| name | forge-trust-code |
| description | WHEN: Spec review is required after implementation. HARD-GATE: Spec-reviewer reads actual code, doesn't trust implementer report. Verify every claim. |
| type | rigid |
| version | 1.0.0 |
| preamble-tier | 2 |
| triggers | ["trust the spec reviewer","proceed after spec review","spec review approved"] |
| allowed-tools | ["Bash"] |
Do Not Trust The Report
Rule: Spec-reviewer must read actual code (diffs, files). Never trust implementer's self-review.
Anti-Pattern Preamble: Why Reviewers Trust Reports Over Code
| Rationalization | The Truth |
|---|
| "The commit message says it implements X, I'll trust that" | Commit messages are claims, not evidence. Read code to verify claims. |
| "Tests pass, so the requirements must be met" | Tests verify what was tested, not what was required. Spec may require Y; tests may only verify X. |
| "The implementer is experienced, I trust their judgment on spec compliance" | Trust is not verification. Experienced developers miss requirements all the time (spec ambiguity, forgotten edge cases). Verify anyway. |
| "The code looks clean and well-structured, the implementation must be correct" | Code quality is orthogonal to spec compliance. Beautiful code can violate requirements. Verify both. |
| "The PR review is already done, the code must be correct" | PR review verifies code quality, not spec compliance. Spec review is a separate gate. Do it. |
| "I understand the spec from the discussion, I don't need to read the code" | Understanding is not verification. Read actual code to see what was actually built. |
| "The staging environment works, the spec must be met" | Staging behavior is point-in-time. Verify code to ensure behavior is persistent, not accidental. |
| "No one filed a bug, so the implementation must be correct" | Absence of bug reports is not proof of correctness. You're testing early. Don't assume production feedback replaces review. |
| "I did a spot-check of key functions, that's sufficient" | Spot-checks miss edge cases, error handling, and integration points. Read all relevant code. |
| "The implementer said they checked the spec, so I don't need to" | Self-review is the weakest form of review. Verify independently. Always. |
Iron Law
SPEC REVIEWERS READ ACTUAL CODE — NEVER TRUST THE IMPLEMENTER'S REPORT. "IT WORKS" IS NOT EVIDENCE. VERIFIED OUTPUT IS EVIDENCE.
Red Flags — STOP
If you notice any of these, STOP and do not proceed:
- Reviewer is reading the implementer's summary instead of the diff — Summaries are curated. Diffs are reality. A reviewer who reads the summary only will miss what was omitted, not just what was changed. STOP. Open the actual diff before forming any opinion.
- Review consists of "looks good to me" or "LGTM" without citing spec sections — Approval without evidence of spec verification is not a review — it is an endorsement. STOP. Every review must cite which spec requirements were checked and how.
- Acceptance criteria checklist is unmarked but reviewer claims spec is met — Unchecked items are unverified items. STOP. Every acceptance criterion must have a explicit checked/not-checked status with evidence linking to code.
- Reviewer finds code clean and well-structured and infers correctness — Code quality is independent of spec compliance. Beautiful code frequently omits edge cases specified in the PRD. STOP. Run through the spec requirements line by line, regardless of code quality impression.
- Review is performed on a branch that has uncommitted changes — Uncommitted changes are invisible to the diff. Reviewing against partially complete code validates a state that will not be merged. STOP. Verify the branch is fully committed before beginning review.
- Error handling paths are not checked during review — Happy-path code is usually spec-compliant. Error paths are where spec requirements get silently dropped. STOP. For every spec requirement, verify both the success path and the failure/edge-case path in the code.
Detailed Workflow
Prepare for Review
- Input: PR with implementation, spec (from council), and acceptance criteria
- Action: Gather review materials
- Read the locked spec (from council gate) — know what was promised
- Read acceptance criteria — understand "done"
- Identify spec surfaces touched (API, DB, cache, events, UI, mobile)
- List files changed in PR (diffs)
- Output: Review context prepared
Spec-to-Code Mapping
- For each requirement in spec:
- Identify which file(s) implement it
- Open those files and read the code
- Do NOT rely on:
- Commit messages ("implements X")
- PR description ("adds Y")
- Function names ("configureX" doesn't prove it's actually configured)
- Test names ("testX passes" doesn't prove X is fully implemented)
- Do rely on:
- Actual code execution (what does the code actually do?)
- Data flow (where does data come from, where does it go?)
- Error handling (what happens if something fails?)
