@fairfox/polly 0.17.0 → 0.19.0

package/dist/tools/verify/src/cli.js

@@ -13,6 +13,48 @@ var __export = (target, all) => {
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
+// tools/verify/src/analysis/non-interference.ts
+var exports_non_interference = {};
+__export(exports_non_interference, {
+  checkNonInterference: () => checkNonInterference
+});
+function checkNonInterference(subsystems, handlers) {
+  const violations = [];
+  const fieldOwner = new Map;
+  for (const [name, sub] of Object.entries(subsystems)) {
+    for (const field of sub.state) {
+      fieldOwner.set(field, name);
+    }
+  }
+  const handlerSubsystem = new Map;
+  for (const [name, sub] of Object.entries(subsystems)) {
+    for (const h of sub.handlers) {
+      handlerSubsystem.set(h, name);
+    }
+  }
+  for (const handler of handlers) {
+    const subsystemName = handlerSubsystem.get(handler.messageType);
+    if (!subsystemName)
+      continue;
+    for (const assignment of handler.assignments) {
+      const fieldName = assignment.field;
+      const owner = fieldOwner.get(fieldName);
+      if (owner && owner !== subsystemName) {
+        violations.push({
+          handler: handler.messageType,
+          subsystem: subsystemName,
+          writesTo: fieldName,
+          ownedBy: owner
+        });
+      }
+    }
+  }
+  return {
+    valid: violations.length === 0,
+    violations
+  };
+}
+
 // tools/verify/src/codegen/invariants.ts
 import { Node as Node3, Project as Project3 } from "ts-morph";
 
@@ -341,6 +383,7 @@ class TemporalTLAGenerator {
 var exports_tla = {};
 __export(exports_tla, {
   generateTLA: () => generateTLA,
+  generateSubsystemTLA: () => generateSubsystemTLA,
   TLAValidationError: () => TLAValidationError,
   TLAGenerator: () => TLAGenerator
 });
@@ -351,6 +394,58 @@ async function generateTLA(config, analysis) {
   const generator = new TLAGenerator;
   return await generator.generate(config, analysis);
 }
+async function generateSubsystemTLA(_subsystemName, subsystem, config, analysis) {
+  const stateFields = new Set(subsystem.state);
+  const handlerNames = new Set(subsystem.handlers);
+  const filteredState = {};
+  for (const [field, fieldConfig] of Object.entries(config.state)) {
+    if (stateFields.has(field)) {
+      filteredState[field] = fieldConfig;
+    }
+  }
+  const filteredMessages = {
+    ...config.messages,
+    include: subsystem.handlers
+  };
+  filteredMessages.exclude = undefined;
+  if (filteredMessages.perMessageBounds) {
+    const filteredBounds = {};
+    for (const [msg, bound] of Object.entries(filteredMessages.perMessageBounds)) {
+      if (handlerNames.has(msg)) {
+        filteredBounds[msg] = bound;
+      }
+    }
+    filteredMessages.perMessageBounds = filteredBounds;
+  }
+  const filteredConfig = {
+    ...config,
+    state: filteredState,
+    messages: filteredMessages,
+    subsystems: undefined
+  };
+  if (filteredConfig.tier2?.temporalConstraints) {
+    filteredConfig.tier2 = {
+      ...filteredConfig.tier2,
+      temporalConstraints: filteredConfig.tier2.temporalConstraints.filter((tc) => handlerNames.has(tc.before) && handlerNames.has(tc.after))
+    };
+  }
+  const subsystemFieldPatterns = subsystem.state.map((field) => {
+    const dotIdx = field.indexOf(".");
+    if (dotIdx >= 0) {
+      return `${field.substring(0, dotIdx)}.value.${field.substring(dotIdx + 1)}`;
+    }
+    return `${field}.value`;
+  });
+  const filteredGlobalStateConstraints = (analysis.globalStateConstraints ?? []).filter((constraint) => subsystemFieldPatterns.some((pattern) => constraint.expression.includes(pattern)));
+  const filteredAnalysis = {
+    ...analysis,
