lemmafit 0.0.1 → 0.2.0

package/lib/download-dafny.js

@@ -0,0 +1,130 @@
+#!/usr/bin/env node
+/**
+ * Downloads Dafny binary for the current platform.
+ * Called during npm postinstall.
+ */
+
+const https = require('https');
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const os = require('os');
+
+const DAFNY_VERSION = '4.11.0';
+
+const PLATFORM_ASSETS = {
+  'darwin-arm64': `dafny-${DAFNY_VERSION}-arm64-macos-13.zip`,
+  'darwin-x64': `dafny-${DAFNY_VERSION}-x64-macos-13.zip`,
+  'linux-x64': `dafny-${DAFNY_VERSION}-x64-ubuntu-22.04.zip`,
+  'linux-arm64': `dafny-${DAFNY_VERSION}-arm64-ubuntu-22.04.zip`,
+  'win32-x64': `dafny-${DAFNY_VERSION}-x64-windows-2019.zip`,
+};
+
+function getPlatformKey() {
+  const platform = os.platform();
+  const arch = os.arch();
+  return `${platform}-${arch}`;
+}
+
+function download(url, dest) {
+  return new Promise((resolve, reject) => {
+    const file = fs.createWriteStream(dest);
+
+    const request = (url) => {
+      https.get(url, (response) => {
+        if (response.statusCode === 302 || response.statusCode === 301) {
+          // Follow redirect
+          request(response.headers.location);
+          return;
+        }
+
+        if (response.statusCode !== 200) {
+          reject(new Error(`Download failed: ${response.statusCode}`));
+          return;
+        }
+
+        const total = parseInt(response.headers['content-length'], 10);
+        let downloaded = 0;
+
+        response.on('data', (chunk) => {
+          downloaded += chunk.length;
+          const pct = total ? Math.round((downloaded / total) * 100) : '?';
+          process.stdout.write(`\rDownloading Dafny... ${pct}%`);
+        });
+
+        response.pipe(file);
+
+        file.on('finish', () => {
+          file.close();
+          console.log(' Done.');
+          resolve();
+        });
+      }).on('error', (err) => {
+        fs.unlink(dest, () => {});
+        reject(err);
+      });
+    };
+
+    request(url);
+  });
+}
+
+async function main() {
+  const platformKey = getPlatformKey();
+  const asset = PLATFORM_ASSETS[platformKey];
+
+  if (!asset) {
+    console.error(`Unsupported platform: ${platformKey}`);
+    console.error('Supported platforms:', Object.keys(PLATFORM_ASSETS).join(', '));
+    process.exit(1);
+  }
+
+  // Install to shared cache directory (~/.lemmafit/.dafny)
+  const cacheDir = path.join(os.homedir(), '.lemmafit');
+  const installDir = path.join(cacheDir, '.dafny');
+  const dafnyDir = path.join(installDir, 'dafny');
+  const dafnyBin = path.join(dafnyDir, 'dafny');
+  const versionFile = path.join(installDir, 'version');
+
+  // Check if correct version is already installed
+  if (fs.existsSync(dafnyBin) && fs.existsSync(versionFile)) {
+    const installed = fs.readFileSync(versionFile, 'utf8').trim();
+    if (installed === DAFNY_VERSION) {
+      console.log(`Dafny ${DAFNY_VERSION} already installed.`);
+      return;
+    }
+    console.log(`Dafny ${installed} -> ${DAFNY_VERSION}, upgrading...`);
+    fs.rmSync(dafnyDir, { recursive: true, force: true });
+  }
+
+  // Create install directory
+  fs.mkdirSync(installDir, { recursive: true });
+
+  // Download
+  const url = `https://github.com/dafny-lang/dafny/releases/download/v${DAFNY_VERSION}/${asset}`;
+  const zipPath = path.join(installDir, asset);
+
+  console.log(`Downloading Dafny ${DAFNY_VERSION} for ${platformKey}...`);
+  await download(url, zipPath);
+
+  // Extract
+  console.log('Extracting...');
+  execSync(`unzip -q -o "${zipPath}" -d "${installDir}"`, { stdio: 'inherit' });
+
+  // Clean up zip
+  fs.unlinkSync(zipPath);
+
+  // Make executable
+  if (os.platform() !== 'win32') {
+    fs.chmodSync(dafnyBin, '755');
+  }
+
+  fs.writeFileSync(versionFile, DAFNY_VERSION);
+  console.log(`Dafny ${DAFNY_VERSION} installed to ${dafnyDir}`);
+}
+
+main().catch((err) => {
+  console.error('Failed to download Dafny:', err.message);
+  console.error('You may need to install Dafny manually: https://github.com/dafny-lang/dafny/releases');
+  // Don't exit with error - allow npm install to continue
+});

