lemmafit 0.0.1 → 0.2.0

package/cli/verify-hook.js

@@ -0,0 +1,221 @@
+#!/usr/bin/env node
+/**
+ * Claude Code PostToolUse hook for lemmafit.
+ *
+ * When Claude writes a .dfy file, this hook:
+ * 1. Requests verification from the daemon via Unix socket
+ * 2. Outputs result for Claude to see
+ *
+ * Hook receives JSON on stdin:
+ * {
+ *   "hook": "PostToolUse",
+ *   "tool_name": "Write",
+ *   "tool_input": { "file_path": "...", "content": "..." },
+ *   "tool_output": "..."
+ * }
+ */
+
+const path = require('path');
+const fs = require('fs');
+const { initLog, log } = require('../lib/log');
+const { requestDaemon } = require('../lib/daemon-client');
+
+async function readStdin() {
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(chunk);
+  }
+  return Buffer.concat(chunks).toString('utf8');
+}
+
+function findProjectRoot(filePath) {
+  let dir = path.dirname(filePath);
+  while (dir !== path.dirname(dir)) {
+    if (fs.existsSync(path.join(dir, 'lemmafit'))) {
+      return dir;
+    }
+    dir = path.dirname(dir);
+  }
+  return null;
+}
+
+function readStatus(projectDir) {
+  const statusPath = path.join(projectDir, 'lemmafit', '.vibe', 'status.json');
+  try {
+    return JSON.parse(fs.readFileSync(statusPath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function formatErrors(status) {
+  const lines = [];
+  for (const [file, fileStatus] of Object.entries(status.files || {})) {
+    for (const error of fileStatus.errors || []) {
+      lines.push(`  ${file}:${error.line}: ${error.message}`);
+    }
+  }
+  return lines.join('\n');
+}
+
+function formatWarnings(status) {
+  const lines = [];
+  for (const [file, fileStatus] of Object.entries(status.files || {})) {
+    for (const warning of fileStatus.warnings || []) {
+      lines.push(`  ${file}:${warning.line}: ${warning.message}`);
+    }
+  }
+  return lines.join('\n');
+}
+
+function formatAxioms(status) {
+  const axioms = status.axioms || [];
+  if (axioms.length === 0) return '';
+
+  const lines = axioms.map(a => `  ${a.file}:${a.line}: ${a.content}`);
+  return `\nAxioms (unproven assumptions):\n${lines.join('\n')}`;
+}
+
+function formatSpecQueue(status) {
+  const queue = status.specQueue;
+  if (!queue || queue.length === 0) return '';
+
+  const verified = queue.filter(c => c.verifiedAt).length;
+  const unverified = queue.length - verified;
+  const summary = [
+    unverified > 0 ? `${unverified} pending` : null,
+    verified > 0 ? `${verified} verified` : null,
+  ].filter(Boolean).join(', ');
+
+  const lines = ['', `Spec queue (${summary}):`];
+  for (const c of queue) {
+    const tag = c.verifiedAt ? ' [verified]' : '';
+    if (c.type === 'added') {
+      lines.push(`  +${c.line}: ${c.text}${tag}`);
+    } else if (c.type === 'removed') {
+      lines.push(`  - ${c.text}${tag}`);
+    }
+  }
+  return lines.join('\n');
+}
+
+async function main() {
+  const input = await readStdin();
+
+  let hookData;
+  try {
+    hookData = JSON.parse(input);
+  } catch {
+    process.exit(0);
+  }
+
+  const toolName = hookData.tool_name;
+  const filePath = hookData.tool_input?.file_path;
+
+  if ((toolName !== 'Write' && toolName !== 'Edit') || !filePath?.endsWith('.dfy')) {
+    process.exit(0);
+  }
+
+  const projectDir = findProjectRoot(filePath);
+  if (!projectDir) {
+    console.log(JSON.stringify({
+      systemMessage: '[lemmafit] verify-hook executed (no project found)',
+      hookSpecificOutput: { hookEventName: 'PostToolUse', additionalContext: 'Note: Not in a lemmafit project (no lemmafit directory found)' }
+    }));
+    process.exit(0);
+  }
+
+  initLog(projectDir);
