pulseengine
diff --git a/‎AGENTS.md‎
Lines changed: 7 additions & 60 deletions b/‎AGENTS.md‎
Lines changed: 7 additions & 60 deletions
diff --git a/‎crates/spar-analysis/src/ai_ml/mod.rs‎
Lines changed: 275 additions & 0 deletions b/‎crates/spar-analysis/src/ai_ml/mod.rs‎
Lines changed: 275 additions & 0 deletions
@@ -9,8 +9,8 @@
 This project uses **Rivet** for SDLC artifact traceability.
 - Config: `rivet.yaml`
 - Schemas: common, dev, aspice, stpa, aadl
-- Artifacts: 221 across 3 types
-- Validation: `rivet validate` (current status: 21 errors)
+- Artifacts: 342 across 3 types
+- Validation: `rivet validate` (current status: pass)
 
 ## Available Commands
 
@@ -31,9 +31,9 @@ This project uses **Rivet** for SDLC artifact traceability.
 
 | Type | Count | Description |
 |------|------:|-------------|
-| `design-decision` | 46 | An architectural or design decision with rationale |
-| `feature` | 90 | A user-visible capability or feature |
-| `requirement` | 85 | A functional or non-functional requirement |
+| `design-decision` | 65 | An architectural or design decision with rationale |
+| `feature` | 103 | A user-visible capability or feature |
+| `requirement` | 174 | A functional or non-functional requirement |
 | `aadl-analysis-result` | 0 | Output of a spar analysis pass |
 | `aadl-component` | 0 | AADL component type or implementation imported from spar |
 | `aadl-flow` | 0 | End-to-end flow with latency bounds |
@@ -65,7 +65,7 @@ This project uses **Rivet** for SDLC artifact traceability.
 ## Working with Artifacts
 
 ### File Structure
-- Artifacts are stored as YAML files in: `artifacts`, `safety/stpa`, `safety/stpa/requirements.yaml`, `safety/stpa/architecture.yaml`, `safety/stpa/validation.yaml`
+- Artifacts are stored as YAML files in: `artifacts`, `safety/stpa`, `safety/stpa/requirements.yaml`, `safety/stpa/architecture.yaml`, `safety/stpa/validation.yaml`, `safety/stpa/solver-requirements.yaml`
 - Schema definitions: `schemas/` directory
 - Documents: `docs`
 
@@ -87,6 +87,7 @@ Use `rivet validate --format json` for machine-readable output.
 | `caused-by-uca` | Loss scenario is caused by an unsafe control action | `causes-scenario` |
 | `constrained-by` | Source is constrained by the target | `constrains` |
 | `constrains-controller` | Constraint applies to a specific controller | `controller-constrained-by` |
+| `contains` | Parent AADL component contains a child sub-component | `contained-by` |
 | `depends-on` | Source depends on target being completed first | `depended-on-by` |
 | `derives-from` | Source is derived from the target | `derived-into` |
 | `implements` | Source implements the target | `implemented-by` |
@@ -104,63 +105,9 @@ Use `rivet validate --format json` for machine-readable output.
 | `traces-to` | General traceability link between any two artifacts | `traced-from` |
 | `verifies` | Source verifies or validates the target | `verified-by` |
 
