* chore: update extension versions in community catalog
- Update architecture-guard from v1.4.0 to v1.6.7
- Update memory-md from v0.7.5 to v0.7.9
- Update security-review from v1.4.2 to v1.4.5
All extensions now point to latest release downloads.
* chore: update timestamps in community catalog
Co-authored-by: Copilot <copilot@github.com>
---------
Co-authored-by: Copilot <copilot@github.com>
* fix(forge): use hyphen notation for command refs in Forge integration
- Add invoke_separator = "-" class attribute to ForgeIntegration so
effective_invoke_separator() returns "-" for shared-template installs
- Add "invoke_separator": "-" to ForgeIntegration.registrar_config so
agents.py CommandRegistrar can resolve refs with the correct separator
- Pass invoke_separator to process_template() in ForgeIntegration.setup()
so all .forge/commands/*.md bodies use /speckit-foo notation
- Replace literal /speckit.specify with __SPECKIT_COMMAND_SPECIFY__ in
extensions/git/commands/speckit.git.feature.md so every agent resolves
the reference through its own separator
- Apply resolve_command_refs re.sub in agents.py register_commands() after
argument-placeholder substitution so extension commands registered for
Forge get /speckit-foo refs; all other agents continue to get /speckit.foo
Fixes ZSH compatibility: dot-notation command invocations (/speckit.specify)
are misinterpreted by ZSH as file-path operations; hyphen notation
(/speckit-specify) works correctly in all shells.
* fix(agents): propagate invoke_separator from integration class into AGENT_CONFIGS
Skills-based agents (claude, codex, kimi, …) inherit invoke_separator="-"
from SkillsIntegration but do not repeat it in their registrar_config dicts.
_build_agent_configs() was copying registrar_config verbatim, so
register_commands() fell back to "." when resolving __SPECKIT_COMMAND_*__
tokens for those agents — emitting /speckit.specify instead of the correct
/speckit-specify for extension commands like speckit.git.feature.
Fix: after copying registrar_config, inject invoke_separator from the
integration's class attribute when it is not already declared explicitly.
This makes the integration class the single source of truth for all agents,
without requiring each SkillsIntegration subclass to duplicate the field.
Also replace the inline re.sub in register_commands() with a call to
IntegrationBase.resolve_command_refs() (deferred import to avoid the
existing circular dependency) so token-resolution logic is not duplicated.
Adds two tests in test_agent_config_consistency.py:
- test_skills_agents_have_hyphen_invoke_separator_in_agent_configs: asserts
every /SKILL.md agent has invoke_separator="-" in AGENT_CONFIGS.
- test_skills_agent_command_token_resolves_with_hyphen: end-to-end check via
CommandRegistrar that the git extension's speckit.git.feature command is
installed for Claude with /speckit-specify (not /speckit.specify).
Addresses review comment on PR #2462.
* feat(catalog): add Cost Tracker (cost) community extension
Adds a new entry for spec-kit-cost — track real LLM dollar cost across
SDD workflows with per-feature budgets, per-integration comparison,
and finance-ready exports.
Repo: https://github.com/Quratulain-bilal/spec-kit-cost
Release: v1.0.0
* docs(catalog): add Cost Tracker README row, bump updated_at
Address Copilot review feedback:
- Add Cost Tracker row to README community extensions table
- Bump top-level updated_at per EXTENSION-PUBLISHING-GUIDE.md
* fix(catalog): address Copilot feedback on cost extension entry
- Move cost entry after confluence so the c* block is alphabetized
- Bump top-level updated_at to 2026-05-05 per EXTENSION-PUBLISHING-GUIDE
- Use documented 'visibility' category in README (not 'analytics'),
matching Token Consumption Analyzer's classification
- Replace 'analytics' tag with 'visibility' in catalog tags for consistency
* fix(catalog): bump top-level updated_at for cost entry addition
Address Copilot feedback: the file-level updated_at must be bumped on
every catalog change per EXTENSION-PUBLISHING-GUIDE.md:204-205.
---------
Co-authored-by: Quratulain-bilal <quratulain.bilal@users.noreply.github.com>
Simplify the community catalog submission flow to use issue templates
with manual maintainer review (no automation scripts or workflows).
- Add explicit CODEOWNERS entries for catalog.community.json files so
submissions are automatically assigned to a maintainer for review
- Improve preset submission template:
- Add 'Required Extensions' optional field
- Make 'Templates Provided' optional (supports command-only presets)
- Add 'Number of Scripts' optional field
The existing extension and preset issue templates already collect all
required catalog metadata. Maintainers review submissions and manually
update the catalog JSON files.