Deep Code Review (Line-by-Line)
For each requirement:
-
Read the implementation code (not tests, not comments)
Example: Spec says "API must reject requests without auth header"
Code review: Find the auth middleware. Read it. Does it actually
check for the header? Does it reject if missing? Does it reject
with correct HTTP status? Verify each detail.
-
Verify data flow
Example: Spec says "User data is encrypted in DB"
Code review: Find the DB write code. Is encryption applied
before write? Find the read code. Is decryption applied after read?
Verify both directions.
-
Check error handling
Example: Spec says "If external API fails, retry with exponential backoff"
Code review: Find the API call. Is there a try-catch? What's the
catch block doing? Is it retrying? Is backoff implemented?
Is retry count bounded? Verify all parts.
-
Verify edge cases
Example: Spec says "Support users with 0, 1, or 100 groups"
Code review: Find the group-handling code. Does it work with 0 groups?
With 1? With 100? Are there array index assumptions? Off-by-one errors?
Verify each edge case mentioned in spec.
-
Check integration points
Example: Spec says "Cache is invalidated when data changes"
Code review: Find all places data can change. Is cache invalidated
in every path? Or just one? Verify complete coverage.
Verify Against Acceptance Criteria
Document Gaps
If code does NOT match spec:
-
For each gap, document:
- Spec requirement (exact quote)
- What code actually does (exact quote + line numbers)
- Why gap exists (misunderstanding? Known limitation? Bug?)
- Impact (does it break acceptance criteria?)
-
Output options:
- If gap is critical: REQUEST CHANGES (implementer must fix)
- If gap is minor: COMMENT (request clarification or improvement)
- If gap is acceptable (spec ambiguity): APPROVE with notes
Verify Test Coverage
Do NOT assume tests are correct. Verify test code.
Final Verification
Before approving, complete checklist:
Edge Cases & Fallback Paths
Case 1: Code Is Hard to Understand (Complex Logic, Unclear)
- Symptom: "I read the function 3 times and still don't understand what it does"
- Do NOT: Assume it's correct, ask implementer
- Action:
- Trace through code with a concrete example (input → step 1 → step 2 → output)
- If still unclear: add comment requests (code must be reviewable)
- Request: "Add comments explaining algorithm" or "Simplify this logic"
- Don't approve until you understand it
Case 2: Code Doesn't Match PR Description
- Symptom: PR says "adds feature X" but code does feature Y or has no feature at all
- Do NOT: Trust the description, verify the code
- Action:
- Read code (what does it actually do?)
- If code implements something different: request changes
- If code is incomplete: request changes
- Sync PR description with code, or revert
Case 3: Requirement Touches Multiple Files (Complex Implementation)
- Symptom: "Auth requirement is implemented across 5 files (middleware, handler, util, test, config)"
- Do NOT: Spot-check one or two files
- Action:
- Map requirement to all files it touches
- Read code in all 5 files
- Verify they work together correctly
- Test integration (not just individual file correctness)
Case 4: Spec Requirement Is Ambiguous
- Symptom: Spec says "validate user input" but doesn't say exactly what validation
- Do NOT: Assume implementer guessed correctly
- Action:
- Identify the ambiguity
- Read code (what validation was chosen?)
- Ask: "Is this validation sufficient?" (escalate if unsure)
- Or: "Spec should clarify this, please update"
- Document assumption in code review
Case 5: Test Passes but Code Looks Wrong
- Symptom: Function to add numbers: "function add(a, b) { return a + 1 }" — test passes
- Do NOT: Trust the test, investigate
- Action:
- Read test code (what is it actually testing?)
- If test is wrong: request test fix
- If code is wrong: request code fix
- Verify test actually exercises the code path you're reviewing
Case 6: Code Implements More Than Required (Gold-Plating)
- Symptom: Spec says "add basic search", code implements full-featured search with analytics
- Do NOT: Approve just because it's better
- Action:
- Verify required functionality is correct (basic search works)
- Flag extra code: "Out of scope, remove or file separate task"
- Extra scope can hide bugs (more code = more risk)
- Enforce scope boundaries
Code Review Checklist
Before approving PR, verify:
Additional Edge Cases
Edge Case 1: Code Reviewer Is Unavailable (Vacation, Context Transfer Lag, No SME)
Situation: Spec-reviewer who understands the requirements is unavailable to review code.
Example: Spec-reviewer on vacation for 2 weeks; new reviewer unfamiliar with the locked spec; security reviewer unavailable but code touches auth.
Do NOT: Merge code without spec review, or do review without understanding the spec.
