@fairfox/polly 0.40.0 → 0.49.0

package/dist/tools/verify/src/cli.js

@@ -17,6 +17,236 @@ var __export = (target, all) => {
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
+// tools/verify/src/analysis/expression-validator.ts
+function extractFieldRefs(expression) {
+  const refs = [];
+  for (const m of expression.matchAll(SIGNAL_VALUE_FIELD)) {
+    const prefix = m[1];
+    const suffix = m[2];
+    refs.push(`${prefix}.${suffix}`);
+  }
+  for (const m of expression.matchAll(SIGNAL_VALUE_BARE)) {
+    if (m[1])
+      refs.push(m[1]);
+  }
+  for (const m of expression.matchAll(STATE_DOT_FIELD)) {
+    if (m[1])
+      refs.push(m[1]);
+  }
+  return [...new Set(refs)];
+}
+function fieldInConfig(fieldRef, configKeys, stateConfig) {
+  if (configKeys.has(fieldRef))
+    return true;
+  const underscored = fieldRef.replace(/\./g, "_");
+  if (configKeys.has(underscored))
+    return true;
+  const dotted = fieldRef.replace(/_/g, ".");
+  if (configKeys.has(dotted))
+    return true;
+  if (stateConfig && fieldRef.endsWith(".length")) {
+    const parent = fieldRef.slice(0, -".length".length);
+    const parentEntry = resolveConfigEntry(parent, stateConfig);
+    if (parentEntry !== undefined && isArrayLike(parentEntry))
+      return true;
+  }
+  return false;
+}
+function resolveConfigEntry(fieldRef, stateConfig) {
+  if (fieldRef in stateConfig)
+    return stateConfig[fieldRef];
+  const underscored = fieldRef.replace(/\./g, "_");
+  if (underscored in stateConfig)
+    return stateConfig[underscored];
+  const dotted = fieldRef.replace(/_/g, ".");
+  if (dotted in stateConfig)
+    return stateConfig[dotted];
+  return;
+}
+function isArrayLike(configEntry) {
+  if (configEntry && typeof configEntry === "object") {
+    const obj = configEntry;
+    if (obj["type"] === "array")
+      return true;
+    if ("maxLength" in obj)
+      return true;
+    if ("maxSize" in obj)
+      return true;
+  }
+  return false;
+}
+function isNullable(configEntry) {
+  if (Array.isArray(configEntry)) {
+    return configEntry.includes(null);
+  }
+  if (configEntry && typeof configEntry === "object") {
+    const obj = configEntry;
+    if (obj["abstract"] === true)
+      return true;
+    if (Array.isArray(obj["values"])) {
+      return obj["values"].includes(null);
+    }
+  }
+  return false;
+}
+function checkUnmodeledFields(expression, configKeys, stateConfig, messageType, conditionType, location) {
+  const warnings = [];
+  const refs = extractFieldRefs(expression);
+  for (const ref of refs) {
+    if (!fieldInConfig(ref, configKeys, stateConfig)) {
+      warnings.push({
+        kind: "unmodeled_field",
+        message: `${conditionType}() in ${messageType} references unmodeled field '${ref}'`,
+        messageType,
+        conditionType,
+        expression,
+        location,
+        suggestion: `Add '${ref}' to state config or remove from ${conditionType}()`
+      });
+    }
+  }
+  return warnings;
+}
+function checkUnsupportedMethods(expression, configKeys, stateConfig, messageType, conditionType, location) {
+  const match = expression.match(UNSUPPORTED_METHODS);
+  if (!match)
+    return [];
+  const refs = extractFieldRefs(expression);
+  const allUnmodeled = refs.length > 0 && refs.every((r) => !fieldInConfig(r, configKeys, stateConfig));
+  if (allUnmodeled)
+    return [];
+  return [
+    {
+      kind: "unsupported_method",
+      message: `${conditionType}() in ${messageType} uses .${match[1]}() which cannot be translated to TLA+`,
+      messageType,
+      conditionType,
+      expression,
+      location,
+      suggestion: `Rewrite without .${match[1]}() or model the check as a boolean state field`
+    }
+  ];