+  log('verify', `Write detected: ${filePath}`);
+
+  const lines = ['Verifying...'];
+  let status;
+
+  try {
+    const sockPath = path.join(projectDir, 'lemmafit', '.vibe', 'daemon.sock');
+    status = await requestDaemon(sockPath, { action: 'verify' });
+    log('verify', 'Used daemon (socket)');
+  } catch (err) {
+    log('verify', `Socket failed, falling back to direct: ${err.message}`);
+    const { Daemon } = require('../lib/daemon');
+    const daemon = new Daemon(projectDir);
+    await daemon.runOnce();
+    status = readStatus(projectDir);
+  }
+
+  if (!status) {
+    lines.push('Warning: Could not read verification status');
+    console.log(JSON.stringify({
+      systemMessage: '[lemmafit] verify-hook executed',
+      hookSpecificOutput: { hookEventName: 'PostToolUse', additionalContext: lines.join('\n') }
+    }));
+    process.exit(0);
+  }
+
+  if (status.state === 'verified') {
+    const axiomNote = (status.axioms?.length > 0)
+      ? ` (${status.axioms.length} axiom${status.axioms.length > 1 ? 's' : ''})`
+      : '';
+    log('verify', `Verified${axiomNote}`);
+    lines.push(`✓ Verified and compiled${axiomNote}`);
+    if (status.axioms?.length > 0) {
+      lines.push(formatAxioms(status));
+    }
+
+    // Stamp unverified spec queue items so Claude knows code compiled with them in scope
+    if (status.specQueue?.length > 0) {
+      const now = new Date().toISOString();
+      let stamped = 0;
+      for (const item of status.specQueue) {
+        if (!item.verifiedAt) {
+          item.verifiedAt = now;
+          stamped++;
+        }
+      }
+      if (stamped > 0) {
+        const statusPath = path.join(projectDir, 'lemmafit', '.vibe', 'status.json');
+        status.timestamp = new Date().toISOString();
+        fs.writeFileSync(statusPath, JSON.stringify(status, null, 2));
+        log('verify', `Stamped ${stamped} spec queue item(s) as verified`);
+      }
+    }
+  } else if (status.state === 'error') {
+    const errorCount = Object.values(status.files || {})
+      .reduce((sum, f) => sum + (f.errors?.length || 0), 0);
+    const warningCount = Object.values(status.files || {})
+      .reduce((sum, f) => sum + (f.warnings?.length || 0), 0);
+    if (errorCount === 0 && warningCount > 0) {
+      log('verify', `Verification passed, compilation blocked (${warningCount} warning(s))`);
+      lines.push(`⚠ Verification passed, compilation blocked (${warningCount} warning${warningCount !== 1 ? 's' : ''}):`);
+      lines.push(formatWarnings(status));
+    } else {
+      log('verify', `Failed with ${errorCount} error(s)`);
+      lines.push(`✗ Verification failed (${errorCount} error${errorCount !== 1 ? 's' : ''}):`);
+      lines.push(formatErrors(status));
+      if (warningCount > 0) {
+        lines.push(`\n⚠ Warnings (${warningCount}):`);
+        lines.push(formatWarnings(status));
+      }
+    }
+    if (status.compileError) {
+      lines.push(`\nCompilation error: ${status.compileError}`);
+    }
+  } else {
+    lines.push(`Status: ${status.state}`);
+  }
+
+  const specLine = formatSpecQueue(status);
+  if (specLine) {
+    lines.push(specLine);
+  }
+
+  console.log(JSON.stringify({
+    systemMessage: '[lemmafit] verify-hook executed',
+    hookSpecificOutput: { hookEventName: 'PostToolUse', additionalContext: lines.join('\n') }
+  }));
+}
+
+main().catch((err) => {
+  console.error('Hook error:', err.message);
+  process.exit(1);
+});

package/commands/guarantees.md

@@ -0,0 +1,138 @@
+# Generate Guarantees and Run Claimcheck
+
+You are generating human-readable guarantees from proven Dafny code and verifying them with claimcheck.
