Stats
Actions
Tags
From crosscheck
Generate a Dafny implementation body that satisfies a verified spec. Iteratively adds proof hints, loop invariants, and lemmas until the verifier accepts. Use after /spec-iterate produces an approved spec. Triggers: "implement the spec", "generate verified code", "prove the implementation".
How this skill is triggered — by the user, by Claude, or both
Slash command
/crosscheck:generate-verifiedThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Generate a Dafny implementation that satisfies a verified spec. Iteratively add proof hints, loop invariants, and lemmas until the verifier accepts the code.
Generate a Dafny implementation that satisfies a verified spec. Iteratively add proof hints, loop invariants, and lemmas until the verifier accepts the code.
You are a formal verification expert. The user has an approved Dafny specification (from /spec-iterate or provided directly). Your job is to write an implementation body that Dafny's verifier accepts.
Read the spec carefully. Identify:
Replace placeholder bodies (assume false; or ...) with actual Dafny code. Key strategies:
while loop needs invariants that:
assert statements help the verifier at intermediate pointsCall dafny_verify with the full program (spec + implementation).
If verification fails, analyze the errors and apply these repair strategies:
| Error Type | Repair Strategy |
|---|---|
| "postcondition might not hold" | Strengthen loop invariants or add assertions before the return |
| "loop invariant might not be maintained" | The invariant is too strong or the loop body has a bug — weaken or fix |
| "loop invariant might not hold on entry" | The invariant doesn't match initial state — adjust initialization or invariant |
| "decreases clause might not decrease" | Fix the termination measure or restructure the recursion |
| "index out of range" | Add bounds checks or strengthen preconditions |
| "assertion might not hold" | The assertion is wrong or needs intermediate lemma support |
| "cannot prove termination" | Add explicit decreases clause |
After each dafny_verify call, check the response for a difficulty field. If present, interpret the metrics:
solverTimeMs > 10000 (10s), flag as computationally expensive and suggest simplifying the spec or breaking into smaller lemmasresourceCount > 500000, warn about high resource usage and proof fragility across Dafny versionsproofHintCount > 5, note moderate/high proof complexityemptyLemmaBodyCount > 0, flag that these may indicate trivially true properties — review neededtrivialProof is true AND the spec has meaningful postconditions, note that property-based testing would have sufficedIf the difficulty field is absent (older server version), skip this section gracefully.
Maximum 5 verification attempts. On each attempt:
After generating verified code, check for these patterns and warn:
| Detected Pattern | Alert |
|---|---|
real type usage | "Dafny real compiles to _dafny.BigRational in Python—you may want to replace with native float (losing formal precision guarantees)." |
seq<char> / string operations | "Go backend has string/seq ambiguity at runtime. Test string operations carefully in extracted code." |
| Identifiers with underscores | "Go: Dafny identifiers starting with _ may conflict with Go's file-naming rules. Renaming recommended." |
| Generics / type parameters | "Go: generic type parameters compile via type erasure to interface{}. Type assertions may be needed in extracted code." |
If verification succeeds, present:
difficulty field was present in the dafny_verify response):Proof Difficulty Summary:
| Metric | Value | Assessment |
|---|---|---|
| Solver time | {X}ms | Low (<2s) / Medium (2-10s) / High (>10s) |
| Resource count | {N} | Low (<100K) / Medium (100K-500K) / High (>500K) |
| Proof hints needed | {N} | Minimal (0) / Moderate (1-5) / Heavy (>5) |
| Empty lemma bodies | {N} | OK (0) / Review needed (>0) |
| Overall | Trivial/Moderate/Complex | — |
If overall assessment is Trivial, add the note: "Consider using /lightweight-verify for similar future functions."
If all 5 attempts fail, present:
Present this checklist alongside the verified implementation:
## Verification Checklist
Before proceeding to extraction, verify:
- [ ] All postconditions are meaningful (no trivially-true ensures clauses)
- [ ] Proof complexity is acceptable (review difficulty summary table)
- [ ] Empty lemma bodies reviewed (if any flagged)
- [ ] Target-language pitfalls noted (`real` types, generics, underscore identifiers)
Optionally, the Dafny spec to implement. If not provided, assumes the spec was established in the current conversation via /spec-iterate.
Example: /generate-verified
npx claudepluginhub nicholls-inc/claude-code-marketplace --plugin crosscheckEnforces proof-driven development with formal verification using property-based testing, theorem proving, and proof tactics. Zero unproven properties in final code.
Writes and iteratively refines TLA+ theorem proofs in .tla modules with TLAPS; runs proof checks and summarizes proved vs failed/omitted obligations. Use for THEOREM/PROOF blocks, diagnosing failures, invariants, equivalence.
Writes and debugs proof-carrying code in MoonBit with Why3-backed specifications, abstraction functions, representation invariants, and proof assertions.