| name | review:compliance |
| description | Validates business requirements compliance - generates OpenAPI specs, creates contract tests, and ensures acceptance criteria alignment |
Compliance Validation
Overview
The compliance skill acts as a quality architect that enforces test coverage for acceptance criteria before commits, and validates API compliance:
- Validating acceptance criteria from active story and enforcing quality gates (Phase 0 - NEW)
- Generating OpenAPI specs from TypeScript Lambda handlers
- Creating contract tests from OpenAPI schemas
- Analyzing test coverage gaps and generating missing tests
- Extracting acceptance criteria from PRDs and validating implementation (Legacy mode)
When to use:
- After implementing new API endpoints
- Before releasing features to production
- When coverage reports show gaps
- When updating business requirements
- During API design reviews
Quick Start
/compliance
/compliance --api admin
/compliance --phase openapi
/compliance --phase contract
/compliance --phase coverage
/compliance --phase acceptance
/compliance --help
Workflow
The skill executes in five phases. Phase 0 runs first as a pre-commit quality gate:
Phase 0: AC Validation (Quality Gates)
↓
Active Story → Extract/Generate ACs → Link to Tests → Validate P0=100% → Block if Gaps
↓
Phase 1-4 (API Compliance - Optional)
↓
OpenAPI Generation → Contract Tests → Coverage Analysis → PRD Validation
↓ ↓ ↓ ↓
docs/api/*.yaml **/__tests__/ Missing tests Compliance report
Phase 0 is the primary mode - it enforces quality standards before commits.
Phases 1-4 are optional - run when working with APIs or legacy PRD validation.
Phase 0: AC Validation (Quality Architect Mode)
Purpose: Enforce test coverage for acceptance criteria before commits. Acts as a quality gate that blocks commits when P0 ACs aren't fully tested.
See: @references/quality-architect-mode.md for detailed guide
Process:
- Read active story from
$AGENT_DOCS_DIR/active-story.yaml
- Extract or generate acceptance criteria (from story body or title + NFRs)
- Search codebase for implementation (keyword-based Grep)
- Search test files for AC coverage (keyword + similarity scoring)
- Calculate per-AC coverage from Jest reports
- Identify gaps (untested P0 ACs)
- Generate BDD-style test stubs for gaps
- Validate quality gates (P0 = 100% tested)
- Block commit if P0 not met, display compliance summary if passed
Example:
/gh:commit
/compliance --phase 0
Output:
.claude/compliance/acceptance-criteria.json - AC data structure with evidence
.claude/compliance/story-{issueNumber}-compliance.md - Quality gate report
{module}/__tests__/ac-{id}.test.ts - Generated test stubs (for P0 gaps)
When to use:
- Automatically called by
/gh:commit before creating commits
- Manually run to check compliance status
- After implementing features to verify test coverage
- Before creating PRs to ensure quality gates pass
Quality Gates:
- P0 (Must Have): 100% test coverage required - blocks commits
- P1 (Should Have): 80% recommended - warns but allows commits
- P2 (Could Have): 50% recommended - informational only
AC Generation Strategy:
- Parse from story.body if "## Acceptance Criteria" section exists
- Generate from title if no ACs in body (fallback)
- Augment with NFRs always (performance, security, reliability)
Test Linking Strategy:
- Extract keywords from AC description (remove stop words)
- Search test files:
Grep(keywords, glob: **/__tests__/**/*.test.ts)
- Read test files and extract describe/it blocks
- Calculate Jaccard similarity between AC keywords and test names
- Link if similarity ≥ 70% (configurable threshold)
Test Stub Generation:
- Infer module from story context or AC keywords
- Generate BDD-style tests with Arrange-Act-Assert structure
- Include TODO comments with implementation guidance
- Performance tests include timing assertions
- Security tests include auth validation
- Add FIXME placeholders for actual assertions
Phase 1: OpenAPI Spec Generation
Purpose: Generate machine-readable API specifications from TypeScript Lambda code.
See: @references/openapi-generation.md for detailed guide
Process:
- Analyze Lambda TypeScript handlers (Read lambda/*/index.ts)
- Extract route patterns, HTTP methods, request/response types
- Convert TypeScript types to JSON Schema
- Generate OpenAPI 3.0 YAML documents
- Validate specs with swagger-parser
Example:
/compliance --phase openapi --api admin
Output:
docs/api/{api}-openapi.yaml - OpenAPI 3.0 specification
- Validation report (errors, warnings)
When to use:
- New API endpoints added
- Request/response schemas changed
- API documentation needed
Phase 2: Contract Test Generation
Purpose: Generate automated tests that validate API contracts against OpenAPI specs.
See: @references/contract-testing.md for detailed guide
Process:
- Read OpenAPI spec from Phase 1
- Extract paths, methods, request/response schemas
- Generate Jest test suites with Ajv schema validation
- Create tests for success, client errors, server errors
- Mock API Gateway events and AWS services
Example:
/compliance --phase contract --api admin
Output:
lambda/{api}/__tests__/contract.test.ts - Jest test suite
- Test execution report (pass/fail counts)
When to use:
- After generating OpenAPI specs
- Before deploying API changes
- When adding new endpoints
Phase 3: Test Coverage Analysis
Purpose: Identify untested code paths and generate missing tests.