+
+## Step 0: Make sure the state of the project is verified
+
+Check `lemmafit/.vibe/status.json` for the current verification status.
+
+## Step 1: Read project data
+
+Read these files:
+- `lemmafit/.vibe/claims.json` — extracted proof obligations from Dafny (predicates with conjuncts, lemmas with requires/ensures, functions with contracts, axioms)
+- `SPEC.yaml` — natural language requirements with spec entries
+- `lemmafit/dafny/Domain.dfy` — the Dafny source code
+- `lemmafit/.vibe/config.json` — project config (need `appCore` field for claimcheck domain)
+
+If `claims.json` doesn't exist, tell the user to run the daemon first (`npm run daemon` or `npm run dev`) so Dafny verification produces claims.
+
+## Step 2: Map claims to spec entries
+
+Analyze the claims from `claims.json` and map them to spec entries from `SPEC.yaml`.
+
+**How claims work:**
+- **Predicate conjuncts** (in `predicates[].conjuncts`) are invariant properties proven by the `StepPreservesInv` lemma. Each conjunct in the `Inv` predicate is a separate proven property.
+- **Lemma ensures** (in `lemmas[].ensures`) are standalone proven properties. The lemma name is in `lemmas[].name`.
+- **Function contracts** (in `functions[].requires` and `functions[].ensures`) are proven pre/postconditions.
+- **Axioms** (in `axioms[]`) are assumed, NOT proven — they represent the trust surface.
+
+**Mapping rules:**
+- A claim "covers" a spec entry if the Dafny expression proves the property described by that spec entry
+- One claim can cover multiple spec entries
+- Spec entries with `status: trusted` don't need covering claims
+- Spec entries with `verifiable: false` should be skipped
+- Identify **gaps**: spec entries with `status: verified` that have NO covering claim
+
+## Step 3: Write guarantees.json
+
+Write `lemmafit/.vibe/guarantees.json` with this format:
+
+```json
+{
+  "generatedAt": "<ISO timestamp>",
+  "guarantees": [
+    {
+      "specId": "spec-001",
+      "requirement": "<title from SPEC.yaml>",
+      "status": "proven",
+      "coveredBy": [
+        {
+          "claimId": "inv:<Module>.<Predicate>:<conjunctIndex>",
+          "type": "invariant-conjunct",
+          "expression": "<the Dafny expression>",
+          "lemmaName": "StepPreservesInv"
+        }
+      ],
+      "reasoning": "<why this claim covers this spec entry>"
+    }
+  ],
+  "gaps": [
+    {
+      "specId": "spec-005",
+      "requirement": "<title>",
+      "reason": "<why no claim covers this>"
+    }
+  ]
+}
+```
+
+For `lemmaName`:
+- Invariant conjuncts → `"StepPreservesInv"`
+- Lemma ensures → the lemma's name (e.g. `"UndoReversesLast"`)
+- Function contracts → the function's name
+
+## Step 4: Handle multi-lemma requirements
+
+If a single requirement is covered by **multiple** lemmas (e.g. an invariant conjunct AND a standalone lemma together prove one requirement), you must write a **new wrapper lemma** in the Dafny source that proves the full requirement in one place. The wrapper lemma should:
+- Have a name that clearly describes the requirement (e.g. `Guarantee_UniqueUpvotes`)
+- Call/use the individual lemmas as needed
+- Have an `ensures` clause that directly expresses the full natural-language requirement
+
+This is necessary because claimcheck needs exactly one lemma per requirement to verify faithfulness.
+
+Wait for the daemon to re-verify after writing any new lemmas before proceeding.
+
+## Step 5: Write claimcheck mapping
+
+Write `lemmafit/.vibe/claimcheck-mapping.json` — an array of `{ requirement, lemmaName, file }` objects derived from the guarantees. The `file` field is a **path relative to the mapping file** (i.e. relative to `lemmafit/.vibe/`).
