{"id":48966675,"url":"https://github.com/ericspencer00/resilient","last_synced_at":"2026-05-06T07:05:45.235Z","repository":{"id":307400189,"uuid":"1029334883","full_name":"EricSpencer00/Resilient","owner":"EricSpencer00","description":"Rust-based, self-healing, formal verification based Programming Language","archived":false,"fork":false,"pushed_at":"2026-04-18T04:34:31.000Z","size":2339,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-18T04:40:22.719Z","etag":null,"topics":["programming-language"],"latest_commit_sha":null,"homepage":"http://ericspencer.us/Resilient/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EricSpencer00.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-07-30T22:18:06.000Z","updated_at":"2026-04-18T04:34:35.000Z","dependencies_parsed_at":"2025-07-31T04:23:03.427Z","dependency_job_id":"24853f24-5378-4028-b7a4-8e6ae9e90c4e","html_url":"https://github.com/EricSpencer00/Resilient","commit_stats":null,"previous_names":["ericspencer00/resilient"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/EricSpencer00/Resilient","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EricSpencer00%2FResilient","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EricSpencer00%2FResilient/tags","releases_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EricSpencer00%2FResilient/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EricSpencer00%2FResilient/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EricSpencer00","download_url":"https://codeload.github.com/EricSpencer00/Resilient/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EricSpencer00%2FResilient/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32110137,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-21T11:25:29.218Z","status":"ssl_error","status_checked_at":"2026-04-21T11:25:28.499Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["programming-language"],"created_at":"2026-04-18T04:34:16.918Z","updated_at":"2026-05-06T07:05:45.221Z","avatar_url":"https://github.com/EricSpencer00.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"docs/assets/images/logo-full-transparent.png\" alt=\"Resilient\" width=\"520\"\u003e\n\n### A statically-typed, compiled language built for code that *cannot fail.*\n\n*Self-healing live blocks. Z3-backed contracts. Signed certificates. 
`no_std` from the metal up.*\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-664bd3.svg?style=flat-square)](LICENSE)\n[![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-9b7ff0.svg?style=flat-square)](CONTRIBUTING.md)\n[![GitHub Issues](https://img.shields.io/github/issues/EricSpencer00/Resilient?style=flat-square\u0026color=664bd3)](https://github.com/EricSpencer00/Resilient/issues)\n[![Docs](https://img.shields.io/badge/docs-ericspencer.us%2FResilient-2d1f60.svg?style=flat-square)](https://ericspencer.us/Resilient/)\n\n[**📖 Docs**](https://ericspencer.us/Resilient/) \u0026nbsp;·\u0026nbsp;\n[**🛝 Playground**](https://ericspencer.us/Resilient/playground/) \u0026nbsp;·\u0026nbsp;\n[**🚀 Get Started**](https://ericspencer.us/Resilient/getting-started) \u0026nbsp;·\u0026nbsp;\n[**🧭 Philosophy**](https://ericspencer.us/Resilient/philosophy) \u0026nbsp;·\u0026nbsp;\n[**⚡ Performance**](https://ericspencer.us/Resilient/performance) \u0026nbsp;·\u0026nbsp;\n[**🧠 Memory Model**](https://ericspencer.us/Resilient/memory-model) \u0026nbsp;·\u0026nbsp;\n[**🩺 Examples**](https://github.com/EricSpencer00/Resilient-examples) \u0026nbsp;·\u0026nbsp;\n[**🤝 Contributing**](CONTRIBUTING.md)\n\n\u003c/div\u003e\n\n---\n\n\u003e **Resilient is open source under the MIT license — contributions from humans *and* AI agents are first-class.**\n\nResilient is a statically-typed compiled language for **safety-critical embedded systems** — Z3-verified function contracts (`requires` / `ensures`) discharged at compile time, a `#![no_std]` runtime that cross-compiles to Cortex-M and RISC-V bare metal, and self-healing `live { }` blocks that recover from transient hardware faults. 
