Contractual Choreography Synthesis

Updated 15 February 2026

Contractual Choreography Synthesis is an algorithmic process that constructs a well-formed global interaction model from individual contracts.
It leverages formal approaches such as session types, automata theory, process calculi, and Petri nets to capture both value-independent and value-constrained behaviors.
Advanced synthesis algorithms guarantee correctness properties like deadlock-freedom, soundness, completeness, and maximal permissiveness for robust distributed systems.

Contractual choreography synthesis is the algorithmic construction of a well-formed global description (a choreography) of multiparty interactions from a set of individual contracts or process-level specifications. This process ensures that the synthesized choreography embodies the obligations, choices, and progress guarantees of all advertised end-point contracts, such that projection recovers the original contracts and implementations are protected against adversary behaviors. Approaches span session-type theory, automata-theoretic constructions, process calculi, and Petri nets, capturing both value-independent and value-constrained (asserted) behavior (Lange et al., 2012, Lange et al., 2013, Basile et al., 2014, Basile et al., 2019, Gheri et al., 2022, Bartoletti et al., 2012). The following sections survey foundational models, key synthesis rules and algorithms, formal correctness, extensions for contract flexibility and value assertions, tool support, and example applications.

1. Fundamental Formalisms for Contractual Choreography

Several foundational theories underpin contractual choreography synthesis:

Multiparty Session Types (MPST): Session types describe communication behavior as types. Local session types specify the message-sending/receiving obligations of individual roles; a choreography (global session type) provides a compact, global interaction pattern among all participants (Lange et al., 2012).
Behavioral Contracts and CO₂ Calculus: Participants advertise contracts describing their obligations and requirements; choreography synthesis proceeds when obligations and expectations are mutually compatible (Lange et al., 2013).
Contract Automata (MSCA): Interaction behavior is modeled as automata whose labels and transitions capture offers, requests, and matches. Choreography is realized as the composition of communicating finite-state machines (CFSMs) projected from contract automata (Basile et al., 2014, Basile et al., 2019).
Choreography Automata with Assertions: Choreography automata are finite-state automata extended with assertional contracts on value flows, supporting value-dependent conditions and selective participation (Gheri et al., 2022).
Lending Petri Nets: Choreographic behavior is modeled via a generalized Petri net framework, featuring "lending places" to enable safe execution on credit, with contracts grounded in propositional contract logic (PCL) (Bartoletti et al., 2012).

These formalisms enable precise description of contract behavior, projection and synthesis mechanisms, and machine-checked guarantees of deadlock-freedom and compliance.

2. Synthesis Algorithms and Typing/Inference Rules

Synthesis algorithms reconstruct a global choreography (or compatible end-point implementations) from collections of local contracts, employing typing or inference systems appropriate to the chosen formalism.

Session Type-Based Synthesis: The core judgment $C; S_1,\dots,S_n \vdash G$ $C; S_{1}, \dots, S_{n} ⊢ G$ relates a set of local session types $S_i$ $S_{i}$ and a communication context $C$ $C$ to a synthesized global type $G$ $G$ . The principal inference rules are:
- [T-End]: All endpoints at termination, $C; \text{end}, \dots, \text{end} \vdash \text{end}$ .
- [T-Comm]: Matched send/receive prefixes, producing the global prefix $p \to q : \ell; G$ .
- [T-Branch]: Branching choice is distributed over participants, forming $p \to q : \{ \ell_k : G_k \}_{k \in K}$ (Lange et al., 2012).
- This recursive decomposition ensures that each communication/branching in the global type corresponds to a uniquely matched local behavior.
Automata-Theoretic Synthesis: Given $n$ $n$ contract automata (or MSCAs) of rank $1$, their synchronous product forms a joint automaton of rank $n$ $n$ . Only runs consisting exclusively of match-actions qualify for choreography. The key synthesis steps:
1. Product Construction: Build $\mathcal{A} = \mathcal{A}_1 \otimes \cdots \otimes \mathcal{A}_n$ .
2. Controller Extraction: Restrict to match-transitions and prune unreachable states, yielding the most-permissive controller (MPC).
3. Branching Condition: Enforces independence—matching actions must be uniformly enabled from all states agreeing on the sender's state (Basile et al., 2014, Basile et al., 2019).
4. CFSM Projection: Each participant's local machine is constructed by projecting global match-actions onto the appropriate send/receive events for channels.
Abstract Parametric Synthesis: Choreography and orchestration synthesis are unified under a fixed-point/iterate-and-prune algorithm, parameterized by two predicates governing pruning/forbidding transitions. Correctness is ensured via monotonicity and least fixpoint construction (Basile et al., 2019).
Choreography Automata with Assertions: Projections include guard conditions on data values, inductively merging and minimizing guarded transitions using symbolic reasoning over the assertions. History sensitivity and temporal satisfiability are established before synthesis (Gheri et al., 2022).
Petri Net Synthesis from Contract Logic: Each contract is compiled to an LPN, then composed via net glue operations. The structure of transitions and lending places ensures that agreement in PCL logic corresponds precisely to global net termination in honored markings (Bartoletti et al., 2012).

