km-spec-driven-development 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,1873 @@
1
+ # Spec Driven Development (SDD)
2
+ ### AI-Assisted Development Methodology
3
+
4
+ > Based on the [TLC Spec-Driven Development](https://agent-skills.techleads.club/skills/tlc-spec-driven/) model.
5
+ > Version: 1.0.0 | Date: 2026-06-25
6
+
7
+ ---
8
+
9
+ ## Table of Contents
10
+
11
+ 1. [Methodology Overview](#1-methodology-overview)
12
+ 2. [`.specs/` Folder Structure](#2-specs-folder-structure)
13
+ 3. [File Descriptions](#3-file-descriptions)
14
+ 4. [Adaptive Workflow](#4-adaptive-workflow)
15
+ 5. [AI Development Harness](#5-ai-development-harness)
16
+ 6. [Context Loading Strategy](#6-context-loading-strategy)
17
+ 7. [Agent Execution Protocol](#7-agent-execution-protocol)
18
+ 8. [Sub-Agent Rules](#8-sub-agent-rules)
19
+ 9. [Traceability Model](#9-traceability-model)
20
+ 10. [Templates](#10-templates)
21
+ 11. [New Project Process](#11-new-project-process)
22
+ 12. [Existing Project Process](#12-existing-project-process)
23
+ 13. [Validation Gates](#13-validation-gates)
24
+ 14. [Commit Conventions](#14-commit-conventions)
25
+ 15. [Security and Quality Rules](#15-security-and-quality-rules)
26
+ 16. [Practical Feature Example](#16-practical-feature-example)
27
+ 17. [Tool-Specific Guidance](#17-tool-specific-guidance)
28
+
29
+ ---
30
+
31
+ ## 1. Methodology Overview
32
+
33
+ ### What is SDD?
34
+
35
+ Spec Driven Development (SDD) is a methodology for AI-assisted software development that creates a structured, persistent, and tool-independent contract between the codebase and any AI agent operating on it.
36
+
37
+ The core problem SDD solves: **AI agents lose context between sessions, invent details, duplicate work, and make undocumented decisions that are invisible to the next agent or human reviewing the code.**
38
+
39
+ SDD solves this by establishing a single source of truth in `.specs/` — a living documentation layer that any agent can read to understand what was built, why, how it should behave, and what comes next.
40
+
41
+ ### Core Principles
42
+
43
+ 1. **Complexity determines ceremony.** A bug fix in one file does not need the same overhead as a new authentication module. The process scales proportionally.
44
+ 2. **Every agent starts cold.** Each session, each tool, each sub-agent must be able to orient itself from the spec files alone — without relying on chat history.
45
+ 3. **No fabrication.** An agent must never invent APIs, file paths, function signatures, or behaviors. It reads what exists before it writes what is new.
46
+ 4. **Traceability is not optional.** Every implemented line should trace back to a requirement. Every decision should trace to a document.
47
+ 5. **STATE.md is the memory.** It is updated at the end of every session or after any relevant change. It is always loaded first.
48
+ 6. **Validate before closing.** A task is not done until validation evidence exists.
49
+
50
+ ### The Pipeline
51
+
52
+ ```
53
+ SPECIFY → DESIGN → TASKS → EXECUTE → VALIDATE → RECORD STATE
54
+ ```
55
+
56
+ The required phases are **Specify** and **Execute**. Design, Tasks, and the depth of each phase scale with complexity. The Record State phase is always mandatory — it is the mechanism that prevents context loss.
57
+
58
+ ---
59
+
60
+ ## 2. `.specs/` Folder Structure
61
+
62
+ The default structure keeps a clear separation between project context and codebase context, while avoiding excessive mandatory documentation.
63
+
64
+ ```
65
+ .specs/
66
+ ├── project/
67
+ │ ├── PROJECT.md # Vision, goals, users, constraints
68
+ │ ├── ROADMAP.md # Milestones, feature priority, planning
69
+ │ └── STATE.md # Persistent memory across sessions
70
+
71
+ ├── codebase/
72
+ │ └── CONVENTIONS.md # Technical context, architecture, structure, testing, integrations, concerns, and AI rules
73
+
74
+ ├── features/
75
+ │ └── [feature-name]/
76
+ │ ├── spec.md # Requirements, scope, acceptance criteria
77
+ │ ├── context.md # Background, prior decisions, related code
78
+ │ ├── design.md # Optional technical design for medium/large/complex features
79
+ │ └── tasks.md # Atomic tasks with traceability
80
+
81
+ └── quick/
82
+ └── [quick-task-name]/
83
+ ├── TASK.md # What to do and acceptance criteria
84
+ └── SUMMARY.md # What was done, files changed, outcome
85
+ ```
86
+
87
+ ### Default vs Optional Codebase Documentation
88
+
89
+ By default, the codebase has only one required technical document:
90
+
91
+ ```
92
+ .specs/codebase/CONVENTIONS.md
93
+ ```
94
+
95
+ This file consolidates what would otherwise be split into separate files such as `STACK.md`, `ARCHITECTURE.md`, `STRUCTURE.md`, `TESTING.md`, `INTEGRATIONS.md`, and `CONCERNS.md`.
96
+
97
+ If one section becomes too large or complex, it may be extracted later into an optional dedicated file:
98
+
99
+ ```
100
+ .specs/codebase/ARCHITECTURE.md
101
+ .specs/codebase/TESTING.md
102
+ .specs/codebase/INTEGRATIONS.md
103
+ .specs/codebase/CONCERNS.md
104
+ ```
105
+
106
+ These files are optional expansions. They are not generated by default and should only be created when they reduce complexity instead of adding ceremony.
107
+
108
+ ---
109
+
110
+ ## 3. File Descriptions
111
+
112
+ ### 3.1 `project/PROJECT.md`
113
+
114
+ **Purpose:** The north star. Defines what the project is, who it is for, what success looks like, and what constraints must never be violated.
115
+
116
+ **Created:** At project initialization (greenfield) or at first SDD adoption (brownfield).
117
+
118
+ **Updated:** Only when the project's fundamental direction changes. Not for individual features.
119
+
120
+ **Contains:**
121
+ - Project name, one-sentence description
122
+ - Problem being solved
123
+ - Target users/stakeholders
124
+ - Success criteria and KPIs
125
+ - Non-negotiable constraints (performance, security, compliance)
126
+ - Out-of-scope items
127
+ - Key terminology/glossary
128
+
129
+ ---
130
+
131
+ ### 3.2 `project/ROADMAP.md`
132
+
133
+ **Purpose:** Priority-ordered list of capabilities, milestones, and features. Gives agents a sense of what is planned and in what order.
134
+
135
+ **Created:** During project initialization.
136
+
137
+ **Updated:** When features are added, completed, reprioritized, or cancelled. Reflects current reality, not aspirational planning.
138
+
139
+ **Contains:**
140
+ - Milestones with target dates
141
+ - Feature list per milestone (with status: planned / in-progress / done / cancelled)
142
+ - Rationale for priority ordering
143
+ - Dependencies between features
144
+
145
+ ---
146
+
147
+ ### 3.3 `project/STATE.md`
148
+
149
+ **Purpose:** Persistent project memory. Bridges sessions so that the next agent or human picking up the work has full situational awareness without reading git history or chat logs.
150
+
151
+ **Created:** After the first working session.
152
+
153
+ **Updated:** At the end of every session and after any significant decision, blocker, or architectural choice.
154
+
155
+ **Contains:**
156
+ - Last task executed (with ID)
157
+ - Current task in progress (with ID)
158
+ - Suggested next steps
159
+ - Decisions made (with DEC-XXX IDs)
160
+ - Open blockers
161
+ - Pending items
162
+ - Deferred ideas
163
+ - Project preferences and conventions discovered during work
164
+ - Lessons learned
165
+ - Session log (date, summary, what changed)
166
+
167
+ > **Rule:** An AI must never end a session without updating STATE.md.
168
+
169
+ ---
170
+
171
+ ### 3.4 `codebase/CONVENTIONS.md`
172
+
173
+ **Purpose:** The technical operating manual for the project. It is the single required codebase document and contains the information agents need to work safely without creating multiple mandatory technical files.
174
+
175
+ **Created:** At project setup or during brownfield mapping.
176
+
177
+ **Updated:** Whenever the stack, architecture, folder structure, testing strategy, integrations, risks, or coding conventions change.
178
+
179
+ **Contains:**
180
+
181
+ #### 1. Technical Context
182
+
183
+ - Runtime and language versions
184
+ - Core frameworks and libraries
185
+ - Package manager and lockfile policy
186
+ - Database and data stores
187
+ - Build tools, bundlers, transpilers
188
+ - Deployment platform and CI/CD tools
189
+
190
+ #### 2. Architecture
191
+
192
+ - High-level system design
193
+ - Module/layer breakdown
194
+ - Data flow narratives
195
+ - Key architectural decisions
196
+ - Scaling and deployment model
197
+ - Monorepo vs. multi-repo structure if applicable
198
+
199
+ #### 3. Project Structure
200
+
201
+ - Annotated directory tree
202
+ - Rules for where new files go
203
+ - Co-location rules for tests, components, modules, and assets
204
+ - Generated vs. handwritten file boundaries
205
+
206
+ #### 4. Coding Standards
207
+
208
+ - Naming conventions
209
+ - Import ordering
210
+ - Error handling patterns
211
+ - Logging standards
212
+ - Comment policy
213
+ - Branch naming and PR conventions
214
+ - Environment variable patterns
215
+ - Feature flag conventions
216
+
217
+ #### 5. Testing
218
+
219
+ - Test types used: unit, integration, e2e, contract
220
+ - Test file naming and organization
221
+ - Mocking rules
222
+ - Fixtures and factories
223
+ - Commands to run validation gates
224
+ - Coverage and CI expectations
225
+
226
+ #### 6. Integrations
227
+
228
+ - External APIs and services
229
+ - SDKs in use and their configuration
230
+ - Webhook endpoints and event contracts
231
+ - Rate limits and retry policies
232
+ - Credentials management pattern
233
+ - Integration-specific risks
234
+
235
+ #### 7. Concerns
236
+
237
+ - Technical debt
238
+ - Known performance bottlenecks
239
+ - Security concerns
240
+ - Deprecated patterns still in use
241
+ - Areas with insufficient test coverage
242
+ - Fragile modules or files agents should modify carefully
243
+
244
+ #### 8. AI Rules
245
+
246
+ - Do not invent files, APIs, functions, or behavior.
