp1.2)
  rw [this]
  exact hp1.2.trans hp2.2.symm