Implement Tier 2 verification (Z3-guided with hints from assert/lemma)

[aallan]

The verification specification (spec/06-contracts.md) describes three verification tiers. Tiers 1 and 3 are implemented. Tier 2 is specified but not implemented in the reference compiler.

What Tier 2 covers: Extends the decidable fragment by allowing Z3 to use hints from assert statements (treated as axioms for subsequent verification conditions) and lemma functions — pure functions with Unit bodies whose contracts establish facts for the verifier (see spec section 6.6).

Current behaviour: All contracts that Z3 cannot prove statically fall directly to Tier 3 (runtime check with a warning). The vera verify --json output never reports tier2_hints.

Expected behaviour after this issue:

• assert(expr) statements in function bodies are passed as axioms to Z3 when verifying subsequent contracts
• Calls to lemma functions cause the lemma postcondition to be assumed as an axiom
• vera verify --json reports tier2_hints count

Spec references: sections 6.3.2, 6.4.3, 6.6, 6.8

[aallan]

Cross-ref: aallan/vera-bench#14 proposes strengthening postconditions on benchmark problems to catch slot-swap bugs. Some of these stronger contracts may need Tier 2 hints to verify — Tier 1 (automatic Z3) may not be sufficient for relational postconditions like GCD correctness.

[aallan]

Concrete data from VeraBench postcondition strengthening (vera-bench#14)

We just strengthened postconditions on 7 benchmark problems. The results show exactly where Tier 1 hits its limits and where Tier 2 would help:

Z3 proves at Tier 1 (no hints needed)

Problem	Postcondition	Notes
multiply(a,b)	result == a * b	Inductive proof over repeated addition
div_natural(a,b)	result * b <= a	Division invariant
sum_to_n(n)	result >= n	Weak bound, but still useful
gcd(a,b)	result <= a || b > 0	Weak bound on GCD

Z3 cannot prove at Tier 1

Problem	Attempted postcondition	Why it fails
power(base,exp)	result >= 1	Z3 can't prove base * power(base, exp-1) >= 1 inductively — needs to know recursive call returns >= 1
gcd(a,b)	a % result == 0	Modular arithmetic with recursion — beyond decidable fragment

Falls to Tier 3 (effect handlers)

Problem	Postcondition	Notes
counter()	result == 3	State handler body outside decidable fragment
state_double(x)	result == x * 2	Same — handle[State<Int>] blocks SMT translation
state_max(n)	result == n	Same

What Tier 2 would unlock

The power(base, exp) case is interesting — result >= 1 is true for all Nat inputs but Z3 can't prove it without a lemma establishing that the recursive call returns >= 1. A Tier 2 assert or lemma hint could bridge this gap:

-- Tier 2 hint: recursive result is always >= 1
assert(power(@Nat.1, @Nat.0 - 1) >= 1)

This is exactly the class of problem Tier 2 is designed for — properties that are true but need an inductive hint for the solver.

The State handler cases (Tier 3) would likely stay at Tier 3 even with Tier 2, since the fundamental issue is that effect handlers are outside the SMT translation entirely.

[aallan]

Tracked in compiler / spec limitation tables

This issue is referenced as an open limitation in: spec/06-contracts.md § 6.9 Limitations.

When closing this issue, please update those references too — the limitation tables in vera/README.md and the spec chapters don't get the same regular hygiene pass as KNOWN_ISSUES.md, so it's easy for them to drift behind reality.

[aallan]

Spec-update reminder for when this is fixed

When Tier 2 (Z3-guided) verification lands, the PR that closes this issue must clear out the NYI callouts spread across the spec. Sites in spec/06-contracts.md:

• §6.3.2 — the > **Status: Not yet implemented.** block above the Tier 2 list (currently around line 149).
• §6.3.3 (forall description, currently around line 178) — the sentence "reaches the decidable fragment only via Tier 2 (Z3-guided), which is not yet implemented" needs to be reframed to past tense. The follow-on "At present every forall falls to Tier 3" claim becomes false.
• §6.3.3 (exists description, currently around line 196) — symmetric reword needed.
• §6.4.1 Tier 2 VCs description (currently around line 235) — "with hints, not yet implemented — [Implement Tier 2 verification (Z3-guided with hints from assert/lemma) #427]" should become an active description.
• §6.6 Lemma functions (currently around line 290) — > **Status: Not yet implemented.** block above the lemma example.
• §6.8 Tier table (currently around line 337) — row 2 says "Extended ... [not yet implemented]"; remove the bracket.
• §6.9 Limitations table — first row "Tier 2 verification ... is specified in §6.3.2 and §6.6 but not implemented". Delete.

Added 2026-05-11 as part of #650.