Dualize the unsafe flag of refine into typecheck and make it mandatory.

2 files changed, 5 insertions, 6 deletions

diff --git a/dev/doc/changes.txt b/dev/doc/changes.txt
index 8456195e6..63c064d84 100644
--- a/dev/doc/changes.txt
+++ b/dev/doc/changes.txt
@@ -144,8 +144,8 @@ In Coqlib / reference location:
 - The tclWEAK_PROGRESS and tclNOTSAMEGOAL tacticals were removed. Their usecase
   was very specific. Use tclPROGRESS instead.
 
-- The Refine.refine function and its variants now have the unsafe flag turned
-  down by default.
+- The unsafe flag of the Refine.refine function and its variants has been
+  renamed and dualized into typecheck and has been made mandatory.
 
 ** Ltac API **
 
diff --git a/dev/doc/proof-engine.md b/dev/doc/proof-engine.md
index db69b08a2..8f96ac223 100644
--- a/dev/doc/proof-engine.md
+++ b/dev/doc/proof-engine.md
@@ -42,14 +42,13 @@ goal holes thanks to the `Refine` module, and in particular to the
 `Refine.refine` primitive.
 
 ```ocaml
-val refine : ?unsafe:bool -> Constr.t Sigma.run -> unit tactic
-(** In [refine ?unsafe t], [t] is a term with holes under some
+val refine : typecheck:bool -> Constr.t Sigma.run -> unit tactic
+(** In [refine typecheck t], [t] is a term with holes under some
     [evar_map] context. The term [t] is used as a partial solution
     for the current goal (refine is a goal-dependent tactic), the
     new holes created by [t] become the new subgoals. Exceptions
     raised during the interpretation of [t] are caught and result in
-    tactic failures. If [unsafe] is [false] (default is [true]) [t] is
-    type-checked beforehand. *)
+    tactic failures. If [typecheck] is [true] [t] is type-checked beforehand. *)
 ```
 
 In a first approximation, we can think of `'a Sigma.run` as