Compare it to [Rust embedded](https://ericspencer.us/Resilient/compare/rust-vs-resilient), [Ada / SPARK](https://ericspencer.us/Resilient/compare/ada-spark-vs-resilient), and [MISRA C](https://ericspencer.us/Resilient/compare/misra-c-vs-resilient), or read the [DO-178C](https://ericspencer.us/Resilient/standards/do-178c), [ISO 26262](https://ericspencer.us/Resilient/standards/iso-26262), and [IEC 62304](https://ericspencer.us/Resilient/standards/iec-62304) standards mappings.\n\n## Trust model\n\nResilient treats AI-written code as **untrusted input** to a trusted\nverifier — not as a participant in the proof. The compiler, Z3, and TLA+\nre-derive every safety claim from the typed AST; nothing the LLM asserts\nin a comment or message is taken at face value.\n\nIn short: the LLM is a *client* of the type system, not the prover.\n\n- **[STRUCTURAL_ENFORCEMENT.md](docs/STRUCTURAL_ENFORCEMENT.md)** —\n  the boundary, what's structural, what's external, what we trust.\n- **[EXPRESSIBLE_INVALID_STATES.md](docs/EXPRESSIBLE_INVALID_STATES.md)** —\n  the public registry of what Resilient *cannot yet* prevent\n  structurally, with a closing ticket per gap.\n- **[VERIFICATION_LIMITS.md](docs/VERIFICATION_LIMITS.md)** —\n  RES-202: where verification's guarantees end and real-world\n  uncertainty begins.\n\nIf you've read a critique that says \"this is just self-consistency, not\nsafety,\" start with the first link.\n\n## Core Philosophy\n\nResilient is a statically-typed, compiled programming language designed from the ground up for extreme reliability in embedded and safety-critical systems. Its core philosophy is built on three pillars:\n\n### Resilience\nFailures are inevitable. Resilient treats them as expected events, not exceptions. The language provides built-in mechanisms for code to \"self-heal\" and continue execution, ensuring the system never enters a non-functional state.\n\n### Verifiability\nIt shouldn't just work; it must be provably correct. 
Resilient integrates concepts from formal methods to allow developers to define and verify system invariants at compile time.\n\n### Simplicity\nThe syntax is designed to be minimal and unambiguous, reducing the cognitive load on the developer and minimizing the surface area for bugs.\n\n## Target Applications\n\n- **Automotive**: Engine control units (ECUs), autonomous driving systems, braking systems.\n- **Aerospace**: Flight control systems, drone autopilots.\n- **Industrial Automation**: Robotic arms, safety controllers on manufacturing lines.\n- **Medical Devices**: Infusion pumps, monitoring equipment.\n\n## Safety Standards\n\nResilient is not a certified tool and does not claim DO-178C,\nISO 26262, or IEC 61508 conformance — tool qualification is a\nmulti-year effort that has not started. What the language does\nprovide is a set of features (formal contracts, re-verifiable\nSMT-LIB2 certificates, signed manifests, `static-only` heap\nenforcement, ASCII-only identifiers, deterministic execution)\nthat map directly to specific objectives in each standard and\nreduce the evidence burden on the integrator. See the\n[Certification and Safety Standards](https://ericspencer.us/Resilient/certification)\npage for the concrete objective-by-objective mapping and the\nhonest list of gaps.\n\n## Key Features\n\n### The \"Live\" Block: Self-Healing Code\n\nThe cornerstone of Resilient is the live block. Any code within a live block is supervised by the Resilient runtime. If a recoverable error occurs within this block, the runtime will not panic or halt. Instead, it will reset the state of the block to its last known-good state and re-execute it.\n\n```\n// Example of a live block that handles division by zero\nlive {\n    let result = 100 / user_input;\n    println(\"Result: \" + result);\n}\n```\n\n### Formal Methods Lite: Invariants with assert\n\nFor the MVP, we introduce a simple form of formal verification using an enhanced assert macro. 
These assertions define critical system invariants—conditions that must always be true.\n\n```\n// System invariant that must not be violated\nassert(fuel_level \u003e= 0, \"Fuel level cannot be negative\");\n```\n\n### Static Type Checking\n\nResilient includes static type checking to catch type errors before runtime. This helps prevent common errors and ensures more reliable code.\n\n```\n// Function with typed parameters\nfn calculate_velocity(float distance, float time) {\n    return distance / time;\n}\n```\n\n### Improved Error Handling\n\nResilient provides detailed error messages and has sophisticated error recovery mechanisms, especially within live blocks.\n\n## Getting Started\n\nThe shipped CLI is **`rz`** — short for Resilient, matches the `.rz` source extension.\n\n### Install\n\nPick the path that matches what you have. Each leaves `rz` on `$PATH`.\n\n#### One-liner (recommended)\n\nDownloads the latest release binary into `~/.rz/bin/rz` (no sudo needed):\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/EricSpencer00/Resilient/main/scripts/install.sh | bash\n```\n\nThen add `~/.rz/bin` to `PATH` (the script prints the exact line for your\nshell). 