+    messageTypes: analysis.messageTypes.filter((mt) => handlerNames.has(mt)),
+    handlers: analysis.handlers.filter((h) => handlerNames.has(h.messageType)),
+    globalStateConstraints: filteredGlobalStateConstraints
+  };
+  const generator = new TLAGenerator;
+  return await generator.generate(filteredConfig, filteredAnalysis, `UserApp_${_subsystemName}`);
+}
 var TLAValidationError, TLAGenerator;
 var init_tla = __esm(() => {
   init_invariants();
@@ -372,6 +467,7 @@ var init_tla = __esm(() => {
     resolvedActionNames = new Map;
     tabSymmetryEnabled = false;
     tabCount = 0;
+    moduleName = "UserApp";
     constructor(options) {
       this.options = options;
     }
@@ -381,7 +477,10 @@ var init_tla = __esm(() => {
       }
       return /^[a-zA-Z][a-zA-Z0-9_]*$/.test(s);
     }
-    async generate(config, analysis) {
+    async generate(config, analysis, moduleName) {
+      if (moduleName) {
+        this.moduleName = moduleName;
+      }
       this.validateInputs(config, analysis);
       this.extractInvariantsIfEnabled();
       this.generateTemporalPropertiesIfEnabled(analysis);
@@ -671,7 +770,7 @@ var init_tla = __esm(() => {
       }
     }
     addHeader() {
-      this.line("------------------------- MODULE UserApp -------------------------");
+      this.line(`------------------------- MODULE ${this.moduleName} -------------------------`);
       this.line("(*");
       this.line("  Auto-generated TLA+ specification for web extension");
       this.line("  ");
@@ -1276,19 +1375,61 @@ var init_tla = __esm(() => {
       return assignment;
     }
     emitStateUpdates(validAssignments, preconditions) {
-      if (validAssignments.length > 0) {
-        const exceptClauses = validAssignments.map((a) => {
+      if (validAssignments.length === 0) {
+        if (preconditions.length === 0) {
+          this.line("\\* No state changes in handler");
+        }
+        this.line("/\\ UNCHANGED contextStates");
+        return true;
+      }
+      const ndetAssignments = [];
+      const detAssignments = [];
+      for (const a of validAssignments) {
+        if (typeof a.value === "string" && a.value.startsWith("NDET:")) {
+          ndetAssignments.push({ field: a.field, value: a.value });
+        } else {
+          detAssignments.push(a);
+        }
+      }
+      if (ndetAssignments.length === 0) {
+        const exceptClauses = detAssignments.map((a) => {
           const tlaValue = this.assignmentValueToTLA(a.value);
           return `![ctx].${this.sanitizeFieldName(a.field)} = ${tlaValue}`;
         });
         this.line(`/\\ contextStates' = [contextStates EXCEPT ${exceptClauses.join(", ")}]`);
         return false;
       }
-      if (preconditions.length === 0) {
-        this.line("\\* No state changes in handler");
+      this.emitNDETStateUpdates(ndetAssignments, detAssignments);
+      return false;
+    }
+    emitNDETStateUpdates(ndetAssignments, detAssignments) {
+      const detExceptClauses = detAssignments.map((a) => {
+        const tlaValue = this.assignmentValueToTLA(a.value);
+        return `![ctx].${this.sanitizeFieldName(a.field)} = ${tlaValue}`;
+      });
+      const ndetExceptClauses = [];
+      const quantifierOpeners = [];
+      for (const a of ndetAssignments) {
+        const fieldName = this.sanitizeFieldName(a.field);
+        const fieldRef = `contextStates[ctx].${fieldName}`;
+        if (a.value === "NDET:FILTER") {
+          quantifierOpeners.push(`/\\ \\E newLen_${fieldName} \\in 0..Len(${fieldRef}) :`);
+          ndetExceptClauses.push(`![ctx].${fieldName} = SubSeq(@, 1, newLen_${fieldName})`);
+        } else if (a.value === "NDET:MAP") {
+          quantifierOpeners.push(`/\\ \\E mapIdx_${fieldName} \\in 1..Len(${fieldRef}) :`);