+}
+function checkOptionalChaining(expression, messageType, conditionType, location) {
+  if (!OPTIONAL_CHAIN.test(expression))
+    return [];
+  return [
+    {
+      kind: "optional_chaining",
+      message: `${conditionType}() in ${messageType} uses optional chaining (?.)`,
+      messageType,
+      conditionType,
+      expression,
+      location,
+      suggestion: "Optional chaining translation is fragile — consider explicit null checks or restructuring"
+    }
+  ];
+}
+function checkNullComparisons(expression, stateConfig, configKeys, messageType, conditionType, location) {
+  if (!NULL_COMPARISON.test(expression))
+    return [];
+  const warnings = [];
+  const refs = extractFieldRefs(expression);
+  for (const ref of refs) {
+    if (!fieldInConfig(ref, configKeys, stateConfig))
+      continue;
+    const entry = resolveConfigEntry(ref, stateConfig);
+    if (entry !== undefined && !isNullable(entry)) {
+      warnings.push({
+        kind: "null_comparison",
+        message: `${conditionType}() in ${messageType} compares '${ref}' to null but field is not nullable`,
+        messageType,
+        conditionType,
+        expression,
+        location,
+        suggestion: `Add null to '${ref}' values in state config, or remove the null check`
+      });
+    }
+  }
+  return warnings;
+}
+function checkWeakPostconditions(expression, handler, messageType, conditionType, location) {
+  if (conditionType !== "ensures")
+    return [];
+  const match = expression.match(WEAK_NEGATION);
+  if (!match)
+    return [];
+  const refs = extractFieldRefs(expression);
+  if (refs.length === 0)
+    return [];
+  for (const ref of refs) {
+    const underscoredRef = ref.replace(/\./g, "_");
+    const hasAssignment = handler.assignments.some((a) => a.field === ref || a.field === underscoredRef || a.field.replace(/_/g, ".") === ref);
+    if (hasAssignment) {
+      const assignment = handler.assignments.find((a) => a.field === ref || a.field === underscoredRef || a.field.replace(/_/g, ".") === ref);
+      const assignedValue = assignment ? JSON.stringify(assignment.value) : "<value>";
+      return [
+        {
+          kind: "weak_postcondition",
+          message: `ensures() in ${messageType} uses !== for '${ref}' which has a concrete assignment`,
+          messageType,
+          conditionType,
+          expression,
+          location,
+          suggestion: `Consider ensures(${ref} === ${assignedValue}) for a stronger postcondition`
+        }
+      ];
+    }
+  }
+  return [];
+}
+function validateExpressions(handlers, stateConfig) {
+  const warnings = [];
+  let validCount = 0;
+  const configKeys = new Set(Object.keys(stateConfig));
+  for (const handler of handlers) {
+    const conditions = [
+      ...handler.preconditions.map((c) => ({
+        cond: c,
+        type: "requires"
+      })),
+      ...handler.postconditions.map((c) => ({
+        cond: c,
+        type: "ensures"
+      }))
+    ];
+    for (const { cond, type } of conditions) {
+      const refs = extractFieldRefs(cond.expression);
+      const isPayloadOnly = refs.length === 0 && PAYLOAD_REF.test(cond.expression);
+      const loc = {
+        file: handler.location.file,
+        line: cond.location.line,
+        column: cond.location.column
+      };
+      const condWarnings = [];
+      if (!isPayloadOnly) {
+        condWarnings.push(...checkUnmodeledFields(cond.expression, configKeys, stateConfig, handler.messageType, type, loc));
+      }
+      condWarnings.push(...checkUnsupportedMethods(cond.expression, configKeys, stateConfig, handler.messageType, type, loc));
+      condWarnings.push(...checkOptionalChaining(cond.expression, handler.messageType, type, loc));
