validation-contract
Use when authoring or normalising a specialist skill, or preparing to ship a feature or release — defines the seven evidence categories every specialist skill must declare against and provides the canonical Release Evidence Bundle template. The contract spine that turns scattered validation skills into a coherent ship-readiness check.
Best use case
validation-contract is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when authoring or normalising a specialist skill, or preparing to ship a feature or release — defines the seven evidence categories every specialist skill must declare against and provides the canonical Release Evidence Bundle template. The contract spine that turns scattered validation skills into a coherent ship-readiness check.
Teams using validation-contract should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/validation-contract/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How validation-contract Compares
| Feature / Agent | validation-contract | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when authoring or normalising a specialist skill, or preparing to ship a feature or release — defines the seven evidence categories every specialist skill must declare against and provides the canonical Release Evidence Bundle template. The contract spine that turns scattered validation skills into a coherent ship-readiness check.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Validation Contract Acknowledgement: Shared by Peter Bamuhigire, techguypeter.com, +256 784 464178. <!-- dual-compat-start --> ## Use When - Authoring a new specialist skill and deciding which validation evidence it should produce. - Normalising an older specialist skill against the current house style. - Preparing a feature or release for ship and assembling the Release Evidence Bundle. - Reviewing a PR that claims a feature is production-ready. ## Do Not Use When - The work is purely local, experimental, or explicitly throwaway with no path to production. - The skill being authored is a baseline, process, or pure index skill. Those do not declare evidence. - The task is unrelated to validation planning or shipping readiness. ## Required Inputs - The specialist skill or feature being validated, including its intended scope and risk tier. - Access to the repository's existing validation skills (`advanced-testing-strategy`, `vibe-security-skill`, `observability-monitoring`, etc.) as the source of category-specific "how to validate" content. - Awareness of the 14 canonical artifact templates in `skill-composition-standards/references/` so evidence rows can cite existing formats. ## Workflow - Identify whether the skill or feature in scope is specialist (declares evidence) or baseline/process (does not). - For specialist skills: map each artifact the skill produces to one of the seven evidence categories. - For releases: produce a Release Evidence Bundle that links concrete artifacts under each of the seven categories, using `N/A — <reason>` only where an entire category legitimately does not apply. - Cross-check risk tier guidance before permitting any `N/A` in high-risk releases. ## Quality Standards - Every specialist skill that produces validation evidence declares at least one evidence category with a concrete artifact reference. - Evidence declarations cite existing artifact templates where possible instead of inventing new formats. - Release Evidence Bundles never carry empty cells. Every cell links evidence or carries an `N/A — <reason>` line. ## Anti-Patterns - Declaring every category on every skill "just in case". This kills the signal. - Writing prose validation notes instead of linking concrete artifacts in a Release Evidence Bundle. - Permitting unjustified `N/A` on Correctness, Security, Data safety, Operability, or Release evidence in high-risk releases. - Treating the Release Evidence Bundle as a retrospective summary written after ship. It is produced before ship. ## Outputs - A specialist skill with a validated `## Evidence Produced` section declaring one or more of the seven categories. - A Release Evidence Bundle in the project's `docs/` tree linking evidence for every applicable category at ship time. - Clear `N/A — <reason>` annotations for non-applicable categories, with risk-tier-aware justification. ## References - [references/evidence-categories.md](references/evidence-categories.md): per-category definition, indicative contributing skills, and common artifact shapes. - [references/declaration-form.md](references/declaration-form.md): the `## Evidence Produced` table form, rules, and worked examples. - [references/release-evidence-bundle-template.md](references/release-evidence-bundle-template.md): the canonical fillable Release Evidence Bundle. - [references/integration-rollout.md](references/integration-rollout.md): audit trail of edits made to other skills during this skill's rollout. <!-- dual-compat-end --> ## The three repository-wide contracts The repository is held together by three contracts, each codified in a baseline skill: 1. **House-style contract** — every skill follows the same shape. Source: `skill-composition-standards`, Standard 1. 2. **Inputs/Outputs contract** — every skill declares the artifacts it consumes and produces. Source: `skill-composition-standards`, Standard 2. 