mostalive/rpg-combat-pi-01
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add Allium pi.dev skills and upstream repository

Browse Source 
Install Allium skills (allium, elicit, distill, propagate, tend, weed)
from the pi-allium-port, with corrected symlinks for upstream content.

Add juxt/allium as a git submodule for language reference materials.
Allium CLI v3.0.5 is already installed via Homebrew.
This commit is contained in:
Willem van den Ende 2026-06-12 19:55:43 +01:00
parent 7c108b628b
commit 6c57136e7f
24 changed files with 1981 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored Normal file
View File

@ -0,0 +1,3 @@
[submodule "allium-main"]
path = allium-main
url = https://github.com/juxt/allium.git

312
.pi/skills/allium/SKILL.md Normal file
View File

@ -0,0 +1,312 @@
---
name: allium
description: Give your AI agents something more useful than a prompt. Velocity through clarity.
disable-model-invocation: true
license: MIT
metadata:
upstream: https://github.com/juxt/allium
version: 3
---
# Allium
Allium is a formal language for capturing software behaviour at the domain level. It sits between informal feature descriptions and implementation, providing a precise way to specify what software does without prescribing how it's built.
The name comes from the botanical family containing onions and shallots, continuing a tradition in behaviour specification tooling established by Cucumber and Gherkin.
Key principles:
- Describes observable behaviour, not implementation
- Captures domain logic that matters at the behavioural level
- Generates integration and end-to-end tests (not unit tests)
- Forces ambiguities into the open before implementation
- Implementation-agnostic: the same spec could be implemented in any language
Allium does NOT specify programming language or framework choices, database schemas or storage mechanisms, API designs or UI layouts, or internal algorithms (unless they are domain-level concerns).
## Routing table
| Task | Tool | When |
|------|------|------|
| Writing or reading `.allium` files | this skill | You need language syntax and structure |
| Building a spec through conversation | `/skill:elicit` | User describes a feature or behaviour they want to build |
| Extracting a spec from existing code | `/skill:distill` | User has implementation code and wants a spec from it |
| Modifying an existing spec | `/skill:tend` | User wants targeted changes to `.allium` files |
| Checking spec-to-code alignment | `/skill:weed` | User wants to find or fix divergences between spec and implementation |
| Generating tests from a spec | `/skill:propagate` | User wants to generate tests, PBT properties or state machine tests from a specification |
## Quick syntax summary
### Entity
```
entity Candidacy {
-- Fields
candidate: Candidate
role: Role
status: pending | active | completed | cancelled -- inline enum
retry_count: Integer
-- Relationships
invitation: Invitation with candidacy = this -- one-to-one
slots: InterviewSlot with candidacy = this -- one-to-many
-- Projections
confirmed_slots: slots where status = confirmed
pending_slots: slots where status = pending
-- Derived
is_ready: confirmed_slots.count >= 3
has_expired: invitation.expires_at <= now
}
```
### External entity
```
external entity Role { title: String, required_skills: Set<Skill>, location: Location }
```
### Value type
```
value TimeRange { start: Timestamp, end: Timestamp, duration: end - start }
```
### Sum type
A base entity declares a discriminator field whose capitalised values name the variants. Variants use the `variant` keyword.
```
entity Node {
path: Path
kind: Branch | Leaf -- discriminator field
}
variant Branch : Node {
children: List<Node?>
}
variant Leaf : Node {
data: List<Integer>
log: List<Integer>
}
```
Lowercase pipe values are enum literals (`status: pending | active`). Capitalised values are variant references (`kind: Branch | Leaf`). Type guards (`requires:` or `if` branches) narrow to a variant and unlock its fields.
### Module given
Declares the entity instances a module's rules operate on. All rules inherit these bindings. Not every module needs one: rules scoped by triggers on domain entities get their entities from the trigger. `given` is for specs where rules operate on shared instances that exist once per module scope.
```
given {
pipeline: HiringPipeline
calendar: InterviewCalendar
}
```
Imported module instances are accessed via qualified names (`scheduling/calendar`) and do not appear in the local `given` block. Distinct from surface `context`, which binds a parametric scope for a boundary contract.
### Rule
```
rule InvitationExpires {
when: invitation: Invitation.expires_at <= now
requires: invitation.status = pending
let remaining = invitation.proposed_slots where status != cancelled
ensures: invitation.status = expired
ensures:
for s in remaining:
s.status = cancelled
@guidance
-- Non-normative implementation advice.
}
```
### Trigger types
- **External stimulus**: `when: CandidateSelectsSlot(invitation, slot)` — action from outside the system
- **State transition**: `when: interview: Interview.status transitions_to scheduled` — entity changed state (transition only, not creation)
- **State becomes**: `when: interview: Interview.status becomes scheduled` — entity has this value, whether by creation or transition
- **Temporal**: `when: invitation: Invitation.expires_at <= now` — time-based condition (always add a `requires` guard against re-firing)
- **Derived condition**: `when: interview: Interview.all_feedback_in` — derived value becomes true
- **Entity creation**: `when: batch: DigestBatch.created` — fires when a new entity is created
- **Chained**: `when: AllConfirmationsResolved(candidacy)` — subscribes to a trigger emission from another rule's ensures clause
All entity-scoped triggers use explicit `var: Type` binding. Use `_` as a discard binding where the name is not needed: `when: _: Invitation.expires_at <= now`, `when: SomeEvent(_, slot)`.
### Rule-level iteration
A `for` clause applies the rule body once per element in a collection:
```
rule ProcessDigests {
when: schedule: DigestSchedule.next_run_at <= now
for user in Users where notification_setting.digest_enabled:
let settings = user.notification_setting
ensures: DigestBatch.created(user: user, ...)
}
```
### Ensures patterns
Ensures clauses have four outcome forms:
- **State changes**: `entity.field = value`
- **Entity creation**: `Entity.created(...)` — the single canonical creation verb
- **Trigger emission**: `TriggerName(params)` — emits an event for other rules to chain from
- **Entity removal**: `not exists entity` — asserts the entity no longer exists
These forms compose with `for` iteration (`for x in collection: ...`), `if`/`else` conditionals and `let` bindings.
Entity creation uses `.created()` exclusively. Domain meaning lives in entity names and rule names, not in creation verbs.
In state change assignments, the right-hand expression references pre-rule field values. Conditions within ensures blocks (`if` guards, creation parameters, trigger emission parameters) reference the resulting state.
### Surface
```
surface InterviewerDashboard {
facing viewer: Interviewer
context assignment: SlotConfirmation where interviewer = viewer
exposes:
assignment.slot.time
assignment.status
provides:
InterviewerConfirmsSlot(viewer, assignment.slot)
when assignment.status = pending
related:
InterviewDetail(assignment.slot.interview)
when assignment.slot.interview != null
}
```
Surfaces define contracts at boundaries. The `facing` clause names the external party, `context` scopes the entity. The remaining clauses use a single vocabulary regardless of whether the boundary is user-facing or code-to-code: `exposes` (visible data, supports `for` iteration over collections), `provides` (available operations with optional when-guards), `contracts:` (references module-level `contract` declarations with `demands`/`fulfils` direction markers), `@guarantee` (named prose assertions about the boundary), `@guidance` (non-normative advice), `related` (associated surfaces reachable from this one), `timeout` (references to temporal rules that apply within the surface's context).
The `facing` clause accepts either an actor type (with a corresponding `actor` declaration and `identified_by` mapping) or an entity type directly. Use actor declarations when the boundary has specific identity requirements; use entity types when any instance can interact (e.g., `facing visitor: User`). For integration surfaces where the external party is code, declare an actor type with a minimal `identified_by` expression. Actors that reference `within` in their `identified_by` expression must declare the expected context type: `within: Workspace`.
### Surface-to-implementation contract
The `exposes` block is the field-level contract: the implementation returns exactly these fields, the consumer uses exactly these fields. Do not add fields not listed. Do not omit fields that are listed.
### Contract
```allium
contract Codec {
serialize: (value: Any) -> ByteArray
deserialize: (bytes: ByteArray) -> Any
@invariant Roundtrip
-- deserialize(serialize(value)) produces a value
-- equivalent to the original for all supported types.
}
```
Contracts are module-level declarations referenced by name in surface `contracts:` clauses (`demands Codec`, `fulfils EventSubmitter`). See [Contracts](references/language-reference.md#contracts) for declaration syntax and referencing rules.
### Expressions
Navigation: `interview.candidacy.candidate.email`, `reply_to?.author` (optional), `timezone ?? "UTC"` (null coalescing). Collections: `slots.count`, `slot in invitation.slots`, `interviewers.any(i => i.can_solo)`, `for item in collection: item.status = cancelled`, `permissions + inherited` (set union), `old - new` (set difference). Comparisons: `status = pending`, `count >= 2`, `status in {confirmed, declined}`, `provider not in providers`. Boolean logic: `a and b`, `a or b`, `not a`, `a implies b`.
### Modular specs
```
use "github.com/allium-specs/google-oauth/abc123def" as oauth
```
Qualified names reference entities across specs: `oauth/Session`. Coordinates are immutable (git SHAs or content hashes). Local specs use relative paths: `use "./candidacy.allium" as candidacy`.
### Config
```
config {
invitation_expiry: Duration = 7.days
max_login_attempts: Integer = 5
extended_expiry: Duration = invitation_expiry * 2 -- expression-form default
sync_timeout: Duration = core/config.default_timeout -- config parameter reference
}
```
Rules reference config values as `config.invitation_expiry`. For default entity instances, use `default`.
### Defaults
```
default Role viewer = { name: "viewer", permissions: { "documents.read" } }
```
### Invariant
```allium
invariant NonNegativeBalance {
for account in Accounts:
account.balance >= 0
}
```
Expression-bearing invariants (`invariant Name { expression }`) assert properties over entity state. They are logical assertions, not runtime checks. Distinct from prose annotations (`@invariant Name`) in contracts, which use the `@` sigil to mark content the checker does not evaluate. See [Invariants](references/language-reference.md#invariants).
### Transition graph (v3)
```
entity Order {
status: pending | confirmed | shipped | delivered | cancelled
transitions status {
pending -> confirmed
confirmed -> shipped
shipped -> delivered
pending -> cancelled
confirmed -> cancelled
terminal: delivered, cancelled
}
}
```
### State-dependent field presence (v3)
```
entity Order {
status: pending | confirmed | shipped | delivered | cancelled
customer: Customer
total: Money
tracking_number: String when status = shipped | delivered
shipped_at: Timestamp when status = shipped | delivered
transitions status {
pending -> confirmed
confirmed -> shipped
shipped -> delivered
pending -> cancelled
confirmed -> cancelled
terminal: delivered, cancelled
}
}
```
### Deferred specs
```
deferred InterviewerMatching.suggest -- see: detailed/interviewer-matching.allium
```
### Open questions
```
open question "Admin ownership - should admins be assigned to specific roles?"
```
## Verification
When the `allium` CLI is installed, a hook validates `.allium` files automatically after every write or edit. Fix any reported issues before presenting the result. If the CLI is not available, verify against the [language reference](references/language-reference.md).
## References
- [Language reference](references/language-reference.md) — full syntax for entities, rules, expressions, surfaces, contracts, invariants and validation
- [Test generation](references/test-generation.md) — generating tests from specifications
- [Patterns](references/patterns.md) — 9 worked patterns: auth, RBAC, invitations, soft delete, notifications, usage limits, comments, library spec integration, framework integration contract