+          quantifierOpeners.push(`\\E mapVal_${fieldName} \\in Value :`);
+          ndetExceptClauses.push(`![ctx].${fieldName} = [@ EXCEPT ![mapIdx_${fieldName}] = mapVal_${fieldName}]`);
+        }
+      }
+      for (const opener of quantifierOpeners) {
+        this.line(opener);
+        this.indent++;
+      }
+      const allExceptClauses = [...detExceptClauses, ...ndetExceptClauses];
+      this.line(`/\\ contextStates' = [contextStates EXCEPT ${allExceptClauses.join(", ")}]`);
+      for (const _opener of quantifierOpeners) {
+        this.indent--;
       }
-      this.line("/\\ UNCHANGED contextStates");
-      return true;
     }
     tsExpressionToTLA(expr, isPrimed = false) {
       if (!expr || typeof expr !== "string") {
@@ -1701,6 +1842,9 @@ var init_tla = __esm(() => {
         return "NULL";
       }
       if (typeof value === "string") {
+        if (value.startsWith("NDET:")) {
+          throw new Error(`NDET marker "${value}" reached assignmentValueToTLA — should have been partitioned in emitStateUpdates`);
+        }
         if (value.startsWith("param:")) {
           const paramName = value.substring(6);
           return `payload.${this.sanitizeFieldName(paramName)}`;
@@ -3335,6 +3479,9 @@ class ConfigValidator {
     if (config.tier2) {
       this.validateTier2Optimizations(config.tier2);
     }
+    if (config.subsystems) {
+      this.validateSubsystems(config.subsystems, config.state);
+    }
   }
   findNullPlaceholders(obj, path2) {
     if (obj === null || obj === undefined) {
@@ -3651,6 +3798,68 @@ class ConfigValidator {
       }
     }
   }
+  validateSubsystems(subsystems, stateConfig) {
+    const stateFieldNames = Object.keys(stateConfig);
+    const allAssignedHandlers = new Map;
+    const allAssignedFields = new Map;
+    for (const [subsystemName, subsystem] of Object.entries(subsystems)) {
+      for (const field of subsystem.state) {
+        if (!stateFieldNames.includes(field)) {
+          this.issues.push({
+            type: "invalid_value",
+            severity: "error",
+            field: `subsystems.${subsystemName}.state`,
+            message: `State field "${field}" does not exist in top-level state config`,
+            suggestion: `Available fields: ${stateFieldNames.join(", ")}`
+          });
+        }
+        const existingOwner = allAssignedFields.get(field);
+        if (existingOwner) {
+          this.issues.push({
+            type: "invalid_value",
+            severity: "warning",
+            field: `subsystems.${subsystemName}.state`,
+            message: `State field "${field}" is assigned to both "${existingOwner}" and "${subsystemName}"`,
+            suggestion: "State fields should be partitioned across subsystems for non-interference"
+          });
+        } else {
+          allAssignedFields.set(field, subsystemName);
+        }
+      }
+      if (subsystem.handlers.length === 0) {
+        this.issues.push({
+          type: "invalid_value",
+          severity: "warning",
+          field: `subsystems.${subsystemName}.handlers`,
+          message: `Subsystem "${subsystemName}" has no handlers`,
+          suggestion: "Add at least one handler to the subsystem"
+        });
+      }
+      for (const handler of subsystem.handlers) {
+        const existingOwner = allAssignedHandlers.get(handler);
+        if (existingOwner) {
+          this.issues.push({
+            type: "invalid_value",
+            severity: "error",
+            field: `subsystems.${subsystemName}.handlers`,
+            message: `Handler "${handler}" is assigned to both "${existingOwner}" and "${subsystemName}"`,
+            suggestion: "Each handler must belong to exactly one subsystem"