-## Verification Guide
-
-This project follows the PulseEngine Verification Guide for formal verification
-of generated code. See: https://pulseengine.eu/guides/VERIFICATION-GUIDE.md
-
-Key principles for agents:
-1. **Specification First** — get the `requires`/`ensures` right before proofs
-2. **Multiple Candidates** — generate 3-5 proof candidates before declaring intractable
-3. **Error Classification** — classify verifier errors explicitly before applying fixes
-4. **Feature Intersection** — code must compile as plain Rust AND pass Verus/Kani/Lean4
-5. **Multi-Track** — Verus (SMT/Z3), Lean4 (tactic proofs), Kani (bounded model checking)
-
-Verification tracks available:
-- **Verus**: `verus! { }` blocks with `requires`/`ensures`, 6-tier proof strategy
-- **Lean4**: Existing `proofs/` directory, `scheduling_verified.rs` extraction pattern
-- **Kani**: `#[kani::proof]` harnesses with `kani::any()` + `kani::assume()`
-- **Build-time**: `#[aadl(...)]` proc macros checking constants against AADL model
-
-Build systems:
-- **Cargo**: Development iteration (`cargo test`, `cargo kani`)
-- **Bazel**: CI/release with hermetic verification (`rules_verus`, `rules_lean`, `rules_wasm_component`)
-
-## Code Generation
-
-spar generates code from AADL models via `spar codegen`:
-
-```bash
-spar codegen --root Pkg::Sys.Impl --output ./generated --rivet *.aadl
-```
-
-Generated output includes:
-- WIT interfaces (component contracts)
-- Rust crate skeletons (implementation)
-- Bazel BUILD files (hermetic build + verification)
-- Three verification layers (build-time, test-time, formal proof)
-- rivet design documents with frontmatter
-- rivet verification artifacts
-
-The generated code targets the feature intersection of all verification
-tracks per the Verification Guide.
-
-## SysML v2 Integration
-
-SysML v2 requirements can be parsed and extracted into rivet:
-
-```bash
-spar sysml2 extract --requirements model.sysml --output reqs.yaml
-spar sysml2 lower model.sysml --output model.aadl
-```
-
-The full roundtrip: SysML v2 (requirements) → AADL (architecture) →
-Rust/WIT (code) → Tests/Proofs (evidence) → rivet (traceability).
-
 ## Conventions
 