1
.pi/skills/allium/references/actioning-findings.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/actioning-findings.md

1
.pi/skills/allium/references/assessing-specs.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/assessing-specs.md

1
.pi/skills/allium/references/language-reference.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/language-reference.md

1
.pi/skills/allium/references/migration-v1-to-v2.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/migration-v1-to-v2.md

1
.pi/skills/allium/references/migration-v2-to-v3.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/migration-v2-to-v3.md

1
.pi/skills/allium/references/patterns.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/patterns.md

1
.pi/skills/allium/references/test-generation.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/test-generation.md

885
.pi/skills/distill/SKILL.md Normal file
View File

@ -0,0 +1,885 @@
---
name: distill
description: "Extract an Allium specification from an existing codebase. Use when the user has existing code and wants to distil behaviour into a spec, reverse engineer a specification from implementation, generate a spec from code, turn implementation into a behavioural specification, or document what a codebase does in Allium terms."
disable-model-invocation: true
license: MIT
metadata:
upstream: https://github.com/juxt/allium
version: 3
---
# Distillation guide
This guide covers extracting Allium specifications from existing codebases. The core challenge is the same as forward elicitation: finding the right level of abstraction. In elicitation you filter out implementation ideas as they arise. In distillation you filter out implementation details that already exist. Both require the same judgement about what matters at the domain level.
Code tells you *how* something works. A specification captures *what* it does and *why* it matters. The skill is asking "why does the stakeholder care about this?" and "could this be different while still being the same system?"
## Scoping the distillation effort
Before diving into code, establish what you are trying to specify. Not every line of code deserves a place in the spec.
### Questions to ask first
1. **"What subset of this codebase are we specifying?"**
Mono repos often contain multiple distinct systems. You may only need a spec for one service or domain. Clarify boundaries explicitly before starting.
2. **"Is there code we should deliberately exclude?"**
- **Legacy code**: features kept for backwards compatibility but not part of the core system
- **Incidental code**: supporting infrastructure that is not domain-level (logging, metrics, deployment)
- **Deprecated paths**: code scheduled for removal
- **Experimental features**: behind feature flags, not yet design decisions
3. **"Who owns this spec?"**
Different teams may own different parts of a mono repo. Each team's spec should focus on their domain.
### The "Would we rebuild this?" test
For any code path you encounter, ask: "If we rebuilt this system from scratch, would this be in the requirements?"
- Yes: include in spec
- No, it is legacy: exclude
- No, it is infrastructure: exclude
- No, it is a workaround: exclude (but note the underlying need it addresses)
### Documenting scope decisions
At the top of a distilled spec, document what is included and excluded:
```
-- allium: 3
-- interview-scheduling.allium
-- Scope: Interview scheduling flow only
-- Includes: Candidacy, Interview, InterviewSlot, Invitation, Feedback
-- Excludes:
-- - User authentication (use auth library spec)
-- - Analytics/reporting (separate spec)
-- - Legacy V1 API (deprecated, not specified)
-- - Greenhouse sync (use greenhouse library spec)
```
The version marker (`-- allium: N`) must be the first line of every `.allium` file. Use the current language version number.
## Finding the right level of abstraction
Distillation and elicitation share the same fundamental challenge: choosing what to include. The tests below work in both directions, whether you are hearing a stakeholder describe a feature or reading code that implements it.
### The "Why" test
For every detail in the code, ask: "Why does the stakeholder care about this?"
| Code detail | Why? | Include? |
|-------------|------|----------|
| Invitation expires in 7 days | Affects candidate experience | Yes |
| Token is 32 bytes URL-safe | Security implementation | No |
| Sessions stored in Redis | Performance choice | No |
| Uses PostgreSQL JSONB | Database implementation | No |
| Slot status changes to 'proposed' | Affects what candidate sees | Yes |
| Email sent when invitation accepted | Communication requirement | Yes |
If you cannot articulate why a stakeholder would care, it is probably implementation.
### The "Could it be different?" test
Ask: "Could this be implemented differently while still being the same system?"
- If yes: probably implementation detail, abstract it away
- If no: probably domain-level, include it
| Detail | Could be different? | Include? |
|--------|---------------------|----------|
| `secrets.token_urlsafe(32)` | Yes, any secure token generation | No |
| 7-day invitation expiry | No, this is the design decision | Yes |
| PostgreSQL database | Yes, any database | No |
| "Pending, Confirmed, Completed" states | No, this is the workflow | Yes |
### The "Template vs Instance" test
Is this a **category** of thing, or a **specific instance**?
| Instance (often implementation) | Template (often domain-level) |
|--------------------------------|-------------------------------|
| Google OAuth | Authentication provider |
| Slack webhook | Notification channel |
| SendGrid API | Email delivery |
| `timedelta(hours=3)` | Confirmation deadline |
Sometimes the instance IS the domain concern. See "The concrete detail problem" below.
## The distillation mindset
### Code is over-specified
Every line of code makes decisions that might not matter at the domain level:
```python
# Code tells you:
def send_invitation(candidate_id: int, slot_ids: List[int]) -> Invitation:
candidate = db.session.query(Candidate).get(candidate_id)
slots = db.session.query(InterviewSlot).filter(
InterviewSlot.id.in_(slot_ids),
InterviewSlot.status == 'confirmed'
).all()
invitation = Invitation(
candidate_id=candidate_id,
token=secrets.token_urlsafe(32),
expires_at=datetime.utcnow() + timedelta(days=7),
status='pending'
)
db.session.add(invitation)
for slot in slots:
slot.status = 'proposed'
invitation.slots.append(slot)
db.session.commit()
send_email(
to=candidate.email,
template='interview_invitation',
context={'invitation': invitation, 'slots': slots}
)
return invitation
```
```
-- Specification should say:
rule SendInvitation {
when: SendInvitation(candidacy, slots)
requires: slots.all(s => s.status = confirmed)
ensures:
for s in slots:
s.status = proposed
ensures: Invitation.created(
candidacy: candidacy,
slots: slots,
expires_at: now + 7.days,
status: pending
)
ensures: Email.created(
to: candidacy.candidate.email,
template: interview_invitation
)
}
```
What we dropped:
- `candidate_id: int` became just `candidacy`
- `db.session.query(...)` became relationship traversal
- `secrets.token_urlsafe(32)` removed entirely (token is implementation)
- `datetime.utcnow() + timedelta(...)` became `now + 7.days`
- `db.session.add/commit` implied by `created`
- `invitation.slots.append(slot)` implied by relationship
### Ask "Would a product owner care?"
For every detail in the code, ask:
| Code detail | Product owner cares? | Include? |
|-------------|---------------------|----------|
| Invitation expires in 7 days | Yes, affects candidate experience | Yes |
| Token is 32 bytes URL-safe | No, security implementation | No |
| Uses SQLAlchemy ORM | No, persistence mechanism | No |
| Email template name | Maybe, if templates are design decisions | Maybe |
| Slot status changes to 'proposed' | Yes, affects what candidate sees | Yes |
| Database transaction commits | No, implementation detail | No |
### Distinguish means from ends
**Means:** how the code achieves something.
**Ends:** what outcome the system needs.
| Means (code) | Ends (spec) |
|--------------|-------------|
| `requests.post('https://slack.com/api/...')` | `Notification.created(channel: slack)` |
| `candidate.oauth_token = google.exchange(code)` | `Candidate authenticated` |
| `redis.setex(f'session:{id}', 86400, data)` | `Session.created(expires: 24.hours)` |
| `for slot in slots: slot.status = 'cancelled'` | `for s in slots: s.status = cancelled` |
## The concrete detail problem
The hardest judgement call: when is a concrete detail part of the domain vs just implementation?
### Google OAuth example
You find this code:
```python
OAUTH_PROVIDERS = {
'google': GoogleOAuthProvider(client_id=..., client_secret=...),
}
def authenticate(provider: str, code: str) -> User:
return OAUTH_PROVIDERS[provider].authenticate(code)
```
**Question:** Is "Google OAuth" domain-level or implementation?
**It is implementation if:**
- Google is just the auth mechanism chosen
- It could be replaced with any OAuth provider
- Users do not see or care which provider
- The code is written generically (provider is a parameter)
**It is domain-level if:**
- Users explicitly choose Google (vs Microsoft, etc.)
- "Sign in with Google" is a feature
- Google-specific scopes or permissions are used
- Multiple providers are supported as a feature
