* feat(extensions): verify catalog archive sha256 before install
Extension and preset archives were downloaded over HTTPS and unpacked
(with Zip-Slip protection) but their bytes were never checked against a
known digest. Trust rested entirely on TLS and the integrity of the
release host, so a tampered or swapped archive from a compromised
third-party release would be installed silently. Maintainers do not audit
extension code, so consumer-side integrity is the only available defence.
Catalog entries may now pin an optional `sha256` digest. When present, the
downloaded archive is verified before it is written to disk and installed;
a mismatch aborts with a clear error. Entries without `sha256` keep
working unchanged (a DEBUG line records that the download was unverified),
so the change is backwards compatible. The check runs on both download
paths (extensions and presets) via a single shared helper so the two stay
in parity.
- Add `verify_archive_sha256` helper in shared_infra (digest match,
`sha256:` prefix, case-insensitive; DEBUG log when no digest declared)
- Enforce it in ExtensionCatalog.download_extension and
PresetCatalog.download_pack, before the archive is written to disk
- Document the optional `sha256` field in the publishing guides
- Tests: helper unit tests + matching/mismatch/no-digest on both paths
Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
Assisted-by: AI
* fix(extensions): harden sha256 parsing and tidy download test mocks
Follow-up to the review on #3080:
- shared_infra.verify_archive_sha256: strip only a literal `sha256:`
algorithm prefix (case-insensitive) instead of `split(':', 1)[-1]`,
which silently dropped any prefix — so `md5:<64-hex>` was accepted as
if it were a valid SHA-256. Validate that the declared value is exactly
64 hex characters and raise a clear error otherwise, and compare with
`hmac.compare_digest` for a constant-time check. Add tests covering a
malformed digest and a non-`sha256:` prefix (both previously accepted).
- Download test helpers: configure the context-manager mock via
`__enter__.return_value`/`__exit__.return_value` rather than assigning a
`lambda s: s`, which is clearer and independent of the invocation arity.
Assisted-by: AI
Signed-off-by: Zied Jlassi (Architect AI) <6190550+zied-jlassi@users.noreply.github.com>
* fix(extensions): reject a declared-but-empty sha256 instead of skipping verification
verify_archive_sha256 skipped on any falsy expected value, so a present-but-empty digest (e.g. sha256: "" reached via ...get("sha256")) silently disabled the integrity check instead of surfacing the authoring error. Guard on expected is None so only an absent digest skips; blank/whitespace/bare-prefix values fall through to the 64-hex validation and are rejected. Adds a regression test.
Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
* docs(shared_infra): clarify _SHA256_HEX_RE accepts and normalizes uppercase
The comment described the regex as matching '64 lowercase' hex characters,
but verify_archive_sha256 lowercases the declared value (raw.lower()) before
matching, so an uppercase digest is accepted and normalized rather than
rejected. Clarify the comment to avoid misleading future readers.
Addresses Copilot review feedback on shared_infra.py.
Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
* test(presets): cover the no-sha256 backwards-compatible path
Address Copilot review: download_pack's optional sha256 verification was
tested for match/mismatch but not the backwards-compatible path where a
catalog entry has no sha256 (pack_info.get("sha256") is None). Add a
no-sha256 test mirroring the extensions coverage so the helper never
silently becomes mandatory for presets.
Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
---------
Signed-off-by: Zied Jlassi <6190550+zied-jlassi@users.noreply.github.com>
Signed-off-by: Zied Jlassi (Architect AI) <6190550+zied-jlassi@users.noreply.github.com>
* Update preset-fiction-book-writing to community catalog
- Preset ID: fiction-book-writing
- Version: 1.5.0
- Author: Andreas Daumann
- Description: Spec-Driven Development for novel and long-form fiction. Replaces software engineering terminology with storytelling craft: specs become story briefs, plans become story structures, and tasks become scene-by-scene writing tasks. Supports 8 POV modes, all major plot structure frameworks, 5 humanized-AI prose profiles, and exports to DOCX/EPUB/LaTeX via pandoc. V1.5.0: Support interactive, audiobooks, series, workflow corrections
* Add fiction-book-writing preset to community catalog
- Preset ID: fiction-book-writing
- Version: 1.6.0
- Author: Andreas Daumann
- Description: Added support for 12 languages, export with templates, cover builder, bio builder, workflow fixes
* Update presets/catalog.community.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fixed update_at for fiction-book-writing preset
* Update README.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fixed description for fiction-book-writing
* Update Fiction Book Writing to community catalog
- Preset ID: fiction-book-writing
- Version: 1.9.0
- Author: Andreas Daumann
- Description: Update added illustration support
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Add Workflow Preset to community catalog
Add workflow-preset submitted by @bigsmartben to:
- presets/catalog.community.json (alphabetical order)
- docs/community/presets.md community presets table
Closes#2618
* Fix Requires column: use — for no required extensions
The Requires column lists required extensions, not the Spec Kit
version. This preset has no extension dependencies.
