Built-in nat_add / nat_sub_sat / nat_mul to eliminate the Nat round-trip dance

[aallan]

Vera version: vera 0.0.138
Origin: Friction surfaced while writing terminal Tetris on Vera 0.0.138.

Problem

Programs maintaining Nat counters (Tetris had a "lines cleared" counter) can't add two Nats without a five-line round-trip:

let @Int = nat_to_int(@Nat.1) + nat_to_int(@Nat.0);
let @Nat = match int_to_nat(@Int.0) {
  Some(@Nat) -> @Nat.0,
  None -> 0    -- unreachable for Nat+Nat, but the compiler can't see that
};

Five lines and an unreachable arm to add two non-negative integers. Most painful gap by frequency.

Proposed (revised after design review)

Two new total built-ins:

• nat_add(@Nat, @Nat) -> @Nat — addition. Result is provably >= 0, so totality is direct.
• nat_mul(@Nat, @Nat) -> @Nat — multiplication. Same.

Both are total (no preconditions, no error path) and the verifier discharges totality directly via the Nat refinement.

Rejected: saturating nat_sub_sat

The friction document proposed a third built-in, nat_sub_sat(@Nat, @Nat) -> @Nat, with saturating semantics (clamp to 0 on underflow). Rejected on design-principle grounds:

Design anchor

Vera's design principles (DESIGN.md) commit to:

5. Contracts as the source of truth. Every function declares what it requires and guarantees. The compiler verifies statically where possible.

and in the technical-decisions table:

Refinement types — { @T | predicate } checked by Z3 — Encode value-level constraints in the type system; rejected statically or at runtime.

The whole point of the Nat refinement is that any narrowing from Int carries a non-negativity obligation that has to be discharged — currently via the explicit int_to_nat match. A saturating nat_sub_sat papers over that obligation by silently losing data on underflow. That trades a writer-visible signal for a runtime-invisible one and inverts the contract-as-source-of-truth principle: the contract no longer reflects what actually happens at runtime when the precondition is violated.

This also runs against principle 2. Explicitness over convenience ("All state changes declared. ... No implicit behaviour") — saturating subtraction is implicit data loss.

Where the right fix lives

#552 generalises the @Nat invariant check to all binding sites — once that lands, narrowing into a @Nat-typed let binding becomes obligation-checked statically (rather than requiring the explicit int_to_nat match), and the @Nat - @Nat case can be reduced to a thin compile-time check. That preserves the obligation's visibility while removing the boilerplate.

If a real driver emerges for nat_sub specifically (rather than for all narrowing positions), it should be a nat_sub_checked(@Nat, @Nat) -> @Option<Nat> — total, signal-preserving — not a saturating variant.

Verification

Both proposed built-ins are total — the verifier discharges totality via the Nat refinement at codegen time.

Origin

Friction document from terminal Tetris experiment; reframed after design review against Vera's refinement-type principle.

[aallan]

Closing as redundant — empirically tested.

After hard re-evaluation against DESIGN.md principles, this proposal is solving a documentation gap, not a language gap. Tested on current main:

public fn add_nats(@Nat, @Nat -> @Nat)
  requires(true) ensures(true) effects(pure)
{
  @Nat.0 + @Nat.1
}

$ vera verify add_nats.vera
OK: add_nats.vera
Verification: 4 verified (Tier 1)

$ vera run add_nats.vera     # via main wrapper
3 + 5 = 8

Nat + Nat -> Nat works directly today, type-checks, verifies at Tier 1, and runs. Same for Nat * Nat -> Nat. Bidirectional Int <: Nat subtyping (the mechanism that makes this work) is already implemented in the type checker.

For Nat - Nat -> Nat, the design-aligned form takes a precondition:

fn sub_nats(@Nat, @Nat -> @Nat)
  requires(@Nat.0 <= @Nat.1)   -- caller proves no underflow
  ensures(true)
  effects(pure)
{ @Nat.1 - @Nat.0 }

That works at Tier 1 too. The precondition is the visible underflow obligation refinement types are designed to expose — DESIGN.md principle 5 ("Contracts as the source of truth"); a saturating nat_sub_sat would paper over it.

Why the friction-doc author hit this

The five-line int_to_nat round-trip exists when the writer doesn't know about Int <: Nat narrowing — which is exactly what #607 tracks ("bidirectional Int <: Nat subtyping is implemented in the type checker but not surfaced in user-facing docs — agents discover it by surprise"). This issue is a manifestation of #607's documentation gap, not a separate stdlib request.

Design anchor for the rejection

DESIGN.md principle 6. Constrained expressiveness:

Fewer valid programs means fewer opportunities for the model to be wrong.

Adding nat_add / nat_mul as built-ins creates a second valid spelling for what + and * already do. That violates principle 6 and principle 3 ("One canonical form. Every construct has exactly one textual representation"). The canonical form is + / *; a domain-specific built-in alongside them is a non-canonical alternative.

Where the real fix lives

#607 — document Int <: Nat subtyping in user-facing materials so agents stop hand-rolling the round-trip. That's the single intervention that closes this friction class.