**How to tell:** Look at the UI and user flows. If users see "Sign in with Google" as a choice, it is domain-level. If they just see "Sign in" and Google happens to be behind it, it is implementation.
### Database choice example
You find PostgreSQL-specific code:
```python
from sqlalchemy.dialects.postgresql import JSONB, ARRAY
class Candidate(Base):
skills = Column(ARRAY(String))
metadata = Column(JSONB)
```
**Almost always implementation.** The spec should say:
```
entity Candidate {
skills: Set<String>
metadata: String? -- or model specific fields
}
```
The specific database is rarely domain-level. Exception: if the system explicitly promises PostgreSQL compatibility or specific PostgreSQL features to users.
### Third-party integration example
You find Greenhouse ATS integration:
```python
class GreenhouseSync:
def import_candidate(self, greenhouse_id: str) -> Candidate:
data = self.client.get_candidate(greenhouse_id)
return Candidate(
name=data['name'],
email=data['email'],
greenhouse_id=greenhouse_id,
source='greenhouse'
)
```
**Could be either:**
**Implementation if:**
- Greenhouse is just where candidates happen to come from
- Could be swapped for Lever, Workable, etc.
- The integration is an implementation detail of "candidates are imported"
Spec:
```
external entity Candidate {
name: String
email: String
source: CandidateSource
}
```
**Product-level if:**
- "Greenhouse integration" is a selling point
- Users configure their Greenhouse connection
- Greenhouse-specific features are exposed (like syncing feedback back)
Spec:
```
external entity Candidate {
name: String
email: String
greenhouse_id: String? -- explicitly modeled
}
rule SyncFromGreenhouse {
when: GreenhouseWebhookReceived(candidate_data)
ensures: Candidate.created(
...
greenhouse_id: candidate_data.id
)
}
```
### The "Multiple implementations" heuristic
Look for variation in the codebase:
- If there is only one OAuth provider, probably implementation
- If there are multiple OAuth providers, probably domain-level
- If there is only one notification channel, probably implementation
- If there are Slack AND email AND SMS, probably domain-level
The presence of multiple implementations suggests the variation itself is a domain concern.
## Distillation process
### Step 1: Map the territory
Before extracting any specification, understand the codebase structure:
1. **Identify entry points.** API routes, CLI commands, message handlers, scheduled jobs.
2. **Find the domain models.** Usually in `models/`, `entities/`, `domain/`.
3. **Locate business logic.** Services, use cases, handlers.
4. **Note external integrations.** What third parties does it talk to?
Create a rough map:
```
Entry points:
- API: /api/candidates/*, /api/interviews/*, /api/invitations/*
- Webhooks: /webhooks/greenhouse, /webhooks/calendar
- Jobs: send_reminders, expire_invitations, sync_calendars
Models:
- Candidate, Interview, InterviewSlot, Invitation, Feedback
Services:
- SchedulingService, NotificationService, CalendarService
Integrations:
- Google Calendar, Slack, Greenhouse, SendGrid
```
### Step 2: Extract entity states
Look at enum fields and status columns:
```python
class Invitation(Base):
status = Column(Enum('pending', 'accepted', 'declined', 'expired'))
```
Becomes:
```
entity Invitation {
status: pending | accepted | declined | expired
}
```
Look for enum definitions, status or state columns, constants like `STATUS_PENDING = 'pending'`, and state machine libraries (e.g. `transitions`, `django-fsm`).
### Step 3: Extract transitions
Find where status changes happen:
```python
def accept_invitation(invitation_id: int, slot_id: int):
invitation = get_invitation(invitation_id)
if invitation.status != 'pending':
raise InvalidStateError()
if invitation.expires_at < datetime.utcnow():
raise ExpiredError()
slot = get_slot(slot_id)
if slot not in invitation.slots:
raise InvalidSlotError()
invitation.status = 'accepted'
slot.status = 'booked'
# Release other slots
for other_slot in invitation.slots:
if other_slot.id != slot_id:
other_slot.status = 'available'
# Create the interview
interview = Interview(
candidate_id=invitation.candidate_id,
slot_id=slot_id,
status='scheduled'
)
notify_interviewers(interview)
send_confirmation_email(invitation.candidate, interview)
```
Extract:
```
rule CandidateAcceptsInvitation {
when: CandidateAccepts(invitation, slot)
requires: invitation.status = pending
requires: invitation.expires_at > now
requires: slot in invitation.slots
ensures: invitation.status = accepted
ensures: slot.status = booked
ensures:
for s in invitation.slots:
if s != slot: s.status = available
ensures: Interview.created(
candidacy: invitation.candidacy,
slot: slot,
status: scheduled
)
ensures: Notification.created(to: slot.interviewers, ...)
ensures: Email.created(to: invitation.candidate.email, ...)
}
```
**Key extraction patterns:**
| Code pattern | Spec pattern |
|--------------|--------------|
| `if x.status != 'pending': raise` | `requires: x.status = pending` |
| `if x.expires_at < now: raise` | `requires: x.expires_at > now` |
| `if item not in collection: raise` | `requires: item in collection` |
| `x.status = 'accepted'` | `ensures: x.status = accepted` |
| `Model.create(...)` | `ensures: Model.created(...)` |
| `send_email(...)` | `ensures: Email.created(...)` |
| `notify(...)` | `ensures: Notification.created(...)` |
Assertions, checks and validations found in code (e.g. `assert balance >= 0`, class-level validators) may map to expression-bearing invariants rather than rule preconditions. Consider whether they describe a system-wide property or a rule-specific guard.
### Step 4: Find temporal triggers
Look for scheduled jobs and time-based logic:
```python
# In celery tasks or cron jobs
@app.task
def expire_invitations():
expired = Invitation.query.filter(
Invitation.status == 'pending',
Invitation.expires_at < datetime.utcnow()
).all()
for invitation in expired:
invitation.status = 'expired'
for slot in invitation.slots:
slot.status = 'available'
notify_candidate_expired(invitation)
@app.task
def send_reminders():
upcoming = Interview.query.filter(
Interview.status == 'scheduled',
Interview.slot.time.between(
datetime.utcnow() + timedelta(hours=1),
datetime.utcnow() + timedelta(hours=2)
)
).all()
for interview in upcoming:
send_reminder_notification(interview)
```
Extract:
```
rule InvitationExpires {
when: invitation: Invitation.expires_at <= now
requires: invitation.status = pending
ensures: invitation.status = expired
ensures:
for s in invitation.slots:
s.status = available
ensures: CandidateInformed(candidate: invitation.candidate, about: invitation_expired)
}
rule InterviewReminder {
when: interview: Interview.slot.time - 1.hour <= now
requires: interview.status = scheduled
ensures: Notification.created(to: interview.interviewers, template: reminder)
}
```
### Step 5: Identify external boundaries
Look for third-party API calls, webhook handlers, import/export functions, and data that is read but never written (or vice versa).
These often indicate external entities:
```python
# Candidate data comes from Greenhouse, we don't create it
def import_from_greenhouse(webhook_data):
candidate = Candidate.query.filter_by(
greenhouse_id=webhook_data['id']
).first()
if not candidate:
candidate = Candidate(greenhouse_id=webhook_data['id'])
candidate.name = webhook_data['name']
candidate.email = webhook_data['email']
```
Suggests:
```
external entity Candidate {
name: String
email: String
}
```
When repeated interface patterns appear across service boundaries (e.g. the same serialisation contract expected by multiple consumers), these suggest `contract` declarations for reuse rather than duplicated inline obligation blocks.
### Step 6: Abstract away implementation
Now make a pass through your extracted spec and remove implementation details.
**Before (too concrete):**
```
entity Invitation {
candidate_id: Integer
token: String(32)
created_at: DateTime
expires_at: DateTime
status: pending | accepted | declined | expired
}
```
**After (domain-level):**
```
entity Invitation {
candidacy: Candidacy
created_at: Timestamp
expires_at: Timestamp
status: pending | accepted | declined | expired
is_expired: expires_at <= now
}
```
Changes:
- `candidate_id: Integer` became `candidacy: Candidacy` (relationship, not FK)
- `token: String(32)` removed (implementation)
- `DateTime` became `Timestamp` (domain type)
- Added derived `is_expired` for clarity
Config values that derive from other config values (e.g. `extended_timeout = base_timeout * 2`) should use qualified references or expression-form defaults in the config block rather than independent literal values.
### Step 7: Validate with stakeholders
The extracted spec is a hypothesis. Validate it:
1. **Show the spec to the original developers.** "Is this what the system does?"
2. **Show to stakeholders.** "Is this what the system should do?"
3. **Look for gaps.** Code often has bugs or missing features; the spec might reveal them.
Common findings:
- "Oh, that retry logic was a hack, we should remove it"
- "Actually we wanted X but never built it"
- "These two code paths should be the same but aren't"
## Recognising library spec candidates
During distillation, stay alert for code that implements **generic integration patterns** rather than application-specific logic. These belong in library specs, not your main specification.