247
+ - Read existing code before modifying it.
248
+ - Follow existing project patterns.
249
+ - Do not refactor unrelated code.
250
+ - Keep changes small and reviewable.
251
+ - Validate before marking work as done.
252
+ - Update `.specs/project/STATE.md` at the end of the session.
253
+
254
+ > **Expansion rule:** If one section becomes too large, extract it into a dedicated optional file. For example, move the Architecture section to `.specs/codebase/ARCHITECTURE.md` only when that makes the project easier to understand.
255
+
256
+ ---
257
+
258
+ ### 3.5 `features/[name]/spec.md`
259
+
260
+ **Purpose:** Single source of truth for a feature's requirements, scope, and acceptance criteria. The primary document that drives all downstream work.
261
+
262
+ **Created:** When a feature is approved for development.
263
+
264
+ **Updated:** Only when requirements change (with change log).
265
+
266
+ **Contains:**
267
+ - Feature ID and title
268
+ - Linked requirements (REQ-XXX)
269
+ - User stories
270
+ - Acceptance criteria (testable, specific)
271
+ - Out-of-scope clarifications
272
+ - Open questions
273
+ - Change log
274
+
275
+ ---
276
+
277
+ ### 3.6 `features/[name]/context.md`
278
+
279
+ **Purpose:** Provides agents with the "why" and the surrounding codebase context so they can make good decisions without reading every file.
280
+
281
+ **Created:** When spec.md is created.
282
+
283
+ **Updated:** When context evolves during implementation.
284
+
285
+ **Contains:**
286
+ - Background and motivation
287
+ - Related existing features or modules
288
+ - Prior decisions that constrain this feature
289
+ - Files most likely to be impacted
290
+ - Patterns to follow (with code references)
291
+ - Anti-patterns to avoid
292
+
293
+ ---
294
+
295
+ ### 3.7 `features/[name]/design.md`
296
+
297
+ **Purpose:** Technical design for the feature. Translates requirements into an implementable structure.
298
+
299
+ **Created:** After spec.md, before tasks.md, for medium/large/complex features.
300
+
301
+ **Skipped for:** Quick tasks and simple features where the implementation path is obvious.
302
+
303
+ **Updated:** When design decisions change during implementation (with DEC-XXX entries).
304
+
305
+ **Contains:**
306
+ - Component and module breakdown
307
+ - Data models and schema changes
308
+ - API contracts (endpoints, request/response shapes)
309
+ - State management design
310
+ - Error states and edge case handling
311
+ - Performance considerations
312
+ - Security considerations
313
+ - Diagrams as needed
314
+
315
+ ---
316
+
317
+ ### 3.8 `features/[name]/tasks.md`
318
+
319
+ **Purpose:** The execution plan. Breaks design into atomic, verifiable, and potentially parallelizable tasks.
320
+
321
+ **Created:** After design.md, for medium/large/complex features.
322
+
323
+ **Skipped for:** Quick tasks. For medium features, tasks may be inlined in spec.md.
324
+
325
+ **Updated:** As tasks are completed (status updated), or when new tasks are discovered during execution.
326
+
327
+ **Contains:**
328
+ - Full task list with TASK-XXX IDs
329
+ - Dependencies between tasks
330
+ - Parallelization markers (`[P]`)
331
+ - Per-task: objective, files, steps, acceptance criteria, tests, validation gate, status
332
+
333
+ ---
334
+
335
+ ### 3.9 `quick/[name]/TASK.md`
336
+
337
+ **Purpose:** Scoped description of a small task — a bug fix, small adjustment, or refactor that doesn't justify a full feature spec.
338
+
339
+ **Created:** When a quick task is identified.
340
+
341
+ **Contains:**
342
+ - Task title and objective
343
+ - Files affected (max 3 for quick mode)
344
+ - Acceptance criteria
345
+ - Validation steps
346
+
347
+ ---
348
+
349
+ ### 3.10 `quick/[name]/SUMMARY.md`
350
+
351
+ **Purpose:** Post-execution record of what was done for the quick task.
352
+
353
+ **Created:** After the task is complete.
354
+
355
+ **Contains:**
356
+ - Files changed
357
+ - What was changed and why
358
+ - Tests run and result
359
+ - Deviations from the original task
360
+ - Any follow-up actions
361
+
362
+ ---
363
+
364
+ ## 4. Adaptive Workflow
365
+
366
+ ### The Six Phases
367
+
368
+ ```
369
+ 1. SPECIFY → Define scope, requirements, acceptance criteria
370
+ 2. DESIGN → Translate requirements into technical structure
371
+ 3. TASKS → Decompose into atomic, verifiable steps
372
+ 4. EXECUTE → Implement, following the harness protocol
373
+ 5. VALIDATE → Run all gates; verify acceptance criteria
374
+ 6. RECORD STATE → Update STATE.md with decisions, outcomes, next steps
375
+ ```
376
+
377
+ **Always required:** SPECIFY (even if minimal), EXECUTE, VALIDATE, RECORD STATE.
378
+ **Conditional:** DESIGN and TASKS scale with complexity.
379
+
380
+ ---
381
+
382
+ ### Complexity Tiers
383
+
384
+ #### Quick Task
385
+ **Profile:** Bug fix, copy change, config tweak. Affects ≤3 files. No ambiguity.
386
+
387
+ **Workflow:**
388
+ 1. Create `quick/[name]/TASK.md`
389
+ 2. Execute directly (no design doc needed)
390
+ 3. Run validation gates
391
+ 4. Create `quick/[name]/SUMMARY.md`
392
+ 5. Update `STATE.md`
393
+
394
+ **Ceremony level:** Minimal. Total overhead: ~5 minutes.
395
+
396
+ ---
397
+
398
+ #### Medium Feature
399
+ **Profile:** Clear functionality with defined inputs/outputs. Low ambiguity. Fewer than 3 existing dependencies impacted.
400
+
401
+ **Workflow:**
402
+ 1. Create `features/[name]/spec.md` with requirements and acceptance criteria
403
+ 2. Create `features/[name]/context.md` with relevant background
404
+ 3. Design inline inside spec.md or in brief `design.md` if needed
405
+ 4. Tasks inline in spec.md or a short `tasks.md`
406
+ 5. Execute with harness protocol
407
+ 6. Run all validation gates
408
+ 7. Update `STATE.md`
409
+
410
+ **Ceremony level:** Low-to-medium. Skip `design.md` if implementation path is clear.
411
+
412
+ ---
413
+
414
+ #### Large Feature
415
+ **Profile:** Multiple components. Touches existing architecture. Clear requirements but broad scope.
416
+
417
+ **Workflow:**
418
+ 1. Create `spec.md`, `context.md`
419
+ 2. Create `design.md` with full component breakdown, API contracts, data model
420
+ 3. Create `tasks.md` with TASK-XXX IDs, dependencies, parallelization markers
421
+ 4. Execute task by task, updating status in `tasks.md` as each completes
422
+ 5. Run validation gates per task and full suite at end
423
+ 6. Update `STATE.md`
424
+
425
+ **Ceremony level:** Full. Do not skip `design.md` or `tasks.md`.
426
+
427
+ ---
428
+
429
+ #### Complex Feature
430
+ **Profile:** New domain, high uncertainty, external integrations, technical risks, or research required.
431
+
432
+ **Workflow:**
433
+ 1. **Exploration phase:** Research before specifying. Use sub-agents for spikes.
434
+ 2. Create `spec.md` after exploration — not before
435
+ 3. Create `context.md` with extensive background and risk notes
436
+ 4. Create `design.md` with alternatives considered and DEC-XXX decisions recorded
437
+ 5. Create `tasks.md` with RISK-XXX markers on high-uncertainty tasks
438
+ 6. Review design before execution (checkpoint)
439
+ 7. Execute in phases — stop and respec if reality diverges significantly
440
+ 8. Run validation gates including security review
441
+ 9. UAT if applicable
442
+ 10. Update `STATE.md` with all decisions, learnings, and deferred items
443
+
444
+ **Ceremony level:** Maximum. Expect to iterate on `design.md` during implementation.
445
+
446
+ ---
447
+
448
+ ### Safety Valve Rule
449
+
450
+ > **Even when Tasks is skipped, Execute ALWAYS starts by listing atomic steps inline before writing any code. If listing reveals more than 5 steps or complex dependencies, STOP and create `tasks.md` first.**
451
+
452
+ ---
453
+
454
+ ## 5. AI Development Harness
455
+
456
+ The AI Development Harness is the operational contract between any AI agent and this repository. It defines exactly how an agent should orient, execute, validate, and hand off — regardless of which tool is being used.
