@fairfox/polly 0.16.0 → 0.18.0

package/dist/tools/verify/src/cli.js

@@ -13,6 +13,48 @@ var __export = (target, all) => {
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
+// tools/verify/src/analysis/non-interference.ts
+var exports_non_interference = {};
+__export(exports_non_interference, {
+  checkNonInterference: () => checkNonInterference
+});
+function checkNonInterference(subsystems, handlers) {
+  const violations = [];
+  const fieldOwner = new Map;
+  for (const [name, sub] of Object.entries(subsystems)) {
+    for (const field of sub.state) {
+      fieldOwner.set(field, name);
+    }
+  }
+  const handlerSubsystem = new Map;
+  for (const [name, sub] of Object.entries(subsystems)) {
+    for (const h of sub.handlers) {
+      handlerSubsystem.set(h, name);
+    }
+  }
+  for (const handler of handlers) {
+    const subsystemName = handlerSubsystem.get(handler.messageType);
+    if (!subsystemName)
+      continue;
+    for (const assignment of handler.assignments) {
+      const fieldName = assignment.field;
+      const owner = fieldOwner.get(fieldName);
+      if (owner && owner !== subsystemName) {
+        violations.push({
+          handler: handler.messageType,
+          subsystem: subsystemName,
+          writesTo: fieldName,
+          ownedBy: owner
+        });
+      }
+    }
+  }
+  return {
+    valid: violations.length === 0,
+    violations
+  };
+}
+
 // tools/verify/src/codegen/invariants.ts
 import { Node as Node3, Project as Project3 } from "ts-morph";
 
@@ -341,6 +383,7 @@ class TemporalTLAGenerator {
 var exports_tla = {};
 __export(exports_tla, {
   generateTLA: () => generateTLA,
+  generateSubsystemTLA: () => generateSubsystemTLA,
   TLAValidationError: () => TLAValidationError,
   TLAGenerator: () => TLAGenerator
 });
@@ -351,6 +394,49 @@ async function generateTLA(config, analysis) {
   const generator = new TLAGenerator;
   return await generator.generate(config, analysis);
 }
+async function generateSubsystemTLA(_subsystemName, subsystem, config, analysis) {
+  const stateFields = new Set(subsystem.state);
+  const handlerNames = new Set(subsystem.handlers);
+  const filteredState = {};
+  for (const [field, fieldConfig] of Object.entries(config.state)) {
+    if (stateFields.has(field)) {
+      filteredState[field] = fieldConfig;
+    }
+  }
+  const filteredMessages = {
+    ...config.messages,
+    include: subsystem.handlers
+  };
+  filteredMessages.exclude = undefined;
+  if (filteredMessages.perMessageBounds) {
+    const filteredBounds = {};
+    for (const [msg, bound] of Object.entries(filteredMessages.perMessageBounds)) {
+      if (handlerNames.has(msg)) {
+        filteredBounds[msg] = bound;
+      }
+    }
+    filteredMessages.perMessageBounds = filteredBounds;
+  }
+  const filteredConfig = {
+    ...config,
+    state: filteredState,
+    messages: filteredMessages,
+    subsystems: undefined
+  };
+  if (filteredConfig.tier2?.temporalConstraints) {
+    filteredConfig.tier2 = {
+      ...filteredConfig.tier2,
+      temporalConstraints: filteredConfig.tier2.temporalConstraints.filter((tc) => handlerNames.has(tc.before) && handlerNames.has(tc.after))
+    };
+  }
+  const filteredAnalysis = {
+    ...analysis,
+    messageTypes: analysis.messageTypes.filter((mt) => handlerNames.has(mt)),
+    handlers: analysis.handlers.filter((h) => handlerNames.has(h.messageType))
+  };
+  const generator = new TLAGenerator;
+  return await generator.generate(filteredConfig, filteredAnalysis);
+}
 var TLAValidationError, TLAGenerator;
 var init_tla = __esm(() => {
   init_invariants();
@@ -1832,7 +1918,7 @@ var init_tla = __esm(() => {
         this.addTemporalConstraints(config.tier2.temporalConstraints);
       }
       this.line("\\* State constraint to bound state space");
-      this.addStateConstraint(config);
+      this.addStateConstraint(config, _analysis);
       this.line("=============================================================================");
     }
     addTemporalConstraints(constraints) {
@@ -1862,10 +1948,11 @@ var init_tla = __esm(() => {
         });
       }
     }
-    addStateConstraint(config) {
+    addStateConstraint(config, analysis) {
       const hasPerMessageBounds = config.messages.perMessageBounds && Object.keys(config.messages.perMessageBounds).length > 0;
       const hasBoundedExploration = config.tier2?.boundedExploration?.maxDepth !== undefined;
-      const needsConjunction = hasPerMessageBounds || hasBoundedExploration;
+      const hasUserConstraints = (analysis.globalStateConstraints?.length ?? 0) > 0;
+      const needsConjunction = hasPerMessageBounds || hasBoundedExploration || hasUserConstraints;
       this.line("StateConstraint ==");
       this.indent++;
       if (needsConjunction) {
@@ -1879,6 +1966,13 @@ var init_tla = __esm(() => {
         if (hasBoundedExploration && config.tier2?.boundedExploration?.maxDepth) {
           this.line(`/\\ TLCGet("level") <= ${config.tier2.boundedExploration.maxDepth} \\* Tier 2: Bounded exploration`);
         }
+        if (hasUserConstraints && analysis.globalStateConstraints) {
+          for (const constraint of analysis.globalStateConstraints) {
+            const tlaExpr = this.tsExpressionToTLA(constraint.expression, false);
+            this.line(`\\* ${constraint.name}${constraint.message ? `: ${constraint.message}` : ""}`);
+            this.line(`/\\ \\A ctx \\in Contexts : (${tlaExpr})`);
+          }
+        }
       } else {
         this.line("Len(messages) <= MaxMessages");
       }
@@ -1887,6 +1981,9 @@ var init_tla = __esm(() => {
       if (hasBoundedExploration && config.tier2?.boundedExploration?.maxDepth) {
         console.log(`[INFO] [TLAGenerator] Tier 2: Bounded exploration with maxDepth = ${config.tier2.boundedExploration.maxDepth}`);
       }
+      if (hasUserConstraints && analysis.globalStateConstraints) {
+        console.log(`[INFO] [TLAGenerator] ${analysis.globalStateConstraints.length} user-defined state constraint(s) added to CONSTRAINT clause`);
+      }
     }
     addDeliveredTracking() {
       this.line("");
@@ -2366,6 +2463,400 @@ var init_docker = () => {};
 import * as fs4 from "node:fs";
 import * as path4 from "node:path";
 
+// tools/verify/src/analysis/expression-validator.ts
+var SIGNAL_VALUE_FIELD = /([a-zA-Z_]\w*)\.value\.([a-zA-Z_][\w.]*)/g;
+var SIGNAL_VALUE_BARE = /([a-zA-Z_]\w*)\.value\b(?!\.)/g;
+var STATE_DOT_FIELD = /state\.([a-zA-Z_][\w.]*)/g;
+var PAYLOAD_REF = /payload\.\w+/;
+function extractFieldRefs(expression) {
+  const refs = [];