The same principle applies in elicitation. When a stakeholder describes "we use Google for login" or "payments go through Stripe", pause and consider whether this is a library spec.
### Signals in the code
**Third-party integration modules:**
```python
# Finding code like this suggests a library spec
class StripeWebhookHandler:
def handle_invoice_paid(self, event):
...
def handle_subscription_cancelled(self, event):
...
class GoogleOAuthProvider:
def exchange_code(self, code):
...
def refresh_token(self, refresh_token):
...
```
**Generic patterns with specific providers:**
- OAuth flows (Google, Microsoft, GitHub)
- Payment processing (Stripe, PayPal)
- Email delivery (SendGrid, Postmark, SES)
- Calendar sync (Google Calendar, Outlook)
- ATS integrations (Greenhouse, Lever)
- File storage (S3, GCS)
**Configuration-driven integrations:**
```python
# Heavy configuration suggests the integration itself is separable
OAUTH_CONFIG = {
'google': {'client_id': ..., 'scopes': ...},
'microsoft': {'client_id': ..., 'scopes': ...},
}
```
### Questions to ask
1. **"Is this integration logic, or application logic?"**
Integration: how to talk to Stripe.
Application: what to do when payment succeeds.
2. **"Would another application integrate the same way?"**
If yes, library spec candidate. If no, probably application-specific.
3. **"Does the code separate integration from application concerns?"**
If cleanly separated, easy to extract to library spec. If tangled, might need refactoring first (but the spec should still separate them).
### How to handle
**Option 1: Reference an existing library spec**
If a standard library spec exists for this integration:
```
use "github.com/allium-specs/stripe-billing/abc123" as stripe
-- Application responds to Stripe events
rule ActivateSubscription {
when: stripe/PaymentSucceeded(invoice)
...
}
```
**Option 2: Create a separate library spec**
If no standard spec exists but the integration is generic:
```
-- greenhouse-ats.allium (library spec)
-- Specifies: Greenhouse webhook events, candidate sync, etc.
-- interview-scheduling.allium (application spec)
use "./greenhouse-ats.allium" as greenhouse
rule ImportCandidate {
when: greenhouse/CandidateCreated(data)
ensures: Candidacy.created(...)
}
```
**Option 3: Abstract and move on**
If the integration is minor, just abstract it:
```
-- Don't specify Slack details, just:
ensures: Notification.created(
to: interviewers,
channel: slack
)
```
### Red flags: integration logic in your spec
If you find yourself writing spec like this, stop and reconsider:
```
-- TOO DETAILED - this is Stripe's domain, not yours
rule ProcessStripeWebhook {
when: WebhookReceived(payload, signature)
requires: verify_stripe_signature(payload, signature)
let event = parse_stripe_event(payload)
if event.type = "invoice.paid":
...
}
```
Instead:
```
-- Application responds to payment events (integration handled elsewhere)
rule PaymentReceived {
when: stripe/InvoicePaid(invoice)
...
}
```
### Common library spec extractions
| Code pattern found | Library spec candidate |
|-------------------|----------------------|
| OAuth token exchange, refresh, session management | `oauth2.allium` |
| Stripe webhook handling, subscription lifecycle | `stripe-billing.allium` |
| Email sending with templates, bounce handling | `email-delivery.allium` |
| Calendar event sync, availability checking | `calendar-integration.allium` |
| ATS candidate import, status sync | `greenhouse-ats.allium`, `lever-ats.allium` |
| File upload, virus scanning, thumbnail generation | `file-storage.allium` |
See patterns.md Pattern 8 for detailed examples of integrating library specs.
## Common distillation challenges
### Challenge: Duplicate terminology
When you find two terms for the same concept (across specs, within a spec, or between spec and code) treat it as a blocking problem.
```
-- BAD: Acknowledges duplication without resolving it
-- Order vs Purchase
-- checkout.allium uses "Purchase" - these are equivalent concepts.
```
This is not a resolution. When different parts of a codebase are built against different specs, both terms end up in the implementation: duplicate models, redundant join tables, foreign keys pointing both ways.
**What to do:**
- Choose one term. Cross-reference related specs before deciding.
- Update all references. Do not leave the old term in comments or "see also" notes.
- Note the rename in a changelog, not in the spec itself.
**Warning signs in code:**
- Two models representing the same concept (`Order` and `Purchase`)
- Join tables for both (`order_items`, `purchase_items`)
- Comments like "equivalent to X" or "same as Y"
The spec you extract must pick one term. Flag the other as technical debt to remove.
### Challenge: Implicit state machines
Code often has implicit states that are not modelled:
```python
# No explicit status field, but there's a state machine hiding here
class FeedbackRequest:
interview_id = Column(Integer)
interviewer_id = Column(Integer)
requested_at = Column(DateTime)
reminded_at = Column(DateTime, nullable=True)
feedback_id = Column(Integer, nullable=True) # FK to Feedback if submitted
```
The implicit states are:
- `pending`: requested_at set, feedback_id null, reminded_at null
- `reminded`: reminded_at set, feedback_id null
- `submitted`: feedback_id set
Extract to explicit:
```
entity FeedbackRequest {
interview: Interview
interviewer: Interviewer
requested_at: Timestamp
reminded_at: Timestamp?
status: pending | reminded | submitted
}
```
### Challenge: Scattered logic
The same conceptual rule might be spread across multiple places:
```python
# In API handler
def accept_invitation(request):
if invitation.status != 'pending':
return error(400, "Already responded")
...
# In model
class Invitation:
def can_accept(self):
return self.expires_at > datetime.utcnow()
# In service
def process_acceptance(invitation, slot):
if slot not in invitation.slots:
raise InvalidSlot()
...
```
Consolidate into one rule:
```
rule CandidateAccepts {
when: CandidateAccepts(invitation, slot)
requires: invitation.status = pending
requires: invitation.expires_at > now
requires: slot in invitation.slots
...
}
```
### Challenge: Dead code and historical accidents
Codebases accumulate features that were built but never used, workarounds for bugs that are now fixed, and code paths that are never executed.
Do not include these in the spec. If you are unsure:
1. Check if the code is actually reachable
2. Ask developers if it is intentional
3. Check git history for context
### Challenge: Missing error handling
Code might silently fail or have incomplete error handling:
```python
def send_notification(user, message):
try:
slack.send(user.slack_id, message)
except SlackError:
pass # Silently ignore failures
```
The spec should capture the intended behaviour, not the bug:
```
ensures: Notification.created(to: user, channel: slack)
```
Whether the current implementation properly handles failures is separate from what the system should do.
### Challenge: Over-engineered abstractions
Enterprise codebases often have abstraction layers that obscure intent:
```java
public interface NotificationStrategy {
void notify(NotificationContext context);
}
public class SlackNotificationStrategy implements NotificationStrategy {
@Override
public void notify(NotificationContext context) {
// Actual Slack call buried 5 levels deep
}
}
```
Cut through to the actual behaviour. The spec does not need strategy patterns, dependency injection or abstract factories. Just: `ensures: Notification.created(channel: slack, ...)`
## Checklist: Have you abstracted enough?
Before finalising a distilled spec:
- [ ] No database column types (Integer, VARCHAR, etc.)
- [ ] No ORM or query syntax
- [ ] No HTTP status codes or API paths
- [ ] No framework-specific concepts (middleware, decorators, etc.)
- [ ] No programming language types (int, str, List, etc.)
- [ ] No variable names from the code (use domain terms)
- [ ] No infrastructure (Redis, Kafka, S3, etc.)
- [ ] Foreign keys replaced with relationships
- [ ] Tokens/secrets removed (implementation of identity)
- [ ] Timestamps use domain Duration, not timedelta/seconds
If any remain, ask: "Would a stakeholder include this in a requirements doc?"
## Checklist: Terminology consistency
- [ ] Each concept has exactly one name throughout the spec
- [ ] No "also known as" or "equivalent to" comments
- [ ] Cross-referenced related specs for conflicting terms
- [ ] Duplicate models in code flagged as technical debt to remove
## After distillation
The extracted spec is a starting point. For targeted changes as requirements evolve, use /skill:tend. For checking ongoing alignment between the spec and implementation, use /skill:weed.
## Verification
After writing any `.allium` file, run `allium check <file>` if the CLI is available. Fix any reported issues before presenting the result.
## Syntax rules
Before writing any `.allium` file, read `../../allium/references/allium-rules.md` for syntax gotchas, naming conventions and anti-patterns. This covers common model mistakes (e.g. `with` vs `where`, `transitions_to` vs `becomes`, capitalised vs lowercase pipe values) that the language reference does not emphasise.
## References
- [Language reference](references/language-reference.md), full Allium syntax
- [Worked examples](references/worked-examples.md), complete code-to-spec examples in Python, TypeScript and Java
- [Allium rules](../../allium/references/allium-rules.md), syntax gotchas and anti-patterns