+      condWarnings.push(...checkNullComparisons(cond.expression, stateConfig, configKeys, handler.messageType, type, loc));
+      condWarnings.push(...checkWeakPostconditions(cond.expression, handler, handler.messageType, type, loc));
+      if (condWarnings.length === 0) {
+        validCount++;
+      } else {
+        warnings.push(...condWarnings);
+      }
+    }
+  }
+  return { warnings, validCount, warnCount: warnings.length };
+}
+var SIGNAL_VALUE_FIELD, SIGNAL_VALUE_BARE, STATE_DOT_FIELD, PAYLOAD_REF, UNSUPPORTED_METHODS, OPTIONAL_CHAIN, NULL_COMPARISON, WEAK_NEGATION;
+var init_expression_validator = __esm(() => {
+  SIGNAL_VALUE_FIELD = /([a-zA-Z_]\w*)\.value\.([a-zA-Z_][\w.]*)/g;
+  SIGNAL_VALUE_BARE = /([a-zA-Z_]\w*)\.value\b(?!\.)/g;
+  STATE_DOT_FIELD = /state\.([a-zA-Z_][\w.]*)/g;
+  PAYLOAD_REF = /payload\.\w+/;
+  UNSUPPORTED_METHODS = /\.(some|every|find|filter)\s*\(/;
+  OPTIONAL_CHAIN = /\?\./;
+  NULL_COMPARISON = /(===?\s*null|!==?\s*null|null\s*===?|null\s*!==?)/;
+  WEAK_NEGATION = /([a-zA-Z_][\w.]*(?:\.value\.[\w.]+|\.value\b|))?\s*!==?\s*("[^"]*"|'[^']*'|\d+|true|false|null)/;
+});
+
 // tools/verify/src/analysis/non-interference.ts
 var exports_non_interference = {};
 __export(exports_non_interference, {
@@ -59,6 +289,80 @@ function checkNonInterference(subsystems, handlers) {
   };
 }
 
+// tools/verify/src/analysis/precondition-locality.ts
+var exports_precondition_locality = {};
+__export(exports_precondition_locality, {
+  checkPreconditionLocality: () => checkPreconditionLocality
+});
+function findOwner(fieldRef, fieldOwner) {
+  const candidates = [fieldRef, fieldRef.replace(/\./g, "_"), fieldRef.replace(/_/g, ".")];
+  for (const c of candidates) {
+    const owner = fieldOwner.get(c);
+    if (owner)
+      return owner;
+  }
+  if (fieldRef.endsWith(".length")) {
+    return findOwner(fieldRef.slice(0, -".length".length), fieldOwner);
+  }
+  return;
+}
+function buildFieldOwner(subsystems) {
+  const fieldOwner = new Map;
+  for (const [name, sub] of Object.entries(subsystems)) {
+    for (const field of sub.state) {
+      fieldOwner.set(field, name);
+    }
+  }
+  return fieldOwner;
+}
+function buildHandlerSubsystem(subsystems) {
+  const handlerSubsystem = new Map;
+  for (const [name, sub] of Object.entries(subsystems)) {
+    for (const h of sub.handlers) {
+      handlerSubsystem.set(h, name);
+    }
+  }
+  return handlerSubsystem;
+}
+function violationsForPrecondition(handler, subsystemName, precondition, fieldOwner) {
+  const out = [];
+  for (const ref of extractFieldRefs(precondition.expression)) {
+    const owner = findOwner(ref, fieldOwner);
+    if (!owner || owner === subsystemName)
+      continue;
+    out.push({
+      handler: handler.messageType,
+      subsystem: subsystemName,
+      readsFrom: ref,
+      ownedBy: owner,
+      expression: precondition.expression,
+      location: {
+        file: handler.location?.file ?? "",
+        line: precondition.location?.line ?? 0,
+        column: precondition.location?.column ?? 0
+      }
+    });
+  }
+  return out;
+}
+function checkPreconditionLocality(subsystems, handlers) {
+  const fieldOwner = buildFieldOwner(subsystems);
+  const handlerSubsystem = buildHandlerSubsystem(subsystems);
+  const violations = [];
+  for (const handler of handlers) {
+    const subsystemName = handlerSubsystem.get(handler.messageType);
+    if (!subsystemName)
+      continue;
+    for (const precondition of handler.preconditions ?? []) {
+      violations.push(...violationsForPrecondition(handler, subsystemName, precondition, fieldOwner));
+    }
+  }
+  return { valid: violations.length === 0, violations };
+}