+  for (const m of expression.matchAll(SIGNAL_VALUE_FIELD)) {
+    const prefix = m[1];
+    const suffix = m[2];
+    refs.push(`${prefix}.${suffix}`);
+  }
+  for (const m of expression.matchAll(SIGNAL_VALUE_BARE)) {
+    refs.push(m[1]);
+  }
+  for (const m of expression.matchAll(STATE_DOT_FIELD)) {
+    refs.push(m[1]);
+  }
+  return [...new Set(refs)];
+}
+function fieldInConfig(fieldRef, configKeys, stateConfig) {
+  if (configKeys.has(fieldRef))
+    return true;
+  const underscored = fieldRef.replace(/\./g, "_");
+  if (configKeys.has(underscored))
+    return true;
+  const dotted = fieldRef.replace(/_/g, ".");
+  if (configKeys.has(dotted))
+    return true;
+  if (stateConfig && fieldRef.endsWith(".length")) {
+    const parent = fieldRef.slice(0, -".length".length);
+    const parentEntry = resolveConfigEntry(parent, stateConfig);
+    if (parentEntry !== undefined && isArrayLike(parentEntry))
+      return true;
+  }
+  return false;
+}
+function resolveConfigEntry(fieldRef, stateConfig) {
+  if (fieldRef in stateConfig)
+    return stateConfig[fieldRef];
+  const underscored = fieldRef.replace(/\./g, "_");
+  if (underscored in stateConfig)
+    return stateConfig[underscored];
+  const dotted = fieldRef.replace(/_/g, ".");
+  if (dotted in stateConfig)
+    return stateConfig[dotted];
+  return;
+}
+function isArrayLike(configEntry) {
+  if (configEntry && typeof configEntry === "object") {
+    const obj = configEntry;
+    if (obj.type === "array")
+      return true;
+    if ("maxLength" in obj)
+      return true;
+    if ("maxSize" in obj)
+      return true;
+  }
+  return false;
+}
+function isNullable(configEntry) {
+  if (Array.isArray(configEntry)) {
+    return configEntry.includes(null);
+  }
+  if (configEntry && typeof configEntry === "object") {
+    const obj = configEntry;
+    if (obj.abstract === true)
+      return true;
+    if (Array.isArray(obj.values)) {
+      return obj.values.includes(null);
+    }
+  }
+  return false;
+}
+var UNSUPPORTED_METHODS = /\.(some|every|find|filter)\s*\(/;
+var OPTIONAL_CHAIN = /\?\./;
+var NULL_COMPARISON = /(===?\s*null|!==?\s*null|null\s*===?|null\s*!==?)/;
+function checkUnmodeledFields(expression, configKeys, stateConfig, messageType, conditionType, location) {
+  const warnings = [];
+  const refs = extractFieldRefs(expression);
+  for (const ref of refs) {
+    if (!fieldInConfig(ref, configKeys, stateConfig)) {
+      warnings.push({
+        kind: "unmodeled_field",
+        message: `${conditionType}() in ${messageType} references unmodeled field '${ref}'`,
+        messageType,
+        conditionType,
+        expression,
+        location,
+        suggestion: `Add '${ref}' to state config or remove from ${conditionType}()`
+      });
+    }
+  }
+  return warnings;
+}
+function checkUnsupportedMethods(expression, configKeys, stateConfig, messageType, conditionType, location) {
+  const match = expression.match(UNSUPPORTED_METHODS);
+  if (!match)
+    return [];
+  const refs = extractFieldRefs(expression);
+  const allUnmodeled = refs.length > 0 && refs.every((r) => !fieldInConfig(r, configKeys, stateConfig));
+  if (allUnmodeled)
+    return [];
+  return [
+    {
+      kind: "unsupported_method",
+      message: `${conditionType}() in ${messageType} uses .${match[1]}() which cannot be translated to TLA+`,
+      messageType,
+      conditionType,
+      expression,
+      location,
+      suggestion: `Rewrite without .${match[1]}() or model the check as a boolean state field`
+    }
+  ];
+}
+function checkOptionalChaining(expression, messageType, conditionType, location) {
+  if (!OPTIONAL_CHAIN.test(expression))
+    return [];
+  return [
+    {
+      kind: "optional_chaining",
+      message: `${conditionType}() in ${messageType} uses optional chaining (?.)`,
+      messageType,
+      conditionType,
+      expression,
+      location,
+      suggestion: "Optional chaining translation is fragile — consider explicit null checks or restructuring"
+    }
+  ];
+}
+function checkNullComparisons(expression, stateConfig, configKeys, messageType, conditionType, location) {
+  if (!NULL_COMPARISON.test(expression))
+    return [];
+  const warnings = [];
+  const refs = extractFieldRefs(expression);
+  for (const ref of refs) {
+    if (!fieldInConfig(ref, configKeys, stateConfig))
+      continue;
+    const entry = resolveConfigEntry(ref, stateConfig);
+    if (entry !== undefined && !isNullable(entry)) {
+      warnings.push({
+        kind: "null_comparison",
+        message: `${conditionType}() in ${messageType} compares '${ref}' to null but field is not nullable`,
+        messageType,
+        conditionType,
+        expression,
+        location,
+        suggestion: `Add null to '${ref}' values in state config, or remove the null check`
+      });
+    }
+  }
+  return warnings;
+}
+var WEAK_NEGATION = /([a-zA-Z_][\w.]*(?:\.value\.[\w.]+|\.value\b|))?\s*!==?\s*("[^"]*"|'[^']*'|\d+|true|false|null)/;
+function checkWeakPostconditions(expression, handler, messageType, conditionType, location) {
+  if (conditionType !== "ensures")
+    return [];
+  const match = expression.match(WEAK_NEGATION);
+  if (!match)
+    return [];
+  const refs = extractFieldRefs(expression);
+  if (refs.length === 0)
+    return [];
+  for (const ref of refs) {
+    const underscoredRef = ref.replace(/\./g, "_");
+    const hasAssignment = handler.assignments.some((a) => a.field === ref || a.field === underscoredRef || a.field.replace(/_/g, ".") === ref);
+    if (hasAssignment) {
+      const assignment = handler.assignments.find((a) => a.field === ref || a.field === underscoredRef || a.field.replace(/_/g, ".") === ref);
+      const assignedValue = assignment ? JSON.stringify(assignment.value) : "<value>";
+      return [
+        {
+          kind: "weak_postcondition",
+          message: `ensures() in ${messageType} uses !== for '${ref}' which has a concrete assignment`,
+          messageType,
+          conditionType,
+          expression,
+          location,
+          suggestion: `Consider ensures(${ref} === ${assignedValue}) for a stronger postcondition`
+        }
+      ];
+    }
+  }
+  return [];
+}
+function validateExpressions(handlers, stateConfig) {
+  const warnings = [];
+  let validCount = 0;
+  const configKeys = new Set(Object.keys(stateConfig));
+  for (const handler of handlers) {
+    const conditions = [
+      ...handler.preconditions.map((c) => ({
+        cond: c,
+        type: "requires"
+      })),
+      ...handler.postconditions.map((c) => ({
+        cond: c,
