Claude-skill-registry-data moai-alfred-spec-authoring

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry-data

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry-data "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/moai-alfred-spec-authoring" ~/.claude/skills/majiayu000-claude-skill-registry-data-moai-alfred-spec-authoring && rm -rf "$T"

manifest: data/moai-alfred-spec-authoring/SKILL.md

source content

SPEC Authoring Skill (Enterprise v4.0.0)

Level 1: Quick Reference

Core Capabilities

YAML Metadata Structure: 7 required + 9 optional fields for complete SPEC management
EARS Requirement Syntax: 5 patterns (Universal, Conditional, Unwanted Behavior, Stakeholder, Boundary)
Version Lifecycle: draft → active → deprecated → archived with state management
TAG Integration: SPEC→TEST→CODE→DOC traceability
Validation Checklist: 25+ pre-submission validation criteria

Quick SPEC Template

---
code: SPEC-001
title: Add User Authentication with JWT
status: draft
created_at: 2025-11-13
updated_at: 2025-11-13
priority: high
effort: 8
version: 1.0.0
epic: AUTH-01
domains:
  - backend
  - security
  - database
---

# SPEC-001: Add User Authentication with JWT

## Overview
Implement secure JWT-based user authentication with password hashing and token validation.

## Requirements

### REQ-001 (Universal)
SPEC: The authentication service SHALL validate JWT tokens using RS256 algorithm against the public key.

### REQ-002 (Conditional)
SPEC: If a JWT token has expired, then the authentication service SHALL reject the request and return HTTP 401.

### REQ-003 (Unwanted Behavior)
SPEC: The authentication service SHALL NOT accept JWT tokens signed with symmetric algorithms (HS256, HS384, HS512).

### REQ-004 (Stakeholder)
As an API consumer, I want to pass JWT tokens in the Authorization header so that my requests are authenticated.

### REQ-005 (Boundary Condition)
SPEC: The authentication service SHALL return HTTP 429 when a single IP attempts more than 10 failed authentications in 5 minutes.

## Unwanted Behaviors

### Security Constraints
- The system SHALL NOT store JWT secrets in source code
- The system SHALL NOT log JWT tokens or sensitive claims

### Performance Constraints
- The system SHALL NOT block on token validation (async pattern)
- The system SHALL NOT cache tokens indefinitely

## Acceptance Criteria
- [ ] All 5 REQ patterns implemented and tested
- [ ] Code coverage ≥85%
- [ ] Security scan passed (OWASP Top 10)
- [ ] Performance: JWT validation p99 latency ≤200ms

EARS Pattern Summary

Pattern	Syntax	Use Case
Universal	`The [System] SHALL [Action]`	Core system behavior
Conditional	`If [Condition], then [System] SHALL [Action]`	Conditional logic
Unwanted Behavior	`The [System] SHALL NOT [Action]`	Security constraints
Stakeholder	`As a [Role], I want [Feature] so that [Benefit]`	User stories
Boundary Condition	`[System] SHALL [Action] when [Condition]`	Edge cases

Level 2: Core Implementation

YAML Metadata Structure

7 Required Fields

---
# SPEC identifier (auto-generated)
code: SPEC-001

# SPEC title (descriptive, 50-80 chars)
title: Add User Authentication with JWT

# SPEC status (draft | active | deprecated | archived)
status: draft

# Creation timestamp (ISO 8601: YYYY-MM-DD)
created_at: 2025-11-13

# Last updated timestamp (ISO 8601: YYYY-MM-DD)
updated_at: 2025-11-13

# Business priority (critical | high | medium | low)
priority: high

# Estimated effort in story points (1-13 scale)
effort: 8
---

9 Optional Fields

# Version tracking (semantic versioning: major.minor.patch)
version: 1.0.0

# Deadline target date (ISO 8601: YYYY-MM-DD)
deadline: 2025-12-15

# Epic this SPEC belongs to (e.g., AUTH-01, ONBOARDING-02)
epic: AUTH-01

# Related SPEC codes (dependencies or conflicts)
depends_on:
  - SPEC-002
  - SPEC-003

# Affected domains (for routing to specialists)
domains:
  - backend
  - security
  - database

# Acceptance criteria complexity rating
acceptance_difficulty: high

# Rollback complexity rating (critical | high | medium | low)
rollback_risk: medium

# Risk assessment notes
risks: |
  - Security: JWT key rotation must be tested
  - Performance: Token validation on every request

