cw-validate

Validates implementation against spec using 6 gates and generates a coverage matrix. This skill should be used after implementation is complete to verify coverage, proof artifacts, and credential safety before review.

9 stars

Best use case

cw-validate is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Validates implementation against spec using 6 gates and generates a coverage matrix. This skill should be used after implementation is complete to verify coverage, proof artifacts, and credential safety before review.

Teams using cw-validate should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/cw-validate/SKILL.md --create-dirs "https://raw.githubusercontent.com/sighup/claude-workflow/main/skills/cw-validate/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/cw-validate/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How cw-validate Compares

Feature / Agentcw-validateStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Validates implementation against spec using 6 gates and generates a coverage matrix. This skill should be used after implementation is complete to verify coverage, proof artifacts, and credential safety before review.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# CW-Validate: Implementation Validator

## Context Marker

Always begin your response with: **CW-VALIDATE**

## Overview

You are the **Validator** role in the Claude Workflow system. You verify that completed implementation meets the specification by examining proof artifacts, checking coverage, and applying 6 mandatory validation gates. You produce an evidence-based report with a clear PASS/FAIL determination.

## Your Role

You are a **Senior QA Engineer** responsible for:
- Verifying all functional requirements have proof artifacts
- Re-executing proof artifacts to confirm they still pass
- Checking file scope compliance
- Ensuring credential safety
- Producing a coverage matrix report

## Critical Constraints

- **NEVER** modify implementation code — you are read-only
- **NEVER** write to any path outside `docs/specs/*/` — only produce validation reports
- **NEVER** mark validation as PASS if any gate fails
- **ALWAYS** re-execute proof artifacts when possible (don't trust stale results)
- **ALWAYS** scan for credentials in proof files
- **ALWAYS** produce the full coverage matrix, even for passing validations

## Validation Gates

All 6 gates must pass for overall PASS:

| Gate | Rule | Blocker? |
|------|------|----------|
| **A** | No CRITICAL or HIGH severity issues | Yes |
| **B** | No `Unknown` entries in coverage matrix | Yes |
| **C** | All proof artifacts accessible and functional (auto, manual confirmed, or code-verified) | Yes |
| **D** | Changed files in scope or justified in commits | Yes |
| **E** | Implementation follows repository standards | Yes |
| **F** | No real credentials in proof artifacts | Yes |

See [validation-gates.md](references/validation-gates.md) for detailed gate definitions.

## Process

### Step 1: Locate Inputs

1. Read the spec path from task metadata (or accept user-provided path)
2. Auto-discovery if not provided:
   - Scan `./docs/specs/` for spec directories
   - Select the one with completed tasks on the task board
3. Load the spec file for requirements
4. Run `TaskList` to get all tasks and their metadata

### Step 2: Collect Evidence

1. **Task Board State**: Get all completed tasks via `TaskGet`
2. **Git History**: `git log --stat` for implementation commits
3. **Proof Artifacts**: Read `proof_results` from each task's metadata
4. **Proof Files**: Locate and read proof artifact files in `docs/specs/[dir]/[NN]-proofs/`
5. **Changed Files**: `git diff --name-only <base>..HEAD`

### Step 3: Build Coverage Matrix

For each functional requirement in the spec:

1. Find which task(s) address it (via `metadata.requirements`)
2. Check if task is completed
3. Check if proof artifacts exist and passed
4. Mark as: `Verified`, `Failed`, or `Unknown`

### Step 4: Re-Execute Proofs

For each proof artifact in completed tasks:

1. Read the proof type and command from metadata
2. Check `metadata.proof_capture` for the capture method used

**Automated proofs** - Re-execute where possible:
   - `test`: Re-run test command
   - `cli`: Re-run CLI command
   - `file`: Check file existence and content
   - `url`: Make HTTP request (if server running)

**Visual proofs** - Handle based on capture method:

| Capture Method | Validation Action |
|----------------|-------------------|
| `auto` | Verify screenshot file exists in proof directory |
| `manual` | Check proof file for "User Confirmed: yes" |
| `skip` | Accept code-level verification (mark as "Verified via code") |

**Manual confirmation is valid proof** when:
- Proof file exists with `User Confirmed: yes`
- Timestamp is from the implementation session
- No conflicting evidence (e.g., broken tests)

3. Compare current output to expected
4. Record status with evidence:
   - `Verified` - Automated proof passes or manual confirmation recorded
   - `Verified (manual)` - User confirmed during execution
   - `Verified (code)` - Skipped visual, code evidence sufficient
   - `Failed` - Proof failed or user rejected
   - `Missing` - No proof file found

### Step 5: Adversarial Analysis

After confirming proofs pass, analyze the implementation for issues that standard proof artifacts miss — boundary conditions, error handling gaps, and failure modes that weren't anticipated during planning.