+          });
+        } else {
+          allAssignedHandlers.set(handler, subsystemName);
+        }
+      }
+      if (subsystem.state.length === 0) {
+        this.issues.push({
+          type: "invalid_value",
+          severity: "warning",
+          field: `subsystems.${subsystemName}.state`,
+          message: `Subsystem "${subsystemName}" has no state fields`,
+          suggestion: "Add at least one state field to the subsystem"
+        });
+      }
+    }
+  }
 }
 function validateConfig(configPath) {
   const validator = new ConfigValidator;
@@ -4069,7 +4278,8 @@ class HandlerExtractor {
   packageRoot;
   warnings;
   currentFunctionParams = [];
-  constructor(tsConfigPath) {
+  contextOverrides;
+  constructor(tsConfigPath, contextOverrides) {
     this.project = new Project({
       tsConfigFilePath: tsConfigPath
     });
@@ -4077,6 +4287,7 @@ class HandlerExtractor {
     this.relationshipExtractor = new RelationshipExtractor;
     this.analyzedFiles = new Set;
     this.warnings = [];
+    this.contextOverrides = contextOverrides || new Map;
     this.packageRoot = this.findPackageRoot(tsConfigPath);
   }
   warnUnsupportedPattern(pattern, location, suggestion) {
@@ -4294,8 +4505,20 @@ class HandlerExtractor {
           handlers.push(handler);
         }
       }
+      if (methodName === "ws") {
+        this.extractElysiaWsHandlers(node, context, filePath, handlers);
+      }
+      if (this.isRestMethod(methodName) && this.isWebFrameworkFile(node.getSourceFile())) {
+        const restHandler = this.extractRestHandler(node, methodName, context, filePath);
+        if (restHandler) {
+          handlers.push(restHandler);
+        }
+      }
     }
   }
+  isRestMethod(name) {
+    return ["get", "post", "put", "delete", "patch"].includes(name);
+  }
   isElseIfStatement(node) {
     const parent = node.getParent();
     return parent !== undefined && Node2.isIfStatement(parent);
@@ -4361,6 +4584,135 @@ class HandlerExtractor {
       parameters
     };
   }
+  extractElysiaWsHandlers(node, context, filePath, handlers) {
+    const args = node.getArguments();
+    if (args.length < 2)
+      return;
+    const routeArg = args[0];
+    if (!routeArg || !Node2.isStringLiteral(routeArg))
+      return;
+    const routePath = routeArg.getLiteralValue();
+    const configArg = args[1];
+    if (!configArg || !Node2.isObjectLiteralExpression(configArg))
+      return;
+    const callbacks = ["message", "open", "close"];
+    for (const cbName of callbacks) {
+      const prop = configArg.getProperty(cbName);
+      if (!prop)
+        continue;
+      let funcBody = null;
+      if (Node2.isMethodDeclaration(prop)) {
+        funcBody = prop;
+      } else if (Node2.isPropertyAssignment(prop)) {
+        const init = prop.getInitializer();
+        if (init && (Node2.isArrowFunction(init) || Node2.isFunctionExpression(init))) {
+          funcBody = init;
+        }
+      }
+      if (!funcBody)
+        continue;
+      if (cbName === "message") {
+        const body = funcBody.getBody();
+        if (!body)
+          continue;
+        const subHandlers = this.extractSubHandlersFromBody(body, context, filePath);
+        if (subHandlers.length > 0) {
+          handlers.push(...subHandlers);
+        } else {
+          handlers.push(this.buildWsHandler(`ws_message`, routePath, context, filePath, funcBody, node.getStartLineNumber()));
+        }
+      } else {
+        handlers.push(this.buildWsHandler(`ws_${cbName}`, routePath, context, filePath, funcBody, node.getStartLineNumber()));
+      }
+    }
+  }
+  extractSubHandlersFromBody(body, context, filePath) {
+    const subHandlers = [];
+    body.forEachDescendant((child) => {
