santosomar/traceability-matrix-generator
skills/requirements/traceability-matrix-generator/SKILL.md
Builds a bidirectional traceability matrix linking requirements to design elements, code, and tests — so every requirement traces forward to its implementation and every test traces back to its justification. Use for compliance audits, when answering why a piece of code exists, or when checking that nothing was built without a reason.
development
Updated Apr 13, 2026
$ install --global
skillsauthnpx skillsauth add santosomar/general-secure-coding-agent-skills traceability-matrix-generatorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 13, 2026, 4:31 AM111.3s1 file scanned
SKILL.md
- name:
- traceability-matrix-generator
- description:
- Builds a bidirectional traceability matrix linking requirements to design elements, code, and tests — so every requirement traces forward to its implementation and every test traces back to its justification. Use for compliance audits, when answering why a piece of code exists, or when checking that nothing was built without a reason.
- license:
- Apache-2.0
- category:
- requirements
- suite:
- general-secure-coding-agent-skills
- version:
- 0.3.0
- related:
- req-to-test, coverage-enhancer
Traceability Matrix Generator
Traceability answers two questions: "What implements this requirement?" (forward) and "Why does this code exist?" (backward). The matrix is the answer in table form.
The chain
Requirement ──► Design element ──► Code ──► Test
▲ │
└─────────────────────────────────────────┘
(test verifies req)
Every link is a traceable edge. Gaps are rows with empty cells.
Matrix structure
| Req ID | Requirement (brief) | Design | Code | Test | Status |
| ------ | ------------------- | ------ | ---- | ---- | ------ |
| REQ-1.1 | Rate limit: 100/min/user | RateLimiter component | middleware/ratelimit.py | test_ratelimit_100_per_min | ✓ |
| REQ-1.2 | Return 429 on limit | — | ratelimit.py:L45 | test_ratelimit_returns_429 | ✓ |
| REQ-2.1 | Audit all writes | AuditLogger | audit.py | — | ⚠ No test |
| REQ-3.4 | Support IPv6 | — | — | — | ❌ Gap |
Building it — forward trace
- Enumerate requirements. Every MUST/SHOULD with an ID. Decompose compounds — one row per atomic claim.
- For each requirement, find code. →
requirement-coverage-checkertechniques: grep for IDs, grep for domain terms, structural search. - For each code location, find tests. What tests exercise this code? Coverage tools (
pytest --cov) tell you which tests hit which lines. - Fill the matrix. One row per requirement, cells for each link in the chain.
Building it — backward trace (orphan detection)
Forward trace finds unimplemented requirements. Backward trace finds unrequired code:
- Enumerate code units (functions, endpoints, modules).
- For each: what requirement justifies this? If none — it's either:
- Implicitly required (infrastructure — logging, config loading). Fine.
- Speculatively built (YAGNI violation). Consider removing.
- Undocumented requirement. The code is right, the spec is incomplete — add the requirement.
Trace strength
| Trace type | Strength | Maintenance cost |
| ----------------------------------- | -------- | ----------------------------- |
| Explicit ID in code/test | Strong | Low — grep finds it |
| @covers("REQ-1.1") decorator | Strong | Low — machine-checkable |
| Mention in docstring | Medium | Medium — can drift |
| Structural match (inferred) | Weak | High — re-derive every audit |
For auditable systems: use explicit IDs. # REQ-1.1 in the code, @pytest.mark.req("1.1") on the test. Then the matrix is a grep, not an archaeology dig.
Worked example — generating from a tagged codebase
Convention in this codebase: tests carry @pytest.mark.req("X.Y"); code has # REQ-X.Y comments.
# middleware/ratelimit.py
# REQ-1.1, REQ-1.2
@app.middleware("http")
async def ratelimit(request, call_next):
...
# tests/test_ratelimit.py
@pytest.mark.req("1.1")
def test_ratelimit_allows_100_per_minute(): ...
@pytest.mark.req("1.2")
def test_ratelimit_returns_429_on_excess(): ...