* Add game-narrative-writing preset to community catalog
- Preset ID: game-narrative-writing
- Version: 1.0.0
- Author: Andreas Daumann
- Description: Spec-Driven Development for interactive game narrative for pre-production for video games. Authors write in a portable generic format, Twine/Sugarcube (.twee) or Ink (.ink). Covers choice-IF, visual novels, and branching dialogue. Supports Tier 1 mechanic hooks (flag, counter, inventory, timer, trust, currency, npc_state, ending_condition), multi-ending design, series carry-over variable registry, and NPC-focused character architecture.
Co-authored-by: Copilot <copilot@github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Simplify the community catalog submission flow to use issue templates
with manual maintainer review (no automation scripts or workflows).
- Add explicit CODEOWNERS entries for catalog.community.json files so
submissions are automatically assigned to a maintainer for review
- Improve preset submission template:
- Add 'Required Extensions' optional field
- Make 'Templates Provided' optional (supports command-only presets)
- Add 'Number of Scripts' optional field
The existing extension and preset issue templates already collect all
required catalog metadata. Maintainers review submissions and manually
update the catalog JSON files.
Closes#2400
* feat(presets): add Spec2Cloud preset for Azure deployment workflow
Co-authored-by: Copilot <copilot@github.com>
* feat(presets): add Spec2Cloud preset details to community catalog
* fix(presets): update Spec2Cloud URL to point to the correct GitHub repository
* feat(presets): update Spec2Cloud entry with created_at and updated_at timestamps
* feat(presets): update Spec2Cloud version to 1.1.0 and adjust timestamps
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fix: update spec2cloud preset details and resolve merge conflicts
* fix: reorder Spec2Cloud entry in community presets for consistency
---------
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Update preset-fiction-book-writing to community catalog
- Preset ID: fiction-book-writing
- Version: 1.5.0
- Author: Andreas Daumann
- Description: Spec-Driven Development for novel and long-form fiction. Replaces software engineering terminology with storytelling craft: specs become story briefs, plans become story structures, and tasks become scene-by-scene writing tasks. Supports 8 POV modes, all major plot structure frameworks, 5 humanized-AI prose profiles, and exports to DOCX/EPUB/LaTeX via pandoc. V1.5.0: Support interactive, audiobooks, series, workflow corrections
* Add fiction-book-writing preset to community catalog
- Preset ID: fiction-book-writing
- Version: 1.6.0
- Author: Andreas Daumann
- Description: Added support for 12 languages, export with templates, cover builder, bio builder, workflow fixes
* Update presets/catalog.community.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fixed update_at for fiction-book-writing preset
* Update README.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fixed description for fiction-book-writing
* "Add fiction-book-preset to community catalog
- Preset ID: fiction-book-writing
- Version: 1.7.0
- Author: Andreas Daumann
- Description: It adapts the Spec-Driven Development workflow for storytelling to create books or audiobooks (with annotations) in 12 languages: features become story elements, specs become story briefs, plans become story structures, and tasks become scene-by-scene writing tasks. Supports single and multi-POV, all major plot structure frameworks, and two style modes: an author voice sample or humanized AI prose. Supports interactive elements like brainstorming, interview, roleplay and extras like statistics, cover builder and bio command. Export with templates for KDP, D2D etc. V1.7.0: Support for offline semantic search.
* Update presets/catalog.community.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update presets/catalog.community.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Add fiction-book-writing to community catalog
- Preset ID: fiction-book-writing
- Version: 1.7.0
- Author: Andreas Daumann
- Description: Spec-Driven Development for novel and long-form fiction. RAG support
* Update docs/community/presets.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* feat(extensions,presets): authenticate GitHub-hosted catalog and download requests with GITHUB_TOKEN/GH_TOKEN
Squashed from #2087 (original author: @anasseth).
Adds GitHub-token authentication to extension and preset catalog fetching
and ZIP downloads so private GitHub repos work when GITHUB_TOKEN/GH_TOKEN
is set, while preventing credential leakage to non-GitHub hosts.
