* Initial plan
* Extract agent context updates into bundled agent-context extension
* Potential fix for pull request finding 'Unused import'
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* Potential fix for pull request finding 'Unused import'
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* fix: address review comments on agent-context extension
- bash: parse init-options.json with a single python3 invocation instead
of three separate read_json_field calls, for parity with the PowerShell
ConvertFrom-Json approach and to avoid divergent error semantics
- bash: use parameter expansion to strip PROJECT_ROOT prefix from plan
path instead of sed interpolation, avoiding special-character fragility
- powershell: limit Get-ChildItem to -Depth 1 so plan.md discovery matches
the bash glob specs/*/plan.md (one level deep) — fixes cross-platform
inconsistency with nested plan.md files
- powershell: replace Substring+Length relative-path with
[System.IO.Path]::GetRelativePath for robustness across case/PSDrive
differences
- __init__.py: move agent-context extension install to after
save_init_options so init-options.json is present when hooks run
- __init__.py: seed context_markers in init-options only when
context_file is truthy; avoids noise for integrations without a context
file
- integrations/base.py: narrow blanket except Exception in
_resolve_context_markers to ImportError / (OSError, ValueError) so
unexpected bugs surface instead of being silently swallowed
* fix: gate context_markers in _update_init_options_for_integration on context_file
Apply the same gating logic used during `specify init`: only write
context_markers to init-options.json when the integration actually has a
context_file set. When switching to an integration without a context file
the stale markers are removed, keeping the two init paths consistent.
* fix: move context_file/context_markers from init-options.json to agent-context extension config
* Potential fix for pull request finding 'Unused global variable'
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* fix: clarify local import comment in agents.py
* Fix remaining agent-context review findings
* Fix follow-up agent-context review issues
* Address review feedback: narrow except, improve PyYAML messaging, surface config-written note
* Fix double-space in PyYAML install hint message
* Potential fix for pull request finding 'Empty except'
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* Potential fix for pull request finding 'Empty except'
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* Address latest agent-context review feedback
* Harden bash config parse output handling
* Clarify ImportError-only fallback comment
* Apply review feedback: drop dead try/except, guard ext-config creation, explicit ConvertFrom-Yaml check
* Remove redundant $Options = $null in PS1 catch block
* Add constitution directives, deprecation warning, agent-context auto-install, and init flow fix
- Add constitution-loading directive to specify, clarify, tasks, checklist, taskstoissues commands
- Add deprecation warning (v0.12.0) in upsert_context_section()
- Auto-install agent-context extension during specify init
- Move context_file from init-options.json to agent-context extension config
- Add tests: deprecation warning, corrupt config, constitution directives
- Update file inventories across all integration tests
* Address review: fix init ordering, test coverage, and hermes inventory
- Move agent-context extension install after init-options.json is saved
so skill registration can read ai_skills + integration key
- Write extension config after install (avoids template overwriting context_file)
- Fix test_defaults_when_markers_field_missing to truly test missing markers key
- Update hermes tests to allow extension-installed agent-context skill
* Address review: chmod ordering, preserve markers, PS1 Python check, YAML key order
- Move ensure_executable_scripts after agent-context extension install
so extension scripts get execute bits set
- Use preserve_markers=True on reinit to keep user-customized markers
- Add Python 3 version check in PowerShell fallback (matching bash behavior)
- Add sort_keys=False to yaml.safe_dump for stable config output
* Address review: path traversal guards and docstring fix
- Reject absolute paths and '..' segments in context_file in both bash and
PowerShell scripts to prevent writes outside the project root
- Fix docstring in _update_init_options_for_integration to accurately
describe marker preservation behavior
* Address review: strict enabled check, docstring, segment-level path traversal
- Use 'is not False' for enabled check so only literal False disables
- Update upsert_context_section docstring to mention disabled-extension return
- Fix path traversal guards to check actual path segments, not substrings
(allows filenames like 'notes..md' while rejecting '../' traversal)
* Address review: UnicodeError handling, missing extension warning
- Add UnicodeError to exception tuples in _load_agent_context_config and
_resolve_context_markers so garbled UTF-8 config files fall back to defaults
- Emit error (with reinstall command) instead of silent skip when bundled
agent-context extension is not found during init
* Address review: bash backslash traversal guard, wheel packaging
- Reject backslash separators and Windows drive-letter paths in bash
context_file validation (prevents traversal on Git-Bash/Windows)
- Add extensions/agent-context to pyproject.toml force-include so the
bundled extension is included in wheel builds
* Address review: write extension config before init-options.json
- Reorder writes in _update_init_options_for_integration so the
agent-context extension config is updated first; if it fails,
init-options.json remains consistent with the previous state
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Manfred Riem <15701806+mnriem@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* chore: bump version to 0.8.18
* chore: begin 0.8.19.dev0 development
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Initial plan
* feat: support SPECKIT_INTEGRATION_<KEY>_EXECUTABLE env var override
Adds `IntegrationBase._resolve_executable()` which reads
`SPECKIT_INTEGRATION_<KEY>_EXECUTABLE` (hyphens→underscores, uppercased)
and falls back to `self.key` when unset or whitespace-only.
