chore(ci): fold manual model checking into formal verify

[ootakazuhiko]

概要

• model-checking-manual を formal-verify の workflow_dispatch に統合
• manual 実行で指定した TLA ファイルを formal-verify で利用可能に
• issue-1006 のワークフロー台帳/トリガー整理を更新

変更点

• formal-verify.yml の workflow_dispatch 実行時に tlaFile を反映
• workflow_dispatch の並行実行キーに tlaFile を加味
• model-checking-manual.yml を削除
• 関連ドキュメントを更新

確認

• 未実施（CI に委譲）

Refs #1006 #1160

[github-actions]

❓ Code Generation Drift Detection

Status:
Regeneration needed: No

---

Automated by AE-Framework Codegen

[ootakazuhiko]

Auto Update Branch

PR #1778 was behind base; triggered branch update.
If conflicts remain, manual resolution is required.

[github-actions]

❓ Code Generation Drift Detection

Status:
Regeneration needed: No

---

Automated by AE-Framework Codegen

[github-actions]

Quality Summary

• Adapters:

• Formal: n/a

• Replay: n/a

• Trace IDs:

[github-actions]

🔍 Verification Summary

• Traceability: 6 scenarios
  • Tests: 3 (50%)
  • Impl: 3 (50%)
  • Formal: 3 (50%)

Unlinked (top 5)

- Device registration publishes enough pre-keys and emits audit log (id: device-registration-publishes-enough-pre-keys-and-emits-audit-log) test:N/A impl:N/A formal:N/A - Invalid auth tag triggers audit violation for AES-GCM envelopes (id: invalid-auth-tag-triggers-audit-violation-for-aes-gcm-envelopes) test:N/A impl:N/A formal:N/A - Session rotation stays within forward secrecy thresholds (id: session-rotation-stays-within-forward-secrecy-thresholds) test:N/A impl:N/A formal:N/A

Linked examples (up to 3)

- Successful reservation (id: successful-reservation) test: [traceability/inventory.trace.test.ts](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/tests/traceability/inventory.trace.test.ts) impl: [domain/inventory.ts](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/src/domain/inventory.ts) formal: [tla+/Inventory.tla](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/specs/formal/tla+/Inventory.tla) - Prevent negative stock (id: prevent-negative-stock) test: [traceability/inventory.trace.test.ts](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/tests/traceability/inventory.trace.test.ts) impl: [domain/inventory.ts](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/src/domain/inventory.ts) formal: [tla+/Inventory.tla](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/specs/formal/tla+/Inventory.tla) - Idempotent by order id (id: idempotent-by-order-id) test: [traceability/inventory.trace.test.ts](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/tests/traceability/inventory.trace.test.ts) impl: [domain/inventory.ts](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/src/domain/inventory.ts) formal: [tla+/Inventory.tla](https://github.com/itdojp/ae-framework/blob/2a7181509909a60d20d28faae18567b51ca3eeb3/specs/formal/tla+/Inventory.tla)

Hit basis (tests/formal)

- Test hits: title=3 id=0 tag=0 - Formal hits: title=0 id=3 tag=0

- Model Check (TLC): 2/8 (25%) modules ok

Non-OK modules (top 5)

- KvOnce (log: artifacts/codex/KvOnce.tlc.log.txt) - KvOnceRefinement (log: artifacts/codex/KvOnceRefinement.tlc.log.txt) - KvOnceImpl (log: artifacts/codex/KvOnceImpl.tlc.log.txt) - KvOnce (log: artifacts/codex/KvOnce.tlc.log.txt) - KvOnceRefinement (log: artifacts/codex/KvOnceRefinement.tlc.log.txt)

- Alloy: detected 2 specs (execution skipped) - Contracts: schemas=true conditions=true machine=true - Contracts exec: parseIn=false pre=false post=false parseOut=false

[github-actions]

CodeX Artifacts Summary

• • Contract/E2E templates: 1 files (dir: tests/api/generated)
• • Tests: PBT files=122, BDD features=0
• • Formal specs: TLA=1, Alloy=1

[Copilot]

Pull request overview

This PR consolidates the manual model-checking workflow into the existing formal-verify GitHub Actions workflow, reducing workflow count and updating the Issue #1006 workflow inventory/docs accordingly.

