* fix(shared-infra): remove stale managed scripts the core no longer ships (#3076)
install_shared_infra never removed shared scripts a prior (pre-refactor) install recorded but the current core no longer ships — e.g. the legacy scripts/<variant>/update-agent-context.sh, superseded by the bundled agent-context extension. On a legacy project the orphan lingers and crashes when it sources a refreshed common.sh (HAS_GIT unbound under set -u).
Apply the stale-removal that integration_upgrade already performs to install_shared_infra: manifest-tracked scripts the current bundle no longer produces are removed, but only managed copies (hash matches the manifest); user-customized files, symlinks, and recovered entries are preserved. Guarded so a missing/empty source can't trigger mass deletion, and the safe-destination check prevents unlinking through a symlinked ancestor.
Add IntegrationManifest.remove(); drop the stale update-agent-context.sh reference in CONTRIBUTING.md.
AI assistance: implemented with Claude Code (Anthropic); reviewed and validated locally (ruff clean, full suite 4176 passed, manual CLI repro).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(shared-infra): harden stale-cleanup per review (empty source + orphan manifest)
- Set scripts_scanned only after a real source file is seen, so an empty variant source can't trigger mass deletion of tracked scripts.
- Prune a stale manifest entry even when its file is already gone from disk, keeping the manifest consistent (previously left tracked forever).
- Add a test for each edge case.
Addresses the Copilot review comments on #3098. AI assistance: Claude Code (Anthropic), reviewed/validated locally (ruff clean, full suite 4178 passed).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(shared-infra): guard unsafe manifest keys in stale-cleanup (review)
- Skip absolute / '..' manifest keys before any filesystem access in stale-cleanup, so a corrupted/hand-edited manifest can't make it touch paths outside the project root (mirrors IntegrationManifest.check_modified / uninstall).
- Clarify the scripts_scanned comment: the safety hinge is that flag, not seen_rels (which also holds template paths).
- Add a containment test: a traversal manifest key is skipped, its target untouched.
Addresses the second round of Copilot review on #3098. AI assistance: Claude Code (Anthropic); validated locally (ruff clean, full suite 4179 passed).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(manifest): make remove() reject absolute/.. keys like its siblings (review)
IntegrationManifest.remove() now applies the same lexical validation and normalization as record_existing() / is_recovered(): absolute paths and '..' segments are rejected (return False) instead of being used verbatim as a key. Keeps the manifest API consistent. Adds tests (valid drop + no-op, absolute rejected, traversal rejected).
Addresses the third round of Copilot review on #3098. AI assistance: Claude Code (Anthropic); validated locally (ruff clean, full suite 4182 passed).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(shared-infra): validate stale-cleanup keys for containment, not just lexically (review)
The stale-script cleanup guarded manifest keys with a lexical check only
(is_absolute() / ".." segments). On Windows a drive-relative key such as
"C:tmp\\file" is not is_absolute(), yet joining it onto the project path
discards the root — so cleanup could stat/unlink outside the project before
_ensure_safe_shared_destination raised, and a corrupted manifest key turned
into an install-time hard failure (ValueError) instead of being skipped.
Reuse the canonical containment helper (_validate_rel_path, the same one
IntegrationManifest.is_recovered / remove use): after the fast lexical reject,
resolve the join and confirm it stays within the project root; a key that
still escapes is skipped, never unlinked, never fatal.
Adds a regression test that forces _validate_rel_path to reject a managed key
(portably simulating the Windows drive-relative escape) and asserts the
install skips it without failing and still installs the real scripts.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* docs: dogfood Spec Kit — bundler SDD artifacts + constitution
Scaffold Spec Kit (--integration copilot) and run the full SDD workflow
against the `specify bundle` subcommand feature:
- spec.md (4 user stories, 31 FRs, 8 success criteria) + clarifications
- plan.md, research.md, data-model.md, contracts/, quickstart.md
- tasks.md (43 dependency-ordered tasks, organized by user story)
- Spec Kit Constitution v1.0.0 (code quality, testing, UX, performance,
dependency/security principles) derived from deep codebase analysis
- plan Constitution Check + tasks grounded against the ratified principles
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(bundler): add `specify bundle` subcommand for role-based setups
Implements the Spec Kit Bundler as a `specify bundle ...` subcommand group
that calls existing primitive machinery in-process with zero new dependencies,
per the v1.0.0 constitution (Principles I-V).
Adds the `specify_cli.bundler` package (models, services, lib helpers) and the
`commands/bundle` Typer group wiring search, info, list, install, update,
remove, validate, build, init, and catalog list/add/remove (with --json and
--offline). Includes manifest/catalog schemas, version + integration-clash
gating, discovery-only refusal, idempotent install with atomic rollback,
non-collateral removal, and offline-first catalog resolution.
Ships an 82-test suite (contract/unit/integration), four sample role bundles
(product-manager, business-analyst, security-researcher, developer), README
"Bundles" docs, and an AGENTS.md pitfall on the test-venv gotcha. Marks
tasks T001-T043 complete and records follow-ups T044 (live in-process
primitive dispatch) and T045 (install from a local artifact path).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs(contributing): document running the full test suite via project .venv
Add a "Running the full test suite" subsection under Automated checks covering
`uv pip install -e ".[test]"` + `.venv/bin/python -m pytest`, with the
shared/global editable-install contamination caveat that mirrors the AGENTS.md
pitfall.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(bundler): wire real in-process primitive install + local-artifact install
Closes the two follow-ups left after the initial bundler landing.