All concrete `build_exec_args()` implementations now call
`self._resolve_executable()` instead of hard-coding `self.key` or
`"agy"` as the first argv token:
- MarkdownIntegration, TomlIntegration, SkillsIntegration (base classes)
- CodexIntegration, DevinIntegration, OpencodeIntegration, HermesIntegration, AgyIntegration
- CopilotIntegration (overrides `_resolve_executable()` to fall back to
the platform-specific `_copilot_executable()` default; also updates
`dispatch_command()` to use `_resolve_executable()`)
Tests added to tests/integrations/test_extra_args.py covering:
- default (unset) falls back to key
- env var replaces first argv token
- whitespace-only env var is a no-op
- key hyphen→underscore normalisation
- cross-integration scoping (wrong key ignored)
- all override integrations (Codex, Devin, Opencode, Copilot)
- Copilot dispatch_command path
- EXECUTABLE and EXTRA_ARGS can be set simultaneously
See issue #2596."
* fix: complete docstring sentence in _resolve_executable
* test: generalize extra-args test comments for override coverage
* Fix stale Codex executable comment
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Add noop: report-as-issue: false to safe-outputs frontmatter in both
add-community-extension and add-community-preset workflows to prevent
them from posting noise comments to the [aw] No-Op Runs tracking issue.
Closes#2747
Display a yellow warning panel and default-deny [y/N] prompt when
installing extensions via --from <url>, since this bypasses the
catalog trust boundary.
Both add-community-preset and add-community-extension workflows previously
triggered on issues opened, edited, and labeled events. This caused them to
fire on every new issue and post noisy bot comments explaining the issue
wasn't a submission (see #2739).
Changes:
- Narrow trigger from [opened, edited, labeled] to [labeled] only
- Update prompt instructions to stop silently on non-matching issues
instead of posting a comment
* feat(integrations): support SPECIFY_<KEY>_EXTRA_ARGS env var for agent subprocess flags
Read a per-integration env var (SPECIFY_<KEY>_EXTRA_ARGS) inside
`SkillsIntegration.build_exec_args`, `MarkdownIntegration.build_exec_args`,
and `TomlIntegration.build_exec_args` and append the parsed flags to the
spawned agent's argv, gated per integration key.
Operators can now opt into extra CLI flags (e.g.
`SPECIFY_CLAUDE_EXTRA_ARGS=--dangerously-skip-permissions`) without
modifying any SKILL or workflow YAML. Useful in CI / non-interactive
contexts where the spawned `<agent> -p ...` would otherwise hang on
an internal permission or input prompt invisible to the parent
`specify workflow run` process.
Key normalization: `kiro-cli` → `SPECIFY_KIRO_CLI_EXTRA_ARGS` (hyphen
replaced with underscore, then uppercased).
Default (env var unset or whitespace-only) is byte-identical to
previous behaviour. Extra args are inserted between `-p prompt` and
the model / output-format flags so they cannot clobber canonical
Spec Kit args.
Implementation: a single helper `IntegrationBase._apply_extra_args_env_var`
encapsulates the env-var read + shlex parsing; each of the three
concrete `build_exec_args` implementations calls it.
Closes#2595
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(integrations): wire SPECIFY_<KEY>_EXTRA_ARGS into Codex/Devin/Opencode/Copilot
Four integrations override `build_exec_args` and were silently
ignoring the env-var hook introduced in the previous commit:
- CodexIntegration (`codex exec ...`)
- DevinIntegration (`devin -p ...`)
- OpencodeIntegration (`opencode run ...`)
- CopilotIntegration (`copilot -p ...`)
Each now calls `self._apply_extra_args_env_var(args)` between the
base argv and the canonical Spec Kit flags (matching the placement
in `MarkdownIntegration`, `TomlIntegration`, and `SkillsIntegration`),
so operator-injected flags cannot clobber `--model` / `--output-format`
/ `--json`.
Adds 4 parameterized override-integration tests locking the wiring
per agent. Also cleans up an inline `__import__("os").environ` in the
fixture to a top-of-file `import os`.
Drive-by typing fix: guard `self.registrar_config.get(...)` in
`CopilotIntegration.add_commands` against the `None` case, matching
the pattern already used in `base.py` for the same access.
Addresses Copilot review on #2596.
* fix(integrations): apply Opencode extra-args before prompt-derived --command
When the Opencode prompt starts with `/`, `build_exec_args` injects
`--command <X>` derived from the prompt. The previous placement of
`self._apply_extra_args_env_var(args)` appended operator-injected
args AFTER that `--command`, so a user setting
`SPECIFY_OPENCODE_EXTRA_ARGS="--command override"` could redirect the
command under typical last-wins repeated-flag CLI semantics.
Move the hook to immediately after `args = [self.key, "run"]`, before
the prompt-parsing block. The operator's `--command override` (if
any) now precedes the Spec Kit-derived `--command speckit`, so the
canonical choice wins.
Adds `test_opencode_extra_args_cannot_clobber_prompt_derived_command`
locking the ordering. Also corrects the module docstring to describe
the hook as living in `IntegrationBase` (not `SkillsIntegration`) and
to acknowledge that this file covers Codex/Devin/Opencode/Copilot in
addition to SkillsIntegration stubs.
Addresses Copilot review on #2596.
* fix(integrations): honour SPECIFY_COPILOT_EXTRA_ARGS in dispatch_command
`CopilotIntegration` is the only integration that overrides
`dispatch_command` — it builds `cli_args` inline rather than going
through `build_exec_args`. The previous commit wired
`_apply_extra_args_env_var` into `build_exec_args` but workflow
execution calls `dispatch_command`, so `SPECIFY_COPILOT_EXTRA_ARGS`
was silently ignored at runtime.
Add the hook in `dispatch_command` immediately after
`cli_args = ["copilot", "-p", prompt]`, mirroring the placement in
`build_exec_args` (between `-p prompt` and the canonical
`--agent` / `--yolo` / `--model` / `--output-format` flags).