+
+```json
+[
+  { "requirement": "Each user can only upvote once", "lemmaName": "Guarantee_UniqueUpvotes", "file": "../dafny/Domain.dfy" }
+]
+```
+
+Each requirement should map to exactly one lemma. If you wrote wrapper lemmas in step 4, use those.
+
+## Step 6: Run claimcheck
+
+Run `claimcheck-multi` to verify that each lemma faithfully expresses its requirement.
+
+**CRITICAL: claimcheck-multi MUST run in the background with output redirected to files.** It spawns `claude -p` as a subprocess, which will hang indefinitely if run in the foreground from a Claude Code session. Always use `&` and redirect stdout/stderr:
+
+```bash
+claimcheck-multi -m lemmafit/.vibe/claimcheck-mapping.json -d <appCore> --json --claude-code > lemmafit/.vibe/claimcheck.json 2> lemmafit/.vibe/claimcheck-err.log &
+```
+
+Replace `<appCore>` with the value from `lemmafit/.vibe/config.json`.
+
+No `--dfy` flag needed — `claimcheck-multi` resolves file paths from the `file` field in each mapping entry (relative to the mapping file).
+
+Wait for it to complete (poll with `cat lemmafit/.vibe/claimcheck.json` until it contains valid JSON), then read the results.
+
+## Step 7: Report and iterate
+
+Parse the claimcheck results and report:
+- **Confirmed** — the lemma faithfully expresses the requirement. No action needed.
+- **Disputed** — a discrepancy was found. Show the `discrepancy` text and `weakeningType` (tautology, weakened-postcondition, narrowed-scope, wrong-property).
+- **Error** — lemma not found in source. Check the lemmaName.
+
+**If any claims are disputed:** Suggest specific fixes to the Dafny code or the requirement text. If the user agrees, make the fixes, wait for re-verification, and re-run the guarantees process. 
+
+## Step 8: Ensure all files up to date
+
+Once iteration is complete, compare `claimcheck-mapping.json` with `guarantees.json` to ensure they contain equivalent information. If there's a discrepancy, trace back to the Dafny code to find which is most accurate. Adjust the relevant file accordingly and re-run `/guarantees` command. Once confirmed, report that the files are in sync.  
+
+## Step 9: Generate guarantees.md via the script
+
+Do this only after Step 9 confirms that `claimcheck-mapping.json` and `guarantees.json` are in sync.  
+
+Run the deterministic report generator:
+
+```bash
+npx lemmafit-generate-guarantees
+```
+
+This reads `lemmafit/.vibe/guarantees.json`, `lemmafit/.vibe/claimcheck.json`, and `SPEC.yaml` and writes `lemmafit/.vibe/guarantees.md`. Do NOT write this file manually — always use the script so the report matches the JSON exactly.
+
+Report to the user: "A report of your app's guarantees has been generated in lemmafit/reports/guarantees.md" 

package/docs/CLAUDE_INSTRUCTIONS.md

@@ -0,0 +1,137 @@
+# Lemmafit Project
+
+This project uses lemmafit to formally verify ALL logic in the codebase. You help users build web apps with mathematically verified state machines, business logic, and any other logic-based code.
+
+Before writing code, ask yourself: "Is any part of this code verifiable?" Verifiable means that it contains logic that CAN be written in Dafny. If the answer is "yes," write the code in Dafny. Do not write directly in JavaScript or Typescript, anything that can be verified.  
