Spec Format
Specs define what the system does using requirements and scenarios.
Structure
Section titled “Structure”# Capability Name
## PurposeBrief description of what this capability provides.
## Requirements
### Requirement: Feature NameThe system SHALL [do something].
#### Scenario: Success case- **WHEN** [precondition]- **THEN** [expected result]- **AND** [additional result]Requirements
Section titled “Requirements”Header Format
Section titled “Header Format”### Requirement: User AuthenticationAlways use ### Requirement: (3 hashtags) followed by a descriptive name.
Wording
Section titled “Wording”Use SHALL or MUST for normative requirements:
The system SHALL authenticate users with valid credentials.The system MUST reject expired tokens.Avoid “should” or “may” unless intentionally non-normative.
Scenarios
Section titled “Scenarios”Format
Section titled “Format”Scenarios use exactly #### Scenario: (4 hashtags):
#### Scenario: Valid login- **WHEN** user provides valid email and password- **THEN** return JWT token- **AND** set session cookieRequired
Section titled “Required”Every requirement MUST have at least one scenario. This ensures testable behavior.
Common Patterns
Section titled “Common Patterns”Success case:
#### Scenario: Successful creation- **WHEN** valid data provided- **THEN** create resource- **AND** return 201 CreatedError case:
#### Scenario: Invalid input- **WHEN** required field missing- **THEN** return 400 Bad Request- **AND** include error detailsEdge case:
#### Scenario: Concurrent modification- **WHEN** resource modified by another user- **THEN** return 409 ConflictDelta Operations
Section titled “Delta Operations”When creating changes, use delta headers:
ADDED Requirements
Section titled “ADDED Requirements”New capabilities:
## ADDED Requirements
### Requirement: Two-Factor AuthenticationThe system MUST support TOTP-based second factor.
#### Scenario: OTP verification- **WHEN** valid OTP provided- **THEN** complete authenticationMODIFIED Requirements
Section titled “MODIFIED Requirements”Changed behavior. Include the complete updated requirement:
## MODIFIED Requirements
### Requirement: User LoginThe system SHALL authenticate users with email, password, AND OTP.
#### Scenario: Full authentication flow- **WHEN** valid credentials and OTP- **THEN** return JWT tokenREMOVED Requirements
Section titled “REMOVED Requirements”Deprecated features:
## REMOVED Requirements
### Requirement: Remember Me**Reason**: Security risk with 2FA enabled**Migration**: Users must authenticate each sessionRENAMED Requirements
Section titled “RENAMED Requirements”Name changes only:
## RENAMED Requirements- FROM: `### Requirement: Login`- TO: `### Requirement: User Authentication`Common Mistakes
Section titled “Common Mistakes”Wrong scenario format
Section titled “Wrong scenario format”### Scenario: Wrong ✗ (3 hashtags)- **Scenario: Wrong ✗ (bullet)**Scenario**: Wrong ✗ (bold)
#### Scenario: Right ✓ (4 hashtags)Missing scenarios
Section titled “Missing scenarios”### Requirement: Some FeatureThe system SHALL do something.(no scenarios) ✗
### Requirement: Some FeatureThe system SHALL do something.
#### Scenario: Basic usage ✓- **WHEN** triggered- **THEN** does somethingPartial MODIFIED
Section titled “Partial MODIFIED”## MODIFIED Requirements
### Requirement: Login- Add OTP field ✗ (partial - loses existing content)
### Requirement: LoginThe system SHALL authenticate with email, password, and OTP.
#### Scenario: Complete login ✓ (full replacement)- **WHEN** all fields valid- **THEN** authenticate userValidation
Section titled “Validation”Check your specs:
openspec validate my-change --strictDebug parsing:
openspec show my-change --json --deltas-only | jq '.deltas'