Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

santosomar/program-to-tlaplus-spec-generator

Name: program-to-tlaplus-spec-generator
Author: santosomar

skills/verification/program-to-tlaplus-spec-generator/SKILL.md

npx skillsauth add santosomar/general-secure-coding-agent-skills program-to-tlaplus-spec-generator

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Program → TLA+ Spec Generator

TLA+ models state machines, not code. The translation isn't line-by-line — it's "what are the states, and what are the atomic transitions between them?" This is an abstraction exercise.

Step 1 — Identify the state

What persists between steps? That's your VARIABLES.

| Code construct | TLA+ variable | | ----------------------------- | ------------------------------------------------------------ | | Shared mutable state (locks, queues, counters) | Direct — queue, lock_holder | | Per-thread/process local state | A function: pc \in [Proc -> {"idle", "waiting", "cs"}] | | Network messages in flight | A set or bag: msgs \subseteq Message | | The program counter | A pc variable per process — where in the code each one is |

Do not model: pure function arguments, loop counters that don't cross await points, anything that's deterministic from the rest.

Step 2 — Identify atomic actions

An action is one indivisible step. In code, atomicity boundaries are:

Lock acquire → release: everything inside is one action (if no awaits inside)
Single CAS / atomic instruction: one action
Between await points / blocking calls: one action
A message send: one action; message receive: another action

Each action becomes a disjunct in Next:

Next == \/ Action1
        \/ Action2
        \/ \E p \in Proc : ProcessStep(p)

Step 3 — Write each action

ActionName ==
  /\ <guard — when is this enabled?>
  /\ <effect — primed variables>
  /\ UNCHANGED <<everything else>>

The UNCHANGED is not optional. TLA+ makes you say what doesn't change.

Worked example

Code (Go-ish, two goroutines, shared counter, broken):

var counter int
var mu sync.Mutex

func increment() {         // called by 2 goroutines
    tmp := counter         // ← read outside lock!
    mu.Lock()
    counter = tmp + 1
    mu.Unlock()
}

State: counter, mu (who holds it or NULL), pc[p] per process, tmp[p] per process (the local).

Atomicity: The read tmp := counter is its own action (no lock). The lock-write-unlock is one action (atomic under the lock).

TLA+:

---- MODULE Counter ----
EXTENDS Integers
CONSTANTS Proc
VARIABLES counter, mu, pc, tmp

Init ==
  /\ counter = 0
  /\ mu = "free"
  /\ pc = [p \in Proc |-> "start"]
  /\ tmp = [p \in Proc |-> 0]

Read(p) ==
  /\ pc[p] = "start"
  /\ tmp' = [tmp EXCEPT ![p] = counter]
  /\ pc' = [pc EXCEPT ![p] = "locked_write"]
  /\ UNCHANGED <<counter, mu>>

LockedWrite(p) ==
  /\ pc[p] = "locked_write"
  /\ mu = "free"                          \* guard: can acquire
  /\ mu' = "free"                         \* lock+write+unlock atomic → mu unchanged net
  /\ counter' = tmp[p] + 1
  /\ pc' = [pc EXCEPT ![p] = "done"]
  /\ UNCHANGED tmp

Next == \E p \in Proc : Read(p) \/ LockedWrite(p)

Inv == (\A p \in Proc : pc[p] = "done") => counter = Cardinality(Proc)
====

TLC finds: Inv violated. Trace: P1 reads (tmp=0), P2 reads (tmp=0), P1 writes (counter=1), P2 writes (counter=1). Two increments, counter=1. The read-outside-lock is the bug; TLA+ found it because Read and LockedWrite are separate actions.

What to abstract away

| Keep | Abstract away | | ------------------------------------- | --------------------------------------------------------- | | All shared state | Local variables that don't survive an atomic boundary | | Concurrency structure (who runs when) | Sequential business logic inside an atomic block | | Message contents that affect protocol | Message payloads that are just data | | Failure modes (crash, partition) | Performance, timing (unless you're proving real-time) |

TLC explores every interleaving. Every variable you keep multiplies the state space. → tlaplus-model-reduction if TLC runs out of memory.