+
+## How It Works
+
+1. Users describe an app or individual features in natural language
+2. You write Dafny specifications in `dafny/` directory
+3. Verification and compilation happen automatically (you'll see the results)
+4. The React app in `src/` uses the verified API
+
+## Key Files
+
+- `SPEC.yaml` - Natural language requirements (source of truth for all specs)
+- `lemmafit/dafny/*.dfy` - Dafny specifications (all logic should be written in Dafny)
+- `src/dafny/app.ts` - Auto-generated TypeScript API (do not edit directly)
+- `src/App.tsx` - React app that uses the verified API
+- `lemmafit/.vibe/status.json` - Current verification status
+- `lemmafit/.vibe/logic-surface.json` - Logic interface/API
+- `lemmafit/.vibe/modules.json` - Multi-module configuration (optional, see below)
+
+## Multi-Module Projects
+
+By default, lemmafit uses a single Dafny module with the Replay kernel pattern (Domain.dfy → app.ts). For projects that need multiple independent verified modules, create `lemmafit/.vibe/modules.json`:
+
+```json
+[
+  {
+    "entry": "lemmafit/dafny/Workflow.dfy",
+    "appCore": "Workflow",
+    "outputName": "Workflow",
+    "jsonApi": true
+  },
+  {
+    "entry": "lemmafit/dafny/Validation.dfy",
+    "appCore": "Validation",
+    "outputName": "Validation",
+    "jsonApi": true,
+    "nullOptions": true,
+    "target": "node"
+  }
+]
+```
+
+When `modules.json` exists:
+- Each module is compiled independently to `src/dafny/{outputName}.cjs` and `src/dafny/{outputName}.ts`
+- Each module is its own AppCore (no separate AppCore module needed)
+- `jsonApi: true` enables full JSON marshalling (plain types in/out, no Dafny runtime types)
+- `nullOptions: true` maps `Option<T>` to `T | null` at the boundary
+- `target` sets the dafny2js compilation target (default: `"client"`). Valid values: `"client"` (browser/React), `"node"` (Node.js, uses `fs.readFileSync`), `"inline"` (universal, inlines .cjs code), `"deno"` (Deno adapter), `"cloudflare"` (Cloudflare Workers adapter)
+- Modules don't know about each other — write a thin TypeScript glue file to connect them
+- The glue file is unverified but should be minimal and auditable
+- Prefer returning result types with verified error messages over boolean predicates — the UI can display them directly without duplicating logic
+
+## Available Skills
+
+ - `lemmafit-dafny`: Load this skill before writing or editing .dfy files
+ - `lemmafit-proofs`: Load this skill before writing or editing lemmas
+ - `lemmafit-react-pattern`: Load this skill before writing React 
+ - `lemmafit-spec`: Load this skill when user asks to add or edit feature, and before writing or editing the spec.yaml file 
+
+If you try to read any of these files and they are missing, alert the user. 
+
+## WORKFLOW
+Follow these steps in order every time the user asks for a feature or change that involves any logic.
+
+Step-by-step development workflow for building apps and features with lemmafit. Use when the user asks for a new feature, describes functionality, or when spec changes need to be addressed. Covers the full loop from spec.yaml to verified React code.
+
+Report in the chat which step you are on as you move through the steps.
+
+## Step 0: Check for pending spec changes
+
+Read `.vibe/status.json`. If `specQueue` has items, address those first before doing anything else. Each item is a requirement that was added/changed/removed in SPEC.yaml but not yet reflected in Dafny code.
+
+## Step 1: Write SPEC.yaml entries
+Load lemmafit-spec skill before writing or editing the spec.yaml
+
+Translate the user's request into structured entries in `SPEC.yaml`. A hook runs automatically after you write SPEC.yaml — it diffs your changes and creates a spec queue. You'll see the pending items in the output.
+
+## Step 2: Write Dafny specifications
+Load lemmafit-dafny skill before writing or editing any Dafny.
+
+Write `.dfy` files in `lemmafit/dafny/` that formalize the verifiable spec entries. 
+
+A hook runs automatically after you write any `.dfy` file — it verifies and compiles immediately. You must wait for a response from the daemon before moving forward. The response will be one of two:
+- `✓ Verified and compiled` — success, spec queue auto-cleared, wrappers regenerated (`src/dafny/app.ts` or per-module `src/dafny/{name}.ts`)
+- `✗ Verification failed` — fix the errors shown and write the file again
+
+Do not move to the next step until verification passes (verified and compiled).