- Introduces shared _github_http module with build_github_request() and
open_github_url() helpers
- Routes ExtensionCatalog and PresetCatalog network calls through
GitHub-auth-aware opener
- Adds comprehensive unit/integration tests for auth header behavior
- Updates user docs for both extensions and presets
Co-authored-by: anasseth <16745089+anasseth@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(auth): address review feedback from #2087
- Fix redirect handler to preserve Authorization on GitHub-to-GitHub
redirects (e.g. github.com → codeload.github.com). The previous
implementation relied on super().redirect_request() which strips
auth on cross-host redirects, breaking private repo archive downloads.
- Add codeload.github.com to documented host lists in both
EXTENSION-USER-GUIDE.md and presets/README.md
- Add redirect auth-preservation and auth-stripping tests
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(auth): use Bearer scheme instead of token for consistency
Aligns with the rest of the codebase (e.g. __init__.py:1721) and
GitHub's current API guidance. Updates all test assertions accordingly.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: address second round of Copilot review feedback
- Fix docstring to say Bearer instead of token (matches implementation)
- Remove unused imports/fixtures from redirect tests (GITHUB_HOSTS,
MagicMock, temp_dir, monkeypatch)
- Replace __import__('io').BytesIO() with normal import io pattern
in test_presets.py
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: anasseth <16745089+anasseth@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: move community presets table to docs site, add missing entries
- Move the full community presets table from README.md to the docs site
at docs/community/presets.md, replacing the README section with a
short link (matching the pattern used for Walkthroughs and Friends).
- Add missing Jira Issue Tracking and Screenwriting rows to the docs
table so it reflects all entries in catalog.community.json.
* docs(presets): add docs site table step to publishing guide
Add step to update docs/community/presets.md when submitting a
community preset, and add corresponding PR checklist item. Matches
the pattern used in the extensions publishing guide.
* Clarify alphabetical sort key in presets publishing guide
Specify that the docs table should be sorted by preset name (the first
column), disambiguating from the catalog JSON which sorts by preset ID.
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Address review: fix provides count, admonition style, example row
- Add missing scripts count to Fiction Book Writing table row to match catalog
- Switch README disclaimer to GitHub admonition format for consistency
- Include optional scripts count in PUBLISHING.md example row
* Fix Fiction Book Writing link text to match actual repo name
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* docs(presets): add lean preset README and enrich catalog metadata
- Add README.md documenting the lean workflow preset, its commands,
when to use it, and development instructions.
- Add license, requires.speckit_version, and provides.commands fields
to the lean preset catalog entry.
- Add "core" tag to preset.yml for discoverability.
* fix: bump catalog updated_at and add provides.templates for consistency
Address PR review feedback:
- Bump updated_at to reflect catalog modification time
- Add provides.templates (0) to lean preset entry for consistency
with catalog schema used in catalog.community.json
* feat: register jira preset in community catalog
Adds luno/spec-kit-preset-jira — overrides speckit.taskstoissues to
create Jira issues instead of GitHub Issues.
See #2223 for context on why this is a preset rather than an extension.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: use immutable tag URL and sort jira preset alphabetically
- Change download_url from heads/main to refs/tags/v1.0.0 for reproducible installs
- Move jira entry to correct alphabetical position in presets object
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Ed Harrod <1381991+echarrod@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix: rebase onto upstream/main, resolve conflicts with PR #2189
upstream/main merged PR #2189 (wrap-only strategy) which overlaps with
our comprehensive composition strategies (prepend/append/wrap). Resolved
conflicts keeping our implementation as source of truth:
- README: keep our future considerations (composition is now fully
implemented, not a future item)
- presets.py: keep our composition architecture (_reconcile_composed_commands,
collect_all_layers, resolve_content) while preserving #2189's
_substitute_core_template which is used by agents.py for skill
generation
- tests: keep both test sets (our composition tests + #2189's wrap
tests), removed TestReplayWrapsForCommand and
TestInstallRemoveWrapLifecycle which test the superseded
_replay_wraps_for_command API; our composition tests cover equivalent
scenarios
- Restored missing _unregister_commands call in remove() that was lost
during #2189 merge
* fix: re-create skill directory in _reconcile_skills after removal
After _unregister_skills removes a skill directory, _register_skills
skips writing because the dir no longer passes the is_dir() check.
Fix by ensuring the skill subdirectory exists before calling
_register_skills so the next winning preset's content gets registered.
Fixes the Claude E2E failure where removing a top-priority override
preset left skill-based agents without any SKILL.md file.