Do not

Do not translate line-by-line. A 10-line critical section under one lock is ONE action, not ten.
Do not forget UNCHANGED. Omitting it means "anything can happen to this variable" — you'll get spurious counterexamples.
Do not model infinite domains without bounding. counter \in Nat → TLC never finishes. Use counter \in 0..N in the .cfg.
Do not add fairness unless you're checking liveness. For safety (invariants), fairness is irrelevant and slows TLC.
Do not trust an Inv that passes without also checking you modeled the actions right. Sanity-check: does TLC find a state where pc[p] = "done" for all p? If not, your model never terminates and the invariant is vacuously true.

Output format

## State
VARIABLES <list> — <each maps to what code construct>

## Actions
<Action> — atomic because <lock region | CAS | between awaits>
...

## Spec
<TLA+ module>

## .cfg
<constants, invariants, state constraints for TLC>

## Abstractions made
<what you dropped and why it's sound to drop>

santosomar/program-to-tlaplus-spec-generator

skills/verification/program-to-tlaplus-spec-generator/SKILL.md

Extracts a TLA+ specification from concurrent or distributed code, modeling the state machine, actions, and fairness conditions for model checking with TLC. Use when verifying concurrency properties of production code, when designing a protocol and wanting to check it before implementation, or when the user has a race condition and needs to prove the fix.

development

Updated Apr 13, 2026

$ install --global

skillsauth

npx skillsauth add santosomar/general-secure-coding-agent-skills program-to-tlaplus-spec-generator

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 13, 2026, 4:40 AM60.2s1 file scanned

SKILL.md

name:: program-to-tlaplus-spec-generator
description:: Extracts a TLA+ specification from concurrent or distributed code, modeling the state machine, actions, and fairness conditions for model checking with TLC. Use when verifying concurrency properties of production code, when designing a protocol and wanting to check it before implementation, or when the user has a race condition and needs to prove the fix.
license:: Apache-2.0
category:: verification
suite:: general-secure-coding-agent-skills
version:: 0.3.0
related:: requirement-to-tlaplus-property-generator, tlaplus-model-reduction, smv-model-extractor

Program → TLA+ Spec Generator

TLA+ models state machines, not code. The translation isn't line-by-line — it's "what are the states, and what are the atomic transitions between them?" This is an abstraction exercise.

Step 1 — Identify the state

What persists between steps? That's your VARIABLES.

Do not model: pure function arguments, loop counters that don't cross await points, anything that's deterministic from the rest.

Step 2 — Identify atomic actions

An action is one indivisible step. In code, atomicity boundaries are:

Lock acquire → release: everything inside is one action (if no awaits inside)
Single CAS / atomic instruction: one action
Between await points / blocking calls: one action
A message send: one action; message receive: another action

Each action becomes a disjunct in Next:

Next == \/ Action1
        \/ Action2
        \/ \E p \in Proc : ProcessStep(p)

Step 3 — Write each action

ActionName ==
  /\ <guard — when is this enabled?>
  /\ <effect — primed variables>
  /\ UNCHANGED <<everything else>>

The UNCHANGED is not optional. TLA+ makes you say what doesn't change.

Worked example

Code (Go-ish, two goroutines, shared counter, broken):

var counter int
var mu sync.Mutex

func increment() {         // called by 2 goroutines
    tmp := counter         // ← read outside lock!
    mu.Lock()
    counter = tmp + 1
    mu.Unlock()
}

State: counter, mu (who holds it or NULL), pc[p] per process, tmp[p] per process (the local).

Atomicity: The read tmp := counter is its own action (no lock). The lock-write-unlock is one action (atomic under the lock).