+        type: "ensures"
+      }))
+    ];
+    for (const { cond, type } of conditions) {
+      const refs = extractFieldRefs(cond.expression);
+      const isPayloadOnly = refs.length === 0 && PAYLOAD_REF.test(cond.expression);
+      const loc = {
+        file: handler.location.file,
+        line: cond.location.line,
+        column: cond.location.column
+      };
+      const condWarnings = [];
+      if (!isPayloadOnly) {
+        condWarnings.push(...checkUnmodeledFields(cond.expression, configKeys, stateConfig, handler.messageType, type, loc));
+      }
+      condWarnings.push(...checkUnsupportedMethods(cond.expression, configKeys, stateConfig, handler.messageType, type, loc));
+      condWarnings.push(...checkOptionalChaining(cond.expression, handler.messageType, type, loc));
+      condWarnings.push(...checkNullComparisons(cond.expression, stateConfig, configKeys, handler.messageType, type, loc));
+      condWarnings.push(...checkWeakPostconditions(cond.expression, handler, handler.messageType, type, loc));
+      if (condWarnings.length === 0) {
+        validCount++;
+      } else {
+        warnings.push(...condWarnings);
+      }
+    }
+  }
+  return { warnings, validCount, warnCount: warnings.length };
+}
+
+// tools/verify/src/config/types.ts
+function isAdapterConfig(config) {
+  return "adapter" in config;
+}
+function isLegacyConfig(config) {
+  return "messages" in config && !("adapter" in config);
+}
+
+// tools/verify/src/analysis/state-space-estimator.ts
+function typedFieldCardinality(name, obj) {
+  if (!("type" in obj))
+    return null;
+  switch (obj.type) {
+    case "boolean":
+      return { name, cardinality: 2, kind: "boolean" };
+    case "enum":
+      if (Array.isArray(obj.values)) {
+        return { name, cardinality: obj.values.length, kind: "enum" };
+      }
+      return { name, cardinality: "unbounded", kind: "enum" };
+    case "number":
+      if (typeof obj.min === "number" && typeof obj.max === "number") {
+        return { name, cardinality: obj.max - obj.min + 1, kind: "number" };
+      }
+      return { name, cardinality: "unbounded", kind: "number" };
+    case "array":
+      return { name, cardinality: "unbounded", kind: "array" };
+    case "string":
+      return { name, cardinality: "unbounded", kind: "string" };
+    default:
+      return null;
+  }
+}
+function legacyFieldCardinality(name, obj) {
+  if ("values" in obj && Array.isArray(obj.values)) {
+    const base = obj.values.length;
+    const extra = obj.abstract === true ? 1 : 0;
+    return {
+      name,
+      cardinality: base + extra,
+      kind: obj.abstract ? "enum (abstract)" : "enum (values)"
+    };
+  }
+  if ("maxLength" in obj && !("type" in obj)) {
+    return { name, cardinality: "unbounded", kind: "array" };
+  }
+  if ("min" in obj && "max" in obj && typeof obj.min === "number" && typeof obj.max === "number" && !("type" in obj)) {
+    return { name, cardinality: obj.max - obj.min + 1, kind: "number" };
+  }
+  return null;
+}
+function fieldCardinality(name, value) {
+  if (Array.isArray(value)) {
+    return { name, cardinality: value.length, kind: "enum (literal)" };
+  }
+  if (typeof value !== "object" || value === null) {
+    return { name, cardinality: "unbounded", kind: "unknown" };
+  }
+  const obj = value;
+  return typedFieldCardinality(name, obj) ?? legacyFieldCardinality(name, obj) ?? { name, cardinality: "unbounded", kind: "unknown" };
+}
+function permutations(n, k) {
+  if (k > n)
+    return 1;
+  let result = 1;
+  for (let i = 0;i < k; i++) {
+    result *= n - i;
+  }
+  return result;
+}
+function getHandlerCount(config, analysis) {
+  if (isLegacyConfig(config)) {
+    const msgs = config.messages;
+    if (msgs.include) {
+      return msgs.include.length;
+    }
+    if (msgs.exclude) {
+      return Math.max(0, analysis.handlers.length - msgs.exclude.length);
+    }
+  }
+  return analysis.handlers.length;
+}
+function getMaxInFlight(config) {
+  if (isLegacyConfig(config)) {
+    return config.messages.maxInFlight ?? 1;
+  }
+  if (isAdapterConfig(config)) {
+    return config.bounds?.maxInFlight ?? 1;
+  }
+  return 1;
+}
+function getMaxTabs(config) {
+  if (isLegacyConfig(config)) {
+    return config.messages.maxTabs ?? 1;
+  }
+  return 1;
+}
+function getFeasibility(states) {
+  if (states < 1e5)
+    return "trivial";
+  if (states <= 1e6)
+    return "feasible";
+  if (states <= 1e7)
+    return "slow";
+  return "infeasible";
+}
+function feasibilityLabel(f) {
+  switch (f) {
+    case "trivial":
+      return "trivial (should complete in seconds)";
+    case "feasible":
+      return "feasible (should complete in minutes)";
+    case "slow":
+      return "slow (may take 10–30 minutes)";
+    case "infeasible":
+      return "infeasible (likely won't terminate)";
+  }
+}
+function estimateStateSpace(config, analysis) {
+  const state = config.state;
+  const fields = [];
+  const warnings = [];
+  const suggestions = [];
+  for (const [name, value] of Object.entries(state)) {
+    fields.push(fieldCardinality(name, value));
+  }
+  const unboundedFields = fields.filter((f) => f.cardinality === "unbounded");
+  const boundedFields = fields.filter((f) => f.cardinality !== "unbounded");
+  const fieldProduct = boundedFields.length > 0 ? boundedFields.reduce((acc, f) => acc * f.cardinality, 1) : 1;
+  if (unboundedFields.length > 0) {
+    warnings.push(`${unboundedFields.length} field(s) have unbounded domains: ${unboundedFields.map((f) => f.name).join(", ")}`);
+    suggestions.push(`Fields ${unboundedFields.map((f) => f.name).join(", ")} have unbounded domains — their actual impact depends on handler logic`);
+  }
+  const handlerCount = getHandlerCount(config, analysis);
+  const maxInFlight = getMaxInFlight(config);
+  const maxTabs = getMaxTabs(config);
+  const contextCount = maxTabs + 1;
+  const totalStateSpace = fieldProduct ** contextCount;
+  const interleavingFactor = permutations(handlerCount, maxInFlight);
+  const estimatedStates = totalStateSpace * interleavingFactor;
+  const feasibility = getFeasibility(estimatedStates);
+  if (handlerCount > 15) {
+    suggestions.push("Consider splitting into subsystems");
+  }
+  for (const f of boundedFields) {
+    if (f.cardinality > 50) {
+      suggestions.push(`Consider reducing bounds for field "${f.name}" (${f.cardinality} values)`);
+    }
+  }
+  if (maxInFlight > 2) {
+    const reducedInterleaving = permutations(handlerCount, 2);
+    const reduction = reducedInterleaving > 0 ? Math.round(interleavingFactor / reducedInterleaving) : 1;