1
.pi/skills/distill/references/language-reference.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/language-reference.md

1
.pi/skills/distill/references/worked-examples.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/distill/references/worked-examples.md

357
.pi/skills/elicit/SKILL.md Normal file
View File

@ -0,0 +1,357 @@
---
name: elicit
description: "Run a structured discovery session to build an Allium specification through conversation. Use when the user wants to create a new spec from scratch, elicit or gather requirements, capture domain behaviour, specify a feature or system, define what a system should do, or is describing functionality and needs help shaping it into a specification."
disable-model-invocation: true
license: MIT
metadata:
upstream: https://github.com/juxt/allium
version: 3
---
# Elicitation
This skill guides you through building Allium specifications by conversation. The goal is to surface ambiguities and produce a specification that captures what the software does without prescribing implementation.
The same principles apply to distillation. Whether you are hearing a stakeholder describe a feature or reading code that implements it, the challenge is identical: finding the right level of abstraction.
## Scoping the specification
Before diving into details, establish what you are specifying. Not everything needs to be in one spec.
### Questions to ask first
**"What's the boundary of this specification?"** A complete system? A single feature area? One service in a larger system? Be explicit about what is in and out of scope.
**"Are there areas we should deliberately exclude?"** Third-party integrations might be library specs. Legacy features might not be worth specifying. Some features might belong in separate specs.
**"Is this a new system or does code already exist?"** If code exists, you are doing distillation with elicitation. Existing code constrains what is realistic to specify.
### Documenting scope decisions
Capture scope at the start of every spec:
```
-- allium: 3
-- interview-scheduling.allium
-- Scope: Interview scheduling for the hiring pipeline
-- Includes: Candidacy, Interview, Slot management, Invitations, Feedback
-- Excludes:
-- - Authentication (use oauth library spec)
-- - Payments (not applicable)
-- - Reporting dashboards (separate spec)
-- Dependencies: User entity defined in core.allium
```
The version marker (`-- allium: N`) must be the first line of every `.allium` file. Use the current language version number.
## Finding the right level of abstraction
The hardest part of specification is choosing what to include and what to leave out. Too concrete and you are specifying implementation. Too abstract and you are not saying anything useful.
### The "Why" test
For every detail, ask: "Why does the stakeholder care about this?"
| Detail | Why? | Include? |
|--------|------|----------|
| "Users log in with Google OAuth" | They need to authenticate | Maybe not, "Users authenticate" might be sufficient |
| "We support Google and Microsoft OAuth" | Users choose their provider | Yes, the choice is domain-level |
| "Sessions expire after 24 hours" | Security/UX decision | Yes, affects user experience |
| "Sessions are stored in Redis" | Performance | No, implementation detail |
| "Passwords must be 12+ characters" | Security policy | Yes, affects users |
| "Passwords are hashed with bcrypt" | Security implementation | No, how not what |
### The "Could it be different?" test
Ask: "Could this be implemented differently while still being the same system?"
- If yes, it is probably an implementation detail. Abstract it away.
- If no, it is probably domain-level. Include it.
Examples:
- "Notifications sent via Slack". Could be email, SMS, etc. Abstract to `Notification.created(channel: ...)`.
- "Interviewers must confirm within 3 hours". This specific deadline matters at the domain level. Include the duration.
- "We use PostgreSQL". Could be any database. Do not include.
- "Data is retained for 7 years for compliance". Regulatory requirement. Include.
### The "Template vs Instance" test
Is this a category of thing, or a specific instance?
| Instance (implementation) | Template (domain-level) |
|---------------------------|-------------------------|
| Google OAuth | Authentication provider |
| Slack | Notification channel |
| 15 minutes | Link expiry duration (configurable) |
| Greenhouse ATS | External candidate source |
Sometimes the instance IS the domain concern. "We specifically integrate with Salesforce" might be a competitive feature. "We support exactly these three OAuth providers" might be design scope.
When in doubt, ask the stakeholder: "If we changed this, would it be a different system or just a different implementation?"
### Levels of abstraction
```
Too abstract: "Users can do things"
|
Product level: "Candidates can accept or decline interview invitations"
|
Too concrete: "Candidates click a button that POST to /api/invitations/:id/accept"
```
**Signs you are too abstract.** The spec could describe almost any system. No testable assertions. Product owner says "but that doesn't capture..."
**Signs you are too concrete.** You are mentioning technologies, frameworks or APIs. You are describing UI elements (buttons, pages, forms). The implementation team says "why are you dictating how we build this?"
### Configuration vs hardcoding
When you encounter a specific value (3 hours, 7 days, etc.), ask:
1. **Is this value a design decision?** Include it.
2. **Might it vary per deployment or customer?** Make it configurable.
3. **Is it arbitrary?** Consider whether to include it at all.
```
-- Hardcoded design decision
rule InvitationExpires {
when: invitation: Invitation.created_at + 7.days <= now
...
}
-- Configurable
config {
invitation_expiry: Duration = 7.days
}
rule InvitationExpires {
when: invitation: Invitation.created_at + config.invitation_expiry <= now
...
}
```
### Black boxes
Some logic is important but belongs at a different level:
```
-- Black box: we know it exists and what it considers, but not how
ensures: Suggestion.created(
interviewers: InterviewerMatching.suggest(
considering: {
role.required_skills,
Interviewer.skills,
Interviewer.availability,
Interviewer.recent_load
}
)
)
```
The spec says there is a matching algorithm, that it considers these inputs and that it produces interviewer suggestions. The spec does not say how matching works, what weights are used or the specific algorithm.
This is the right level when the algorithm is complex and evolving, when product owners care about inputs and outputs rather than internals, and when a separate detailed spec could cover it if needed.
## Elicitation methodology
### Phase 1: Scope definition
**Goal:** Understand what we are specifying and where the boundaries are.
Questions to ask:
1. "What is this system fundamentally about? In one sentence?"
2. "Where does this system start and end? What's in scope vs out?"
3. "Who are the users? Are there different roles?"
4. "What are the main things being managed, the nouns?"
5. "Are there existing systems this integrates with? What do they handle?"
**Outputs:** List of actors and roles. List of core entities. Boundary decisions (what is external). One-sentence description.
**Watch for:** Scope creep ("and it also does X, Y, Z", gently refocus). Assumed knowledge ("obviously it handles auth", make explicit).
### Phase 2: Happy path flow
**Goal:** Trace the main journey from start to finish.
Questions to ask:
1. "Walk me through a typical [X] from start to finish"
2. "What happens first? Then what?"
3. "What triggers this? A user action? Time passing? Something else?"
4. "What changes when that happens? What state is different?"
5. "Who needs to know when this happens? How?"