T044 — DefaultPrimitiveInstaller now performs real installs through existing
machinery instead of raising "use the primitive command" errors:
- presets/extensions install via their reusable managers
(install_from_directory / install_from_zip); bundled assets install fully
offline, catalog assets are fetched only when the network is allowed.
- workflows/steps delegate to the existing `workflow add` / `workflow step add`
command callables in-process (project root as cwd), avoiding any duplicated
download/validation logic (Principle I).
- `--offline` is threaded through DefaultPrimitiveInstaller(allow_network=…) so
network-only kinds refuse with an actionable message rather than silently
reaching out.
T045 — `specify bundle install` now accepts a local path (a built .zip
artifact, a bundle directory, or a bundle.yml) and installs directly without
consulting the catalog stack; bundle-ids still resolve via the stack.
Adds 13 tests (routing, offline gating, local-source resolution, and an
end-to-end offline build → install → list → remove of the bundled
agent-context extension). Bundler suite: 95 passing; ruff clean. Marks T044
and T045 complete in tasks.md.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs(bundler): append Phase 8 convergence tasks from converge assessment
Ran the converge command: assessed the codebase against spec.md, plan.md,
tasks.md, and the v1.0.0 constitution. Appended 7 traceable gap-closure tasks
(T046–T052) as a new "Phase 8: Convergence" section. Append-only — no existing
tasks were modified and no application code was changed.
Findings: 1 CRITICAL (Constitution III — bundle group undocumented under
docs/reference/), 3 HIGH (FR-005/SC-007 validate references; FR-009/SC-002 info
expansion; FR-012 install-time init), 3 MEDIUM (FR-013 integration precedence;
FR-020 surface overlaps; FR-028 update refresh).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Implement Phase 8 convergence tasks (T046–T052)
Close the gaps the converge command found between the bundler spec/plan/
constitution and the code:
- T046: add docs/reference/bundles.md documenting the full `specify bundle`
command group; link it from docs/reference/overview.md (Constitution III).
- T047: wire a reference checker into `bundle validate` (services/references.py);
online runs fail and name unresolved component references, offline runs warn.
- T048: expand `bundle info` to enumerate the full component set (versions,
preset priority/strategy) plus the bundle integration — info == install.
- T049/T050: `bundle install`/`bundle init` now scaffold an uninitialized
project via the existing `specify init` machinery, choosing the integration by
precedence (override → bundle-declared → Copilot + OS default script type).
- T051: surface foreseeable component overlaps during info and install.
- T052: `bundle update` refreshes already-installed components via a new
refresh path in install_bundle, preserving primitive-level overrides.
Adds unit/contract/integration coverage (107 tests pass).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* converge: append Phase 9 (T053) — surface bundle trust indicator
Re-run of converge after Phase 8. The seven Phase 8 tasks are verified closed.
One residual partial gap remains: the `verified`/trust indicator (FR-010,
FR-027) is exposed only in `bundle info --json`, absent from `bundle search`
(the primary discovery surface) and `bundle info` text. Appended as a single
new task for implement to complete. Append-only; no code changed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Implement T053 — surface bundle trust indicator in discovery
`bundle search` (text + JSON) and `bundle info` (text + JSON) now expose each
catalog entry's verification/trust level (verified vs community), so users can
judge a bundle's trust before installing, per FR-010 / FR-027. Previously
`verified` was only present in `bundle info --json`.
Adds contract coverage; 108 tests pass.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: dogfood Spec Kit — bundler SDD artifacts + constitution
Scaffold Spec Kit (--integration copilot) and run the full SDD workflow
against the `specify bundle` subcommand feature:
- spec.md (4 user stories, 31 FRs, 8 success criteria) + clarifications
- plan.md, research.md, data-model.md, contracts/, quickstart.md
- tasks.md (43 dependency-ordered tasks, organized by user story)
- Spec Kit Constitution v1.0.0 (code quality, testing, UX, performance,
dependency/security principles) derived from deep codebase analysis
- plan Constitution Check + tasks grounded against the ratified principles
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(bundler): add `specify bundle` subcommand for role-based setups
Implements the Spec Kit Bundler as a `specify bundle ...` subcommand group
that calls existing primitive machinery in-process with zero new dependencies,
per the v1.0.0 constitution (Principles I-V).
Adds the `specify_cli.bundler` package (models, services, lib helpers) and the
`commands/bundle` Typer group wiring search, info, list, install, update,
remove, validate, build, init, and catalog list/add/remove (with --json and
--offline). Includes manifest/catalog schemas, version + integration-clash
gating, discovery-only refusal, idempotent install with atomic rollback,
non-collateral removal, and offline-first catalog resolution.