For a system-wide install: `RZ_PREFIX=/usr/local sudo bash`.\nPin a version with `RZ_VERSION=v0.1.0 …`.\n\n#### Pre-built binaries\n\nGrab the archive matching your platform from the\n[releases page](https://github.com/EricSpencer00/Resilient/releases),\nextract `rz`, and put it on `PATH`:\n\n```bash\nTAG=v0.1.0  # see the releases page for the latest\nTARGET=aarch64-apple-darwin  # or x86_64-apple-darwin / *-unknown-linux-gnu\ncurl -fSL \"https://github.com/EricSpencer00/Resilient/releases/download/${TAG}/rz-${TAG}-${TARGET}.tar.gz\" \\\n    | tar xz -C /usr/local/bin\nrz --version\n```\n\n#### From source via cargo install\n\nIf you have Rust installed:\n\n```bash\ngit clone https://github.com/EricSpencer00/Resilient.git\ncd Resilient\ncargo install --path resilient\nrz --version\n```\n\nThis puts `rz` in `~/.cargo/bin/rz` (already on `PATH` if cargo is configured\nnormally). Add `--features z3` for SMT-backed verification (requires\n`brew install z3` or `apt-get install libz3-dev`).\n\n#### Docker (RES-203)\n\nA prebuilt image is published to GitHub Container Registry on every\ntagged release. Pull + run without installing Rust:\n\n```bash\ndocker run --rm ghcr.io/ericspencer00/resilient:latest --help\n\n# Run a source file by mounting it in:\ndocker run --rm -v \"$PWD\":/work -w /work \\\n    ghcr.io/ericspencer00/resilient:latest resilient/examples/hello.rz\n```\n\nThe image is multi-arch (linux/amd64 + linux/arm64), built from `Dockerfile`\nat repo root. Ships with the `--features z3` build so the SMT-backed\nverifier works out of the box. 
Runs as an unprivileged `resilient` user\n(UID 1001) — mount working directories with matching permissions if you\nwant the binary to write certificates / artifacts back.\n\n### Hello, Resilient\n\n```bash\ncat \u003e hello.rz \u003c\u003c'EOF'\nfn main() {\n    println(\"Hello, Resilient!\");\n    return 0;\n}\nmain();\nEOF\n\nrz hello.rz\n# Hello, Resilient!\n```\n\n### Running an example\n\nThe repo's `resilient/examples/` directory has dozens of working programs:\n\n```bash\nrz resilient/examples/sensor_monitor.rz\n\n# With static type checking\nrz --typecheck resilient/examples/sensor_monitor.rz\n\n# With verification audit (shows static-vs-runtime contract coverage)\nrz --audit resilient/examples/sensor_monitor.rz\n```\n\nFor full mission-critical project demos — pacemaker, infusion pump, ABS\nbrake controller, traffic-light interlock, reactor coolant monitor, CAN\nbus parser — see the dedicated companion repo:\n\n➜ **[EricSpencer00/Resilient-examples](https://github.com/EricSpencer00/Resilient-examples)**\n\nEach project there is a small, runnable program with its own README\nexplaining the safety property, the language features it exercises,\nand the limitations or follow-up tickets.\n\n### Running the REPL\n\n```bash\nrz\n```\n\n### Building from source without installing\n\nIf you'd rather not install — typical contributor workflow:\n\n```bash\ncargo build --release --manifest-path resilient/Cargo.toml\n./resilient/target/release/rz resilient/examples/hello.rz\n```\n\n### SMT-backed verification (optional)\n\nResilient ships with a hand-rolled contract verifier that handles\nconstant folding, let-binding propagation, control-flow assumptions,\nand inter-procedural chaining. For contracts beyond that subset\n(e.g. 
universal tautologies like `x + 0 == x`), build with the\noptional `z3` feature to get full SMT-backed proofs:\n\n```bash\n# macOS:  brew install z3\n# Linux:  sudo apt-get install libz3-dev z3\nrz --audit prog.rz   # requires the binary built with --features z3\n```\n\nThe audit report tags clauses proven by Z3 separately so users can\nsee what the SMT layer added.\n\n### Verification certificates (RES-071)\n\nOnce Z3 has discharged a contract obligation, you can ask the driver\nto dump the proof as an SMT-LIB2 file so a downstream consumer can\nre-verify it under their own solver — without trusting the Resilient\nbinary:\n\n```bash\nrz --emit-certificate ./certs resilient/examples/cert_demo.rz   # requires --features z3 build\n```\n\nOne file is written per discharged obligation:\n`./certs/\u003cfn_name\u003e__\u003ckind\u003e__\u003cidx\u003e.smt2`. Each file is self-contained\n(declares every free variable, pins call-site bindings, asserts the\nnegated goal, ends with `(check-sat)`). Feed it to stock Z3:\n\n```bash\nz3 -smt2 ./certs/ident_round__decl__0.smt2\n# unsat        ← the proof: negation is unsatisfiable, so the original holds\n```\n\nImplies `--typecheck`. Without `--features z3`, no certificates are\nemitted (the cheap folder isn't asked to produce them).\n\n#### Signed certificates (RES-194)\n\nPass `--sign-cert \u003cpath-to-ed25519-private-key.pem\u003e` alongside\n`--emit-certificate \u003cdir\u003e` to write a 64-byte Ed25519 signature to\n`\u003cdir\u003e/cert.sig`. The signed payload is the byte-for-byte\nconcatenation of the `.smt2` files in the directory (sorted by\nfilename, joined with `\\n`); the signature binds the certificate\nset to the signer's key.\n\n```bash\n# Sign during emit:\nrz -t --emit-certificate ./certs --sign-cert ~/.resilient-priv.pem src/main.rz\n\n# Verify against the binary's embedded public key:\nrz verify-cert ./certs\n\n# Or against a custom public key (e.g. 
