Spec-driven SDLC skills for AI coding agents — Claude Code, Cursor, Windsurf, Gemini CLI
Project description
AI-SDLC v2 — Spec-Driven Skills for AI Coding Agents
A lean, token-efficient Software Development Life Cycle for AI coding agents (Claude Code, Cursor, Windsurf, Gemini CLI). Six skills that make an agent work the way a senior engineer does: understand → decide → plan in verifiable steps → build with checks after every step → gate → ship.
Designed so that even a small model can execute reliably: the planning skill (run once, ideally with a strong model) removes every judgment call up front, and the execution skills are mechanical loops with hard stop conditions.
Design principles (what changed from v1)
| v1 problem | v2 fix |
|---|---|
| Huge token use | Skills are 4–10× smaller; artifacts have hard size budgets; every skill reads only the files it names — never "scan the codebase" |
| Implementation files full of code, impossible to review | Specs contain instructions + contracts (signatures, shapes, exact steps) — never code bodies. You review decisions and contracts, not walls of code |
| QA didn't catch bugs | Checks are defined at plan time (every task has a Verify command, every goal an acceptance check). QA just executes them — nothing left to a model's mood |
| Too many files per feature | One spec file per feature. Plan, decisions, tasks, and QA log all live in .sdlc/specs/<feature>.md |
| Features silently broke each other | /build runs the full test suite every 2 tasks (not only at the end); /qa treats any regression as an automatic FAIL |
| Style drift, copied bugs | Every task names a Pattern: file the new code must mirror; PROJECT.md carries ≤ 12 checkable convention rules |
| Black-box output | Every spec opens with What & why (plain-English story of the feature) and a Decisions section: what each component is, what was chosen, why, and what was rejected — written to pass the "12th-grader test", so you can explain the design to anyone |
Install
Copy the folders inside skills/ into your agent's skills directory at the project root:
| Agent / IDE | Path |
|---|---|
| Claude Code | .claude/skills/ |
| Cursor | .cursor/skills/ |
| Windsurf | .windsurf/skills/ |
| Gemini CLI | .gemini/skills/ |
The skills appear as slash commands: /sdlc-init, /roadmap, /spec, /build, /qa, /ship.
The flow
/sdlc-init one-time setup → .sdlc/PROJECT.md + STATE.md
│
/roadmap (optional) whole project → features → .sdlc/ROADMAP.md
│
/spec <feature> plan one feature → .sdlc/specs/<feature>.md
│ (research, decisions, tasks with contracts + verify commands)
/build <feature> implement task-by-task → code; verify gate after EVERY task,
│ full-suite checkpoint every 2 tasks
/qa <feature> mechanical gate → verdict appended to the spec;
│ failures become fix-tasks for /build
/ship <feature> safe commit → feature branch only, STATE.md updated
The /build → /qa → /build loop is the self-healing part: QA never fixes code, it appends F1, F2… fix-tasks to the spec, and /build executes them like any other task.
The six skills
| Skill | Does | Reads | Writes |
|---|---|---|---|
sdlc-init |
One-time project setup: stack, layout, commands, conventions, boundaries | manifests + a few source files, or PRD, or your answers | PROJECT.md, STATE.md |
roadmap |
Splits a PRD into ordered, shippable features (what + order, never how) | PROJECT.md, the PRD | ROADMAP.md |
spec |
Plans one feature: researches unknowns, records decisions, writes ≤ 8 tasks with Files / Pattern / Do / Verify |
PROJECT.md, STATE.md, only the files the feature touches | specs/<feature>.md |
build |
Executes the spec exactly: whitelist files, mirror patterns, verify after every task, checkpoint every 2 | PROJECT.md, the spec, only listed files | code + spec checkboxes |
qa |
Re-runs all verifies + acceptance checks + full suite + diff scan; PASS/FAIL verdict; failures → fix-tasks | PROJECT.md, the spec, the diff | QA log in the spec |
ship |
Branch guard, explicit staging, conventional commit from the spec, records update. Never pushes | the spec | git commit, STATE.md, ROADMAP.md |
Bonus: architecture-diagram — renders a self-contained HTML/SVG architecture diagram (unchanged from v1).
The .sdlc/ folder — 4 file types, that's all
.sdlc/
├── PROJECT.md # ≤ 80 lines: stack, layout, commands, conventions, boundaries
├── STATE.md # one table: feature | spec | status | shipped date (+ cross-feature notes)
├── ROADMAP.md # optional: ordered feature list for a whole project
└── specs/
└── <feature>.md # everything about one feature: goal, decisions, touches,
# tasks (with checkboxes = live progress), acceptance checks, QA log
A spec file looks like this (abridged):
# user-auth
Status: building
Goal: Email+password auth issuing JWT access/refresh tokens
Done when:
- POST /v1/auth/login returns tokens for valid credentials
- Protected routes return 401 without a valid token
## What & why — plain English
When someone signs up, we store their account with a scrambled (hashed) password —
we never keep the real one. When they log in, we check the password and hand back
two digital passes: a short-lived access token shown on every request, and a
longer-lived refresh token used to get a new pass when the old one expires.