**Technique:** Follow one entity through its lifecycle.
```
Candidacy:
pending_scheduling -> scheduling_in_progress -> scheduled ->
interview_complete -> feedback_collected -> decided
```
**Outputs:** State machines for key entities. Main triggers and their outcomes. Communication touchpoints.
**Watch for:** Jumping to edge cases too early ("but what if...", note it and stay on happy path). Implementation details creeping in ("the API endpoint...", redirect to outcomes).
### Phase 3: Edge cases and errors
**Goal:** Discover what can go wrong and how the system handles it.
Questions to ask:
1. "What if [actor] doesn't respond?"
2. "What if [condition] isn't met when they try?"
3. "What if this happens twice? Or in the wrong order?"
4. "How long should we wait before [action]?"
5. "When should a human be alerted to intervene?"
6. "What if [external system] is unavailable?"
**Technique:** For each rule, ask "what are all the ways requires could fail?"
**Outputs:** Timeout and deadline rules. Retry and escalation logic. Error states. Recovery paths.
**Watch for:** Infinite loops ("then it retries, then retries again...", need terminal states). Missing escalation, because eventually a human needs to know.
When stakeholders state system-wide properties ("balance never goes negative", "no two interviews overlap for the same candidate"), these are candidates for top-level invariants. Capture them as `invariant Name { expression }` declarations.
### Phase 4: Refinement
**Goal:** Clean up the specification and identify gaps.
Questions to ask:
1. "Looking at [entity], are these states complete? Can it be in any other state?"
2. "Is there anything we haven't covered?"
3. "This rule references [X], do we need to define that, or is it external?"
4. "Is this detail essential here, or should it live in a detailed spec?"
**Technique:** Read back the spec and ask "does this match your mental model?"
**Outputs:** Complete entity definitions. Open questions documented. Deferred specifications identified. External boundaries confirmed.
When the same obligation pattern (e.g. a serialisation contract, a deterministic evaluation requirement) appears across multiple surfaces, suggest extracting it as a `contract` declaration for reuse.
## Elicitation principles
### Ask one question at a time
Bad: "What entities do you have, and what states can they be in, and who can modify them?"
Good: "What are the main things this system manages?"
Then: "Let's take [Candidacy]. What states can it be in?"
Then: "Who can change a candidacy's state?"
### Work through implications
When a choice arises, do not just accept the first answer. Explore consequences.
"You said invitations expire after 48 hours. What happens then?"
"And if the candidate still hasn't responded after we retry?"
"What if they never respond, is this candidacy stuck forever?"
This surfaces decisions they have not made yet.
### Distinguish product from implementation
When you hear implementation language, redirect:
| They say | You redirect |
|----------|-------------|
| "The API returns a 404" | "So the user is informed it's not found?" |
| "We store it in Postgres" | "What information is captured?" |
| "The frontend shows a modal" | "The user is prompted to confirm?" |
| "We use a cron job" | "This happens on a schedule, how often?" |
### Surface ambiguity explicitly
Better to record an open question than assume.
"I'm not sure whether declining should return the candidate to the pool or remove them entirely. Let me note that as an open question."
```
open question "When candidate declines, do they return to pool or exit?"
```
### Use concrete examples
Abstract discussions get stuck. Ground them.
"Let's say Alice is a candidate for the Senior Engineer role. She's been sent an invitation with three slots. Walk me through what happens when she clicks on Tuesday 2pm."
### Iterate willingly
It is normal to revise earlier decisions.
"Earlier we said all admins see all notifications. But now you're describing role-specific dashboards. Should we revisit that?"
### Know when to stop
Not everything needs to be specified now.
"This is getting into how the matching algorithm works. Should we defer that to a detailed spec?"
"We've covered the main flow. The reporting dashboard sounds like a separate specification."
## Common elicitation traps
### The "Obviously" trap
When someone says "obviously" or "of course", probe. "You said obviously the admin approves. Is there ever a case where they don't need to? Could this be automated later?"
### The "Edge Case Spiral" trap
Some people want to cover every edge case immediately. "Let's capture that as an open question and stay on the main flow for now. We'll come back to edge cases."
### The "Technical Solution" trap
Engineers especially jump to solutions. "I hear you saying we need real-time updates. At the domain level, what does the user need to see and when?"
### The "Vague Agreement" trap
Do not accept "yes" without specifics. "You said yes, candidates can reschedule. How many times? Is there a limit? What happens after that?"
### The "Missing Actor" trap
Watch for actions without clear actors. "You said 'the slots are released'. Who or what releases them? Is it automatic, or does someone trigger it?"
### The "Equivalent Terms" trap
When you hear two terms for the same concept, from different stakeholders, existing code or related specs, stop and resolve it before continuing.
"You said 'Purchase' but earlier we called this an 'Order'. Which term should we use?"
A comment noting that two terms are equivalent is not a resolution. It guarantees both will appear in the implementation. Pick one term, cross-reference related specs and update all references. Do not leave the old term anywhere, not even in "see also" notes.
## Elicitation session structure
**Opening (5 min).** Explain Allium briefly: "We're capturing what the software does, not how it's built." Set expectations: "I'll ask lots of questions, some obvious-seeming." Agree on scope for this session.
**Scope definition (10-15 min).** Identify actors, entities, boundaries. Get the one-sentence description.
**Happy path (20-30 min).** Trace main flow start to finish. Capture states, triggers, outcomes. Note communications.
**Edge cases (15-20 min).** Timeouts and deadlines. Failure modes. Escalation paths.
**Wrap-up (5-10 min).** Read back key decisions. List open questions. Identify next session scope if needed.
**After session.** Write up specification draft. Send for review. Note questions for next session.
## After elicitation
For targeted changes where you already know what you want, use /skill:tend. For substantial additions that need structured discovery (new feature areas, complex entity relationships, unclear requirements), elicit is still the right tool even if a spec already exists. Checking alignment between specs and implementation belongs to /skill:weed.
## Verification
After writing any `.allium` file, run `allium check <file>` if the CLI is available. Fix any reported issues before presenting the result.
## Syntax rules
Before writing any `.allium` file, read `../../allium/references/allium-rules.md` for syntax gotchas, naming conventions and anti-patterns. This covers common model mistakes (e.g. `with` vs `where`, `transitions_to` vs `becomes`, capitalised vs lowercase pipe values) that the language reference does not emphasise.
## References
- [Language reference](references/language-reference.md), full Allium syntax
- [Recognising library spec opportunities](references/library-spec-signals.md), signals, questions and decision framework for identifying library specs during elicitation
- [Allium rules](../../allium/references/allium-rules.md), syntax gotchas and anti-patterns