package/lib/log.js

@@ -0,0 +1,32 @@
+/**
+ * Shared logger for lemmafit hooks and scripts.
+ * Appends timestamped lines to logs/lemmafit.log in the project root.
+ */
+
+const path = require('path');
+const fs = require('fs');
+
+let _logPath = null;
+
+function initLog(projectDir) {
+  const logsDir = path.join(projectDir, 'lemmafit', 'logs');
+  fs.mkdirSync(logsDir, { recursive: true });
+  _logPath = path.join(logsDir, 'lemmafit.log');
+}
+
+function log(source, message) {
+  if (!_logPath) return;
+  const ts = new Date().toISOString();
+  const line = `[${ts}] [${source}] ${message}\n`;
+  try {
+    fs.appendFileSync(_logPath, line);
+  } catch {
+    // Never let logging break the caller
+  }
+}
+
+function getLogPath() {
+  return _logPath;
+}
+
+module.exports = { initLog, log, getLogPath };

package/lib/spawn-claude.js

@@ -0,0 +1,51 @@
+/**
+ * Shared spawnClaude helper — runs `claude -p` as a subprocess.
+ *
+ * Used by both the daemon (WS relay commands) and the dashboard (vite plugin).
+ */
+
+const { spawn } = require('child_process');
+
+const ALLOWED_MODELS = new Set(['haiku', 'sonnet', 'opus']);
+const ALLOWED_EFFORTS = new Set(['low', 'medium', 'high']);
+const MAX_TURNS_LIMIT = 10;
+
+function spawnClaude(prompt, cwd, { model = 'haiku', maxTurns = 1, effort = 'low' } = {}) {
+  if (typeof prompt !== 'string' || prompt.length === 0) {
+    return Promise.reject(new Error('prompt must be a non-empty string'));
+  }
+  if (!ALLOWED_MODELS.has(model)) model = 'haiku';
+  if (!ALLOWED_EFFORTS.has(effort)) effort = 'low';
+  maxTurns = Math.max(1, Math.min(MAX_TURNS_LIMIT, parseInt(maxTurns, 10) || 1));
+
+  const args = ['-p', prompt, '--output-format', 'text', '--max-turns', String(maxTurns), '--tools', ''];
+  if (model) args.push('--model', model);
+  if (effort) args.push('--effort', effort);
+  return new Promise((resolve, reject) => {
+    const env = { ...process.env };
+    delete env.CLAUDECODE; // prevent nested-session detection
+    const proc = spawn('claude', args, {
+      cwd,
+      stdio: ['ignore', 'pipe', 'pipe'],
+      env,
+    });
+
+    let stdout = '';
+    let stderr = '';
+    proc.stdout.on('data', d => { stdout += d; });
+    proc.stderr.on('data', d => { stderr += d; });
+
+    proc.on('close', code => {
+      if (code !== 0) {
+        reject(new Error(stderr || `claude exited with code ${code}`));
+      } else {
+        resolve(stdout);
+      }
+    });
+    proc.on('error', err => {
+      reject(new Error(`Failed to spawn claude: ${err.message}. Is Claude Code installed?`));
+    });
+  });
+}
+
+module.exports = { spawnClaude };