Action:
- If primary reviewer unavailable but others exist:
- Briefing: spend 30 min explaining locked spec to alternate reviewer
- Alternate reviewer reads spec, then reads code
- Review proceeds normally
- If no qualified reviewer available:
- Escalate as NEEDS_CONTEXT (reviewer unavailable, code blocked)
- Wait for reviewer return or find SME
- If code touches sensitive area (auth, payments, compliance):
- Do NOT merge without spec review
- Escalate; wait for appropriate reviewer
- Record in brain: when spec-review was delayed, who did it, any context gaps
Edge Case 2: Code Changes After Approval (Re-Approval Required)
Situation: Reviewer approves code. Then implementer adds more commits. Code is different from what was approved.
Example: Code review approves PR. Developer adds "one more optimization" commit. PR now has different implementation than what was reviewed.
Do NOT: Merge code that differs from reviewed code, even if "just one more commit"
Action:
- Detect: compare commit hash from approval vs. current HEAD
- If current code differs:
- Option A (preferred): Revert non-approved changes, re-review
- Option B: Re-review from scratch (may be faster if many changes)
- Implementer and reviewer sync:
- Spec-reviewer re-reads spec
- Spec-reviewer re-reads all code (not just diff)
- Re-approve or request changes
- Only merge after final approval
- Record in brain: what changed, why, who approved final version
Edge Case 3: Security Review Needed but No Security Reviewer Available
Situation: Code touches security-sensitive areas (auth, payments, encryption, compliance) but no security SME is available.
Example: Code implements OAuth2 flow; security team is fully staffed on incident response; no one can review for 3 days.
Do NOT: Merge security code without security review, even if timeline pressure exists
Action:
- Identify: does this code need security review?
- Auth, crypto, permission checks, financial transactions, PII handling → YES
- Database connection, cache warming, logging → probably NO
- If security review needed:
- Wait for security reviewer to become available
- Or: escalate to dreamer for timeline trade-off
- If waiting is not possible (deadline hard):
- Escalate as NEEDS_COORDINATION (security review unavailable, code blocked)
- Dreamer decides: delay merge or proceed with risk
- If proceeding with risk: document risk in brain (what was not reviewed, why, potential impact)
- Create follow-up task: "Post-merge security review when reviewer available"
Output: CODE VERIFIED (spec met, implementation correct, all reviews complete) or SPEC GAPS FOUND (implementer must fix before merge) or NEEDS_CONTEXT (reviewer unavailable, spec review incomplete)
Edge Case 4: Code Implements More Than the Spec (Over-Delivery)
Symptom: Spec requires feature X. Code delivers X plus an unsolicited admin panel, a new API endpoint, and a database migration. The extra work is well-written, but the spec did not ask for it.
Do NOT: Accept over-delivery silently. Extra code is extra surface area, extra risk, extra review burden.
Action:
- Identify every code change that does not map to a spec requirement — list them explicitly
- Flag each as an unspecified addition: "SPEC GAP:
admin/routes.ts and the /admin/dashboard endpoint have no corresponding spec requirement"
- Do not approve the extras on the grounds that they seem useful — scope decisions belong to Council, not implementation
- Return to implementer: remove the extras OR raise a new PRD for them
- Escalation: DONE_WITH_CONCERNS if dreamer explicitly accepts the extras; SPEC_GAPS_FOUND if extras are not acknowledged
Edge Case 5: Spec and Code Agree, But Both Are Wrong (Spec Defect)
Symptom: Code implements exactly what the spec says. But the spec itself has a bug: it says DELETE /users/:id should return 200 with the deleted user's body, but REST convention and the existing API contract define 204 No Content for deletes.
Do NOT: Approve the code because it matches the spec. Spec defects become product bugs.
Action:
- When reviewing, cross-check spec requirements against the existing
contract-api-rest brain decisions and industry conventions
- If the spec conflicts with an existing brain decision (e.g., D011 defines delete behavior), flag the spec defect explicitly
- Do not approve code that implements a spec that contradicts a locked brain decision
- Return the spec defect to the dreamer: "Code is correct per spec, but spec conflicts with D011. One of them must change."
- Escalation: NEEDS_COORDINATION — the spec defect must be corrected before code review continues
Checklist
Before claiming code verified:
Next Step After Trust Review
After spec compliance is confirmed:
- The reviewer has verified the diff matches the spec — but this confirms what was written, not what the code does at runtime.
- Invoke
forge-verification — runs actual commands (test suite, curl, integration checks) to confirm the implementation behaves correctly in execution.
- Do not mark the implementation ready for eval or PR without
forge-verification passing.
Post-Implementation Checklist