Ships an 82-test suite (contract/unit/integration), four sample role bundles
(product-manager, business-analyst, security-researcher, developer), README
"Bundles" docs, and an AGENTS.md pitfall on the test-venv gotcha. Marks
tasks T001-T043 complete and records follow-ups T044 (live in-process
primitive dispatch) and T045 (install from a local artifact path).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs(contributing): document running the full test suite via project .venv
Add a "Running the full test suite" subsection under Automated checks covering
`uv pip install -e ".[test]"` + `.venv/bin/python -m pytest`, with the
shared/global editable-install contamination caveat that mirrors the AGENTS.md
pitfall.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(bundler): wire real in-process primitive install + local-artifact install
Closes the two follow-ups left after the initial bundler landing.
T044 — DefaultPrimitiveInstaller now performs real installs through existing
machinery instead of raising "use the primitive command" errors:
- presets/extensions install via their reusable managers
(install_from_directory / install_from_zip); bundled assets install fully
offline, catalog assets are fetched only when the network is allowed.
- workflows/steps delegate to the existing `workflow add` / `workflow step add`
command callables in-process (project root as cwd), avoiding any duplicated
download/validation logic (Principle I).
- `--offline` is threaded through DefaultPrimitiveInstaller(allow_network=…) so
network-only kinds refuse with an actionable message rather than silently
reaching out.
T045 — `specify bundle install` now accepts a local path (a built .zip
artifact, a bundle directory, or a bundle.yml) and installs directly without
consulting the catalog stack; bundle-ids still resolve via the stack.
Adds 13 tests (routing, offline gating, local-source resolution, and an
end-to-end offline build → install → list → remove of the bundled
agent-context extension). Bundler suite: 95 passing; ruff clean. Marks T044
and T045 complete in tasks.md.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs(bundler): append Phase 8 convergence tasks from converge assessment
Ran the converge command: assessed the codebase against spec.md, plan.md,
tasks.md, and the v1.0.0 constitution. Appended 7 traceable gap-closure tasks
(T046–T052) as a new "Phase 8: Convergence" section. Append-only — no existing
tasks were modified and no application code was changed.
Findings: 1 CRITICAL (Constitution III — bundle group undocumented under
docs/reference/), 3 HIGH (FR-005/SC-007 validate references; FR-009/SC-002 info
expansion; FR-012 install-time init), 3 MEDIUM (FR-013 integration precedence;
FR-020 surface overlaps; FR-028 update refresh).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Implement Phase 8 convergence tasks (T046–T052)
Close the gaps the converge command found between the bundler spec/plan/
constitution and the code:
- T046: add docs/reference/bundles.md documenting the full `specify bundle`
command group; link it from docs/reference/overview.md (Constitution III).
- T047: wire a reference checker into `bundle validate` (services/references.py);
online runs fail and name unresolved component references, offline runs warn.
- T048: expand `bundle info` to enumerate the full component set (versions,
preset priority/strategy) plus the bundle integration — info == install.
- T049/T050: `bundle install`/`bundle init` now scaffold an uninitialized
project via the existing `specify init` machinery, choosing the integration by
precedence (override → bundle-declared → Copilot + OS default script type).
- T051: surface foreseeable component overlaps during info and install.
- T052: `bundle update` refreshes already-installed components via a new
refresh path in install_bundle, preserving primitive-level overrides.
Adds unit/contract/integration coverage (107 tests pass).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* converge: append Phase 9 (T053) — surface bundle trust indicator
Re-run of converge after Phase 8. The seven Phase 8 tasks are verified closed.
One residual partial gap remains: the `verified`/trust indicator (FR-010,
FR-027) is exposed only in `bundle info --json`, absent from `bundle search`
(the primary discovery surface) and `bundle info` text. Appended as a single
new task for implement to complete. Append-only; no code changed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Implement T053 — surface bundle trust indicator in discovery
`bundle search` (text + JSON) and `bundle info` (text + JSON) now expose each
catalog entry's verification/trust level (verified vs community), so users can
judge a bundle's trust before installing, per FR-010 / FR-027. Previously
`verified` was only present in `bundle info --json`.
Adds contract coverage; 108 tests pass.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): address PR review — annotations, Windows paths, HTTPS, errors, reproducible builds
Resolves automated review feedback on github/spec-kit#3070:
- validator: drop redundant string-quoting on ReferenceChecker's
`str | None` return so the annotation evaluates as a real union under
`from __future__ import annotations`.
- adapters: normalize Windows drive-letter paths (e.g. C:\...) to the
local-file branch so offline file catalogs resolve on Windows.
- adapters: enforce HTTPS (HTTP only for localhost) and require a host on
remote catalog URLs before any network call, mirroring
specify_cli.catalogs URL validation (MITM/downgrade protection).
- adapters: pass `origin` to loads_json for local files and HTTP payloads
so JSON parse errors name the real source instead of <string>.
- manifest: parse component `priority` defensively, raising an actionable
BundlerError on non-integer values instead of a raw ValueError.
- packager: write zip members with a fixed timestamp + permissions so
identical inputs yield byte-for-byte identical artifacts (genuinely
reproducible builds), and strengthen the determinism test accordingly.
Adds regression tests for priority validation, plain-HTTP/host rejection,
and byte-level artifact reproducibility (111 bundler tests pass; ruff clean).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): address PR review round 2 — nested output dir + file:// URLs
- packager: when --output points inside the bundle directory, exclude the
whole output subtree from collection so previously-built artifacts are
never re-packaged (prevents broken reproducibility and unbounded growth).
