**Definition** (negative formulation of hereditary termination):
* 🆕 HT{T₁ × T₂}(M) ≝ HT{T₁}(M.1) ∧ HT{T₂}(M.2)
* 🆕 HT{T₁ → T₂}(M) ≝ ∀M₁, HT{T₁}(M₁) ⊃ HT{T₂}(M M₁)
* HT{1}(M) ≝ M →* ⟨⟩
* HT{Ans}(M) ≝ M →* yes ∨ M →* no

**Lemma** (head expansion): If M' → M and HT{A}(M) then HT{A}(M').

**Theorem** (fundamental): If Γ ⊢ M : A then Γ ≫ M ∈ A.
**Proof**: By induction on the typing derivation. Assume γ and HT{Γ}(γ); the goal is to show HT{A}(γ̂(M)).
* Case Lam: The premise is Γ, x : A₁ ⊢ M₂ : A₂, with conclusion Γ ⊢ λx. M₂ : A₁ → A₂.
  Assuming M₁ and HT{A₁}(M₁), the goal is to show HT{A₂}((λx. γ̂(M₂)) M₁).
  Using the assumptions, we have HT{Γ, x : A₁}(γ, x ↦ M₁),
  which we apply to the induction hypothesis on the premise to get HT{A₂}(γ̂(M₂)[x ↦ M₁]).
  By head expansion on (λx. γ̂(M₂)) M₁ → γ̂(M₂)[x ↦ M₁], we obtain our goal.
* Case App: The premises are Γ ⊢ M : A₁ → A₂ and Γ ⊢ M₁ : A₁, with conclusion is Γ ⊢ M M₁ : A₂; the goal is to show HT{A₂}(γ̂(M) γ̂(M₁)).
  By the induction hypothesis on the first premise specialized to γ̂(M₁),
  we have that HT{T₁}(γ̂(M₁)) implies HT{T₂}(γ̂(M) γ̂(M₁)), our goal.
  It suffices to show the antecedent, which holds by the induction hypothesis on the second premise.
* Case Pair: The premises are Γ ⊢ M₁ : A₁ and Γ ⊢ M₂ : A₂, with conclusion Γ ⊢ ⟨M₁, M₂⟩ : A₁ × A₂.
  The goal is to show HT{A₁}(⟨γ̂(M₁), γ̂(M₂)⟩.1) and HT{A₂}(⟨γ̂(M₁), γ̂(M₂)⟩.2).
  By the induction hypotheses on the two premises, we have HT{A₁}(γ̂(M₁)) and HT{A₂}(γ̂(M₂)).
  By head expansion on ⟨γ̂(M₁), γ̂(M₂)⟩.i → γ̂(Mᵢ), we have our goal.
* Case Left/Right: The premise is Γ ⊢ M : A₁ × A₂, and the conclusion is Γ ⊢ M.i : Aᵢ.
  The goal is to show HT{Aᵢ}(γ̂(M).i).
  By the induction hypothesis on the premise, we have HT{Aᵢ}(γ̂(M).i) as needed.
* Cases Var, Yes, No, Unit: Unchanged.

----

**Lemma**: If M₁ and M₂[x ↦ M₁] are strongly normalizing, then M₂ is strongly normalizing.
**Proof**: By induction on M₂. In the variable case for x, we use strong normalization of M₂.

**Claim**: The largest saturated set is SN itself. Obviously there is no larger set, since all saturated sets are subsets of SN. To check saturation:
* If N... ∈ SN then x N... ∈ SN: By congruence of application, the only possible reduction paths are through reduction of N..., which are strongly normalizing.
* If M₁, N... ∈ SN and M₂[x ↦ M₁] N... ∈ SN then (λx. M₂) M₁ N... ∈ SN: The possible reduction paths are by congruence through M₁, M₂, or N..., or by β-reduction of the head redex.
	* β-reduction: (λx. M₂) M₁ N... → M₂[x ↦ M₁] N..., which was assumed to be strongly normalizing.
	* Congruence (M₁ and N...): They were assumed to be strongly normalizing.
	* Congruence (M₂): By assumption, M₂[x ↦ M₁] N... is strongly normalizing, so M₂[x ↦ M₁] must be strongly normalizing.† Then by the above lemma, M₂ is strongly normalizing.
		† I'm fairly certain this is true, but I'm now doubting that it's simple to prove rigorously...