+    suggestions.push(`Reducing maxInFlight from ${maxInFlight} to 2 would reduce interleaving by ~${reduction}x`);
+  }
+  return {
+    fields,
+    fieldProduct,
+    handlerCount,
+    maxInFlight,
+    contextCount,
+    totalStateSpace,
+    interleavingFactor,
+    estimatedStates,
+    feasibility,
+    warnings,
+    suggestions
+  };
+}
+
 // tools/verify/src/codegen/config.ts
 class ConfigGenerator {
   lines = [];
@@ -2930,6 +3421,9 @@ class ConfigValidator {
     if (config.tier2) {
       this.validateTier2Optimizations(config.tier2);
     }
+    if (config.subsystems) {
+      this.validateSubsystems(config.subsystems, config.state);
+    }
   }
   findNullPlaceholders(obj, path2) {
     if (obj === null || obj === undefined) {
@@ -3246,6 +3740,68 @@ class ConfigValidator {
       }
     }
   }
+  validateSubsystems(subsystems, stateConfig) {
+    const stateFieldNames = Object.keys(stateConfig);
+    const allAssignedHandlers = new Map;
+    const allAssignedFields = new Map;
+    for (const [subsystemName, subsystem] of Object.entries(subsystems)) {
+      for (const field of subsystem.state) {
+        if (!stateFieldNames.includes(field)) {
+          this.issues.push({
+            type: "invalid_value",
+            severity: "error",
+            field: `subsystems.${subsystemName}.state`,
+            message: `State field "${field}" does not exist in top-level state config`,
+            suggestion: `Available fields: ${stateFieldNames.join(", ")}`
+          });
+        }
+        const existingOwner = allAssignedFields.get(field);
+        if (existingOwner) {
+          this.issues.push({
+            type: "invalid_value",
+            severity: "warning",
+            field: `subsystems.${subsystemName}.state`,
+            message: `State field "${field}" is assigned to both "${existingOwner}" and "${subsystemName}"`,
+            suggestion: "State fields should be partitioned across subsystems for non-interference"
+          });
+        } else {
+          allAssignedFields.set(field, subsystemName);
+        }
+      }
+      if (subsystem.handlers.length === 0) {
+        this.issues.push({
+          type: "invalid_value",
+          severity: "warning",
+          field: `subsystems.${subsystemName}.handlers`,
+          message: `Subsystem "${subsystemName}" has no handlers`,
+          suggestion: "Add at least one handler to the subsystem"
+        });
+      }
+      for (const handler of subsystem.handlers) {
+        const existingOwner = allAssignedHandlers.get(handler);
+        if (existingOwner) {
+          this.issues.push({
+            type: "invalid_value",
+            severity: "error",
+            field: `subsystems.${subsystemName}.handlers`,
+            message: `Handler "${handler}" is assigned to both "${existingOwner}" and "${subsystemName}"`,
+            suggestion: "Each handler must belong to exactly one subsystem"
+          });
+        } else {
+          allAssignedHandlers.set(handler, subsystemName);
+        }
+      }
+      if (subsystem.state.length === 0) {
+        this.issues.push({
+          type: "invalid_value",
+          severity: "warning",
+          field: `subsystems.${subsystemName}.state`,
+          message: `Subsystem "${subsystemName}" has no state fields`,
+          suggestion: "Add at least one state field to the subsystem"
+        });
+      }
+    }
+  }
 }
 function validateConfig(configPath) {
   const validator = new ConfigValidator;
@@ -3664,7 +4220,8 @@ class HandlerExtractor {
   packageRoot;
   warnings;
   currentFunctionParams = [];
-  constructor(tsConfigPath) {
+  contextOverrides;
+  constructor(tsConfigPath, contextOverrides) {
     this.project = new Project({
       tsConfigFilePath: tsConfigPath
     });
@@ -3672,6 +4229,7 @@ class HandlerExtractor {
     this.relationshipExtractor = new RelationshipExtractor;
     this.analyzedFiles = new Set;
     this.warnings = [];
+    this.contextOverrides = contextOverrides || new Map;
     this.packageRoot = this.findPackageRoot(tsConfigPath);
   }
   warnUnsupportedPattern(pattern, location, suggestion) {
@@ -3717,13 +4275,14 @@ class HandlerExtractor {
     const messageTypes = new Set;
     const invalidMessageTypes = new Set;
     const stateConstraints = [];
+    const globalStateConstraints = [];
     const verifiedStates = [];
     this.warnings = [];
     const allSourceFiles = this.project.getSourceFiles();
     const entryPoints = allSourceFiles.filter((f) => this.isWithinPackage(f.getFilePath()));
     this.debugLogSourceFiles(allSourceFiles, entryPoints);
     for (const entryPoint of entryPoints) {
-      this.analyzeFileAndImports(entryPoint, handlers, messageTypes, invalidMessageTypes, stateConstraints, verifiedStates);
+      this.analyzeFileAndImports(entryPoint, handlers, messageTypes, invalidMessageTypes, stateConstraints, globalStateConstraints, verifiedStates);
     }
     if (verifiedStates.length > 0) {
       if (process.env["POLLY_DEBUG"]) {
@@ -3753,11 +4312,12 @@ class HandlerExtractor {
       handlers,
       messageTypes,
       stateConstraints,
+      globalStateConstraints,
       verifiedStates,
       warnings: this.warnings
     };
   }
-  analyzeFileAndImports(sourceFile, handlers, messageTypes, invalidMessageTypes, stateConstraints, verifiedStates) {
+  analyzeFileAndImports(sourceFile, handlers, messageTypes, invalidMessageTypes, stateConstraints, globalStateConstraints, verifiedStates) {
     const filePath = sourceFile.getFilePath();
     if (this.analyzedFiles.has(filePath)) {
       return;
@@ -3771,6 +4331,8 @@ class HandlerExtractor {
     this.categorizeHandlerMessageTypes(fileHandlers, messageTypes, invalidMessageTypes);
     const fileConstraints = this.extractStateConstraintsFromFile(sourceFile);
     stateConstraints.push(...fileConstraints);
+    const fileGlobalConstraints = this.extractGlobalStateConstraintsFromFile(sourceFile);
+    globalStateConstraints.push(...fileGlobalConstraints);
     const fileVerifiedStates = this.extractVerifiedStatesFromFile(sourceFile);
     verifiedStates.push(...fileVerifiedStates);
     const importDeclarations = sourceFile.getImportDeclarations();
@@ -3784,7 +4346,7 @@ class HandlerExtractor {
           }
           continue;
         }
-        this.analyzeFileAndImports(importedFile, handlers, messageTypes, invalidMessageTypes, stateConstraints, verifiedStates);
+        this.analyzeFileAndImports(importedFile, handlers, messageTypes, invalidMessageTypes, stateConstraints, globalStateConstraints, verifiedStates);