- adapters: resolve file:// catalog URLs via url2pathname and preserve
netloc, so Windows file URLs (file:///C:/...) and UNC shares
(file://server/share) resolve correctly instead of dropping the host or
producing /C:/x.
Adds regression tests for nested-output exclusion and file:// resolution
(113 bundler tests pass; ruff clean).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): address PR review round 3 — discovery UX + hardening
- bundle search/info: fall back to the built-in/user catalog stack instead of
requiring a Spec Kit project, so discovery works in a fresh directory (and
the README/quickstart examples now match actual behavior). install still
auto-initializes a project as before.
- packager: traverse with os.walk(followlinks=False) and prune symlinked
directories before descending, so a symlink-to-dir can no longer pull in
out-of-tree files (which previously turned "skip symlinks" into a hard
ensure_within() failure and did extra filesystem work).
- records: parse contributed-component priority defensively, raising an
actionable BundlerError on a corrupt records file instead of leaking a raw
ValueError/traceback.
- installer: give install_bundle's manifest parameter an explicit
BundleManifest | None type for a clearer, safer service API.
Adds regression tests for project-less search/info, symlinked-dir pruning,
and corrupt-priority records (117 bundler tests pass; ruff clean).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): address PR review round 4 + markdownlint exclusions
Review fixes:
- bundle info: expand the manifest regardless of install policy so
discovery-only bundles remain inspectable (only install is refused).
- _download_manifest: handle local .zip download_url by extracting bundle.yml
(via _local_manifest_source), and add a real remote HTTPS fetch path using
the shared authenticated, redirect-validated open_url client (HTTPS enforced
on the initial URL and every redirect; offline still refuses).
- _run_init: thread the --offline flag through to the init callback so
`bundle install/init --offline` never performs network init.
- conflict.ConflictReport: use field(default_factory=list) and drop the
None + __post_init__ workaround.
- CatalogSource.from_dict: parse priority defensively, raising an actionable
BundlerError naming the source + offending value instead of a raw ValueError.
markdownlint:
- Exclude .specify/, .github/, and specs/ (and their subdirectories) from
markdownlint so the in-flight dogfooding scaffolding doesn't trip the linter.
Adds regression tests for discovery-only info, local-zip download_url, and
non-integer catalog priority (120 bundler tests pass; ruff clean; the PR's own
markdown lints clean).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): address PR review round 5 + ignore generated files in whitespace check
Review fixes:
- packager: exclude any prior build artifact for this bundle (matching
<id>-*.zip), not just the current output path, so older artifacts next to
bundle.yml are never re-packaged.
- docs(bundles): correct the note — `search` and `info` work without a project
(they fall back to the built-in/user catalog stack); only list/update/remove/
catalog require an initialized project.
CI / generated files:
- .gitattributes: mark the generated dogfooding scaffolding (.specify/**, the
speckit .github agent/prompt files, copilot-instructions.md, specs/**) with
-whitespace so `git diff --check` (the Lint workflow's whitespace gate) stops
flagging emitted trailing whitespace. These files are produced by
`specify init` and are scrubbed before merge.
Adds a regression test for prior-artifact exclusion (121 bundler tests pass;
ruff clean).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): collision-resistant catalog ids, canonical local paths, explicit uninstalled result
Addresses review round 6 (PR #3070):
- catalog_config._derive_id now combines host label with the URL path stem so
multiple catalogs from the same host get distinct, stable default ids.
- add_source canonicalizes local file paths to absolute before persisting, so
project config no longer depends on the caller's cwd.
- InstallResult gains a dedicated `uninstalled` list; remove_bundle no longer
overloads `installed` for removals, and the CLI prints from `uninstalled`.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): confine config writes, guard indeterminate integration, fix validate docs
Addresses review round 7 (PR #3070):
- save_records and catalog_config._write now pass within=project_root to
dump_json/dump_yaml, refusing symlinked .specify paths that escape the
project (defense-in-depth, matching the rest of the codebase).
- resolve_install_plan now fails when a bundle pins an integration but the
project's active integration cannot be determined and no explicit
--integration override was given, instead of silently adopting the bundle's
required integration (FR-019 guard). CLI passes integration_explicit.
- docs/reference/bundles.md: corrected the validate semantics to describe the
actual best-effort online behavior (unreachable catalogs warn, not fail).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): Windows path handling + review round 8 hardening
Fix Windows CI failures:
- is_safe_relpath now rejects POSIX-absolute (/abs) and Windows drive-absolute
(C:\x, UNC) paths on every OS, instead of passing them through on Windows
where os.path.isabs('/abs') is False and Path('/abs').parts yields '\\'.
- _download_manifest treats a Windows drive-letter download_url (C:\bundle.yml,
which urlparse reads as scheme 'c') as a local file, fixing the empty
component set in `bundle info` on Windows.
Address review round 8 (PR #3070):
- Bundled workflows now install under --offline (locate via
_locate_bundled_workflow) instead of being refused unconditionally.
- bundle update preserves the original installed_at timestamp on refresh
(import find_record; reuse the existing record's timestamp).
- _derive_id lowercases the host label so 'Example.com' and 'example.com'
produce the same deterministic id.
