Goal
Coordinate adoption of V&V techniques across all pulseengine production repositories so that every safety-critical project has the same baseline coverage and the certification story is consistent end-to-end.
Operating principle: overdo on testing rather than undercommit. Child issues are deliberately granular so per-repo agents can work them independently.
The four-gate pipeline (reference architecture)
Every production push should pass four gates before hardware:
- Pre-commit hooks — fast shift-left checks (rivet's 21-hook template is the reference)
- `bazel test //...` — hermetic test + proof gate
- GitHub Actions CI — Miri, sanitizers, proptest, fuzz smoke, differential, mutation, integration
- cargo-kiln verify-matrix — ASIL profile gate before release
Coverage matrix (current state)
| Technique | Coverage today |
| --- | --- |
| Verus SMT | kiln, rivet, sigil (partial) |
| Kani bounded MC | kiln, rivet, z/gale, relay, meld, sigil, wohl (7 repos, 2000+ proofs) |
| Rocq theorem proving | meld (28 files), synth (24), relay (5), z/gale (partial), loom (partial) |
| Lean 4 + Mathlib | z/gale (2k lines), spar (592), relay (459), sigil (203) |
| Aeneas (Rust→Lean) | Scaffolded in rules_lean; blocked on hermetic Charon (see pulseengine/rules_lean#1) |
| Loom Z3 translation validation | pulseengine/loom (WASM optimizer, bespoke) |
| proptest | 17 repos |
| tokio-rs/loom concurrency | thrum only (archived) |
| Miri | rivet (in CI), kiln (tool-versioned) |
| Sanitizers (ASAN/TSAN/LSAN) | z/gale (wired in .cargo/config.toml) |
| cargo-fuzz | 9 repos, 80+ targets |
| Differential testing | loom, relay, rivet |
| Mutation testing (cargo-mutants) | rivet (pre-commit) |
| criterion benchmarks | 9 repos |
| Rivet traceability | 13 repos with rivet.yaml |
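To make the matrix concrete, here is an added example (not code from any pulseengine repo) of what "baseline coverage" looks like on one function: a small frame decoder carried through a differential test against a naive reference implementation, a deterministic property loop that stands in for a proptest strategy so it runs with no external crates, and a Kani bounded-model-checking harness that is only compiled under `cargo kani`. The frame format (u16 big-endian length prefix plus payload), the `MAX_PAYLOAD` bound and all function names are assumptions chosen for illustration.

```rust
// Added example, not pulseengine code. One decoder, three techniques from the
// coverage matrix: differential testing, a property loop (proptest stand-in),
// and a Kani harness. Frame format and names are illustrative assumptions.

/// Errors a decoder returns instead of panicking on hostile input.
#[derive(Debug, PartialEq, Eq)]
pub enum FrameError {
    Truncated,      // fewer bytes than the header or the declared length
    OversizedFrame, // declared length exceeds MAX_PAYLOAD
}

/// Assumed upper bound on a payload; also keeps the Kani state space small.
pub const MAX_PAYLOAD: usize = 64;

/// Production decoder: must never panic, never read past `buf`, and return
/// the payload slice plus the number of bytes consumed.
pub fn decode_frame(buf: &[u8]) -> Result<(&[u8], usize), FrameError> {
    if buf.len() < 2 {
        return Err(FrameError::Truncated);
    }
    let len = usize::from(u16::from_be_bytes([buf[0], buf[1]]));
    if len > MAX_PAYLOAD {
        return Err(FrameError::OversizedFrame);
    }
    // checked_add: Kani would flag a plain `2 + len` as a possible overflow.
    let end = 2usize.checked_add(len).ok_or(FrameError::Truncated)?;
    let payload = buf.get(2..end).ok_or(FrameError::Truncated)?;
    Ok((payload, end))
}

/// Reference decoder: deliberately naive (byte-by-byte copy into a Vec).
/// Differential testing compares it with `decode_frame` on identical inputs.
pub fn decode_frame_reference(buf: &[u8]) -> Result<(Vec<u8>, usize), FrameError> {
    let mut it = buf.iter().copied();
    let hi = it.next().ok_or(FrameError::Truncated)?;
    let lo = it.next().ok_or(FrameError::Truncated)?;
    let len = usize::from(hi) * 256 + usize::from(lo);
    if len > MAX_PAYLOAD {
        return Err(FrameError::OversizedFrame);
    }
    let mut out = Vec::with_capacity(len);
    for _ in 0..len {
        out.push(it.next().ok_or(FrameError::Truncated)?);
    }
    Ok((out, 2 + len))
}

/// Tiny deterministic xorshift64 so the property loop needs no crates.
/// What this does not give you, and proptest does, is shrinking.
struct XorShift(u64);
impl XorShift {
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
}

/// Differential property: both decoders agree on every generated input,
/// including truncated and oversized frames. Returns the number of cases run.
pub fn differential_check(cases: usize) -> usize {
    let mut rng = XorShift(0x9E37_79B9_7F4A_7C15); // fixed seed: reproducible
    for _ in 0..cases {
        // Declared lengths straddle the MAX_PAYLOAD boundary on purpose.
        let len = (rng.next_u64() % (MAX_PAYLOAD as u64 + 8)) as u16;
        let mut buf = len.to_be_bytes().to_vec();
        // Sometimes supply fewer payload bytes than declared (truncation case).
        let have = (rng.next_u64() % (u64::from(len) + 2)) as usize;
        for _ in 0..have {
            buf.push(rng.next_u64() as u8);
        }
        let fast = decode_frame(&buf).map(|(p, n)| (p.to_vec(), n));
        assert_eq!(fast, decode_frame_reference(&buf), "disagreement on {buf:?}");
    }
    cases
}

/// Kani harness (compiled only by `cargo kani`): for every buffer of up to
/// MAX_PAYLOAD + 2 bytes, decoding neither panics nor reports consuming
/// more bytes than were supplied.
#[cfg(kani)]
mod proofs {
    use super::*;
    #[kani::proof]
    fn decode_frame_is_total() {
        let buf: [u8; MAX_PAYLOAD + 2] = kani::any();
        let n: usize = kani::any();
        kani::assume(n <= buf.len());
        if let Ok((payload, used)) = decode_frame(&buf[..n]) {
            assert!(used <= n);
            assert!(payload.len() + 2 == used);
        }
    }
}
```

The differential loop is the part a `cargo mutants` run will exercise: a mutant that flips the `len > MAX_PAYLOAD` comparison or drops the `checked_add` is caught because the reference decoder disagrees, which is the property the matrix's "Differential testing" row is buying. The Kani harness covers the same decoder exhaustively up to the bound rather than by sampling, which is why the two techniques sit in different rows rather than substituting for each other.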
Phases and child issues
Phase 1 — Stop bleeding (visibility / CI hygiene)
Phase 2 — Formal methods adoption
Phase 3a — tokio-rs/loom concurrency
Phase 3b — criterion benchmarks (regression gate)
Phase 3c — cargo-fuzz targets
Phase 3d — mutation testing generalization
Phase 4 — Cross-cutting (on rivet)
- `rivet-validate` as required pre-commit hook wherever `rivet.yaml` exists
- `rivet coverage`
Phase 5 — Abstract interpretation (the third DO-333 technique class)
Three parallel MIRAI prototypes on different code styles (crypto, kernel, data-structure) to understand which property classes abstract interpretation catches on our actual code, followed by a strategic Charon-based value-analysis pass integrated into the hermetic toolchain.
Related (pre-existing)
Skipped (repos archived)
pulseengine/automator — GitHub CI + Verus adoption cannot be filed (archived, read-only)
pulseengine/thrum — cargo-fuzz cannot be filed (archived). Note: thrum is currently the only repo using tokio-rs/loom; worth considering whether to unarchive if loom-permutation-checking is part of the V&V strategy long-term.
Success metric
Every production repo (kiln, loom, meld, relay, rivet, sigil, spar, synth, gale, wohl) passes all four gates with:
- pre-commit hook parity with rivet's 21-hook config
- `bazel test //...` green
- GitHub Actions CI green
- Rivet traceability validated
References
Analysis thread (internal): full V&V inventory across 30 workspaces, DO-332 / DO-333 applicability, cross-domain standards mapping (ISO 26262, IEC 61508, EN 50128, IEC 62304, ECSS-Q-ST-80C, IEC 60880).
Roster summary
Created: 29 issues (1 hub + 28 children) across 10 repos.
Skipped (archived): 3 issues (automator×2, thrum×1).