Closes#2400
* feat: add Architecture Guard to community catalog
- Add architecture-guard v1.4.0 extension entry to catalog
- Add entry to README community extensions table
- Includes built-in Laravel-specific governance rules
* chore: update catalog timestamp to 2026-05-05
* fix: address PR feedback
- Add 'governance' category to README legend (used by Architecture Guard)
- Update architecture-guard timestamps to 2026-05-05 (submission date)
- Align with published extension behavior (Laravel support now built-in)
* chore: update Architecture Guard category to process
- Changed from 'governance' to 'process' (official category)
- Aligns with schema in EXTENSION-PUBLISHING-GUIDE.md
- Removed 'governance' from category legend (not an official category)
* chore: update timestamps to actual UTC datetime
- Top-level updated_at: 2026-05-05T07:26:00Z
- Entry created_at/updated_at: 2026-05-05T07:26:00Z
- Replaces placeholder 00:00:00Z with actual submission time
* Add Work IQ extension to community catalog
Adds the Work IQ extension by sakitA to the community catalog.
Work IQ integrates Microsoft 365 organizational knowledge (emails,
meetings, documents, Teams) into spec-driven development workflows.
- 4 commands: ask, context, stakeholders, enrich
- 2 hooks: before_specify, after_specify
- Requires: speckit >=0.1.0, Node.js >=18.0.0, workiq CLI
Repository: https://github.com/sakitA/spec-kit-workiq
* Address PR review comments
- Fix download_url to use .zip (Spec Kit installer requires ZIP format)
- Bump top-level catalog updated_at to 2026-04-29
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Sakit Atakishiyev <satakishiyev@microsoft.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The compatibility-error messages in extensions.py and presets.py, plus the
extension troubleshooting guide, told users to upgrade with:
uv tool install specify-cli --force
Without `--from git+https://github.com/github/spec-kit.git`, uv resolves
`specify-cli` from PyPI, where an unrelated package with the same name
(no author, no project URLs) ships a stub CLI that lacks `extension`,
`preset`, and most spec-kit commands. Users following the upgrade hint
land on the squat package and report "extension command removed"
(see #1982).
Reuse the existing `REINSTALL_COMMAND` constant in extensions.py and
import it from presets.py so all three call sites point at the GitHub
source. The doc fix also adds a one-line note explaining the PyPI
collision so the same advice doesn't get re-stripped later.
Refs #1982
Update v-model extension entry in community catalog to reflect the v0.6.0
release: https://github.com/leocamello/spec-kit-v-model/releases/tag/v0.6.0
Highlights of v0.6.0:
- Domain Overlay Architecture (9 overlay manifests; automotive, medical,
aerospace, general)
- ID Lifecycle Model (Proposed -> Active -> Deprecated -> Removed)
- Standards enrichment across all 11 commands (IEEE 1012:2016, ISO
25010:2023, ISO 42030:2019, ISO 12207:2017, IEEE 1016, IEEE 29148,
ISO 29119-4, ISO 14971, DO-178C, ARP4761A, INCOSE SE Handbook)
- Aerospace DO-178C support: Flight Warning Computer DAL-A golden fixture
- Test infrastructure: fixtures reorganized; +11 LLM-as-judge evals (42 -> 53)
Command count remains 14 (no new commands added in this release).
Stars updated to live count (21) from GitHub API.
* feat: add threatmodel extension to community catalog
* update timestamp for catalogue freshness
* update timestamp for catalogue freshness
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Update README.md
update readme.md with spec-kit-threatmodel
---------
Co-authored-by: Samal <navia.samal@sap.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Add Microsoft 365 Integration to community catalog and README.
Ingests Teams messages, files, and meeting transcripts as Markdown
for use with speckit specify.