`IntegrationBase.dispatch_command` already delegates to
`build_exec_args`, so Codex, Devin, and Opencode continue to honour
their respective env vars through inheritance — no further changes
needed for them.
Adds two end-to-end tests that monkeypatch `subprocess.run` and
assert the env-var args reach the executed argv:
- `test_copilot_dispatch_command_includes_extra_args` locks the
bypass fix on the overridden path.
- `test_codex_dispatch_command_includes_extra_args` locks the
inherited-base-dispatch path for the other three integrations.
Addresses Copilot review on #2596.
* refactor(integrations): rename env var to SPECIFY_INTEGRATION_<KEY>_EXTRA_ARGS
Per maintainer request: scope the operator-injected env var to the
integration subsystem by prepending `INTEGRATION_` to the key
segment, so it does not collide with other Spec Kit env-var
namespaces.
Renames everywhere it appears:
- Helper `IntegrationBase._apply_extra_args_env_var` env_name
format and docstring (`base.py`).
- Inline comment in `CopilotIntegration.dispatch_command`.
- All `monkeypatch.setenv(...)` calls, docstrings, and the
autouse fixture's scope filter in
`tests/integrations/test_extra_args.py`.
No behaviour change beyond the variable name. Default (env var
unset) still byte-identical to before this PR.
Addresses review on #2596.
* fix(integrations): raise actionable error on malformed EXTRA_ARGS quoting
Wrap `shlex.split` in `_apply_extra_args_env_var` so an unmatched quote
in `SPECIFY_INTEGRATION_<KEY>_EXTRA_ARGS` surfaces a clear `ValueError`
naming the offending env var and showing the invalid value, instead of
crashing workflow dispatch with a bare shlex traceback. Adds a new test
locking the actionable error path.
Addresses Copilot review feedback on #2596.
* test(integrations): use `_copilot_executable()` in Copilot extra-args test
`test_copilot_integration_honours_extra_args` hardcoded `"copilot"`
in the expected argv, but `CopilotIntegration.build_exec_args` calls
`_copilot_executable()` which returns `"copilot.cmd"` on Windows
(`os.name == "nt"`). The test passed on Linux/macOS and failed on
all three Windows-latest matrix entries.
Resolve by importing `_copilot_executable` alongside `CopilotIntegration`
and using it as the first expected argv token. The companion
`test_copilot_dispatch_command_includes_extra_args` already uses
`index()` lookups rather than full-argv equality so it was unaffected.
* fix(integrations): couple Codex executable to self.key + cover base classes
Two Copilot findings on the latest pass:
1. `CodexIntegration.build_exec_args` hardcoded the executable name
as the literal `"codex"` while the env-var lookup derives from
`self.key`. The two should stay coupled (matching Devin/Opencode,
which both use `self.key` already). Replace the literal with
`self.key` so the argv and env-var scoping cannot drift.
2. `tests/integrations/test_extra_args.py` covered the
`SkillsIntegration` mechanism (via stubs near the top) and the
four `build_exec_args` overrides (Codex/Devin/Opencode/Copilot)
end-to-end, but did not exercise the `MarkdownIntegration` or
`TomlIntegration` base implementations directly. Add bare
`_MarkdownAgentStub` and `_TomlAgentStub` test stubs and a test
each — the most common integration pattern (Amp, Auggie, Generic,
Gemini, Tabnine, …) inherits without overriding, so the base
wiring is now locked.
Full suite: 3011 passed (was 3009), 40 skipped, no regressions.
Addresses Copilot review feedback on #2596.
* fix(integrations): rename env var to SPECKIT_INTEGRATION_<KEY>_EXTRA_ARGS
Renames the env-var hook prefix from `SPECIFY_INTEGRATION_*` to
`SPECKIT_INTEGRATION_*` to match the established codebase
convention for integration-subsystem env vars
(`SPECKIT_INTEGRATION_CATALOG_URL` in `integrations/catalog.py`,
`SPECKIT_COPILOT_ALLOW_ALL_TOOLS` in `integrations/copilot/__init__.py`).
The `SPECIFY_*` prefix is reserved for user-facing
feature-resolution variables (`SPECIFY_FEATURE`,
`SPECIFY_FEATURE_DIRECTORY`); reusing it for integration-subsystem
scoping would introduce a second integration namespace under a
different prefix, confusing operators who already set
`SPECKIT_INTEGRATION_CATALOG_URL`.
Also reverts the unrelated defensive `arg_placeholder` /
`registrar_config is None` guard in
`CopilotIntegration.setup_skills_mode` — it was a drive-by pyright
cleanup mixed into this PR. Every concrete integration sets
`registrar_config` so the guard never fires in practice; the
typing issue belongs in a focused follow-up rather than this
env-var-hook PR.
Updates everywhere the old prefix appeared:
- `IntegrationBase._apply_extra_args_env_var` helper + docstring
- `CopilotIntegration.dispatch_command` inline comment
- All `monkeypatch.setenv(...)` calls in `tests/integrations/test_extra_args.py`
- The autouse fixture scope filter
- Test module docstring
Full suite: 3011 passed, 40 skipped, no regressions.
Addresses Copilot review feedback on #2596.
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore: bump version to 0.8.17
* chore: begin 0.8.18.dev0 development
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* docs: consolidate Community sections in README
Replace four separate Community sections (Extensions, Presets,
Walkthroughs, Friends) with a single consolidated section containing
a bullet list, one shared disclaimer, and both publishing guide links.