457
+
458
+ The harness has five components:
459
+
460
+ 1. Context Loading Strategy (what to read and when)
461
+ 2. Knowledge Verification Chain (how to verify before writing)
462
+ 3. Execution Protocol (how to implement a task)
463
+ 4. Validation Protocol (what done actually means)
464
+ 5. Session Closure Protocol (how to leave the project in a clean state)
465
+
466
+ An agent that follows the harness never fabricates, never skips validation, and never leaves without updating STATE.md.
467
+
468
+ ---
469
+
470
+ ## 6. Context Loading Strategy
471
+
472
+ ### Always Load First (Base Context, ~15k tokens)
473
+
474
+ | File | Reason |
475
+ |------|--------|
476
+ | `.specs/project/STATE.md` | Situational awareness, last task, blockers |
477
+ | `.specs/project/PROJECT.md` | Goals, constraints, non-negotiables |
478
+ | `.specs/codebase/CONVENTIONS.md` | Rules that apply to every line of code |
479
+
480
+ Do not skip these. They are the minimum for any agent to operate safely.
481
+
482
+ ---
483
+
484
+ ### Load on Demand (Feature and Technical Context)
485
+
486
+ Load only when working on the relevant feature or area:
487
+
488
+ | File or Section | Load When |
489
+ |------|-----------|
490
+ | `features/[name]/spec.md` | Working on this feature |
491
+ | `features/[name]/context.md` | Need background on this feature |
492
+ | `features/[name]/design.md` | Need architecture decisions for this feature |
493
+ | `features/[name]/tasks.md` | Checking task status or picking next task |
494
+ | `codebase/CONVENTIONS.md` → Technical Context | Adding dependencies or checking compatibility |
495
+ | `codebase/CONVENTIONS.md` → Architecture | Making structural or cross-module changes |
496
+ | `codebase/CONVENTIONS.md` → Project Structure | Creating new files or directories |
497
+ | `codebase/CONVENTIONS.md` → Testing | Writing or updating tests |
498
+ | `codebase/CONVENTIONS.md` → Integrations | Working with external services |
499
+ | `codebase/CONVENTIONS.md` → Concerns | Touching known risk areas |
500
+
501
+ If an optional extracted file exists, such as `.specs/codebase/ARCHITECTURE.md`, load it only when the current task requires that specific context.
502
+
503
+ ---
504
+
505
+ ### Never Load Together
506
+
507
+ Avoid loading all feature specs simultaneously. Load only the feature being worked on. Do not load `ROADMAP.md` unless doing project planning — it adds tokens without aiding implementation.
508
+
509
+ ---
510
+
511
+ ### Context Budget Rules
512
+
513
+ | Budget | Action |
514
+ |--------|--------|
515
+ | Base load | ~15k tokens (always) |
516
+ | On-demand additions | Load only what the current task requires |
517
+ | Hard ceiling | Stay under 40k tokens for context |
518
+ | Reservation | Keep 160k+ tokens free for reasoning and output |
519
+
520
+ **Rule:** If context is approaching the ceiling, summarize completed work into STATE.md and start a fresh context window loading only base files plus the current task's files.
521
+
522
+ ---
523
+
524
+ ### Staleness Rule
525
+
526
+ Before using any cached information about a file, re-read the file. Never operate on a mental model of what a file contains — read it. If a file does not exist where expected, stop and investigate rather than proceeding with assumptions.
527
+
528
+ ---
529
+
530
+ ## 7. Agent Execution Protocol
531
+
532
+ ### Step 1: Orient
533
+
534
+ ```
535
+ 1. Read STATE.md → understand current project state
536
+ 2. Read PROJECT.md → recall constraints
537
+ 3. Read CONVENTIONS.md → recall code rules
538
+ 4. Read the task file (spec.md / TASK.md / tasks.md entry)
539
+ 5. Confirm: Does this task have all required information?
540
+ - If missing info → ask before proceeding
541
+ - If blocked by dependency → record in STATE.md and stop
542
+ ```
543
+
544
+ ---
545
+
546
+ ### Step 2: Verify Dependencies
547
+
548
+ ```
549
+ 1. Identify files this task will touch
550
+ 2. Read each file — do not assume content
551
+ 3. Verify that assumed APIs, functions, and types actually exist
552
+ 4. Check CONVENTIONS.md → Technical Context before using language, framework, library, or package-manager assumptions
553
+ 5. Check CONVENTIONS.md → Project Structure before creating or moving files
554
+ 6. Check CONVENTIONS.md → Testing before writing or changing tests
555
+ 7. Check CONVENTIONS.md → Integrations before touching external service calls
556
+ 8. Check CONVENTIONS.md → Concerns before modifying risky or fragile areas
557
+ ```
558
+
559
+ If optional extracted files exist, such as `.specs/codebase/TESTING.md` or `.specs/codebase/INTEGRATIONS.md`, read them only for tasks that require that specific context.
560
+
561
+ **Knowledge Verification Chain (strict order):**
562
+ 1. Read the actual source files in the codebase
563
+ 2. Read the project's spec docs
564
+ 3. Read the relevant sections of `CONVENTIONS.md`
565
+ 4. Read optional extracted codebase docs if they exist and are relevant
566
+ 5. Read library documentation if needed
567
+ 6. Search the web if necessary
568
+ 7. Flag as uncertain if still unresolved — never fabricate
569
+
570
+ ---
571
+
572
+ ### Step 3: Plan Inline
573
+
574
+ ```
575
+ Before writing code, list the atomic steps:
576
+ - Step 1: [file] [action]
577
+ - Step 2: [file] [action]
578
+ ...
579
+
580
+ If > 5 steps or complex dependencies → create tasks.md and stop for review.
581
+ If ≤ 5 steps → proceed.
582
+ ```
583
+
584
+ ---
585
+
586
+ ### Step 4: Implement
587
+
588
+ ```
589
+ 1. Implement only the scope of the current task — nothing more
590
+ 2. Follow CONVENTIONS.md for naming, structure, architecture, testing, integrations, and known concerns
591
+ 3. Use the Project Structure section in CONVENTIONS.md for file placement
592
+ 4. Use existing patterns — confirm them by reading code, not assuming
593
+ 5. Do not refactor unrelated code
594
+ 6. Do not introduce abstractions not required by this task
595
+ 7. Keep changes small and reviewable
596
+ ```
597
+
598
+ ---
599
+
600
+ ### Step 5: Validate
601
+
602
+ ```
603
+ 1. Run: build
604
+ 2. Run: lint
605
+ 3. Run: typecheck
606
+ 4. Run: tests (unit + integration relevant to changed code)
607
+ 5. Check: Do the changes satisfy the acceptance criteria in spec.md?
608
+ 6. Check: Are there regressions in adjacent features?
609
+ 7. If any gate fails → fix before marking task complete
610
+ ```
611
+
612
+ **Rule:** An agent must never mark a task as complete without recorded validation evidence.
613
+
614
+ ---
615
+
616
+ ### Step 6: Record
617
+
618
+ ```
619
+ 1. Update tasks.md:
620
+ - Set task status to DONE
621
+ - Record files changed
622
+ - Record test results
623
+
624
+ 2. Update STATE.md:
625
+ - Log the session (date, task completed, outcome)
626
+ - Record any decisions made (with DEC-XXX IDs)
627
+ - Record any deviations from the spec
628
+ - Record blockers encountered
629
+ - Set suggested next steps
630
+
631
+ 3. Commit with atomic message following commit conventions
632
+ ```
633
+
634
+ ---
635
+
636
+ ### Deviation Protocol
637
+
638
+ If implementation reveals that the spec is wrong, incomplete, or contradicts an existing constraint:
639
+
640
+ 1. **Stop.** Do not implement a workaround silently.
641
+ 2. Record the deviation in `STATE.md` under "Deviations".
642
+ 3. If the deviation is minor and resolution is obvious → resolve and document.
643
+ 4. If the deviation requires a decision → document the options and ask.
644
+ 5. Update `spec.md` or `design.md` to reflect any approved changes before continuing.
645
+
646
+ ---
647
+
648
+ ## 8. Sub-Agent Rules
649
+
650
+ ### When to Delegate to a Sub-Agent
651
+
652
+ | Scenario | Use Sub-Agent |
653
+ |----------|---------------|
654
+ | Technical research or library evaluation | Yes |
655
+ | Codebase mapping of an unfamiliar area | Yes |
656
+ | Independent task execution (parallelizable) | Yes |
657
+ | Security review | Yes |
658
+ | Test suite creation for a module | Yes |
659
+ | Architecture validation | Yes |
660
+ | Drafting a feature spec | Optional |
661
+ | Implementing the current focused task | No — keep in main agent |
662
+
663
+ ---
664
+
665
+ ### What to Pass to a Sub-Agent
666
+
667
+ A sub-agent receives a self-contained briefing. It must never rely on chat history or accumulated conversation context.