1
.pi/skills/elicit/references/language-reference.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/language-reference.md

1
.pi/skills/elicit/references/library-spec-signals.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/elicit/references/library-spec-signals.md

218
.pi/skills/propagate/SKILL.md Normal file
View File

@ -0,0 +1,218 @@
---
name: propagate
description: "Generate tests from Allium specifications. Use when the user wants to propagate tests, generate test files from a spec, write tests for a specification, create property-based tests, produce state machine tests, check test coverage against spec obligations, or understand what tests a specification requires."
disable-model-invocation: true
license: MIT
metadata:
upstream: https://github.com/juxt/allium
version: 3
---
# Propagation
This skill generates tests from Allium specifications. Propagation is how plants reproduce from cuttings of the parent: the spec is the parent, the tests are the offspring.
Deterministic tools guarantee completeness (every spec construct maps to a test obligation). You handle the implementation bridge: correlating spec constructs with code, generating tests in the project's conventions.
## Prerequisites
Before propagating tests, you need:
1. **An Allium spec** — the `.allium` file describing the system's behaviour
2. **A target codebase** — the implementation to test
3. **Test obligations** — from `allium plan <spec>` (JSON listing every required test)
4. **Domain model** — from `allium model <spec>` (JSON describing entity shapes, constraints, state machines)
If the CLI tools are not available, derive test obligations manually from the spec using the test-generation taxonomy in `references/test-generation.md`.
## Modes
### Surface mode
Generates boundary tests from surface declarations. Use when the user wants to test an API, UI contract or integration boundary.
For each surface in the spec:
1. **Exposure tests** — verify each item in `exposes` is accessible to the specified actor, including `for` iteration over collections
2. **Provides tests** — verify operations appear when their `when` conditions are true and are hidden otherwise, including when the corresponding rule's `requires` clauses are not met
3. **Actor restriction tests** — verify the surface is not accessible to other actor types
4. **Actor identification tests** — verify only entities matching the actor's `identified_by` predicate can interact; for actors with `within`, verify interaction is scoped to the declared context
5. **Context scoping tests** — verify the surface instance is absent when no entity matches the `context` predicate
6. **Contract obligation tests** — verify `demands` are satisfied by the counterpart, `fulfils` are supplied by this surface, including all typed signatures
7. **Guarantee tests** — verify `@guarantee` annotations hold across the boundary
8. **Timeout tests** — verify referenced temporal rules fire within the surface's context
9. **Related navigation tests** — verify navigation to related surfaces resolves to the correct context entity
### Spec mode
Walks the full test obligations document. Use when the user wants comprehensive test coverage for the entire specification.
Categories from the test-generation taxonomy:
- **Entity and value type tests** — fields, types, optional (`?`) null handling, `when`-clause state-dependent presence, relationships, join lookups, equality
- **Enum tests** — comparability across named enums, membership tests, inline enum isolation
- **Sum type tests** — variant fields, type guards, exhaustiveness, creation via variant name, base `.created` trigger narrowing
- **Derived value and projection tests** — computation, filtering, `-> field` extraction, parameterised derived values, `now` volatility, collection operations
- **Default instance tests** — unconditional existence, field values, cross-references between defaults
- **Config tests** — defaults, overrides, mandatory parameters, expression-form defaults, qualified references, config chains
- **Invariant tests** — post-rule verification, edge cases, implication logic, entity-level invariants
- **Rule tests** — success/failure/edge cases, conditionals (ensuring `if` guards read resulting state), entity creation, removal, bulk updates, rule-level `for` iteration, `let` bindings, chained triggers
- **State transition tests** — valid/invalid transitions, terminal states, `transitions_to` vs `becomes` semantics
- **Temporal tests** — deadline boundaries, re-firing prevention, optional field null behaviour
- **Surface tests** — exposure, availability, actor identification with `within` scoping, context scoping, related navigation
- **Contract tests** — signature satisfaction, `@invariant` honouring, `demands`/`fulfils` direction
- **Cross-module tests** — qualified entity references, external trigger responses, type placeholder substitution
- **Cross-rule interaction tests** — duplicate creation guards, provides availability
- **Transition graph tests** — every declared edge is reachable via its witnessing rule, undeclared transitions are rejected, terminal states have no outbound rules, non-terminal states have at least one exit, exact correspondence between enum values and graph edges
- **State-dependent field tests** — presence when in qualifying state, absence when outside, presence obligations on entering the `when` set, absence obligations on leaving, no obligation when moving within or outside, convergent transitions all set the field, guard required to access `when`-qualified fields, derived value `when` inference via input intersection
- **Scenario tests** — happy path, edge cases, order independence
## Test output kinds
### 1. Assertion-based tests
For deterministic obligations: field presence, enum membership, transition validity, surface exposure, state-dependent field presence and absence. These are standard unit/integration tests.
### 2. Property-based tests
For invariants and rule properties. Each expression-bearing invariant becomes a PBT property:
- Generate a valid entity state using the generator spec
- Apply a sequence of rules (following the transition graph when declared, or deriving valid sequences from rules alone)
- Check the invariant holds at every step
Use the project's PBT framework:
| Language | Framework | Discovery |
|----------|-----------|-----------|
| TypeScript | fast-check | `package.json` |
| Python | Hypothesis | `pyproject.toml` |
| Rust | proptest | `Cargo.toml` |
| Go | rapid | `go.mod` |
| Elixir | StreamData | `mix.exs` |
Fall back to assertion-based tests if no PBT framework is present.
### 3. State machine tests
For entities with status enums. When a transition graph is declared, walk every path through the graph. When no graph is declared, derive valid transitions from rules.
- Verify transitions succeed via witnessing rules
- Verify rejected transitions fail
- Verify state-dependent fields are present or absent at each state per their `when` clauses
- Verify invariants hold at each state
State machine tests require an **action map**: a function per transition edge that takes the entity in the source state and produces it in the target state by calling the actual implementation code. Without this map, the test framework can describe valid paths through the graph but cannot execute them.
To build the action map:
1. For each edge in the transition graph, find the witnessing rule in the spec
2. Find the code implementing that rule (the implementation bridge)
3. Write a test action that sets up the preconditions (`requires` clauses), invokes the code, and returns the entity in the target state
4. Register the action under the `(from_state, to_state)` key
Once the map is built, the PBT framework can walk random valid paths: start at any non-terminal state, pick a random outbound edge, apply its action, check all entity-level invariants, repeat. The path length and starting state are generated randomly. This is the fullest expression of the spec's transition graph as a test.
## The implementation bridge
You correlate spec constructs with implementation code, the same way the weed skill correlates for divergence checking.
### For surface tests
Map surfaces to their implementation:
- API surfaces map to endpoints (REST routes, GraphQL resolvers, gRPC services)
- UI surfaces map to components or pages
- Integration surfaces map to message handlers or SDK methods
Discover the mapping by reading the codebase. Look for naming patterns, route definitions and handler registrations.
### For internal tests
For each rule in the spec:
1. Find the code implementing the rule (service method, event handler, state machine transition)
2. Determine how to instantiate the entities involved (factories, builders, fixtures)
3. Determine how to invoke the rule (API call, method call, event dispatch)
4. Determine how to assert postconditions (database queries, return values, event assertions)
### For temporal tests
Temporal triggers (deadline-based rules) need a controllable time source in the test. If the implementation uses wall-clock time (`Instant.now()`, `System.currentTimeMillis()`), the test cannot reliably position itself before, at or after a deadline.
Before attempting temporal tests, check whether the component accepts an injected clock or time parameter. Common patterns: a `Clock` parameter on the constructor, an epoch-millisecond argument on the method, a `TimeProvider` interface. If the seam exists, inject a controllable time source. If it does not, flag this as a test infrastructure gap: the temporal tests cannot be generated until the component supports time injection. Do not attempt to test temporal behaviour by sleeping or racing against wall-clock time.
### For cross-module trigger chains
When a rule emits a trigger that another spec's rule receives (e.g. the Arbiter emits `ClerkReceivesEvent`, the Clerk handles it), testing the chain requires multiple components wired together.
Before generating cross-module tests:
1. Trace the trigger emission graph from the plan output: which rules emit triggers, and which rules in other specs receive them
2. Check whether the codebase has an existing integration test fixture that wires the participating components (a pipeline test, an end-to-end test helper, a test harness class)
3. If a fixture exists, reuse it. Cross-module tests should compose existing wiring, not rebuild it
4. If no fixture exists, generate only the test skeleton with TODOs marking where component wiring is needed
Cross-module tests are integration tests by nature. They verify that the spec's trigger chains are faithfully implemented across component boundaries, but the setup cost is high. Prioritise them after single-component tests are passing.
### Reusing existing tests
When exploring the codebase, note which spec obligations are already covered by existing tests. An existing integration test that exercises the happy path from event submission through to acknowledged output already covers multiple `rule_success` obligations and the end-to-end scenario.
When an existing test covers a spec obligation, reference it rather than generating a duplicate. The propagate skill's value at the integration level is verifying that coverage is complete against the spec's obligation list, identifying gaps, and generating tests to fill them. Replacing working hand-written tests with generated equivalents adds no value.
### For deferred specs
Deferred specifications are fully specified in separate files. When the target codebase doesn't include the deferred spec's module, generate a test stub with a placeholder:
```typescript
// TODO: deferred spec — InterviewerMatching.suggest
// This behaviour is specified as deferred. Provide a mock or skip.
```
## Process
1. **Read the spec** — understand entities, rules, surfaces, invariants, transition graphs, state-dependent fields, contracts, config, defaults
2. **Read test obligations** — from `allium plan` output or manual derivation
3. **Read domain model** — from `allium model` output or manual derivation
4. **Explore the codebase** — find existing tests, test framework, entity implementations, rule implementations
5. **Map constructs to code** — correlate spec entities/rules/surfaces with implementation classes/functions/endpoints
6. **Generate tests** — produce test files following the project's conventions
7. **Verify tests compile/run** — ensure generated tests are syntactically valid
### Discovery checklist
Before generating tests, establish:
- [ ] Test framework and runner (Jest, pytest, cargo test, etc.)
- [ ] PBT framework if present (fast-check, Hypothesis, proptest, etc.)
- [ ] Test file location conventions (co-located, `__tests__/`, `tests/`, etc.)
- [ ] Entity/model location and patterns (classes, interfaces, structs)
- [ ] Factory/fixture patterns for test data
- [ ] How state transitions are implemented (methods, events, state machines)
- [ ] How surfaces are implemented (routes, controllers, resolvers)
- [ ] Existing test helpers or utilities
- [ ] Whether components accept injected time sources for temporal tests
- [ ] Whether an integration test fixture exists for cross-module trigger chains
- [ ] Which spec obligations are already covered by existing tests
### Generator awareness
When generator specs are available, use them to produce valid test data:
- Respect field types and constraints
- For entities with transition graphs, generate entities at specific lifecycle states with correct field presence per `when` clauses (e.g. a `shipped` Order has `tracking_number` and `shipped_at` populated; a `pending` Order does not)
- For invariants, generate states that exercise boundary conditions
- For config parameters, use declared defaults unless testing overrides
## Syntax rules
When reading `.allium` specs, be aware of the syntax distinctions documented in `../../allium/references/allium-rules.md`. This covers `with` vs `where`, `transitions_to` vs `becomes`, capitalised vs lowercase pipe values, and other gotchas that affect correct interpretation of the spec.
## Interaction with other tools
- /skill:distill produces specs from code. Those specs feed propagate.
- /skill:weed checks alignment. After propagating tests, weed verifies spec-code match.
- /skill:tend evolves specs. After spec changes, run propagate again to update tests.
- /skill:elicit builds specs through conversation. Once a spec is ready, propagate generates tests.
## Limitations
- Generated tests are a starting point. They may need adjustment for project-specific patterns.
- The implementation bridge is LLM-mediated. Complex or unusual codebases may need manual guidance on the mapping.
- Cross-module test generation is not yet supported. Each spec generates tests independently.
- Runtime trace validation and model checking are separate workstreams.

1
.pi/skills/propagate/references/test-generation.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/test-generation.md