* fix: broken community anchor links and missing Hermes hook note injection
- Update README.md and extensions/README.md to point community
extension links to the docs site instead of removed section anchor
- Add post_process_skill_content() call in Hermes setup() so hook
command notes are injected into generated skills
- Add Hermes test override for test_hook_sections_explain_dotted_command_conversion
with Path.home() monkeypatch
* feat(agy): enhance Google Antigravity CLI integration
- Set requires_cli=True and install_url for CLI tool detection
- Implement build_exec_args() for non-interactive execution via agy --print
- Add dot-to-hyphen hook command note injection in generated SKILL.md files
* fix(agy): add --ignore-agent-tools to TestAgyAutoPromote tests
Tests verify file layout and setup warnings, not CLI presence.
agy requires_cli=True causes CI failures when agy is not installed.
* Fix dev extension agent symlinks
* Address dev symlink review feedback
* fix: handle dev symlink relpath failures
* fix: fall back when dev cache writes fail
* test: cover dev symlink fallback without privileges
* fix(integrations): share skills hook note post-processing
* fix(integrations): tighten skill post-processing
Apply skill content post-processing before the initial write, use an exact hook-note sentinel for idempotence, and route Copilot skill post-processing through the shared helper before adding mode frontmatter.
* Make hook note injection per instruction
* Deduplicate Codex hook note processing
---------
Co-authored-by: Puneet Dixit <236133619+puneetdixit200@users.noreply.github.com>
Co-authored-by: Puneet Dixit <puneetdixit200@users.noreply.github.com>
* feat: add Hermes Agent integration
* feat: add Hermes Agent integration
* feat: add Hermes Agent integration
* feat: add Hermes Agent integration (with review fixes)
- Full SkillsIntegration subclass with dual install strategy
(project-local .hermes/skills/ + global ~/.hermes/skills/)
- CLI fix: integration_uninstall now calls integration.teardown()
instead of manifest.uninstall() directly, allowing custom cleanup
- Fix Copilot review issues:
- Docstring now reflects both -Q (quiet) and -q (query) flags
- Empty command guard prevents passing empty skill names
- Add catalog entry for hermes in integrations/catalog.json
Co-authored-by: Zhaoxiaoguang001 <3357983213@qq.com>
* feat: write Hermes skills directly to global ~/.hermes/skills/
Hermes loads skills from the global ~/.hermes/skills/ directory,
not from project-local paths. The old dual-install strategy copied
SKILL.md files to both locations — project-local (for manifest
tracking) and global (for Hermes discovery).
This change removes the project-local copies entirely:
- setup() writes directly to ~/.hermes/skills/speckit-*/SKILL.md
- An empty .hermes/skills/ marker directory is created in the
project so extension commands (e.g. git) can detect Hermes
as an active integration via register_commands_for_all_agents()
- teardown() cleans both the global speckit-* dirs and the local
marker
- import yaml moved to local import inside setup()
Tests updated: Hermes-specific tests now assert global skill
location, and shared SkillsIntegrationTests that assumed
project-local files are overridden with Hermes-appropriate
assertions.
Co-authored-by: Zhaoxiaoguang001 <3357983213@qq.com>
* fix: address Copilot review feedback on Hermes integration
Addresses all 6 review comments from copilot-pull-request-reviewer:
1. Hard-fail on missing integration key → fall back to
manifest.uninstall() with a warning instead of raising an error.
Allows users to always remove stale integration files even when
the integration class is missing from the registry.
2. HOME isolation in tests → every test that calls setup() or
CliRunner now monkeypatches Path.home() to a temp directory,
keeping the test suite hermetic and non-destructive.
3. HermesIntegration.teardown() now delegates to
manifest.uninstall() for project-local tracked files
(scripts, manifest), merging results with global cleanup.
4. Global skills cleanup gated behind force=True to avoid destroying
speckit-* skills shared across multiple Spec Kit projects when
running 'specify integration uninstall hermes' without --force.
5. Line 160 isolation (CLI test test_complete_file_inventory_sh).
6. Line 258 isolation (Path.home assertion in
test_ai_hermes_without_ai_skills_auto_promotes).
* fix: address second Copilot review round — 6 remaining observations
- Move to module scope (was inside per-template loop)
- Add safety checks in setup() matching standard
- Fix docstrings: global skills always removed on uninstall (standard)
- Fix removal tracking: only report after successful rmtree
- Override shared test_modified_file_survives_uninstall with Hermes-appropriate
behaviour (global skills always removed, no hash tracking)
- Update PR description to match implementation (global-only skills + marker)
* fix: add first-class global/home-based agent dir support in CommandRegistrar
Resolves Copilot HIGH concern (discussion_r3312194525):
HermesIntegration.registrar_config.dir was '.hermes/skills' (project-
relative), but skills live in ~/.hermes/skills/ (global). Extensions
and presets registering commands for the 'hermes' agent via
CommandRegistrar would write to the project-local marker directory
instead of the real global skills directory, making those commands
invisible to Hermes.
Fix consists of three parts:
1. CommandRegistrar._resolve_agent_dir now supports '~/'-prefixed and
absolute paths in agent_config['dir']. Relative paths still resolve
against project_root as before — zero change for existing agents
(Claude, Codex, Gemini, etc.).
2. HermesIntegration.registrar_config.dir changed from '.hermes/skills'
to '~/.hermes/skills', so extensions/presets write directly to the
global directory Hermes searches at runtime.
3. Two inline project_root / agent_config['dir'] calls in the extension
update backup/restore paths (src/specify_cli/__init__.py) now delegate
to _resolve_agent_dir, giving them the same global-dir support plus
the legacy_dir fallback they were missing (improvement for all agents).