 - Artifact IDs follow the pattern: PREFIX-NNN (e.g., REQ-001, FEAT-042)
 - Use `rivet add` to create artifacts (auto-generates next ID)
 - Always include traceability links when creating artifacts
 - Run `rivet validate` before committing
-- Reference the Verification Guide when generating or reviewing verified code
@@ -0,0 +1,275 @@
+//! AI/ML component analysis passes (Issue #91).
+//!
+//! Provides architecture-level safety analysis for AI/ML components using
+//! the `AI_ML` property set. Eight checks aligned with ISO/PAS 8800:
+//!
+//! | Pass                    | Severity | What it checks                                        |
+//! |-------------------------|----------|-------------------------------------------------------|
+//! | `ai_inference_deadline` | Error    | Inference latency fits within AADL deadline            |
+//! | `ai_fallback_coverage`  | Warning  | Every AI thread has Fallback_Strategy                  |
+//! | `ai_fallback_timing`    | Error    | Fallback latency fits within remaining deadline budget |
+//! | `ai_ood_coverage`       | Warning  | Confidence_Threshold requires OOD_Detection_Enabled    |
+//! | `ai_model_deployment`   | Error    | AI process bound to processor with sufficient compute  |
+//! | `ai_redundancy`         | Warning  | Redundant_Model fallback has second model on diff proc |
+//!
+//! Checks 7–8 from Issue #91 (drift monitoring, training provenance) were
+//! evaluated and dropped: they are documentation linting, not architecture
+//! analysis. If needed, extend `completeness.rs` or add a separate lint pass.
+
+use spar_hir_def::instance::SystemInstance;
+use spar_hir_def::item_tree::ComponentCategory;
+
+use crate::property_accessors::{
+    get_ai_ml_bool, get_ai_ml_string, get_confidence_threshold, get_fallback_latency,
+    get_inference_latency_range, get_processor_binding, get_timing_property, is_ai_ml_component,
+};
+use crate::{Analysis, AnalysisDiagnostic, Severity, component_path};
+
+/// AI/ML safety analysis — all eight checks in one pass.
+pub struct AiMlAnalysis;
+
+impl Analysis for AiMlAnalysis {
+    fn name(&self) -> &str {
+        "ai_ml"
+    }
+
+    fn analyze(&self, instance: &SystemInstance) -> Vec<AnalysisDiagnostic> {
+        let mut diags = Vec::new();
+
+        for (comp_idx, comp) in instance.all_components() {
+            let props = instance.properties_for(comp_idx);
+
+            if !is_ai_ml_component(props) {
+                continue;
+            }
+
+            let path = component_path(instance, comp_idx);
+
+            // Thread-level checks (inference, fallback, OOD)
+            if comp.category == ComponentCategory::Thread {
+                check_inference_deadline(props, &path, &mut diags);
+                check_fallback_coverage(props, &path, &comp.name, &mut diags);
+                check_fallback_timing(props, &path, &mut diags);
+                check_ood_coverage(props, &path, &comp.name, &mut diags);
+            }
+
+            // Process-level checks (model deployment)
+            if comp.category == ComponentCategory::Process {
+                check_model_deployment(props, &path, &comp.name, &mut diags);
+            }
+
+            // Redundancy check: thread or process with Redundant_Model fallback
+            check_redundancy(instance, comp_idx, props, &path, &comp.name, &mut diags);
+        }
+
+        diags
+    }
+}
+
+// ── Check 1: Inference deadline ────────────────────────────────────
+
+fn check_inference_deadline(
+    props: &spar_hir_def::properties::PropertyMap,
+    path: &[String],
+    diags: &mut Vec<AnalysisDiagnostic>,
+) {
+    let Some((_, worst_case_ps)) = get_inference_latency_range(props) else {
+        return;
+    };
+    let Some(deadline_ps) = get_timing_property(props, "Deadline") else {
+        // AI thread with inference latency but no deadline — flag it
+        diags.push(AnalysisDiagnostic {
+            severity: Severity::Warning,
+            message: "AI/ML thread has Inference_Latency but no Deadline property; \
+                      cannot verify timing safety"
+                .to_string(),
+            path: path.to_vec(),
+            analysis: "ai_ml".to_string(),
+        });
+        return;
+    };
+
+    if worst_case_ps > deadline_ps {
+        let worst_ms = worst_case_ps as f64 / 1_000_000_000.0;
+        let deadline_ms = deadline_ps as f64 / 1_000_000_000.0;
+        diags.push(AnalysisDiagnostic {
+            severity: Severity::Error,
+            message: format!(
+                "AI/ML inference worst-case latency ({worst_ms:.1} ms) exceeds \
+                 thread deadline ({deadline_ms:.1} ms)"
+            ),
+            path: path.to_vec(),
+            analysis: "ai_ml".to_string(),
+        });
+    }
+}
+
+// ── Check 2: Fallback coverage ─────────────────────────────────────
+
+fn check_fallback_coverage(
+    props: &spar_hir_def::properties::PropertyMap,
+    path: &[String],
+    name: &Name,
+    diags: &mut Vec<AnalysisDiagnostic>,
+) {
+    if get_ai_ml_string(props, "Fallback_Strategy").is_none() {
+        diags.push(AnalysisDiagnostic {
+            severity: Severity::Warning,
+            message: format!(
+                "AI/ML thread '{}' has no Fallback_Strategy defined; \
+                 ISO/PAS 8800 recommends fallback measures for AI elements",
