Contract-driven testing: vera test command

[aallan]

Summary

Vera's contracts already define what each function requires and guarantees. The three-tier verification system already classifies which properties are proved (Tier 1) vs runtime-checked (Tier 3). A vera test command would close the loop by automatically exercising Tier 3 contracts with generated inputs.

Motivation

In traditional development, tests are a separate artefact maintained alongside code. In Vera, contracts ARE the specification — requires() defines the valid input space, ensures() defines expected behavior. Test management should fall out of the language design, not be bolted on.

What this enables

• Property-based test generation — requires() clauses define the input space; the compiler generates valid inputs automatically and checks ensures() at runtime
• Automatic coverage reporting — vera verify already reports Tier 1 (proved) vs Tier 3 (runtime) counts; vera test would exercise the Tier 3 contracts
• No separate test files for contract-covered properties — the contracts are the tests

Possible future extensions

• Cross-function scenario testing (call A then B then C, check end-to-end properties)
• Mutation testing (change the implementation, see if any contract breaks)
• Shrinking (minimize failing inputs, as in QuickCheck/Hypothesis)

Relationship to existing work

• Contracts and verification are complete (C4/C6)
• Runtime contract insertion is working (Tier 3 checks compile to WASM)
• vera verify --json already provides the tier breakdown (tier1_verified, tier3_runtime, total)

Roadmap

Fits naturally into C8 (end-to-end) or as a standalone phase.

[aallan]

Strategic framing: assistive vs autonomous workflows

An external analysis raised a useful distinction between two visions of LLM-native tooling:

Version A — Assistive. LLM helps a human write correct Vera code. The current diagnostics (structured JSON, counterexamples, rationale/fix/spec_ref) are already well-suited for this. A vera test command would give the human confidence that Tier 3 contracts are exercised.

Version B — Autonomous. LLM generates and self-corrects Vera code independently at scale. Here, contract-driven testing becomes strategically important: the LLM needs to run a repair loop (generate -> verify -> fix -> re-verify) and vera test would exercise the contracts that Z3 can't prove statically. Measuring repair convergence (steps-to-fix across error types) becomes a research question.

The contract-driven testing design should support both modes:

• For Version A: vera test exercises Tier 3 contracts with generated inputs and reports pass/fail in a human-readable format
• For Version B: JSON output mode (vera test --json) enables programmatic repair loops, and the requires() clauses define the input generation space automatically

This framing may inform design choices around output format, input generation strategy, and integration with the existing --json diagnostic protocol.

[aallan]

Dependencies:

• Related: vera fmt — canonical formatter #75 (vera fmt) — both are CLI tooling features in C8b
• Related: Remove unused hypothesis dependency #138 (hypothesis dependency) — if property-based testing is added to vera test, the hypothesis library (currently unused) could be leveraged for the implementation
• Related: Expand SMT decidable fragment (Tier 2 verification) #13 (expand SMT fragment) — contract-driven testing generates test cases from contracts; richer SMT support means richer test generation

[aallan]

Design alignment: This issue directly exemplifies Goal 5 (contracts as source of truth). If contracts are specifications, then testing should derive from contracts, not be a separate artifact.

Implementation guidance:

• Use requires() clauses to define the valid input space; generate constrained random or SMT-guided inputs
• Run the function and check ensures() postconditions at runtime
• For Tier 3 contracts specifically, this converts unverified to tested -- closing the verification gap
• The hypothesis dev dependency (Remove unused hypothesis dependency #138) is a natural backend for input generation
• Consider a --property mode that runs many inputs and a --boundary mode that targets constraint boundaries

[aallan]

MVP implementation complete on branch add-vera-test. PR incoming.

What shipped:

• vera test file.vera -- tests all public functions with Z3-generated inputs
• vera test --json file.vera -- JSON output for machine consumption
• vera test --trials N file.vera -- configurable trial count (default 100)
• vera test file.vera --fn name -- test a single function
• Tier classification: verified (Tier 1), tested (Tier 3), skipped (generic/unsupported)
• Z3-based input generation for Int, Nat, Bool parameters
• Boundary value seeding (0, 1, -1, etc.) before diversity loop
• 24 new tests (13 unit + 11 CLI)

Not in this MVP (future work):

• Float64 parameter support (Z3 Real != IEEE 754)
• String, Array, ADT parameter generation
• Hypothesis integration for complex types
• Mutation testing, shrinking, cross-function scenarios

[aallan]

Closed by #168 (v0.0.47). Remaining work tracked in follow-up issues (links incoming).

[aallan]

Follow-up issues for remaining vera test work:

• #169 Float64 and compound type input generation
• #170 hypothesis integration and advanced testing