Matrix generation (scripted):
import re, ast, pathlib
reqs = load_requirements("spec.md") # {id: text}
code_traces = {} # {req_id: [file:line, ...]}
test_traces = {} # {req_id: [test_name, ...]}
for f in pathlib.Path("src").rglob("*.py"):
for lineno, line in enumerate(f.read_text().splitlines(), 1):
for rid in re.findall(r"REQ-(\d+\.\d+)", line):
code_traces.setdefault(rid, []).append(f"{f}:{lineno}")
for f in pathlib.Path("tests").rglob("*.py"):
tree = ast.parse(f.read_text())
for node in ast.walk(tree):
if isinstance(node, ast.FunctionDef):
for dec in node.decorator_list:
# match @pytest.mark.req("X.Y")
if (isinstance(dec, ast.Call) and ast.unparse(dec.func) == "pytest.mark.req"):
rid = dec.args[0].value
test_traces.setdefault(rid, []).append(f"{f.name}::{node.name}")
# Emit matrix
for rid, text in reqs.items():
code = code_traces.get(rid, [])
tests = test_traces.get(rid, [])
status = "✓" if code and tests else ("⚠" if code else "❌")
print(f"| {rid} | {text[:40]} | {', '.join(code) or '—'} | {', '.join(tests) or '—'} | {status} |")
Mechanical, reproducible, runs in CI.
Do not
- Do not build the matrix once and let it rot. If it's not regenerated on every commit, it's fiction by month two. Script it, run it in CI.
- Do not trace to whole files.
auth.pyimplements 30 requirements — that's not a trace, that's a guess. Trace to functions or regions. - Do not count inferred traces as equal to explicit ones. If you had to read the code to figure out it implements REQ-1.1, the next auditor will too. Add the tag.
- Do not ignore backward orphans. Unrequired code is either dead (remove it) or under-specified (add the requirement). Both are actionable.
Output format
## Matrix
| Req ID | Requirement | Design | Code | Test | Status |
| ------ | ----------- | ------ | ---- | ---- | ------ |
## Gaps (forward — unimplemented)
| Req ID | Missing | Action |
| ------ | ------- | ------ |
## Orphans (backward — unjustified code)
| Code | Classification | Action |
| ---- | -------------- | ------ |
| <func> | Implicit infra | None — expected |
| <func> | Undocumented req | Add REQ-X.Y to spec |
| <func> | Speculative | Consider removal |
## Trace strength
Explicit (tagged): <N> Inferred: <M> — lower M by tagging
## Regeneration
<command to rebuild this matrix — goes in CI>
Related Skills
santosomar/verified-pseudocode-extractor
development
VerifiedTrustedCommunity
Extracts human-readable pseudocode from a verified formal artifact (Dafny, Lean, TLA+) while preserving the verified properties as annotations, so the proof-carrying logic can be reimplemented in a production language. Use when porting verified code to an unverified target, when documenting what a formal spec actually does, or when handing a verified algorithm to an implementer.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-spec-generator
development
VerifiedTrustedCommunity
Translates natural-language or pseudocode descriptions of concurrent and distributed systems into TLA+ specifications ready for the TLC model checker. Identifies state variables, actions, type invariants, safety properties, and liveness properties from the description. Use when formalizing a protocol, when the user describes a distributed algorithm to verify, when designing a consensus or locking scheme, or when starting formal verification of a concurrent system.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-model-reduction
testing
VerifiedTrustedCommunity
Reduces a TLA+ model so TLC can actually check it — shrinks constants, adds state constraints, abstracts data, or applies symmetry — when the state space is too large to enumerate. Use when TLC runs out of memory, when checking takes hours, or when a spec works at N=2 and you need confidence at larger scale.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-guided-code-repair
development
VerifiedTrustedCommunity
TLA+-specific instance of model-guided repair — reads a TLC error trace, identifies the enabling condition that should have been false, strengthens the corresponding action, and maps the fix to source code. Use when TLC reports an invariant violation or deadlock and you have the code-to-TLA+ mapping from extraction.
SKILL.mdUpdated Apr 13, 2026