668
+
669
+ **Required input:**
670
+ ```
671
+ 1. Task description (exact scope, no ambiguity)
672
+ 2. Relevant spec files (spec.md, context.md, or design.md for the area)
673
+ 3. Relevant codebase docs (CONVENTIONS.md always; others on demand)
674
+ 4. Specific files to read or modify
675
+ 5. Acceptance criteria
676
+ 6. Test requirements
677
+ 7. What to return (see output format below)
678
+ ```
679
+
680
+ **Never pass:**
681
+ - Chat history
682
+ - Full project context when only feature context is needed
683
+ - Multiple unrelated tasks in one briefing
684
+
685
+ ---
686
+
687
+ ### Sub-Agent Output Format
688
+
689
+ Every sub-agent response must be structured as follows:
690
+
691
+ ```markdown
692
+ ## Sub-Agent Report
693
+
694
+ **Task ID:** TASK-XXX
695
+ **Agent Role:** [Research | Implementation | Security | Testing | Mapping]
696
+ **Status:** Complete | Partial | Blocked
697
+
698
+ ### Changed Files
699
+ - `path/to/file.ts` — [description of change]
700
+ - `path/to/test.spec.ts` — [description of change]
701
+
702
+ ### Tests Executed
703
+ - TEST-001: [test name] → PASSED | FAILED
704
+ - TEST-002: [test name] → PASSED | FAILED
705
+
706
+ ### Validation Result
707
+ - Build: PASS | FAIL
708
+ - Lint: PASS | FAIL
709
+ - Typecheck: PASS | FAIL
710
+ - Acceptance Criteria [REQ-XXX]: MET | NOT MET
711
+
712
+ ### Risks Found
713
+ - RISK-XXX: [description of risk]
714
+
715
+ ### Deviations from Specification
716
+ - [Description of deviation, if any]
717
+
718
+ ### Recommended Next Steps
719
+ 1. [Next action]
720
+ 2. [Next action]
721
+ ```
722
+
723
+ The orchestrating agent reads this report and decides whether to proceed, escalate, or re-task.
724
+
725
+ ---
726
+
727
+ ### Sub-Agent Isolation Rule
728
+
729
+ Sub-agents work on isolated scopes. Two sub-agents must never write to the same file simultaneously. The orchestrating agent is responsible for sequencing or merging conflicting changes.
730
+
731
+ For parallelizable tasks (marked `[P]` in `tasks.md`), confirm they touch disjoint files before running in parallel.
732
+
733
+ ---
734
+
735
+ ## 9. Traceability Model
736
+
737
+ ### ID Scheme
738
+
739
+ | ID Prefix | Entity | Example |
740
+ |-----------|--------|---------|
741
+ | `REQ-XXX` | Requirement | REQ-001 |
742
+ | `DEC-XXX` | Decision | DEC-001 |
743
+ | `TASK-XXX` | Task | TASK-001 |
744
+ | `TEST-XXX` | Test | TEST-001 |
745
+ | `RISK-XXX` | Risk | RISK-001 |
746
+
747
+ IDs are sequential and unique per project. Never reuse an ID, even after deletion.
748
+
749
+ ---
750
+
751
+ ### Traceability Chain
752
+
753
+ ```
754
+ Project Goal
755
+ └── REQ-XXX (requirement in spec.md)
756
+ └── TASK-XXX (task in tasks.md)
757
+ ├── TEST-XXX (test file or validation evidence)
758
+ ├── DEC-XXX (decision in design.md or STATE.md)
759
+ └── Commit (references TASK-XXX in message)
760
+ ```
761
+
762
+ Every task must reference the requirements it satisfies. Every test must reference the requirement or acceptance criterion it validates. Every decision must reference the context that prompted it.
763
+
764
+ ---
765
+
766
+ ### Traceability Rules
767
+
768
+ 1. No task is created without a parent requirement.
769
+ 2. No test is created without a parent task or requirement.
770
+ 3. No significant decision is made without a DEC-XXX entry.
771
+ 4. Commits reference TASK-XXX in the commit message.
772
+ 5. If a requirement changes, all dependent tasks, tests, and design notes must be reviewed and updated.
773
+
774
+ ---
775
+
776
+ ## 10. Templates
777
+
778
+ ### 10.1 `spec.md` Template
779
+
780
+ ```markdown
781
+ # [Feature Name] — Specification
782
+
783
+ **Feature ID:** FEAT-XXX
784
+ **Created:** YYYY-MM-DD
785
+ **Status:** Draft | Approved | In Progress | Complete
786
+ **Owner:** [team or person]
787
+
788
+ ## Overview
789
+
790
+ [1–3 sentence description of what this feature does and why it exists.]
791
+
792
+ ## Requirements
793
+
794
+ | ID | Description | Priority |
795
+ |----|-------------|----------|
796
+ | REQ-001 | [Requirement statement] | Must Have |
797
+ | REQ-002 | [Requirement statement] | Should Have |
798
+ | REQ-003 | [Requirement statement] | Nice to Have |
799
+
800
+ ## User Stories
801
+
802
+ - As a [user type], I want to [action] so that [benefit].
803
+ - As a [user type], I want to [action] so that [benefit].
804
+
805
+ ## Acceptance Criteria
806
+
807
+ - [ ] REQ-001: [Specific, testable criterion]
808
+ - [ ] REQ-002: [Specific, testable criterion]
809
+ - [ ] REQ-003: [Specific, testable criterion]
810
+
811
+ ## Out of Scope
812
+
813
+ - [Explicit exclusion]
814
+ - [Explicit exclusion]
815
+
816
+ ## Open Questions
817
+
818
+ - [ ] [Question] — Owner: [name] — Due: [date]
819
+
820
+ ## Change Log
821
+
822
+ | Date | Change | Author |
823
+ |------|--------|--------|
824
+ | YYYY-MM-DD | Initial draft | [name] |
825
+ ```
826
+
827
+ ---
828
+
829
+ ### 10.2 `design.md` Template
830
+
831
+ ```markdown
832
+ # [Feature Name] — Technical Design
833
+
834
+ **Feature ID:** FEAT-XXX
835
+ **Linked Spec:** spec.md
836
+ **Created:** YYYY-MM-DD
837
+ **Status:** Draft | Approved | Superseded
838
+
839
+ ## Overview
840
+
841
+ [Brief description of the technical approach.]
842
+
843
+ ## Components
844
+
845
+ ### [Component Name]
846
+
847
+ **Responsibility:** [What this component does]
848
+ **Location:** `src/path/to/component`
849
+ **Interface:**
850
+ ```typescript
851
+ // Describe the public interface
852
+ ```
853
+
854
+ ## Data Model
855
+
856
+ ### [Entity Name]
857
+
858
+ ```
859
+ Field | Type | Constraints | Notes
860
+ -------------|---------|-------------|------
861
+ id | uuid | PK, required |
862
+ name | string | max 255 |
863
+ created_at | datetime| required |
864
+ ```
865
+
866
+ ## API Contracts
867
+
868
+ ### `POST /api/[resource]`
869
+
870
+ **Request:**
871
+ ```json
872
+ {
873
+ "field": "type"
874
+ }
875
+ ```
876
+
877
+ **Response (200):**
878
+ ```json
879
+ {
880
+ "id": "uuid",
881
+ "field": "type"
882
+ }
883
+ ```
884
+
885
+ **Error states:**
886
+ - 400: [condition]
887
+ - 401: [condition]
888
+ - 409: [condition]
889
+
890
+ ## State Management
891
+
892
+ [Describe how state flows through the feature if applicable.]
893
+
894
+ ## Error Handling
895
+
896
+ | Error Condition | Behavior | User Feedback |
897
+ |----------------|----------|---------------|
898
+ | [condition] | [action] | [message] |
899
+
900
+ ## Performance Considerations
901
+
902
+ - [Note any N+1 risks, large queries, or caching needs]
903
+
904
+ ## Security Considerations
905
+
906
+ - [Note authentication, authorization, input validation concerns]
907
+
908
+ ## Decisions
909
+
910
+ | ID | Decision | Alternatives Considered | Rationale |
911
+ |----|----------|------------------------|-----------|
912
+ | DEC-001 | [Decision made] | [Alt A, Alt B] | [Why this choice] |
913
+
914
+ ## Change Log
915
+
916
+ | Date | Change | Author |
917
+ |------|--------|--------|
918
+ | YYYY-MM-DD | Initial draft | [name] |
919
+ ```
920
+
921
+ ---
922
+
923
+ ### 10.3 `tasks.md` Template
924
+
925
+ ```markdown
926
+ # [Feature Name] — Tasks
927
+
928
+ **Feature ID:** FEAT-XXX
929
+ **Linked Spec:** spec.md
930
+ **Linked Design:** design.md
931
+ **Created:** YYYY-MM-DD
932
+
933
+ ## Status Summary
934
+
935
+ | Status | Count |
936
+ |--------|-------|
937
+ | TODO | X |
938
+ | IN PROGRESS | X |
939
+ | DONE | X |
940
+ | BLOCKED | X |
941
+
942
+ ---
943
+
944
+ ## TASK-001 — [Task Title] [P]
945
+
946
+ > `[P]` marks a parallelizable task. Only valid when this task's files are disjoint from all currently running parallel tasks.