       } else if (process.env["POLLY_DEBUG"]) {
         const specifier = importDecl.getModuleSpecifierValue();
         if (!specifier.startsWith("node:") && !this.isNodeModuleImport(specifier)) {
@@ -3885,8 +4447,20 @@ class HandlerExtractor {
           handlers.push(handler);
         }
       }
+      if (methodName === "ws") {
+        this.extractElysiaWsHandlers(node, context, filePath, handlers);
+      }
+      if (this.isRestMethod(methodName) && this.isWebFrameworkFile(node.getSourceFile())) {
+        const restHandler = this.extractRestHandler(node, methodName, context, filePath);
+        if (restHandler) {
+          handlers.push(restHandler);
+        }
+      }
     }
   }
+  isRestMethod(name) {
+    return ["get", "post", "put", "delete", "patch"].includes(name);
+  }
   isElseIfStatement(node) {
     const parent = node.getParent();
     return parent !== undefined && Node2.isIfStatement(parent);
@@ -3952,6 +4526,135 @@ class HandlerExtractor {
       parameters
     };
   }
+  extractElysiaWsHandlers(node, context, filePath, handlers) {
+    const args = node.getArguments();
+    if (args.length < 2)
+      return;
+    const routeArg = args[0];
+    if (!routeArg || !Node2.isStringLiteral(routeArg))
+      return;
+    const routePath = routeArg.getLiteralValue();
+    const configArg = args[1];
+    if (!configArg || !Node2.isObjectLiteralExpression(configArg))
+      return;
+    const callbacks = ["message", "open", "close"];
+    for (const cbName of callbacks) {
+      const prop = configArg.getProperty(cbName);
+      if (!prop)
+        continue;
+      let funcBody = null;
+      if (Node2.isMethodDeclaration(prop)) {
+        funcBody = prop;
+      } else if (Node2.isPropertyAssignment(prop)) {
+        const init = prop.getInitializer();
+        if (init && (Node2.isArrowFunction(init) || Node2.isFunctionExpression(init))) {
+          funcBody = init;
+        }
+      }
+      if (!funcBody)
+        continue;
+      if (cbName === "message") {
+        const body = funcBody.getBody();
+        if (!body)
+          continue;
+        const subHandlers = this.extractSubHandlersFromBody(body, context, filePath);
+        if (subHandlers.length > 0) {
+          handlers.push(...subHandlers);
+        } else {
+          handlers.push(this.buildWsHandler(`ws_message`, routePath, context, filePath, funcBody, node.getStartLineNumber()));
+        }
+      } else {
+        handlers.push(this.buildWsHandler(`ws_${cbName}`, routePath, context, filePath, funcBody, node.getStartLineNumber()));
+      }
+    }
+  }
+  extractSubHandlersFromBody(body, context, filePath) {
+    const subHandlers = [];
+    body.forEachDescendant((child) => {
+      if (Node2.isIfStatement(child) && !this.isElseIfStatement(child)) {
+        const typeGuardHandlers = this.extractTypeGuardHandlers(child, context, filePath);
+        subHandlers.push(...typeGuardHandlers);
+      }
+      if (Node2.isSwitchStatement(child)) {
+        const switchHandlers = this.extractSwitchCaseHandlers(child, context, filePath);
+        subHandlers.push(...switchHandlers);
+      }
+    });
+    return subHandlers;
+  }
+  buildWsHandler(messageType, _routePath, context, filePath, funcBody, line) {
+    const assignments = [];
+    const preconditions = [];
+    const postconditions = [];
+    this.currentFunctionParams = this.extractParameterNames(funcBody);
+    this.extractAssignments(funcBody, assignments);
+    this.extractVerificationConditions(funcBody, preconditions, postconditions);
+    this.currentFunctionParams = [];
+    return {
+      messageType,
+      node: context,
+      assignments,
+      preconditions,
+      postconditions,
+      location: { file: filePath, line },
+      origin: "event"
+    };
+  }
+  extractRestHandler(node, methodName, context, filePath) {
+    const args = node.getArguments();
+    if (args.length < 2)
+      return null;
+    const routeArg = args[0];
+    if (!routeArg || !Node2.isStringLiteral(routeArg))
+      return null;
+    const routePath = routeArg.getLiteralValue();
+    const httpMethod = methodName.toUpperCase();
+    const messageType = `${httpMethod} ${routePath}`;
+    const handlerArg = args[1];
+    const assignments = [];
+    const preconditions = [];
+    const postconditions = [];
+    let actualHandler = null;
+    if (Node2.isArrowFunction(handlerArg) || Node2.isFunctionExpression(handlerArg)) {
+      actualHandler = handlerArg;
+    } else if (Node2.isIdentifier(handlerArg)) {
+      actualHandler = this.resolveFunctionReference(handlerArg);
+    }
+    let parameters;
+    if (actualHandler) {
+      this.currentFunctionParams = this.extractParameterNames(actualHandler);
+      parameters = this.currentFunctionParams.length > 0 ? [...this.currentFunctionParams] : undefined;
+      this.extractAssignments(actualHandler, assignments);
+      this.extractVerificationConditions(actualHandler, preconditions, postconditions);
+      this.currentFunctionParams = [];
+    }
+    return {
+      messageType,
+      node: context,
+      assignments,
+      preconditions,
+      postconditions,
+      location: {
+        file: filePath,
+        line: node.getStartLineNumber()
+      },
+      origin: "event",
+      parameters,
+      handlerKind: "rest",
+      httpMethod,
+      routePath
+    };
+  }
+  isWebFrameworkFile(sourceFile) {
+    const frameworks = ["elysia", "express", "hono", "fastify", "koa", "@elysiajs/eden"];
+    for (const importDecl of sourceFile.getImportDeclarations()) {
+      const specifier = importDecl.getModuleSpecifierValue();
+      if (frameworks.some((fw) => specifier === fw || specifier.startsWith(`${fw}/`))) {
+        return true;
+      }
+    }
+    return false;
+  }
   extractAssignments(funcNode, assignments) {
     funcNode.forEachDescendant((node) => {
       if (Node2.isBinaryExpression(node)) {
@@ -4786,32 +5489,64 @@ class HandlerExtractor {
     try {
       const ifStmt = ifNode;
       const condition = ifStmt.getExpression();
-      if (!Node2.isCallExpression(condition)) {
-        return null;
+      if (Node2.isCallExpression(condition)) {
+        const funcExpr = condition.getExpression();
+        const funcName = Node2.isIdentifier(funcExpr) ? funcExpr.getText() : undefined;
+        this.debugLogProcessingFunction(funcName);
+        const messageType = this.resolveMessageType(funcExpr, funcName, typeGuards);
+        if (!messageType) {
+          this.debugLogUnresolvedMessageType(funcName);
+          return null;