* fix: address twenty-third round of Copilot PR review feedback
- Protect reconciliation in remove(): wrap _reconcile_composed_commands
and _reconcile_skills in try/except so failures emit a warning instead
of leaving the project in an inconsistent state
- Protect reconciliation in install(): same pattern for post-install
reconciliation so partial installs don't lack cleanup
- Inherit scripts/agent_scripts from base frontmatter: when composing
commands, merge scripts and agent_scripts keys from the base command's
frontmatter into the top layer's frontmatter if missing, preventing
composed commands from losing required script references
- Add tier-5 bundled core fallback to collect_all_layers(): check the
bundled core_pack (wheel) or repo-root templates (source checkout) when
.specify/templates/ doesn't contain the core file, matching resolve()'s
tier-5 fallback so composition can always find a base layer
* fix: address twenty-fourth round of Copilot PR review feedback
- Use yaml.safe_load for frontmatter parsing in resolve_content instead
of CommandRegistrar.parse_frontmatter which uses naive find('---',3);
strip strategy key from final frontmatter to prevent leaking internal
composition directives into rendered agent command files
- Filter _reconcile_skills to specific commands: use _FilteredManifest
wrapper so only the commands being reconciled get their skills updated,
preventing accidental overwrites of other commands' skills that may be
owned by higher-priority presets
* fix: address twenty-fifth round of Copilot PR review feedback
- Support legacy command-frontmatter strategy: when preset.yml doesn't
declare a strategy, check the command file's YAML frontmatter for
strategy: wrap as a fallback so legacy wrap presets participate in
composition and multi-preset chaining
- Guard skill dir creation in _reconcile_skills: only re-create the
skill directory if the skill was previously managed (listed in some
preset's registered_skills), avoiding creation of new skill dirs
that _register_skills would normally skip
* fix: add explanatory comment to empty except in legacy frontmatter parsing
* fix: address twenty-sixth round of Copilot PR review feedback
- Unregister stale commands when composition fails: when resolve_content
returns None during reconciliation (base layer removed), unregister
the command from non-skill agents and emit a warning
- Load extension aliases during reconciliation: _register_command_from_path
now checks extension.yml for aliases when the winning layer is an
extension, so alias files are restored after preset removal
- Use line-based fence detection for legacy frontmatter strategy fallback:
scan for --- on its own line instead of split('---',2) to avoid
mis-parsing YAML values containing ---
* fix: address twenty-seventh round of Copilot PR review feedback
- Handle non-preset winners in _reconcile_skills: when the winning
layer is core/extension/project-override, restore skills via
_unregister_skills so skill-based agents stay consistent with the
priority stack
- Update base_frontmatter_text on replace layers: when a higher-priority
replace layer occurs during composition, update both top and base
frontmatter so scripts/agent_scripts inheritance reflects the
effective base beneath the top composed layer
* fix: address twenty-eighth round of Copilot PR review feedback
- Parse only interior lines in _parse_fm_yaml: use lines[1:-1] instead
of filtering all --- lines, preventing corruption when YAML values
contain a line that is exactly ---
- Omit empty frontmatter: skip re-rendering when top_fm is empty dict
to avoid emitting ---/{}/--- for intentionally empty frontmatter
- Update scaffold wrap comment: mention both {CORE_TEMPLATE} and
$CORE_SCRIPT placeholders for templates/commands vs scripts
- Clarify shell composition scope in ARCHITECTURE.md: note that bash/PS1
resolve_template_content only handles templates; command/script
composition is handled by the Python resolver
* fix: address twenty-ninth round of Copilot PR review feedback
- Fix TestCollectAllLayers docstring: reference collect_all_layers()
- Add default/unknown strategy handling in bash/PS1 composition: error
on unrecognized strategy values instead of silently skipping
- Fix comment: .composed/ is a persistent dir, not temporary
- Fix comment: legacy fallback checks all valid strategies, not just wrap
- Cache PresetRegistry in _reconcile_skills: build presets_by_priority
once instead of constructing registry per-command
* fix: address thirtieth round of Copilot PR review feedback
- Guard legacy frontmatter fallback: only check command file frontmatter
for strategy when the manifest entry doesn't explicitly include the
strategy key, preventing override of manifest-declared strategies
- Document rollback limitation: note that mid-registration failures may
leave orphaned agent command files since partial progress isn't
captured by the local vars
* fix: handle project override skills and extension context in reconciliation
* fix: add comment to empty except in extension registration fallback
* fix: filter extension commands in reconciliation and fix type annotation
* fix: filter extension commands from post-install reconciliation
Apply the same extension-installed check used in _register_commands to
the reconciliation command list, preventing reconciliation from
registering commands for extensions that are not installed.
