From Quint LLM Kit
Implements code against an existing Quint spec using a Research → Plan → Implement workflow. Use for refactoring, new features, or closing spec-code gaps.
How this skill is triggered — by the user, by Claude, or both
Slash command
/quint-llm-kit:quint-execute-specThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
When you have a Quint spec and want to make a change to the codebase, this skill grounds the work
When you have a Quint spec and want to make a change to the codebase, this skill grounds the work in the spec. The spec is not advisory — it is the formal statement of what the system must do. All changes must satisfy it. The spec is reviewed, then the code follows.
If no spec exists yet, use quint-modeling first to create the grounding artifact.
This skill is the post-spec half of the loop: Research and Plan are anchored by the
existing .qnt file and compact gap analysis—not by prose plans alone. Implement proceeds only
with the verification gates in Phases 3–4 (Quint tool runs after substantive edits). Natural-language
plans are not proof; tool results are.
Never modify the spec to make a failing verification pass. If the spec must change (behavior is intentionally changing), stop and present the proposed spec change to the user before touching any code. The spec change is the highest-leverage review point.
Context utilization target: 40–60% during research and planning. Catalog the codebase compactly rather than reading everything into the main context.
[Quint spec] + [Desired change description]
↓
┌────────────────────────────────────────────────────────────┐
│ Phase 0: Orient │
│ → Read the spec: what does it guarantee? │
│ → Clarify the change: what new behavior is needed? │
│ → Decide: is this a spec change or a code change? │
└────────────────────────────────────────────────────────────┘
↓
┌────────────────────────────────────────────────────────────┐
│ Phase 1: Research (compact) │
│ → Map the gap between spec and code │
│ → Output: compact gap analysis (target: under 300 lines) │
└────────────────────────────────────────────────────────────┘
↓
┌────────────────────────────────────────────────────────────┐
│ Phase 2: Plan │
│ → Precise steps: files to change, expected state delta │
│ → For each step: how to verify it satisfies the spec │
│ → Identify which Quint properties to run at each gate │
│ → Present plan to user before implementing │
└────────────────────────────────────────────────────────────┘
↓
┌────────────────────────────────────────────────────────────┐
│ Phase 3: Implement │
│ → Follow plan phase by phase │
│ → After each phase: run Quint tools, verify properties │
│ → Compact status back into the plan after each phase │
└────────────────────────────────────────────────────────────┘
↓
┌────────────────────────────────────────────────────────────┐
│ Phase 4: Verify │
│ → Run all witnesses (expect VIOLATED) │
│ → Run all invariants (expect no violation) │
│ → If any invariant fails: return to Phase 2, fix plan │
└────────────────────────────────────────────────────────────┘
Read the spec and understand the desired change.
Lightweight path (skip research for simple changes): If the change is small (single function, one module, no new state), skip Phase 1 and go straight to Phase 2.
For non-trivial changes, produce a compact gap analysis between spec and code. Keep this focused — the goal is a compact, accurate summary, not a full codebase read. Answer these questions:
Given the Quint spec at
[spec path]and the source files[file list from handoff]:
- For each state variable in the spec, find where it is managed in source code
- For each action in the spec, find the corresponding function(s) in source code
- Identify any spec behaviors that have no corresponding source code (gaps)
- Identify any source code behaviors not captured in the spec (out-of-scope)
- For the change
[change description]: which source files are affected?Output a compact summary. Do not read files that are not relevant. Target: under 300 lines.
If the analysis missed something critical, do a targeted follow-up read before proceeding.
Create a precise implementation plan. Each plan step must:
## Change: [one-sentence description]
### Spec impact
- Properties that must continue to hold: [list]
- Properties that will change (if any): [list] — REQUIRES USER APPROVAL BEFORE IMPLEMENTATION
### Implementation steps
#### Step 1: [file] — [what changes]
- Expected behavior change: [description]
- Quint verification gate: `quint run` / `quint verify` — invariant `[name]`
#### Step 2: [file] — [what changes]
...
### Rollback criteria
If invariant `[name]` fails after Step N, stop and return to planning. Do not proceed.
Present the plan to the user before implementing. Human review of the plan has higher leverage than review of the code.
If the plan requires modifying the spec, present the spec change explicitly and get approval first.
Follow the plan. After each step:
quint typecheck and fix all reported errors.quint run / quint test / quint verify)After each step is verified, compact progress:
## Status (after Step N)
- Steps 1–N: DONE ✓
- Current: Step N+1
- Blocking issues: [none / description]
- Next verification gate: [invariant name]
Write this to the plan file. In complex implementations, start a new context window with the updated plan rather than continuing in an overloaded context.
| Need | Tool |
|---|---|
| Type-check spec after any edit | Run quint typecheck; fix all reported errors before continuing |
| Verify witnesses are reachable | quint run with witness as invariant |
| Verify safety invariants hold | quint run with --max-samples 5000 or quint verify |
| Interactive exploration | quint REPL session + quint REPL eval (only when CLI is insufficient) |
Run the full property suite.
All witnesses must be violated (meaning the expected state is reachable):
quint run with witness name in witnesses (or mapped invariant selector).Counterexample found in raw CLI wording).All invariants must not be violated:
quint run (or quint verify when stronger coverage needed).The implementation has over-constrained behavior — a path that should be reachable is blocked. Return to Phase 2 and identify which step introduced the constraint.
If the desired change requires updating the spec (new state variables, changed invariants):
This preserves the spec as the source of truth even when it evolves.
| Anti-pattern | Why it breaks the workflow |
|---|---|
| Modify spec to pass a failing invariant | Destroys the spec as ground truth |
| Skip verification gates between steps | Breaks incremental verification; bugs compound |
| Read the whole codebase into main context | Floods context; catalog compactly in Phase 1 instead |
| Plan in prose, implement "roughly" | Plan must be precise enough to verify step-by-step |
| Treat spec as advisory documentation | Spec is a formal constraint — machine-checkable |
| Fix invariant failure by weakening the invariant | Invariants must be fixed in code, not loosened |
For small, well-understood changes (single function, no new state):
quint run with those invariantsSkip Phase 0–1. Use Phases 2–4 only for non-trivial changes.
npx claudepluginhub quint-co/quint-llm-kit --plugin quint-llm-kitBuilds Quint formal specifications from ideas, requirements, code, or TLA+. Also audits existing Quint specs.
Executes specification-driven feature builds, bug fixes with test coverage, and refactoring via 4-phase workflow with multi-agent orchestration and quality gates.
Transforms ideas into structured specifications (requirements, design, tasks) before implementation. Use when building features, fixing bugs, refactoring, or designing systems.