# Custom tags for filtering/searching
tags:
  - authentication
  - security
  - jwt
  - users

EARS Requirement Syntax

Pattern 1: Universal (Always True)

Syntax:

SPEC: The [System] SHALL [Action]

Example:

SPEC-001-REQ-001: The authentication service SHALL validate
all JWT tokens using RS256 algorithm against the public key.

Related TEST:
- test_valid_jwt_with_rs256_signature
- test_invalid_jwt_with_wrong_algorithm

Pattern 2: Conditional (If-Then)

Syntax:

SPEC: If [Condition], then the [System] SHALL [Action]

Example:

SPEC-001-REQ-002: If a JWT token has expired,
then the authentication service SHALL reject the request
and return HTTP 401 Unauthorized with error code TOKEN_EXPIRED.

Related TEST:
- test_expired_token_returns_401
- test_expired_token_error_message

Pattern 3: Unwanted Behavior (Negative Requirement)

Syntax:

SPEC: The [System] SHALL NOT [Action]

Example:

SPEC-001-REQ-003: The authentication service SHALL NOT
accept JWT tokens signed with symmetric algorithms (HS256, HS384, HS512)
in a production environment.

Related TEST:
- test_reject_hs256_signed_token
- test_reject_hs384_signed_token
- test_reject_hs512_signed_token

Pattern 4: Stakeholder (User Role-Specific)

Syntax:

SPEC: As a [User Role], I want [Feature] so that [Benefit]

Example:

SPEC-001-REQ-004: As an API consumer,
I want to pass JWT tokens in the Authorization header
so that my requests are authenticated without exposing tokens.

Related TEST:
- test_jwt_from_authorization_header
- test_jwt_in_query_param_rejected
- test_malformed_authorization_header

Pattern 5: Boundary Condition (Edge Cases)

Syntax:

SPEC: [System] SHALL [Action] when [Boundary Condition]

Example:

SPEC-001-REQ-005: The authentication service SHALL return
HTTP 429 Too Many Requests when a single IP address
attempts more than 10 failed authentication attempts within 5 minutes.

Related TEST:
- test_rate_limit_after_10_failures
- test_rate_limit_window_5_minutes
- test_rate_limit_by_ip_address

Level 3: Advanced Features

Version Lifecycle Management

Lifecycle States

DRAFT → ACTIVE → DEPRECATED → ARCHIVED
  ↓                  ↓
Under Review    Stable, In Use
  ↓                  ↓
Changes Expected    Changes Require
Feedback Pending    Major Version Bump

State Transitions

DRAFT → ACTIVE:

All acceptance criteria defined
At least 2 reviewers approved
No critical open issues
```
version
```
bumped to 1.0.0
Status change commit created

ACTIVE → DEPRECATED:

Marked with deprecation reason
Migration path documented
Replacement SPEC linked
30-day notice period
Status change commit created

DEPRECATED → ARCHIVED:

No active code references
All dependent SPECs archived
Historical record maintained
No further changes allowed
Archive commit created

Unwanted Behaviors Section

Critical security and quality constraints that MUST be tested:

unwanted_behaviors:
  security:
    - The system SHALL NOT store JWT secrets in source code
    - The system SHALL NOT log JWT tokens or sensitive claims
    - The system SHALL NOT accept mixed algorithm tokens

  performance:
    - The system SHALL NOT block on token validation (async pattern)
    - The system SHALL NOT cache tokens indefinitely

  reliability:
    - The system SHALL NOT fail authentication if secondary cache is down
    - The system SHALL NOT accept malformed JSON Web Tokens

  data_integrity:
    - The system SHALL NOT modify token claims during validation
    - The system SHALL NOT accept tokens from untrusted issuers

Each Unwanted Behavior requires:

