.. package:gdp

(...) :: a -> Proof p -> a ::: p
gdp Data.Refined
Given a value and a proof, attach the proof as a ghost proof on the value.
(...>) :: (a ::: p) -> (p -> Proof q) -> a ::: q
gdp Data.Refined
Apply an implication to the ghost proof attached to a value, leaving the value unchanged.
(...?) :: (forall name . (a ~~ name) -> b ~~ f name) -> (forall name . p name -> Proof (q (f name))) -> (a ? p) -> b ? q
gdp Data.Refined
Take a simple function with one named argument and a named return, plus an implication relating a precondition to a postcondition of the function, and produce a function between refined input and output types. 
newtype NonEmpty xs = NonEmpty Defn
type role Nonempty nominal -- disallows coercion of Nonempty's argument.

newtype Reverse  xs = Reverse  Defn
type role Reverse nominal

rev :: ([a] ~~ xs) -> ([a] ~~ Reverse xs)
rev xs = defn (reverse (the xs))

rev_nonempty_lemma :: NonEmpty xs -> Proof (NonEmpty (Reverse xs))

rev' :: ([a] ?NonEmpty) -> ([a] ?NonEmpty)
rev' = rev ...? rev_nonempty_lemma