Changes:

• Fold model-checking-manual functionality into formal-verify.yml’s workflow_dispatch (incl. selectable TLA file usage).
• Adjust workflow_dispatch concurrency grouping to account for additional inputs.
• Remove model-checking-manual.yml and update Issue #1006 workflow trigger/inventory documentation.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
.github/workflows/formal-verify.yml	Adds dispatch-time TLA file selection and updates concurrency grouping to support the consolidation.
.github/workflows/model-checking-manual.yml	Deletes the standalone manual model-checking workflow after consolidation.
docs/notes/issue-1006-workflow-triggers.md	Updates trigger counts and removes references to the deleted workflow.
docs/notes/issue-1006-workflow-trigger-profiles.md	Updates trigger profiles/counts to reflect the removed workflow.
docs/notes/issue-1006-workflow-overlap-candidates.md	Updates formal verification trigger mapping and removes the deleted workflow from overlap candidates.
docs/notes/issue-1006-workflow-inventory.md	Updates workflow inventory counts and removes the deleted workflow from the list/prefix counts.
docs/notes/issue-1006-ci-consolidation-draft.md	Records the consolidation as a low-risk move in the CI consolidation draft.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

CI Status Snapshot (2026-01-25T14:02:01.510Z)

• chore(ci): fold manual model checking into formal verify #1778 chore(ci): fold manual model checking into formal verify | ✅24 ❌1 ⏳0 ⏭️31 | review:NONE | mergeable:MERGEABLE
  • failed: gate

[github-actions]

❓ Code Generation Drift Detection

Status:
Regeneration needed: No

---

Automated by AE-Framework Codegen

[github-actions]

🔍 Verification Summary

• Traceability: 6 scenarios
  • Tests: 3 (50%)
  • Impl: 3 (50%)
  • Formal: 3 (50%)

Unlinked (top 5)

- Device registration publishes enough pre-keys and emits audit log (id: device-registration-publishes-enough-pre-keys-and-emits-audit-log) test:N/A impl:N/A formal:N/A - Invalid auth tag triggers audit violation for AES-GCM envelopes (id: invalid-auth-tag-triggers-audit-violation-for-aes-gcm-envelopes) test:N/A impl:N/A formal:N/A - Session rotation stays within forward secrecy thresholds (id: session-rotation-stays-within-forward-secrecy-thresholds) test:N/A impl:N/A formal:N/A

Linked examples (up to 3)

- Successful reservation (id: successful-reservation) test: [traceability/inventory.trace.test.ts](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/tests/traceability/inventory.trace.test.ts) impl: [domain/inventory.ts](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/src/domain/inventory.ts) formal: [tla+/Inventory.tla](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/specs/formal/tla+/Inventory.tla) - Prevent negative stock (id: prevent-negative-stock) test: [traceability/inventory.trace.test.ts](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/tests/traceability/inventory.trace.test.ts) impl: [domain/inventory.ts](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/src/domain/inventory.ts) formal: [tla+/Inventory.tla](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/specs/formal/tla+/Inventory.tla) - Idempotent by order id (id: idempotent-by-order-id) test: [traceability/inventory.trace.test.ts](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/tests/traceability/inventory.trace.test.ts) impl: [domain/inventory.ts](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/src/domain/inventory.ts) formal: [tla+/Inventory.tla](https://github.com/itdojp/ae-framework/blob/00881c191a52413005a955453e7549a8585e16d0/specs/formal/tla+/Inventory.tla)

Hit basis (tests/formal)

- Test hits: title=3 id=0 tag=0 - Formal hits: title=0 id=3 tag=0

- Model Check (TLC): 2/8 (25%) modules ok

Non-OK modules (top 5)

- KvOnce (log: artifacts/codex/KvOnce.tlc.log.txt) - KvOnceRefinement (log: artifacts/codex/KvOnceRefinement.tlc.log.txt) - KvOnceImpl (log: artifacts/codex/KvOnceImpl.tlc.log.txt) - KvOnce (log: artifacts/codex/KvOnce.tlc.log.txt) - KvOnceRefinement (log: artifacts/codex/KvOnceRefinement.tlc.log.txt)

- Alloy: detected 2 specs (execution skipped) - Contracts: schemas=true conditions=true machine=true - Contracts exec: parseIn=false pre=false post=false parseOut=false

[github-actions]

CodeX Artifacts Summary

• • Contract/E2E templates: 1 files (dir: tests/api/generated)
• • Tests: PBT files=122, BDD features=0
• • Formal specs: TLA=1, Alloy=1

[ootakazuhiko]

Copilotレビュー対応を反映しました。

• docs/notes/issue-1006-workflow-triggers.md の workflow_dispatch 見出し数を 30 に修正
• docs/notes/issue-1006-workflow-overlap-candidates.md の formal-verify トリガー表記から push(tags) を削除
• formal-verify.yml の workflow_dispatch concurrency キーに engine と tlaFile を加味

main 取り込み済みでコンフリクトは解消しています。