package/package.json

@@ -1,9 +1,53 @@
 {
   "name": "lemmafit",
-  "version": "0.0.1",
-  "description": "Formal verification for web apps. Work in progress.",
+  "description": "Make agents prove that their code is correct.",
+  "author": "midspiral",
   "license": "MIT",
-  "main": "index.js",
-  "keywords": ["formal-verification", "dafny", "vibe-coding", "AI"],
-  "files": ["index.js"]
+  "homepage": "https://lemmafit.com",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/midspiral/lemmafit.git"
+  },
+  "keywords": [
+    "formal verification",
+    "claude",
+    "dafny",
+    "verified",
+    "proof"
+  ],
+  "version": "0.2.0",
+  "type": "commonjs",
+  "files": [
+    "cli/",
+    "lib/",
+    "docs/",
+    "skills/",
+    "commands/",
+    "kernels/",
+    "blank-template/"
+  ],
+  "bin": {
+    "lemmafit": "cli/lemmafit.js",
+    "lemmafit-daemon": "cli/daemon.js",
+    "lemmafit-verify-hook": "cli/verify-hook.js",
+    "lemmafit-context-hook": "cli/context-hook.js",
+    "lemmafit-download-dafny": "lib/download-dafny.js",
+    "lemmafit-sync": "cli/sync.js",
+    "lemmafit-session-hook": "cli/session-hook.js",
+    "lemmafit-generate-guarantees": "cli/generate-guarantees-md.js"
+  },
+  "scripts": {
+    "postinstall": "node ./cli/sync.js && node ./cli/download-dafny2js.js && node ./lib/download-dafny.js"
+  },
+  "dependencies": {
+    "claimcheck": "^0.2.0",
+    "js-yaml": "^4.1.1",
+    "ws": "^8.18.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
 }

package/skills/lemmafit-dafny/SKILL.md

@@ -0,0 +1,101 @@
+---
+name: lemmafit-dafny
+description: Dafny code patterns and reference for lemmafit apps. Use when writing or editing .dfy files, defining state machines (Model, Action, Inv, Init, Step), or when Dafny verification fails and you need to fix errors. Covers the AppCore module pattern and common mistakes.
+---
+
+# Lemmafit Dafny
+
+## When to Write Code in Dafny
+- ALL `verifiable:true` entries in the spec MUST be written in Dafny (do not write verifiable code directly in JavaScript or TypeSscript)
+
+## Dafny Pattern Example
+
+Given the `Replay` kernel, a simple counter app with inherited undo/redo could be written like this
+
+```dafny
+include "Replay.dfy"
+
+module CounterDomain refines Domain {
+  // The model is the state of your application
+  type Model = int
+
+  // Actions are the ways the state can change
+  datatype Action = Inc | Dec
+
+  // Invariant: what must always be true about the state
+  predicate Inv(m: Model) {
+    m >= 0
+  }
+
+  // Initial state
+  function Init(): Model {
+    0
+  }
+
+  // How actions transform the state
+  function Apply(m: Model, a: Action): Model {
+    match a
+    case Inc => m + 1
+    case Dec => m - 1
+  }
+
+  // Normalization: fix invalid states (called after Apply)
+  function Normalize(m: Model): Model {
+    if m < 0 then 0 else m
+  }
+
+  // Proof that Init satisfies the invariant
+  lemma InitSatisfiesInv()
+    ensures Inv(Init())
+  {
+  }
+
+  // Proof that every step preserves the invariant
+  lemma StepPreservesInv(m: Model, a: Action)
+    // requires Inv(m) is inherited and should not be repeated
+    ensures Inv(Normalize(Apply(m, a)))
+  {
+  }
+}
+
+module CounterKernel refines Kernel {
+  import D = CounterDomain
+}
+
+module AppCore {
+  import K = CounterKernel
+  import D = CounterDomain
+
+  function Init(): K.History { K.InitHistory() }
+
+  function Inc(): D.Action { D.Inc }
+  function Dec(): D.Action { D.Dec }
+
+  function Dispatch(h: K.History, a: D.Action): K.History requires K.HistInv(h) { K.Do(h, a) }
+  function Undo(h: K.History): K.History { K.Undo(h) }
+  function Redo(h: K.History): K.History { K.Redo(h) }
+
+  function Present(h: K.History): D.Model { h.present }
+  function CanUndo(h: K.History): bool { |h.past| > 0 }
+  function CanRedo(h: K.History): bool { |h.future| > 0 }
+}
+```
+
+
+## Common Mistakes to Avoid
+
+- It is an error to repeat inherited `requires` clauses.
+- It is OK to have `assume {:axiom} false` in _proofs_, temporarily, as the pieces are put together. Strive for zero such axioms eventually.
+- Nested pattern matching _is_ allowed, but needs to be properly parenthesized. Example (out of context):
+```
+function optimize(e: exp): exp
+{
+    match e
+    case EInt(v) => e
+    case EVar(x) => e
+    case EAdd(e1, e2) => (match (optimize(e1), optimize(e2))
+        case (EInt(0), e2) => e2
+        case (e1, EInt(0)) => e1
+        case (e1, e2) => EAdd(e1, e2))
+}
+```