947
+
948
+ **Objective:** [One sentence description of what this task achieves]
949
+
950
+ **Satisfies:** REQ-001, REQ-002
951
+
952
+ **Likely Files:**
953
+ - `src/path/to/file.ts` — [reason]
954
+ - `src/path/to/test.spec.ts` — [reason]
955
+
956
+ **Dependencies:** None | TASK-XXX must complete first
957
+
958
+ **Implementation Steps:**
959
+ 1. [Specific action]
960
+ 2. [Specific action]
961
+ 3. [Specific action]
962
+
963
+ **Acceptance Criteria:**
964
+ - [ ] [Testable criterion linked to spec]
965
+ - [ ] [Testable criterion linked to spec]
966
+
967
+ **Required Tests:**
968
+ - TEST-001: [Test description] — unit | integration | e2e
969
+
970
+ **Validation Gate:**
971
+ - [ ] Build passes
972
+ - [ ] Lint passes
973
+ - [ ] Typecheck passes
974
+ - [ ] TEST-001 passes
975
+ - [ ] Acceptance criteria verified manually
976
+
977
+ **Status:** TODO | IN PROGRESS | DONE | BLOCKED
978
+
979
+ **Notes:** [Deviations, blockers, discoveries during implementation]
980
+
981
+ ---
982
+
983
+ ## TASK-002 — [Task Title]
984
+
985
+ [Repeat structure above]
986
+ ```
987
+
988
+ ---
989
+
990
+ ### 10.4 `STATE.md` Template
991
+
992
+ ```markdown
993
+ # Project State
994
+
995
+ **Last Updated:** YYYY-MM-DD HH:MM
996
+ **Last Task Completed:** TASK-XXX — [brief description]
997
+ **Current Task:** TASK-XXX — [brief description]
998
+ **Project Phase:** [Setup | Active Development | Stabilization | Maintenance]
999
+
1000
+ ## Suggested Next Steps
1001
+
1002
+ 1. [TASK-XXX] [brief description]
1003
+ 2. [TASK-XXX] [brief description]
1004
+ 3. [Open question or decision needed]
1005
+
1006
+ ## Open Blockers
1007
+
1008
+ | ID | Description | Owner | Since |
1009
+ |----|-------------|-------|-------|
1010
+ | BLK-001 | [Description] | [owner] | YYYY-MM-DD |
1011
+
1012
+ ## Decisions Log
1013
+
1014
+ | ID | Date | Decision | Rationale | Impact |
1015
+ |----|------|----------|-----------|--------|
1016
+ | DEC-001 | YYYY-MM-DD | [Decision] | [Why] | [What it affects] |
1017
+
1018
+ ## Deviations from Specification
1019
+
1020
+ | Date | Task | Deviation | Resolution |
1021
+ |------|------|-----------|------------|
1022
+ | YYYY-MM-DD | TASK-XXX | [What changed] | [How resolved or deferred] |
1023
+
1024
+ ## Pending Items
1025
+
1026
+ - [ ] [Item] — [owner or context]
1027
+ - [ ] [Item] — [owner or context]
1028
+
1029
+ ## Deferred Ideas
1030
+
1031
+ - [Idea] — [deferred reason] — [potential future ticket]
1032
+
1033
+ ## Project Preferences Discovered
1034
+
1035
+ - [Convention or preference discovered during implementation]
1036
+ - [Tooling quirk or project-specific rule not in CONVENTIONS.md]
1037
+
1038
+ ## Lessons Learned
1039
+
1040
+ - [Lesson] — discovered during [TASK-XXX or context]
1041
+
1042
+ ## Session Log
1043
+
1044
+ | Date | Summary | Tasks Completed | Key Decisions |
1045
+ |------|---------|----------------|---------------|
1046
+ | YYYY-MM-DD | [What happened this session] | TASK-001, TASK-002 | DEC-001 |
1047
+ ```
1048
+
1049
+ ---
1050
+
1051
+ ### 10.5 `CONVENTIONS.md` Template
1052
+
1053
+ ````markdown
1054
+ # Codebase Conventions
1055
+
1056
+ ## 1. Technical Context
1057
+
1058
+ Describe the core technical context of the project.
1059
+
1060
+ - Language:
1061
+ - Runtime:
1062
+ - Framework:
1063
+ - Package manager:
1064
+ - Database:
1065
+ - Main libraries:
1066
+ - Build tools:
1067
+ - Deployment:
1068
+ - CI/CD:
1069
+
1070
+ ## 2. Architecture
1071
+
1072
+ Describe the general architecture, layers, modules, data flow, and important technical decisions.
1073
+
1074
+ ### Layers / Modules
1075
+
1076
+ -
1077
+
1078
+ ### Data Flow
1079
+
1080
+ -
1081
+
1082
+ ### Decisions
1083
+
1084
+ | ID | Decision | Rationale | Impact |
1085
+ |----|----------|-----------|--------|
1086
+ | DEC-001 | | | |
1087
+
1088
+ ## 3. Project Structure
1089
+
1090
+ Explain the project folder structure and where new files should be created.
1091
+
1092
+ ```txt
1093
+ src/
1094
+ ├── ...
1095
+ ```
1096
+
1097
+ ### File Placement Rules
1098
+
1099
+ - New API routes:
1100
+ - New components:
1101
+ - New services:
1102
+ - New tests:
1103
+ - New assets:
1104
+
1105
+ ## 4. Coding Standards
1106
+
1107
+ Define naming conventions, import organization, error handling, logging, environment variables, and coding style.
1108
+
1109
+ ### Naming
1110
+
1111
+ -
1112
+
1113
+ ### Imports
1114
+
1115
+ -
1116
+
1117
+ ### Error Handling
1118
+
1119
+ -
1120
+
1121
+ ### Logging
1122
+
1123
+ -
1124
+
1125
+ ### Environment Variables
1126
+
1127
+ -
1128
+
1129
+ ## 5. Testing
1130
+
1131
+ Describe how tests should be written, where they should live, which commands should be run, and which validation gates are required.
1132
+
1133
+ ### Test Types
1134
+
1135
+ - Unit:
1136
+ - Integration:
1137
+ - E2E:
1138
+
1139
+ ### Commands
1140
+
1141
+ ```bash
1142
+ # build
1143
+
1144
+ # lint
1145
+
1146
+ # typecheck
1147
+
1148
+ # test
1149
+ ```
1150
+
1151
+ ### Required Gates
1152
+
1153
+ - [ ] Build passes
1154
+ - [ ] Lint passes, if available
1155
+ - [ ] Typecheck passes, if available
1156
+ - [ ] Tests pass, if available
1157
+ - [ ] Acceptance criteria verified
1158
+
1159
+ ## 6. Integrations
1160
+
1161
+ List external services, APIs, SDKs, webhooks, authentication methods, and integration concerns.
1162
+
1163
+ | Service | Purpose | Auth | Notes |
1164
+ |---------|---------|------|-------|
1165
+ | | | | |
1166
+
1167
+ ## 7. Concerns
1168
+
1169
+ List technical risks, tech debt, fragile areas, limitations, and parts of the codebase that agents should modify carefully.
1170
+
1171
+ | ID | Area | Concern | Severity | Notes |
1172
+ |----|------|---------|----------|-------|
1173
+ | RISK-001 | | | | |
1174
+
1175
+ ## 8. AI Rules
1176
+
1177
+ - Do not invent files, APIs, functions, or behavior.
1178
+ - Read existing code before modifying it.
1179
+ - Follow existing project patterns.
1180
+ - Do not refactor unrelated code.
1181
+ - Keep changes small and reviewable.
1182
+ - Validate before marking work as done.
1183
+ - Update `.specs/project/STATE.md` at the end of the session.
1184
+
1185
+ ## Optional Expansion
1186
+
1187
+ If one section becomes too large, it may be extracted into a dedicated optional file, such as:
1188
+
1189
+ - `.specs/codebase/ARCHITECTURE.md`
1190
+ - `.specs/codebase/TESTING.md`
1191
+ - `.specs/codebase/INTEGRATIONS.md`
1192
+ - `.specs/codebase/CONCERNS.md`
1193
+
1194
+ These files are optional and should not be generated by default.
1195
+ ````
1196
+
1197
+ ---
1198
+
1199
+ ## 11. New Project Process
1200
+
1201
+ ### Step 1: Initialize Project Spec
1202
+
1203
+ Create the following files before writing any code:
1204
+
1205
+ ```
1206
+ .specs/project/PROJECT.md → Fill in vision, goals, users, constraints
1207
+ .specs/project/ROADMAP.md → List initial milestones and features
1208
+ .specs/project/STATE.md → Initialize with project phase and first tasks
1209
+ .specs/codebase/CONVENTIONS.md → Fill in technical context and development rules
1210
+ ```
1211
+
1212
+ Key questions to answer in `PROJECT.md`:
1213
+ - What problem does this project solve?
1214
+ - Who are the users?
1215
+ - What are the non-negotiable constraints?
1216
+ - What is explicitly out of scope?
1217
+ - What does success look like in 3 months? 12 months?
1218
+
1219
+ ---
1220
+
1221
+ ### Step 2: Define Codebase Conventions
1222
+
1223
+ Create `.specs/codebase/CONVENTIONS.md` before writing production code.
1224
+
1225
+ Fill in these sections:
1226
+
1227
+ 1. **Technical Context** — language, framework, runtime, package manager, database, infrastructure, and main tools.
1228
+ 2. **Architecture** — modules, layers, data flow, boundaries, and important technical decisions.
1229
+ 3. **Project Structure** — folder layout and rules for where new files should go.
1230
+ 4. **Coding Standards** — naming, imports, errors, logs, env vars, comments, and style.
1231
+ 5. **Testing** — test strategy, file placement, commands, gates, mocks, and coverage expectations.
1232
+ 6. **Integrations** — external services, APIs, SDKs, webhooks, auth, rate limits, and secrets pattern.
1233
+ 7. **Concerns** — risks, fragile areas, technical debt, limitations, and known gaps.
1234
+ 8. **AI Rules** — how agents must read, modify, validate, and record work.
1235
+
1236
+ ---
1237
+
1238
+ ### Step 3: Specify First Feature
1239
+
1240
+ Create `features/[first-feature]/spec.md` with requirements, user stories, and acceptance criteria.
1241
+
1242
+ Then follow the adaptive workflow based on the feature's complexity tier.
1243
+
1244
+ ---
1245
+
1246
+ ### Optional Expansion
1247
+
1248
+ Do not create separate codebase files by default. If one section of `CONVENTIONS.md` becomes too large, extract it into an optional dedicated file:
1249
+
1250
+ ```
1251
+ .specs/codebase/ARCHITECTURE.md
1252
+ .specs/codebase/TESTING.md
1253
+ .specs/codebase/INTEGRATIONS.md
1254
+ .specs/codebase/CONCERNS.md
1255
+ ```
1256
+
1257
+ Create these only when they reduce complexity.