+      if (Node2.isIfStatement(child) && !this.isElseIfStatement(child)) {
+        const typeGuardHandlers = this.extractTypeGuardHandlers(child, context, filePath);
+        subHandlers.push(...typeGuardHandlers);
+      }
+      if (Node2.isSwitchStatement(child)) {
+        const switchHandlers = this.extractSwitchCaseHandlers(child, context, filePath);
+        subHandlers.push(...switchHandlers);
+      }
+    });
+    return subHandlers;
+  }
+  buildWsHandler(messageType, _routePath, context, filePath, funcBody, line) {
+    const assignments = [];
+    const preconditions = [];
+    const postconditions = [];
+    this.currentFunctionParams = this.extractParameterNames(funcBody);
+    this.extractAssignments(funcBody, assignments);
+    this.extractVerificationConditions(funcBody, preconditions, postconditions);
+    this.currentFunctionParams = [];
+    return {
+      messageType,
+      node: context,
+      assignments,
+      preconditions,
+      postconditions,
+      location: { file: filePath, line },
+      origin: "event"
+    };
+  }
+  extractRestHandler(node, methodName, context, filePath) {
+    const args = node.getArguments();
+    if (args.length < 2)
+      return null;
+    const routeArg = args[0];
+    if (!routeArg || !Node2.isStringLiteral(routeArg))
+      return null;
+    const routePath = routeArg.getLiteralValue();
+    const httpMethod = methodName.toUpperCase();
+    const messageType = `${httpMethod} ${routePath}`;
+    const handlerArg = args[1];
+    const assignments = [];
+    const preconditions = [];
+    const postconditions = [];
+    let actualHandler = null;
+    if (Node2.isArrowFunction(handlerArg) || Node2.isFunctionExpression(handlerArg)) {
+      actualHandler = handlerArg;
+    } else if (Node2.isIdentifier(handlerArg)) {
+      actualHandler = this.resolveFunctionReference(handlerArg);
+    }
+    let parameters;
+    if (actualHandler) {
+      this.currentFunctionParams = this.extractParameterNames(actualHandler);
+      parameters = this.currentFunctionParams.length > 0 ? [...this.currentFunctionParams] : undefined;
+      this.extractAssignments(actualHandler, assignments);
+      this.extractVerificationConditions(actualHandler, preconditions, postconditions);
+      this.currentFunctionParams = [];
+    }
+    return {
+      messageType,
+      node: context,
+      assignments,
+      preconditions,
+      postconditions,
+      location: {
+        file: filePath,
+        line: node.getStartLineNumber()
+      },
+      origin: "event",
+      parameters,
+      handlerKind: "rest",
+      httpMethod,
+      routePath
+    };
+  }
+  isWebFrameworkFile(sourceFile) {
+    const frameworks = ["elysia", "express", "hono", "fastify", "koa", "@elysiajs/eden"];
+    for (const importDecl of sourceFile.getImportDeclarations()) {
+      const specifier = importDecl.getModuleSpecifierValue();
+      if (frameworks.some((fw) => specifier === fw || specifier.startsWith(`${fw}/`))) {
+        return true;
+      }
+    }
+    return false;
+  }
   extractAssignments(funcNode, assignments) {
     funcNode.forEachDescendant((node) => {
       if (Node2.isBinaryExpression(node)) {
@@ -4411,7 +4763,9 @@ class HandlerExtractor {
       return;
     if (this.tryExtractSetConstructorPattern(fieldPath, right, assignments))
       return;
-    this.tryExtractMapConstructorPattern(fieldPath, right, assignments);
+    if (this.tryExtractMapConstructorPattern(fieldPath, right, assignments))
+      return;
+    this.tryExtractSignalDirectValuePattern(fieldPath, right, assignments);
   }
   tryExtractStateFieldPattern(fieldPath, right, assignments) {
     if (!fieldPath.startsWith("state."))