+        }
+        const line = ifStmt.getStartLineNumber();
+        const relationships = this.extractRelationshipsFromIfBlock(ifStmt, messageType);
+        return {
+          messageType,
+          node: context,
+          assignments: [],
+          preconditions: [],
+          postconditions: [],
+          location: { file: filePath, line },
+          relationships
+        };
       }
-      const funcExpr = condition.getExpression();
-      const funcName = Node2.isIdentifier(funcExpr) ? funcExpr.getText() : undefined;
-      this.debugLogProcessingFunction(funcName);
-      const messageType = this.resolveMessageType(funcExpr, funcName, typeGuards);
-      if (!messageType) {
-        this.debugLogUnresolvedMessageType(funcName);
-        return null;
+      if (Node2.isBinaryExpression(condition)) {
+        const messageType = this.extractMessageTypeFromEqualityCheck(condition);
+        if (messageType) {
+          const line = ifStmt.getStartLineNumber();
+          const relationships = this.extractRelationshipsFromIfBlock(ifStmt, messageType);
+          return {
+            messageType,
+            node: context,
+            assignments: [],
+            preconditions: [],
+            postconditions: [],
+            location: { file: filePath, line },
+            relationships
+          };
+        }
       }
-      const line = ifStmt.getStartLineNumber();
-      const relationships = this.extractRelationshipsFromIfBlock(ifStmt, messageType);
-      return {
-        messageType,
-        node: context,
-        assignments: [],
-        preconditions: [],
-        postconditions: [],
-        location: { file: filePath, line },
-        relationships
-      };
+      return null;
     } catch (_error) {
       return null;
     }
   }
+  extractMessageTypeFromEqualityCheck(expr) {
+    const operator = expr.getOperatorToken().getText();
+    if (operator !== "===" && operator !== "==")
+      return null;
+    const left = expr.getLeft();
+    const right = expr.getRight();
+    const stringLiteral = Node2.isStringLiteral(right) ? right : Node2.isStringLiteral(left) ? left : null;
+    const propAccess = Node2.isPropertyAccessExpression(left) ? left : Node2.isPropertyAccessExpression(right) ? right : null;
+    if (!stringLiteral || !propAccess)
+      return null;
+    const propName = propAccess.getName();
+    if (propName !== "type" && propName !== "kind" && propName !== "action") {
+      return null;
+    }
+    return stringLiteral.getLiteralValue();
+  }
   debugLogProcessingFunction(funcName) {
     if (process.env["POLLY_DEBUG"] && funcName) {
       console.log(`[DEBUG] Processing if condition with function: ${funcName}`);
@@ -5021,6 +5756,10 @@ class HandlerExtractor {
     return messageType;
   }
   inferContext(filePath) {
+    for (const [pathPrefix, context] of this.contextOverrides.entries()) {
+      if (filePath.startsWith(pathPrefix))
+        return context;
+    }
     const path2 = filePath.toLowerCase();
     return this.inferElectronContext(path2) || this.inferWorkerContext(path2) || this.inferServerAppContext(path2) || this.inferChromeExtensionContext(path2) || "unknown";
   }
@@ -5119,6 +5858,81 @@ class HandlerExtractor {
     });
     return constraints;
   }
+  extractGlobalStateConstraintsFromFile(sourceFile) {
+    const constraints = [];
+    const filePath = sourceFile.getFilePath();
+    sourceFile.forEachDescendant((node) => {
+      const constraint = this.recognizeGlobalStateConstraint(node, filePath);
+      if (constraint) {
+        constraints.push(constraint);
+      }
+    });
+    return constraints;
+  }
+  recognizeGlobalStateConstraint(node, filePath) {
+    if (!Node2.isCallExpression(node)) {
+      return null;
+    }
+    const expression = node.getExpression();
+    if (!Node2.isIdentifier(expression)) {
+      return null;
+    }
+    const functionName = expression.getText();
+    if (functionName !== "stateConstraint") {
+      return null;
+    }
+    const args = node.getArguments();
+    if (args.length < 2) {
+      return null;
+    }
+    const nameArg = args[0];
+    if (!Node2.isStringLiteral(nameArg)) {
+      return null;
+    }
+    const name = nameArg.getLiteralValue();
+    const predicateArg = args[1];
+    if (!Node2.isArrowFunction(predicateArg)) {
+      return null;
+    }
+    const body = predicateArg.getBody();
+    let expressionText;
+    if (Node2.isBlock(body)) {
+      const returnStatement = body.getStatements().find((s) => Node2.isReturnStatement(s));
+      if (!returnStatement || !Node2.isReturnStatement(returnStatement)) {
+        return null;
+      }
+      const returnExpr = returnStatement.getExpression();
+      if (!returnExpr) {
+        return null;
+      }
+      expressionText = returnExpr.getText();
+    } else {
+      expressionText = body.getText();
+    }
+    let message;
+    if (args.length >= 3) {
+      const optionsArg = args[2];
+      if (Node2.isObjectLiteralExpression(optionsArg)) {
+        for (const prop of optionsArg.getProperties()) {
+          if (Node2.isPropertyAssignment(prop) && prop.getName() === "message") {
+            const value = prop.getInitializer();
+            if (value && Node2.isStringLiteral(value)) {
+              message = value.getLiteralValue();
+            }
+          }
+        }
+      }
+    }
+    return {
+      name,
+      expression: expressionText,
+      message,
+      location: {
+        file: filePath,
+        line: node.getStartLineNumber()
+      }
+    };
+  }
   recognizeStateConstraint(node, filePath) {
     if (!Node2.isCallExpression(node)) {
       return [];
@@ -5433,7 +6247,8 @@ class TypeExtractor {
       messageTypes: validMessageTypes,
       fields,
       handlers: completeHandlers,
-      stateConstraints: handlerAnalysis.stateConstraints
+      stateConstraints: handlerAnalysis.stateConstraints,
+      globalStateConstraints: handlerAnalysis.globalStateConstraints
     };
   }
   extractHandlerAnalysis() {
@@ -5864,6 +6679,10 @@ async function main() {
     case "validate":
       await validateCommand();
       break;
+    case "--estimate":
+    case "estimate":
+      await estimateCommand();
+      break;
     case "--help":
     case "help":
       showHelp();
@@ -5980,6 +6799,70 @@ async function validateCommand() {
 `, COLORS.red));
   process.exit(1);
 }
+async function estimateCommand() {
+  const configPath = path4.join(process.cwd(), "specs", "verification.config.ts");
+  console.log(color(`
+\uD83D\uDCCA Estimating state space...