- CatalogEntry.from_dict validates 'tags' is a list and 'verified' is a real
boolean, raising BundlerError on invalid untrusted shapes.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): normalize SemVer prerelease spellings before version parsing
Addresses review round 9 (PR #3070): parse_version and is_semver now apply the
same prerelease normalization (mirroring specify_cli._version._normalize_tag)
so SemVer spellings like 1.2.3-rc1 / 1.2.3-alpha1 validate and compare
consistently across is_semver, parse_version, and satisfies. Leading 'v' is
also stripped. Keeps the manifest validator and constraint checks in agreement.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): no collateral removal + enforce manifest-pinned versions
Addresses review round 10 (PR #3070):
- install_bundle records only the components this bundle actually contributed:
freshly-installed components, plus pre-existing ones already owned by this
bundle (refresh) or a sibling bundle (shared/refcounted). A component that is
installed on disk but tracked by no bundle was installed independently and is
no longer attributed, so `bundle remove` won't uninstall it (FR-022).
- preset/extension/workflow install paths now verify the active catalog's
advertised version matches the manifest-pinned component.version before
downloading/installing, raising BundlerError on mismatch so bundles stay
reproducible. When a catalog advertises no version the pin can't be enforced
and installation proceeds.
Added regression tests: independent pre-existing component survives removal;
version-mismatch refusal (helper + workflow path).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(scripts): add SPECIFY_INIT_DIR to target a member project from the repo root (#2892)
* feat(scripts): add SPECIFY_INIT_DIR to target a member project from the repo root
Resolve an explicit SPECIFY_INIT_DIR project override once in the core
get_repo_root / Get-RepoRoot, so a non-interactive / CI caller can target a
member project (the directory containing .specify/) from a monorepo root
without cd. Strict by design: the path must exist and contain .specify/,
otherwise it hard-errors with no silent fallback.
- Single resolver in core; the git feature-branch script inherits it by
sourcing core, with no per-extension copies.
- PS resolver verifies the resolved path is a directory (Resolve-Path also
succeeds for files) so a file value errors as "not an existing directory".
- get_feature_paths splits decl/assignment so a SPECIFY_INIT_DIR failure
propagates instead of being masked by `local`.
- create-new-feature-branch: when core is absent (only git-common loaded) and
SPECIFY_INIT_DIR is set, hard-error rather than silently using the git root.
- Document SPECIFY_INIT_DIR and SPECIFY_FEATURE_DIRECTORY in the core reference.
- Tests for valid/relative/trailing-slash/file/missing/no-.specify targets,
feature-axis composition, the no-core guard, and a PowerShell mirror.
* fix: guard SPECIFY_INIT_DIR with stale core scripts
* docs: clarify SPECIFY_FEATURE_DIRECTORY precedence wording
* fix: normalize trailing slash in PowerShell SPECIFY_INIT_DIR resolver
Resolve-Path preserves a trailing separator from its input, so a
SPECIFY_INIT_DIR ending in a slash returned a root that didn't match the
bash resolver (whose `cd && pwd` strips it). That broke
test_ps_trailing_slash_tolerated on the CI runners, which do have pwsh.
Trim it with TrimEndingDirectorySeparator (no-op on a bare root or a path
with no trailing separator).
Also fix the misleading test comment: the PowerShell mirror runs on the
CI ubuntu/windows runners (they ship pwsh), it is not skipped there.
* test: normalize bash path expectations on Windows
* docs: clarify SPECIFY_INIT_DIR root helpers
* chore: sync dogfooded .specify core scripts with SPECIFY_INIT_DIR
Mirror the SPECIFY_INIT_DIR resolver (resolve_specify_init_dir in
common.sh) into the committed dogfooding .specify/scripts/bash copies so
the git extension's create-new-feature-branch.sh finds an up-to-date
common.sh instead of failing with "requires updated Spec Kit core
scripts". Fixes the test_init_dir.py CI failures.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): harden remote catalog fetch and config parsing
- adapters: route catalog HTTP fetches through the shared authenticated
client (authentication.http.open_url) so auth.json tokens apply and the
Authorization header is stripped on cross-host/downgrade redirects.
Reject any redirect that leaves HTTPS via a redirect_validator and
re-validate the final URL after redirects, closing the urlopen
auto-redirect MITM/downgrade gap.
- catalog_config._read: raise an actionable BundlerError when the config
top level is not a mapping, 'catalogs' is not a list, or an entry is
not a mapping, instead of letting list(<str>) produce a downstream
AttributeError.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): tighten record read confinement, policy gate, and precedence
Addresses review 4534504799:
- records.load_records: confine the read via ensure_within(project_root,
...) so a symlinked/traversal-escaping .specify cannot read arbitrary
files outside the project (matches the write path's within= guard).
- catalog_config._slug: lowercase so derived catalog ids are
deterministic across platforms and case-variant duplicates can't slip
past the case-sensitive dup check.
- installer.install_bundle: reword the docstring's misleading "atomic on
failure" claim to describe the real scoped guarantee (record written
only on full success; rollback limited to newly-installed components).
- bundle update: enforce the source install_policy like install, refusing
to update from a discovery-only source (FR-025).
- catalog source precedence: the CLI now passes ~/.specify as the user
config dir so project > user > built-in precedence is actually
reachable (previously the user scope was silently ignored).