3. **Evidence contract** — every specialist skill declares which of seven fixed validation categories its artifacts contribute to, and every release produces a Release Evidence Bundle. Source: this skill. The three contracts stack. A skill that meets Standard 1 but skips Standard 2 or 3 is not repository-grade. ## The seven evidence categories | # | Category | What the evidence proves | |---|----------|--------------------------| | 1 | **Correctness** | Behaviour matches spec; tests cover risk surface; contracts hold. | | 2 | **Security** | Threat model exists; scans clean; secrets handled; auth/authorisation verified. | | 3 | **Data safety** | Schema integrity; migration safety; backup, retention, and PII handling. | | 4 | **Performance** | Budgets met; load profile understood; query plans acceptable. | | 5 | **Operability** | SLOs defined; runbook exists; observability wired; rollback plan ready. | | 6 | **UX quality** | Accessibility pass; design audit; content/UX-writing review; AI slop check. | | 7 | **Release evidence** | Change record; migration plan; rollout/rollback log; post-deploy verification. | The taxonomy is closed. Adding an eighth category requires editing this skill, not silently extending it elsewhere. Full definitions and indicative contributing skills live in [references/evidence-categories.md](references/evidence-categories.md). ## Declaration mechanic Specialist skills add a `## Evidence Produced` section to their `SKILL.md`, between `## Outputs` and `## References`: ```markdown ## Evidence Produced | Category | Artifact | Format | Example | |----------|----------|--------|---------| | Security | Threat model | Markdown doc per `skill-composition-standards/references/threat-model-template.md` | `docs/security/threat-model-checkout.md` | | Operability | Runbook | Markdown doc per `skill-composition-standards/references/runbook-template.md` | `docs/runbooks/payment-failures.md` | ``` ### Rules - A specialist skill that produces validation evidence **MUST** declare at least one row. - Each row's `Category` value **MUST** be one of the seven canonical names (case-sensitive). - Each row's `Format` field **MUST** reference an existing template or define its own format inline in the same `SKILL.md`. - A specialist skill **MAY** contribute to multiple categories. - Baseline skills, process skills, and pure index/orchestration skills **MUST NOT** declare. Worked examples live in [references/declaration-form.md](references/declaration-form.md). ## Specialist vs exempt skills A skill is "specialist" for the purposes of this contract when it: - Produces concrete project artifacts (code patterns, schemas, configs, documents). - Is loaded for a specific domain or platform problem rather than as a baseline frame. Skills exempt from declaring (non-exhaustive): - `world-class-engineering`, `skill-composition-standards`, `validation-contract` itself. - `system-architecture-design`, `engineering-management-system`, `git-collaboration-workflow`. - `feature-planning`, `spec-architect`. - All `superpowers:*` skills. When a skill straddles the line, the default is **declare**. False positives are cheaper than silent omissions. ## The Release Evidence Bundle When a feature or release is ready to ship, the reviewer produces a single fillable document — the Release Evidence Bundle — that links to the concrete artifacts satisfying each of the seven categories. - **Template:** [references/release-evidence-bundle-template.md](references/release-evidence-bundle-template.md). - **`N/A` semantics:** permitted **only with a reason on the same line**. An empty cell is not acceptable. - **Risk tier guidance:** - **Low risk** — internal tools, docs, non-user-facing scripts. Typical bundle has 3-4 categories live. - **Medium risk** — user-facing feature, single-tenant. All 7 categories addressed; some may be `N/A` with reason. - **High risk** — multi-tenant data, payments, auth, external APIs, AI features. All 7 categories live; no `N/A` permitted on Correctness, Security, Data safety, Operability, or Release evidence. ## Strictness - The contract uses **MUST**, **MAY**, **MUST NOT** in the RFC 2119 sense. - Mechanical enforcement is **out of scope** for this skill. It lands separately as a CI contract-gate hook that will: - parse `## Evidence Produced` tables and warn on missing or invalid categories. - parse Release Evidence Bundles and warn on empty cells or unjustified `N/A`. - Authoring with binding language now means the CI hook is a parser and CI integration only, not a policy debate. ## Integration with existing skills The rollout in [references/integration-rollout.md](references/integration-rollout.md) lists every edit made to other skills when this skill was introduced. Future edits that touch this contract should update that file. ## Companion Skills - `skill-composition-standards` — Standards 1 and 2. Load this before `validation-contract`. - `world-class-engineering` — repository production-readiness bar. This contract makes the evidence of meeting that bar a first-class artifact. - Category-specific skills — the source of truth for *how* to validate within each category (see [references/evidence-categories.md](references/evidence-categories.md)).