+                name
+            ),
+            path: path.to_vec(),
+            analysis: "ai_ml".to_string(),
+        });
+    }
+}
+
+// ── Check 3: Fallback timing ───────────────────────────────────────
+
+fn check_fallback_timing(
+    props: &spar_hir_def::properties::PropertyMap,
+    path: &[String],
+    diags: &mut Vec<AnalysisDiagnostic>,
+) {
+    let Some(fallback_ps) = get_fallback_latency(props) else {
+        return;
+    };
+    let Some(deadline_ps) = get_timing_property(props, "Deadline") else {
+        return;
+    };
+    let Some((_, worst_inference_ps)) = get_inference_latency_range(props) else {
+        return;
+    };
+
+    // In worst case: inference runs to deadline, then fallback must complete.
+    // Total = worst_inference + fallback must fit in deadline.
+    // More precisely: if inference fails at worst case, the fallback must
+    // complete within the remaining budget.
+    let total_ps = worst_inference_ps.saturating_add(fallback_ps);
+    if total_ps > deadline_ps {
+        let total_ms = total_ps as f64 / 1_000_000_000.0;
+        let deadline_ms = deadline_ps as f64 / 1_000_000_000.0;
+        let fallback_ms = fallback_ps as f64 / 1_000_000_000.0;
+        diags.push(AnalysisDiagnostic {
+            severity: Severity::Error,
+            message: format!(
+                "AI/ML worst-case inference + fallback ({total_ms:.1} ms) exceeds \
+                 deadline ({deadline_ms:.1} ms); fallback latency is {fallback_ms:.1} ms"
+            ),
+            path: path.to_vec(),
+            analysis: "ai_ml".to_string(),
+        });
+    }
+}
+
+// ── Check 4: OOD detection coverage ────────────────────────────────
+
+fn check_ood_coverage(
+    props: &spar_hir_def::properties::PropertyMap,
+    path: &[String],
+    name: &Name,
+    diags: &mut Vec<AnalysisDiagnostic>,
+) {
+    // If a confidence threshold is set, OOD detection should be enabled
+    if get_confidence_threshold(props).is_some() {
+        let ood_enabled = get_ai_ml_bool(props, "OOD_Detection_Enabled").unwrap_or(false);
+        if !ood_enabled {
+            diags.push(AnalysisDiagnostic {
+                severity: Severity::Warning,
+                message: format!(
+                    "AI/ML thread '{}' has Confidence_Threshold but OOD_Detection_Enabled \
+                     is not set; out-of-distribution inputs may produce silently wrong results",
+                    name
+                ),
+                path: path.to_vec(),
+                analysis: "ai_ml".to_string(),
+            });
+        }
+    }
+}
+
+// ── Check 5: Model deployment ──────────────────────────────────────
+
+fn check_model_deployment(
+    props: &spar_hir_def::properties::PropertyMap,
+    path: &[String],
+    name: &Name,
+    diags: &mut Vec<AnalysisDiagnostic>,
+) {
+    // Every AI process should be bound to a processor
+    if get_ai_ml_string(props, "Model_Format").is_some() && get_processor_binding(props).is_none() {
+        diags.push(AnalysisDiagnostic {
+            severity: Severity::Error,
+            message: format!(
+                "AI/ML process '{}' has Model_Format but no Actual_Processor_Binding; \
+                 cannot verify compute capacity for inference",
+                name
+            ),
+            path: path.to_vec(),
+            analysis: "ai_ml".to_string(),
+        });
+    }
+}
+
+// ── Check 6: Redundancy ────────────────────────────────────────────
+
+fn check_redundancy(
+    instance: &SystemInstance,
+    comp_idx: ComponentInstanceIdx,
+    props: &spar_hir_def::properties::PropertyMap,
+    path: &[String],
+    name: &Name,
+    diags: &mut Vec<AnalysisDiagnostic>,
+) {
+    let Some(strategy) = get_ai_ml_string(props, "Fallback_Strategy") else {
+        return;
+    };
+    if !strategy.eq_ignore_ascii_case("Redundant_Model") {
+        return;
+    }
+
+    // Check that a sibling AI component exists on a different processor
+    let my_binding = get_processor_binding(props);
+    let parent = instance.component(comp_idx).parent;
+    let Some(parent_idx) = parent else { return };
+
+    let siblings = &instance.component(parent_idx).children;
+    let has_redundant_peer = siblings.iter().any(|&sib_idx| {
+        if sib_idx == comp_idx {
+            return false;
+        }
+        let sib_props = instance.properties_for(sib_idx);
+        if !is_ai_ml_component(sib_props) {
+            return false;
+        }
+        let sib_binding = get_processor_binding(sib_props);
+        // Must be on a different processor
+        match (&my_binding, &sib_binding) {
+            (Some(mine), Some(theirs)) => !mine.eq_ignore_ascii_case(theirs),
+            _ => false,
+        }
+    });
+
+    if !has_redundant_peer {
+        diags.push(AnalysisDiagnostic {
+            severity: Severity::Warning,
+            message: format!(
+                "AI/ML component '{}' uses Redundant_Model fallback but no sibling \
+                 AI component found on a different processor",
+                name
+            ),
+            path: path.to_vec(),
+            analysis: "ai_ml".to_string(),
+        });
+    }
+}
+
+// ── Private helpers ────────────────────────────────────────────────
+
+use spar_hir_def::instance::ComponentInstanceIdx;
+use spar_hir_def::name::Name;
+
+#[cfg(test)]
+mod tests;