Validate Blueprint Compliance
Check codebase against documented specs, patterns, anti-patterns, and architectural decisions.
Invoked by: /blueprint:validate
Principles
- Parallel scanning: Batch Grep calls by validation category.
- Progressive disclosure: For large result sets, summarize first, drill down on request.
- Severity-based: Rank findings by impact (Critical > High > Medium > Low).
- Non-destructive: Report only, never auto-fix without explicit request.
TOOL USAGE: You MUST invoke the AskUserQuestion tool for scope selection if not specified.
When you see JSON examples in this skill, they are parameters for the AskUserQuestion tool - invoke it, don't output the JSON as text or rephrase as plain text questions.
Process
FIRST ACTION: Enter plan mode by calling the EnterPlanMode tool. This enables proper interactive questioning.
Step 1: Check Prerequisites
Required files (at least one):
docs/specs/- Spec compliance (tech-stack.md, product.md, boundaries.md)docs/adrs/*.md- ADR compliance (discovered via globbing)patterns/bad/anti-patterns.md- Anti-pattern checkspatterns/good/- Pattern compliance (optional)
If none exist: "No Blueprint structure found. Run /blueprint:onboard first."
Step 2: Scope Selection
If scope not provided in command, use AskUserQuestion:
{
"questions": [{
"question": "What should I validate?",
"header": "Scope",
"options": [
{"label": "All source (Recommended)", "description": "Validate entire codebase excluding node_modules, dist, build"},
{"label": "Recent changes", "description": "Only files modified in last commit or uncommitted"},
{"label": "Specific directory", "description": "I'll specify a path to validate"}
],
"multiSelect": false
}]
}
Response handling:
- "All source" → Validate src/, lib/, etc. excluding node_modules, dist, build
- "Recent changes" → Use
git diff --name-onlyto get changed files - "Specific directory" → Ask: "Which directory?" (plain text follow-up)
- "Other" → Use their text as directory path
Step 3: Load Validation Rules
From Specs
Tech Stack (docs/specs/tech-stack.md):
- Extract declared Runtime, Framework, Database, Auth technologies
- Extract expected commands (install, dev, test, lint)
Product (docs/specs/product.md):
- Extract Quality Standards commands
- Extract Success Metrics for tracking
Features (docs/specs/features/):
- Glob
docs/specs/features/*.mdto find all feature specs - For each feature spec, extract from frontmatter: status, module path, related ADRs
- Track: Active, Planned, Deprecated features
- Graceful fallback: If frontmatter fields are missing, skip that check and note "incomplete spec" in report
Non-Functional Requirements (docs/specs/non-functional/):
- Glob
docs/specs/non-functional/*.mdto find all NFR files - Extract metrics and targets for validation
- Categories: performance, security, scalability, reliability
Boundaries (docs/specs/boundaries.md):
- Extract "Always Do" rules as required compliance checks
- Extract "Never Do" rules as violation searches
- Extract "Ask First" items as warnings when detected
From Patterns
- Anti-patterns: Parse
##sections frompatterns/bad/anti-patterns.mdfor searchable patterns - Good patterns: Extract key elements from
patterns/good/*files
From ADRs
- ADRs: Extract enforceable rules (chosen dependencies, mandated patterns, banned alternatives)
Step 4: Scan Codebase
Tool Preferences:
- File reading: Use Claude's Read tool (not
cat) - File finding: Use Claude's Glob tool (not
findorls) - Content search: Use Claude's Grep tool (not
greporrg)
Performance Constraints:
- Batch size: Maximum 5-8 parallel Grep calls at once
- Result limits: Use
head_limit: 20per search to avoid context overflow - Progressive disclosure: If total issues > 50, present summary by category first, then offer to drill down
- Large codebases: For repos with >500 source files, validate one category at a time
Search using parallel Grep calls grouped by validation category. Stream findings as discovered.