* fix: skip convention fallback for explicit file paths and add stem fallback to tier-5
When a preset manifest provides an explicit file path that does not
exist, skip the convention-based fallback to avoid masking typos.
Also add speckit.<stem> to <stem>.md fallback in tier-5 bundled/source
core lookup for consistency with tier-4.
* fix: scan past non-replace layers to find base in resolve_content
The base-finding scan now skips non-replace layers below a replace
layer instead of stopping at the first non-replace. This fixes the
case where a low-priority append/prepend layer sits below a replace
that should serve as the base for composition.
* fix: add context_note to non-skill agent registration for extensions
Add context_note parameter to register_commands_for_non_skill_agents
and pass extension name/id during reconciliation so rendered command
files preserve the extension-specific context markers.
* fix: Optional type, rollback safety, and override skill restoration
- Fix context_note type to Optional[str]
- Wrap shutil.rmtree in try/except during install rollback
- Separate override-backed skills from core/extension in _reconcile_skills
* fix: align bash/PS1 base-finding with Python resolver
Rewrite bash and PowerShell composition loops to find the effective
base replace layer first (scanning bottom-up, skipping non-replace
layers below it), then compose only from the base upward. This
prevents evaluation of irrelevant lower layers (e.g. a wrap with
no placeholder below a replace) and matches resolve_content behavior.
* fix: PS1 no-python warning, integration hook for override skills, alias cleanup
- Warn when no Python 3 found in PS1 and presets use composition strategies
- Apply post_process_skill_content integration hook when restoring
override-backed skills so agent-specific flags are preserved
- Unregister command aliases alongside primary name when composition
fails to prevent orphaned alias files
* fix: include aliases in removed_cmd_names during preset removal
Read aliases from preset manifest before deleting pack_dir so alias
command files are included in unregistration and reconciliation.
* fix: add comment to empty except in alias extraction during removal
* fix: scan top-down for effective base in all resolvers
Change base-finding to scan from highest priority downward to find the
nearest replace layer, then compose only layers above it. Prevents
evaluation of irrelevant lower layers (e.g. a wrap without placeholder
below a higher-priority replace) across Python, bash, and PowerShell.
* fix: align CLI composition chain display with top-down base-finding
Show only contributing layers (base and above) in preset resolve
output, matching resolve_content top-down semantics. Layers below
the effective base are omitted since they do not contribute.
* fix: guard corrupted registry entries and make manifest authoritative
- Add isinstance(meta, dict) guard in bash registry parsing so corrupted
entries are skipped instead of breaking priority ordering
- Only use convention-based file lookup when the manifest does not list
the requested template, making preset.yml authoritative and preventing
stray on-disk files from creating unintended layers
* fix: align resolve() with manifest file paths and match extension context_note
- Update resolve() preset tier to consult manifest file paths before
convention-based lookup, matching collect_all_layers behavior
- Use exact extension context_note format matching extensions.CommandRegistrar
- Update test to declare template in manifest (authoritative manifest)
* revert: restore resolve() convention-based behavior for backwards compatibility
resolve() is the existing public API used by shell scripts and other
callers. Changing it to manifest-authoritative breaks backward compat
for presets that rely on convention-based file lookup. Only the new
collect_all_layers/resolve_content path uses manifest-authoritative
logic.
* fix: only pre-compose when this preset is the top composing layer
Skip composition in _register_commands when a higher-priority replace
layer already wins for the command. Register the raw file instead and
let reconciliation write the correct final content.
* fix: deduplicate PyYAML warnings and use self.registry in reconciliation
- Emit PyYAML-missing warning once per function call in bash/PS1 instead
of per-preset to avoid spamming stderr
- Use self.registry.list_by_priority() in reconciliation methods instead
of constructing new PresetRegistry instances to avoid redundant I/O
and potential consistency issues
* fix: document strategy handling consistency between layers and registrar
Composed output already strips strategy from frontmatter (resolve_content
pops it). Raw file registration preserves legacy frontmatter strategy
for backward compat; reconciliation corrects the final state.
* fix: correct stale comments for alias tracking and base-finding algorithm
* security: validate manifest file paths in bash/PowerShell resolvers
Reject absolute paths and parent directory traversal (..) in the
manifest-declared file field before joining with the preset directory.
Matches the Python-side validation in PresetManifest._validate().