- .gitattributes: scope the specs whitespace exemption to the generated
dogfooding feature dir (specs/001-spec-kit-bundler/**) instead of all
of specs/**.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): no collateral refresh, catalog id integrity, loud info
Addresses review 4534571362:
- installer: in refresh mode (bundle update) only re-apply already-
installed components that this bundle (or a sibling) owns. Components
installed independently and tracked by no bundle are now skipped, never
refreshed, so update cannot make collateral changes (FR-022).
- catalog.load_catalog_payload: validate each entry's own id is present
and matches its enclosing bundles key, rejecting catalogs that would
otherwise list a spoofed or unresolvable id.
- bundle info: stop swallowing manifest download failures. If the
manifest can't be resolved (e.g. --offline against an https download_url
or a download failure), surface the error and exit non-zero instead of
silently degrading to catalog `provides` counts, preserving the "info
== what install applies" guarantee.
Added regressions: refresh leaves independently-installed components
untouched, catalog id key/field mismatch + missing id rejection, and
info exits non-zero when the manifest is unresolvable offline.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): confine catalog-config and integration-marker reads
Addresses review 4534716790: two more state reads bypassed the
symlink/path-escape confinement that records and the write paths already
enforce.
- catalog_config._read: validate the config path with
ensure_within(project_root, ...) before exists()/read, so a symlinked
.specify resolving outside project_root is rejected instead of read.
- lib.project.active_integration: confine the .specify/integration.json
read the same way; an out-of-tree escape is treated as "not
determinable" (returns None) rather than followed.
Added regressions covering both via a symlinked .specify pointing
outside the project root.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): validate manifest tags, disambiguate derived ids by full host
Addresses review 4534768419:
- manifest.from_dict: reject a non-list `tags` (e.g. a bare string) instead
of splitting it character-by-character, matching the catalog parser and
the schema contract (tags = list of strings).
- catalog_config._derive_id: derive ids from the full host (TLD included)
so example.com and example.net no longer collide on the same id. Updated
the affected id assertions.
- CHANGELOG: call out the new `specify bundle` command group in the
unreleased section (the PR's headline user-facing feature).
- .gitattributes: clarify the specs whitespace exemption — the dogfooding
feature dir is scrubbed before merge (not retained), so it doesn't weaken
checks for kept docs.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore(gitattributes): retain whitespace exemption for constitution.md
The project constitution (.specify/memory/constitution.md) is the one
dogfooding artifact carried forward past the pre-merge scrub. Give it its
own standalone whitespace exemption so it survives removal of the broader
.specify/** generated-scaffolding exemption.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): accurate uninstall count, confine catalog read, safe bundle id
Addresses review 4534812056:
- installer.remove_bundle: only count a component as uninstalled when
installer.remove() actually ran; components already absent on disk are
reported as skipped, keeping the uninstalled count accurate.
- catalog.load_source_stack: confine the project-scoped .specify config read
with ensure_within, so a symlinked .specify/ resolving outside the project
root is refused (consistent with the bundler's other guarded reads).
- manifest: enforce a filesystem-safe slug for bundle.id in structural
validation; packager.build_bundle adds an ensure_within defense-in-depth
check so a crafted id can never push the artifact outside the output dir.
Also reverts the CHANGELOG entry (the changelog is updated separately).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): validate requires/provides shapes in manifest and catalog
Addresses review 4534855443:
- manifest: validate requires.tools and requires.mcp as list-of-strings via
a shared _parse_str_list helper (also reused for tags), so a bare string
like `tools: docker` is rejected with an actionable BundlerError instead of
being split character-by-character.
- catalog.CatalogEntry.from_dict: validate that `requires` and `provides` are
mappings before accessing them, so an untrusted catalog payload with
`requires: "..."` raises a named BundlerError rather than escaping as a raw
AttributeError traceback.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): require README.md when building a bundle artifact
Addresses review 4534938014: build_bundle now fails early with an
actionable error when README.md is missing, matching the documented
artifact contract (manifest + README) instead of silently producing a
bundle with no human-facing description.
Also reverts CHANGELOG.md to the upstream/main copy.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): validate record shapes; drop stale install --refresh claim
Addresses review 4534969692:
- records.InstalledBundleRecord.from_dict: hard-error when
contributed_components is not a list, instead of iterating a corrupt
bare string character-by-character.
- records.load_records: validate the top-level 'bundles' field is a list and
fail with a clear BundlerError when a corrupt file makes it a mapping/string.
- PR description: remove the inaccurate "supports --refresh" note from
`bundle install` (refresh is the `bundle update` path); docs already omit it.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): refuse symlinked .specify, reject bad url schemes, IPv6 ids
Addresses review 4534997724:
- lib.project.find_project_root: a symlinked .specify is no longer accepted
as a project root (is_dir() follows symlinks), matching the confinement the
rest of the CLI applies and avoiding confusing downstream failures.
- catalog_config.add_source: reject unsupported url schemes (ssh://, ftp://,
...) up front instead of silently treating them as local paths; local paths
containing ':' but not '://' are still allowed.
- catalog_config._derive_id: derive the host via urlparse().hostname so IPv6
literals, credentials, and ports no longer corrupt the derived id.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): strict semver, narrow artifact skip, preserve priority 0
Addresses review 4535084048:
- versioning.is_semver: enforce a full MAJOR.MINOR.PATCH SemVer (with optional
pre-release/build) via a dedicated regex, instead of accepting any
packaging.version.Version-parseable string (e.g. "1", "1.0"). This makes
BundleManifest.structural_errors() reject non-semver versions.
