specsync 2.3.0

Bidirectional spec-to-code validation — language-agnostic, blazing fast
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214

---
title: Spec Format
layout: default
nav_order: 2
---

# Spec Format
{: .no_toc }

Specs are markdown files (`*.spec.md`) with YAML frontmatter, placed in your specs directory (default: `specs/`).
{: .fs-6 .fw-300 }

<details open markdown="block">
  <summary>Table of contents</summary>
  {: .text-delta }
1. TOC
{:toc}
</details>

---

## Frontmatter

```yaml
---
module: auth
version: 3
status: stable
files:
  - src/auth/service.ts
  - src/auth/middleware.ts
db_tables:
  - users
  - sessions
depends_on:
  - specs/database/database.spec.md
---
```

### Required Fields

| Field | Type | Description |
|:------|:-----|:------------|
| `module` | `string` | Module name for display and identification |
| `version` | `number` | Increment when the spec changes |
| `status` | `enum` | `draft`, `review`, `stable`, or `deprecated` |
| `files` | `string[]` | Source files this spec covers (must be non-empty) |

### Optional Fields

| Field | Type | Description |
|:------|:-----|:------------|
| `db_tables` | `string[]` | Validated against `CREATE TABLE` statements in your `schemaDir` |
| `depends_on` | `string[]` | Paths to other spec files — validated for existence |

---

## Required Sections

Every spec must include these `## Heading` sections (configurable via `requiredSections` in `specsync.json`):

| Section | What SpecSync checks |
|:--------|:---------------------|
| `## Purpose` | Presence only |
| `## Public API` | Backtick-quoted symbols cross-referenced against code exports |
| `## Invariants` | Presence only |
| `## Behavioral Examples` | Presence only |
| `## Error Cases` | Presence only |
| `## Dependencies` | Presence only |
| `## Change Log` | Presence only |

Override the list in config:

```json
{ "requiredSections": ["Purpose", "Public API"] }
```

---

## Public API Tables

The core of what SpecSync validates. Use markdown tables with **backtick-quoted symbol names** — SpecSync extracts the first backtick-quoted identifier per row and cross-references it against code exports.

```markdown
## Public API

| Function | Parameters | Returns | Description |
|----------|-----------|---------|-------------|
| `authenticate` | `(token: string)` | `User \| null` | Validates bearer token |
```

{: .note }
> Column headers don't matter. SpecSync only reads backtick-quoted names in the first column. Structure the table however suits your team.

---

## Consumed By Section

Track reverse dependencies under `## Dependencies`. SpecSync validates that referenced files exist:

```markdown
## Dependencies

### Consumed By

| Module | Usage |
|--------|-------|
| api-gateway | Uses `authenticate()` middleware |
```

---

## Custom Templates

`specsync generate` uses `specs/_template.spec.md` if present, otherwise a built-in default. The generator auto-fills:
- `module:` — directory name
- `version:``1`
- `status:``draft`
- `files:` — discovered source files

---

## Full Example

<details markdown="block">
<summary>Complete spec file</summary>

```markdown
---
module: auth
version: 3
status: stable
files:
  - src/auth/service.ts
  - src/auth/middleware.ts
db_tables:
  - users
  - sessions
depends_on:
  - specs/database/database.spec.md
---

# Auth

## Purpose

Handles authentication and session management. Validates bearer tokens,
manages session lifecycle, provides middleware for route protection.

## Public API

### Exported Functions

| Function | Parameters | Returns | Description |
|----------|-----------|---------|-------------|
| `authenticate` | `(token: string)` | `User \| null` | Validates a token |
| `refreshSession` | `(sessionId: string)` | `Session` | Extends session TTL |

### Exported Types

| Type | Description |
|------|-------------|
| `User` | Authenticated user object |
| `Session` | Active session record |

## Invariants

1. Sessions expire after 24 hours
2. Failed auth attempts rate-limited to 5/minute
3. Tokens validated cryptographically, never by string comparison

## Behavioral Examples

### Scenario: Valid token

- **Given** a valid JWT token
- **When** `authenticate()` is called
- **Then** returns the corresponding User object

### Scenario: Expired token

- **Given** an expired JWT token
- **When** `authenticate()` is called
- **Then** returns null and logs a warning

## Error Cases

| Condition | Behavior |
|-----------|----------|
| Expired token | Returns null, logs warning |
| Malformed token | Returns null |
| DB unavailable | Throws `ServiceUnavailableError` |

## Dependencies

| Module | Usage |
|--------|-------|
| database | `query()` for user lookups |
| crypto | `verifyJwt()` for token validation |

### Consumed By

| Module | Usage |
|--------|-------|
| api-gateway | Uses `authenticate()` middleware |

## Change Log

| Date | Change |
|------|--------|
| 2026-03-18 | Initial spec |
```

</details>