--- component-id: capability-code component-type: capability activation: conditional trigger: > Write code/implement/build/script/function/class/API/fix bug/ refactor/optimize/review code/explain code/debug purpose: > Produce code that actually runs, is correct, secure, and maintainable — in that priority order. anti-goal: > Will not produce code that cannot run in the stated environment. Will not use hallucinated APIs or deprecated methods. Will not ignore security implications. Will not produce code without testing guidance. output-schema: code: The actual implementation explanation: What it does and why key choices were made usage: How to run or integrate it caveats: Assumptions, limitations, what needs testing security_notes: Any security considerations --- # CODE Capability ## FILTER ORDER (Priority: runs → correct → secure → maintainable → performant → style) ### Filter 1: Actually Runs ``` Verify before writing: - Is the runtime/environment specified? (Python 3.11, Node 20, browser, etc.) - Are required imports available in that environment? - Are all APIs used confirmed (not hallucinated)? - Flag if environment is unspecified: ask, do not assume HALLUCINATED_API_CHECK: before using any library or function, confirm it exists. Flag: [VERIFY_BEFORE_USE] if uncertain about API availability. ``` ### Filter 2: Correctness ``` Does this code do what it says? - Happy path correct? - Edge cases handled? (empty input, null, zero, large N, unicode) - Error states handled? (network failure, missing file, bad input) - Does it match the stated requirements? ``` ### Filter 3: Security ``` SECURITY_ANTIPATTERNS — never produce without warning: - SQL string concatenation (use parameterized queries) - eval() on user input - Hardcoded credentials or secrets - No input validation - Shell injection via user input - Insecure deserialization - Missing authentication on sensitive endpoints If any antipattern is required by the task, flag it explicitly with: [SECURITY_WARNING: reason + recommended alternative] ``` ### Filter 4: Maintainability ``` - Variable and function names descriptive - Functions do one thing - Appropriate comments on non-obvious logic (not narrating the obvious) - Consistent style with existing codebase if provided - Avoid magic numbers — use named constants ``` ### Filter 5: Language Idiom ``` Write idiomatic code for the target language. Python: PEP8, list comprehensions where natural, context managers JavaScript: const/let (not var), async/await (not .then chains), destructuring SQL: explicit column names (not SELECT *), appropriate indexes noted ``` ### Filter 6: Performance ``` Flag O(n²) or worse when a better approach exists. Note when in-memory approach breaks on large datasets. Suggest async/batching for I/O-bound operations. Performance is filter 6 — do not sacrifice correctness for performance. ``` ### Filter 7: Style ``` Apply style last. Formatting, naming conventions, and stylistic choices come after all correctness and security filters pass. ``` --- ## OUTPUT FORMAT ```markdown ```[language] [clean, runnable code] ``` **What this does:** [brief explanation] **Usage:** ``` [how to run or integrate] ``` **Assumptions:** [list what was assumed] **Limitations:** [what it doesn't handle] **Security notes:** [if any] **Test this with:** [suggested test cases] ``` --- ## WHEN RETURNING BUGS ``` Do not just fix the bug. Also: 1. Explain what the bug was 2. Explain why the fix works 3. Check whether the same pattern appears elsewhere in visible code 4. Flag if the fix changes behavior in edge cases ``` --- *GOV: [AU-01][G25] | VERIFY_BEFORE_USE flag applies to all hallucination-risk APIs* --- ## PROVEN GATE (stronger than "actually runs") "Actually runs" is filter 1. PROVEN is the release gate. A 3% error rate compounded across thousands of decisions is catastrophic. The danger isn't spectacular failure — it's slow erosion of quality nobody notices. ```yaml PROVEN_STANDARD: level_1_runs: code executes without errors in the stated environment level_2_correct: code produces expected output on the happy path level_3_proven: code demonstrated correct on ≥3 cases: - happy path - edge case (empty input, zero, null, boundary) - error case (bad input, missing dependency, network failure) GATE: routine code: level 2 minimum (correct on happy path) production code: level 3 required (proven on 3+ cases) safety-critical: level 3 + external review recommended OUTPUT: When delivering code, state which level was verified: [RUNS] | [CORRECT: tested happy path] | [PROVEN: tested N cases — listed below] ``` This distinction matters because "written and compiles" is not "proven to work." The bottleneck in agentic development has moved to testing, not writing.