Stats
Actions
Tags
From crosscheck
Compile verified Dafny to Python or Go with Dafny runtime boilerplate stripped. Presents clean output ready for project integration, with type mappings and property-based test suggestions. Use after /generate-verified produces a verified implementation. Triggers: "extract to python", "extract to go", "compile dafny".
How this skill is triggered — by the user, by Claude, or both
Slash command
/crosscheck:extract-codeThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Compile a verified Dafny program to Python or Go, strip Dafny runtime boilerplate, and present clean output ready for integration into a project.
Compile a verified Dafny program to Python or Go, strip Dafny runtime boilerplate, and present clean output ready for integration into a project.
You are a formal verification expert helping the user extract verified code to their target language. The Dafny program should already be verified (via /generate-verified or the user's own verification).
Check the user's arguments for the target language:
to python or to py → Pythonto go or to golang → GoIf not specified, ask the user which target language they want.
Call dafny_compile with the verified Dafny source and target language.
If compilation fails:
/generate-verified if not)After successful compilation, review the extracted code and warn about:
| Detected Pattern | Alert |
|---|---|
_dafny. references remain in output | "Some Dafny runtime types remain in output. These need manual replacement with native equivalents." Provide a mapping table. |
| Large generated code (>200 lines) | "Complex Dafny programs produce verbose output. Review for idiomatic patterns in your target language." |
{:extern} methods in the original source | "Extern methods were not verified—their implementations are trust boundaries. You must provide implementations for these." |
ensures clauses present in Dafny source | "Your verified postconditions can be translated to property-based tests. See Step 4.5 below." |
For each output file, present:
Python type mappings:
| Dafny Type | Python Replacement |
|---|---|
_dafny.BigRational | float or fractions.Fraction |
_dafny.Seq | list or tuple |
_dafny.Map | dict |
_dafny.Set | set or frozenset |
_dafny.BigOrdinal | int |
Go type mappings:
| Dafny Type | Go Replacement |
|---|---|
dafny.Int | int or *big.Int |
dafny.Real | *big.Rat or float64 |
dafny.Seq | []T (typed slice) |
dafny.Map | map[K]V |
dafny.Set | Custom or map[T]bool |
Analyze the Dafny source's ensures clauses and translate them into property-based test code for the target language. This bridges the abstraction gap between verified Dafny specifications and the extracted code, which may use different types, precision, or mutability semantics.
For Python (using Hypothesis):
Generate @given decorated test functions that encode each postcondition. For example, given a verified sort function with ensures forall i :: 0 <= i < |result| - 1 ==> result[i] <= result[i+1] and ensures multiset(result) == multiset(input):
from hypothesis import given
import hypothesis.strategies as st
@given(st.lists(st.integers()))
def test_sort_is_ordered(xs):
result = verified_sort(xs)
for i in range(len(result) - 1):
assert result[i] <= result[i + 1]
@given(st.lists(st.integers()))
def test_sort_is_permutation(xs):
result = verified_sort(xs)
assert sorted(result) == sorted(xs)
For Go (using rapid):
Generate rapid.Check test functions. For example:
func TestSortOrdered(t *testing.T) {
rapid.Check(t, func(t *rapid.T) {
xs := rapid.SliceOf(rapid.Int()).Draw(t, "xs")
result := VerifiedSort(xs)
for i := 0; i < len(result)-1; i++ {
if result[i] > result[i+1] {
t.Fatalf("not sorted at index %d", i)
}
}
})
}
Divergence Warning Table:
When translating postconditions, watch for these semantic gaps between Dafny and the target language:
| Detected Divergence | Warning |
|---|---|
Dafny int (unbounded) vs fixed-width target integers | Add overflow tests with boundary values (MAX_INT, MIN_INT) |
Dafny real vs target float | Floating-point loses precision — add epsilon-tolerance tests |
Dafny seq vs mutable list/slice | Aliasing bugs possible — test with shared references |
{:extern} methods in source | Extern implementations not verified — write focused unit tests |
Dafny BigRational compiled output | Runtime type not native — may need type assertions |
After successful extraction, offer to register the verified spec in the project's spec registry (.crosscheck/specs.json). This enables /check-regressions to detect when future code changes invalidate the verified properties.
If the registry file does not exist:
/check-regressions to detect when future edits break verified properties.".crosscheck/specs.json with {"version": 1, "specs": []} and proceedIf the registry exists:
If the user agrees, add an entry with:
id: A slug derived from the Dafny method name (e.g., MaxOfArray → max-of-array)function: The Dafny method/function namedescription: Brief natural-language description of what the spec verifiesdafnySource: Path to the Dafny source file (if saved) or note that it was inlinedafnySourceHash: SHA-256 hash of the Dafny source contentextractedCode.file: Path to the extracted code fileextractedCode.function: Function name in the extracted codeextractedCode.language: "python" or "go"constraint: "hard" (default — must pass dafny_verify on re-check)lastVerified: Current ISO 8601 timestampdifficulty: Metrics from the verification run (solver time, resource count, proof hints, trivial flag)trustBoundaries: Collected from the Abstraction Gap Checklist — any items that represent ongoing trust assumptionsSee skills/check-regressions/references/registry-schema.md for the full schema reference.
Provide brief guidance on:
black/gofmt)Abstraction Gap Checklist:
Present this checklist to the user and flag any items that are especially relevant given the extracted code:
_dafny. runtime references remainTarget language specification.
Examples:
/extract-code to python/extract-code to gonpx claudepluginhub nicholls-inc/claude-code-marketplace --plugin crosscheckWrites and debugs proof-carrying code in MoonBit with Why3-backed specifications, abstraction functions, representation invariants, and proof assertions.
Guides property-based testing across multiple languages and smart contracts. Use for writing tests, reviewing serialization/validation/parsing code, or achieving stronger coverage than example-based tests.
Enforces proof-driven development with formal verification using property-based testing, theorem proving, and proof tactics. Zero unproven properties in final code.