---------
Co-authored-by: Manfred Riem <15701806+mnriem@users.noreply.github.com>
* feat: implement strategy: wrap
* fix: resolve merge conflict for strategy wrap correctness
* feat: multi-preset composable wrapping with priority ordering
Implements comment #4 from PR review: multiple installed wrap presets
now compose in priority order rather than overwriting each other.
Key changes:
- PresetResolver.resolve() gains skip_presets flag; resolve_core() wraps
it to skip tier 2, preventing accidental nesting during replay
- _replay_wraps_for_command() recomposed all enabled wrap presets for a
command in ascending priority order (innermost-first) after any
install or remove
- _replay_skill_override() keeps SKILL.md in sync with the recomposed
command body for ai-skills-enabled projects
- install_from_directory() detects strategy: wrap commands, stores
wrap_commands in the registry entry, and calls replay after install
- remove() reads wrap_commands before deletion, removes registry entry
before rmtree so replay sees post-removal state, then replays
remaining wraps or unregisters when none remain
Tests: TestResolveCore (5), TestReplayWrapsForCommand (5),
TestInstallRemoveWrapLifecycle (5), plus 2 skill/alias regression tests
* fix: resolve extension commands via manifest file mapping
PresetResolver.resolve_extension_command_via_manifest() consults each
installed extension.yml to find the actual file declared for a command
name, rather than assuming the file is named <cmd_name>.md. This fixes
_substitute_core_template for extensions like selftest where the manifest
maps speckit.selftest.extension → commands/selftest.md.
Resolution order in _substitute_core_template is now:
1. resolve_core(cmd_name) — project overrides win, then name-based lookup
2. resolve_extension_command_via_manifest(cmd_name) — manifest fallback
3. resolve_core(short_name) — core template short-name fallback
Path traversal guard mirrors the containment check already present in
ExtensionManager to reject absolute paths or paths escaping the extension
root.
* fix: add bundled core_pack as Priority 5 in PresetResolver.resolve()
resolve_core() was returning None for built-in commands (implement,
specify, etc.) because PresetResolver only checked .specify/templates/
commands/ (Priority 4), which is never populated for commands in a
normal project. strategy:wrap presets rely on resolve_core() to fetch
the {CORE_TEMPLATE} body, so the wrap was silently skipped and SKILL.md
was never updated.
Priority 5 now checks core_pack/commands/ (wheel install) or
repo_root/templates/commands/ (source checkout), mirroring the pattern
used by _locate_core_pack() elsewhere.
Updated two tests whose assertions assumed resolve_core() always
returned None when .specify/templates/commands/ was absent.
* fix: harden preset wrap replay removal
* fix: stabilize existing directory error output
* fix: track outermost_pack_id from contributing preset; use Path.parts in tests
- outermost_pack_id now updates alongside outermost_frontmatter inside
the wrap loop, so it reflects the actual last contributing preset
rather than always taking wrap_presets[0] (which may have been skipped)
- Replace str(path) substring checks in TestResolveCore with Path.parts
tuple comparisons for correct behaviour on Windows (CI runs windows-latest)
* fix: guard against non-mapping YAML manifests; apply integration post-processing in replay
- ExtensionManifest._load raises ValidationError for non-dict YAML roots instead of TypeError
- PresetManager._replay_wraps_for_command calls integration.post_process_skill_content,
matching _register_skills behaviour
- PresetResolver skips extensions that raise OSError/TypeError/AttributeError on manifest load
- Tests: non-mapping YAML, OSError manifest skip, and replay integration post-processing
* Update preset-fiction-book-writing to community catalog
- Preset ID: fiction-book-writing
- Version: 1.5.0
- Author: Andreas Daumann
- Description: Spec-Driven Development for novel and long-form fiction. Replaces software engineering terminology with storytelling craft: specs become story briefs, plans become story structures, and tasks become scene-by-scene writing tasks. Supports 8 POV modes, all major plot structure frameworks, 5 humanized-AI prose profiles, and exports to DOCX/EPUB/LaTeX via pandoc. V1.5.0: Support interactive, audiobooks, series, workflow corrections
* Add fiction-book-writing preset to community catalog
- Preset ID: fiction-book-writing
- Version: 1.6.0
- Author: Andreas Daumann
- Description: Added support for 12 languages, export with templates, cover builder, bio builder, workflow fixes
* Update presets/catalog.community.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fixed update_at for fiction-book-writing preset
* Update README.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fixed description for fiction-book-writing
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* feat: add claude-ask-questions preset for AskUserQuestion rendering
Delivers the /speckit.clarify and /speckit.checklist AskUserQuestion
integration as a stackable preset under presets/claude-ask-questions/
instead of modifying core templates or ClaudeIntegration.