a rotated / test key):\nrz verify-cert ./certs --pubkey ./trusted-pub.pem\n```\n\nExit codes from `verify-cert`: `0` = valid signature, `1` =\ntampered / wrong key, `2` = usage error (missing directory, etc.).\n\nThe committed public key lives at `resilient/src/cert_key.pem` and\nis baked into the binary via `include_str!`. Key management (the\ncorresponding private key + rotation) is a human concern — the\nsigning key is NOT committed. See the ticket's Notes for the\nrotation-follow-up plan.\n\nThe PEM format is a minimal `-----BEGIN ED25519 {PUBLIC,PRIVATE}\nKEY-----` envelope around 64 hex chars (32 raw bytes). A tiny\nhelper is provided inside the `cert_sign` module; external tools\nthat want to generate a compatible keypair can use any Ed25519\nlibrary and format the output identically.\n\n#### Certificate manifest (RES-195)\n\nEvery `--emit-certificate \u003cdir\u003e` run also writes a\n`manifest.json` index:\n\n```json\n{\n  \"program\": \"fib.rz\",\n  \"obligations\": [\n    {\n      \"fn\": \"fib\",\n      \"kind\": \"ensures\",\n      \"idx\": 0,\n      \"cert\": \"fib__ensures__0.smt2\",\n      \"sha256\": \"\u003c64 hex\u003e\",\n      \"sig\": \"\u003c128 hex\u003e\"\n    }\n  ]\n}\n```\n\n- `sha256` is always present and always over the `.smt2` file's\n  bytes — consumers can detect tampering without holding any\n  cryptographic key.\n- `sig` is present only when `--sign-cert` was passed; it's an\n  Ed25519 signature over THIS cert's bytes (not the batch). 
The\n  top-level `cert.sig` from RES-194 still covers the whole\n  payload — both are written on signed runs so either can be\n  used for verification.\n\nThe `verify-all` subcommand re-checks every obligation:\n\n```bash\n# Fast cryptographic-only pass:\nrz verify-all ./certs\n\n# With a custom public key (for rotated / test keys):\nrz verify-all ./certs --pubkey ./trusted-pub.pem\n\n# Extra: re-run Z3 on each cert (if the `z3` binary is on PATH):\nrz verify-all ./certs --z3\n```\n\nOutput is a one-row-per-obligation table with `sha256`/`sig`/`z3`\ncolumns (`ok`, `FAIL`, `-` = skipped). Exit 0 iff every checked\ncell passes; exit 1 on any failure or missing file; exit 2 on\nusage errors. Without `--z3`, the column is skipped — the\ncryptographic checks alone are a strong regression signal.\n\n### Embedded runtime (RES-075 + RES-097 + RES-098)\n\nThe sibling `resilient-runtime/` crate carves out the value layer\n+ core ops in a `#![no_std]`-compatible form, ready for a\nCortex-M class MCU. 
RES-075 Phase A shipped the alloc-free\n`Value::Int`/`Value::Bool` types; RES-097 verified the\ncross-compile; RES-098 added an opt-in `alloc` feature for\n`Value::Float` (always available — stack-only) and `Value::String`\n(behind the feature).\n\n```bash\n# Host build, default features (alloc-free) — 11 unit tests\ncd resilient-runtime\ncargo build\ncargo test\n\n# Host build with alloc — 14 unit tests (adds Float + String coverage)\ncargo build --features alloc\ncargo test  --features alloc\n```\n\n#### Verified cross-compile\n\n`resilient-runtime` builds for the `thumbv7em-none-eabihf` target\n(Cortex-M4F class MCU) in both feature configs:\n\n```bash\nrustup target add thumbv7em-none-eabihf\n\n# Default (alloc-free) — Cortex-M4F has native i64 instruction\n# support, no compiler_builtins shim needed.\ncargo build --target thumbv7em-none-eabihf\ncargo clippy --target thumbv7em-none-eabihf -- -D warnings\n\n# With --features alloc, embedded-alloc 0.5 is pulled in.\n# The lib does NOT pick a #[global_allocator] — that's the\n# binary's responsibility (LlffHeap from embedded-alloc is the\n# common choice for Cortex-M).\ncargo build --target thumbv7em-none-eabihf --features alloc\ncargo clippy --target thumbv7em-none-eabihf --features alloc -- -D warnings\n```\n\nEmbedded users wire the allocator in their binary's `main()`:\n\n```rust\nuse embedded_alloc::LlffHeap as Heap;\n#[global_allocator]\nstatic HEAP: Heap = Heap::empty();\n\nfn main() -\u003e ! {\n    // initialize HEAP with a fixed-size memory pool, then use\n    // resilient_runtime::Value::String / Float freely.\n    loop {}\n}\n```\n\nThe `resilient/` crate is unaffected — it stays a single-crate\nproject; `resilient-runtime/` is a separate Cargo project alongside\nit. 