+`, COLORS.blue));
+  const validation = validateConfig(configPath);
+  if (!validation.valid) {
+    const errors = validation.issues.filter((i) => i.severity === "error");
+    console.log(color(`❌ Configuration incomplete (${errors.length} error(s))
+`, COLORS.red));
+    for (const error of errors.slice(0, 3)) {
+      console.log(color(`   • ${error.message}`, COLORS.red));
+    }
+    console.log(`
+   Run 'polly verify --validate' to see all issues`);
+    process.exit(1);
+  }
+  const config = await loadVerificationConfig(configPath);
+  const analysis = await runCodebaseAnalysis();
+  const typedConfig = config;
+  const typedAnalysis = analysis;
+  const exprValidation = validateExpressions(typedAnalysis.handlers, typedConfig.state);
+  if (exprValidation.warnings.length > 0) {
+    displayExpressionWarnings(exprValidation);
+  }
+  const estimate = estimateStateSpace(typedConfig, typedAnalysis);
+  displayEstimate(estimate);
+}
+function displayEstimate(estimate) {
+  console.log(color(`State space estimate:
+`, COLORS.blue));
+  console.log(color("  Fields:", COLORS.blue));
+  for (const field of estimate.fields) {
+    const name = field.name.padEnd(28);
+    const kind = field.kind.padEnd(18);
+    const card = field.cardinality === "unbounded" ? color("(excluded — unbounded)", COLORS.yellow) : `${field.cardinality} values`;
+    console.log(`    ${name} ${kind} ${card}`);
+  }
+  console.log();
+  console.log(`  Field combinations:     ${color(String(estimate.fieldProduct), COLORS.green)}`);
+  console.log(`  Handlers:               ${estimate.handlerCount}`);
+  console.log(`  Max in-flight:          ${estimate.maxInFlight}`);
+  console.log(`  Contexts:               ${estimate.contextCount} (${estimate.contextCount - 1} tab${estimate.contextCount - 1 !== 1 ? "s" : ""} + background)`);
+  console.log(`  Interleaving factor:    ${estimate.interleavingFactor}`);
+  console.log();
+  console.log(`  Estimated states:       ${color(`~${estimate.estimatedStates.toLocaleString()}`, COLORS.green)}`);
+  const feasColor = estimate.feasibility === "trivial" || estimate.feasibility === "feasible" ? COLORS.green : estimate.feasibility === "slow" ? COLORS.yellow : COLORS.red;
+  console.log();
+  console.log(`  Assessment: ${color(feasibilityLabel(estimate.feasibility), feasColor)}`);
+  if (estimate.warnings.length > 0) {
+    console.log();
+    for (const w of estimate.warnings) {
+      console.log(color(`  ⚠️  ${w}`, COLORS.yellow));
+    }
+  }
+  if (estimate.suggestions.length > 0) {
+    console.log();
+    console.log(color("  Suggestions:", COLORS.blue));
+    for (const s of estimate.suggestions) {
+      console.log(color(`    • ${s}`, COLORS.gray));
+    }
+  }
+  console.log();
+}
 function displayValidationErrors(errors) {
   if (errors.length === 0)
     return;
@@ -6011,6 +6894,19 @@ function displayValidationWarnings(warnings) {
     console.log();
   }
 }
+function displayExpressionWarnings(result) {
+  if (result.warnings.length === 0)
+    return;
+  console.log(color(`⚠️  Found ${result.warnCount} expression warning(s):
+`, COLORS.yellow));
+  for (const w of result.warnings) {
+    console.log(color(`   ⚠  ${w.message}`, COLORS.yellow));
+    console.log(color(`      ${w.expression}`, COLORS.gray));
+    console.log(color(`      at ${w.location.file}:${w.location.line}`, COLORS.gray));
+    console.log(color(`      → ${w.suggestion}`, COLORS.yellow));
+    console.log();
+  }
+}
 async function verifyCommand() {
   const configPath = path4.join(process.cwd(), "specs", "verification.config.ts");
   console.log(color(`
@@ -6073,15 +6969,29 @@ function getMaxDepth(config) {
 async function runFullVerification(configPath) {
   const config = await loadVerificationConfig(configPath);
   const analysis = await runCodebaseAnalysis();
+  const typedConfig = config;
+  const typedAnalysis = analysis;
+  const exprValidation = validateExpressions(typedAnalysis.handlers, typedConfig.state);
+  if (exprValidation.warnings.length > 0) {
+    displayExpressionWarnings(exprValidation);
+  }
+  if (typedConfig.subsystems && Object.keys(typedConfig.subsystems).length > 0) {
+    await runSubsystemVerification(typedConfig, typedAnalysis);
+    return;
+  }
+  await runMonolithicVerification(config, analysis);
+}
+async function runMonolithicVerification(config, analysis) {
   const { specPath, specDir } = await generateAndWriteTLASpecs(config, analysis);
   findAndCopyBaseSpec(specDir);
   console.log(color("✓ Specification generated", COLORS.green));
   console.log(color(`   ${specPath}`, COLORS.gray));
   console.log();
   const docker = await setupDocker();
-  const timeoutSeconds = getTimeout(config);
-  const workers = getWorkers(config);
-  const maxDepth = getMaxDepth(config);
+  const typedConfig = config;
+  const timeoutSeconds = getTimeout(typedConfig);
+  const workers = getWorkers(typedConfig);
+  const maxDepth = getMaxDepth(typedConfig);
   console.log(color("⚙️  Running TLC model checker...", COLORS.blue));
   if (timeoutSeconds === 0) {
     console.log(color("   No timeout set - will run until completion", COLORS.gray));
@@ -6101,6 +7011,122 @@ async function runFullVerification(configPath) {
   });
   displayVerificationResults(result, specDir);
 }
+async function runSubsystemVerification(config, analysis) {
+  const subsystems = config.subsystems;
+  const subsystemNames = Object.keys(subsystems);
+  console.log(color(`\uD83D\uDCE6 Subsystem-scoped verification (${subsystemNames.length} subsystems)
+`, COLORS.blue));
+  const { checkNonInterference: checkNonInterference2 } = await Promise.resolve().then(() => exports_non_interference);
+  const interference = checkNonInterference2(subsystems, analysis.handlers);
+  if (interference.valid) {