+
+## Step 3: Check Dafny against SPEC.yaml
+Always keep SPEC.yaml and Dafny in sync — if you change one, update the other. 
+
+## Step 4: Write proofs
+Load the lemmafit-proofs skill before writing any lemmas.
+
+## Step 5: Run Pre-React Audits
+Load the lemmafit-audits skill before proceeding. 
+
+Run 2 audits:
+**Proof Strength Audit**: Check the strength of the actual proofs against the specs. Any gaps? Any weak proofs?
+**Logic-in-Js Audit**: Is there any logic that the app or feature will require (for this build phase) that is not being implemented in Dafny? 
+
+Label each finding as `minor`, `moderate`, or `critical`. 
+
+Iterate on Steps 4 and 5 until audit returns only minor findings. 
+
+## Step 6: Write React code
+Load lemmafit-react-pattern skill before writing React code. 
+
+Only after verification passes. The auto-generated API is at `src/dafny/app.ts` (single-module) or `src/dafny/{name}.ts` (multi-module). Never edit generated files.
+
+- Create hooks in `src/hooks/` that wrap `Api.Init`, `Api.Dispatch`, `Api.Present`
+- Create components in `src/components/` that receive data/callbacks via props
+- Keep `App.tsx` as a thin composition root
+
+Never re-implement logic in React that already exists in the verified API.
+
+## Step 7: Run Post-React Audit
+Load the lemmafit-post-react-audit skill
+
+Ensure that effect-free logic is implemented primarity in Dafny rather than directly in JavaScript/TypeScript. 
+
+## Step 8: Verify guarantees
+
+After proofs are solid and React is wired, check that claims actually cover the spec requirements. Ask the user if they want to run `/guarantees` command to generate a report. If they say yes, run the command. 
+
+## Step 9: Iterate
+
+If the user asks for changes, start by editing SPEC.yaml (Step #1), then move through each step again until full loop is complete. 
+
+
+
+
+

package/kernels/Replay.dfy

@@ -0,0 +1,147 @@
+abstract module {:compile false} Domain {
+  type Model
+  type Action
+
+  ghost predicate Inv(m: Model)
+
+  function Init(): Model
+  function Apply(m: Model, a: Action): Model
+    requires Inv(m)
+  function Normalize(m: Model): Model
+
+  lemma InitSatisfiesInv()
+    ensures Inv(Init())
+
+  lemma StepPreservesInv(m: Model, a: Action)
+    requires Inv(m)
+    ensures Inv(Normalize(Apply(m,a)))
+}
+
+abstract module {:compile false} Kernel {
+  import D : Domain
+
+  function Step(m: D.Model, a: D.Action): D.Model
+  requires D.Inv(m)
+  {
+    D.Normalize(D.Apply(m, a))
+  }
+
+  function InitHistory(): History {
+    History([], D.Init(), [])
+  }
+
+  datatype History =
+    History(past: seq<D.Model>, present: D.Model, future: seq<D.Model>)
+
+  function Do(h: History, a: D.Action): History
+  requires D.Inv(h.present)
+  {
+    History(h.past + [h.present], Step(h.present, a), [])
+  }
+
+  // Apply action without recording to history (for live preview during drag)
+  function Preview(h: History, a: D.Action): History
+  requires D.Inv(h.present)
+  {
+    History(h.past, Step(h.present, a), h.future)
+  }
+
+  // Commit current state, recording baseline to history (for end of drag)
+  function CommitFrom(h: History, baseline: D.Model): History {
+    History(h.past + [baseline], h.present, [])
+  }
+
+  function Undo(h: History): History {
+    if |h.past| == 0 then h
+    else
+      var i := |h.past| - 1;
+      History(h.past[..i], h.past[i], [h.present] + h.future)
+  }
+
+  function Redo(h: History): History {
+    if |h.future| == 0 then h
+    else
+      History(h.past + [h.present], h.future[0], h.future[1..])