A future ticket can promote both to a workspace if there's a\nreal reason (shared profile config, cross-crate testing).\n\nSee [`resilient-runtime-cortex-m-demo/`](resilient-runtime-cortex-m-demo/)\nfor a buildable example that links the runtime with an\n`embedded-alloc` global allocator on Cortex-M4F (RES-101). Run\n`scripts/build_cortex_m_demo.sh` from the repo root to verify the\ncross-compile; the demo is a build check, not a runtime\ndemonstration.\n\n#### Sink abstraction for `println` (RES-180)\n\nThe runtime exposes a tiny `sink::Sink` trait — one method,\n`write_str(\u0026mut self, s: \u0026str) -\u003e Result\u003c(), SinkErr\u003e` — plus\na global `sink::println` / `sink::print` routed through the\ncurrently-installed sink. Users wire a sink once at program\nstart with `sink::set_sink(\u0026mut their_sink)`; subsequent\n`println` calls thread text through it. On embedded this is\ntypically a UART / semihosting / ring-buffer writer; for tests\na memory-backed `BufSink` captures output for assertions.\n\nOptional `std-sink` feature exports a `StdoutSink` convenience\ntype that forwards to `std::io::stdout()` for users who want\nthe old std-host behavior without rolling their own:\n\n```rust\nuse resilient_runtime::sink::{set_sink, StdoutSink};\nstatic mut STDOUT_SINK: StdoutSink = StdoutSink;\nfn main() {\n    unsafe { set_sink(\u0026mut STDOUT_SINK); }\n    resilient_runtime::sink::println(\"hello from the runtime\").unwrap();\n}\n```\n\nThe core Sink / print / println surface is always available\n— no feature flag needed. `StdoutSink` sits behind `std-sink`\nbecause it pulls in `std`, which is incompatible with\n`no_std` embedded deployments.\n\nThread-safety: the global sink pointer is held in an\n`UnsafeCell` wrapped in a `Sync` newtype. Sound for embedded\nbare-metal (single-core / single-thread). Tests serialize\nvia a shared `SINK_TEST_LOCK` (same pattern as RES-150's RNG\nlock). 
Multi-threaded embedded use would need a\n`critical-section` crate or a `spin::Mutex` — left for a\nfollow-up when the use case appears.\n\n#### Code-size budget (RES-179)\n\nCI runs `cargo bloat` against the release Cortex-M4F demo on\nevery push + PR via the `size-gate` workflow. The gate fails\nif the `.text` section exceeds **64 KiB** (overridable via the\n`SIZE_BUDGET_KIB` env var in `.github/workflows/size_gate.yml`).\n\nCurrent measurement (release, `thumbv7em-none-eabihf`):\n\n| Section | Size       | % of budget |\n| ------- | ---------- | ----------- |\n| `.text` | **2.3 KiB** (~2 355 bytes) | **3.6 %** |\n\nPlenty of headroom — the budget is deliberately generous per the\nticket Notes; tighten in a follow-up once we have a stable\nbaseline across releases. The top .text contributors today are\n`compiler_builtins::mem::memcpy` (~31 %), the demo's own `main`\n(~21 %), and `embedded_alloc`'s `dealloc` / `alloc` wrappers\n(~12 % / ~11 % respectively) — everything else is single-digit\nbytes.\n\nRun locally:\n\n```bash\nscripts/check_size_budget.sh                     # default 64 KiB\nSIZE_BUDGET_KIB=32 scripts/check_size_budget.sh  # tighter budget\n```\n\nThe script prints `cargo bloat`'s top-20 symbol table either\nway, so a failing run attributes the regression without needing\nto re-run anything.\n\n#### `--features static-only` (RES-178)\n\nFor safety-critical projects that forbid dynamic allocation\nentirely, the runtime crate exposes a mutually-exclusive\n`static-only` feature. 