+var init_precondition_locality = __esm(() => {
+  init_expression_validator();
+});
+
 // tools/verify/src/codegen/invariants.ts
 import { Node as Node3, Project as Project3 } from "ts-morph";
 
@@ -2657,234 +2961,10 @@ var __dirname = "/Users/AJT/projects/polly/tools/verify/src/runner";
 var init_docker = () => {};
 
 // tools/verify/src/cli.ts
+init_expression_validator();
 import * as fs4 from "node:fs";
 import * as path4 from "node:path";
 
-// tools/verify/src/analysis/expression-validator.ts
-var SIGNAL_VALUE_FIELD = /([a-zA-Z_]\w*)\.value\.([a-zA-Z_][\w.]*)/g;
-var SIGNAL_VALUE_BARE = /([a-zA-Z_]\w*)\.value\b(?!\.)/g;
-var STATE_DOT_FIELD = /state\.([a-zA-Z_][\w.]*)/g;
-var PAYLOAD_REF = /payload\.\w+/;
-function extractFieldRefs(expression) {
-  const refs = [];
-  for (const m of expression.matchAll(SIGNAL_VALUE_FIELD)) {
-    const prefix = m[1];
-    const suffix = m[2];
-    refs.push(`${prefix}.${suffix}`);
-  }
-  for (const m of expression.matchAll(SIGNAL_VALUE_BARE)) {
-    refs.push(m[1]);
-  }
-  for (const m of expression.matchAll(STATE_DOT_FIELD)) {
-    refs.push(m[1]);
-  }
-  return [...new Set(refs)];
-}
-function fieldInConfig(fieldRef, configKeys, stateConfig) {
-  if (configKeys.has(fieldRef))
-    return true;
-  const underscored = fieldRef.replace(/\./g, "_");
-  if (configKeys.has(underscored))
-    return true;
-  const dotted = fieldRef.replace(/_/g, ".");
-  if (configKeys.has(dotted))
-    return true;
-  if (stateConfig && fieldRef.endsWith(".length")) {
-    const parent = fieldRef.slice(0, -".length".length);
-    const parentEntry = resolveConfigEntry(parent, stateConfig);
-    if (parentEntry !== undefined && isArrayLike(parentEntry))
-      return true;
-  }
-  return false;
-}
-function resolveConfigEntry(fieldRef, stateConfig) {
-  if (fieldRef in stateConfig)
-    return stateConfig[fieldRef];
-  const underscored = fieldRef.replace(/\./g, "_");
-  if (underscored in stateConfig)
-    return stateConfig[underscored];
-  const dotted = fieldRef.replace(/_/g, ".");
-  if (dotted in stateConfig)
-    return stateConfig[dotted];
-  return;
-}
-function isArrayLike(configEntry) {
-  if (configEntry && typeof configEntry === "object") {
-    const obj = configEntry;
-    if (obj.type === "array")
-      return true;
-    if ("maxLength" in obj)
-      return true;
-    if ("maxSize" in obj)
-      return true;
-  }
-  return false;
-}
-function isNullable(configEntry) {
-  if (Array.isArray(configEntry)) {
-    return configEntry.includes(null);
-  }
-  if (configEntry && typeof configEntry === "object") {
-    const obj = configEntry;
-    if (obj.abstract === true)
-      return true;
-    if (Array.isArray(obj.values)) {
-      return obj.values.includes(null);
-    }
-  }
-  return false;
-}
-var UNSUPPORTED_METHODS = /\.(some|every|find|filter)\s*\(/;
-var OPTIONAL_CHAIN = /\?\./;
-var NULL_COMPARISON = /(===?\s*null|!==?\s*null|null\s*===?|null\s*!==?)/;
-function checkUnmodeledFields(expression, configKeys, stateConfig, messageType, conditionType, location) {
-  const warnings = [];
-  const refs = extractFieldRefs(expression);
-  for (const ref of refs) {
-    if (!fieldInConfig(ref, configKeys, stateConfig)) {
-      warnings.push({
-        kind: "unmodeled_field",
-        message: `${conditionType}() in ${messageType} references unmodeled field '${ref}'`,
-        messageType,
-        conditionType,
-        expression,
-        location,
-        suggestion: `Add '${ref}' to state config or remove from ${conditionType}()`
-      });
-    }
-  }
-  return warnings;
-}
-function checkUnsupportedMethods(expression, configKeys, stateConfig, messageType, conditionType, location) {