3. Conditions for Correctness: Compatibility, Agreement, and Well-Formedness

Successful choreography synthesis is contingent on a set of formal constraints:

Compatibility/Duality: At every step, communications must have exactly one sender/receiver, and choices must be globally agreed. No two participants may attempt to send/receive the same label to a third party simultaneously. Race-freedom and orphan-message-freedom are enforced syntactically (Lange et al., 2012).
Agreement: Especially in automata-theoretic and Petri net approaches, the composition must admit a strong agreement, meaning every request/offer is matched in some run, and every "payoff" is attainable without pending obligations (Basile et al., 2014, Bartoletti et al., 2012).
Branching Condition: Choices that are locally made must be globally visible, ensuring that concurrent branches commute appropriately and that no participant is left unable to distinguish or act upon the branch (Basile et al., 2014, Basile et al., 2019, Gheri et al., 2022).
Well-Formedness and Projectability: The synthesized global specification must be uniquely projectable onto each participant, avoiding choice-ambiguity and deadlock. Deterministic projection onto endpoint automata is guaranteed only if well-sequenced, well-branched, and (where present) temporally satisfiable (Lange et al., 2012, Gheri et al., 2022).
Honesty and Culpability: In contract-based models, each process must remain honest (able to meet its obligations or advertise accordingly) to ensure fidelity and progress. Culpability analysis detects violations, enabling participant exclusion at runtime without compromising progress (Lange et al., 2013).

4. Extensions for Value-Dependent Protocols and Flexibility

Advanced models extend classic choreography synthesis by supporting contracts with data assertions and selective participation:

Value-Dependent Assertions: Choreography automata and their projections can embed assertions constraining the values exchanged. Guards are maintained throughout projection, ensuring that local implementations statically and dynamically enforce the intended behavioral contracts. Temporal satisfiability ensures at every state some outgoing action is possible under the conjunction of all gathered assertions (Gheri et al., 2022).
Selective Participation: Well-branchedness allows participants to act in only a proper subset of behaviorally possible branches, provided they are fully informed—directly or indirectly—of the branch taken. Coinductive rules ensure knowledge is propagated through communication where necessary (Gheri et al., 2022).
Lending Discipline and Protection against Adversaries: Lending Petri nets formalize the notion of acting "on credit," permitting progress even when certain obligations are not yet met, provided they are eventually honored. This supports robust composition and compositional verification: refining one contract does not invalidate global properties so long as refinement preserves the local agreement (Bartoletti et al., 2012).

5. Correctness Properties: Soundness, Completeness, and Progress

Soundness and completeness theorems rigorously establish the connection between local contracts, global choreography, and their projections:

Soundness: If the synthesis judgment derives a global choreography $G$ from given local contracts, then $G$ is well-formed and projects exactly to the contracts supplied (Lange et al., 2012, Lange et al., 2013, Gheri et al., 2022).
Completeness: Any well-formed, projectable global choreography has local projections that, when used as input to the synthesis procedure, reconstruct the original global choreography (Lange et al., 2012).
Fidelity/Session Safety: No process can perform an action not prescribed by the contract or choreography. The system guarantees type safety at runtime (Lange et al., 2013, Gheri et al., 2022).
Global Progress and Deadlock-Freedom: Given honest participants, the synthesized choreography guarantees that progress is always possible, i.e., reduction can always proceed unless all components are in a terminal state (Lange et al., 2013, Basile et al., 2014, Gheri et al., 2022).
Maximal Permissiveness and Refinement: Synthesis via abstract parametric algorithms yields controllers that are maximally permissive, i.e., least-restrictive, while ensuring non-blocking, safety, and controllability. Choreography synthesis is an abstraction of orchestration synthesis, and all are refinements of the most permissive controller (Basile et al., 2019).

6. Illustrative Applications and Implementations

Realistic protocols and system architectures described in the surveyed literature demonstrate contractual choreography synthesis:

Online Wallet Protocol with Contracts: A multiparty protocol with value-dependent authorizations, retries, and payments, encoded as an asserted choreography automaton; local CFSMs with embedded guards are projected and mechanistically compiled to type-safe TypeScript APIs. Deadlock-freedom and contract adherence are ensured by construction (Gheri et al., 2022).
Three-Kid Toy Swap: Both the automata-theoretic and Petri-net-based models reconstruct the global choreography of three children swapping toys, ensuring agreement (all receive what they want) and enforcing liveness/protection properties (Basile et al., 2014, Bartoletti et al., 2012).
Hotel-Booking Choreography: A five-principal MSCA encoding a client-broker-hotel protocol with necessary (uncontrollable) actions; choreography synthesis proceeds by controller extraction, with safe, branching-satisfying automata generated (Basile et al., 2019).
Tool Support: The FMCAT tool implements choreography (and orchestration) synthesis for MSCAs, scaling to tens of thousands of states, with optimizations including on-the-fly pruning and partial-order reductions (Basile et al., 2019).

The application scope encompasses service-oriented architectures, distributed API synthesis for web applications, and formal protocols requiring protection against adversarial or non-conforming participants.

7. Theoretical and Practical Significance

Contractual choreography synthesis rigorously bridges local contract design and global protocol implementation. The surveyed frameworks enable:

Systematic construction of deadlock-free, type-safe multiparty communication protocols from independently specified contracts.
Integration of logical/automata-theoretic reasoning with process calculi, accounting for value-dependent behaviors, concurrency, and selective participation.
Compositional reasoning and refinement, supporting robust protocol evolution and implementation.
Mechanized synthesis of verified APIs and runtime enforcement of contracts, supporting correctness-by-construction principles in distributed programming.

Significant theoretical advances include characterization theorems—notably, the equivalence of global agreement and weak net termination in PCL/LPNs; bisimulation theorems linking choreography automata and projected endpoint CFSMs; and refinement and maximal permissiveness properties of synthesis algorithms (Bartoletti et al., 2012, Basile et al., 2014, Basile et al., 2019, Gheri et al., 2022).

Because these methods offer strict correctness, protection guarantees, and implementation-level synthesis, contractual choreography synthesis continues to be a foundation for trustworthy distributed systems research and engineering.