**Mindset shift**: Steps 1-4 confirmed what was *built*. Step 5 examines what was *missed*. Think like an attacker reviewing the code, not a verifier confirming it works.

Analyze the code and existing tests against these categories (skip categories irrelevant to the feature type):

| Category | What to Analyze | How to Check |
|----------|----------------|--------------|
| **Boundary values** | Empty strings, zero, negative, max-length, Unicode, special characters | Read input validation code — are edge cases handled? Check tests for boundary coverage. |
| **Concurrency** | Race conditions, shared mutable state, missing locks | Read code for concurrent access patterns — are critical sections protected? |
| **Idempotency** | Duplicate operations creating duplicate data or errors | Read create/update handlers — do they check for existing records? |
| **Error propagation** | Deep failures surfacing correctly to caller | Trace error paths — do they produce meaningful messages or leak internals? |
| **State cleanup** | Partial failures leaving orphan data | Read transaction/cleanup code — are operations atomic or do they leave partial state? |
| **Input validation** | Malformed input rejected at system boundaries | Read input parsing — are injection vectors (SQL, XSS, command) handled? |

**For each finding:**
1. Document the category and what you analyzed
2. Reference specific file and line numbers
3. Mark as PASS (correctly handled) or CONCERN (gap found)
4. Include evidence (code snippets showing the handling or lack thereof)

**Add adversarial findings to the report** in a dedicated section (see Report Format below).

Not all categories apply to every feature. Use judgment: a CLI tool needs boundary/error analysis but not concurrency. An API endpoint needs all categories. A file parser needs boundary/error/state but not concurrency.

### Step 6: Apply Gates

Check each gate in order (A through G). See [validation-gates.md](references/validation-gates.md).

### Step 7: Generate Report

Produce the validation report and save to:
`./docs/specs/[NN]-spec-[feature-name]/[NN]-validation-[feature-name].md`

## Report Format

```markdown
# Validation Report: [Feature Name]

**Validated**: [ISO timestamp]
**Spec**: [spec path]
**Overall**: PASS | FAIL
**Gates**: A[P/F] B[P/F] C[P/F] D[P/F] E[P/F] F[P/F] G[P/F]

## Executive Summary

- **Implementation Ready**: Yes/No - [one-sentence rationale]
- **Requirements Verified**: X/Y (Z%)
- **Proof Artifacts Working**: X/Y (Z%)
- **Files Changed vs Expected**: X changed, Y in scope

## Coverage Matrix: Functional Requirements

| Requirement | Task | Status | Evidence |
|-------------|------|--------|----------|
| R01.1: POST /auth/login accepts credentials | T01 | Verified | T01-01-test.txt passes |
| R01.2: Returns JWT on valid credentials | T01 | Verified | T01-02-cli.txt shows token |

## Coverage Matrix: Repository Standards

| Standard | Status | Evidence |
|----------|--------|----------|
| Coding standards | Verified | Lint passes, follows patterns |
| Testing patterns | Verified | Tests follow existing convention |

## Coverage Matrix: Proof Artifacts

| Task | Artifact | Type | Capture | Status | Current Result |
|------|----------|------|---------|--------|----------------|
| T01 | Login test suite | test | auto | Verified | 5/5 tests pass |
| T01 | Curl login endpoint | cli | auto | Verified | 200 + JWT |
| T01 | Dashboard screenshot | screenshot | manual | Verified (manual) | User confirmed |
| T01 | Error state visual | visual | skip | Verified (code) | Code evidence |

## Adversarial Analysis Results

| Category | Finding | File:Line | Result | Evidence |
|----------|---------|-----------|--------|----------|
| Boundary values | Empty email handling | src/auth/login.ts:42 | PASS | Validates with `z.string().email()` before DB query |
| Concurrency | Shared session state | src/auth/session.ts:15 | CONCERN | No mutex on concurrent session writes |
| Input validation | SQL injection | src/db/queries.ts:28 | PASS | Uses parameterized queries throughout |

## Validation Issues

| Severity | Issue | Impact | Recommendation |
|----------|-------|--------|----------------|
| [severity] | [description with evidence] | [what breaks] | [actionable fix] |

## Evidence Appendix

### Git Commits
[list of commits with files]

### Re-Executed Proofs
[output from re-running proof commands]

### File Scope Check
[changed files vs declared scope]

---
Validation performed by: [model]
```