+    console.log(color("✓ Non-interference: verified (no cross-subsystem state writes)", COLORS.green));
+    console.log();
+  } else {
+    console.log(color(`⚠️  Non-interference violations detected:
+`, COLORS.yellow));
+    for (const v of interference.violations) {
+      console.log(color(`   • Handler "${v.handler}" (${v.subsystem}) writes to "${v.writesTo}" owned by "${v.ownedBy}"`, COLORS.yellow));
+    }
+    console.log();
+    console.log(color("   Compositional verification may not be sound. Consider restructuring subsystem boundaries.", COLORS.yellow));
+    console.log();
+  }
+  const assignedHandlers = new Set(Object.values(subsystems).flatMap((s) => s.handlers));
+  const unassigned = analysis.messageTypes.filter((mt) => !assignedHandlers.has(mt));
+  if (unassigned.length > 0) {
+    console.log(color(`⚠️  ${unassigned.length} handler(s) not assigned to any subsystem (will not be verified):`, COLORS.yellow));
+    for (const h of unassigned.slice(0, 10)) {
+      console.log(color(`   • ${h}`, COLORS.yellow));
+    }
+    if (unassigned.length > 10) {
+      console.log(color(`   ... and ${unassigned.length - 10} more`, COLORS.yellow));
+    }
+    console.log();
+  }
+  const docker = await setupDocker();
+  const timeoutSeconds = getTimeout(config);
+  const workers = getWorkers(config);
+  const maxDepth = getMaxDepth(config);
+  const { generateSubsystemTLA: generateSubsystemTLA2 } = await Promise.resolve().then(() => (init_tla(), exports_tla));
+  const results = [];
+  for (const name of subsystemNames) {
+    const sub = subsystems[name];
+    const startTime = Date.now();
+    console.log(color(`⚙️  Verifying subsystem: ${name}...`, COLORS.blue));
+    const { spec, cfg } = await generateSubsystemTLA2(name, sub, config, analysis);
+    const specDir = path4.join(process.cwd(), "specs", "tla", "generated", name);
+    if (!fs4.existsSync(specDir)) {
+      fs4.mkdirSync(specDir, { recursive: true });
+    }
+    const specPath = path4.join(specDir, `UserApp_${name}.tla`);
+    const cfgPath = path4.join(specDir, `UserApp_${name}.cfg`);
+    fs4.writeFileSync(specPath, spec);
+    fs4.writeFileSync(cfgPath, cfg);
+    findAndCopyBaseSpec(specDir);
+    const result = await docker.runTLC(specPath, {
+      workers,
+      timeout: timeoutSeconds > 0 ? timeoutSeconds * 1000 : undefined,
+      maxDepth
+    });
+    const elapsed = (Date.now() - startTime) / 1000;
+    results.push({
+      name,
+      success: result.success,
+      handlerCount: sub.handlers.length,
+      stateCount: result.stats?.distinctStates ?? 0,
+      elapsed,
+      stats: result.stats,
+      error: result.error
+    });
+    if (result.success) {
+      console.log(color(`   ✓ ${name} passed (${elapsed.toFixed(1)}s)`, COLORS.green));
+    } else {
+      console.log(color(`   ✗ ${name} failed`, COLORS.red));
+      if (result.violation) {
+        console.log(color(`     Invariant violated: ${result.violation.name}`, COLORS.red));
+      } else if (result.error) {
+        console.log(color(`     Error: ${result.error}`, COLORS.red));
+      }
+      fs4.writeFileSync(path4.join(specDir, "tlc-output.log"), result.output);
+    }
+  }
+  console.log();
+  displayCompositionalReport(results, interference.valid);
+}
+function displayCompositionalReport(results, nonInterferenceValid) {
+  console.log(color(`Subsystem verification results:
+`, COLORS.blue));
+  for (const r of results) {
+    const status = r.success ? color("✓", COLORS.green) : color("✗", COLORS.red);
+    const name = r.name.padEnd(20);
+    const handlers = `${r.handlerCount} handler${r.handlerCount !== 1 ? "s" : ""}`;
+    const states = `${r.stateCount} states`;
+    const time = `${r.elapsed.toFixed(1)}s`;
+    console.log(`  ${status} ${name} ${handlers.padEnd(14)} ${states.padEnd(14)} ${time}`);
+  }
+  console.log();
+  const nonIntLabel = nonInterferenceValid ? color("✓ verified (no cross-subsystem state writes)", COLORS.green) : color("⚠ violations detected", COLORS.yellow);
+  console.log(`  Non-interference: ${nonIntLabel}`);
+  console.log();
+  const allPassed = results.every((r) => r.success);
+  if (allPassed && nonInterferenceValid) {
+    console.log(color("Compositional result: ✓ PASS", COLORS.green));
+    console.log(color("  All subsystems verified independently. By non-interference,", COLORS.gray));
+    console.log(color("  the full system satisfies all per-subsystem invariants.", COLORS.gray));
+  } else if (allPassed && !nonInterferenceValid) {
+    console.log(color("Compositional result: ⚠ PASS (with warnings)", COLORS.yellow));
+    console.log(color("  All subsystems passed, but non-interference violations exist.", COLORS.gray));
+    console.log(color("  Compositional soundness is not guaranteed.", COLORS.gray));
+  } else {
+    console.log(color("Compositional result: ✗ FAIL", COLORS.red));
+    const failed = results.filter((r) => !r.success);
+    for (const f of failed) {
+      console.log(color(`  Failed: ${f.name}`, COLORS.red));
+    }
+    process.exit(1);
+  }
+  console.log();
+}
 async function loadVerificationConfig(configPath) {
   const resolvedPath = path4.resolve(configPath);
   const configModule = await import(`file://${resolvedPath}?t=${Date.now()}`);
@@ -6260,6 +7286,9 @@ ${color("Commands:", COLORS.blue)}
   ${color("bun verify --validate", COLORS.green)}
     Validate existing configuration without running verification
 
+  ${color("bun verify --estimate", COLORS.green)}
+    Estimate state space without running TLC
+
   ${color("bun verify --help", COLORS.green)}
     Show this help message
 
@@ -6314,4 +7343,4 @@ main().catch((error) => {
   process.exit(1);
 });
 
-//# debugId=0CD51D5DC046B30964756E2164756E21
+//# debugId=7EE824400DEB8F7564756E2164756E21