ワンクリックで
evaluate
Run the application and verify sprint contract criteria via API tests, Playwright interaction, and schema validation.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Run the application and verify sprint contract criteria via API tests, Playwright interaction, and schema validation.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Discover and map an existing codebase before planning or changing it.
Change the behavior of existing code — story-driven by default, or --issue N for a GitHub bug fix. Test-first, full verification, code review.
Use when a planned change touches persisted data shape — ORM models, migration files, schema definitions, serialized formats, or message contracts — in /change, /refactor, or /implement on an existing codebase. Routes schema changes through expand-contract and proves reversibility before any deploy.
Generate production code and tests for a story group using agent teams for parallel execution.
Refactor existing code for quality, performance, or maintainability. Enforces core quality principles with ratchet gate.
Generate test plan, test cases, test data fixtures, and Playwright E2E tests mapped to acceptance criteria.
| name | evaluate |
| description | Run the application and verify sprint contract criteria via API tests, Playwright interaction, and schema validation. |
| argument-hint | [group-id] |
| context | fork |
| agent | evaluator |
Verify that the implemented group meets all sprint contract criteria by running live checks against the application: API calls, Playwright browser interaction, and schema validation.
Ultracode tip: Leave ultracode off here (
/effort high). Evaluation is deterministic three-layer verification against a fixed contract — there is nothing to fan out.
/evaluate C
Evaluates group C's sprint contract. The group ID matches a node in specs/stories/dependency-graph.md and a file at sprint-contracts/{group}.json.
Before running /evaluate, verify:
sprint-contracts/{group}.json exists and is valid JSON.project-manifest.json exists with api_base_url, ui_base_url, and health_check fields.Read the stack-matched verification reference under .claude/skills/evaluate/references/ (see the References section below) for the rigor that applies to this project's stack, plus any custom assertion helpers.
Read sprint-contracts/{group}.json. The contract contains:
api_checks: list of HTTP endpoint checks.playwright_checks: list of browser interaction sequences.design_checks: list of visual and component checks (evaluated in Full mode only).architecture_checks.files_must_exist: list of file paths that must be present on disk.features: list of feature IDs this group satisfies.Read project-manifest.json. Extract:
api_base_url — base URL for all API checks (e.g., http://localhost:8000).ui_base_url — base URL for Playwright navigation (e.g., http://localhost:3000).health_check — path to the health endpoint (e.g., /health).Run a health check to confirm the application is live:
curl --retry 5 --retry-delay 3 -sf {api_base_url}{health_check}
If the health check fails after 5 retries, immediately record a FAIL with failure_layer: "docker" and stop. Do not proceed to API or Playwright checks. A broken stack is not a partial pass.
For each entry in api_checks:
Execute the request via Bash:
curl -s -w '\n%{http_code}' -X {method} {api_base_url}{path}
Include -H headers and -d body as specified in the check entry.
Parse the response: the last line is the HTTP status code; everything before it is the response body.
Verify status code matches expect.status. A mismatch is a FAIL for this check.
Verify the response body contains every string listed in expect.body_contains. A missing string is a FAIL for this check.
If the check entry contains a schema_ref field, validate the response body against the schema:
python3 -c "
import json, jsonschema, sys
body = json.loads(sys.stdin.read())
schema = json.load(open('specs/design/api-contracts.schema.json'))
ref = schema['{schema_ref}']
jsonschema.validate(body, ref)
print('schema valid')
" <<< '{response_body}'
A schema validation error is a FAIL for this check.
Record each check as PASS or FAIL with the actual vs. expected values.
Before reporting an API check as FAILED, read the server logs:
docker compose logs backend --tail=50 2>&1
Include the relevant error from the logs in the failure report. This gives the generator the actual stack trace, not just "got 500 instead of 200."
For each performance_checks entry in the contract:
# Measure response time
time_ms=$(curl -s -o /dev/null -w "%{time_total}" -X {method} {api_base_url}{endpoint} | awk '{printf "%.0f", $1 * 1000}')
If time_ms > max_response_time_ms, report as WARN (not BLOCK — performance is advisory unless critical).
Selector and assertion rules are single-sourced in .claude/skills/evaluate/references/playwright-patterns.md (the canonical Playwright reference, shared with /test). The rules below are a summary — defer to that file if they differ.
For each entry in playwright_checks:
Use Playwright MCP tools to execute the interaction sequence:
browser_navigate — navigate to a URL.browser_click — click an element (use getByRole, getByText, or getByLabel; never CSS selectors).browser_fill_form — fill form fields.browser_snapshot — capture the DOM snapshot for assertion.Execute each step in the order specified. Do not reorder or skip steps.
Verify each assertion listed in the check entry:
browser_navigate landed on the expected path.Use expect().toBeVisible() for visibility assertions. Never use waitForTimeout() — if an element is not immediately visible, the check fails.