See: @references/coverage-analysis.md for detailed guide
Process:
- Run Jest with --coverage flag
- Parse coverage reports (lcov, json)
- Identify functions/branches below threshold
- Generate test cases (happy path, errors, edge cases)
- Mock AWS SDK services (Cognito, S3, DynamoDB)
Example:
/compliance --phase coverage --lambda admin
Output:
lambda/{api}/__tests__/index.test.ts - Generated unit tests
- Coverage report with before/after percentages
- List of remaining gaps
When to use:
- Coverage below threshold (70-90%)
- New Lambda functions added
- Before production deployment
Phase 4: Acceptance Criteria Validation
Purpose: Ensure implementation meets documented business requirements.
See: @references/acceptance-criteria.md for detailed guide
Process:
- Parse PRDs for acceptance criteria sections
- Extract individual criteria (Must Have P0, Should Have P1)
- Search codebase for implementation (Grep, Glob)
- Calculate compliance percentage
- Generate actionable compliance report
Example:
/compliance --phase acceptance --prd PRD-ADMIN-API.md
Output:
docs/compliance-report.md - Compliance status and gaps
- GitHub issues for missing criteria (optional)
When to use:
- Before feature release
- During requirement reviews
- When PRDs are updated
Configuration
The skill reads settings from config.yaml:
openapi:
enabled: true
output_dir: "docs/api"
validate: true
apis:
- name: admin
path: lambda/admin/index.ts
- name: referral
path: lambda/referral/index.ts
contract:
enabled: true
output_pattern: "lambda/{api}/__tests__/contract.test.ts"
coverage:
enabled: true
thresholds:
lambda: 80
infrastructure: 70
acceptance:
enabled: true
sources:
- docs/archive/root/PRD-*.md
Customize:
yq e '.openapi.apis += {"name": "auth", "path": "lambda/auth/index.ts"}' -i config.yaml
yq e '.coverage.thresholds.lambda = 90' -i config.yaml
yq e '.contract.enabled = false' -i config.yaml
Usage Examples
Example 1: Full Compliance Scan
/compliance
Example 2: Single API Validation
/compliance --api admin
Example 3: Phase-Specific Execution
/compliance --phase openapi
/compliance --phase coverage
Expected Artifacts
After running /compliance, these files are created or updated:
OpenAPI Specifications:
docs/api/
├── admin-openapi.yaml # Admin API (8 endpoints)
├── referrals-openapi.yaml # Referral API (6 endpoints)
└── auth-edge-openapi.yaml # Lambda@Edge auth (3 endpoints)
Contract Tests:
lambda/admin/__tests__/
└── contract.test.ts # 48 schema validation tests
lambda/referral/__tests__/
└── contract.test.ts # 36 schema validation tests
Unit Tests:
lambda/admin/__tests__/
└── index.test.ts # Generated unit tests (coverage gaps)
Reports:
docs/
└── compliance-report.md # Compliance status, gaps, recommendations
Integration
With other skills:
/gh:commit - Reference compliance artifacts in commit messages
/mr - Include compliance report in PR descriptions
/code-review - Validate specs and tests before review
With CI/CD: see @references/examples.md for workflow integration.
Troubleshooting
Issue: OpenAPI generation fails with "Cannot find route handlers"
- Check: Lambda handler uses API Gateway proxy format
- Fix: Ensure handler exports routes with
httpMethod and path properties
- See: @references/openapi-generation.md for supported patterns
Issue: Contract tests fail with schema validation errors
- Check: OpenAPI spec matches actual response structure
- Fix: Regenerate spec or update TypeScript types
- Debug: Add
console.log(JSON.stringify(response, null, 2)) to Lambda handler
Issue: Coverage analysis shows 0% coverage
- Check: Jest configured correctly (
jest.config.js)
- Fix: Run
npm test -- --coverage manually to verify
- See: @references/coverage-analysis.md for Jest setup
Issue: Acceptance criteria extraction finds 0 criteria
- Check: PRD uses supported headings ("## Acceptance Criteria", "Must Have (P0)")
- Fix: Update PRD format or adjust
acceptance.sources in config.yaml
- See: @references/acceptance-criteria.md for supported patterns
Issue: Compliance report shows false negatives
- Check: Search patterns in
acceptance-criteria.md are accurate
- Fix: Adjust Grep patterns to match implementation style
- Debug: Run searches manually to verify results
Best Practices
1. Run compliance before PRs
- Catches missing tests early
- Ensures API contracts are documented
- Validates business requirements
2. Keep OpenAPI specs in sync
- Regenerate specs after API changes
- Version specs alongside code
- Use specs for API documentation
3. Treat contract tests as regression tests
- Run on every commit (via CI/CD)
- Block PRs if schemas break
- Update tests when specs change
4. Address coverage gaps incrementally
- Focus on critical paths first (auth, data mutations)
- Aim for 80%+ on Lambdas, 70%+ on infrastructure
- Document why uncovered code is acceptable (if any)
5. Link compliance reports to GitHub issues
- Create issues for missing criteria
- Reference issues in PRs
- Track compliance over time
Advanced Usage
Custom API patterns:
openapi:
apis:
- name: custom
path: lambda/custom/index.ts
base_path: /api/v2/custom
auth: cognito
Override thresholds:
/compliance --phase coverage --threshold 90
Generate specific test types:
/compliance --phase contract --scenarios success,client_errors
Multi-PRD validation:
/compliance --phase acceptance --prd "docs/archive/root/PRD-*.md"
Resources
- OpenAPI Generation Guide: @references/openapi-generation.md
- Contract Testing Guide: @references/contract-testing.md
- Coverage Analysis Guide: @references/coverage-analysis.md
- Acceptance Criteria Guide: @references/acceptance-criteria.md
- Example Workflows: @references/examples.md
- Configuration: config.yaml
- Architecture: @references/architecture.md
- Validation: @references/validation.md