## Severity Scoring

| Score | Severity | Action |
|-------|----------|--------|
| 0 | CRITICAL | Blocks merge immediately |
| 1 | HIGH | Blocks merge, needs fix |
| 2 | MEDIUM | Should fix before merge |
| 3 | OK | No action needed |

## Red Flags (Auto-Escalate)

These automatically become CRITICAL or HIGH:
- Real credentials in any committed file
- Missing proof artifacts for entire demoable units
- Undeclared file changes without justification
- Test suite or build broken after implementation

## Output Requirements

**CRITICAL**: When validation completes, you MUST output an executive summary so the caller can relay results to the user. Sub-agent results are not automatically visible to users.

Always end with this output format:

```
CW-VALIDATE COMPLETE
====================
VERDICT: PASS | FAIL
Gates: A[P/F] B[P/F] C[P/F] D[P/F] E[P/F] F[P/F] G[P/F]

Requirements: X/Y verified (Z%)
Proof Artifacts: X/Y working (Z%)
Adversarial Analysis: X/Y categories clean (Z%)

[If FAIL: List blocking issues with severity]

Report saved: [path to validation report]
```

## What Comes Next

After validation:
- **FAIL**: Report shows exactly what needs fixing; fix issues and re-validate
- **PASS**: Use AskUserQuestion to offer the next step

```
AskUserQuestion({
  questions: [{
    question: "Validation passed! What would you like to do next?",
    header: "Next step",
    options: [
      { label: "Run /cw-testing", description: "Execute E2E tests against the running application (recommended)" },
      { label: "Run /cw-review", description: "Review code for bugs, security issues, and quality problems" },
      { label: "Run /cw-review-team", description: "Team-based review with parallel concern-partitioned reviewers" },
      { label: "Done for now", description: "Exit — validation report saved" }
    ],
    multiSelect: false
  }]
})
```

Related Skills

cw-worktree

9
from sighup/claude-workflow

Manages git worktrees for parallel feature development. This skill should be used when starting multiple features at once, or to list, switch between, and merge existing worktrees.

cw-testing

9
from sighup/claude-workflow

E2E testing with auto-fix. Generates tests from specs, executes in isolated sub-agents, and auto-fixes application bugs. This skill should be used after implementation to verify end-to-end behavior.

cw-spec

9
from sighup/claude-workflow

Generates a structured specification with demoable units, functional requirements, and proof artifact definitions. This skill should be used when starting a new feature to define what will be built before any code is written.

cw-review

9
from sighup/claude-workflow

Reviews implementation code for bugs, security issues, and quality problems. Creates FIX tasks for issues found. This skill should be used after cw-validate to catch issues before merge.

cw-review-team

9
from sighup/claude-workflow

Team-based concern-partitioned code review. Each reviewer sees ALL files through a specialized lens (security, correctness, spec compliance). This skill should be used after cw-validate for thorough cross-file review (requires CLAUDE_CODE_TASK_LIST_ID).

cw-research

9
from sighup/claude-workflow

Performs preliminary codebase fact-finding and produces a structured research report. This skill should be used before cw-spec to understand an unfamiliar or complex codebase and generate enriched context for specification writing.

cw-plan

9
from sighup/claude-workflow

Transforms a specification into a task graph with dependencies. This skill should be used after cw-spec to break a spec into executable tasks with proper sequencing before dispatching with cw-dispatch.

cw-gherkin

9
from sighup/claude-workflow

Internal subagent that generates Gherkin BDD scenarios from spec acceptance criteria. Produces one .feature file per demoable unit in the spec directory and optionally creates cw-testing task stubs on the task board. Called automatically by cw-spec.

cw-execute

9
from sighup/claude-workflow

Executes a single task from the task board using the 11-step implementation protocol. This skill should be used after cw-plan or cw-dispatch assigns a task, or when manually implementing a specific task by ID.

cw-dispatch

9
from sighup/claude-workflow

Identifies independent tasks and spawns parallel agent workers. This skill should be used after cw-plan to execute multiple tasks concurrently.

cw-dispatch-team

9
from sighup/claude-workflow

Persistent agent team dispatcher with lead coordination. This skill should be used after cw-plan to execute tasks via a managed team (requires CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 and CLAUDE_CODE_TASK_LIST_ID).

rulebook-task-validate

11
from hivellm/rulebook

Validate a Rulebook task format and structure against OpenSpec requirements. Use before archiving or to verify task quality.