Whenever clients get this stuff out of invariants, this is much more convenient for them, compared to applying timelessness themselves.
On the other hand, this makes the test proofs slightly more annoying, since they have to manually strip away that later. I am not sure if it is worth having separate lemmas (well, tactics, soon) for that.
Eventually, we should have a tactic which, given "... * P * ... |- ... * \later^n P * ...", automatically gets rid of the P.

We only use wp_value in the end if the resulting goal is yet
another wp. Otherwise we may not be able to do a final view
shift (as observed by Ralf).

Also, make our redefinition of done more robust under different
orders of Importing modules.

The rationale is that, just like the always lemmas about uPred and the frame-preserving updates for maps and iprdos, the versions with the ' are the "more specific" versions, hard-coding more assumptions in the shape of their conclusion.

Also do some minor clean up.

Now notations are pretty printed in the same way as they are parsed.
Before "let x := e1 in e2" was notation for "(fun x => e2) e1",
resulting in overlapping notations for the same thing.

We can use a named representation because we only substitute closed values. This
idea is borrowed from Pierce's Software Foundations.

The named representation has the following advantages:
* Programs are much better readable than those using De Bruijn indexes.
* Substitutions on closed terms (where all variables are explicit strings) can
  be performed by a mere simpl instead of Autosubst's asimpl. The performance
  of simpl seems better than asimpl.
* Syntactic sugar refolds better.

add basic notions of literals, unary operators and binary operators, and use them to define +, -, <=, ...

Actual proofs will end up using own and inv, and none of the notions defined in ownership.v