Test side-effect: test_update_failure_rolls_back_registry_hooks_and_commands
was constructing verification paths with project_dir / '~/.hermes/skills'
(literal tilde) — fixed to use _resolve_agent_dir and monkeypatch
Path.home() so Hermes' global dir doesn't leak into the real filesystem.
* fix: address remaining 3 Copilot review observations (round 3)
- teardown docstring: clarify marker removal is conditional (if empty)
- test_pre_existing_skills_not_removed: now actually calls teardown()
to verify foreign skills survive uninstall (was only running setup)
- integration_switch Phase 1: replaced old_manifest.uninstall() +
remove_context_section() with current_integration.teardown(),
matching the pattern already used in integration_uninstall.
This ensures custom teardown logic (e.g. Hermes global skills
cleanup) runs during switches.
* fix: address Copilot round 4 — home-relative dir resolution + project-local detection
1. _resolve_agent_dir(): expand ~/... via Path.home() + slice instead of
expanduser(), so tests that monkeypatch Path.home() properly isolate
the home directory (Copilot r3312731595, r3312731729)
2. Add detect_dir field to registrar_config: Hermes declares
detect_dir='.hermes/skills' (project-local marker). CommandRegistrar
checks detect_dir before resolving the output dir, preventing global
dirs like ~/.hermes/skills from causing false detection in every
project (Copilot r3312731682)
3. test_update_failure_rolls_back: no additional changes needed — the
_resolve_agent_dir fix makes the existing Path.home() monkeypatch
effective, so ~/.hermes/skills is not found in the fake home and
Hermes is properly skipped.
Tests: 2236 passed (2009 integration + 195 extension + 32 hermes)
---------
Co-authored-by: Zhaoxiaoguang001 <3357983213@qq.com>
Co-authored-by: majordave <majordave@users.noreply.github.com>
* chore: bump version to 0.8.16
* chore: begin 0.8.17.dev0 development
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* feat(workflows): expose `{{ context.run_id }}` template variable
Closes#2590.
Surfaces the engine-assigned run id (the same 8-character hex
string Spec Kit prints as `Run ID:` at the end of
`workflow run`) as a workflow template variable so YAML
authors can reference it from shell `run:`, command
`input.args:`, switch `expression:`, and any other field that
already evaluates `{{ ... }}` templates.
### Why
The run id is the natural join key between a Spec Kit workflow
run and downstream artifacts, telemetry, or per-run scratch
state. Today the operator sees it in stdout but workflows
themselves cannot reference it — there was no way to stamp a
log line, name a scratch directory, or tag an artifact with
the same id Spec Kit assigned.
The three motivating use cases from the issue:
1. Telemetry / observability — stamp logs and events with the
run id so external systems can join workflow runs to
downstream artifacts.
2. Per-run scratch / isolation — interactive operator commands
that need their own state directory under
`/tmp/run-<id>/`.
3. Run-id in artifact metadata — stable join key from artifact
back to the producing run.
### Implementation
`StepContext.run_id` is already populated by `WorkflowEngine`
in both `execute()` and `resume()`. The only gap was the
template namespace builder.
`_build_namespace` (in `workflows/expressions.py`) now adds a
`context` key alongside the existing `inputs`, `steps`,
`item`, and `fan_in` namespaces:
```python
ns["context"] = {"run_id": run_id}
```
The value is always present (even outside a run) and falls
back to an empty string when no run is active. Workflows
referencing `{{ context.run_id }}` therefore never error — a
hard requirement from the issue's acceptance criteria for
dry-run, validation, and ad-hoc evaluator usage.
### Default behaviour preserved
Workflows that do not reference `{{ context.run_id }}` are
byte-equivalent to before this change. The `context`
namespace is added unconditionally to keep template
resolution branch-free, but its presence has no observable
effect when nothing references it.
### Tests
`TestExpressions` (unit-level) gains three tests:
- `test_context_run_id_resolves` — direct lookup against a
`StepContext(run_id=...)`.
- `test_context_run_id_defaults_to_empty_when_unset` —
graceful default outside a run context.
- `test_context_run_id_string_interpolation` — mixed
template (e.g. `"RUN_ID={{ context.run_id }}"`).
`TestContextRunId` (end-to-end) covers the three step types
the acceptance criteria called out:
- `test_shell_run_resolves_run_id` — `run:` field
substitution, verified via captured stdout.
- `test_command_input_args_resolves_run_id` — `input.args:`
resolution, captured in step output even when CLI dispatch
is unavailable (the artifact-metadata use case).
- `test_switch_expression_matches_on_run_id` — switch
matches against the resolved value, proving the run id is a
first-class value in the expression engine, not just an
interpolation token.
- `test_workflow_without_context_reference_unchanged` —
locks the byte-equivalent default required by the issue.
### Docs
`workflows/README.md` gains a "Runtime Context" subsection
under "Expressions" documenting the new namespace and the
three canonical use patterns (telemetry, per-run scratch,
artifact metadata).
* test(workflows): drop inline double-quotes in run_id shell tests
`test_shell_run_resolves_run_id` and
`test_switch_expression_matches_on_run_id` used
`run: 'echo "RUN_ID={{ context.run_id }}"'` with inner double-quotes
around the echo argument. Bash/sh strips those quotes before invoking
echo, but cmd.exe (used on Windows when `shell=True`) treats them
as literal characters and emits `"RUN_ID=abc12345"` — failing the
exact-match assertion. Linux passed; all three Windows-latest matrix
entries failed with `assert '"RUN_ID=abc12345"' == 'RUN_ID=abc12345'`.
