Design by Contract Cookbook

This subsection is the canonical v0.34.7 guide for Nitpick's Design by Contract (DbC) and final-safety-net surfaces. It supersedes older scattered notes in guide/functions/design_by_contract.md, guide/verification/03_contracts.md, and the DbC portions of guide/advanced_features/verification.md where those pages are shorter or stale.

The v0.34.x cycle locked the shipped behavior of the failsafe family and DbC family:

• failsafe endpoint hardening and !!! dispatch
• exit scope rules for main and failsafe
• requires and ensures contract obligations
• the result pseudo-variable inside ensures
• loop invariant obligations
• hard prove proof directives
• CTFE-driven assert_static
• limit<Rules> compile-time diagnostics and runtime failsafe checks

Chapters

1. Requires — preconditions, caller obligations, contradiction checks, and where to place boundary assumptions.
2. Ensures — postconditions, the result pseudo-variable, downstream propagation, and result-scope diagnostics.
3. Invariants — loop entry/back-edge obligations, purity rules, and --debug-contracts runtime checks.
4. Prove — hard compile-time proof obligations, Z3 outcomes, --debug-z3, and ARIA-073/074 diagnostics.
5. assert_static — CTFE assertions, runtime fallback, built-in macro compatibility, and ARIA-075.
6. limit — Rules definitions, compile-time ARIA-076 failures, runtime assignment checks, and failsafe code 49.
7. Failsafe workflow — main, failsafe, exit, !!!, and the v0.34.x error-code table.
8. Z3 cookbook — solver-friendly code, reports, debug dumps, counterexamples, and when to prefer runtime fallback.

Quick mental model

• Put requires on the inputs a function needs.
• Put ensures on facts callers may rely on after success.
• Use result only inside ensures clauses.
• Put invariant on loop facts that must hold before the first iteration and after each back-edge.
• Use prove(expr); when failure to prove must stop compilation.
• Use assert_static expr; when a proven fact should erase, but a dynamic fact may keep a runtime guard.
• Use limit<Rules> at boundaries to give both Z3 and runtime code a named range contract.
• Keep failsafe boring: it receives an unrecoverable code and exits.

Validation snapshot (v0.34.7)

• Compiler non-K CTest at v0.34.6: 158/158.
• K core tests: 201/201.
• K proofs: 14/14.
• v0.34.x DbC/failsafe bug regressions: bug675–bug712.
• DbC diagnostic codes emitted by this cycle: ARIA-068 through ARIA-076.
• ARIA-077 remains de-reserved at cycle close.