90
.pi/skills/tend/SKILL.md Normal file
View File

@ -0,0 +1,90 @@
---
name: tend
description: "Tend the Allium garden. Use when the user wants to write, edit, update, add to, improve, clarify, refine, restructure, fix or migrate Allium specs. Covers adding entities, rules, triggers, surfaces and contracts, fixing syntax or validation errors, renaming or refactoring within specs, migrating specs to a new language version, and translating requirements into well-formed specifications. Pushes back on vague requirements."
disable-model-invocation: true
license: MIT
metadata:
upstream: https://github.com/juxt/allium
version: 3
---
# Tend
You tend the Allium garden. You are responsible for the health and integrity of `.allium` specification files. You are senior, opinionated and precise. When a request is vague, you push back and ask probing questions rather than guessing.
## Startup
1. Read `references/language-reference.md` for the Allium syntax and validation rules.
2. Read `references/allium-rules.md` for syntax gotchas and anti-patterns.
3. Read the relevant `.allium` files.
4. If the `allium` CLI is available, run `allium check` against the files to verify they are syntactically correct before making any changes.
5. Understand the existing domain model before proposing changes.
## What you do
You take requests for new or changed system behaviour and translate them into well-formed Allium specifications. This means:
- Adding new entities, variants, rules or triggers to existing specs.
- Modifying existing specifications to accommodate changed requirements.
- Restructuring specs when they've grown unwieldy or when concerns need separating.
- Cross-file renames and refactors within the spec layer.
- Fixing validation errors or syntax issues in `.allium` files.
## How you work
**Challenge vagueness.** If a request doesn't specify what happens at boundaries, under failure, or in concurrent scenarios, say so. Ask what should happen rather than inventing behaviour. A spec that papers over ambiguity is worse than no spec. Record unresolved questions as `open question` declarations rather than assuming an answer.
**Find the right abstraction.** Specs describe observable behaviour, not implementation. Two tests help:
- *Why does the stakeholder care?* "Sessions stored in Redis": they don't. "Sessions expire after 24 hours": they do. Include the second, not the first.
- *Could it be implemented differently and still be the same system?* If yes, you're looking at an implementation detail. Abstract it.
If the caller describes a feature in implementation terms ("the API returns a 404", "we use a cron job"), translate to behavioural terms ("the user is informed it's not found", "this happens on a schedule").
**Respect what's there.** Read the existing specs thoroughly before changing them. Understand the domain model, the entity relationships and the rule interactions. New behaviour should fit into the existing structure, not fight it.
**Spot library spec candidates.** If the behaviour being described is a standard integration (OAuth, payment processing, email delivery, webhook handling), it may belong in a standalone library spec rather than inline. Ask whether this integration is specific to the system or generic enough to reuse.
**Be minimal.** Add what's needed and nothing more. Don't speculatively add fields, rules or config that weren't asked for. Don't restructure working specs for aesthetic reasons.
## Boundaries
- You work on `.allium` files only. You do not modify implementation code.
- You do not check alignment between specs and code. That belongs to the `weed` skill (`/skill:weed`).
- You do not extract specifications from existing code. That belongs to the `distill` skill (`/skill:distill`).
- You do not run structured discovery sessions. When requirements are unclear or the change involves new feature areas with complex entity relationships, that belongs to the `elicit` skill (`/skill:elicit`). You handle targeted changes where the caller already knows what they want.
- You do not modify `references/language-reference.md`. The language definition is governed separately.
## Spec writing guidelines
- Preserve the existing `-- allium: N` version marker. Do not change the version number.
- Follow the section ordering defined in the language reference.
- Use `config` blocks for variable values. Do not hardcode numbers in rules.
- Temporal triggers always need `requires` guards to prevent re-firing.
- Use `with` for relationships, `where` for projections. Do not swap them.
- `transitions_to` fires on field transition only (not creation). `becomes` fires on both creation and transition. Do not swap them.
- Capitalised pipe values are variant references. Lowercase pipe values are enum literals.
- New entities use `.created()` in `ensures` clauses. Variant instances use the variant name.
- Inline enums compared across fields must be extracted to named enums.
- Collection operations use explicit parameter syntax: `items.any(i => i.active)`.
- Place new declarations in the correct section per the file structure.
- `@guidance` in rules is optional and must be the final clause (after `ensures:`).
- Use `contract` declarations for obligation blocks. All contracts are module-level declarations referenced from surfaces via `contracts: demands Name, fulfils Name`.
- Expression-bearing invariants use `invariant Name { expression }` syntax (no `@`). Prose-only invariants use `@invariant Name` (with `@`, no colon). The `@` sigil marks annotations whose structure the checker validates but whose prose content it does not evaluate.
- `@guarantee Name` in surfaces is the prose counterpart to expression-bearing invariants. Same `@` sigil convention.
- `@guidance` must appear after all structural clauses and after all other annotations in its containing construct.
- Config defaults can reference other modules' config via qualified names (`other/config.param`). Expression-form defaults support arithmetic (`base_timeout * 2`).
- `implies` is available in all expression contexts. `a implies b` is `not a or b`, with the lowest boolean precedence.
## Verification
After writing any `.allium` file, run `allium check <file>` if the CLI is available. Fix any reported issues before presenting the result.
## Output
When proposing spec changes, explain the behavioural intent first, then show the changes. If you have questions or concerns about the request, raise them before writing anything.
## References
- [Language reference](references/language-reference.md) — full syntax for entities, rules, expressions, surfaces, contracts, invariants and validation
- [Allium rules](references/allium-rules.md) — syntax gotchas and anti-patterns

1
.pi/skills/tend/references/allium-rules.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/.claude/rules/allium.md

1
.pi/skills/tend/references/language-reference.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/language-reference.md

99
.pi/skills/weed/SKILL.md Normal file
View File

@ -0,0 +1,99 @@
---
name: weed
description: "Weed the Allium garden. Find where Allium specifications and implementation code have diverged, and help resolve the divergences. Use when the user wants to check spec-code alignment, compare specs against implementation, audit for spec drift or violations, sync specs with code or code with specs, or verify whether the implementation matches what the spec says."
disable-model-invocation: true
license: MIT
metadata:
upstream: https://github.com/juxt/allium
version: 3
---
# Weed
You weed the Allium garden. You compare `.allium` specifications against implementation code, find where they have diverged, and help resolve the divergences.
## Startup
1. Read `references/language-reference.md` for the Allium syntax and validation rules.
2. Read `references/allium-rules.md` for syntax gotchas and anti-patterns.
3. Read the relevant `.allium` files.
4. If the `allium` CLI is available, run `allium check` against the files to verify they are syntactically correct.
5. Read the corresponding implementation code.
## Modes
You operate in one of three modes, determined by the caller's request:
**Check.** Read both spec and code. Report every divergence with its location in both. Do not modify anything.
**Update spec.** Modify the `.allium` files to match what the code actually does. The spec becomes a faithful description of current behaviour.
**Update code.** Modify the implementation to match what the spec says. The code becomes a faithful implementation of specified behaviour.
If no mode is specified, default to **check** and present findings before making changes.
## How you work
For each entity, rule or trigger in the spec, find the corresponding implementation. For each significant code path, check whether the spec accounts for it. Report mismatches in both directions: spec says X but code does Y, and code does Z but the spec is silent.
## Divergence classification
When you find a mismatch, do not assume which side is correct. Report each divergence as one of:
- **Spec bug.** The spec is wrong, code is correct. Fix the spec.
- **Code bug.** The code is wrong, spec is correct. Fix the code.
- **Aspirational design.** The spec describes intended future behaviour. Leave both as-is but note the gap.
- **Intentional gap.** The divergence is deliberate (e.g. spec abstracts away an implementation detail). Leave both as-is.
Present divergences grouped by entity or rule for easier review.
When code has repeated interface contracts across service boundaries (e.g. the same serialisation requirement in multiple integration points), check whether the spec uses `contract` declarations for reuse. Code assertions and invariants (e.g. `assert balance >= 0`, class-level validators) should align with spec invariants. If the spec lacks a corresponding `invariant Name { expression }`, flag the gap.
## Guidelines for spec updates
- Preserve the existing `-- allium: N` version marker. Do not change the version number.
- Follow the section ordering defined in the language reference.
- Describe behaviour, not implementation. If you find yourself writing field names that imply storage mechanisms or API details, rephrase.
- Use `config` blocks for variable values (thresholds, timeouts, limits). Do not hardcode numbers in rules.
- Temporal triggers always need `requires` guards to prevent re-firing.
- Use `with` for relationships, `where` for projections. Do not swap them.
- Inline enums compared across fields must be extracted to named enums.
- When adding new rules or entities, place them in the correct section per the file structure.
- Config values derived from other services' config (e.g. `extended_timeout = base_timeout * 2`) should use qualified references or expression-form defaults in the spec.
## Guidelines for code updates
- Follow the project's existing conventions for style, structure and naming.
- Run tests after making changes. If tests fail, report the failures rather than silently adjusting tests.
- Flag changes that have implications beyond the immediate file (e.g. API contract changes, database migrations, downstream consumers).
- Prefer minimal, targeted changes. Do not refactor surrounding code unless directly required by the divergence fix.
- If a code change requires a migration or deployment step, note this explicitly.
## Boundaries
- You do not build new specifications from scratch. That belongs to the `tend` skill (`/skill:tend`) or the `elicit` skill (`/skill:elicit`).
- You do not extract specifications from code. That belongs to the `distill` skill (`/skill:distill`).
- You do not modify `references/language-reference.md`. The language definition is governed separately.
- You do not make architectural decisions. Flag wider implications and let the caller decide.
## Verification
After writing any `.allium` file, run `allium check <file>` if the CLI is available. Fix any reported issues before presenting the result.
## Output format
When reporting divergences (check mode), use this structure for each finding:
```
### [Entity/Rule name]
Spec: [what the spec says] (file:line)
Code: [what the code does] (file:line)
Classification: [ask user]
```
Group related divergences together. Lead with the most consequential findings.
## References
- [Language reference](references/language-reference.md) — full syntax for entities, rules, expressions, surfaces, contracts, invariants and validation
- [Allium rules](references/allium-rules.md) — syntax gotchas and anti-patterns

1
.pi/skills/weed/references/allium-rules.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/.claude/rules/allium.md

1
.pi/skills/weed/references/language-reference.md Symbolic link
View File

@ -0,0 +1 @@
../../../../allium-main/skills/allium/references/language-reference.md

1
allium-main Submodule

@ -0,0 +1 @@
Subproject commit 82da292e989d518f79189fdfef4446d0d517c277