Resolve by dropping the inner double-quotes (the value has no spaces
or shell metacharacters) and wrapping the YAML scalar in plain
double-quotes the same way other shell-step tests in this file do
(e.g. `run: "echo b-saw-..."`). Behaviour-equivalent on POSIX,
portable to cmd.exe.
* fix: resolve __SPECKIT_COMMAND_*__ refs in preset skill rendering (#2717)
The preset skill layer mirrors command templates into SKILL.md files but
only ran resolve_skill_placeholders(), leaving command cross-references as
raw __SPECKIT_COMMAND_<NAME>__ placeholders instead of rendering them as
/speckit-<cmd> the way CommandRegistrar.register_commands() does. As a
result, presets that override core commands under the agent skill layer
(e.g. Claude --ai-skills) leaked the raw tokens into SKILL.md.
Add a shared PresetManager._resolve_skill_command_refs() helper that maps
the agent's invoke separator to IntegrationBase.resolve_command_refs(), and
call it right after resolve_skill_placeholders() in every preset
skill-rendering path: _register_skills() (install), the _reconcile_skills()
override-restoration block, and both _unregister_skills() restore paths.
This mirrors register_commands() and addresses the path divergence flagged
in #1976.
Add regression tests covering the install and restore paths.
AI assistance: authored with Claude Code (Anthropic) — analysis, patch, and
tests. Verified via the existing pytest suite plus a manual CLI install and
remove cycle on a Claude --ai-skills project.
* test: cover reconcile-override and extension restore command-ref paths (#2718 review)
Copilot review flagged that the install and core-template restore paths
gained regression tests, but the reconcile project-override branch and the
extension-backed restore branch were uncovered. Add focused tests for both:
- test_reconcile_override_skill_resolves_command_refs: a project override
wins after preset removal; _reconcile_skills must render command refs.
- test_extension_restore_resolves_command_refs: a skill restored from an
extension command body must also render command refs.
Both fail on main and pass with the fix in 8dd93c0.
* Add Workflow Preset to community catalog
Add workflow-preset submitted by @bigsmartben to:
- presets/catalog.community.json (alphabetical order)
- docs/community/presets.md community presets table
Closes#2618
* Fix Requires column: use — for no required extensions
The Requires column lists required extensions, not the Spec Kit
version. This preset has no extension dependencies.
* fix: paths-only skips branch validation, setup-plan preserves existing plan (#2653)
- check-prerequisites.sh/ps1: move branch validation after --paths-only
early exit so --paths-only returns paths without requiring a spec branch
- setup-plan.sh/ps1: skip template copy when plan.md already exists to
prevent overwriting user-authored plans on reruns
- setup-plan.sh: send status messages to stderr in --json mode so stdout
remains parseable JSON
- Add tests for both fixes (bash + PowerShell)
* fix: remove trailing whitespace in PowerShell scripts
* fix: route PS skip message to stderr in -Json mode, add PS JSON assertions
Address review: setup-plan.ps1 Write-Output polluted stdout in -Json
mode when plan.md already existed. Use [Console]::Error.WriteLine()
when -Json is set. Add json.loads + stderr assertions to the PS rerun
test to catch regressions.
* fix: use Test-Path -PathType Leaf for plan existence check
Bare Test-Path matches directories too, which would silently skip plan
creation if a directory existed at the plan.md path.
* Re-validate spec quality checklist after clarify updates spec
After clarify modifies spec.md, the existing checklists/requirements.md
(generated by specify) can become stale. Items like 'No [NEEDS
CLARIFICATION] markers remain' may now pass, and newly added requirements
aren't reflected in the checklist evaluation.
Add step 8 to the clarify command that re-validates the spec quality
checklist against the updated spec after each clarification session:
- Check/uncheck items based on current spec state
- Report before/after pass counts in the completion report
- Skip silently if no checklist exists
Fixes#2693
* Address review: scope to checkbox lines, use FEATURE_DIR path
- Constrain re-validation to GitHub task-list checkbox lines only
(- [ ] / - [x] outside code fences), ignoring headings, notes,
and non-checkbox content
- Define pass counts as checked/total checkbox items
- Use FEATURE_DIR/checklists/requirements.md in Done When for
consistency with the rest of the template
* Address review: handle regressions in checklist revalidation
- Clarify that each checkbox is set based solely on current spec state,
regardless of prior marker (checked->unchecked is possible)
- Completion report now lists both newly passing items and regressions
(checked->unchecked) so users see what became non-compliant
* Address review: case-insensitive checkboxes, preserve file verbatim
- Accept [x], [X], and leading whitespace for nested task items
- Explicitly state only the [ ]/[x] marker is toggled; all other
file content (headings, metadata, notes, ordering, whitespace)
must remain unchanged to avoid noisy diffs
* Address review: track per-item state, preserve marker case
- Add explicit before-snapshot step to capture each item's prior
marker state before re-evaluation
- Compute three lists for the report: newly passing, regressions,
and still unchecked
- Only toggle markers whose checked/unchecked state actually changes;
preserve existing case ([x]/[X]) when state is unchanged to avoid
cosmetic diffs
* chore: bump version to 0.8.15
* chore: begin 0.8.16.dev0 development
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* fix: promote post-execution hook dispatch to H2 with directive language
Restructure the after_* hook dispatch in all five core command templates
(specify, clarify, implement, plan, tasks) to make hook execution
structurally unmissable by LLMs during interactive slash-command flows.
