Expand SMT decidable fragment (Tier 2 verification)

[aallan]

Audit Finding

Currently 10 of 13 example programs fall to Tier 3 (runtime check fallback) because the SMT translation layer only handles the decidable QF_LIA + Boolean fragment. Programs involving recursion, pattern matching, generics, quantifiers, or effect operations cannot be statically verified.

What falls to Tier 3 today

• Recursion — factorial, mutual_recursion, list_ops
• Pattern matching — match expressions in function bodies
• Generics — forall type parameters
• Quantifiers — forall/exists in contracts
• Effect operations — custom effect handlers

What Tier 2 would add

• Inductive proofs for recursive functions (using decreases clauses)
• Match arm translation to Z3 (case analysis)
• Generic instantiation at verification time
• Bounded quantifier support

Roadmap

Incremental across C6-C8. The Tier 3 fallback with runtime checks is the correct architecture for now — this issue tracks expanding what can be statically verified.

[aallan]

Progress update (v0.0.24): The original issue noted 10 of 13 examples falling to Tier 3. Current state with 14 examples:

• 10 of 14 examples are fully Tier 1 (all contracts statically verified): absolute_value, closures, effect_handler, hello_world, modules, pattern_matching, quantifiers, refinement_types, safe_divide (9 fully verified), plus the module example
• 4 of 14 have some Tier 3 contracts: factorial (1/3), generics (2/8), increment (1/2), list_ops (3/6)

The remaining Tier 3 contracts are primarily: decreases clauses (#45), old/new state expressions (#70), and generic function contracts (#20). Significant improvement from the original assessment.

[aallan]

Dependencies:

• Blocks: Decreases clause termination verification #45 (decreases clause termination verification) — the SMT solver needs to be able to translate decreases expressions to Z3 before termination proofs can work
• Related: Nested constructor pattern codegen #131 (nested constructor patterns) — expanding the decidable fragment to include match expressions would enable Tier 1 verification of pattern-matching functions (currently all Tier 3)
• Related: Register Diverge as built-in effect #136 (Diverge effect) — Diverge registration is a precursor; once registered, the verifier can distinguish functions that must prove termination from those that declare non-termination

[aallan]

Design alignment: Core to the project mission -- serves Goal 1 (checkability) and Goal 5 (contracts as source of truth). With 10/13 examples falling to Tier 3, the verification system delivers limited static guarantees today. Expanding the SMT fragment means more contracts are proven at compile time, directly increasing the value of writing contracts.

Implementation guidance (prioritize by impact):

• Match-arm translation to Z3 (ITE chains) would graduate the most examples -- each match arm becomes an if-then-else in the Z3 encoding
• Recursive function unrolling with bounded depth handles factorial/list_ops patterns
• Quantifier instantiation (forall/exists) can use Z3's native quantifier support with pattern triggers
• Each extension follows the established pattern in SmtContext.translate_expr(): return a Z3 expression for supported constructs, None for unsupported
• Also serves Goal 6 (constrained expressiveness) -- verified contracts reject more incorrect programs at compile time