@shd101wyy/yo 0.1.31 → 0.1.33

package/.github/skills/yo-async-effects/async-effects-recipes.md

@@ -160,13 +160,13 @@ process_dir :: (fn(root: Path, ctx : WalkCtx) -> Impl(Future(unit, WalkCtx)))(
     stack := ArrayList(Path).new();
     { stack.push(root); };
 
-    while(runtime((stack.len() > usize(0))), {
+    while(stack.len() > usize(0), {
       cur := match(stack.pop(), .Some(p) => p, .None => return());
       entries := ctx.io.await(read_dir(cur, ctx.io), ctx.io);
       // process `entries`, push subdirectories to `stack`
       n := entries.len();
       i := usize(0);
-      while(runtime((i < n)), {
+      while(i < n, {
         match(entries.get(i),
           .None => (),
           .Some(e) => {

package/.github/skills/yo-core-patterns/core-patterns-cheatsheet.md

@@ -78,6 +78,30 @@ text := match(parsed,
 - Prefer combinators for straight-line transforms: `map`, `and_then`, `map_err`, `or_else`
 - Switch to `match(...)` when branches need different logic or side effects
 
+### Match destructuring: prefer curly `{field}`, avoid positional `_` padding
+
+For a variant with **2+ fields**, destructure by **name** with curly braces —
+name only the fields the arm uses. Do NOT count positions and pad with `_`.
+
+```rust
+// ✅ Curly — names only what you need; order-free; partial matches OK.
+//    Robust: adding a field to the variant later doesn't shift anything.
+match(v,
+  .FuncVal({ func_id }) => use(func_id),          // bind field `func_id`
+  .Struct({ id, name: n }) => use2(id, n),        // rename via `field: alias`
+  .EnumT({ id }) => use3(id),                     // ignore the other 6 fields
+  _ => ()
+)
+
+// ❌ Avoid — positional with many `_`; brittle and unreadable:
+//    .FuncVal(_, _, _, _, _, _, _, _, func_id) => …   // count the 8 _'s!
+```
+
+`{a}` = bind field `a`; `{a: x}` = rename to `x`; `{a: _}` = assert-exists-ignore.
+Empty `{}` and bare `{_}` are rejected. Spec: `tests/match_curly.test.yo`.
+(Full rules: `.github/instructions/yo-syntax.instructions.md` § Match
+destructuring forms.)
+
 ## Collections
 
 ```rust
@@ -303,7 +327,7 @@ node_eq :: (fn(a : Node, b : Node) -> bool)(
             true => {
               (i : usize) = usize(0);
               (ok : bool) = true;
-              while(runtime(((i < acs.len()) && ok)), {
+              while(((i < acs.len()) && ok), {
                 match(acs.get(i),
                   .Some(ac) => match(bcs.get(i),
                     .Some(bc) => { ok = recur(ac, bc); },

package/.github/skills/yo-syntax/syntax-cheatsheet.md

@@ -134,6 +134,7 @@ masked := ((A | B) | C);
 - **Audit public stdlib safety with `./yo-cli public-safe-report [path]`.** Flags every top-level public `fn(...)` whose params or return type expose `*(T)` outside an `extern(...)` block. Skips FFI-by-construction directories (`libc/`, `linux/`, `darwin/`, `cuda/`, `sys/`, `sync/`) and names that signal raw-pointer use by contract (`*_cstr`, `*_ptr`, `*_raw`, `raw_*`, `from_raw_parts`, `as_ptr`, `argv`, `argc`). Currently reports 0 findings on `./std` and `./yo-self`; keep it that way when adding new APIs.
 - **Extern "c" call sites require `unsafe(...)` even in pragma'd files.** `unsafe(memcpy(dst, src, n))`, `unsafe(strlen(s))`, etc. The pragma authorizes DECLARING the FFI symbol via `extern(...)` / `c_include(...)`; the wrap is the per-call audit marker so `yo unsafe-report` lines up with UB-capable lines. `asm(...)` and `extern(...)` / `c_include(...)` declarations themselves do NOT need a wrap (the keyword / declaration syntax is its own marker). See `plans/EXTERN_UNSAFE_WRAP.md`.
