santosomar/c-cpp-to-lean4-translator
skills/verification/c-cpp-to-lean4-translator/SKILL.md
Translates C/C++ into Lean 4 for interactive theorem proving — deep verification where automated tools fail. Use when Dafny's automation isn't enough, when proving mathematical properties of an algorithm, or when building a machine-checked proof for publication or certification.
tools
Updated Apr 13, 2026
$ install --global
skillsauthnpx skillsauth add santosomar/general-secure-coding-agent-skills c-cpp-to-lean4-translatorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 13, 2026, 4:39 AM50.9s1 file scanned
SKILL.md
- name:
- c-cpp-to-lean4-translator
- description:
- Translates C/C++ into Lean 4 for interactive theorem proving — deep verification where automated tools fail. Use when Dafny's automation isn't enough, when proving mathematical properties of an algorithm, or when building a machine-checked proof for publication or certification.
- license:
- Apache-2.0
- category:
- verification
- suite:
- general-secure-coding-agent-skills
- version:
- 0.3.0
- related:
- python-to-lean4-translator, cpp-to-dafny-translator
C/C++ → Lean 4 Translator
Lean is for when you need a proof, not a check. Dafny asks an SMT solver "is this true?"; Lean asks you to construct the proof term. More work, more control, no timeouts.
When Lean over Dafny
| Situation | Why Lean |
| ----------------------------------------------------- | ----------------------------------------------------------- |
| SMT solver times out or returns unknown | You write the proof steps; no solver to time out |
| Proving mathematical properties (complexity bounds, algebraic laws) | Lean has Mathlib; Dafny has arithmetic |
| The proof itself is the artifact (paper, certification) | Lean proofs are inspectable; Dafny's are solver-internal |
| You need custom proof tactics | Lean is a tactic language; Dafny's hints are fixed |
The functional lift
Lean is purely functional. The translation path is: imperative C → functional model → proof about the model.
| C construct | Lean model |
| ----------------------------- | ---------------------------------------------------------------- |
| int32_t | Int32 (modular) or Int (unbounded) — same choice as Dafny |
| Loop with accumulator | Fold: xs.foldl f init — or structural recursion |
| Loop with early exit | Recursion with a sum type result: Option α or Except ε α |
| Mutable local var | Let-bind a new name each "mutation": let x₁ := ...; let x₂ := f x₁ |
| Array a[i] | a.get i with (h : i < a.size) proof, or a.get? i : Option α|
| Pointer into array | (a : Array α) × (i : Fin a.size) — a dependent pair |
| struct | structure — direct |
| malloc/pointer to object | Just the object. No heap in the pure fragment. |
The state monad escape hatch
If the imperative structure is too tangled to lift functionally, use StateM:
def impStep : StateM (Array Int) Unit := do
let a ← get
if h : 0 < a.size then
set (a.set ⟨0, h⟩ 42)
-- Reason about the result:
theorem impStep_sets_zero (a : Array Int) (h : 0 < a.size) :
(impStep.run a).2.get ⟨0, h⟩ = 42 := by simp [impStep, StateT.run]
But prefer the functional lift — proofs over folds are easier than proofs over monadic runs.
Worked example
C:
// Count elements equal to target
size_t count(const int* a, size_t n, int target) {
size_t c = 0;
for (size_t i = 0; i < n; ++i)
if (a[i] == target) ++c;
return c;
}
Lean — functional lift:
def count (a : List Int) (target : Int) : Nat :=
a.foldl (fun c x => if x = target then c + 1 else c) 0
-- Spec via List.countP from Mathlib
theorem count_eq_countP (a : List Int) (target : Int) :
count a target = a.countP (· = target) := by
induction a with
| nil => rfl
| cons x xs ih =>
simp only [count, List.foldl_cons, List.countP_cons]
split <;> simp [ih, count]
Notes:
Listinstead ofArray— easier induction. If you needArrayfor the performance story, prove onListand transport viaArray.toList.- The theorem connects our
countto Mathlib'scountP— once connected, all of Mathlib's lemmas aboutcountPapply to us for free. size_t→Nat(unbounded). If we cared aboutSIZE_MAX, we'd add a separate bound theorem.
Proof patterns you'll need
| Goal shape | Tactic |
| ----------------------------------- | --------------------------------------------------------- |
| Property of a fold | induction xs + unfold the fold one step |
| Property of recursion on Nat | induction n or Nat.rec |
| Array index in bounds | omega / simp_arith — or carry Fin n so it's by-type |
| Decidable equality case split | split after if / by_cases h : P |
| "Obvious" arithmetic | omega, ring, simp_arith |
| Reuse a library lemma | exact? / apply? — let Lean search Mathlib |
Do not
- Do not translate to Lean when Dafny would verify automatically. Lean proofs are manual labor; only pay for what you need.
- Do not state the theorem as "equals the C code." State it as "satisfies this mathematical property." The C is an implementation; the theorem is about the spec.
- Do not fight Lean's termination checker with
partial def.partialmeans "trust me" — you lose proofs-by-induction. Find the structural argument. - Do not reinvent Mathlib.
List.countP,List.Sorted,Nat.gcd— they exist, with lemma libraries. Connect to them.
Output format
## Functional model
<Lean def — the translated algorithm>
## Theorem
<what property this proves — connected to Mathlib where possible>
## Proof
<tactic script — or `sorry` placeholders with notes on what's left>
## Model fidelity
<where the Lean model diverges from the C: unbounded ints, List vs Array, etc.>
Related Skills
santosomar/verified-pseudocode-extractor
development
VerifiedTrustedCommunity
Extracts human-readable pseudocode from a verified formal artifact (Dafny, Lean, TLA+) while preserving the verified properties as annotations, so the proof-carrying logic can be reimplemented in a production language. Use when porting verified code to an unverified target, when documenting what a formal spec actually does, or when handing a verified algorithm to an implementer.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-spec-generator
development
VerifiedTrustedCommunity
Translates natural-language or pseudocode descriptions of concurrent and distributed systems into TLA+ specifications ready for the TLC model checker. Identifies state variables, actions, type invariants, safety properties, and liveness properties from the description. Use when formalizing a protocol, when the user describes a distributed algorithm to verify, when designing a consensus or locking scheme, or when starting formal verification of a concurrent system.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-model-reduction
testing
VerifiedTrustedCommunity
Reduces a TLA+ model so TLC can actually check it — shrinks constants, adds state constraints, abstracts data, or applies symmetry — when the state space is too large to enumerate. Use when TLC runs out of memory, when checking takes hours, or when a spec works at N=2 and you need confidence at larger scale.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-guided-code-repair
development
VerifiedTrustedCommunity
TLA+-specific instance of model-guided repair — reads a TLC error trace, identifies the enabling condition that should have been false, strengthens the corresponding action, and maps the fix to source code. Use when TLC reports an invariant violation or deadlock and you have the code-to-TLA+ mapping from extraction.
SKILL.mdUpdated Apr 13, 2026