Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From predicate
Defines normative specification and behavioral contracts using BCP 14 keywords. Useful for establishing invariants, permitted transitions, and forbidden states before implementation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/predicate:specThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Identify → Formalize → Verify → Record → Connect**
Identify → Formalize → Verify → Record → Connect
Verification Dual — symbolic path. SPEC produces the normative constraint artifacts that are checked by the symbolic half of the Verification Dual: every constraint this workflow formalizes becomes a deterministic evaluator target (a test invariant, a type-level proof obligation, or a model-checker input) that closes a condition on the symbolic path. Routed at the moment of specifying invariants and behavioral contracts (rules.md §5).
This workflow defines the C.O.R.E. Specification phase. The objective is to define high-density normative constraint vectors (behavioral contracts) that prune the phase-space of valid trajectories during code generation. Where /form describes the system's states and transitions (coalgebraic dynamics), /spec declares what MUST hold (modal specification) and translates these constraints into test invariants.
A model is a representation. A specification is a contract.
Models are descriptive — they map the state-space and operational dynamics. Specifications are normative — they declare invariants that must remain stable and transition conditions that are permitted. This distinction maps precisely to the behavior/specification duality formalized in SDMA §11 (Stone duality: coalgebraic dynamics ↔ modal specification).
Without explicit specifications, sequence walks rely on stochastic priors. Every corrective feedback loop caused by trajectory drift is the cost of a missing specification. SPEC minimizes this drift by establishing explicit, deterministic constraints before execution, translating them into executable test suites.
[!IMPORTANT] SPEC produces normative constraint artifacts — declarations of what a system MUST, SHOULD, MUST NOT, and MAY do. It is NOT structural modeling (that's
/form) and NOT implementation (that's/core); strategic planning and exploration are the standing Planning Invariants and Sketch Principle, not workflows you switch into. If you find yourself describing ontology without constraints, you're in/formterritory. If you find yourself evaluating approaches rather than declaring constraints, you've left SPEC for strategy.
Specifications use normative keywords as defined in BCP 14 (RFC 2119, RFC 8174):
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in specification documents produced by this workflow are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals.
This convention is not ceremonial — it is the single most effective mechanism for eliminating behavioral ambiguity. An agent client interpreting "the system must validate input" will treat it as a recommendation. An agent client interpreting "the system MUST validate input" treats it as a non-negotiable requirement.
Like /form, SPEC operates in two modes, determined by context:
Trigger: No existing system specified. The human requests a behavioral specification for a new domain.
Flow: Produce a new specification artifact from templates/SPEC.md, committed to docs/specs/.
Output: A complete specification with all template sections filled.
Trigger: An existing system, document, or implementation is specified.
Flow: Extract and formalize the normative constraints implicit in the system's design. Surface unwritten assumptions, missing invariants, and behavioral gaps.
Output: Either a standalone specification in docs/specs/ or annotations integrated into the target document (human's choice).
[!NOTE] Apply mode is where /spec often delivers the most value — surfacing the behavioral rules that everyone assumes but nobody has written down.
SPEC is notation-agnostic. The formalism scales with the system's criticality, mirroring how /form selects formalisms via the SDMA Decision Matrix (SDMA §6).
| System Criticality | Specification Notation | Verification Method |
|---|---|---|
| Low (internal tools, scripts) | Structured prose with explicit INVARIANT / MUST / MUST NOT blocks | Agent self-verification |
| Medium (libraries, APIs, protocols) | Alloy (structural constraints), TLA+ (behavioral/temporal) | LLM-integrated formal verification or model finder |
| High (cryptographic, safety-critical) | Full Alloy + TLA+ with proof obligations, optionally Lean/Coq proof | Dedicated model checker, proof assistant |
[!IMPORTANT] Verification is mandatory at every tier. A specification that hasn't been checked for internal consistency is not a specification — it's a wish list. The verification method scales with the notation, but verification itself is never optional.
Use these heuristics:
When in doubt, err toward more formalism. The cost of over-specifying is ceremony; the cost of under-specifying is implementation bugs.
Criticality is not the only axis. Many domains have established specification traditions with their own formats, conventions, and tooling. When a domain convention exists, prefer it over a generic notation — it carries decades of community-tested structure and will be more natural for both human reviewers and agents trained on that corpus.
Common domain-specific specification formats:
| Domain | Established Format | When to Use |
|---|---|---|
| Network protocols | IETF RFC format with ABNF grammars (RFC 5234) | Specifying wire formats, message sequences, state machines |
| APIs | OpenAPI / AsyncAPI | Specifying REST/event-driven API contracts |
| Data validation | JSON Schema / XML Schema | Specifying structural constraints on data interchange |
| Programming languages | EBNF grammars + operational/denotational semantics | Specifying syntax and evaluation rules |
| Requirements engineering | IEEE 830 / ISO/IEC/IEEE 29148 | Specifying system-level requirements for large projects |
| Cryptographic protocols | Formal security models (UC framework, game-based proofs) | Specifying security properties and adversary models |
These formats are not alternatives to the SPEC.md template — they complement it. The SPEC.md template captures the predicate-internal normative layer (invariants, transitions, forbidden states, verification tags). Domain-specific formats live inside the template's Formal Specification section, providing the domain-standard representation alongside the predicate-internal constraints.
[!TIP] If the domain has an established specification format, use it. The SPEC.md template's "Formal Specification" section is designed to host domain-standard notation. The constraint sections above it provide the pipeline-internal normative layer; the formal specification section provides the domain-standard layer.
Determine what needs constraining. Sources of normative constraints:
Create mode: Absorb the domain description, identify the behavioral boundaries.
Apply mode: Read the target system thoroughly. Identify every implicit invariant, every assumed pre-condition, every unwritten "this should never happen."
Express constraints using the notation appropriate to the system's criticality tier.
All tiers require:
no_empty_completion, session_required_for_spawn)VERIFIED tag indicating its verification status (populated in VERIFY).Tier 2+ additionally requires:
[!IMPORTANT] HALT after FORMALIZE. Present the specification to the human before verification. Wrong constraints verified are worse than unverified correct constraints — challenge the constraints before investing in verification.
Verify the specification at the appropriate level. Verification has three sub-tiers:
Tag each constraint with its verification result:
VERIFIED: proof — formally proven (Lean, Coq, exhaustive model check)VERIFIED: machine — machine-checked for consistency (Alloy Analyzer, TLC)VERIFIED: agent-check — agent self-verification (weakest guarantee)UNVERIFIED — not yet verified, with rationale for deferral[!CAUTION] Do NOT mark a constraint as
VERIFIED: machinewhen it was actuallyVERIFIED: agent-check. The distinction matters — downstream consumers rely on the tag to know where the specification's guarantees have teeth and where they have only aspiration.
Commit the specification artifact.
Create mode:
templates/SPEC.mddocs/specs/<domain-name>.mdApply mode:
docs/specs/, or integrate findings into the target document (human's choice)templates/SPEC.md with the Target System field populated[!IMPORTANT] Template discipline. Create mode documents MUST use
templates/SPEC.md. Ad hoc formats are a protocol violation.
Link the specification constraints to execution-level verification targets:
docs/specs/ — the spec constrains the form's state space./core regulates state against them./form revision.IDENTIFY ──→ FORMALIZE (constraints identified)
└─→ ABORT (nothing worth specifying)
FORMALIZE ──→ VERIFY (human approves constraints)
└─→ IDENTIFY (wrong scope — need to reframe)
VERIFY ──→ RECORD (spec passes verification)
└─→ FORMALIZE (verification failures require revision)
RECORD ──→ CONNECT (artifact committed)
CONNECT ──→ DONE (context linked)
You MUST stop and await human input at:
docs/
└── specs/
└── <domain-name>.md # specification artifact
Specification filenames should be descriptive of the domain being constrained, not the formalism used. Example: docs/specs/identity-protocol.md, not docs/specs/alloy-spec-1.md.
Specifications are living artifacts. Rot prevention uses existing pipeline infrastructure:
/form's CONNECT step)/core discovers spec is wrong → empirical invalidation: emit an ESCALATION block and HALT for the human to choose the response (re-frame, dialectic, or descope), per the same Strategic Escalation invariantexplore → frame → /form → /spec → /core
(ambient dispositions) (what) (must) (do)
↑ ↓
└─ cross-reference ─┘
Exploring and framing are standing dispositions — the Sketch Principle and the Planning Invariants — not workflows you switch into. SPEC can be invoked standalone or from within any other workflow. A specification produced while exploring informs the strategy that follows; one produced during /core validates implementation decisions. The specification is a normative tool available at any point.
Where it fits:
/form: The natural position. The form defines the ontology; the spec constrains it. Execution then operates within those constraints./form: Valid. Not every system needs a formal model, but many need behavioral contracts. /spec can be invoked with inline type declarations instead of model references./core: Valid. If /core discovers undocumented behavioral requirements, invoking /spec mid-execution captures them as normative artifacts rather than ad hoc code comments.If a sketch exists for the current workstream:
The sketch captures the specification journey; the spec document captures the normative outcome.
VERIFICATION_MANDATORY: Every constraint must carry a VERIFIED tag. Untagged constraints are protocol violations. Deferred verification is acceptable with explicit rationale; silent omission is not.
NORMATIVE_NOT_DESCRIPTIVE: If you're describing structure without declaring what must hold, you're modeling, not specifying. Every statement in a specification should use normative language (BCP 14 keywords).
TYPED_CONSTRAINTS: Constraints MUST reference typed entities. "The system should be reliable" is not a constraint. "Service uptime MUST NOT fall below 99.9% over any rolling 30-day window" is.
FORMALISM_SCALES: Use the simplest formalism that provides adequate verification. Don't force Alloy on a config validation check. Don't use prose for a cryptographic protocol.
HALT_ON_CONTRADICTION: If verification reveals contradictions between constraints, you are FORBIDDEN from proceeding to RECORD. Surface to human.
TEST_INVARIANT_MAPPING: Every normative constraint MUST map to an executable test invariant in the verification suite. Sourcing code edits without compiling the corresponding test invariant is forbidden.
| Violation | Why It's Wrong |
|---|---|
Constraints without VERIFIED tags | Downstream consumers can't distinguish rigor levels |
VERIFIED: machine on an agent-checked constraint | Misrepresents the verification guarantee |
| Untyped normative claims | Aspirations masquerading as constraints |
| Specification without normative keywords | Descriptions masquerading as specifications |
| Modifying spec without committing | Breaks changelog; decision history is lost |
| Proceeding to RECORD with unresolved contradictions | Incoherent spec cascades into incoherent implementation |
| Constraints without explicit test invariant mapping | Implementation loses its deterministic verification validator |
npx claudepluginhub nrdxp/predicate --plugin predicateAuthors structured specifications (NLSpec) via multi-AI research and consensus gathering. Useful for complex requirement definition.
Distills any intent input (brain dump, PRD, email, transcript) into a canonical SPEC.md kernel and companion files. Useful when a user says create, validate, or update a spec.
Guides structured conversations to build Allium specifications, scoping boundaries, eliciting requirements, and abstracting domain behavior without implementation details.