* docs: replace deprecated --ai flag with --integration in all documentation
Replace all user-facing --ai, --ai-skills, and --ai-commands-dir references
with their modern equivalents:
- --ai <agent> → --integration <agent>
- --ai-skills → --integration-options="--skills"
- --ai-commands-dir <dir> → --integration generic --integration-options="--commands-dir <dir>"
Updated files:
- README.md (~17 occurrences)
- docs/installation.md (~8 occurrences)
- docs/upgrade.md (~11 occurrences)
- docs/local-development.md (~5 occurrences)
- CONTRIBUTING.md (1 occurrence)
- extensions/EXTENSION-USER-GUIDE.md (1 occurrence)
- src/specify_cli/__init__.py (docstring examples and error messages)
Left unchanged:
- CHANGELOG.md (historical record)
- Test files (intentionally exercise deprecated flag path)
- CLI flag implementation (backward compatibility)
Closes#2358
* docs: address review feedback on pre-existing issues
- Fix duplicate copilot example in README.md (replace with codex)
- Fix invalid gemini --integration-options="--skills" example (gemini
does not support --skills)
- Update generic integration comment from 'Unsupported agent' to
'Bring your own agent; requires --commands-dir'
- Clarify EXTENSION-USER-GUIDE.md: skills auto-register for
skills-based integrations, not only with --integration-options
* docs: replace bare 'AI agent' / 'AI assistant' with 'coding agent' throughout
Full sweep across all documentation and user-facing CLI messages to
align terminology. Bare references like 'AI agent', 'AI assistant',
and 'AI Agent' are replaced with 'coding agent' or 'coding agent
integration' as appropriate.
Intentionally left unchanged:
- 'AI coding agent' (already correct expanded form)
- Deprecated --ai flag help text and error messages (describes the
deprecated flag itself)
- Community extension descriptions (external project text)
- 'generated by an AI' in CONTRIBUTING.md (general AI, not agent)
* docs: address review — remove deprecated --offline, qualify --skills scope
- Remove --offline from docstring examples (deprecated no-op)
- Remove --offline from CONTRIBUTING.md testing example
- Replace --offline instructions in docs/installation.md with note that
bundled assets are used by default
- Qualify --integration-options="--skills" in README.md to note it only
applies to integrations that support skills mode
* feat(extensions,presets): authenticate GitHub-hosted catalog and download requests with GITHUB_TOKEN/GH_TOKEN
Squashed from #2087 (original author: @anasseth).
Adds GitHub-token authentication to extension and preset catalog fetching
and ZIP downloads so private GitHub repos work when GITHUB_TOKEN/GH_TOKEN
is set, while preventing credential leakage to non-GitHub hosts.
- Introduces shared _github_http module with build_github_request() and
open_github_url() helpers
- Routes ExtensionCatalog and PresetCatalog network calls through
GitHub-auth-aware opener
- Adds comprehensive unit/integration tests for auth header behavior
- Updates user docs for both extensions and presets
Co-authored-by: anasseth <16745089+anasseth@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(auth): address review feedback from #2087
- Fix redirect handler to preserve Authorization on GitHub-to-GitHub
redirects (e.g. github.com → codeload.github.com). The previous
implementation relied on super().redirect_request() which strips
auth on cross-host redirects, breaking private repo archive downloads.
- Add codeload.github.com to documented host lists in both
EXTENSION-USER-GUIDE.md and presets/README.md
- Add redirect auth-preservation and auth-stripping tests
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(auth): use Bearer scheme instead of token for consistency
Aligns with the rest of the codebase (e.g. __init__.py:1721) and
GitHub's current API guidance. Updates all test assertions accordingly.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: address second round of Copilot review feedback
- Fix docstring to say Bearer instead of token (matches implementation)
- Remove unused imports/fixtures from redirect tests (GITHUB_HOSTS,
MagicMock, temp_dir, monkeypatch)
- Replace __import__('io').BytesIO() with normal import io pattern
in test_presets.py
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: anasseth <16745089+anasseth@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Update product-forge to v1.5.0 in community catalog
- Extension ID: product-forge
- Version: 1.1.1 → 1.5.0
- Author: VaiYav
- Description: updated to reflect v1.5 features (portfolio, lite mode,
monorepo, optional V-Model)
- Commands: 10 → 29
- Tags: refreshed to reflect current surface area
- download_url pinned to v1.5.0 release tag
- updated_at bumped to 2026-04-24
Release: https://github.com/VaiYav/speckit-product-forge/releases/tag/v1.5.0
* Bump product-forge to v1.5.1 (docs patch)
Follow-up to v1.5.0 that surfaces the optional V-Model dependency
(leocamello/spec-kit-v-model ≥ 0.5.0) in README Requirements,
config-template.yml, and docs/config.md. Docs-only patch — no
behavioural change.