- presets/claude-ask-questions/preset.yml registers command overrides
for speckit.clarify and speckit.checklist following the same pattern
as the bundled lean preset.
- Override commands replace the Markdown-table question-rendering
blocks with AskUserQuestion instructions. Option | Description maps
to {label, description} for clarify; Option | Candidate | Why It
Matters maps to {label: Candidate, description: Why It Matters} for
checklist. Recommended option is placed first with a
"Recommended — <reasoning>" prefix; a final "Custom"/"Short" option
preserves the free-form ≤5-word escape hatch.
- Registered in presets/catalog.json as a bundled preset.
Core templates, ClaudeIntegration, and the existing test suite are
left untouched, so non-Claude agents and users who do not install
this preset see no behavior change.
Closes github/spec-kit#2181
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: move claude-ask-questions preset to external repo
Per maintainer feedback on #2191, presets should be hosted on the
author's own GitHub repository and registered in catalog.community.json
rather than bundled in spec-kit. Removes the bundled preset directory
and its entry from the official catalog, and adds a community catalog
entry pointing at the external repository and release archive.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs(catalog): sync claude-ask-questions description with upstream preset
* revert: keep presets/catalog.json updated_at unchanged
No entries in the official catalog changed in this PR, so the timestamp
bump was spurious. Addresses Copilot review feedback on #2191.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: Update catalog.community.json for preset-fiction-book-writing
* Add fiction-book-writing preset to community catalog
- Preset ID: fiction-book-writing
- Version: 1.3.0
- Author: Andreas Daumann
- Description: Spec-Driven Development for novel and long-form fiction. Replaces software engineering terminology with storytelling craft: specs become story briefs, plans become story structures, and tasks become scene-by-scene writing tasks. Supports 8 POV modes, all major plot structure frameworks, 5 humanized-AI prose profiles, and exports to DOCX/EPUB/LaTeX via pandoc.
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* doc: added fiction-book-writing preset link in README.md
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Manfred Riem <15701806+mnriem@users.noreply.github.com>
* feat: add bundled lean preset with minimal workflow commands
Add a lean preset that overrides the 5 core workflow commands (specify,
plan, tasks, implement, constitution) with minimal prompts that produce
exactly one artifact each — no extension hooks, no scripts, no git
branching, no templates.
Bundled preset infrastructure:
- Add _locate_bundled_preset() mirroring _locate_bundled_extension()
- Update 'specify init --preset' to try bundled -> catalog fallback
- Update 'specify preset add' to try bundled -> catalog fallback
- Add bundled guard in download_pack() for presets without download URLs
- Add lean to presets/catalog.json with 'bundled: true' marker
- Add lean to pyproject.toml force-include for wheel packaging
- Align error messages with bundled extension error pattern
Tests: 15 new tests (TestLeanPreset + TestBundledPresetLocator)
* refactor: address review — clean up unused imports, strengthen test assertions
- Remove unused MagicMock import and cache_dir setup in download test
- Assert 'bundled' and 'reinstall' in CLI error output (not just exit code)
- Mock catalog in missing-locally test for deterministic bundled error path
- Fix test versions to satisfy updated speckit_version >=0.6.0 requirement
* refactor: address review — fix constitution paths, add REINSTALL_COMMAND to presets.py
- Fix constitution path to .specify/memory/constitution.md in plan, tasks,
implement commands (matching core command convention)
- Include REINSTALL_COMMAND in download_pack() bundled guard for consistent
recovery instructions across bundled extensions and presets
* refactor: address review — explicit feature_directory paths, ZIP cleanup in finally
- Prefix spec.md/plan.md/tasks.md with <feature_directory>/ in plan, tasks,
and implement commands so the agent doesn't operate on repo root by mistake
- Move ZIP unlink into finally block in init --preset path so cleanup runs
even when install_from_zip raises (matching preset_add pattern)
* refactor: address review — replace Unicode em dashes with ASCII, fix grammar
- Replace all Unicode em dashes with ASCII hyphens in preset.yml and
catalog.json to avoid decode errors on non-UTF-8 environments
- Fix grammar: 'store it in tasks.md' -> 'store them in tasks.md'
* refactor: address review - align task format between tasks and implement
- Remove undefined [P] marker from implement (lean uses sequential execution)
- Clarify checkbox update: 'change - [ ] to - [x]' instead of ambiguous '[X]'
- Simplify implement to execute tasks in order without parallel complexity
* refactor: address review - parse frontmatter instead of raw substring search
- Use CommandRegistrar.parse_frontmatter() to check for scripts/agent_scripts
keys in YAML frontmatter instead of brittle 'scripts:' substring search
* feat: add Table of Contents to generated markdown documents (#1970)
* fix: address Copilot review - clarify TOC placement wording
* fix: include TOC sections in structure templates
* fix: include TOC in structure templates and fix tasks TOC placement wording
* fix: correct TOC anchors to match headings with mandatory suffix
* fix: include all ##-level headings in tasks-template TOC
* fix: add missing TOC entries in tasks-template, remove leading blank line in
* fix: move TOC after metadata block and include all ## headings in tasks-template
* fix: use plain text for dynamic phase entries in tasks-template TOC
* fix: remove hardcoded anchor links from template TOCs, use plain text exemplars
* fix: remove HTML comments from template TOCs
* fix: add missing Parallel Example heading to tasks-template TOC
* revert: remove all core template changes, pivot to preset approach
* feat: deliver TOC navigation as a preset (closes#1970)
Pivots from core template changes to a preset approach per reviewer
request. Adds presets/toc-navigation/ with 3 template overrides and
3 command overrides that add Table of Contents sections to generated
spec.md, plan.md, and tasks.md documents.
