Skip to content

catalog: add tekimax-security community extension (v0.3.1)#2215

Open
kaman1 wants to merge 1 commit intogithub:mainfrom
kaman1:add-tekimax-security-extension
Open

catalog: add tekimax-security community extension (v0.3.1)#2215
kaman1 wants to merge 1 commit intogithub:mainfrom
kaman1:add-tekimax-security-extension

Conversation

@kaman1
Copy link
Copy Markdown

@kaman1 kaman1 commented Apr 14, 2026
edited
Loading

Summary

Adds a catalog.community.json entry and a Community Extensions README row for TEKIMAX Secure SDD (speckit-security), an Apache-2.0 Spec Kit extension that layers security gates onto the spec-driven development lifecycle.

Files changed

  • extensions/catalog.community.json — new tekimax-security entry (alphabetical, between sync and tinyspec); top-level updated_at bumped.
  • README.md — new row in the Community Extensions table (alphabetical, between Superpowers Bridge and TinySpec).

What the extension adds for Spec Kit users

9 slash commands under speckit.tekimax-security.*:

  • data-contract — declare sources, schemas, PII strategy, bias audit, drift thresholds
  • threat-model — generate a STRIDE threat model for the active spec
  • model-governance — pin model version, define eval baselines, rollback plan
  • guardrails — generate versioned system prompt + guardrail YAML
  • gate-check — run all seven gates against the active spec, emit verdict
  • audit — post-implementation scan (inline prompts, secrets, direct SDK imports) — polyglot (TS/JS/Py/Go/Rust/Ruby/Java/Kotlin/Swift/PHP/Sh/YAML/JSON/TOML/TF/MD)
  • dep-audit — dependency CVE scan (Gate G) via osv-scanner / pnpm / npm / yarn
  • red-team — generate adversarial scenarios; --run hits staging with safety guards
  • install-rules — install development rules into docs, constitution, and agent context

5 phase hooks:

Hook Command Blocking?
after_specify data-contract Optional
after_plan threat-model Optional
before_implement gate-check Blocks on failure
after_implement audit Blocks on critical findings
before_analyze red-team Optional

Seven gates (A–G) run via gate-check.sh: Data Contract, Threat Model, Model Governance, Guardrails, Red Team, Inline Content Scan (polyglot), Dependency CVEs (new in v0.3.1).

Highlights (why v0.3.1)

  • Dependency CVEs (Gate G)osv-scanner preferred, falls back to pnpm audit / npm audit / yarn npm audit. Threshold-gated via dep_audit.fail_on (low|moderate|high|critical).
  • Polyglot inline-content scan — default coverage across TS/JS/Py/Go/Rust/Ruby/Java/Kotlin/Swift/PHP/Sh/YAML/JSON/TOML/Terraform/Markdown. Extend via audit.include_globs / audit.exclude_paths.
  • Anchored gateway allowlist — prefix + / boundary + file-extension append; src/ai/gateway no longer silently matches src/ai/gateway-bypass.ts.
  • Recursive .env detectionapps/*/.env, packages/*/.env.local; .env.example / .sample / .template remain allowed.
  • --staged-only and --json flags on audit.sh, gate-check.sh, dep-audit.sh for pre-commit and CI.
  • Carried forward from v0.3.0: project-root confinement (require_inside_project), JSONL injection prevention (jsonl_append), tamper-evident hash chain (jsonl_append_chained), Gate B STRIDE content-row check, Gate D numeric rate-limit / cost-ceiling check.

Review feedback addressed

  • @mnriem — "add a row in the Community extension section in the main README (alphabetically ordered)." → Added; alphabetical position verified (Superpowers Bridge → TEKIMAX Secure SDD → TinySpec).
  • @mnriem — "update the PR description." → Rewritten for v0.3.1.
  • @copilot-pull-request-reviewer — "created_at and updated_at should match on first publish." → Both set to 2026-04-16T00:00:00Z.
  • @copilot-pull-request-reviewer — "PR description, catalog entry version, and download_url should be consistent." → All three reference v0.3.1.

Verification

  • extensions/catalog.community.json is valid JSON (python3 -m json.tool)
  • Alphabetical position in both catalog and README confirmed (between sync/Superpowers Bridge and tinyspec/TinySpec)
  • created_at == updated_at on the new entry
  • Version 0.3.1 matches extension.yml, the release tag, and the download_url
  • Upstream extension CI: 18/18 shell tests pass (ubuntu-latest + macos-latest), shellcheck clean — https://github.com/TEKIMAX/speckit-security/actions
  • Apache 2.0 license included
  • Rebased on current github/spec-kit:main

Links

Compatibility

Requires speckit_version >= 0.1.0.

@kaman1 kaman1 requested a review from mnriem as a code owner April 14, 2026 15:01
@mnriem mnriem requested a review from Copilot April 14, 2026 15:22
Copilot AI reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds the TEKIMAX Secure SDD community extension (tekimax-security) to the Spec Kit community extensions catalog so users can discover and install it via the standard catalog mechanism.

