skills/design-by-contract/SKILL.md
Design-by-Contract (DbC) development. Use when implementing with formal preconditions, postconditions, and invariants across any language.
npx skillsauth add outlinedriven/odin-codex-plugin design-by-contract
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Contracts (PRE/POST/INV) define behavioral specification -- design from requirements before code exists. Formalized as Hoare Triples: {P} C {Q} where P=precondition, C=code, Q=postcondition.
Modern insight (2025): DbC complements LLM-generated code by serving as safety guardrails -- contracts clarify intent and prevent AI from breaking integrations. Spec-driven development (2025) positions contracts as "executable specifications."
See libraries for language-specific contract tools. See examples for brief contract patterns per language.
Use compile-time verification before runtime contracts. If a property can be verified statically, do NOT add a runtime contract.
Static Assertions (compile-time) > Test/Debug Contracts > Runtime Contracts
| Property | Static | Test | Debug | Runtime |
|----------|--------|------|-------|---------|
| Type size/alignment | static_assert | - | - | - |
| Null/type safety | Type checker | - | - | - |
| Exhaustiveness | Pattern match | - | - | - |
| Expensive O(n)+ | - | test_ensures | - | - |
| Internal invariants | - | - | debug_invariant | - |
| Public API input | - | - | - | requires |
| External/untrusted | - | - | - | Always required |
ensures(result == x - y) for subtract(x, y) adds nothing

| Approach | Philosophy | When |
|----------|-----------|------|
| Defensive | Don't trust caller; always check | Unknown callers, legacy APIs, untrusted input |
| DbC | Clear contract; caller handles pre, method handles post | Internal APIs, well-scoped teams, correctness-critical |
| Hybrid | Defensive at boundary; DbC internally | Best practice for modern systems |

Operation: withdraw(amount)
Preconditions:
PRE-1: amount > 0
PRE-2: amount <= balance
PRE-3: account.status == Active
Postconditions:
POST-1: balance == old(balance) - amount
POST-2: result == amount
Invariants:
INV-1: balance >= 0
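
The withdraw(amount) contract above as runnable Python, an added example that is not part of the original skill. The names `ContractViolation`, `check`, `Account`, `Status` and `_debit`, the integer minor-unit amounts, and the rollback on a failed postcondition are assumptions; checks raise explicitly instead of using `assert`, which `python -O` strips.

```python
from dataclasses import dataclass
from enum import Enum


class ContractViolation(Exception):
    """Carries the contract id (PRE-n / POST-n / INV-n) that failed."""
    def __init__(self, contract_id: str, detail: str):
        super().__init__(f"{contract_id} violated: {detail}")
        self.contract_id = contract_id


class Status(Enum):
    ACTIVE = "active"
    FROZEN = "frozen"


def check(cond: bool, contract_id: str, detail: str) -> None:
    if not cond:
        raise ContractViolation(contract_id, detail)


@dataclass
class Account:
    balance: int  # minor units (assumption), avoids float rounding in POST-1
    status: Status = Status.ACTIVE

    def _debit(self, amount: int) -> int:
        # The code C in {P} C {Q}; kept separate so withdraw() can verify it.
        self.balance -= amount
        return amount

    def withdraw(self, amount: int) -> int:
        # Public API input: preconditions are runtime checks, never stripped.
        check(amount > 0, "PRE-1", f"amount={amount}")
        check(amount <= self.balance, "PRE-2", f"amount={amount}, balance={self.balance}")
        check(self.status is Status.ACTIVE, "PRE-3", f"status={self.status.name}")
        old_balance = self.balance  # old(balance) snapshot for POST-1
        result = self._debit(amount)
        try:
            check(self.balance == old_balance - amount, "POST-1", f"balance={self.balance}")
            check(result == amount, "POST-2", f"result={result}")
            check(self.balance >= 0, "INV-1", f"balance={self.balance}")
        except ContractViolation:
            self.balance = old_balance  # assumption: restore state before reporting
            raise
        return result
```
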

| Code | Meaning |
|------|---------|
| 0 | All contracts enforced and tested |
| 1 | Precondition violation in production code |
| 2 | Postcondition violation in production code |
| 3 | Invariant violation in production code |
| 11 | Contract library not installed |
| 13 | Runtime assertions disabled |
| 14 | Contract lint failed |