@@ -4530,6 +4884,25 @@ class HandlerExtractor {
     }
     return true;
   }
+  tryExtractSignalDirectValuePattern(fieldPath, right, assignments) {
+    if (!fieldPath.endsWith(".value"))
+      return false;
+    const signalName = fieldPath.slice(0, -6);
+    const literalValue = this.extractValue(right);
+    if (literalValue !== undefined) {
+      assignments.push({ field: signalName, value: literalValue });
+      return true;
+    }
+    if (Node2.isPropertyAccessExpression(right)) {
+      const rightPath = this.getPropertyPath(right);
+      const parts = rightPath.split(".");
+      if (parts.length === 2 && parts[0] !== undefined && parts[1] !== undefined && this.currentFunctionParams.includes(parts[0])) {
+        assignments.push({ field: signalName, value: `param:${parts[1]}` });
+        return true;
+      }
+    }
+    return false;
+  }
   extractSetOperation(newExpr, fieldPath, signalName) {
     const args = newExpr.getArguments();
     if (args.length === 0) {
@@ -4646,11 +5019,11 @@ class HandlerExtractor {
       return null;
     switch (methodName) {
       case "filter":
-        return { field: signalName, value: "SelectSeq(@, LAMBDA t: TRUE)" };
+        return { field: signalName, value: "NDET:FILTER" };
       case "map":
-        return { field: signalName, value: "[i \\in DOMAIN @ |-> @[i]]" };
+        return { field: signalName, value: "NDET:MAP" };
       case "slice":
-        return { field: signalName, value: "SubSeq(@, 1, Len(@))" };
+        return { field: signalName, value: "NDET:FILTER" };
       case "concat":
         return { field: signalName, value: "@ \\o <<payload>>" };
       case "reverse":
@@ -5195,32 +5568,64 @@ class HandlerExtractor {
     try {
       const ifStmt = ifNode;
       const condition = ifStmt.getExpression();
-      if (!Node2.isCallExpression(condition)) {
-        return null;
+      if (Node2.isCallExpression(condition)) {
+        const funcExpr = condition.getExpression();
+        const funcName = Node2.isIdentifier(funcExpr) ? funcExpr.getText() : undefined;
+        this.debugLogProcessingFunction(funcName);
+        const messageType = this.resolveMessageType(funcExpr, funcName, typeGuards);
+        if (!messageType) {
+          this.debugLogUnresolvedMessageType(funcName);
+          return null;
+        }
+        const line = ifStmt.getStartLineNumber();
+        const relationships = this.extractRelationshipsFromIfBlock(ifStmt, messageType);
+        return {
+          messageType,
+          node: context,
+          assignments: [],
+          preconditions: [],
+          postconditions: [],
+          location: { file: filePath, line },
+          relationships
+        };
       }
-      const funcExpr = condition.getExpression();
-      const funcName = Node2.isIdentifier(funcExpr) ? funcExpr.getText() : undefined;
-      this.debugLogProcessingFunction(funcName);
-      const messageType = this.resolveMessageType(funcExpr, funcName, typeGuards);
-      if (!messageType) {
-        this.debugLogUnresolvedMessageType(funcName);
-        return null;
+      if (Node2.isBinaryExpression(condition)) {
+        const messageType = this.extractMessageTypeFromEqualityCheck(condition);
+        if (messageType) {
+          const line = ifStmt.getStartLineNumber();
+          const relationships = this.extractRelationshipsFromIfBlock(ifStmt, messageType);
+          return {
+            messageType,
+            node: context,
+            assignments: [],
+            preconditions: [],
+            postconditions: [],
+            location: { file: filePath, line },
+            relationships
+          };
+        }
       }
-      const line = ifStmt.getStartLineNumber();
-      const relationships = this.extractRelationshipsFromIfBlock(ifStmt, messageType);
-      return {
-        messageType,
-        node: context,
-        assignments: [],
-        preconditions: [],
-        postconditions: [],
-        location: { file: filePath, line },
-        relationships
-      };
+      return null;
     } catch (_error) {
       return null;
     }
   }
+  extractMessageTypeFromEqualityCheck(expr) {
+    const operator = expr.getOperatorToken().getText();
+    if (operator !== "===" && operator !== "==")
