santosomar/invariant-inference
skills/verification/invariant-inference/SKILL.md
Infers likely loop invariants and function contracts by observing execution traces, synthesizing candidates, and checking them inductively. Use when a verifier rejects a loop because the invariant is missing or too weak, when a Daikon-style tool is needed, or before translating code to a verification language.
tools
Updated Apr 13, 2026
$ install --global
skillsauthnpx skillsauth add santosomar/general-secure-coding-agent-skills invariant-inferenceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 13, 2026, 4:40 AM48.8s1 file scanned
SKILL.md
- name:
- invariant-inference
- description:
- Infers likely loop invariants and function contracts by observing execution traces, synthesizing candidates, and checking them inductively. Use when a verifier rejects a loop because the invariant is missing or too weak, when a Daikon-style tool is needed, or before translating code to a verification language.
- license:
- Apache-2.0
- category:
- verification
- suite:
- general-secure-coding-agent-skills
- version:
- 0.3.0
- related:
- abstract-invariant-generator, python-to-dafny-translator
Invariant Inference
A loop invariant is what stays true every time you hit the loop head. Verifiers need it stated; programmers rarely state it. This skill guesses it from evidence.
Two routes to an invariant
| Route | How it works | Good at | Bad at |
| ------------------ | ----------------------------------------------------- | ------------------------------- | ------------------------------- |
| Dynamic (Daikon-style) | Run the code, record state at loop head, generalize patterns | Concrete relationships in traces | Generalization — might be coincidence |
| Static (template-based) | Guess invariants of form ax + by ≤ c, solve for a,b,c | Sound by construction | Limited to the template shapes |
Do both: dynamic finds candidates fast; static checks them.
Dynamic — the observe-and-generalize loop
- Instrument. At every loop head, dump all local variable values.
- Run on a bunch of inputs. The more diverse, the better.
- Mine patterns across the dumps. What's true at every observation?
- Filter for inductiveness. A pattern true by coincidence won't survive the inductive check.
Template library (what to look for in the dumps):
| Template | Example |
| --------------------------- | ------------------------------------ |
| Constant | n == 10 in every observation |
| Range | 0 <= i <= n |
| Linear relation | i + j == n, 2*i == k |
| Ordering | i < j, a[i] <= a[j] |
| Membership | x in {0, 1, 2} |
| Collection property | sorted(a[:i]), sum(a[:i]) == s |
| Implication | flag => (x > 0) |
Step-by-step
- Collect traces. Run with varied inputs; dump
(iter, locals)at loop head. - Enumerate candidates. For each template, instantiate with the observed variables. Keep any that hold on all traces.
- Prune coincidences. If
x == 5in every trace but your test inputs all hadn == 5— it's not invariant, it's your test bias. Varyn. - Check inductiveness. For each survivor
I: doesI ∧ guard ∧ body ⟹ I'? Use an SMT solver or just plug into the verifier. - Check sufficiency. Does
I ∧ ¬guard ⟹ postcondition? If not,Iis true but useless — you need a stronger one.
Worked example
Loop:
def find_max(a):
m = a[0]
i = 1
while i < len(a):
if a[i] > m:
m = a[i]
i += 1
return m # post: m == max(a)
Traces (input a = [3, 1, 4, 1, 5]):
| iter | i | m | a[:i] | | ---- | - | - | ----------- | | 0 | 1 | 3 | [3] | | 1 | 2 | 3 | [3, 1] | | 2 | 3 | 4 | [3, 1, 4] | | 3 | 4 | 4 | [3, 1, 4, 1]| | 4 | 5 | 5 | [3,1,4,1,5] |
Candidate patterns (mined):
1 <= i <= len(a)✓ all rowsm in a✓ all rowsm == max(a[:i])✓ all rows — this is the onem >= a[0]✓ all rows — true but weaker than the above
Inductive check on m == max(a[:i]):
- Init:
i=1, m=a[0]→max(a[:1]) = a[0] = m. ✓ - Preserved: Assume
m == max(a[:i]). Body setsm' = max(m, a[i])andi' = i+1. Thenm' = max(max(a[:i]), a[i]) = max(a[:i+1]) = max(a[:i']). ✓ - Sufficient: Exit when
i == len(a). Thenm == max(a[:len(a)]) == max(a). ✓
Invariant: 1 <= i <= len(a) ∧ m == max(a[:i]).
When dynamic fails
- Not enough trace diversity: All your inputs hit the same branch → you miss the invariant for the other branch. Fix: coverage-guided input generation.
- The invariant isn't in your template library:
a[i] * a[j] < n— nonlinear. →abstract-invariant-generatorwith a polynomial domain, or hand-write. - Ghost state needed: The invariant mentions a quantity the code doesn't compute (e.g., "the number of swaps so far"). Add a ghost variable.
Do not
- Do not trust a candidate that passes on traces but fails the inductive check. Traces are a finite sample. The inductive check is the proof.
- Do not stop at the first invariant that's inductive. Check it's sufficient for the postcondition.
trueis inductive; it proves nothing. - Do not over-fit.
i in {1, 2, 3, 4, 5}holds on your one trace — but the real invariant is1 <= i <= len(a). Prefer the most general candidate that survives.
Output format
## Candidates (from traces)
<template> : <instantiation> — held on <N>/<N> observations
## Inductive check
<candidate> — <✓ inductive | ✗ fails: <counterexample>>
## Sufficient for postcondition
<candidate> — <✓ | ✗ too weak, missing: <what>>
## Recommended invariant
<the winner — conjunction of surviving, sufficient, minimal candidates>
Related Skills
santosomar/verified-pseudocode-extractor
development
VerifiedTrustedCommunity
Extracts human-readable pseudocode from a verified formal artifact (Dafny, Lean, TLA+) while preserving the verified properties as annotations, so the proof-carrying logic can be reimplemented in a production language. Use when porting verified code to an unverified target, when documenting what a formal spec actually does, or when handing a verified algorithm to an implementer.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-spec-generator
development
VerifiedTrustedCommunity
Translates natural-language or pseudocode descriptions of concurrent and distributed systems into TLA+ specifications ready for the TLC model checker. Identifies state variables, actions, type invariants, safety properties, and liveness properties from the description. Use when formalizing a protocol, when the user describes a distributed algorithm to verify, when designing a consensus or locking scheme, or when starting formal verification of a concurrent system.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-model-reduction
testing
VerifiedTrustedCommunity
Reduces a TLA+ model so TLC can actually check it — shrinks constants, adds state constraints, abstracts data, or applies symmetry — when the state space is too large to enumerate. Use when TLC runs out of memory, when checking takes hours, or when a spec works at N=2 and you need confidence at larger scale.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-guided-code-repair
development
VerifiedTrustedCommunity
TLA+-specific instance of model-guided repair — reads a TLC error trace, identifies the enabling condition that should have been false, strengthens the corresponding action, and maps the fix to source code. Use when TLC reports an invariant violation or deadlock and you have the code-to-TLA+ mapping from extraction.
SKILL.mdUpdated Apr 13, 2026