1258
+
1259
+ ---
1260
+
1261
+ ### Greenfield Checklist
1262
+
1263
+ ```
1264
+ [ ] .specs/project/PROJECT.md created
1265
+ [ ] .specs/project/ROADMAP.md created
1266
+ [ ] .specs/project/STATE.md initialized
1267
+ [ ] .specs/codebase/CONVENTIONS.md created
1268
+ [ ] CONVENTIONS.md → Technical Context filled
1269
+ [ ] CONVENTIONS.md → Architecture filled
1270
+ [ ] CONVENTIONS.md → Project Structure filled
1271
+ [ ] CONVENTIONS.md → Testing filled
1272
+ [ ] CONVENTIONS.md → Integrations filled, if applicable
1273
+ [ ] CONVENTIONS.md → Concerns filled, if applicable
1274
+ [ ] First feature spec created
1275
+ [ ] Initial commit includes .specs/ folder
1276
+ ```
1277
+
1278
+ ---
1279
+
1280
+ ## 12. Existing Project Process
1281
+
1282
+ ### Step 1: Codebase Mapping
1283
+
1284
+ Before modifying anything in a brownfield project, an agent must map what exists. This is a read-only discovery phase.
1285
+
1286
+ The mapping should populate `.specs/codebase/CONVENTIONS.md` instead of creating several mandatory technical files.
1287
+
1288
+ **Mapping deliverables inside `CONVENTIONS.md`:**
1289
+
1290
+ | Section | Source of Truth |
1291
+ |------|----------------|
1292
+ | Technical Context | `package.json`, lockfiles, config files, runtime files |
1293
+ | Project Structure | Directory tree + file organization patterns |
1294
+ | Architecture | Entry points, routers, modules, services, data flow |
1295
+ | Coding Standards | Patterns found in existing code |
1296
+ | Testing | Test files, coverage config, CI config |
1297
+ | Integrations | External service calls, env vars, SDK usage |
1298
+ | Concerns | TODO comments, deprecated patterns, coverage gaps, fragile areas |
1299
+
1300
+ **Mapping process:**
1301
+ 1. Read package/config/lock files → populate Technical Context
1302
+ 2. Run directory tree scan → populate Project Structure
1303
+ 3. Read entry points, routers, main modules → populate Architecture
1304
+ 4. Read 10–15 representative source files → extract Coding Standards
1305
+ 5. Read test files and CI config → populate Testing
1306
+ 6. Grep for external service calls and env var usage → populate Integrations
1307
+ 7. Grep for TODO, FIXME, HACK, deprecated patterns, and dead code → populate Concerns
1308
+
1309
+ Do not start writing features until the relevant sections of `CONVENTIONS.md` are mapped.
1310
+
1311
+ ---
1312
+
1313
+ ### Step 2: Validate Mapping
1314
+
1315
+ After mapping, review `CONVENTIONS.md` for:
1316
+ - Contradictions: pattern A in one module, pattern B in another. Document both.
1317
+ - Gaps: areas with no clear convention. Add them to Concerns or Open Questions.
1318
+ - Risks: create RISK-XXX entries for anything that needs attention before new work.
1319
+
1320
+ If one mapped section becomes too large, extract it into an optional dedicated file and link it from `CONVENTIONS.md`.
1321
+
1322
+ ---
1323
+
1324
+ ### Step 3: Align on State
1325
+
1326
+ Create `.specs/project/STATE.md` with:
1327
+ - Current state of the project: what is working, what is broken
1328
+ - Known blockers
1329
+ - What the first feature/fix should be
1330
+ - Technical debt and risks summarized from `CONVENTIONS.md` → Concerns
1331
+
1332
+ ---
1333
+
1334
+ ### Step 4: Proceed with Feature Workflow
1335
+
1336
+ With mapping complete, treat subsequent work the same as greenfield — follow the adaptive workflow for each feature.
1337
+
1338
+ ---
1339
+
1340
+ ### Brownfield Checklist
1341
+
1342
+ ```
1343
+ [ ] CONVENTIONS.md → Technical Context mapped from existing code
1344
+ [ ] CONVENTIONS.md → Project Structure mapped from directory tree
1345
+ [ ] CONVENTIONS.md → Architecture mapped from module analysis
1346
+ [ ] CONVENTIONS.md → Coding Standards extracted from existing code patterns
1347
+ [ ] CONVENTIONS.md → Testing mapped from test files and CI config
1348
+ [ ] CONVENTIONS.md → Integrations mapped from external service usage, if applicable
1349
+ [ ] CONVENTIONS.md → Concerns populated with debt, risks, and gaps
1350
+ [ ] STATE.md initialized with project current state
1351
+ [ ] First task identified and scoped
1352
+ ```
1353
+
1354
+ ---
1355
+
1356
+ ## 13. Validation Gates
1357
+
1358
+ ### Gate Definitions
1359
+
1360
+ Every task must pass all applicable gates before being marked DONE.
1361
+
1362
+ | Gate | Description | Required |
1363
+ |------|-------------|----------|
1364
+ | **BUILD** | Project compiles without errors | Always |
1365
+ | **LINT** | Code passes all lint rules | Always |
1366
+ | **TYPECHECK** | Type errors: zero | Always (typed languages) |
1367
+ | **UNIT** | Unit tests for changed logic pass | Always |
1368
+ | **INTEGRATION** | Integration tests for affected paths pass | When paths are affected |
1369
+ | **E2E** | End-to-end scenarios pass | For user-facing features |
1370
+ | **ACCEPTANCE** | Acceptance criteria from spec.md verified | Always |
1371
+ | **MANUAL** | Manual test of the feature | For UI changes |
1372
+ | **SECURITY** | Security review passed | For auth, data, or external integration changes |
1373
+ | **REGRESSION** | Adjacent features unbroken | Always |
1374
+ | **COVERAGE** | Coverage thresholds maintained | Per `CONVENTIONS.md` → Testing rules |
1375
+
1376
+ ---
1377
+
1378
+ ### Gate Evidence Format
1379
+
1380
+ When recording validation in `tasks.md` or `STATE.md`:
1381
+
1382
+ ```
1383
+ Validation Evidence — TASK-XXX
1384
+ - Build: PASS (npm run build — 0 errors)
1385
+ - Lint: PASS (eslint — 0 warnings, 0 errors)
1386
+ - Typecheck: PASS (tsc — 0 errors)
1387
+ - Unit tests: PASS (23/23 — 0 failures)
1388
+ - Integration tests: PASS (7/7)
1389
+ - Acceptance: PASS — REQ-001 verified, REQ-002 verified
1390
+ - Regression: PASS — unrelated test suites unchanged
1391
+ ```
1392
+
1393
+ ---
1394
+
1395
+ ### Failure Protocol
1396
+
1397
+ If a gate fails:
1398
+ 1. Stop. Do not proceed to the next task.
1399
+ 2. Record the failure in `STATE.md` under Open Blockers.
1400
+ 3. Fix the root cause — do not suppress or work around it.
1401
+ 4. Re-run the failed gate and all gates after it.
1402
+ 5. Update task status and validation evidence.
1403
+
1404
+ ---
1405
+
1406
+ ## 14. Commit Conventions
1407
+
1408
+ ### Format
1409
+
1410
+ ```
1411
+ <type>(<scope>): <short description> [TASK-XXX]
1412
+
1413
+ [Optional body — what changed and why, not how]
1414
+
1415
+ [Optional footer — breaking changes, issue references]
1416
+ ```
1417
+
1418
+ ### Types
1419
+
1420
+ | Type | Use |
1421
+ |------|-----|
1422
+ | `feat` | New feature or capability |
1423
+ | `fix` | Bug fix |
1424
+ | `refactor` | Restructure without behavior change |
1425
+ | `test` | Adding or fixing tests |
1426
+ | `docs` | Documentation only |
1427
+ | `chore` | Build, tooling, dependency updates |
1428
+ | `perf` | Performance improvement |
1429
+ | `security` | Security fix |
1430
+ | `spec` | Changes to `.specs/` files only |
1431
+
1432
+ ### Rules
1433
+
1434
+ 1. One logical change per commit. Never bundle unrelated changes.
1435
+ 2. Every commit that implements a task must reference `TASK-XXX` in the message.
1436
+ 3. Breaking changes must be flagged in the footer: `BREAKING CHANGE: [description]`.
1437
+ 4. Commits to `.specs/` use type `spec`.
1438
+ 5. Never squash commits that contain TASK-XXX references — they are the traceability chain.
1439
+
1440
+ ### Examples
1441
+
1442
+ ```
1443
+ feat(auth): add JWT refresh token endpoint [TASK-004]
1444
+
1445
+ Implements the refresh token flow described in REQ-003.
1446
+ Tokens expire after 7 days and rotate on each use.
1447
+ ```
1448
+
1449
+ ```
1450
+ spec(user-profile): add design.md with API contract [TASK-003]
1451
+ ```
1452
+
1453
+ ```
1454
+ fix(orders): prevent duplicate submission on slow network [TASK-011]
1455
+
1456
+ Race condition in submit handler caused double inserts.
1457
+ Added optimistic lock using idempotency key.
1458
+ ```
1459
+
1460
+ ---
1461
+
1462
+ ## 15. Security and Quality Rules
1463
+
1464
+ ### Security Rules
1465
+
1466
+ 1. **No secrets in code.** All credentials use environment variables. Never hardcode tokens, passwords, or API keys.
1467
+ 2. **Validate all inputs at the boundary.** Never trust data arriving from users, external APIs, or message queues without schema validation.
1468
+ 3. **Sanitize before rendering.** Output encoding is required for any user-controlled data rendered in a UI.
1469
+ 4. **Authentication before authorization.** Never implement authorization logic without confirming the authentication layer is correct.
