speckit-security

Agent Compatibility

Which AI agents are verified hands-on with speckit-security, and which are inferred from Spec Kit's supported list.

speckit-security is agent-neutral, the extension ships generic Markdown command files and Spec Kit handles the translation into each AI agent's native format at install time.

Verified end-to-end

These agents have been smoke-tested with a full install cycle: specify init --ai <agent>, specify extension add --dev ..., specify extension list, and execution of the gate-check.sh script from inside the installed project.

AgentInstall locationFormat
Claude Code.claude/skills/speckit-tekimax-security-*/SKILL.mdMarkdown skill with frontmatter
OpenCode.opencode/command/speckit.tekimax-security.*.mdMarkdown command
GitHub Copilot.github/agents/*.agent.md + .github/prompts/*.prompt.mdAgent + prompt files
Gemini CLI.gemini/commands/speckit.tekimax-security.*.tomlTOML command
Cursor.cursor/skills/speckit-tekimax-security-*/SKILL.mdMarkdown skill

All eight speckit-security commands register cleanly on each agent, and the gate-check script runs end-to-end after install.

Supported by Spec Kit (inferred)

These agents are listed in specify init --ai <name> but haven't been hands-on tested with speckit-security. They should work because Spec Kit handles the translation layer and the extension provides the same agent-neutral Markdown that it translates for the verified agents above.

  • auggie
  • bob
  • codebuddy
  • codex
  • forge
  • iflow
  • junie
  • kilocode
  • kimi
  • kiro-cli
  • pi
  • qodercli
  • qwen
  • roo
  • shai
  • tabnine
  • trae
  • vibe (Mistral Vibe)
  • windsurf
  • generic (fallback for unsupported agents)

If you try one of these and it works, please open a PR upstream to move it into the "Verified" table. If it doesn't work, please open an issue with the exact specify init and specify extension add output.

Requirements regardless of agent

  • Spec Kit >= 0.1.0 installed via uv tool install specify-cli
  • Bash (macOS + Linux supported; Windows requires WSL or Git Bash)
  • Python 3, used by helper scripts for JSON parsing and template substitution

Testing on your agent of choice

# 1. Init a project with your target agent
specify init test-app --ai <agent-name> --no-git

# 2. Install the extension
cd test-app
specify extension add --dev /path/to/speckit-security

# 3. Verify registration
specify extension list
# Should show: Commands: 8 | Hooks: 5 | Status: Enabled

# 4. Verify the commands were translated into the agent's format
specify extension info tekimax-security

# 5. Run the gate-check script directly against a sample spec
#    (it requires a real spec path, so create a stub first)
mkdir -p .specify/specs
cat > .specify/specs/F-000-smoke.md <<'EOF'
## Data Contract
## Security / Threat Model
EOF
bash .specify/extensions/tekimax-security/scripts/bash/gate-check.sh \
  .specify/specs/F-000-smoke.md 2>&1 || true

If step 3 shows Commands: 8 | Hooks: 5 | Status: Enabled and step 5 runs the gate script (even if it reports gate failures on the stub spec), the agent is functionally supported.

Reporting incompatibilities

  • Open an issue at https://github.com/TEKIMAX/speckit-security/issues
  • Include the agent name, spec-kit version, OS, and the exact output of specify extension add --dev and specify extension list
  • Do not include prompts or conversation snippets, just the commands you ran and their output

Customization

Config file, template overrides, hook toggling, allowlists, and environment variables.

Development Rules

The opinionated engineering discipline speckit-security enforces for contributors and ships as a template for users.

On this page

Verified end-to-endSupported by Spec Kit (inferred)Requirements regardless of agentTesting on your agent of choiceReporting incompatibilities