-  const match = expression.match(UNSUPPORTED_METHODS);
-  if (!match)
-    return [];
-  const refs = extractFieldRefs(expression);
-  const allUnmodeled = refs.length > 0 && refs.every((r) => !fieldInConfig(r, configKeys, stateConfig));
-  if (allUnmodeled)
-    return [];
-  return [
-    {
-      kind: "unsupported_method",
-      message: `${conditionType}() in ${messageType} uses .${match[1]}() which cannot be translated to TLA+`,
-      messageType,
-      conditionType,
-      expression,
-      location,
-      suggestion: `Rewrite without .${match[1]}() or model the check as a boolean state field`
-    }
-  ];
-}
-function checkOptionalChaining(expression, messageType, conditionType, location) {
-  if (!OPTIONAL_CHAIN.test(expression))
-    return [];
-  return [
-    {
-      kind: "optional_chaining",
-      message: `${conditionType}() in ${messageType} uses optional chaining (?.)`,
-      messageType,
-      conditionType,
-      expression,
-      location,
-      suggestion: "Optional chaining translation is fragile — consider explicit null checks or restructuring"
-    }
-  ];
-}
-function checkNullComparisons(expression, stateConfig, configKeys, messageType, conditionType, location) {
-  if (!NULL_COMPARISON.test(expression))
-    return [];
-  const warnings = [];
-  const refs = extractFieldRefs(expression);
-  for (const ref of refs) {
-    if (!fieldInConfig(ref, configKeys, stateConfig))
-      continue;
-    const entry = resolveConfigEntry(ref, stateConfig);
-    if (entry !== undefined && !isNullable(entry)) {
-      warnings.push({
-        kind: "null_comparison",
-        message: `${conditionType}() in ${messageType} compares '${ref}' to null but field is not nullable`,
-        messageType,
-        conditionType,
-        expression,
-        location,
-        suggestion: `Add null to '${ref}' values in state config, or remove the null check`
-      });
-    }
-  }
-  return warnings;
-}
-var WEAK_NEGATION = /([a-zA-Z_][\w.]*(?:\.value\.[\w.]+|\.value\b|))?\s*!==?\s*("[^"]*"|'[^']*'|\d+|true|false|null)/;
-function checkWeakPostconditions(expression, handler, messageType, conditionType, location) {
-  if (conditionType !== "ensures")
-    return [];
-  const match = expression.match(WEAK_NEGATION);
-  if (!match)
-    return [];
-  const refs = extractFieldRefs(expression);
-  if (refs.length === 0)
-    return [];
-  for (const ref of refs) {
-    const underscoredRef = ref.replace(/\./g, "_");
-    const hasAssignment = handler.assignments.some((a) => a.field === ref || a.field === underscoredRef || a.field.replace(/_/g, ".") === ref);
-    if (hasAssignment) {
-      const assignment = handler.assignments.find((a) => a.field === ref || a.field === underscoredRef || a.field.replace(/_/g, ".") === ref);
-      const assignedValue = assignment ? JSON.stringify(assignment.value) : "<value>";
-      return [
-        {
-          kind: "weak_postcondition",
-          message: `ensures() in ${messageType} uses !== for '${ref}' which has a concrete assignment`,
-          messageType,
-          conditionType,
-          expression,
-          location,
-          suggestion: `Consider ensures(${ref} === ${assignedValue}) for a stronger postcondition`
-        }
-      ];
-    }
-  }
-  return [];
-}
-function validateExpressions(handlers, stateConfig) {
-  const warnings = [];
-  let validCount = 0;
-  const configKeys = new Set(Object.keys(stateConfig));
-  for (const handler of handlers) {
-    const conditions = [
-      ...handler.preconditions.map((c) => ({
-        cond: c,
-        type: "requires"
-      })),
-      ...handler.postconditions.map((c) => ({
-        cond: c,
-        type: "ensures"
-      }))
-    ];