Changes applied consistently across all five templates:
1. Promote hook block from a final numbered step to a top-level
'## Mandatory Post-Execution Hooks' H2, placed before the completion
report. An H2 boundary is salient in a way that a numbered sub-step
buried after 'Report completion' is not.
2. Use directive language for mandatory hooks: 'You MUST emit
EXECUTE_COMMAND: for each mandatory hook' and 'You MUST complete this
section before reporting completion to the user.' The previous
conditional framing ('check if', 'based on its optional flag') buried
the mandatory cases.
3. List mandatory hooks before optional hooks in the dispatch block, so
the required action appears first.
4. Add a terminal '## Done When' verification checklist at the end of
each template, including 'Extension hooks dispatched' as an explicit
completion criterion. This gives the model a structured opportunity to
verify completion before exiting.
5. Extract the completion report into its own '## Completion Report' H2
section, clearly separated from the hook dispatch.
These changes preserve the interactive-vs-workflow distinction and do not
introduce auto-run. They raise the reliability of the existing
best-effort dispatch mechanism.
Fixes#2688
* fix: address review — narrow Done When wording and move to end of templates
- Narrow the hooks checklist item from a broad condition to 'dispatched
or skipped according to the rules in Mandatory Post-Execution Hooks
above' so it does not contradict the filtering rules for disabled
hooks or hooks with non-empty conditions.
- Move the Done When section to the actual end of specify.md, plan.md,
and tasks.md so it does not signal premature completion before the
agent reads required guidance sections (Quick Guidelines, Phases/Key
rules, Task Generation Rules).
* fix: update stale step 8 reference in specify.md validation flow
The old 'proceed to step 8' pointed to the completion report step that
was renumbered when hook dispatch was promoted to its own H2 section.
Update the reference to point to 'Mandatory Post-Execution Hooks'.
* fix: create skills directory on demand during extension/preset install
_get_skills_dir() in both extensions.py and presets.py returned None
when the skills directory did not yet exist on disk, even though skills
were enabled in init-options. This caused extension skill registration
to silently produce an empty registered_skills list and skip writing
SKILL.md files.
Replace the is_dir() bail-out with mkdir(parents=True, exist_ok=True)
so the directory is created on demand when ai_skills is enabled.
Update the existing test expectation and add a parametrized regression
test (claude + codex) that installs an extension before the skills
directory exists and asserts SKILL.md files and registry entries are
created.
Fixes#2682
* test: assert skills dir is NOT created when skills are disabled
Strengthen negative tests to verify _get_skills_dir does not create the
directory on disk when ai_skills is false or init-options.json is absent.
* fix: add symlink/containment check and preserve Kimi existence gate
Address PR review feedback:
- Use _ensure_safe_shared_directory() instead of raw mkdir() to prevent
symlink-following writes outside the project root.
- Restore the is_dir() existence gate for the Kimi native-skills
fallback (ai_skills=false): only create the directory on demand when
ai_skills is explicitly enabled.
- Update docstrings to reflect the on-demand vs existence-gate behavior.
- Reuse resolve_skills_dir helper in tests instead of manually
reconstructing paths from AGENT_CONFIG.
* refactor: extract resolve_active_skills_dir shared helper
Deduplicate the _get_skills_dir logic that was nearly identical in
ExtensionManager and PresetManager into a single module-level
resolve_active_skills_dir() function in __init__.py.
The shared helper wraps _ensure_safe_shared_directory errors with
skills-specific messages so users see 'agent skills directory' instead
of 'shared infrastructure directory' in error output.
Both class methods now delegate to the shared helper.
* fix: preserve original error reason in skills dir safety check
Include the original exception message from _ensure_safe_shared_directory
in the re-raised ValueError so the user sees the specific reason (symlink,
not-a-directory, path escape, etc.) instead of a generic message.
* fix: handle skills dir safety errors gracefully during install
Catch ValueError/OSError from _get_skills_dir() inside
_register_extension_skills() so a symlink or permission error logs a
warning and returns [] instead of aborting mid-install and leaving a
partially-installed extension without a registry entry.
Also document OSError in resolve_active_skills_dir() docstring.
* fix: catch errors in _get_skills_dir and use _print_cli_warning
Move the ValueError/OSError catch from _register_extension_skills into
_get_skills_dir itself so all callers (install, uninstall, reconcile)
are protected from unsafe-path exceptions.
Replace logging.getLogger().warning with _print_cli_warning for
consistent Rich-formatted user output.
* fix: use context-aware error messages for skills directory safety
Add a 'context' parameter to _ensure_safe_shared_directory (defaults to
'shared infrastructure directory' for backward compat). The skills dir
caller passes context='agent skills directory' so error messages say
e.g. 'Refusing to use symlinked agent skills directory' instead of
'Refusing to use symlinked shared infrastructure directory'.
Simplify resolve_active_skills_dir by removing the now-unnecessary
try/except wrapper.
* fix: validate Kimi native-skills directory for symlink/containment
The Kimi fallback path (ai_skills=false) used is_dir() which follows
symlinks, so a symlinked .kimi/skills could cause writes outside the
project root. Now validates with _ensure_safe_shared_directory(create=
False) before returning the directory.