Spec Compliance Scans
Tech Stack Validation:
- Read
package.json(or equivalent:requirements.txt,go.mod,Cargo.toml, etc.) - Compare against declared tech in
docs/specs/tech-stack.md - Flag: undeclared dependencies, version mismatches, missing declared tech
Feature Coverage:
- Glob
docs/specs/features/*.mdto find all feature specs - For each feature spec:
- Verify declared module path exists (e.g.,
src/auth/) - Check for corresponding test files in the module
- Verify status matches reality (Active features should have code)
- Check module path contains implementation
- Verify related ADRs are still Active (glob
docs/adrs/*.mdand check frontmatter)
- Verify declared module path exists (e.g.,
- Flag: features with no apparent implementation, orphaned modules not in features/
Boundary Violations:
- For each "Never Do" rule, search for violations (secrets, disabled auth, etc.)
- For "Always Do" rules, verify compliance (e.g., ADR comments exist, quality commands configured)
- For "Ask First" items, warn if detected without documentation
Pattern and ADR Scans
Run pattern and ADR scans in parallel with spec scans.
Step 5: Report Findings
Present findings ranked by severity:
| Severity | Description |
|---|---|
| Critical | Security vulnerabilities, data loss, boundary "Never Do" violations |
| High | Tech stack mismatches, missing capabilities, performance issues |
| Medium | Code smells, pattern inconsistencies, undeclared dependencies |
| Low | Style preferences, minor drift |
Report format:
## Blueprint Validation Report
### Spec Compliance
**Tech Stack:**
- [✓] Runtime: Node.js 20 matches declared
- [✗] Framework: Declared Express, found Fastify in package.json
- [!] Undeclared: lodash (not in tech-stack.md)
**Feature Coverage:**
| Feature | Spec Status | Module | Evidence |
|---------|-------------|--------|----------|
| User Auth | Active | src/auth/ | ✓ Module exists, 5 test files |
| Data Export | Planned | src/export/ | ? Module exists, no tests |
| Analytics | Active | src/analytics/ | ✗ Module missing |
**Orphaned Modules** (code without feature specs):
- src/legacy/ - Not documented in features/
**Boundary Compliance:**
- [✓] ADR references found in code (15 occurrences)
- [✗] "Never Do" violation: hardcoded secret in config.ts:42
- [!] "Ask First" detected: New dependency 'axios' added without ADR
### Pattern Violations
1. **[Anti-pattern name]** (Critical)
- Location: file:line
- Fix: [recommendation]
### ADR Compliance
- [✓] ADR-001: PostgreSQL - using pg driver as specified
- [✗] ADR-003: Repository pattern - direct DB calls found in handlers/
### Summary
- Critical: [N] | High: [N] | Medium: [N] | Low: [N]
- Spec compliance: [N]/[total] checks passed
- Pattern compliance: [N]/[total] patterns followed
Step 6: Surface Undocumented Patterns
Note any consistent code patterns (repeated 3+ times) not yet captured in patterns/good/.
Also flag significant code/features not documented in any spec (potential spec drift).
After Validation
- Spec drift found: Suggest updating specs or creating ADRs for undocumented changes
- Tech stack mismatch: Suggest
/blueprint:decideto document the actual choice - Missing capabilities: Flag for product review - is this intentional or missing?
- Boundary violations: Highlight critical issues requiring immediate attention
- Undocumented patterns found: Suggest
/blueprint:good-pattern - No violations: Confirm codebase consistency with specs
Examples
/blueprint:validate→ Full validation (specs + patterns + ADRs)/blueprint:validate specs→ Focus on spec compliance only/blueprint:validate features→ Focus on feature coverage- "Check if code matches our specs" → Spec compliance check
- "Validate the auth module" → Scoped to
src/auth/ - "Check for anti-patterns" → Focus on anti-pattern violations
- "Are we following our tech stack?" → Tech stack compliance check
- "Check feature coverage" → Verify features have implementations
- "Find orphaned code" → Identify modules without feature specs