-    for (const { cond, type } of conditions) {
-      const refs = extractFieldRefs(cond.expression);
-      const isPayloadOnly = refs.length === 0 && PAYLOAD_REF.test(cond.expression);
-      const loc = {
-        file: handler.location.file,
-        line: cond.location.line,
-        column: cond.location.column
-      };
-      const condWarnings = [];
-      if (!isPayloadOnly) {
-        condWarnings.push(...checkUnmodeledFields(cond.expression, configKeys, stateConfig, handler.messageType, type, loc));
-      }
-      condWarnings.push(...checkUnsupportedMethods(cond.expression, configKeys, stateConfig, handler.messageType, type, loc));
-      condWarnings.push(...checkOptionalChaining(cond.expression, handler.messageType, type, loc));
-      condWarnings.push(...checkNullComparisons(cond.expression, stateConfig, configKeys, handler.messageType, type, loc));
-      condWarnings.push(...checkWeakPostconditions(cond.expression, handler, handler.messageType, type, loc));
-      if (condWarnings.length === 0) {
-        validCount++;
-      } else {
-        warnings.push(...condWarnings);
-      }
-    }
-  }
-  return { warnings, validCount, warnCount: warnings.length };
-}
-
 // tools/verify/src/config/types.ts
 function isAdapterConfig(config) {
   return "adapter" in config;
@@ -7476,7 +7556,7 @@ async function runMonolithicVerification(config, analysis) {
 async function runSubsystemVerification(config, analysis) {
   const subsystems = config.subsystems;
   const subsystemNames = Object.keys(subsystems);
-  console.log(color(`\uD83D\uDCE6 Subsystem-scoped verification (${subsystemNames.length} subsystems)
+  console.log(color(`Subsystem-scoped verification (${subsystemNames.length} subsystems)
 `, COLORS.blue));
   const { checkNonInterference: checkNonInterference2 } = await Promise.resolve().then(() => exports_non_interference);
   const interference = checkNonInterference2(subsystems, analysis.handlers);
@@ -7493,6 +7573,24 @@ async function runSubsystemVerification(config, analysis) {
     console.log(color("   Compositional verification may not be sound. Consider restructuring subsystem boundaries.", COLORS.yellow));
     console.log();
   }
+  const { checkPreconditionLocality: checkPreconditionLocality2 } = await Promise.resolve().then(() => (init_precondition_locality(), exports_precondition_locality));
+  const locality = checkPreconditionLocality2(subsystems, analysis.handlers);
+  if (locality.valid) {
+    console.log(color("✓ Precondition locality: verified (no cross-subsystem requires() reads)", COLORS.green));
+    console.log();
+  } else {
+    console.log(color(`⚠️  Precondition-locality violations detected:
+`, COLORS.yellow));
+    for (const v of locality.violations) {
+      console.log(color(`   • Handler "${v.handler}" (${v.subsystem}) requires "${v.readsFrom}" owned by "${v.ownedBy}"`, COLORS.yellow));
+      console.log(color(`     ${v.expression}`, COLORS.gray));
+    }
+    console.log();
+    console.log(color("   Compositional verification of these subsystems cannot satisfy the precondition;", COLORS.yellow));
+    console.log(color("   the handler's ensures() postcondition will not be evaluated. Consider restructuring", COLORS.yellow));
+    console.log(color("   subsystems to keep preconditions local.", COLORS.yellow));
+    console.log();
+  }
   const assignedHandlers = new Set(Object.values(subsystems).flatMap((s) => s.handlers));
   const unassigned = analysis.messageTypes.filter((mt) => !assignedHandlers.has(mt));
   if (unassigned.length > 0) {
@@ -7819,4 +7917,4 @@ main().catch((error) => {
   process.exit(1);
 });
 
-//# debugId=17E54E7016FB5CE064756E2164756E21
+//# debugId=E1FA1E90DBF1B2F664756E2164756E21