Under it, the reduced `Value` surface is:\n\n| feature flags             | Value::Int | Value::Bool | Value::Float | Value::String |\n| ------------------------- | :--------: | :---------: | :----------: | :-----------: |\n| (default)                 | ✅         | ✅          | ✅           | ✕             |\n| `--features alloc`        | ✅         | ✅          | ✅           | ✅            |\n| `--features static-only`  | ✅         | ✅          | ✅           | ✕             |\n| `alloc + static-only`     | *build fails: `compile_error!`* |\n\n`static-only` is an assertion, not an enabler: setting it makes\nany attempt to add a heap-bearing Value variant without\nfeature-gating it fail the build. The existing\n`#[cfg(feature = \"alloc\")]` gates around `Value::String` (and\ntheir future cousins for Array/Map when those land here) already\nprovide structural enforcement; `static-only` adds the intent\ncontract + the explicit mutex.\n\n```bash\ncd resilient-runtime\n# Alloc-free build (same as default — feature is assertive).\ncargo build --features static-only\ncargo test  --features static-only     # 13 tests\n# Prove the mutex:\ncargo build --features \"alloc static-only\"   # compile_error!\n```\n\nThe `resilient/` CLI crate is NOT built with `static-only` — the\ncompiler itself needs alloc. The feature is runtime-only.\n\n#### Cortex-M0 / M0+ / M1 thumbv6m (RES-177)\n\nThe Armv6-M lower-end (Cortex-M0 class, e.g. RP2040's dual-M0+\ncores or STM32F0) is the watch target for \"did anything pull\nin a dep that assumes M4F-only features?\" — no FPU, no 32-bit\natomics, no DSP extensions. 
The runtime today uses **no\natomics** anywhere (RES-141's telemetry counters live in the\n`resilient` CLI binary, not in `resilient-runtime`), so the\nticket's `#[cfg(target_has_atomic = \"32\")]` gating isn't\ntriggered today; the CI gate will catch any future regression\nthe moment a dep tries to pull in `AtomicU32`.\n\n```bash\nrustup target add thumbv6m-none-eabi\ncd resilient-runtime\ncargo build --target thumbv6m-none-eabi\ncargo build --target thumbv6m-none-eabi --features alloc\ncargo clippy --target thumbv6m-none-eabi -- -D warnings\n```\n\n`scripts/build_cortex_m0.sh` is the one-shot equivalent. The\n`alloc` feature builds clean (embedded-alloc + linked_list_allocator\n+ critical-section's M0 single-core backend all link). `Value::Float(f64)`\nalso compiles (soft-float via libgcc), but floats are slow on M0\n— the ISA has no FPU, so every float op is a runtime library call.\nAvoid floats on M0 when you can; stick to `Value::Int(i64)`.\n\n#### RISC-V rv32imac (RES-176)\n\nThe runtime also cross-compiles to\n`riscv32imac-unknown-none-elf` — the baseline ISA for HiFive,\nGD32V, and ESP32-C3 class chips. Both the default (alloc-free)\nand `alloc` feature sets build clean, and `embedded-alloc`'s\n`linked_list_allocator` backend works on RISC-V without target\noverrides.\n\n```bash\nrustup target add riscv32imac-unknown-none-elf\ncd resilient-runtime\ncargo build --target riscv32imac-unknown-none-elf\ncargo build --target riscv32imac-unknown-none-elf --features alloc\ncargo clippy --target riscv32imac-unknown-none-elf -- -D warnings\n```\n\nRun `scripts/build_riscv32.sh` from the repo root to execute all\nthree steps in one shot. 
CI gates the RISC-V build via the\n`embedded` workflow (`.github/workflows/embedded.yml`) alongside\nthe Cortex-M job.\n\nThere's no separate RISC-V demo crate yet — one embedded demo\n(RES-101's Cortex-M4F) is enough to exercise the `#[global_allocator]`\nwiring; adding a second target would multiply maintenance for\nzero new coverage.\n\n### Available Examples\n\nAll in `resilient/examples/`. Each ships with a `.expected.txt`\nsidecar so the smoke tests can verify they still produce the\ndocumented output.\n\n- `hello.rz` — `println(\"Hello, world!\");`\n- `minimal.rz` — smallest working program with a top-level return\n- `int_math.rz` — arithmetic + integer operators\n- `sensor_monitor.rz` — `live { }` block reading a synthetic sensor\n- `self_healing.rz` — recovery after a transient error inside a live block\n- `nested_array_demo.rz` — multi-dimensional array indexing/assignment\n- `cert_demo.rz` — minimal program whose contract Z3 can discharge,\n  used by `--emit-certificate` (RES-071)\n- `imports_demo/` — multi-file import resolution\n- `file_io_demo.rz` — round-trip through `file_read` / `file_write`\n  (RES-143)\n\n**Safety considerations for `file_read` / `file_write` (RES-143):**\nthe CLI has ambient filesystem authority and these builtins inherit\nit with no sandboxing. Run untrusted Resilient programs inside a\nchroot or container if you care about what they can touch. The\n`resilient-runtime` sibling crate (used by embedded targets) has no\nbuiltins table and therefore no file I/O surface — it stays\nno_std-clean.\n\n### Debugging\n\n`--dump-tokens \u003cfile\u003e` prints the lexer's token stream — one\n`line:col Kind(\"lexeme\")` per line, ending with `Eof` — and\nexits. Useful when a parser error points at a mystery token and\nyou want to see what the scanner actually emitted, without\nediting source (RES-112). 
