Use when designing state machines, verifying state transition logic, auditing existing state enums for impossible states or deadlocks, or when interactive-planning specs describe stateful behavior. Also use when user says "verify this state machine", "check for deadlocks", "tla", "formal verification", or "prove this design".
Formal verification of state machines using TLA+ model checking. Catches impossible states, deadlocks, and invariant violations that testing misses — because TLC explores every reachable state, not a sample.
/interactive-planning): Spec describes a state machine → generate TLA+ spec → verify before coding/tla-spec generate <source>Extract state machines and generate .tla + .cfg files.
Source types:
plan — read the current interactive-planning spec files for state machines<file-path> — extract from a Swift/TypeScript source file<description> — generate from a natural language descriptionSteps:
tla-verifier agent to generate .tla module and .cfg configdocs/tla/<machine-name>/Output structure:
docs/tla/<machine-name>/
<MachineName>.tla # TLA+ module
<MachineName>.cfg # TLC configuration
README.md # Human-readable state diagram + invariant list
/tla-spec verify [machine-name]Run TLC model checker against a generated spec.
Steps:
tlc or tla2tools.jar). If missing, install via brew install tlaplus or download jar.tla-verifier agent to run TLCExit conditions:
/tla-spec audit [path]Scan existing code for state machines, generate specs, verify them.
Steps:
tla-verifier agent to scan source files.tla for each detected machine/tla-spec drift [machine-name]Compare a planning-phase .tla spec against the implemented code.
Steps:
docs/tla/<machine-name>/When generating .tla files, follow these constraints:
balls, strikes, outs — not a single compound gameState)balls \in 0..3)strikes <= 2)INIT Init
NEXT Next
INVARIANT TypeInvariant
INVARIANT SafetyInvariant
When /interactive-planning produces specs that describe state machines:
digraph tla_gate {
"Spec written" -> "State machine detected?" [label="auto-scan"];
"State machine detected?" -> "Generate .tla" [label="yes"];
"State machine detected?" -> "Skip TLA" [label="no"];
"Generate .tla" -> "Run TLC";
"Run TLC" -> "Pass?" [label="results"];
"Pass?" -> "Proceed to implementation" [label="yes"];
"Pass?" -> "Fix spec, re-verify" [label="no"];
}
The skill checks spec files for these patterns:
TLC requires Java (already available on this machine).
# Option 1: Homebrew
brew install tlaplus
# Option 2: Direct jar download
curl -L -o /usr/local/lib/tla2tools.jar \
https://github.com/tlaplus/tlaplus/releases/latest/download/tla2tools.jar
alias tlc="java -jar /usr/local/lib/tla2tools.jar"
Input (Swift):
enum SessionPhase { case setup, loading, active, demo, error(String) }
// recordBall() → balls > 3 → walk
// recordStrike() → strikes > 2 → strikeout
// recordFoul() → strikes < 2 → increment, else no-op
Output (TLA+):
---- MODULE GameState ----
EXTENDS Integers
VARIABLES balls, strikes, outs, inning, isTop
TypeInvariant == balls \in 0..3 /\ strikes \in 0..2 /\ outs \in 0..2
/\ inning \in 1..9 /\ isTop \in BOOLEAN
Init == balls = 0 /\ strikes = 0 /\ outs = 0 /\ inning = 1 /\ isTop = TRUE
RecordBall ==
/\ balls < 3
/\ balls' = balls + 1
/\ UNCHANGED <<strikes, outs, inning, isTop>>
Walk ==
/\ balls = 3
/\ balls' = 0 /\ strikes' = 0
/\ UNCHANGED <<outs, inning, isTop>>
Next == RecordBall \/ Walk \/ RecordStrike \/ Strikeout \/ RecordFoul
====