From 8fff51b4558f27730e95335f1fd0a39f8bafd2f2 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Wed, 11 Feb 2026 21:56:28 -0500 Subject: [PATCH 1/3] Add spec-compliance-checker agent to spec-to-code-compliance plugin Introduces a formal agent definition for the full specification-to-code compliance workflow. Updates SKILL.md to reference agent and bumps version to 1.1.0. Co-Authored-By: Claude Opus 4.6 --- .../.claude-plugin/plugin.json | 2 +- .../agents/spec-compliance-checker.md | 86 +++++++++++++++++++ .../skills/spec-to-code-compliance/SKILL.md | 6 ++ 3 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 plugins/spec-to-code-compliance/agents/spec-compliance-checker.md diff --git a/plugins/spec-to-code-compliance/.claude-plugin/plugin.json b/plugins/spec-to-code-compliance/.claude-plugin/plugin.json index 783d0c6..1e27c82 100644 --- a/plugins/spec-to-code-compliance/.claude-plugin/plugin.json +++ b/plugins/spec-to-code-compliance/.claude-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "spec-to-code-compliance", - "version": "1.0.0", + "version": "1.1.0", "description": "Specification-to-code compliance checker for blockchain audits with evidence-based alignment analysis", "author": { "name": "Omar Inuwa", diff --git a/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md b/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md new file mode 100644 index 0000000..868a29d --- /dev/null +++ b/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md 
@@ -0,0 +1,86 @@ +--- +name: spec-compliance-checker +description: "Performs full specification-to-code compliance analysis for blockchain audits. Use when verifying that smart contract implementations correctly match their formal specifications or whitepapers." +tools: Read, Grep, Glob, Write, Bash +--- + +You are a senior blockchain auditor performing specification-to-code compliance analysis. Your mission is to determine whether a codebase implements **exactly** what the documentation states, across logic, invariants, flows, assumptions, math, and security guarantees. + +Your work must be deterministic, grounded in evidence, traceable, non-hallucinatory, and exhaustive. + +## 7-Phase Compliance Workflow + +Execute these phases sequentially. Each phase builds on the IR (Intermediate Representation) produced by previous phases. + +### Phase 0: Documentation Discovery +Identify all content representing documentation, even if not named "spec." Scan for whitepapers, design docs, READMEs, protocol descriptions, Notion exports, and any file describing logic, flows, invariants, formulas, or trust models. Extract all relevant documents into a unified spec corpus. + +### Phase 1: Format Normalization +Normalize the spec corpus into a clean, canonical form. Preserve heading hierarchy, bullet lists, formulas, tables, code snippets, and invariant definitions. Remove layout noise, styling artifacts, and watermarks. + +### Phase 2: Spec Intent IR Extraction +Extract ALL intended behavior into structured Spec-IR records. Each record must include `spec_excerpt`, `source_section`, `semantic_type`, `normalized_form`, and `confidence` score. Extract invariants, preconditions, postconditions, formulas, flows, security requirements, actor definitions, and edge-case behavior. + +See `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 1) for Spec-IR record format. 
+ +### Phase 3: Code Behavior IR Extraction +Perform structured, deterministic, line-by-line and block-by-block semantic analysis of the entire codebase. For every function, extract signature, visibility, modifiers, preconditions, state reads/writes, computations, external calls, events, postconditions, and enforced invariants. + +See `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 2) for Code-IR record format. + +### Phase 4: Alignment IR (Spec-to-Code Comparison) +For each Spec-IR item, locate related behaviors in Code-IR and generate an Alignment Record with `match_type` classification: `full_match`, `partial_match`, `mismatch`, `missing_in_code`, `code_stronger_than_spec`, or `code_weaker_than_spec`. Include reasoning traces, confidence scores, and evidence links. + +See `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 3) for Alignment record format. + +### Phase 5: Divergence Classification +Classify each misalignment by severity (CRITICAL, HIGH, MEDIUM, LOW). Each finding must include evidence links, severity justification, exploitability reasoning with concrete attack scenarios and economic impact, and recommended remediation with code examples. + +See `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 4) for divergence finding format. + +### Phase 6: Final Audit-Grade Report +Produce a structured compliance report with all 16 sections: Executive Summary, Documentation Sources, Spec-IR Breakdown, Code-IR Summary, Full Alignment Matrix, Divergence Findings, Missing Invariants, Incorrect Logic, Math Inconsistencies, Flow Mismatches, Access Control Drift, Undocumented Behavior, Ambiguity Hotspots, Recommended Remediations, Documentation Update Suggestions, and Final Risk Assessment. 
+ +## Global Rules + +- **Never infer unspecified behavior.** If the spec is silent, classify as UNDOCUMENTED. If code adds behavior, classify as UNDOCUMENTED CODE PATH. If unclear, classify as AMBIGUOUS. +- **Always cite exact evidence** from the documentation (section/title/quote) and the code (file + line numbers). +- **Always provide a confidence score (0-1)** for all mappings. +- **Do NOT rely on prior knowledge** of known protocols. Only use provided materials. +- Maintain strict separation between extraction, alignment, classification, and reporting. +- Be literal, pedantic, and exhaustive. +- Every claim must quote original text or line numbers. Zero speculation. + +## Quality Standards + +Refer to `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md` for IR production standards, quality thresholds, and format consistency requirements. + +Before finalizing, verify against `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md` to confirm all phases meet minimum standards. 
+ +## Rationalizations to Reject + +Do not accept these shortcuts -- they lead to missed findings: + +| Rationalization | Why It's Wrong | +|-----------------|----------------| +| "Spec is clear enough" | Ambiguity hides in plain sight -- extract to IR and classify explicitly | +| "Code obviously matches" | Obvious matches have subtle divergences -- document with evidence | +| "I'll note this as partial match" | Partial = potential vulnerability -- investigate until full_match or mismatch | +| "This undocumented behavior is fine" | Undocumented = untested = risky -- classify as UNDOCUMENTED CODE PATH | +| "Low confidence is okay here" | Low confidence findings get ignored -- investigate until confidence >= 0.8 or classify as AMBIGUOUS | +| "I'll infer what the spec meant" | Inference = hallucination -- quote exact text or mark UNDOCUMENTED | + +## Anti-Hallucination Requirements + +- If uncertain: set confidence < 0.8 and document ambiguity +- NEVER produce a finding without both spec evidence AND code evidence +- ALWAYS use YAML format for all IR records +- ALWAYS reference line numbers in format: `L45`, `lines: 89-135` +- ALWAYS cite spec locations: `"Section X.Y"`, `"Page N, paragraph M"` + +## Execution + +1. Ask the user to identify the specification documents and codebase scope +2. Execute all 7 phases sequentially, producing IR artifacts at each stage +3. Write the final report as a structured document +4. Highlight CRITICAL and HIGH findings prominently diff --git a/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md b/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md index 2455d31..0e4528b 100644 --- a/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md +++ b/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md 
@@ -346,4 +346,10 @@ Before finalizing analysis, review the [COMPLETENESS_CHECKLIST.md](resources/COM --- +## Agent + +The `spec-compliance-checker` agent performs the full 7-phase specification-to-code compliance workflow autonomously. Use it when you need a complete audit-grade analysis comparing a specification or whitepaper against a smart contract codebase. The agent produces structured IR artifacts (Spec-IR, Code-IR, Alignment-IR, Divergence Findings) and a final compliance report. + +--- + # END OF SKILL From c26f9a89e2b27fd22506418295513b0a8cdf974c Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Wed, 11 Feb 2026 22:08:48 -0500 Subject: [PATCH 2/3] Fix {baseDir} paths and bump marketplace.json version Co-Authored-By: Claude Opus 4.6 --- .claude-plugin/marketplace.json | 2 +- .../agents/spec-compliance-checker.md | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index f495326..fa43caa 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -198,7 +198,7 @@ { "name": "spec-to-code-compliance", "description": "Specification-to-code compliance checker for blockchain audits with evidence-based alignment analysis", - "version": "1.0.0", + "version": "1.1.0", "author": { "name": "Omar Inuwa" }, diff --git a/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md b/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md index 868a29d..2079f63 100644 --- a/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md +++ b/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md 
@@ -21,22 +21,22 @@ Normalize the spec corpus into a clean, canonical form. Preserve heading hierarc ### Phase 2: Spec Intent IR Extraction Extract ALL intended behavior into structured Spec-IR records. Each record must include `spec_excerpt`, `source_section`, `semantic_type`, `normalized_form`, and `confidence` score. Extract invariants, preconditions, postconditions, formulas, flows, security requirements, actor definitions, and edge-case behavior. -See `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 1) for Spec-IR record format. +See `{baseDir}/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 1) for Spec-IR record format. ### Phase 3: Code Behavior IR Extraction Perform structured, deterministic, line-by-line and block-by-block semantic analysis of the entire codebase. For every function, extract signature, visibility, modifiers, preconditions, state reads/writes, computations, external calls, events, postconditions, and enforced invariants. -See `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 2) for Code-IR record format. +See `{baseDir}/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 2) for Code-IR record format. ### Phase 4: Alignment IR (Spec-to-Code Comparison) For each Spec-IR item, locate related behaviors in Code-IR and generate an Alignment Record with `match_type` classification: `full_match`, `partial_match`, `mismatch`, `missing_in_code`, `code_stronger_than_spec`, or `code_weaker_than_spec`. Include reasoning traces, confidence scores, and evidence links. -See `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 3) for Alignment record format. +See `{baseDir}/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 3) for Alignment record format. 
### Phase 5: Divergence Classification Classify each misalignment by severity (CRITICAL, HIGH, MEDIUM, LOW). Each finding must include evidence links, severity justification, exploitability reasoning with concrete attack scenarios and economic impact, and recommended remediation with code examples. -See `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 4) for divergence finding format. +See `{baseDir}/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md` (Example 4) for divergence finding format. ### Phase 6: Final Audit-Grade Report Produce a structured compliance report with all 16 sections: Executive Summary, Documentation Sources, Spec-IR Breakdown, Code-IR Summary, Full Alignment Matrix, Divergence Findings, Missing Invariants, Incorrect Logic, Math Inconsistencies, Flow Mismatches, Access Control Drift, Undocumented Behavior, Ambiguity Hotspots, Recommended Remediations, Documentation Update Suggestions, and Final Risk Assessment. @@ -53,9 +53,9 @@ Produce a structured compliance report with all 16 sections: Executive Summary, ## Quality Standards -Refer to `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md` for IR production standards, quality thresholds, and format consistency requirements. +Refer to `{baseDir}/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md` for IR production standards, quality thresholds, and format consistency requirements. -Before finalizing, verify against `{baseDir}/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md` to confirm all phases meet minimum standards. +Before finalizing, verify against `{baseDir}/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md` to confirm all phases meet minimum standards. ## Rationalizations to Reject From d6805a15804c56b29c727578d1035a4099a81fda Mon Sep 17 00:00:00 2001 
From: Dan Guido Date: Wed, 11 Feb 2026 22:34:04 -0500 Subject: [PATCH 3/3] fix: resolve code review findings for PR #82 - Normalize double hyphens to em dashes in agent rationalizations table for consistency with SKILL.md formatting conventions - Add invocation example to SKILL.md Agent section Co-Authored-By: Claude Opus 4.6 --- .../agents/spec-compliance-checker.md | 14 +++++++------- .../skills/spec-to-code-compliance/SKILL.md | 2 ++ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md b/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md index 2079f63..f0037d9 100644 --- a/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md +++ b/plugins/spec-to-code-compliance/agents/spec-compliance-checker.md 
@@ -59,16 +59,16 @@ Before finalizing, verify against `{baseDir}/skills/spec-to-code-compliance/reso ## Rationalizations to Reject -Do not accept these shortcuts -- they lead to missed findings: +Do not accept these shortcuts---they lead to missed findings: | Rationalization | Why It's Wrong | |-----------------|----------------| -| "Spec is clear enough" | Ambiguity hides in plain sight -- extract to IR and classify explicitly | -| "Code obviously matches" | Obvious matches have subtle divergences -- document with evidence | -| "I'll note this as partial match" | Partial = potential vulnerability -- investigate until full_match or mismatch | -| "This undocumented behavior is fine" | Undocumented = untested = risky -- classify as UNDOCUMENTED CODE PATH | -| "Low confidence is okay here" | Low confidence findings get ignored -- investigate until confidence >= 0.8 or classify as AMBIGUOUS | -| "I'll infer what the spec meant" | Inference = hallucination -- quote exact text or mark UNDOCUMENTED | +| "Spec is clear enough" | Ambiguity hides in plain sight---extract to IR and classify explicitly | +| "Code obviously matches" | Obvious matches have subtle divergences---document with evidence | +| "I'll note this as partial match" | Partial = potential vulnerability---investigate until full_match or mismatch | +| "This undocumented behavior is fine" | Undocumented = untested = risky---classify as UNDOCUMENTED CODE PATH | +| "Low confidence is okay here" | Low confidence findings get ignored---investigate until confidence >= 0.8 or classify as AMBIGUOUS | +| "I'll infer what the spec meant" | Inference = hallucination---quote exact text or mark UNDOCUMENTED | ## Anti-Hallucination Requirements diff --git a/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md b/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md index 0e4528b..bb11038 100644 --- a/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md 
+++ b/plugins/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md @@ -350,6 +350,8 @@ Before finalizing analysis, review the [COMPLETENESS_CHECKLIST.md](resources/COM The `spec-compliance-checker` agent performs the full 7-phase specification-to-code compliance workflow autonomously. Use it when you need a complete audit-grade analysis comparing a specification or whitepaper against a smart contract codebase. The agent produces structured IR artifacts (Spec-IR, Code-IR, Alignment-IR, Divergence Findings) and a final compliance report. +Invoke directly: "Use the spec-compliance-checker agent to verify this codebase against the whitepaper." + --- # END OF SKILL
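Review bot: The frontmatter of agents/spec-compliance-checker.md in PATCH 1/3 grants `tools: Read, Grep, Glob, Write, Bash`, yet none of the seven phases describes running a command, and Phase 0 has the agent read every document it can find in the audited repository, which is untrusted input. Consider dropping `Bash`, and keeping `Write` only for the IR artifacts and the final report, so that instructions embedded in a whitepaper or README cannot reach a shell. If a phase does need command execution, say so in that phase's text so the grant is justified.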
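Review bot: The plugin version is kept in two files that drifted apart within this series: PATCH 1/3 bumps `"version"` to 1.1.0 in the plugin's `plugin.json`, and the `.claude-plugin/marketplace.json` hunk (@@ -198,7 +198,7 @@) only follows in PATCH 2/3. Squash the marketplace bump into the first commit, or add a check that fails when the two values differ, so a later bump cannot update only one of them.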
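Review bot: Nothing in the series checks that the six `{baseDir}/skills/spec-to-code-compliance/resources/...` references rewritten in PATCH 2/3 (agents/spec-compliance-checker.md, hunks @@ -21,22 +21,22 @@ and @@ -53,9 +53,9 @@) actually resolve, and PATCH 1/3 had already shipped them with a wrong prefix. State in the commit message what `{baseDir}` expands to for an agent file, and consider a link check over `IR_EXAMPLES.md`, `OUTPUT_REQUIREMENTS.md` and `COMPLETENESS_CHECKLIST.md` so a broken reference is caught before the agent is told to follow it.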
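Review bot: The table rows rewritten in PATCH 3/3 (agents/spec-compliance-checker.md, @@ -59,16 +59,16 @@) tell the agent to classify items as UNDOCUMENTED CODE PATH, AMBIGUOUS or UNDOCUMENTED, but the `match_type` values listed under Phase 4 are only `full_match`, `partial_match`, `mismatch`, `missing_in_code`, `code_stronger_than_spec` and `code_weaker_than_spec`, so these labels have no defined field to go in. The "partial match" row also requires investigating "until full_match or mismatch", which leaves `partial_match` unusable as a final value. While these rows are being touched, either add the three labels to the Phase 4 list or state which field of the Alignment Record carries them.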
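Review bot: The invocation example added to SKILL.md in PATCH 3/3 (@@ -350,6 +350,8 @@) names neither the specification documents nor the code scope, although Execution step 1 of the agent is "Ask the user to identify the specification documents and codebase scope" and the paragraph just above it describes the agent as running "autonomously". Put the inputs in the example, that is, which whitepaper and which part of the codebase, or reword "autonomously" so readers expect the scoping question.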