 - **Slice-flowability rule:** a function returning a slice-bearing type (`Slice(T)`, `str`, a struct wrapping a Slice, ...) must root the returned value in caller-owned storage (a `ref`-bound parameter, any non-`ref` parameter, a `comptime`/literal source, or a flowable projection chain). `(fn() -> Option(Slice(i32)))({ arr := ArrayList(i32).new(); arr.as_slice() })` is rejected; `(fn(ref(arr) : ArrayList(i32)) -> Option(Slice(i32)))(arr.as_slice())` is accepted. See `plans/SLICE_FLOWABILITY.md`.
+- **Return-slot modifier placement: on the LABEL, not the type.** In a _labeled_ return slot, a `ref`/`comptime` modifier attaches to the label, mirroring the parameter convention (`ref(name) : T`). Valid: `-> ref(T)` and `-> comptime(T)` (unlabeled — modifier on the sole type), `-> (ref(name) : T)`, `-> (comptime(name) : T)`. **Rejected:** `-> (name : ref(T))`, `-> (name : comptime(T))` (modifier on the type when labeled), and `-> (ref(name) : ref(T))` (double-ref — "pick one"). Enforced at function-type eval in `src/evaluator/types/function.ts` (and the yo-self port).
 - **Signed-integer overflow is defined (wrap-around).** Yo passes `-fwrapv` to clang/gcc/zig by default so `x + i32(1)` on `i32(MAX)` wraps to `i32(MIN)` instead of UB. Opt-out: `--cflags='-fno-wrapv'`.
 - **`// SAFETY:` comment convention.** Every non-obvious `unsafe(...)` site in stdlib should have a `// SAFETY:` comment in the previous ~8 lines explaining the contract. `yo unsafe-report` picks them up and shows them inline under each finding.
 - **User-facing memory-safety guide:** `docs/en-US/MEMORY_SAFETY.md` (English) and `docs/zh-CN/MEMORY_SAFETY.md` (Chinese). Refer users there instead of `plans/MEMORY_SAFETY.md` (which is the design document — not shipped via npm).
@@ -506,6 +507,46 @@ test("Async test", {
 - `comptime_assert(condition)` — compile-time assertion
 - `comptime_expect_error(expr)` — verify code produces a compile error
 
+## Design-by-contract clauses
+
+`plans/FORMAL_VERIFICATION.md` Phase 0. No SMT verifier yet — these
+lower to runtime `assert(...)` (runtime fns) or `comptime_assert(...)`
+(comptime fns, returning `comptime(T)`).
+
+```rust
+// requires/ensures are SIGNATURE clauses, after params and where(...).
+// ENFORCED order: forall, params, where, requires, ensures — a clause
+// out of order is a syntax error ("X appears after Y").
+divide :: (fn(x : i32, y : i32, requires(y != i32(0)), ensures(result == (x / y))) -> i32)(
+  x / y
+);
+
+// Inside ensures: `result` = return value, old(expr) = entry-time value.
+increment :: (fn(ref(n) : i32, ensures(n == (old(n) + i32(1)))) -> unit)({ n = (n + i32(1)); });
+
+// invariant(...) must be the FIRST statement of a while body.
+// NOTE: do NOT wrap the condition in runtime(...) — while conditions are
+// runtime by default, so `while(runtime(i < n), …)` is redundant; use `while(i < n, …)`.
+while(i < n, {
+  invariant(i <= n, acc >= i32(0));
+  i = (i + i32(1)); acc = (acc + i);
+});
+
+// ghost binding vs ghost function (SEPARATE builtins):
+ghost(snap := (a + b));
+is_pos :: ghost_fn((fn(x : i32) -> bool)(x > i32(0)));
+```
+
+- One `requires(...)` and one `ensures(...)` max per signature; put
+  multiple predicates inside the single call: `requires(a, b)`. Two
+  `requires(...)` clauses, or a zero-arg `requires()`, is a syntax error.
+- `result` is a wrapper-bound local (NOT a reserved word) — it coexists
+  with `result` used as an ordinary variable name elsewhere.
+- `pragma(Pragma.NoContracts);` erases contracts; `pragma(Pragma.Verify);`
+  parses but warns "verify mode not implemented".
+- `std/spec/` exposes refinement aliases (`NonZero`, `Bounded`,
+  `Positive`, …) — Phase 0 they are plain aliases for the base type.
+
 ## Common pitfalls
 
 ### `&&` short-circuit with `match`/`cond` on RHS causes C codegen scope bug