Addresses all 8 impact concerns from review:
- Templates use anchor links (not plain text) matching command instructions
- All 12 tasks-template headings accounted for (dynamic phases as plain text)
- spec-template anchors include -mandatory suffix
- TOC placed after Note paragraph in plan-template
- Self-reference exclusion explicit in all commands
- Clarify stale TOC instruction in specify command
- Implement misparse warning in tasks command
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: publish toc-navigation preset to community catalog (#1970)
Move preset to standalone repository per maintainer guidance:
https://github.com/Quratulain-bilal/spec-kit-preset-toc-navigation
- Remove presets/toc-navigation/ from core repo
- Add toc-navigation entry to catalog.community.json
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Add toc-navigation preset to main README community presets table
Adds Table of Contents Navigation entry (alphabetically between Pirate
Speak and VS Code Ask Questions) to the community presets table in
README.md as requested by maintainer.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Add community content disclaimers
Add notes clarifying that community extensions, presets, walkthroughs,
and community friends are independently created and maintained by their
respective authors and are not reviewed, nor endorsed, nor supported
by GitHub.
Disclaimers added to:
- README.md: Community Extensions, Community Presets, Community
Walkthroughs, and Community Friends sections
- extensions/README.md: Community Reference Catalog and Available
Community Extensions sections
- presets/README.md: Catalog Management section
* Refine community disclaimers per PR review feedback
- Clarify that GitHub/maintainers may review catalog PRs for formatting
and policy compliance, but do not review, audit, endorse, or support
the extension/preset code itself (avoids contradiction with submission
process that mentions PR reviews)
- Add missing 'use at your own discretion' guidance to Community
Walkthroughs and Community Friends sections for consistency
- Add 🎨 Community Presets section between Community Extensions and Community Walkthroughs
- Add ToC entry for the new section
- Populate presets/catalog.community.json with pirate and aide-in-place presets
- Entries alphabetized: catalog by id, README table by name
* docs: add Extensions & Presets section to README
Add a new 'Making Spec Kit Your Own: Extensions & Presets' section that covers:
- Layering diagram (Mermaid) showing resolution order
- Extensions: what they are, when to use, examples
- Presets: what they are, when to use, examples
- When-to-use-which comparison table
- Links to extensions/README.md and presets/README.md
* docs: clarify project-local overrides in layering diagram
Address review feedback: explain the project-local overrides layer
shown in the diagram, and adjust the intro to acknowledge it as a
third customization mechanism alongside extensions and presets.
* docs: Clarify template vs command resolution in README
- Separate template resolution (top-down, first-match-wins stack) from
command registration (written directly into agent directories)
- Update Mermaid diagram paths to use <preset-id> and <ext-id>
placeholders consistent with existing documentation
Addresses PR review feedback on #1898.
* docs: Clarify install-time vs runtime resolution for commands and templates
- README: label templates as runtime-resolved (stack walk) and commands
as install-time (copied into agent directories, last-installed wins)
- presets/README: add runtime note to template resolution, contrast with
install-time command registration
* docs: Address review — fix template copy wording, tighten command override description
- presets/README: clarify that preset files are copied at install but
template resolution still walks the stack at runtime
- README: describe priority-based command resolution and automatic
restoration on removal instead of vague 'replacing whatever was there'