+      return null;
+    const left = expr.getLeft();
+    const right = expr.getRight();
+    const stringLiteral = Node2.isStringLiteral(right) ? right : Node2.isStringLiteral(left) ? left : null;
+    const propAccess = Node2.isPropertyAccessExpression(left) ? left : Node2.isPropertyAccessExpression(right) ? right : null;
+    if (!stringLiteral || !propAccess)
+      return null;
+    const propName = propAccess.getName();
+    if (propName !== "type" && propName !== "kind" && propName !== "action") {
+      return null;
+    }
+    return stringLiteral.getLiteralValue();
+  }
   debugLogProcessingFunction(funcName) {
     if (process.env["POLLY_DEBUG"] && funcName) {
       console.log(`[DEBUG] Processing if condition with function: ${funcName}`);
@@ -5430,6 +5835,10 @@ class HandlerExtractor {
     return messageType;
   }
   inferContext(filePath) {
+    for (const [pathPrefix, context] of this.contextOverrides.entries()) {
+      if (filePath.startsWith(pathPrefix))
+        return context;
+    }
     const path2 = filePath.toLowerCase();
     return this.inferElectronContext(path2) || this.inferWorkerContext(path2) || this.inferServerAppContext(path2) || this.inferChromeExtensionContext(path2) || "unknown";
   }
@@ -6645,15 +7054,23 @@ async function runFullVerification(configPath) {
   if (exprValidation.warnings.length > 0) {
     displayExpressionWarnings(exprValidation);
   }
+  if (typedConfig.subsystems && Object.keys(typedConfig.subsystems).length > 0) {
+    await runSubsystemVerification(typedConfig, typedAnalysis);
+    return;
+  }
+  await runMonolithicVerification(config, analysis);
+}
+async function runMonolithicVerification(config, analysis) {
   const { specPath, specDir } = await generateAndWriteTLASpecs(config, analysis);
   findAndCopyBaseSpec(specDir);
   console.log(color("✓ Specification generated", COLORS.green));
   console.log(color(`   ${specPath}`, COLORS.gray));
   console.log();
   const docker = await setupDocker();
-  const timeoutSeconds = getTimeout(config);
-  const workers = getWorkers(config);
-  const maxDepth = getMaxDepth(config);
+  const typedConfig = config;
+  const timeoutSeconds = getTimeout(typedConfig);
+  const workers = getWorkers(typedConfig);
+  const maxDepth = getMaxDepth(typedConfig);
   console.log(color("⚙️  Running TLC model checker...", COLORS.blue));
   if (timeoutSeconds === 0) {
     console.log(color("   No timeout set - will run until completion", COLORS.gray));
@@ -6673,6 +7090,122 @@ async function runFullVerification(configPath) {
   });
   displayVerificationResults(result, specDir);
 }
+async function runSubsystemVerification(config, analysis) {
+  const subsystems = config.subsystems;
+  const subsystemNames = Object.keys(subsystems);
+  console.log(color(`\uD83D\uDCE6 Subsystem-scoped verification (${subsystemNames.length} subsystems)
+`, COLORS.blue));
+  const { checkNonInterference: checkNonInterference2 } = await Promise.resolve().then(() => exports_non_interference);
+  const interference = checkNonInterference2(subsystems, analysis.handlers);
+  if (interference.valid) {
+    console.log(color("✓ Non-interference: verified (no cross-subsystem state writes)", COLORS.green));
+    console.log();
+  } else {
+    console.log(color(`⚠️  Non-interference violations detected:
+`, COLORS.yellow));
+    for (const v of interference.violations) {
+      console.log(color(`   • Handler "${v.handler}" (${v.subsystem}) writes to "${v.writesTo}" owned by "${v.ownedBy}"`, COLORS.yellow));
+    }
+    console.log();
+    console.log(color("   Compositional verification may not be sound. Consider restructuring subsystem boundaries.", COLORS.yellow));
+    console.log();
+  }
+  const assignedHandlers = new Set(Object.values(subsystems).flatMap((s) => s.handlers));
+  const unassigned = analysis.messageTypes.filter((mt) => !assignedHandlers.has(mt));
+  if (unassigned.length > 0) {
+    console.log(color(`⚠️  ${unassigned.length} handler(s) not assigned to any subsystem (will not be verified):`, COLORS.yellow));
+    for (const h of unassigned.slice(0, 10)) {
+      console.log(color(`   • ${h}`, COLORS.yellow));
+    }
+    if (unassigned.length > 10) {
+      console.log(color(`   ... and ${unassigned.length - 10} more`, COLORS.yellow));
