
Does Lean improve proof surveyability? A comparison with Coq and Isabelle

Great question! Let's break this down, especially tying in insights from A Metaprogramming Framework for Formal Verification when comparing Lean to Coq and Isabelle on proof surveyability.

First, to ground us: proof surveyability is the property that lets human users trace every detail of a formal proof. As you noted, this gets tricky with things like SMT proofs—where heuristics translate reasoning into a prover's language, making it hard to unpack failures or peek under the hood without specialized expertise.

Lean's Metaprogramming Edge for Surveyability

Lean's metaprogramming framework (as highlighted in that paper) brings a few key advantages over Coq and Isabelle when it comes to making proofs more surveyable:

  • Extensible, User-Friendly Tactics with Transparency
    Lean lets you write custom tactics using its metaprogramming layer that are designed to be human-readable, not just machine-executable. Unlike Coq's tactic language (which can feel opaque for complex custom tactics) or Isabelle's ML-based metaprogramming (which has a steeper learning curve), Lean's approach ties tactics closely to the same logic users write proofs in. This means when a tactic fails, you can inspect its intermediate steps more easily—no need to dive into low-level prover internals.

  • Integrated Proof State Visualization
    Lean's tooling (like the VS Code extension) builds on its metaprogramming capabilities to show you the proof state in real time as you build or debug a proof. For SMT-backed proofs specifically, Lean can surface how the SMT solver's results map back to your original proof goals. Compare this to Coq, where you often need separate tools to visualize proof states, or Isabelle, where SMT integration is more siloed—Lean makes it simpler to trace why a proof failed without specialized SMT knowledge.

  • Rewritable Proof Scripts
    The metaprogramming framework lets you create tactics that generate explicit, step-by-step proof scripts instead of opaque "black box" reasoning. For example, if you use an SMT-based tactic in Lean, you can configure it to output the detailed logical steps that the solver took, which you can then inspect, edit, or even reuse in other proofs. Coq's SMT integration (like the smt tactic) often produces less granular output, and Isabelle's SMT tools are more focused on automation than traceability.

  • Unified Language for Proofs and Metaprograms
    Unlike Coq (where metaprogramming uses a separate language like Ltac2 or OCaml) or Isabelle (which relies on ML), Lean uses a single, unified language for both writing proofs and metaprograms. This means you don't have to switch mental contexts when debugging a proof—you can use the same syntax and reasoning to inspect a tactic's behavior as you do to write the proof itself. Lowering the barrier here makes surveyability accessible to users without deep metaprogramming expertise.

In short, Lean's metaprogramming framework is built with human-centric surveyability in mind. It bridges the gap between automation (like SMT solvers) and human understanding in a way that Coq and Isabelle don't, making it easier to unpack proof failures, inspect internal reasoning, and maintain control over your formal proofs—even without specialized background knowledge.
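As an added illustration of the first point above (a custom tactic whose intermediate proof state stays visible), here is a small Lean 4 tactic. It is example code written for this page, not code from the paper or from the answer above; it assumes a current Lean 4 toolchain with the `Lean` package importable, and the tactic name `traced_simp` is our own choice.

```lean
import Lean
open Lean Elab Tactic

/-- `traced_simp` runs `simp`, but logs the goal it started from, the goal that
    remains afterwards, or the failure it hit, so every intermediate step shows
    up in the infoview instead of being hidden inside the automation. -/
elab "traced_simp" : tactic => do
  let goal ← getMainGoal
  logInfo m!"goal before simp: {goal}"
  try
    evalTactic (← `(tactic| simp))
  catch e =>
    -- Surface the failure next to the goal it failed on, then re-raise it.
    logInfo m!"simp failed on this goal: {e.toMessageData}"
    throw e
  match (← getGoals) with
  | [] => logInfo "simp closed the goal"
  | g :: _ => logInfo m!"goal after simp: {g}"

-- `simp` closes this goal outright (via `Nat.add_zero`); the log shows the
-- starting goal and then reports that it was closed.
example (a : Nat) : a + 0 = a := by
  traced_simp

-- Here `simp` only rewrites `q ∧ True` to `q`; the remaining goal `p ∧ q`
-- is logged and then finished by hand.
example (p q : Prop) (hp : p) (hq : q) : p ∧ q ∧ True := by
  traced_simp
  exact ⟨hp, hq⟩
```

Hovering over `traced_simp` in the editor shows the logged goals, which is the kind of step-by-step visibility the answer contrasts with an opaque SMT-style black box.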

The question is taken from Stack Exchange; question author: user1868607.