Release: https://github.com/VaiYav/speckit-product-forge/releases/tag/v1.5.1
xargs re-parses stdin as shell tokens, causing 'unterminated quote'
errors when feature descriptions contain apostrophes, double quotes,
or backslashes. Replace with sed-based whitespace trim that preserves
input verbatim.
Add regression tests for special characters in descriptions (core and
extension scripts), plus a negative test for whitespace-only input.
Fixes#2339
* catalog: add wireframe extension
Adds https://github.com/TortoiseWolfe/spec-kit-extension-wireframe
(v0.1.0) to the community catalog. Provides a visual feedback loop
for spec-driven development: SVG wireframe generation, review, and
sign-off. Approved wireframes become spec constraints honored by
/plan, /tasks, and /implement.
Supersedes #1410 — the old PR predated the extension system
introduced in #2130 and proposed commands in templates/commands/,
which is no longer the right home for third-party commands.
* catalog: address review feedback (position + author)
Two changes per Copilot review:
- Move `wireframe` entry alphabetically between `whatif` and
`worktree` (was appended after `worktrees`).
- Simplify `author` from "TortoiseWolfe (turtlewolfe.com)" to
just "TortoiseWolfe" so the exact-match author filter in
`ExtensionCatalog.search` finds the entry. Portfolio URL
remains accessible via `homepage`/`repository`.
Thanks @Copilot, @mnriem for the review.
* docs(readme): add Wireframe Visual Feedback Loop row
Addresses @mnriem's follow-up: the README extension table also
needs an entry, not just the catalog JSON. Slots in alphabetically
between "What-if Analysis" and "Worktree Isolation" with category
`visibility` and Read+Write effect (since sign-off writes the
approved wireframe paths into spec.md).
* catalog: use speckit-prefixed command names in wireframe description
Address remaining Copilot review comment on PR #2262. The actual
commands are /speckit.plan, /speckit.tasks, /speckit.implement;
the unprefixed names would mislead catalog users.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* catalog: bump wireframe extension to v0.1.1
v0.1.1 of spec-kit-extension-wireframe ships the /speckit.-prefixed
command references in extension.yml and README.md. This updates the
catalog entry to point at the new release tag so `specify extension
add wireframe` installs the corrected version.
* catalog: set wireframe created_at to current timestamp
Per EXTENSION-PUBLISHING-GUIDE.md: newly added entries should use
the current timestamp for both created_at and updated_at. The 04-17
value reflected when I drafted the entry locally, not when the
catalog submission landed.
---------
Co-authored-by: TortoiseWolfe <jonpohlner@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(catalog): add red-team extension
Adds the `red-team` community extension to the catalog:
- Adversarial review of functional specs before /speckit.plan locks in
architecture.
- Complements /speckit.clarify (correctness) and /speckit.analyze
(consistency) with parallel adversarial lens agents.
- One command: speckit.red-team.run
- MIT licensed; requires spec-kit >= 0.7.0.
Origin: this extension was originally proposed as a core command
(github/spec-kit#2303). Per maintainer guidance (mnriem's comment on
that PR), it's been restructured as a community extension hosted at
https://github.com/ashbrener/spec-kit-red-team.
Dogfood-validated on a 500-line functional spec: 5 lens agents
dispatched in parallel returned 25 findings in ~1.5 min wall-clock,
19 of which met the meaningful-finding bar (severity >= HIGH AND
novel adversarial angle that clarify/analyze structurally cannot
catch). Full detail in the extension's CHANGELOG.
* catalog: shorten red-team description to fit <200 char schema limit
Resolves Copilot review comment on #2306. Previous description (259
chars) exceeded the extensions/EXTENSION-PUBLISHING-GUIDE.md Appendix
schema ceiling. Shortened to 188 chars, keeping the distinctive
value proposition (adversarial, complements clarify/analyze) and
moving the per-phase mechanics to the extension's own README.
* catalog: bump red-team to v1.0.1 (lower required spec-kit version)
Follow-up to v1.0.0 catalog entry:
- version: 1.0.0 -> 1.0.1
- download_url: points at v1.0.1 release asset
- requires.speckit_version: >=0.7.0 -> >=0.1.0
The v1.0.0 requirement was too strict and blocked installation on
common 0.6.x field versions (confirmed via local install attempt).
The extension uses no 0.7.x-specific APIs; matches community norm
(reconcile, refine, others use >=0.1.0).