Mutually exclusive with `--lsp`.\n\n```sh\nrz --dump-tokens resilient/examples/hello.rz\n# 2:1  Function(\"fn\")\n# 2:4  Identifier(\"main\")(\"main\")\n# 2:8  LeftParen(\"(\")\n# ...\n# 6:1  Eof(\"\")\n```\n\n`--dump-chunks \u003cfile\u003e` compiles the program to VM bytecode and\nprints a human-readable disassembly of every chunk — `main` plus\neach user function — with constants, per-op offset/line/opname\ncolumns, and absolute jump targets (RES-173). The output reflects\nthe RES-172 peephole pass, so what you see is what runs.\n\n```sh\nrz --dump-chunks resilient/examples/hello.rz\n# === main ===\n# constants:\n#   const[0] = \"Hello, Resilient world!\"\n# code:\n#   0000  L2   Const 0      ; const[0] = \"Hello, Resilient world!\"\n#   0001  L2   Call 0       ; -\u003e println\n#   0002  L2   Return\n```\n\nMutually exclusive with `--dump-tokens` and `--lsp`. The output\nformat is stable — external tools are welcome to parse it; the\ndisassembler module comment documents the exact column contract.\n\n### Formatter\n\n`rz fmt \u003cfile\u003e` pretty-prints a Resilient source file in\ncanonical style (4-space indent, brace-on-same-line, contracts\nindented under the function signature). By default it prints to\nstdout; pass `--in-place` to overwrite the file.\n\n```bash\nrz fmt resilient/examples/hello.rz    # print to stdout\nrz fmt --in-place src/main.rz         # overwrite\n```\n\nThe formatter refuses to touch input with parse errors (exits 1).\nIt is a structural round-trip — comments are not preserved today;\nonly run it on code you're willing to re-attach comments to by\nhand. 
See [Tooling Reference](https://ericspencer.us/Resilient/tooling#formatter)\nfor the full contract.\n\n### REPL Commands\n\n- `help` - Show help message\n- `exit` - Exit the REPL\n- `clear` - Clear the screen\n- `examples` - Show example code snippets\n- `typecheck` - Toggle type checking\n\n### Randomness (RES-150)\n\nThe `random_int(lo, hi)` and `random_float()` builtins are backed\nby **SplitMix64**, a tiny deterministic PRNG. The seed is either\npinned with `--seed \u003cu64\u003e` (for reproducible runs) or derived from\nthe monotonic clock at startup and echoed to stderr as\n`seed=\u003cN\u003e` so a failing run can be replayed verbatim.\n\n**These are NOT cryptographic.** Do not use `random_*` for key\nmaterial, session tokens, salts, nonces, or anything an attacker\ncould exploit if guessed. SplitMix64 is chosen for determinism and\nsmall code size (≈15 LOC, zero dependencies), not unpredictability.\nWhen the language grows a cryptographic-grade primitive it will\nlive under a separate name with the appropriate guarantees.\n\n## Editor \u0026 IDE Support\n\n### Visual Studio Code\n\nInstall the [Resilient extension](https://marketplace.visualstudio.com/items?itemName=fromamerica.resilient-vscode) from the VS Code Marketplace for syntax highlighting, diagnostics, hover information, go-to-definition, and one-click file execution.\n\n```bash\n# Or install from command line:\ncode --install-extension fromamerica.resilient-vscode\n```\n\n**Features:**\n- Syntax highlighting with TextMate grammar\n- Real-time diagnostics (parse errors, type errors, contract violations)\n- Language server protocol (LSP) support: hover types, completion, go-to-definition, find references\n- One-click \"Run Resilient File\" button\n\n**Setup:** The extension auto-detects the `rz` binary on `$PATH`. 