TLA+:

---- MODULE Counter ----
EXTENDS Integers
CONSTANTS Proc
VARIABLES counter, mu, pc, tmp

Init ==
  /\ counter = 0
  /\ mu = "free"
  /\ pc = [p \in Proc |-> "start"]
  /\ tmp = [p \in Proc |-> 0]

Read(p) ==
  /\ pc[p] = "start"
  /\ tmp' = [tmp EXCEPT ![p] = counter]
  /\ pc' = [pc EXCEPT ![p] = "locked_write"]
  /\ UNCHANGED <<counter, mu>>

LockedWrite(p) ==
  /\ pc[p] = "locked_write"
  /\ mu = "free"                          \* guard: can acquire
  /\ mu' = "free"                         \* lock+write+unlock atomic → mu unchanged net
  /\ counter' = tmp[p] + 1
  /\ pc' = [pc EXCEPT ![p] = "done"]
  /\ UNCHANGED tmp

Next == \E p \in Proc : Read(p) \/ LockedWrite(p)

Inv == (\A p \in Proc : pc[p] = "done") => counter = Cardinality(Proc)
====

What to abstract away

TLC explores every interleaving. Every variable you keep multiplies the state space. → tlaplus-model-reduction if TLC runs out of memory.

Do not

Do not translate line-by-line. A 10-line critical section under one lock is ONE action, not ten.
Do not forget UNCHANGED. Omitting it means "anything can happen to this variable" — you'll get spurious counterexamples.
Do not model infinite domains without bounding. counter \in Nat → TLC never finishes. Use counter \in 0..N in the .cfg.
Do not add fairness unless you're checking liveness. For safety (invariants), fairness is irrelevant and slows TLC.
Do not trust an Inv that passes without also checking you modeled the actions right. Sanity-check: does TLC find a state where pc[p] = "done" for all p? If not, your model never terminates and the invariant is vacuously true.

Output format

## State
VARIABLES <list> — <each maps to what code construct>

## Actions
<Action> — atomic because <lock region | CAS | between awaits>
...

## Spec
<TLA+ module>

## .cfg
<constants, invariants, state constraints for TLC>

## Abstractions made
<what you dropped and why it's sound to drop>

Related Skills

santosomar/verified-pseudocode-extractor

development

VerifiedTrustedCommunity

Extracts human-readable pseudocode from a verified formal artifact (Dafny, Lean, TLA+) while preserving the verified properties as annotations, so the proof-carrying logic can be reimplemented in a production language. Use when porting verified code to an unverified target, when documenting what a formal spec actually does, or when handing a verified algorithm to an implementer.

SKILL.mdUpdated Apr 13, 2026

santosomar/verified-pseudocode-extractor

santosomar/tlaplus-spec-generator

development

VerifiedTrustedCommunity

Translates natural-language or pseudocode descriptions of concurrent and distributed systems into TLA+ specifications ready for the TLC model checker. Identifies state variables, actions, type invariants, safety properties, and liveness properties from the description. Use when formalizing a protocol, when the user describes a distributed algorithm to verify, when designing a consensus or locking scheme, or when starting formal verification of a concurrent system.

SKILL.mdUpdated Apr 13, 2026

santosomar/tlaplus-spec-generator

santosomar/tlaplus-model-reduction

testing

VerifiedTrustedCommunity

Reduces a TLA+ model so TLC can actually check it — shrinks constants, adds state constraints, abstracts data, or applies symmetry — when the state space is too large to enumerate. Use when TLC runs out of memory, when checking takes hours, or when a spec works at N=2 and you need confidence at larger scale.

SKILL.mdUpdated Apr 13, 2026

santosomar/tlaplus-model-reduction

santosomar/tlaplus-guided-code-repair

development

VerifiedTrustedCommunity

TLA+-specific instance of model-guided repair — reads a TLC error trace, identifies the enabling condition that should have been false, strengthens the corresponding action, and maps the fix to source code. Use when TLC reports an invariant violation or deadlock and you have the code-to-TLA+ mapping from extraction.

SKILL.mdUpdated Apr 13, 2026

santosomar/tlaplus-guided-code-repair

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/santosomar/general-secure-coding-agent-skills.git

# Copy into Claude Code skills folder (global)
cp -r general-secure-coding-agent-skills/skills/verification/program-to-tlaplus-spec-generator ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

santosomar/general-secure-coding-agent-skills

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT