# Requirement Validator Skill

Validates pseudo-code specifications across 6 critical dimensions with customizable checks per tech stack and severity levels.

## What This Skill Does

Validates pseudo-code specifications to catch missing details before implementation:

```
VALIDATION REPORT

✓ PASSED CHECKS
  ✓ Error codes defined
  ✓ Security requirements specified
  ✓ Timeouts included

✗ CRITICAL ISSUES (Must Fix)
  - No rate limiting on public endpoint

⚠ HIGH WARNINGS (Should Fix)
  - Token refresh concurrency not handled

📋 MEDIUM (Nice to Have)
  - Consider adding request tracing
```

Key features:
- **6 dimensions**: Security, completeness, error handling, data handling, performance, edge cases
- **Severity levels**: CRITICAL (must fix), HIGH (should fix), MEDIUM (nice to have)
- **Tech-stack aware**: Validation rules customized for detected tech stack
- **Actionable**: Each issue includes explanation and suggested fix

## When to Use

- Before implementing, to catch issues early
- Reviewing specifications from team members
- Quality gate for specification release
- Validating pseudo-code across all dimensions

## 6 Validation Dimensions

### 1. Security

Checks for authentication, authorization, data protection, and attack prevention.

**Questions:**
- Is authentication specified? (type, providers, tokens)
- Is authorization (access control) defined?
- Input validation mentioned?
- Rate limiting specified?
- Sensitive data encryption required?
- Secure communication (HTTPS)?
- Secure cookie settings?

**CRITICAL issues:**
- No authentication for sensitive operations
- SQL/command injection vulnerability
- Plaintext secrets or PII
- No authorization checks
- Missing rate limiting on public endpoints

**HIGH issues:**
- Weak hashing algorithms
- Overly broad permissions
- Missing input sanitization
- No CSRF protection

**Customization by tech stack:**

**Node.js/Next.js:**
- Check for CORS configuration
- Check for helmet/security middleware
- JWT secret management

**Python/Django:**
- Check for CSRF middleware
- Check for permission classes
- Password validation rules

**Go:**
- Check for middleware chain
- Check for goroutine safety
- Context timeout usage

### 2. Completeness

Checks that all required parameters and details are specified.

**Questions:**
- All function parameters named and valued?
- Data types clear or implied?
- Constraints documented? (max length, valid values)
- Data provenance clear? (where does it come from)
- File paths mentioned?
- External dependencies called out?
- Tech stack context clear?

**CRITICAL issues:**
- Key parameters missing
- Vague requirements ("make it secure")
- No data types for complex objects
- Missing timeouts

**HIGH issues:**
- Constraints not documented
- File paths not specified
- Dependencies unclear

### 3. Error Handling

Checks that all error scenarios have defined handling with status codes.

**Questions:**
- Error codes defined for each scenario? (400, 401, 403, 404, 500, 503)
- Every error path covered?
- Retry strategies specified?
- Fallback behavior defined?
- Error logging enabled?
- Timeout scenarios handled?
- Rate limit exceeded handling specified?

**CRITICAL issues:**
- No error codes defined
- Silent failures
- Missing auth failure handling (no 401)
- Missing authorization failure handling (no 403)
- Unhandled exceptions

**HIGH issues:**
- Inconsistent error codes
- No retry logic for transient failures
- No timeout handling
- Inadequate logging

### 4. Data Handling

Checks how data flows through the system and is protected.

**Questions:**
- Data source clear? (user input, database, cache, API)
- Validation strategy specified?
- Storage location mentioned?
- Data lifecycle clear? (retention, deletion)
- Sensitive data handling? (PII, passwords, tokens)
- Safe serialization? (prevent XXE, injection)
- Concurrency considered? (race conditions)

**CRITICAL issues:**
- No data validation
- Sensitive data in logs
- Unencrypted sensitive data
- Injection vulnerability
- Unencrypted storage of PII

**HIGH issues:**
- Data lifetime not specified
- Missing encryption in transit
- No input sanitization
- Concurrent modification not handled

### 5. Performance

Checks for scalability, resource management, and optimization.

**Questions:**
- Timeouts specified? (API calls, queries, operations)
- Caching strategy defined?
- Database queries optimized?
- Scalability considered? (10x load)
- Rate limits specified?
- Resource usage bounded? (memory, CPU)
- Pagination used for large datasets?

**CRITICAL issues:**
- No timeout specified (can hang indefinitely)
- Unbounded loops or recursion
- No rate limiting on expensive operations

**HIGH issues:**
- Inefficient queries (full table scans)
- Missing caching
- Unbounded result sets
- No pagination

### 6. Edge Cases

Checks for boundary conditions and failure modes.

**Questions:**
- Concurrent requests handled?
- External service downtime handled?
- Network failures considered?
- Partial failures handled?
- Boundary conditions checked? (empty, zero, max)
- Resource cleanup specified?
- Recovery specified?
- Retryable operations idempotent?

**CRITICAL issues:**
- Race condition causes corruption
- No handling for service downtime
- Partial failures crash system

**HIGH issues:**
- Concurrency not considered
- No idempotency for retries
- Boundary conditions untested (empty, zero, max)
- Resource leaks on failure

## Tech Stack Customization

Validation rules adapted per tech stack:

### Node.js/Next.js-Specific
- Check for route handler error boundaries
- Check for middleware chain completeness
- Database connection pooling
- Async/await error handling

### Python/Django-Specific
- Check for middleware registration
- Check for decorator usage (login_required, permission_required)
- ORM query optimization
- Signal handler cleanup

### Go-Specific
- Check for error unwrapping (errors.Is, errors.As)
- Goroutine cleanup (WaitGroup, context cancellation)
- Channel close semantics
- Defer block cleanup

### Rust-Specific
- Check for Result/Option handling
- Check for lifetime annotations
- Check for mutex deadlock prevention
- Check for panic handling

## Severity Guidelines

### CRITICAL (Must Fix)
- Security vulnerabilities (injection, auth bypass, data breach)
- System crashes or infinite loops
- Race conditions causing data corruption
- Missing required functionality
- Prevents production deployment

### HIGH (Should Fix)
- Important edge cases not handled
- Incomplete implementations
- Performance issues
- Security best practices violated
- Should fix before deployment, but not blocking

### MEDIUM (Nice to Have)
- Optimizations
- Observability improvements
- Unlikely edge cases
- Code quality suggestions
- Can defer to future iterations

## Non-Applicable Checks

Some checks don't apply to all specifications. Handle gracefully:

```
Security: [SKIPPED - not a security-sensitive operation]
  Reasoning: This is data formatting, not authentication

Performance: [SKIPPED - batch operation, not real-time]
  Reasoning: Specification doesn't require response time guarantees
```

## Validation Report Format

```
PSEUDO-CODE VALIDATION REPORT
═══════════════════════════════════════════════════════════════

✓ PASSED CHECKS
  ✓ Check description here
  ✓ Another passed check
  [... list all passed checks ...]

✗ CRITICAL ISSUES (Must Fix)
  Issue Title
    Problem: [Explanation of what's wrong]
    Impact: [Why this matters]
    Fix: [Specific recommendation]

⚠ HIGH WARNINGS (Should Fix)
  Warning Title
    Problem: [What's missing or incorrect]
    Impact: [Consequence if not fixed]
    Fix: [Suggested improvement]

📋 MEDIUM (Nice to Have)
  Suggestion Title
    Why: [Why this would improve the spec]
    How: [Suggested approach]

═══════════════════════════════════════════════════════════════
DIMENSION SUMMARY

  Security:     ✓ PASSED (5/5 checks)
  Completeness: ⚠ 1 ISSUE (4/5 checks)
  Error Hdlg:   ✓ PASSED (6/6 checks)
  Data Hdlg:    ✓ P
```
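As an added example (not the skill's own implementation), the following Python sketch applies the model described on this page: regex checks grouped by dimension, each with the severity raised when the detail is missing, dimensions that can be marked non-applicable with a reason, and a renderer that emits the report layout above. The check table, issue titles, fixes and the sample spec are constructed for illustration and cover only the Security and Error Handling dimensions.

```python
import re

# Added example, not the skill's own implementation: a rule-based validator for
# the Security and Error Handling dimensions. A check passes when its regex is
# found in the spec; otherwise it raises an issue at the page's severity level.
# Rows: (dimension, passed-check name, regex, severity when absent, issue title, fix)
CHECKS = [
    ("Security", "Authentication specified", r"\b(auth\w*|jwt|oauth|session)\b",
     "CRITICAL", "No authentication for sensitive operations", "Name the scheme and token lifetime"),
    ("Security", "Rate limiting specified", r"rate[- ]?limit",
     "CRITICAL", "Missing rate limiting on public endpoints", "State the limit, window and 429 response"),
    ("Security", "Secure communication (HTTPS)", r"\b(https|tls)\b",
     "HIGH", "Transport security not required", "Require HTTPS on every endpoint"),
    ("Error Handling", "Error codes defined", r"\b(400|401|403|404|500|503)\b",
     "CRITICAL", "No error codes defined", "Assign a status code to every failure path"),
    ("Error Handling", "Timeouts included", r"timeout",
     "HIGH", "No timeout handling", "Set a timeout on every external call"),
    ("Error Handling", "Request tracing", r"trac(e|ing)|correlation[- ]id",
     "MEDIUM", "Consider adding request tracing", "Propagate a correlation id through logs"),
]

def validate(spec: str, skipped=None) -> dict:
    # skipped maps dimension -> reason; those dimensions are reported, not scored
    skipped = skipped or {}
    result = {"passed": [], "CRITICAL": [], "HIGH": [], "MEDIUM": [], "summary": {}, "skipped": skipped}
    for dim, name, pattern, severity, title, fix in CHECKS:
        if dim in skipped:
            continue  # non-applicable dimension
        stats = result["summary"].setdefault(dim, {"passed": 0, "total": 0})
        stats["total"] += 1
        if re.search(pattern, spec, re.IGNORECASE):
            stats["passed"] += 1
            result["passed"].append(name)
        else:
            result[severity].append({"title": title, "fix": fix})
    return result

def render(result: dict) -> str:
    lines = ["VALIDATION REPORT", "", "✓ PASSED CHECKS"] + [f"  ✓ {p}" for p in result["passed"]]
    for mark, sev, label in (("✗", "CRITICAL", "ISSUES (Must Fix)"), ("⚠", "HIGH", "WARNINGS (Should Fix)"),
                             ("📋", "MEDIUM", "(Nice to Have)")):
        if result[sev]:
            lines += ["", f"{mark} {sev} {label}"] + [f"  - {i['title']}\n    Fix: {i['fix']}" for i in result[sev]]
    lines += [f"\n{d}: [SKIPPED - {why}]" for d, why in result["skipped"].items()] + ["", "DIMENSION SUMMARY"]
    for d, s in result["summary"].items():
        state = "✓ PASSED" if s["passed"] == s["total"] else f"⚠ {s['total'] - s['passed']} ISSUE(S)"
        lines.append(f"  {d}: {state} ({s['passed']}/{s['total']} checks)")
    return "\n".join(lines)

SAMPLE_SPEC = """POST /api/login: validate email and password, issue a JWT (15 min lifetime),
return 401 on bad credentials, 400 on a malformed body, 500 on database errors.
All traffic over HTTPS."""  # constructed sample spec, not taken from the page
```

Calling `print(render(validate(SAMPLE_SPEC, skipped={"Performance": "batch operation, not real-time"})))` prints the passed checks, one CRITICAL issue (no rate limiting), one HIGH warning (no timeouts), one MEDIUM suggestion (tracing), the skipped dimension with its reason, and the per-dimension summary.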