package/skills/lemmafit-post-react-audit/SKILL.md

@@ -0,0 +1,46 @@
+---
+name: lemmafit-post-react-audit
+description: Audit workflow for lemmafit apps after React. Runs after writing React code to catch logic that slipped through. Performs audit and labels findings by severity and iterates until only minor findings remain.
+---
+
+# Lemmafit Post React Audit
+
+
+## Audit: Logic-in-JS-post
+
+Check whether any effect-free logic required for the current build phase is found written directly in JavaScript or TypeScript instead of Dafny.
+
+### What to check
+
+1. **State derivations in React** — Any computed value derived from state (filtering, sorting, calculations, conditional logic) that is not exposed through `Api.Present` or a Dafny function. These belong in Dafny.
+2. **Validation in JS** — Input validation, constraint checks, or boundary enforcement done in React hooks or components instead of Dafny predicates.
+3. **Business rules in event handlers** — Pure conditional guards on dispatching (e.g., "only allow X if Y" where Y is derivable from model state) that aren't enforced by Dafny preconditions or exposed as predicates. Exclude effect-gating logic (e.g., "only call Stripe API if active") — that belongs in JS.
+4. **Formatting with logic** — Display formatting that encodes business rules (e.g., color based on threshold, status text based on state) rather than pure cosmetic formatting.
+5. **Duplicated logic** — Logic that exists in Dafny and is available via API but is re-implemented in JS (even partially), creating a consistency risk.
+6. **Utils with hidden logic** — Utility functions in `src/utils` that contain domain logic rather than pure display helpers.
+
+## Severity Labels
+
+Label each finding with one of:
+
+| Severity | Meaning | Action |
+|---|---|---|
+| `critical` | Effect-free logic in JS that could produce wrong behavior if it diverges from Dafny, or logic duplicated between JS and Dafny | Must move to Dafny before shipping |
+| `moderate` | Effect-free logic in JS that should be a Dafny function or predicate but isn't yet causing a correctness risk | Should move to Dafny |
+| `minor` | Borderline case where JS logic is arguably pure formatting, or a trivial derivation not worth a Dafny round-trip | Can keep in JS, document why |
+
+## Output Format
+
+Present findings as a numbered list with severity tag and file location:
+
+```
+## Logic-in-JS Post-React Audit
+
+1. [critical] src/hooks/useSubscription.ts:42 — computes prorated refund in JS, duplicates Dafny proration logic
+2. [moderate] src/components/PlanCard.tsx:18 — derives "canUpgrade" from state fields, should be a Dafny predicate
+3. [minor] src/utils/format.ts:10 — date formatting, pure display (OK)
+```
+
+## Pass Criteria
+
+The audit passes when there are **zero critical and zero moderate findings**. If any remain, move the logic to Dafny (back to Step 2), re-verify, then re-run this audit.