* catalog: bump red-team to v1.0.2 (adds mandatory before_plan gate)
v1.0.2 ships a /speckit.red-team.gate command wired as a mandatory
before_plan hook so /speckit.plan auto-invokes it on every run against
qualifying specs. Non-qualifying specs return PROCEED silently; qualifying
specs without findings on record return HALT with explicit remediation
(run /speckit.red-team.run, or opt out via --skip-red-team-gate: <reason>
which is recorded as an Accepted Risk [red-team-skipped] in the plan).
Catalog metadata delta:
- version: 1.0.1 -> 1.0.2
- download_url: v1.0.2/red-team-v1.0.2.zip
- provides.commands: 1 -> 2 (adds speckit.red-team.gate)
- provides.hooks: 0 -> 1 (adds before_plan hook)
No breaking changes. Projects that do not want the gate simply do not
install the extension.
---------
Co-authored-by: Ash Brener <ashley@midletearth.com>
* Add superpowers-bridge community extension
Adds the superpowers-bridge extension by WangX0111 to the community
catalog and README table. This extension bridges spec-kit with
obra/superpowers (brainstorming, TDD, subagent-driven-development,
code-review) into a unified, resumable workflow with graceful
degradation and session progress tracking.
Extension details:
- ID: superpowers-bridge
- Repository: https://github.com/WangX0111/superspec
- Version: 1.0.0
- Commands: 5, Hooks: 3
- License: MIT
* Address Copilot review feedback
- Update top-level updated_at to 2026-04-22
- Shorten description to under 200 characters
---------
Co-authored-by: 乘浩 <wch453799@alibaba-inc.com>
* Add spec-validate to community catalog
- Extension ID: spec-validate
- Version: 1.0.1
- Author: Ahmed Eltayeb
- Description: Comprehension validation, review gating, and approval state for spec-kit artifacts
* Reorder spec-validate before speckit-utils (address Copilot feedback)
Lexicographically 'spec-validate' < 'speckit-utils' because '-' (0x2D)
sorts before 'k' (0x6B). Move the entry to match the alphabetical
ordering used in the 's' range of the catalog.
* Add version-guard to community catalog
- Extension ID: version-guard
- Version: 1.0.0
- Author: KevinBrown5280
- Description: Verify tech stack versions against live registries before planning and implementation
* Fix alphabetical ordering: move Version Guard after Verify rows
- Extension ID: spec-reference-loader
- Version: 1.0.0
- Author: KevinBrown5280
- Description: Reads the ## References section from the current feature spec and loads the listed files into context
- Adds scope entry to catalog.community.json (between review and security-review)
- Adds Spec Scope row to community extensions table in README.md (between Spec Refine and Spec Sync)
- Bumps top-level updated_at to 2026-04-16T19:00:00Z
* fix: suppress CRLF warnings in auto-commit.ps1 (#2253)
Replace 2> with 2>&1 redirection and assignment to properly
suppress stderr output including CRLF warnings on Windows. Exit code
logic preserved for change detection.
Fixes#2253
* fix: use SilentlyContinue for CRLF stderr handling, add tests
The 2>&1 approach still raises terminating errors under
$ErrorActionPreference='Stop'. Instead, temporarily set
SilentlyContinue around all native git calls that may emit
CRLF warnings to stderr (rev-parse, diff, ls-files, add, commit).
Adds 5 pytest tests (TestAutoCommitPowerShellCRLF) that set
core.autocrlf=true with LF-ending files. On Windows runners
this triggers actual CRLF warnings; on other platforms the tests
pass trivially.
Fixes#2253
* refactor: address Copilot review feedback
- Use 'Continue' instead of 'SilentlyContinue' so error output is
still captured in $out for diagnostics on real git failures.
- Wrap all three EAP save/restore blocks in try/finally to guarantee
restoration even on unexpected exceptions.
- Fix CRLF test to commit a tracked LF file first, then modify it,
so git diff --quiet HEAD actually inspects the tracked change and
triggers the CRLF warning on Windows.
* test: assert CRLF warning fires on Windows
On Windows, probe git diff stderr before running the script to verify
the test setup actually produces the expected CRLF warning. This
makes the regression test deterministic on the Windows runner. On
non-Windows the probe is skipped (warnings don't fire there).
---------
Co-authored-by: Manfred Riem <15701806+mnriem@users.noreply.github.com>
- Adds catalog-ci entry to catalog.community.json (between canon and ci-guard)
- Adds Catalog CI row to community extensions table in README.md
- Bumps top-level updated_at