+  }
+
+  lemma DoPreservesInv(h: History, a: D.Action)
+    requires D.Inv(h.present)
+    ensures  D.Inv(Do(h, a).present)
+  {
+    D.StepPreservesInv(h.present, a);
+  }
+
+  ghost predicate HistInv(h: History) {
+    (forall i | 0 <= i < |h.past| :: D.Inv(h.past[i])) &&
+    D.Inv(h.present) &&
+    (forall j | 0 <= j < |h.future| :: D.Inv(h.future[j]))
+  }
+
+  lemma InitHistorySatisfiesInv()
+    ensures HistInv(InitHistory())
+  {
+    D.InitSatisfiesInv();
+  }
+
+  lemma UndoPreservesHistInv(h: History)
+    requires HistInv(h)
+    ensures  HistInv(Undo(h))
+  {
+  }
+
+  lemma RedoPreservesHistInv(h: History)
+    requires HistInv(h)
+    ensures  HistInv(Redo(h))
+  {
+  }
+
+  lemma DoPreservesHistInv(h: History, a: D.Action)
+    requires HistInv(h)
+    ensures  HistInv(Do(h, a))
+  {
+    D.StepPreservesInv(h.present, a);
+  }
+
+  lemma PreviewPreservesHistInv(h: History, a: D.Action)
+    requires HistInv(h)
+    ensures  HistInv(Preview(h, a))
+  {
+    D.StepPreservesInv(h.present, a);
+  }
+
+  lemma CommitFromPreservesHistInv(h: History, baseline: D.Model)
+    requires HistInv(h)
+    requires D.Inv(baseline)
+    ensures  HistInv(CommitFrom(h, baseline))
+  {
+  }
+
+  // proxy for linear undo: after a new action, there is no redo branch
+  lemma DoHasNoRedoBranch(h: History, a: D.Action)
+  requires HistInv(h)
+  ensures Redo(Do(h, a)) == Do(h, a)
+  {
+  }
+  // round-tripping properties
+  lemma UndoRedoRoundTrip(h: History)
+  requires |h.past| > 0
+  ensures Redo(Undo(h)) == h
+  {
+  }
+  lemma RedoUndoRoundTrip(h: History)
+  requires |h.future| > 0
+  ensures Undo(Redo(h)) == h
+  {
+  }
+  // idempotence at boundaries
+  lemma UndoAtBeginningIsNoOp(h: History)
+  requires |h.past| == 0
+  ensures Undo(h) == h
+  {
+  }
+  lemma RedoAtEndIsNoOp(h: History)
+  requires |h.future| == 0
+  ensures Redo(h) == h
+  {
+  }
+}

package/lib/daemon-client.js

@@ -0,0 +1,54 @@
+/**
+ * Unix domain socket client for communicating with the lemmafit daemon.
+ * Used by verify-hook and spec-hook to request verification/spec processing
+ * without polling status.json.
+ */
+
+const net = require('net');
+
+function requestDaemon(sockPath, message, timeoutMs = 60000) {
+  return new Promise((resolve, reject) => {
+    const client = net.createConnection(sockPath);
+    const chunks = [];
+    let settled = false;
+
+    const timeout = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        client.destroy();
+        reject(new Error(`Timed out after ${timeoutMs}ms waiting for daemon response`));
+      }
+    }, timeoutMs);
+    timeout.unref();
+
+    client.on('connect', () => {
+      client.write(JSON.stringify(message) + '\n');
+    });
+
+    client.on('data', (chunk) => {
+      chunks.push(chunk);
+    });
+
+    client.on('end', () => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timeout);
+      client.destroy();
+      try {
+        const data = Buffer.concat(chunks).toString('utf8').trim();
+        resolve(JSON.parse(data));
+      } catch (err) {
+        reject(new Error(`Invalid response from daemon: ${err.message}`));
+      }
+    });
+
+    client.on('error', (err) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timeout);
+      reject(new Error(`Cannot connect to daemon: ${err.message}`));
+    });
+  });
+}
+
+module.exports = { requestDaemon };