+    }
+    console.log();
+  }
+  const docker = await setupDocker();
+  const timeoutSeconds = getTimeout(config);
+  const workers = getWorkers(config);
+  const maxDepth = getMaxDepth(config);
+  const { generateSubsystemTLA: generateSubsystemTLA2 } = await Promise.resolve().then(() => (init_tla(), exports_tla));
+  const results = [];
+  for (const name of subsystemNames) {
+    const sub = subsystems[name];
+    const startTime = Date.now();
+    console.log(color(`⚙️  Verifying subsystem: ${name}...`, COLORS.blue));
+    const { spec, cfg } = await generateSubsystemTLA2(name, sub, config, analysis);
+    const specDir = path4.join(process.cwd(), "specs", "tla", "generated", name);
+    if (!fs4.existsSync(specDir)) {
+      fs4.mkdirSync(specDir, { recursive: true });
+    }
+    const specPath = path4.join(specDir, `UserApp_${name}.tla`);
+    const cfgPath = path4.join(specDir, `UserApp_${name}.cfg`);
+    fs4.writeFileSync(specPath, spec);
+    fs4.writeFileSync(cfgPath, cfg);
+    findAndCopyBaseSpec(specDir);
+    const result = await docker.runTLC(specPath, {
+      workers,
+      timeout: timeoutSeconds > 0 ? timeoutSeconds * 1000 : undefined,
+      maxDepth
+    });
+    const elapsed = (Date.now() - startTime) / 1000;
+    results.push({
+      name,
+      success: result.success,
+      handlerCount: sub.handlers.length,
+      stateCount: result.stats?.distinctStates ?? 0,
+      elapsed,
+      stats: result.stats,
+      error: result.error
+    });
+    if (result.success) {
+      console.log(color(`   ✓ ${name} passed (${elapsed.toFixed(1)}s)`, COLORS.green));
+    } else {
+      console.log(color(`   ✗ ${name} failed`, COLORS.red));
+      if (result.violation) {
+        console.log(color(`     Invariant violated: ${result.violation.name}`, COLORS.red));
+      } else if (result.error) {
+        console.log(color(`     Error: ${result.error}`, COLORS.red));
+      }
+      fs4.writeFileSync(path4.join(specDir, "tlc-output.log"), result.output);
+    }
+  }
+  console.log();
+  displayCompositionalReport(results, interference.valid);
+}
+function displayCompositionalReport(results, nonInterferenceValid) {
+  console.log(color(`Subsystem verification results:
+`, COLORS.blue));
+  for (const r of results) {
+    const status = r.success ? color("✓", COLORS.green) : color("✗", COLORS.red);
+    const name = r.name.padEnd(20);
+    const handlers = `${r.handlerCount} handler${r.handlerCount !== 1 ? "s" : ""}`;
+    const states = `${r.stateCount} states`;
+    const time = `${r.elapsed.toFixed(1)}s`;
+    console.log(`  ${status} ${name} ${handlers.padEnd(14)} ${states.padEnd(14)} ${time}`);
+  }
+  console.log();
+  const nonIntLabel = nonInterferenceValid ? color("✓ verified (no cross-subsystem state writes)", COLORS.green) : color("⚠ violations detected", COLORS.yellow);
+  console.log(`  Non-interference: ${nonIntLabel}`);
+  console.log();
+  const allPassed = results.every((r) => r.success);
+  if (allPassed && nonInterferenceValid) {
+    console.log(color("Compositional result: ✓ PASS", COLORS.green));
+    console.log(color("  All subsystems verified independently. By non-interference,", COLORS.gray));
+    console.log(color("  the full system satisfies all per-subsystem invariants.", COLORS.gray));
+  } else if (allPassed && !nonInterferenceValid) {
+    console.log(color("Compositional result: ⚠ PASS (with warnings)", COLORS.yellow));
+    console.log(color("  All subsystems passed, but non-interference violations exist.", COLORS.gray));
+    console.log(color("  Compositional soundness is not guaranteed.", COLORS.gray));
+  } else {
+    console.log(color("Compositional result: ✗ FAIL", COLORS.red));
+    const failed = results.filter((r) => !r.success);
+    for (const f of failed) {
+      console.log(color(`  Failed: ${f.name}`, COLORS.red));
+    }
+    process.exit(1);
+  }
+  console.log();
+}
 async function loadVerificationConfig(configPath) {
   const resolvedPath = path4.resolve(configPath);
   const configModule = await import(`file://${resolvedPath}?t=${Date.now()}`);
@@ -6889,4 +7422,4 @@ main().catch((error) => {
   process.exit(1);
 });
 
-//# debugId=35FC1B345D5CADC664756E2164756E21
+//# debugId=E5DA6950FD1E0C7764756E2164756E21