Any protected page simply refuses visitors without a valid pass.
## Decisions
- **JWT tokens** — a JWT is a signed digital pass the server can verify without a
database lookup. Chose: 15-min access token + rotating 7-day refresh token.
Why: servers don't have to remember who is logged in, so the app scales by just
adding more servers. Rejected: cookie sessions — they need shared session
storage, which complicates scaling.
- **bcrypt (cost 12)** — a slow-by-design password scrambler, so stolen data is
useless to attackers. Why: the battle-tested standard. Rejected: argon2 —
slightly stronger but adds a native dependency our stack doesn't need.
## Touches
- Edits: src/main.py (register router)
- Mirrors: src/routes/items.py, src/services/items.py
- Risk: shared error handler in src/exceptions.py
## Tasks
### [x] T1 — User model + migration
Files: CREATE src/models/user.py, CREATE migrations/…
Pattern: src/models/item.py
Do:
- Table users: id UUID pk, email unique not-null, password_hash str, created_at
- Migration with upgrade + downgrade
Verify: `uv run alembic upgrade head` → applies cleanly
### [ ] T2 — Auth service
Files: CREATE src/services/auth.py
Pattern: src/services/items.py
Do:
- register(email, password) -> User — reject duplicate email with ConflictError
- login(email, password) -> TokenPair(access: str, refresh: str)
- Hash with bcrypt cost 12; never log passwords
Verify: `uv run pytest tests/auth -q` → pass
## Acceptance checks
- [ ] `curl -s -X POST :8000/v1/auth/login -d '{…}'` → 200 with access + refresh tokens
- [ ] `curl -s :8000/v1/items` (no token) → 401
## QA log
### QA 2026-07-12 — PASS
Task verifies: 5/5 · Acceptance: 3/3 · Suite: 42 passed · Regressions: 0
Try it:
1. Run `uv run uvicorn src.main:app`, POST /v1/auth/register with {"email":"test@example.com","password":"Pass123!"}
2. Expect 201 and a user id; then login with the same credentials → 200 with two tokens
Notice: an implementer needs no other document, a reviewer reads Decisions + contracts in minutes, the checkboxes are resumable progress state, and QA's checklist was fixed the moment the spec was written.
Why this works with small models
- Judgment happens once, at spec time. Use your best model for
/spec. After that,/buildand/qaare deterministic loops — pick task, read 2–3 listed files, follow exact bullets, run a command, check a box. - Whitelists instead of freedom. A task's
Files:list is a hard boundary; needing another file is a stop-and-report, not an improvisation. - Patterns instead of taste. "Mirror
src/services/items.py" keeps style consistent without describing style. - Verification is a command, not an opinion. Every task and every acceptance criterion is proven by running something and comparing output.
- Tiny context. PROJECT.md ≤ 80 lines, one spec per feature, skills that forbid whole-codebase scans — the model's window stays small and focused.
Roadmap for this kit
- pip / npm installer that copies skills into the right folder per agent and scaffolds
.sdlc/ - Optional CI hook: run
/qachecks headlessly on pull requests
Related prior art: github/spec-kit.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ai_sdlc_kit-0.1.0.tar.gz.
File metadata
- Download URL: ai_sdlc_kit-0.1.0.tar.gz
- Upload date:
- Size: 20.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.7 {"installer":{"name":"uv","version":"0.10.7","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bb9219f46b88ac2323b51cf21998c9e8c328576d0f63dc84f3ec60a4e7068bef
|
|
| MD5 |
769b4e6a84b2e73332b8899a49cb4f47
|
|
| BLAKE2b-256 |
4f187998e8c729ed2230c33b46a24876be23a8b5f21477b1c4667aae93a37e48
|
File details
Details for the file ai_sdlc_kit-0.1.0-py3-none-any.whl.
File metadata
- Download URL: ai_sdlc_kit-0.1.0-py3-none-any.whl
- Upload date:
- Size: 26.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.7 {"installer":{"name":"uv","version":"0.10.7","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bc82906b70cbc770453a67a247427980c5b10c03068cb6ed396716ffe5323326
|
|
| MD5 |
97afa223aa7eb34963870e9362a88415
|
|
| BLAKE2b-256 |
5008c1b31fa2ba58bed2c8bb04e173e57984f21a7259a3ca675d3333805e06d6
|