1470
+ 5. **Least privilege.** Database roles, IAM policies, and service accounts must request only the permissions they need.
1471
+ 6. **Dependency audit.** Before adding a dependency, check for known CVEs. After adding an external service or SDK, document it in `CONVENTIONS.md` → Integrations.
1472
+ 7. **Security gate on:** any change to authentication, session management, data access, payment flows, or external integrations.
1473
+ 8. **Never log sensitive data.** Passwords, tokens, PII, and financial data must never appear in logs.
1474
+
1475
+ ---
1476
+
1477
+ ### Quality Rules
1478
+
1479
+ 1. **No dead code in production.** Remove commented-out code, unused imports, and orphaned functions before committing.
1480
+ 2. **No magic values.** Constants must be named and defined centrally.
1481
+ 3. **Error messages are observable.** Every error must include enough context for debugging without leaking internal structure to end users.
1482
+ 4. **Tests are not optional.** No logic without a test. If it cannot be tested, document why in `CONVENTIONS.md` → Concerns.
1483
+ 5. **Dependencies must be justified.** Adding a library requires updating `CONVENTIONS.md` → Technical Context with the reason.
1484
+ 6. **Breaking changes are flagged.** Any change to a public API, data contract, or shared module must be flagged before implementation.
1485
+ 7. **No overengineering.** Three similar lines is better than a premature abstraction. Optimize when the need is real, not hypothetical.
1486
+ 8. **Documentation stays alive.** `.specs/` files must be updated when the code they describe changes. Stale specs are worse than no specs.
1487
+
1488
+ ---
1489
+
1490
+ ### AI-Specific Quality Rules
1491
+
1492
+ 1. **Never invent.** If an API, function, or file's existence is uncertain, read the source before assuming it exists.
1493
+ 2. **No silent scope creep.** Implement exactly what the task specifies. Record anything discovered out-of-scope in STATE.md for a future task.
1494
+ 3. **No silent decisions.** Every choice between two implementation approaches must be recorded as a DEC-XXX entry.
1495
+ 4. **No fabricated validation.** Gate checks must actually be run. Do not write "tests pass" without running them.
1496
+ 5. **Context revalidation.** When resuming after a session break, re-read STATE.md before taking any action.
1497
+
1498
+ ---
1499
+
1500
+ ## 16. Practical Feature Example
1501
+
1502
+ ### Feature: "User Email Notifications"
1503
+
1504
+ This example demonstrates the full SDD workflow for a medium-complexity feature.
1505
+
1506
+ ---
1507
+
1508
+ #### Step 1: Specify
1509
+
1510
+ **File:** `.specs/features/email-notifications/spec.md`
1511
+
1512
+ ```markdown
1513
+ # Email Notifications — Specification
1514
+
1515
+ **Feature ID:** FEAT-003
1516
+ **Created:** 2026-06-25
1517
+ **Status:** Approved
1518
+
1519
+ ## Overview
1520
+ Allow users to receive email notifications when their order status changes.
1521
+
1522
+ ## Requirements
1523
+
1524
+ | ID | Description | Priority |
1525
+ |----|-------------|----------|
1526
+ | REQ-010 | System sends email when order moves to "shipped" status | Must Have |
1527
+ | REQ-011 | System sends email when order moves to "delivered" status | Must Have |
1528
+ | REQ-012 | User can opt out of email notifications per order | Should Have |
1529
+ | REQ-013 | Emails render correctly on mobile | Should Have |
1530
+
1531
+ ## Acceptance Criteria
1532
+ - [ ] REQ-010: Creating a shipment record triggers a "shipped" email to the order owner
1533
+ - [ ] REQ-011: Marking an order delivered triggers a "delivered" email
1534
+ - [ ] REQ-012: Users with notifications_enabled=false receive no emails
1535
+ - [ ] REQ-013: Email template passes mobile rendering check
1536
+
1537
+ ## Out of Scope
1538
+ - Push notifications
1539
+ - SMS notifications
1540
+ - Notification preferences beyond per-order opt-out
1541
+ ```
1542
+
1543
+ ---
1544
+
1545
+ #### Step 2: Add Context
1546
+
1547
+ **File:** `.specs/features/email-notifications/context.md`
1548
+
1549
+ ```markdown
1550
+ # Email Notifications — Context
1551
+
1552
+ ## Background
1553
+ Orders currently update status with no user feedback. Users are complaining in
1554
+ support tickets. This feature closes the most common support request.
1555
+
1556
+ ## Related Code
1557
+ - `src/services/order.service.ts` — `updateStatus()` is where triggers belong
1558
+ - `src/models/order.model.ts` — Order schema, contains user_id and status
1559
+ - `src/services/user.service.ts` — `findById()` returns user email
1560
+
1561
+ ## Prior Decisions
1562
+ - DEC-005: We use SendGrid for transactional email (see `CONVENTIONS.md` → Integrations)
1563
+ - DEC-006: Email templates are stored in `src/templates/email/`
1564
+
1565
+ ## Patterns to Follow
1566
+ - See `src/services/payment.service.ts` for how async side effects are triggered
1567
+ - See `src/templates/email/receipt.html` for template structure
1568
+
1569
+ ## Known Risks
1570
+ - RISK-007: SendGrid rate limit is 100/min on free tier — may be hit under load
1571
+ ```
1572
+
1573
+ ---
1574
+
1575
+ #### Step 3: Design (brief, medium feature)
1576
+
1577
+ **File:** `.specs/features/email-notifications/design.md`
1578
+
1579
+ ```markdown
1580
+ # Email Notifications — Design
1581
+
1582
+ ## Approach
1583
+ Add a notification trigger inside `order.service.ts` `updateStatus()`.
1584
+ Use the existing SendGrid integration documented in `CONVENTIONS.md` → Integrations.
1585
+
1586
+ ## Components
1587
+
1588
+ ### EmailNotificationService
1589
+ `src/services/email-notification.service.ts`
1590
+ - `sendShippedEmail(orderId: string): Promise<void>`
1591
+ - `sendDeliveredEmail(orderId: string): Promise<void>`
1592
+ - Reads order and user from DB, checks opt-out flag, sends via SendGrid
1593
+
1594
+ ### Email Templates
1595
+ - `src/templates/email/order-shipped.html`
1596
+ - `src/templates/email/order-delivered.html`
1597
+
1598
+ ## Decision
1599
+ | ID | Decision | Rationale |
1600
+ |----|----------|-----------|
1601
+ | DEC-012 | Trigger synchronously in updateStatus() | Low volume; async queue not justified yet |
1602
+ | DEC-013 | Reuse existing SendGrid service class | Consistency; no new dependency |
1603
+ ```
1604
+
1605
+ ---
1606
+
1607
+ #### Step 4: Tasks
1608
+
1609
+ **File:** `.specs/features/email-notifications/tasks.md`
1610
+
1611
+ ```markdown
1612
+ # Email Notifications — Tasks
1613
+
1614
+ ## TASK-020 — Create EmailNotificationService [P]
1615
+
1616
+ **Satisfies:** REQ-010, REQ-011, REQ-012
1617
+ **Files:** `src/services/email-notification.service.ts`, `src/services/__tests__/email-notification.service.spec.ts`
1618
+ **Dependencies:** None
1619
+
1620
+ **Steps:**
1621
+ 1. Create service file at `src/services/email-notification.service.ts`
1622
+ 2. Implement `sendShippedEmail` and `sendDeliveredEmail`
1623
+ 3. Check `notifications_enabled` flag before sending
1624
+ 4. Write unit tests with mocked SendGrid
1625
+
1626
+ **Acceptance Criteria:**
1627
+ - [ ] sendShippedEmail calls SendGrid with correct template and recipient
1628
+ - [ ] sendDeliveredEmail calls SendGrid with correct template and recipient
1629
+ - [ ] No email sent when notifications_enabled is false
1630
+
1631
+ **Status:** TODO
1632
+
1633
+ ---
1634
+
1635
+ ## TASK-021 — Create Email Templates [P]
1636
+
1637
+ **Satisfies:** REQ-010, REQ-011, REQ-013
1638
+ **Files:** `src/templates/email/order-shipped.html`, `src/templates/email/order-delivered.html`
1639
+ **Dependencies:** None
1640
+
1641
+ **Steps:**
1642
+ 1. Copy structure from `src/templates/email/receipt.html`
1643
+ 2. Create shipped template with order details
1644
+ 3. Create delivered template with order details
1645
+ 4. Use responsive table layout for mobile compatibility
1646
+
1647
+ **Acceptance Criteria:**
1648
+ - [ ] Templates render with correct order data
1649
+ - [ ] Templates pass basic mobile breakpoint check
1650
+
1651
+ **Status:** TODO
1652
+
1653
+ ---
1654
+
1655
+ ## TASK-022 — Wire Triggers in OrderService
1656
+
1657
+ **Satisfies:** REQ-010, REQ-011
1658
+ **Files:** `src/services/order.service.ts`, `src/services/__tests__/order.service.spec.ts`
1659
+ **Dependencies:** TASK-020
1660
+
1661
+ **Steps:**
1662
+ 1. Import EmailNotificationService into order.service.ts
1663
+ 2. Call sendShippedEmail when status changes to "shipped"
1664
+ 3. Call sendDeliveredEmail when status changes to "delivered"
1665
+ 4. Update order.service tests to verify trigger calls
1666
+
1667
+ **Acceptance Criteria:**
1668
+ - [ ] Status change to "shipped" calls sendShippedEmail
1669
+ - [ ] Status change to "delivered" calls sendDeliveredEmail
1670
+ - [ ] No email triggered for other status changes
1671
+
1672
+ **Status:** TODO
1673
+ ```
1674
+
1675
+ ---
1676
+
1677
+ #### Step 5: Execute
1678
+
1679
+ Agent runs TASK-020 and TASK-021 in parallel (they are marked `[P]` and touch disjoint files), then TASK-022 sequentially.