- packager: narrow the prior-artifact skip pattern to semver-named zips
(<id>-<x.y.z>.zip) so legitimate assets like <id>-assets.zip are still
packaged.
- primitives (preset + extension install): use an explicit `is None` check so
an intentional priority of 0 is preserved instead of being replaced by the
default.
Adds regressions: non-semver rejection ("1"/"1.0"/"1.2.3.4"), asset-not-
excluded vs semver-artifact-excluded, and priority-0 pass-through.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): artifact regex for prerelease+build; clarify integration/priority docs
Addresses review 4535132279:
- packager: the prior-artifact skip regex now matches semver names carrying
both a prerelease and build-metadata segment (e.g. 1.0.0-rc1+build5), so such
an existing artifact is excluded rather than re-packaged — keeping builds
bounded/deterministic, consistent with is_semver().
- docs/reference/bundles.md: correct the install integration wording.
--integration selects the integration when initializing a new project and
confirms the target when a pinned bundle's active integration can't be
determined; it does NOT override a bundle that targets a specific integration
(a mismatch aborts with no changes).
- examples/security-researcher README: reword the preset priority note in terms
of the numeric comparison (ascending priority order) to avoid inverting the
meaning.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): --integration can't bypass clash guard; honest rollback docs
Addresses review 4535159341:
- bundle install: for an already-initialized project, the project's recorded
active integration is now authoritative. --integration no longer overrides it
(which let a copilot project install a claude-pinned bundle via
`--integration claude`, bypassing the FR-019 clash guard). The override still
selects the integration at init time and confirms the target only when the
active integration cannot be determined.
- docs/reference/bundles.md: reword the install guarantee to match the
implementation — no provenance record is written unless the install fully
succeeds, and rollback of this run's components is best-effort (removal errors
are swallowed, so partial on-disk state may remain). Dropped the inaccurate
"atomic / rolls back everything" claim.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): validate component kind/id when loading records
Addresses review 4535194606: _component_from_dict now rejects a contributed
component whose 'kind' is not a supported component kind or whose 'id' is
empty, raising a BundlerError that explicitly flags the records file as
corrupt. Previously such a record loaded successfully and only failed later
(e.g. in primitive_manager() during bundle remove/update) with a less
actionable error.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): address review 4535234003 (7 findings)
- versioning: tolerate an uppercase `V` prefix in `_normalize_semver` and
`is_semver`, mirroring specify_cli._version tag normalization (V -> v) so
`V1.2.3` parses and validates consistently.
- validator: import BundlerError and narrow the speckit_version constraint
except clause to `BundlerError` only, so programming errors are no longer
masked behind an "invalid constraint" message.
- bundle update: accept `--integration` and thread it through
resolve_install_plan the same way `bundle install` does (override used only
when the active integration can't be auto-detected), so integration-pinned
bundles can be updated where `.specify/integration.json` is missing/unreadable.
- bundle validate: fold reference warnings into `report.warnings` so the
ValidationReport is the single warning channel at the CLI layer.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test(bundler): make update --integration help assertion ANSI-safe
Rich can split the "--integration" option label with ANSI escape codes
between the two leading dashes, so the literal substring check failed under
CI's terminal settings. Match the un-split option word instead, mirroring how
test_bundle_help_lists_all_commands checks bare command names.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): preserve exec bits in artifacts; document install-time pins
Addresses review 4535280786:
- packager.build_bundle: no longer forces every ZIP member to 0644, which
stripped the executable bit from bundled scripts (e.g. extension hook
scripts) and could break them after extraction. Permissions are now
normalized reproducibly to 0755 when the source file has any execute bit
set, otherwise 0644 — identical inputs still yield byte-for-byte identical
artifacts.
- installer.install_bundle + docs/reference/bundles.md: document that version
pins are enforced install-time only. Because primitive is_installed checks
are id-based (not version-aware), an already-present component is skipped
during install without comparing its on-disk version to the manifest pin;
pins are guaranteed applied only on a real install or `bundle update` refresh.
Added a regression asserting executable sources map to 0755 and plain files to
0644 in the built artifact.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test(bundler): skip exec-bit packager test on Windows
Windows filesystems do not carry Unix execute bits, so chmod(0o755) is a no-op
and the source file reports no execute bit — the packager then correctly stores
the member as 0644. The assertion that an executable source maps to 0755 is only
meaningful on POSIX, so skip it on nt rather than asserting platform-specific
behavior.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): normalize prerelease spellings inside version constraints
Addresses review 4535327154: parse_version() normalized SemVer prerelease
spellings (e.g. 1.2.3-rc1 -> 1.2.3rc1) but parse_constraint() passed the
constraint to packaging.SpecifierSet unmodified, so ">=1.2.3-rc1" raised
InvalidSpecifier even though the same spelling is accepted for installed
versions. parse_constraint() now normalizes the version portion of each
comma-separated clause via the shared _normalize_semver helper, so prerelease
handling is consistent across versions and constraints.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(bundler): validate schema versions and required record identity fields
Addresses review 4535351596:
- records.load_records: validate the on-disk 'schema_version' (required;
forward-compatible across same-major minor bumps) and fail fast with an
actionable error on a missing/unknown version, rather than silently parsing a
possibly-incompatible format and risking incorrect bundle attribution/removal.