Changes:

  • Bump extensions/catalog.community.json top-level updated_at.
  • Add a new tekimax-security entry with metadata (repo/docs/download URL, version, tags, requires/provides).
Show a summary per file
File Description
extensions/catalog.community.json Adds the new community extension entry and updates catalog timestamp metadata.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread extensions/catalog.community.json Outdated
@mnriem mnriem self-assigned this Apr 14, 2026
mnriem
mnriem requested changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@mnriem mnriem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please address Copilot feedback and make sure to also add a row in the Community extension section in the main README (alphabetically ordered)

@kaman1
Copy link
Copy Markdown
Author

kaman1 commented Apr 14, 2026

Bumped this PR to v0.2.6 (commit 78472d0) to reflect the latest release:

  • Docs chat (Ask AI) at speckit.tekimax.com/chat, grounded in the full docs corpus via Llama 3.3 70B on Cloudflare Workers AI
  • Cloudflare native rate limiter on the chat endpoint (20 req/60s per IP, no external services)
  • v0.2.5 config read-back is also rolled in: user entries in tekimax-security-config.yml now extend built-in secret patterns, inline-prompt patterns, and the direct-SDK allowlist

Release notes: https://github.com/TEKIMAX/speckit-security/releases/tag/v0.2.6

The catalog download_url now points at the v0.2.6 tag archive. Still a clean 4-line diff relative to the original entry.

@mnriem mnriem requested a review from Copilot April 14, 2026 19:59
Copilot AI reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new community extension entry to extensions/catalog.community.json for TEKIMAX Secure SDD and updates the catalog’s top-level updated_at timestamp.

Changes:

  • Bumped extensions/catalog.community.json top-level updated_at.
  • Added a new tekimax-security extension entry (metadata, download URL, tags, provides/requires).
Show a summary per file
File Description
extensions/catalog.community.json Updates catalog timestamp and registers the new tekimax-security community extension entry.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread extensions/catalog.community.json Outdated
Comment on lines +1843 to +1845
"version": "0.2.6",
"download_url": "https://github.com/TEKIMAX/speckit-security/archive/refs/tags/v0.2.6.zip",
"repository": "https://github.com/TEKIMAX/speckit-security",
Copy link

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR description states the release being added is v0.2.5, but the catalog entry sets version to 0.2.6 and the download_url points at the v0.2.6 tag. Please make these consistent (either update the PR description/verification links to v0.2.6, or change the catalog entry back to v0.2.5) so consumers download the intended release.

Copilot uses AI. Check for mistakes.
@mnriem mnriem self-requested a review April 14, 2026 20:06
mnriem
mnriem requested changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@mnriem mnriem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you update the PR description and then we should be good to go

kaman1 added a commit to TEKIMAX/speckit-security that referenced this pull request Apr 16, 2026
@kaman1
chore(catalog): bump entry to v0.3.1
c1ec5c5 
Reflects the v0.3.1 release in the community-catalog entry so the
spec-kit catalog maintainers see current content when reviewing
PR github/spec-kit#2215.

- version: 0.3.0 → 0.3.1
- commands_count: 8 → 9 (dep-audit added)
- description: mention polyglot scan and Gate G
- PR-BODY.md: rewritten for v0.3.1 (Gate G, polyglot, anchored
  allowlist, recursive .env, --staged-only / --json flags)

No behavior changes. Release artifacts (CHANGELOG, README, tag
v0.3.1, GitHub release) already reflect v0.3.1.
@kaman1 kaman1 mentioned this pull request Apr 16, 2026
Merged
3 tasks
kaman1 added a commit to TEKIMAX/speckit-security that referenced this pull request Apr 16, 2026
@kaman1
chore(catalog): bump entry to v0.3.1 (#4)
378953a 
Reflects the v0.3.1 release in the community-catalog entry so the
spec-kit catalog maintainers see current content when reviewing
PR github/spec-kit#2215.

- version: 0.3.0 → 0.3.1
- commands_count: 8 → 9 (dep-audit added)
- description: mention polyglot scan and Gate G
- PR-BODY.md: rewritten for v0.3.1 (Gate G, polyglot, anchored
  allowlist, recursive .env, --staged-only / --json flags)

No behavior changes. Release artifacts (CHANGELOG, README, tag
v0.3.1, GitHub release) already reflect v0.3.1.
@kaman1
catalog: add tekimax-security v0.3.1 community extension
a24efbd 
Adds the TEKIMAX Secure SDD extension to
extensions/catalog.community.json and the Community Extensions
table in README.md (alphabetical, between Superpowers Bridge and
TinySpec per maintainer guidance on PR github#2215).

Catalog entry:
- version: 0.3.1 (current shipped release)
- created_at == updated_at == 2026-04-16 (first-publish timestamps
  match per Copilot review feedback on PR github#2215)
- download_url points at the v0.3.1 release tag
- provides: 9 commands, 5 hooks
- license: Apache-2.0

Repo:    https://github.com/TEKIMAX/speckit-security
Release: https://github.com/TEKIMAX/speckit-security/releases/tag/v0.3.1

Addresses github#2215 review comments (@mnriem,
@copilot-pull-request-reviewer):
- README row added in Community Extensions section (alphabetical).
- created_at / updated_at on the entry match on first publish.
- PR description, catalog entry version, and download_url are
  consistent at v0.3.1.
@kaman1 kaman1 force-pushed the add-tekimax-security-extension branch from 78472d0 to a24efbd Compare April 17, 2026 03:26
@kaman1 kaman1 changed the title catalog: add tekimax-security community extension catalog: add tekimax-security community extension (v0.3.1) Apr 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mnriem mnriem mnriem requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@mnriem mnriem

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kaman1 @mnriem