spec-validate
// Validate that an approved spec is internally consistent and that current code/infra matches it (drift detection)
| Field | Value |
|---|---|
| name | spec-validate |
| description | Validate that an approved spec is internally consistent and that current code/infra matches it (drift detection) |
| context | fork |
| allowed-tools | Read(*) Glob(*) Grep(*) Bash(terraform plan:*, kubectl diff:*, promtool check:*, promtool query:*, git status:*, git log:*) |
Frontmatter notes:
- `context: fork`: the validator runs without prior conversation bias (clean evaluation).
- `allowed-tools`: read-only file access plus a narrow Bash allowlist for drift-detection commands across Terraform, Kubernetes, Prometheus, and Git. No Write/Edit: validators never modify state.
Two modes, which `--all` runs together:

```text
/spec-validate <feature-name>           # internal consistency
/spec-validate <feature-name> --drift   # drift detection
/spec-validate <feature-name> --all     # both
```
Prerequisites:
- `.claude/specs/<feature-name>/` exists
- spec-validator available
- for `--drift`: domain tooling installed (terraform, kubectl, promtool, etc.)

Internal consistency (default mode)

For each requirement (R1, R2, ...) in requirements.md, confirm there is:
- an element of design.md that addresses it
- a task in tasks.md that implements it

For each task in tasks.md, confirm it:
- references specific file paths or resources
- has acceptance criteria

Flag tasks that are vague ("set up the thing", "configure stuff") or too large ("implement entire module").

Cross-check the spec against `.claude/steering/*.md` (tech.md for tooling and provider versions, structure.md for naming and layout, product.md for product and compliance constraints).
Example output:

```text
Spec: payment-vpc-pci

Coverage:
  Requirements: 7 / 7 covered
  Design elements: 12 / 12 have tasks
  Orphan tasks: 0

Atomicity:
  ✓ All 8 tasks reference specific paths
  ✓ All 8 tasks have acceptance criteria

Steering compliance:
  ✓ tech.md: AWS provider ~> 5.0 matches
  ✓ structure.md: naming follows <env>-<region>-<resource>
  ⚠ product.md: PCI requirement requires KMS CMK — not in design.md

Result: 1 warning, 0 errors. Address PCI/KMS in design before proceeding.
```
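A minimal implementation of the consistency checks above, added here as an example and not the skill's own code. It assumes a file layout the page does not specify (`R<n>:` lines in requirements.md, `D<n>:` lines in design.md citing requirements in square brackets, `- [ ] T<n>:` lines in tasks.md citing design elements in square brackets, each followed by an indented `Acceptance:` line), and the sample spec it runs on is constructed so that one requirement lacks a design element, one task is vague, path-less and without acceptance criteria, and one task is an orphan:

```python
"""Internal-consistency check over a spec's three files (added example).

Assumed layout (not stated on the page): requirements.md lists "R<n>: ..." lines,
design.md lists "D<n>: ... [R1, R2]" lines citing the requirements they address,
tasks.md lists "- [ ] T<n>: ... [D1]" lines citing design elements, each followed
by an indented "Acceptance: ..." line.
"""
import re

REQ_HEAD = re.compile(r"^(?P<id>R\d+):\s*(?P<body>.*)$")
DESIGN_HEAD = re.compile(r"^(?P<id>D\d+):\s*(?P<body>.*)$")
TASK_HEAD = re.compile(r"^- \[[ xX]\] (?P<id>T\d+):\s*(?P<body>.*)$")
BRACKET_REFS = re.compile(r"\[([^\]]*)\]")
PATH = re.compile(r"\b(?:[\w.-]+/)+[\w.-]+\b")  # e.g. modules/vpc/sg.tf
# Wording the page calls vague or too large; extend per project.
VAGUE = re.compile(r"\b(set up the thing|configure stuff|implement entire)\b", re.I)

# Constructed sample spec (not from the page).
REQUIREMENTS_MD = """\
R1: Payment VPC accepts public ingress only on the load balancer
R2: No payment host exposes SSH
R3: Every resource carries an Owner tag
R4: Changes to the VPC are logged to CloudTrail
"""
DESIGN_MD = """\
D1: aws_security_group.allow_lb permits 443/tcp from 0.0.0.0/0 and nothing else [R1]
D2: No security group rule opens port 22 [R2]
D3: Provider default_tags sets Owner = payments-team [R3]
"""
TASKS_MD = """\
- [ ] T1: Create modules/vpc/sg.tf with the allow_lb ingress rule, port 443 only [D1]
  Acceptance: terraform plan shows exactly one ingress rule on allow_lb
- [ ] T2: Remove every from_port = 22 rule in modules/vpc/sg.tf [D2]
  Acceptance: grep -c 'from_port *= *22' modules/vpc/sg.tf prints 0
- [ ] T3: configure stuff [D3]
- [ ] T4: Set up the thing in modules/payment/iam.tf
  Acceptance: terraform validate passes
"""


def parse_items(text, head):
    """Map item id -> body text for every line matching `head`."""
    return {m["id"]: m["body"] for m in map(head.match, text.splitlines()) if m}


def parse_tasks(text):
    """Map task id -> {"body", "acceptance"}; acceptance comes from the indented sub-line."""
    tasks, cur = {}, None
    for line in text.splitlines():
        m = TASK_HEAD.match(line)
        if m:
            cur = m["id"]
            tasks[cur] = {"body": m["body"], "acceptance": None}
        elif cur and line.strip().lower().startswith("acceptance:"):
            tasks[cur]["acceptance"] = line.split(":", 1)[1].strip()
    return tasks


def refs(body):
    """IDs cited in square brackets: "[R1, R2]" -> {"R1", "R2"}."""
    return set(re.findall(r"\b[RD]\d+\b", " ".join(BRACKET_REFS.findall(body))))


def validate(requirements_md, design_md, tasks_md):
    reqs = parse_items(requirements_md, REQ_HEAD)
    design = parse_items(design_md, DESIGN_HEAD)
    tasks = parse_tasks(tasks_md)
    errors, warnings, covered, orphans = [], [], [], []

    tasks_for = {d: [t for t, v in tasks.items() if d in refs(v["body"])] for d in design}
    design_for = {r: [d for d, body in design.items() if r in refs(body)] for r in reqs}

    for r, ds in design_for.items():  # requirement -> design -> task chain
        if not ds:
            errors.append(f"{r}: no design element addresses it")
        elif not any(tasks_for[d] for d in ds):
            errors.append(f"{r}: addressed by {', '.join(ds)} but no task implements it")
        else:
            covered.append(r)
    for d, ts in tasks_for.items():
        if not ts:
            errors.append(f"{d}: no task implements it")
    for t, v in tasks.items():  # atomicity checks per task
        if not refs(v["body"]) & set(design):
            orphans.append(t)
            warnings.append(f"{t}: orphan task, references no design element")
        if not PATH.search(v["body"]):
            errors.append(f"{t}: names no specific path or resource")
        if not v["acceptance"]:
            errors.append(f"{t}: no acceptance criteria")
        if VAGUE.search(v["body"]):
            warnings.append(f"{t}: vague or oversized wording: {v['body']!r}")

    return {
        "requirements": (len(covered), len(reqs)),
        "design_elements": (sum(1 for ts in tasks_for.values() if ts), len(design)),
        "orphan_tasks": orphans,
        "errors": errors,
        "warnings": warnings,
    }


def render(result):
    """Plain-text summary in the same shape as the report above."""
    lines = [
        f"Requirements: {result['requirements'][0]} / {result['requirements'][1]} covered",
        f"Design elements: {result['design_elements'][0]} / {result['design_elements'][1]} have tasks",
        f"Orphan tasks: {len(result['orphan_tasks'])}",
    ]
    lines += [f"✗ {e}" for e in result["errors"]] + [f"⚠ {w}" for w in result["warnings"]]
    lines.append(f"Result: {len(result['warnings'])} warnings, {len(result['errors'])} errors")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(validate(REQUIREMENTS_MD, DESIGN_MD, TASKS_MD)))
```

The steering cross-check is deliberately left out: it depends on what each project's steering files assert, so it is better expressed as per-file rules (provider version constraint, naming regex, required design elements) than as generic parsing.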
Drift detection (`--drift`)

Parse tasks.md to extract the files and resources that should exist post-implementation, then compare against live state with the allowlisted commands.

Terraform:

```bash
terraform plan -refresh-only -no-color > /tmp/drift.txt
```

Parse the output. A refresh-only plan lists every object that changed outside Terraform since the last apply; each such entry is divergence from the last apply. Compare each one to design.md to decide whether the change was intentional but never specced, or unauthorized.

Kubernetes (`kubectl diff` is the allowlisted command; it compares the manifests with the live objects server-side and exits 1 when they differ, 0 when they match, and above 1 on error):

```bash
kubectl diff -f manifests/ > /tmp/k8s-drift.txt
echo "kubectl diff exit code: $?"
```

Observability (Prometheus):

```bash
promtool query instant http://prometheus:9090 '<sli-query-from-slo.md>'
```

Confirm the SLI is being measured as slo.md defines it, and that the alerting rules are loaded and evaluate as designed (`promtool check rules <rule-file>` validates the rule files themselves).
Example drift report:

```text
Drift detected:
- aws_security_group.allow_ssh: port 22 added (not in spec)
- aws_iam_role.payment: tag "Owner" missing
```

Suggested actions:
1. Update spec (legitimate change): edit design.md, re-approve, add the task to tasks.md
2. Revert state (unauthorized change): re-apply the spec to bring infrastructure back into compliance; the validator has no apply rights, so this is a separate step
3. Accept drift: append an exception to the spec with a rationale
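The Terraform half of the drift triage above, added as an example and not the skill's own code. It reads the JSON UI stream that `terraform plan -refresh-only -json` emits (one object per line; the `resource_drift` messages carry the drifted address and action but not the changed attributes, so attribute detail such as "port 22 added" still comes from the human-readable plan), maps each drifted address onto the three suggested actions, and emits `errors`/`warnings` counts in the shape a JSON CI gate can check. The plan stream, the address-to-design-element map and the exception entry are all constructed:

```python
"""Triage Terraform drift against the spec (added example, not the skill's code).

Input is the -json UI stream of `terraform plan -refresh-only -json`. Messages with
"type": "resource_drift" name the drifted resource and the action Terraform would
record (update, delete). Everything below the docstring that is data is constructed.
"""
import json

# Constructed sample stream; field set trimmed to what Terraform emits for these types.
PLAN_JSON = """\
{"@level":"info","@message":"Terraform 1.6.0","@module":"terraform.ui","type":"version","terraform":"1.6.0","ui":"1.2"}
{"@level":"info","@message":"aws_security_group.allow_ssh: Drift detected (update)","@module":"terraform.ui","type":"resource_drift","change":{"resource":{"addr":"aws_security_group.allow_ssh","module":"","resource":"aws_security_group.allow_ssh","implied_provider":"aws","resource_type":"aws_security_group","resource_name":"allow_ssh","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_iam_role.payment: Drift detected (update)","@module":"terraform.ui","type":"resource_drift","change":{"resource":{"addr":"aws_iam_role.payment","module":"","resource":"aws_iam_role.payment","implied_provider":"aws","resource_type":"aws_iam_role","resource_name":"payment","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_s3_bucket.audit: Drift detected (delete)","@module":"terraform.ui","type":"resource_drift","change":{"resource":{"addr":"aws_s3_bucket.audit","module":"","resource":"aws_s3_bucket.audit","implied_provider":"aws","resource_type":"aws_s3_bucket","resource_name":"audit","resource_key":null},"action":"delete"}}
{"@level":"info","@message":"Plan: 0 to add, 0 to change, 0 to destroy.","@module":"terraform.ui","type":"change_summary","changes":{"add":0,"change":0,"remove":0,"operation":"plan"}}
"""

# Constructed stand-in for what the validator extracts from design.md:
# resource address -> design element that specifies it.
SPECCED = {
    "aws_security_group.allow_lb": "D1",
    "aws_iam_role.payment": "D3",
}
# Constructed accepted-drift exceptions (action 3 above): address -> rationale.
EXCEPTIONS = {
    "aws_s3_bucket.audit": "bucket lifecycle is owned by the audit team",
}


def parse_drift(plan_json):
    """Return [(address, action), ...] for each resource_drift message in the stream."""
    drifted = []
    for line in plan_json.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if msg.get("type") == "resource_drift":
            change = msg["change"]
            drifted.append((change["resource"]["addr"], change["action"]))
    return drifted


def triage(plan_json, specced, exceptions):
    """Map each drifted address onto one of the three suggested actions.

    accept: an exception in the spec covers it.
    revert: the resource is specced and no exception exists, so live state is
            unauthorized (counted as an error).
    decide: the resource is not in design.md at all; the page leaves this to a human
            (update the spec if intentional, otherwise revert), so it is a warning.
    """
    findings = []
    for addr, action in parse_drift(plan_json):
        if addr in exceptions:
            verdict, note = "accept", exceptions[addr]
        elif addr in specced:
            verdict, note = "revert", f"specced by {specced[addr]}; re-apply to restore"
        else:
            verdict, note = "decide", "not in design.md: update spec if intentional, else revert"
        findings.append({"address": addr, "action": action, "verdict": verdict, "note": note})
    return {
        "errors": sum(f["verdict"] == "revert" for f in findings),
        "warnings": sum(f["verdict"] == "decide" for f in findings),
        "findings": findings,
    }


def report(plan_json, specced, exceptions):
    """JSON document with top-level errors/warnings counts for a CI gate."""
    return json.dumps(triage(plan_json, specced, exceptions), indent=2)


if __name__ == "__main__":
    print(report(PLAN_JSON, SPECCED, EXCEPTIONS))
```

A deleted specced resource is treated the same as an updated one here; a stricter policy would refuse to accept a `delete` action even with an exception on file, since the exception was written against a resource that still existed.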
`/spec-validate <feature-name> --all --format=json` returns machine-readable output with top-level `errors` and `warnings` counts, so it can be used as a CI gate. The command takes one feature name, so loop over the spec directories rather than passing them all at once:

```yaml
# .github/workflows/spec-check.yml
- name: Validate specs
  run: |
    set -euo pipefail
    for spec in .claude/specs/*/; do
      name=$(basename "$spec")
      claude /spec-validate "$name" --all --format=json | tee "report-$name.json"
      # jq -e exits 0 when the expression is true, i.e. when errors were found
      if jq -e '.errors > 0' "report-$name.json" > /dev/null; then
        echo "spec $name has errors"; exit 1
      fi
    done
```