Related Skills
web-app-security-audit
Use when auditing a PHP/JavaScript/HTML web application for security vulnerabilities. Covers configuration, authentication, authorization, input validation, XSS, API security, HTTP headers, and dependency scanning. Produces a severity-rated audit...
vibe-security-skill
Use when designing or reviewing security for a web application, API, or multi-tenant SaaS — produces threat model, abuse case list, auth/authz matrix, and secret handling plan; covers OWASP Top 10 2025 and the AI-code-generation blind spots. Neighbours — api-design-first owns auth model fields, deployment-release-engineering owns secret rotation choreography, ai-security and llm-security own model-specific threats.
network-security
Use when designing, hardening, or auditing network-layer security for self-managed Debian/Ubuntu SaaS infrastructure — firewalls (nftables/UFW), WAF (ModSecurity + OWASP CRS), VPN (WireGuard, OpenVPN, IPsec), TLS/PKI ops, IDS/IPS (Suricata, Fail2ban), zero-trust, SSH hardening, DDoS mitigation, DNS security. Complements web-app-security-audit (app layer) and cicd-devsecops (secrets/CI).
linux-security-hardening
Use when hardening a Debian/Ubuntu server — user/group/sudo hardening, file permission audits, PAM password policy + MFA, AppArmor mandatory access control, auditd system call logging, kernel sysctl hardening, file integrity monitoring (AIDE), rootkit detection (rkhunter/chkrootkit), unattended security patching, GRUB + UEFI + LUKS boot security, and CIS benchmark compliance.
dpia-generator
Generate a Data Protection Impact Assessment (DPIA), Uganda DPPA 2019-compliant. Use when producing or reviewing a data protection impact assessment, a privacy impact assessment, when uganda-dppa-compliance flags [DPIA-REQUIRED], or when processing large-scale or sensitive personal data for a new feature.
code-safety-scanner
Scan any codebase for 14 critical safety issues across security vulnerabilities, server stability (500 errors), and payment misconfigurations. Use when auditing code before deployment, reviewing AI-generated code for production readiness, or...
world-class-engineering
Use when designing, building, reviewing, or upgrading production software systems that must be secure, performant, maintainable, scalable, and user-centered. Apply before writing specs, code, architecture, APIs, databases, mobile apps, SaaS platforms, or ERP systems.
update-Codex-documentation
Update project documentation files (README.md, PROJECT_BRIEF.md, TECH_STACK.md, ARCHITECTURE.md, docs/API.md, docs/DATABASE.md, AGENTS.md, docs/plans/NEXT_FEATURES.md) when significant changes occur. MANDATORY at end of each work session to...
skill-writing
Use when creating or upgrading skills in this repository. Covers repository-specific frontmatter rules, progressive disclosure, reference-file strategy, validation, and the quality bar required for production-grade engineering skills.
skill-safety-audit
Scan new or updated skills for unsafe or malicious instructions (unknown tools, external installers, credential harvesting) before accepting them into the repository.
skill-composition-standards
Use when authoring a new skill, normalising an older skill, or reviewing a skill PR — defines the repository-wide house style (frontmatter, decision rules, anti-patterns, references), the output contracts each baseline-skill type must produce, and the input contracts each specialist skill must declare. This is the enforcement spine that makes the repository compose as a system, not a library of linked documents.
sdlc-documentation
Use when producing, reviewing, or consolidating SDLC documentation across planning, requirements, design, testing, deployment, user rollout, post-deployment, and maintenance phases. Load absorbed SDLC phase references as needed.