speckit-security

Commands

The nine slash commands speckit-security adds to Spec Kit.

speckit-security adds nine slash commands to whichever AI agent you're using. Every command is an agent-neutral Markdown file under commands/ in the extension repo; Spec Kit translates each one into the active agent's native format on install.

Command           One-line purpose
data-contract     Declare sources, schemas, PII strategy, bias audit, drift thresholds
threat-model      Generate a STRIDE threat model for the active spec
model-governance  Pin model version, define eval baselines, write rollback plan
guardrails        Generate versioned system prompt + guardrail YAML for AI features
gate-check        Run all seven gates against the active spec, emit verdict
audit             Post-implementation scan — inline prompts, secrets, direct SDKs (polyglot)
dep-audit         Dependency CVE scan (Gate G) via osv-scanner / pnpm / npm / yarn
red-team          Generate adversarial scenarios; --run hits staging automatically
install-rules     Install dev rules into docs, constitution, and agent context file

Naming convention

All commands live under the speckit.tekimax-security.* namespace:

/speckit.tekimax-security.data-contract
/speckit.tekimax-security.threat-model
/speckit.tekimax-security.model-governance
/speckit.tekimax-security.guardrails
/speckit.tekimax-security.gate-check
/speckit.tekimax-security.audit
/speckit.tekimax-security.red-team
/speckit.tekimax-security.install-rules

This follows Spec Kit's extension command naming pattern: speckit.{extension-id}.{command-name}.

Which commands fire automatically

Five of the eight commands are wired to Spec Kit phase hooks and fire automatically. Three are manual-only: you invoke them when you need them.

Automatic (via hooks)

  • data-contract fires after /speckit.specify (optional, prompts)
  • threat-model fires after /speckit.plan (optional, prompts)
  • gate-check fires before /speckit.implement (blocks on failure)
  • audit fires after /speckit.implement (blocks on critical findings)
  • red-team fires before /speckit.analyze (optional, prompts)

Manual

  • model-governance, run once at DESIGN time when adding an AI feature
  • guardrails, run once when adding an AI feature
  • install-rules, run once at project setup

The three optional-prompt hooks (data-contract, threat-model, red-team) can also be invoked manually if you opt out of the prompts or want to re-run them later.

Skipping a hook

To skip an optional hook without disabling the extension, answer "no" at the prompt. To skip a required hook (gate-check, audit), you have to do one of the following:

  1. Fix the issue the gate is catching, or
  2. Temporarily disable the extension with specify extension disable tekimax-security, or
  3. Edit the installed extension.yml to make the hook optional

See Customization for the long form.