* chore: bump version to 0.8.14
* chore: begin 0.8.15.dev0 development
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* refactor: create commands/ package and move init handler (PR-4/8)
- Extract agent configuration constants (AGENT_CONFIG, AI_ASSISTANT_HELP,
SCRIPT_TYPE_CHOICES, etc.) to _agent_config.py to avoid circular imports
- Create commands/ package skeleton with stub modules for each command group
- Move init command handler (~670 lines) from __init__.py to commands/init.py
using the register(app) pattern; lazy imports inside the handler body
prevent circular dependencies with __init__.py
- Re-export AGENT_CONFIG, AI_ASSISTANT_HELP, SCRIPT_TYPE_CHOICES from
__init__.py for backward compatibility
- Add tests/test_commands_package.py to verify package structure
* fix(tests): update patch targets after moving init handler to commands/init.py
_stdin_is_interactive and select_with_arrows are now bound in
specify_cli.commands.init, not specify_cli directly.
* fix(lint): remove unused imports and mark re-exports in __init__.py
- Remove shutil, shlex top-level imports (used lazily inside functions)
- Remove rich.live.Live import (moved to commands/init.py)
- Mark select_with_arrows and _locate_bundled_workflow as explicit
re-exports to satisfy ruff F401
* chore: add from __future__ import annotations to new modules
Aligns with the project convention established in _console.py, _assets.py,
_utils.py, and other modules.
* docs(cli): align init help with bundled scaffolding
Potential fix for pull request finding
Update command package documentation and init help text to reflect the current implementation: init uses bundled assets and integration setup, while placeholder command modules are import anchors until extracted. Remove the unused tracker-active flag assignment that had no reader in the codebase.
Constraint: --offline is hidden/no-op and init no longer downloads templates from GitHub releases
Rejected: Add no-op register functions to placeholder modules | would imply extracted command groups are implemented there
Confidence: high
Scope-risk: narrow
Directive: Keep CLI help text aligned with the actual init scaffolding path
Tested: uv run specify init --help; uv run pytest tests/test_commands_package.py tests/test_agent_config_consistency.py -q; uv run pytest tests/test_commands_package.py tests/test_console_imports.py tests/integrations/test_cli.py -q
Not-tested: full test suite
* fix(init): align preset failure reporting with _print_cli_warning helper
Use the _print_cli_warning helper (introduced in main) for preset install
failures so that output matches the expected format:
"Failed to install preset '<name>': ..."
"Continuing without the optional preset."
* fix(init): remove unused lazy imports
The init command imported CLI error formatting helpers through its circular-dependency-safe lazy import block, but the module does not use them. Remove those imports so ruff does not report F401.
Constraint: uvx ruff check src/ must pass.
Rejected: Wire the helpers into init error handling | Existing preset warnings already use _print_cli_warning, and changing behavior is unnecessary for this lint fix.
Confidence: high
Scope-risk: narrow
Directive: Keep lazy import blocks limited to names consumed in the importing module.
Tested: uvx ruff check src/
Not-tested: Full pytest suite
Co-authored-by: OmX <omx@oh-my-codex.dev>
---------
Co-authored-by: OmX <omx@oh-my-codex.dev>
- AGENTS.md: branch naming as a requirement for AI coding agents
- CONTRIBUTING.md: branch naming as a recommendation for human contributors
- Convention: <type>/<number>-<short-slug> where number is issue or PR number
Closes#2677
* chore: bump version to 0.8.13
* chore: begin 0.8.14.dev0 development
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* fix: while/do-while loop condition reads stale iteration-0 step output
After executing namespaced loop body steps, copy each iteration's
results back to the original unprefixed step key so that
evaluate_condition() sees the latest values instead of stale
iteration-0 data.
Fixes#2592
* address review: cross-platform tests, preserve iteration-0 history
- Rewrite shell scripts in tests to use Python via script files
instead of POSIX syntax, so they pass on Windows CI.
- Snapshot iteration-0 nested-step results under a namespaced key
(parent:child:0) before the first copy-back overwrite, preserving
complete per-iteration history for debugging.
* address review: skip copy-back on paused/failed iterations
Move the status check before the copy-back so that partial results
from paused or failed nested steps (e.g., a gate awaiting input)
do not overwrite the unprefixed key. This preserves correct resume
behavior.
* address review: quote paths in test shell commands
Quote both the Python executable and script file paths in the
run: commands to handle spaces in paths on Windows.
* address review: execute loop body with original IDs
Instead of namespacing step IDs for execution and copying results
back, execute the loop body with original (unprefixed) step IDs so
results naturally land at the right keys. Snapshot previous
iteration results to namespaced keys (parent:child:N) for history
only.
This fixes multi-step loop bodies where step B references step A's
output within the same iteration — previously step B would see
stale data until the copy-back ran after the entire iteration.
* address review: namespaced execution with per-step copy-back
Revert to namespaced step IDs for execution (preserving unique
log entries and state keys per iteration) but copy each step's
result back to the unprefixed key immediately after it completes.
This preserves backward compatibility (same namespaced key format,
same log IDs) while fixing both the condition evaluation bug and
inter-step references within multi-step loop bodies.
* address review: alias after status check, add multi-step body test
- Move per-step aliasing below the PAUSED/FAILED/ABORTED status
check so partial results from incomplete steps are not aliased
back to the unprefixed key.
- Add test_while_loop_multi_step_body_inter_step_refs to exercise
a multi-step loop body where step B reads step A's output within
the same iteration, verifying per-step aliasing works correctly.
Addresses feedback from @doquanghuy (items 2 & 4) and Copilot
review on commit 9d0a222.
* address review: stable fallback IDs, expression-based inter-step test
- Use enumerate() for stable fallback IDs when loop body steps lack
an explicit id (step-0, step-1, etc. instead of always step-0).
- Rewrite multi-step body test so step B uses expression
substitution ({{ steps.step-a.output.stdout }}) instead of
reading the counter file directly, making it a true regression
test for per-step aliasing.