package/skills/lemmafit-pre-react-audits/SKILL.md

@@ -0,0 +1,67 @@
+---
+name: lemmafit-pre-react-audits
+description: Audit workflow for lemmafit apps before React. Run before writing React code to catch proof gaps and unverified logic. Performs two audits — Proof Strength (are proofs complete and tight?) and Logic-in-JS (is any logic missing from Dafny?). Labels findings by severity and iterates until only minor findings remain.
+---
+
+# Lemmafit Audits
+
+Run both audits below in order. Report findings in a structured table. Iterate with the lemmafit-proofs skill (Step 4) until only minor findings remain.
+
+## Audit 1: Proof Strength Audit
+
+Check the strength of every proof in the Dafny codebase against the corresponding SPEC.yaml entries.
+
+### What to check
+
+1. **Missing lemmas** — Every `verifiable: true` entry in SPEC.yaml with `type: postcondition` must have a corresponding lemma with a matching `ensures` clause. Invariant-only coverage is not sufficient for postcondition entries.
+2. **Weak postconditions** — Are `ensures` clauses as strong as the property stated in SPEC.yaml? A proof that verifies but proves less than the spec claims is a gap. Look for postconditions that are trivially true or weaker than the stated property.
+3. **Axiom debt** — Flag every `assume {:axiom}` statement. Each one is unverified trust. Check whether a real proof is feasible.
+4. **Invariant tightness** — Every code guard or clamp (e.g., `if x > MAX then MAX else x`) must have a matching bound in `Inv` at full strength (e.g., `0 <= x <= MAX`). Loose invariants hide bugs.
+5. **Missing biconditionals** — For every "if X then Y" lemma, check whether the converse "if not X then not Y" is also proven (or document why it's unnecessary).
+6. **Composition gaps** — If two features interact, is there a lemma proving their combined properties? Implicit composition is a proof gap.
+7. **Normalize reliance** — Check if `StepPreservesInv` only holds because of `Normalize`. If removing `Normalize` would break the proof, flag it — the `Apply` function should ideally preserve the invariant on its own for each action.
+8. **Input validation** — Every trust-boundary datatype should have a `Valid_*` predicate, and `Step` should `requires Valid_*(input)` for external inputs. Missing validation predicates are gaps.
+
+## Audit 2: Logic-in-JS
+
+Check whether any effect-free logic required for the current build phase is expected to be implemented in JavaScript/TypeScript directly instead of Dafny.
+
+### What to check
+
+1. **State derivations in React** — Any computed value derived from state (filtering, sorting, calculations, conditional logic) that is not exposed through `Api.Present` or a Dafny function. These belong in Dafny.
+2. **Validation in JS** — Input validation, constraint checks, or boundary enforcement done in React hooks or components instead of Dafny predicates.
+3. **Business rules in event handlers** — Pure conditional guards on dispatching (e.g., "only allow X if Y" where Y is derivable from model state) that aren't enforced by Dafny preconditions or exposed as predicates. Exclude effect-gating logic (e.g., "only call Stripe API if active") — that belongs in JS.
+4. **Formatting with logic** — Display formatting that encodes business rules (e.g., color based on threshold, status text based on state) rather than pure cosmetic formatting.
+5. **Duplicated logic** — Logic that exists in Dafny but is re-implemented in JS (even partially), creating a consistency risk.
+6. **Utils with hidden logic** — Utility functions that contain domain logic rather than pure display helpers.
+
+## Severity Labels
+
+Label each finding with one of:
+
+| Severity | Meaning | Action |
+|---|---|---|
+| `critical` | Unverified logic that could produce wrong behavior, or a SPEC.yaml postcondition with no corresponding proof | Must fix before proceeding to React |
+| `moderate` | Weak proof that verifies but doesn't fully cover the spec property, or JS logic that should move to Dafny | Should fix before proceeding |
+| `minor` | Style issue, missing biconditional for an edge case, or axiom with clear justification | Can proceed, fix later |
+
+## Output Format
+
+Present findings as a numbered list grouped by audit, with severity tag:
+
+```
+## Proof Strength Audit
+
+1. [critical] spec-003 "Total weight is sum of sets" — no lemma found, only covered by Inv
+2. [moderate] StepPreservesInv — only holds due to Normalize for AddSet action
+3. [minor] UndoRedoRoundTrip — missing biconditional (converse not meaningful here)
+
+## Logic-in-JS Audit
+
+1. [critical] src/hooks/useWorkout.ts:24 — filters completed sets using JS logic, should be a Dafny function
+2. [minor] src/utils/format.ts:10 — date formatting, pure display (OK)
+```
+
+## Pass Criteria
+
+The audit passes when there are **zero critical and zero moderate findings**. If any critical or moderate findings remain, return to Step 4 (proofs) to address them, then re-run audits.