1680
+
1681
+ ---
1682
+
1683
+ #### Step 6: Validate
1684
+
1685
+ ```
1686
+ TASK-022 Validation Evidence:
1687
+ - Build: PASS
1688
+ - Lint: PASS
1689
+ - Typecheck: PASS
1690
+ - Unit tests: PASS (41/41)
1691
+ - Acceptance REQ-010: PASS — shipped trigger confirmed in test
1692
+ - Acceptance REQ-011: PASS — delivered trigger confirmed in test
1693
+ - Acceptance REQ-012: PASS — opt-out flag blocks send confirmed in test
1694
+ - Regression: PASS — order.service existing tests unchanged
1695
+ ```
1696
+
1697
+ ---
1698
+
1699
+ #### Step 7: Record State
1700
+
1701
+ **Update to `STATE.md`:**
1702
+
1703
+ ```markdown
1704
+ ## Session Log
1705
+ | 2026-06-25 | Implemented FEAT-003 email notifications | TASK-020, TASK-021, TASK-022 | DEC-012, DEC-013 |
1706
+
1707
+ ## Last Task Completed
1708
+ TASK-022 — Wire email notification triggers in OrderService
1709
+
1710
+ ## Suggested Next Steps
1711
+ 1. TASK-023 (if created): Manual QA of email rendering on mobile
1712
+ 2. Monitor RISK-007 (SendGrid rate limit) after deploy
1713
+
1714
+ ## Decisions Log
1715
+ | DEC-012 | 2026-06-25 | Trigger synchronously in updateStatus() | Low volume; queue not justified | order.service.ts |
1716
+ | DEC-013 | 2026-06-25 | Reuse existing SendGrid service | Consistency | email-notification.service.ts |
1717
+ ```
1718
+
1719
+ ---
1720
+
1721
+ ## 17. Tool-Specific Guidance
1722
+
1723
+ ### General Principle
1724
+
1725
+ The `.specs/` structure is tool-independent. It works as a plain text contract that any agent can read. The adaptations below are operational tips — not requirements.
1726
+
1727
+ ---
1728
+
1729
+ ### Claude Code
1730
+
1731
+ **Strengths:** Long context window, multi-file edits, built-in tool use for running tests and reading files.
1732
+
1733
+ **Usage pattern:**
1734
+ 1. Start each session: `Read .specs/project/STATE.md`
1735
+ 2. Load feature context: `Read .specs/features/[name]/spec.md` and `context.md`
1736
+ 3. Use `CLAUDE.md` to point to the harness: add a line pointing to this `SDD.md`
1737
+ 4. Use Claude Code's task system to track TASK-XXX progress
1738
+ 5. Use `Bash` tool to run validation gates and capture evidence
1739
+ 6. End each session: update `STATE.md` before closing
1740
+
1741
+ **CLAUDE.md suggestion:**
1742
+ ```markdown
1743
+ # Development Guide
1744
+ This project uses Spec Driven Development. See `SDD.md` for the full methodology.
1745
+
1746
+ Always start a session by reading `.specs/project/STATE.md`.
1747
+ All work follows the AI Development Harness in `SDD.md` Section 7.
1748
+ ```
1749
+
1750
+ ---
1751
+
1752
+ ### OpenAI Codex / ChatGPT with Code Interpreter
1753
+
1754
+ **Strengths:** Strong reasoning, good at spec analysis and plan generation.
1755
+
1756
+ **Usage pattern:**
1757
+ 1. Paste the content of `STATE.md`, `spec.md`, and `context.md` at the start of the prompt
1758
+ 2. Request one task at a time — Codex works best with focused, bounded scope
1759
+ 3. Ask Codex to return output in the sub-agent report format (Section 8)
1760
+ 4. Manually apply changes and run gates — Codex does not run tests natively in all modes
1761
+
1762
+ **Limitation:** Cannot read files directly. Must paste context. Keep pasted context under 8k tokens.
1763
+
1764
+ ---
1765
+
1766
+ ### Cursor
1767
+
1768
+ **Strengths:** IDE integration, inline suggestions, `@` file references, `.cursorrules` support.
1769
+
1770
+ **Usage pattern:**
1771
+ 1. Add `.cursorrules` pointing to key spec files:
1772
+ ```
1773
+ Always read .specs/project/STATE.md before suggesting changes.
1774
+ Follow conventions in .specs/codebase/CONVENTIONS.md.
1775
+ Reference the current feature spec before generating code.
1776
+ ```
1777
+ 2. Use `@file` references in prompts: `@.specs/features/email-notifications/spec.md`
1778
+ 3. Use Cursor's Composer for multi-file tasks (TASK-XXX scope)
1779
+ 4. After Composer runs, manually update `tasks.md` and `STATE.md`
1780
+
1781
+ **Limitation:** Does not natively run tests. Use terminal to run validation gates.
1782
+
1783
+ ---
1784
+
1785
+ ### GitHub Copilot
1786
+
1787
+ **Strengths:** Autocomplete, inline suggestions, Copilot Chat for bounded Q&A.
1788
+
1789
+ **Usage pattern:**
1790
+ 1. Use Copilot Chat with explicit file context: "Given `spec.md` [paste], implement `sendShippedEmail`"
1791
+ 2. Use `@workspace` in Copilot Chat to reference the full codebase (when available)
1792
+ 3. Copilot is best for filling in implementation detail after design is done in `design.md`
1793
+ 4. Manually validate and update `tasks.md` — Copilot does not maintain state
1794
+
1795
+ **Limitation:** No persistent memory. Must re-establish context per chat session.
1796
+
1797
+ ---
1798
+
1799
+ ### CLI Agents (LangChain, AutoGPT, custom harnesses)
1800
+
1801
+ **Strengths:** Automation, multi-step execution, tool use, scriptable.
1802
+
1803
+ **Usage pattern:**
1804
+ 1. At agent startup, inject: `STATE.md`, `PROJECT.md`, `CONVENTIONS.md`
1805
+ 2. Pass the current `tasks.md` as the work queue
1806
+ 3. Configure the agent to output sub-agent reports (Section 8 format)
1807
+ 4. Use file write tools to update `tasks.md` status fields after each task
1808
+ 5. Use file write tools to append to `STATE.md` session log at end of run
1809
+
1810
+ **Key configuration:**
1811
+ ```yaml
1812
+ context_files:
1813
+ - .specs/project/STATE.md
1814
+ - .specs/project/PROJECT.md
1815
+ - .specs/codebase/CONVENTIONS.md
1816
+
1817
+ task_source: .specs/features/[name]/tasks.md
1818
+
1819
+ on_task_complete:
1820
+ - update: tasks.md (set status=DONE, add evidence)
1821
+ - append: STATE.md (session log entry)
1822
+
1823
+ output_format: sub-agent-report
1824
+ ```
1825
+
1826
+ ---
1827
+
1828
+ ### Specialized Sub-Agents
1829
+
1830
+ When delegating to specialized sub-agents (security reviewer, test writer, architecture validator), provide:
1831
+
1832
+ 1. The sub-agent's specific spec section — not the whole project
1833
+ 2. The sub-agent report format (Section 8) as the expected output
1834
+ 3. Explicit scope boundaries: what files to read, what files to write, what not to touch
1835
+
1836
+ The orchestrating agent is responsible for integrating the sub-agent's output back into `tasks.md` and `STATE.md`.
1837
+
1838
+ ---
1839
+
1840
+ ## Final Recommendations
1841
+
1842
+ ### Start lean, grow as needed
1843
+
1844
+ Do not create every `.specs/` file before writing any code. For a quick task, `quick/[name]/TASK.md` is sufficient. For a new medium feature, start with `spec.md` and `context.md`. Add `design.md` and `tasks.md` when the complexity warrants it.
1845
+
1846
+ ### STATE.md is the most important file
1847
+
1848
+ Every agent must read it first and update it last. A well-maintained `STATE.md` means any agent — or any human — can pick up the project in under 5 minutes. A neglected `STATE.md` means the next session starts from zero.
1849
+
1850
+ ### Trust the traceability chain
1851
+
1852
+ When requirements change, follow the chain: update `spec.md`, then `design.md`, then `tasks.md`, then the code. Never update code and forget to update the spec. The spec is the contract — the code is the execution.
1853
+
1854
+ ### Keep validation evidence
1855
+
1856
+ The most common failure mode in AI-assisted development is a task marked DONE that was never actually validated. Recording gate evidence in `tasks.md` makes this impossible to fake and easy to audit.
1857
+
1858
+ ### Commit atomically
1859
+
1860
+ One task, one commit. The commit message references the TASK-XXX. This creates a permanent audit trail between decisions, specs, and code that survives team changes, tool changes, and time.
1861
+
1862
+ ### Revisit CONVENTIONS.md → Concerns
1863
+
1864
+ Technical debt and known risks accumulate silently. The Concerns section in `CONVENTIONS.md` is only useful if it is read before touching risky areas and updated when new concerns are found. Build the habit of reading it at the start of any session involving complex or legacy code.
1865
+
1866
+ ### This SDD is a living document
1867
+
1868
+ Update `SDD.md` itself when the team finds patterns that work better, when tools change, or when new complexity tiers emerge. The methodology should evolve with the project — not constrain it.
1869
+
1870
+ ---
1871
+
1872
+ *SDD v1.0.0 — Built on the TLC Spec Driven Development model.*
1873
+ *Tool-independent. Complexity-adaptive. AI-native.*