Record each check as PASS or FAIL with a description of what was asserted and what was found.
Skip this layer entirely in Lean mode (the design-critic runs once at group end instead).
In Full mode, delegate to the design-critic agent:
design_checks entries from the sprint contract.ui_base_url.Record the design-critic's verdicts as-is. Do not override them.
For each path listed in architecture_checks.files_must_exist:
This check does not require Docker to be running.
The validator is not security-complete without this layer. Run it in Full and Lean modes — every mode runs the security gate.
security-reviewer agent against the group's changed files (run it concurrently with Layers 1–2 when possible — it does not need the app running).specs/reviews/security-verdict.json ({ pass, block_severities, summary, findings[] }). Read it.contract.security_checks.block_severities if present, else the default ["critical", "high"].severity is in the blocking set (equivalently, security-verdict.json#pass === false). Medium/low findings are WARN/INFO — record them, do not fail on them.security-verdict.json is missing, treat that as a FAIL with failure_layer: "security" and reason "security-reviewer did not produce a verdict" — a missing scan is not a pass.This layer does not require Docker. It is independent of the app being reachable.
After all checks complete, update features.json for every feature ID listed in the sprint contract's features array:
passes: true if all checks for that feature passed, false otherwise.last_evaluated: current timestamp in ISO 8601 format.failure_reason: null if passing; otherwise a human-readable description of the first failure (e.g., "GET /users/1 returned 404, expected 200").failure_layer: null if passing; otherwise one of "api", "playwright", "design", "unit_test", "docker", "security".Do not remove existing fields from features.json. Merge the updates into the existing structure.
Only update evaluation state fields: passes, last_evaluated, failure_reason, and failure_layer. Preserve immutable feature identity/specification fields such as id, category, story, group, description, and steps.
Write the full evaluation report to specs/reviews/evaluator-report.md:
# Evaluator Report — Group {group}
Date: {ISO 8601 timestamp}
VERDICT: PASS | FAIL
## API Checks
- [PASS] POST /users → 201 ✓
- [FAIL] GET /users/1 → expected 200, got 404
- [PASS] DELETE /users/1 → 204 ✓
## Playwright Checks
- [PASS] Upload page renders ✓
- [FAIL] Submit button not clickable
- [PASS] Success message visible after form submit ✓
## Design Checks
- [PASS] Button uses primary color token ✓
- [SKIP] Design checks skipped (Lean mode)
## Architecture Checks
- [PASS] All expected files exist ✓
- [FAIL] Missing: src/repository/user-repository.ts
## Security Gate
- [FAIL] VULN-001 (high): SQL injection in src/api/users.ts:47
- block: 1, warn: 2, info: 0 → gate FAIL
## Features Updated
- F001: PASS
- F002: FAIL (api: GET /users/1 expected 200, got 404)
- F003: PASS
The overall VERDICT is PASS only if every check across all layers passes and the security gate passes (security-verdict.json#pass === true). A single FAIL in any layer — including an open BLOCK (critical/high) security finding — produces a FAIL verdict.
| Mode | Layer 1 (API) | Layer 2 (Playwright) | Layer 3 (Design) | Layer 4 (Security) |
|---|---|---|---|---|
| Full | Run | Run | Run | Run |
| Lean | Run | Run | Skip | Run |
Determine the current execution mode from project-manifest.json field execution.default_mode (full/lean), or the --mode override when invoked under /auto or /build. Default to Full if absent. Note: this is distinct from verification.mode (docker/local/stub), which controls how the app is reached — do not confuse the two.
getByRole, getByText, getByLabel). CSS selectors break with minor UI changes and are not permitted.failure_layer: "docker" and stop. Do not attempt workarounds or partial evaluations.The evaluation reference pack (read by the evaluator and design-critic agents) lives under .claude/skills/evaluate/references/:
| File | Contents |
|---|---|
references/contract-schema.json | Sprint contract JSON schema |
references/scoring-rubric.md | Design scoring rubric (4 criteria, weights, exemplars) |
references/scoring-examples.md | Calibration anchors (score 5, 7, 9) — read before scoring |
references/playwright-patterns.md | Selector patterns and assertion patterns for Layer 2 (canonical Playwright reference, shared with /test) |
references/verify-python.md | Deep Python verification rigor (pytest/mypy/ruff, traceback parsing, FastAPI/async) — load when the backend is Python |
references/verify-react.md | Deep React/TS verification rigor (build/tsc/vitest, browser/console/hydration signals) — load when the frontend is React/TS |
These rules are non-negotiable. Deviation invalidates the evaluation.
status: 200 and you get 201, that is a FAIL.specs/reviews/security-verdict.json#pass is false (any critical/high finding). A functional pass with an open BLOCK vulnerability is still a FAIL. The security-guidance plugin is advisory and does not satisfy this gate — the security-reviewer agent does.