package/skills/lemmafit-proofs/SKILL.md

@@ -0,0 +1,24 @@
+---
+name: lemmafit-proofs
+description: Proof-maximizing workflow for writing Dafny lemmas, postconditions, and invariants. Load this skill before writing any lemmas, ensures clauses, or when deciding between axioms and lemmas. Covers postcondition-first development, scaffolding, biconditional completeness, and input validation patterns.
+---
+
+# Lemmafit Proofs
+
+## Proof-Maximizing Workflow
+
+1. **Postconditions first** — Write `ensures` clauses before function bodies. The postcondition is the contract; the body is the implementation. This forces you to think about what a function guarantees before how it works.
+
+2. **Scaffold before proving** — Create lemma signatures with empty bodies (`lemma Foo() ensures P() {}`) so the Claims panel tracks them as "scaffolded". Fill in proofs afterward. This ensures no claim is forgotten.
+
+3. **Biconditional completeness** — For every "if X then Y" claim, also prove "if not X then not Y" (or document why the converse is unnecessary). One-directional implications leave blind spots.
+
+4. **Input validation predicates** — Every trust-boundary datatype gets a `Valid_*` predicate (e.g., `predicate Valid_SetWeight(w: int) { w > 0 && w <= 1000 }`). The `Step` function should `requires Valid_*(input)` for external inputs.
+
+5. **Invariant tightness** — Every code guard or clamp (e.g., `if x > MAX then MAX else x`) should have a matching bound in `Inv` at full strength (e.g., `0 <= x <= MAX`). Loose invariants hide bugs.
+
+6. **Standalone lemmas for compositions** — Don't rely on implicit composition. If feature A and feature B interact, write a lemma proving their combined properties explicitly (e.g., `lemma UndoRedoRoundTrip`).
+
+7. **Prefer lemmas over axioms** — `[verified]` = lemma with proof body, `[assumed]` = axiom with justification comment. Every axiom is technical debt. When you add an axiom, add a comment explaining why a proof is infeasible and what would need to change to prove it.
+
+8. **Prove application-specific lemmas beyond the general requirements** — For the step `Apply` function, you should prove something specific for each action. Prove strong properties about your program, both generic and domain-specific. *Example*: proving the Replay kernel `StepPreservesInv` (after Normalization) is a weak property. Try to prove that applying more specific actions results in desired properties (e.g. Inv even without Normalization)

package/skills/lemmafit-react-pattern/SKILL.md

@@ -0,0 +1,62 @@
+---
+name: lemmafit-react-pattern
+description: React integration pattern for lemmafit verified apps. Use when building React components that consume the verified Dafny API, wiring up state with Api.Init/Dispatch/Present, or creating new UI for a lemmafit app.
+---
+
+# React Pattern for Lemmafit
+
+- Use the auto-generated TypeScript API from `src/dafny/app.ts` (never edit `app.ts` directly) 
+- For any code that touches logic, check if it has been written in Dafny already and is available in the API
+- Do not re-write logic in React that already exists in Dafny/API
+
+## Modularity
+
+Build modular React apps — never put everything in a single `App.tsx`. Organize `src/` by the same layers used in SPEC.yaml:
+
+```
+src/
+├── dafny/app.ts        # Auto-generated verified API (DO NOT EDIT)
+├── hooks/              # State layer — custom hooks that wrap the verified API
+│   └── useAppState.ts  # Calls Api.Init, Api.Dispatch, Api.Present
+├── components/         # Presentation layer — pure UI components
+│   ├── WorkoutForm.tsx
+│   └── SetList.tsx
+├── utils/              # Utils layer — formatters, parsers, constants
+│   └── format.ts
+├── App.tsx             # Root — composes hooks + components, no logic
+└── main.tsx            # Entry point
+```
+
+### Layer rules
+
+- **Logic** (`dafny/`) — All business logic lives in Dafny. The React side never re-implements or duplicates what the verified API provides.
+- **State** (`hooks/`) — Custom hooks are the *only* place that calls `Api.Init`, `Api.Dispatch`, and `Api.Present`. Components never import from `dafny/` directly.
+- **Presentation** (`components/`) — Pure components that receive data and callbacks via props. No direct API calls, no `useState` for domain state.
+- **Utils** (`utils/`) — Display helpers like formatters and constants. No side effects, no state.
+- **Root** (`App.tsx`) — Wires hooks to components. Should be short — if it's growing, extract a component or hook.
+
+### Why this matters
+- Verified logic stays in one place (Dafny) — the React layer is just plumbing
+- Components are testable and reusable without the verified API
+- When the Dafny model changes, only `hooks/` needs updating — components stay stable
+
+## Standard Pattern
+
+```tsx
+import * as Api from './dafny/app';
+
+function App() {
+  const [state, setState] = useState(() => Api.Init());
+
+  const inc = () => setState(Api.Dispatch(state, Api.Inc()));
+  const value = Api.Present(state);
+
+  return <button onClick={inc}>{value}</button>;
+}
+```
+
+## Key Rules
+- Always initialize state with `Api.Init()`
+- Dispatch actions through `Api.Dispatch(state, action)`
+- Read display values through `Api.Present(state)`
+- Never modify state directly — all transitions go through the verified Step function