If `rz` is elsewhere, configure `resilient.serverPath` in settings.\n\n### GitHub Syntax Highlighting\n\n`.rz` files are recognized and highlighted on GitHub as of the [Resilient registration in Linguist](https://github.com/github-linguist/linguist). The VS Code extension grammar powers the coloring.\n\n### Other Editors\n\nResilient supports LSP, so any editor with LSP client support (Vim, Neovim, Emacs, Sublime, etc.) can integrate the language server:\n\n```bash\n# Start the LSP server:\nrz --lsp\n\n# Then point your editor's LSP client to this process.\n```\n\nSee [docs/lsp.md](docs/lsp.md) for editor-specific setup instructions.\n\n## Performance\n\nRun `cargo bench --manifest-path resilient/Cargo.toml` to benchmark the\ntree-walker interpreter on three representative workloads (recursive\n`fib(25)`, bubble-sort, and string concatenation). Results are saved to\n`resilient/target/criterion/`; a captured baseline lives at\n[`benchmarks/baseline.txt`](benchmarks/baseline.txt).\n\n## Syntax Requirements\n\nSee the [SYNTAX.md](SYNTAX.md) file for detailed syntax requirements and examples. Key points:\n\n- Function parameters carry explicit types; zero-parameter functions use `fn name()`\n- Static variables maintain state between function calls\n- Live blocks provide self-healing capabilities\n- Assertions validate system invariants\n\n## Project Status\n\nActive development happens one ticket at a time. See [ROADMAP.md](ROADMAP.md)\nfor the goalpost ladder and [GitHub Issues (closed)](https://github.com/EricSpencer00/Resilient/issues?q=is%3Aissue+is%3Aclosed) for\nthe full ledger. 
Each commit of the form `RES-NNN: summary` closes one ticket.\n\n### What works today\n\n- Functions (with and without parameters), forward references\n- `let` and `static let` bindings, reassignment\n- Arithmetic, comparison, logical, bitwise, and shift operators\n- Prefix `!` and `-`\n- Hex (`0xFF`) and binary (`0b1010`) integer literals with `_` separators\n- Block `/* */` and line `//` comments\n- `if` / `else`, `while` (with runaway guard)\n- `live { }` self-healing blocks with retry\n- `assert(cond, msg)` with operand values in the error\n- Built-ins: `println`, `print`, `len`, `abs`, `min`, `max`, `sqrt`,\n  `pow`, `floor`, `ceil`\n- Clean `line:col:` error diagnostics\n- 50+ passing tests covering lexer, parser, typechecker, interpreter,\n  and example programs (golden file sidecars in `resilient/examples/`)\n- Zero panic paths in the parser or lexer — every error is recoverable\n\n### Performance (RES-106)\n\nA representative workload: fib(25), 242,785 recursive calls,\non Apple M1 Max. See `benchmarks/RESULTS.md` for the full\ntable including Python/Node/Lua/Ruby and the bench scripts.\n\n| backend                  | fib(25) median | vs interp |\n|--------------------------|----------------|-----------|\n| Resilient (interp)       | 406.7 ms       | 1×        |\n| Resilient (VM, RES-082)  | 33.7 ms        | 12×       |\n| Resilient (JIT, RES-106) | **2.8 ms**     | **145×**  |\n| Rust (native -O)         | 2.0 ms         | 204×      |\n\nThe Cranelift JIT (`--features jit --jit`) is **~12× faster\nthan the bytecode VM** and within **~1.4×** of native Rust on\nthis workload, beating Lua (7.1 ms), Python 3 (32.5 ms),\nNode.js (62.8 ms), and Ruby (71.2 ms). 
Compile time is\nincluded in the measurement (amortized across the ~242k\ncalls); for one-shot arithmetic the VM is the right backend.\n\n### What's next\n\n- G4 (full source spans with snippets / carets)\n- G5 (replace hand-rolled lexer with `logos`)\n- G6 (one canonical AST, retire the unwired `parser.rs`)\n- G7 (real type checker: inference, unification, exhaustiveness)\n- G8–G10 (function contracts, symbolic assert, live-block invariants)\n- G11+ (stdlib, structs, pattern matching, cranelift backend, LSP,\n  `no_std`, self-hosting)\n\n### Self-hosting progress (G20)\n\nG20 is a long arc. The first milestone is a Resilient program\nthat can lex Resilient source.\n\n- **RES-196** — [`self-host/lex.rs`](./self-host/lex.rs): a byte-\n  level lexer for a restricted subset of the language, written\n  in Resilient itself. Recognizes identifiers, integer + string\n  literals, the `fn` / `let` / `return` / `if` / `else` / `while` /\n  `true` / `false` keywords, single-char punctuation,\n  single-char operators, the two-char comparison / logical\n  operators, and `//` line comments. Whitespace-skipping with\n  line / column tracking.\n\n  Run it: `./self-host/run.sh` (diffs output against\n  [`self-host/hello.tokens.txt`](./self-host/hello.tokens.txt)).\n\n  Not in CI — informative only until the self-hosted toolchain\n  becomes load-bearing. See the source file's top-comment for\n  the feature gaps (multiline strings, block comments, `live`\n  contracts, float / bytes literals) and the parser workarounds\n  the prototype needed to land today.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericspencer00%2Fresilient","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fericspencer00%2Fresilient","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericspencer00%2Fresilient/lists"}