- records.InstalledBundleRecord.from_dict: treat missing 'bundle_id' or
'version' as corruption and raise BundlerError, instead of coercing them to
empty strings that let later list/remove/update operations behave
unpredictably.
- catalog_config._read: validate 'schema_version' when present (same-major
compatibility) and fail fast on an unsupported version so an incompatible
future config shape can't be mis-parsed into a wrong effective catalog stack.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore(bundler): scrub generated dogfooding scaffold before merge
The bundler feature was developed by dogfooding Spec Kit on itself. Now that
the work is complete, remove all generated scaffolding so it does not land in
the repository on merge:
- specs/001-spec-kit-bundler/** (spec, plan, research, data-model, contracts,
quickstart, tasks, checklists)
- .specify/** (extensions, integrations, scripts, templates, workflows,
feature/init/integration metadata)
- .github/agents/speckit.*.agent.md, .github/prompts/speckit.*.prompt.md, and
.github/copilot-instructions.md (Copilot integration scaffold)
Retained: .specify/memory/constitution.md — the single dogfooding artifact
carried forward — with its whitespace exemption in .gitattributes.
.gitattributes and .markdownlint-cli2.jsonc are reverted to the upstream
baseline (plus the constitution whitespace exemption), dropping the now-moot
exemptions for the removed scaffold.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Pascal THUET <pascal.thuet@arte.tv>
- AGENTS.md: branch naming as a requirement for AI coding agents
- CONTRIBUTING.md: branch naming as a recommendation for human contributors
- Convention: <type>/<number>-<short-slug> where number is issue or PR number
Closes#2677
* docs: replace deprecated --ai flag with --integration in all documentation
Replace all user-facing --ai, --ai-skills, and --ai-commands-dir references
with their modern equivalents:
- --ai <agent> → --integration <agent>
- --ai-skills → --integration-options="--skills"
- --ai-commands-dir <dir> → --integration generic --integration-options="--commands-dir <dir>"
Updated files:
- README.md (~17 occurrences)
- docs/installation.md (~8 occurrences)
- docs/upgrade.md (~11 occurrences)
- docs/local-development.md (~5 occurrences)
- CONTRIBUTING.md (1 occurrence)
- extensions/EXTENSION-USER-GUIDE.md (1 occurrence)
- src/specify_cli/__init__.py (docstring examples and error messages)
Left unchanged:
- CHANGELOG.md (historical record)
- Test files (intentionally exercise deprecated flag path)
- CLI flag implementation (backward compatibility)
Closes#2358
* docs: address review feedback on pre-existing issues
- Fix duplicate copilot example in README.md (replace with codex)
- Fix invalid gemini --integration-options="--skills" example (gemini
does not support --skills)
- Update generic integration comment from 'Unsupported agent' to
'Bring your own agent; requires --commands-dir'
- Clarify EXTENSION-USER-GUIDE.md: skills auto-register for
skills-based integrations, not only with --integration-options
* docs: replace bare 'AI agent' / 'AI assistant' with 'coding agent' throughout
Full sweep across all documentation and user-facing CLI messages to
align terminology. Bare references like 'AI agent', 'AI assistant',
and 'AI Agent' are replaced with 'coding agent' or 'coding agent
integration' as appropriate.
Intentionally left unchanged:
- 'AI coding agent' (already correct expanded form)
- Deprecated --ai flag help text and error messages (describes the
deprecated flag itself)
- Community extension descriptions (external project text)
- 'generated by an AI' in CONTRIBUTING.md (general AI, not agent)
* docs: address review — remove deprecated --offline, qualify --skills scope
- Remove --offline from docstring examples (deprecated no-op)
- Remove --offline from CONTRIBUTING.md testing example
- Replace --offline instructions in docs/installation.md with note that
bundled assets are used by default
- Qualify --integration-options="--skills" in README.md to note it only
applies to integrations that support skills mode
- New docs/integrations.md: canonical reference for supported agents table
(with keys), list/install/uninstall/switch/upgrade commands, file
preservation behavior, and integration-specific options
- README.md: replace inline agents table with summary + link to new page;
normalize heading to 'Supported AI Coding Agent Integrations'
- docs/toc.yml: add top-level 'Reference' section with Integrations page
- docs/upgrade.md: fix broken cross-reference, update terminology
- CONTRIBUTING.md: update anchor link to new heading
Add automated markdown linting to ensure consistent formatting across
all markdown files in the repository.
Changes:
- Add .markdownlint-cli2.jsonc configuration
- Create .github/workflows/lint.yml for CI/CD integration
- Fix all 908 existing markdown errors across 27 files
- Enforce ATX-style headings and asterisk emphasis
- Set consistent 2-space list indentation
This prevents markdown errors after project initialization and
maintains high documentation quality standards.
Add comprehensive Qwen Code integration following existing patterns:
- Add Qwen as fourth AI assistant option in CLI
- Update all documentation to include Qwen CLI references
- Extend GitHub Actions workflow for Qwen template generation
- Add Qwen support to shell scripts and templates
- Maintain backward compatibility with existing assistants