Test case verifying non-occurrence
Security scanning (where applicable)
Performance profiling (where applicable)

TAG Integration for Traceability

TAG Structure (SPEC→TEST→CODE→DOC)

      ↓
      ↓
      ↓

TAG Placement Rules

SPEC Document:

---
# SPEC-001: Feature Name
---

Test File:

def test_requirement_001():
    """Test SPEC-001 REQ-001 universal pattern."""
    pass

Implementation:

def authenticate_user(token: str) -> bool:
    """Validate JWT token per SPEC-001."""
    pass

Documentation:

## Authentication Flow
Per SPEC-001, the system SHALL validate all JWT tokens...

Level 4: Reference & Integration

Pre-Submission Validation Checklist

Metadata Validation

```
code
```
field filled (SPEC-XXX format)
```
title
```
is descriptive (50-80 characters)
```
status
```
is one of: draft | active | deprecated | archived
```
created_at
```
is ISO 8601 format (YYYY-MM-DD)
```
updated_at
```
matches actual update date
```
priority
```
is one of: critical | high | medium | low
```
effort
```
is between 1-13 (story points)

Requirement Syntax

At least 3 REQ patterns used (Universal, Conditional, Unwanted)
Each REQ follows EARS syntax strictly
Requirements are specific and testable
No ambiguous language ("should", "may", "might")
All REQs are actionable (have test cases)

Unwanted Behaviors

Security constraints listed (if applicable)
Performance constraints listed (if applicable)
Reliability constraints listed (if applicable)
Data integrity constraints listed (if applicable)
Each Unwanted Behavior has a test approach

Acceptance Criteria

All 5 EARS patterns implemented
All Unwanted Behaviors testable
Code coverage target ≥85% specified
Security scan type specified
Performance baseline defined (if applicable)

Final Review

No TODO or placeholder text
All links are valid (internal and external)
Formatting is consistent (markdown syntax)
No confidential information exposed
Ready for team review

Common Pitfalls & Anti-Patterns

Anti-Pattern 1: Ambiguous Requirements

Bad:

SPEC-001-REQ-001: The system should authenticate users quickly.

Good:

SPEC-001-REQ-001: The authentication service SHALL validate JWT tokens
and return a response within 50ms on average,
with p99 latency not exceeding 200ms.

Anti-Pattern 2: Vague Acceptance Criteria

Bad:

- The feature should work
- Tests should pass
- No obvious bugs

Good:

- [ ] All 12 test cases pass (unit + integration)
- [ ] Code coverage ≥85% (src/auth/validate.py)
- [ ] Security scan: OWASP Top 10 coverage complete
- [ ] Performance: JWT validation p99 latency ≤200ms

Anti-Pattern 3: Missing Unwanted Behaviors

Bad:

# (No unwanted_behaviors section)

Good:

unwanted_behaviors:
  security:
    - The system SHALL NOT store plaintext passwords
    - The system SHALL NOT log authentication tokens

When to Use

Automatic Triggers:

```
/alfred:1-plan
```
command execution
SPEC document creation requests
Requirements clarification discussions
Feature planning sessions
Change request handling

Manual Invocation:

SPEC template guidance
Metadata field clarification
EARS syntax validation
Version management questions
TAG traceability setup

Related Skills

```
moai-alfred-best-practices
```
- TRUST 5 principles for SPEC authoring
```
moai-alfred-spec-validation
```
- Automated SPEC validation
```
moai-foundation-specs
```
- SPEC lifecycle management
```
moai-foundation-trust
```
- Security and compliance principles
```
moai-alfred-workflow
```
- SPEC creation workflows

TRUST Principles Applied

Test First: All requirements include test cases and validation criteria Readable: Clear EARS syntax with unambiguous language Unified: Consistent structure across all SPEC documents Secured: Unwanted Behaviors section with security constraints Traceable: TAG integration for complete requirement traceability

Enterprise v4.0 Compliance: Progressive disclosure with comprehensive EARS syntax, validation checklists, and lifecycle management. Last Updated: 2025-11-13
Dependencies: YAML metadata format, EARS specification, TAG system See Also: examples.md for detailed SPEC examples