package/skills/lemmafit-spec/SKILL.md

@@ -0,0 +1,71 @@
+---
+name: lemmafit-spec
+description: Lemmafit development workflow for managing SPEC.yaml and Dafny specifications. Use when the user describes a new feature, asks to add or update features or specs, or when spec changes need to be addressed. Handles SPEC.yaml entries, Dafny code sync, and spec queue processing. Follow these instructions whenever your workflow touches the spec.yaml file
+---
+
+# Lemmafit Spec
+
+## Instructions
+1. When the user describes an app, a requirement, or a new feature, add entries to SPEC.yaml first
+2. Then write Dafny specs that formalize entries where `verifiable: true`
+3. Mark UI-only or non-provable entries as `verifiable: false, status: trusted`
+4. Keep SPEC.yaml in sync with Dafny code — if you change one, update the other
+5. When the user edits SPEC.yaml directly, you will be notified via the daemon — update code to match
+
+## RULES YOU MUST FOLLOW
+- ALL logic-related and state machine entries must be set as `verifiable: true`
+- ONLY EXCEPTIONS: API calls, parsing, and any other external effect
+
+## Checking for Spec Changes
+At the start of every conversation, read `.vibe/status.json`. If `specQueue` has items, these are spec changes that haven't been addressed yet. Each item has a type (`added` or `removed`) and the text. Added items include a line number in the current SPEC.yaml. Update Dafny code and/or React code to reflect these requirements before doing anything else.
+
+The queue auto-clears when you write `.dfy` files and verification passes. For trusted-only changes, writing SPEC.yaml with updated tags will also clear the queue.
+
+Prove strong properties about your program, both generic and domain-specific. 
+**Example**: proving the Replay kernel `StepPreservesInv` (after Normalization) is a weak property. Try to prove that applying more specific actions results in desired properties (e.g. Inv even without Normalization)
+
+Every SPEC.yaml entry with type: postcondition and verifiable: true MUST have a corresponding lemma in Dafny with an ensures clause that matches the property field. Invariant-only proofs are NOT sufficient for postcondition entries.
+
+### Format
+SPEC.yaml is a structured YAML file with an `entries` list. Each entry has:
+- `id` — unique spec ID (e.g. `spec-001`)
+- `req_id` — linked requirement ID (or `null`)
+- `title` — human-readable description of the property
+- `group` — logical grouping (e.g. Business Logic, Presentation, Data, Utils)
+- `layer` — architecture layer (`logic`, `presentation`, `state`, `data`, `utils`)
+- `type` — property type (`invariant`, `postcondition`, `precondition`, `datatype`, `function`, `constraint`)
+- `property` — formal property expression. **MUST be quoted** if it contains special characters (`:`, `>`, `!`, `#`, `{`, `}`, `[`, `]`, `,`, `&`, `*`, `?`, `|`, `-`, `=`). When in doubt, always quote with double quotes.
+- `module` — target Dafny module (or `null` for non-verifiable)
+- `depends_on` — list of spec IDs this entry depends on
+- `verifiable` — whether this can be proven in Dafny 
+- `guarantee_type` — `verified`, `assumed`, or `trusted`
+- `state` - `DRAFT`, `ADDRESSED`, `null`- only use `addressed` if the corresponding Dafny module or property have been verified. Use null for `verifiable: false`
+
+### Example
+```yaml
+entries:
+  - id: spec-001
+    req_id: null
+    title: The counter value is always non-negative
+    group: Business Logic
+    layer: logic
+    type: invariant
+    property: "model.value >= 0"
+    module: AppCore
+    depends_on: []
+    verifiable: true
+    status: verified
+  - id: spec-002
+    req_id: null
+    title: The increment button displays the current count
+    group: Presentation
+    layer: presentation
+    type: invariant
+    property: "display == Present(state).value"
+    module: null
+    depends_on: []
+    verifiable: false
+    guarantee_type: trusted
+    state: null
+```
+ 

package/index.js

@@ -1,5 +0,0 @@
-// index.js
-module.exports = () => {
-    throw new Error("This package is just a stub placeholder. Lemmafit is coming soon.");
-  };
-