Development Rules
The opinionated engineering discipline speckit-security enforces for contributors and ships as a template for users.
speckit-security ships with two versions of the development rules:
- Contributor rules, docs/DEVELOPMENT-RULES.md in the repo. Apply to anyone contributing to the extension itself.
- User template, templates/development-rules.md. Installed into your project by /speckit.tekimax-security.install-rules so your team inherits the same discipline.
Both versions cover the same nine sections; the user template is stack-agnostic and designed to be customized per project.
The nine sections
- Commit message rules, describe the change, not the process. No AI attribution, no conversation context, no scrub history.
- File structure rules, hooks stay in hooks, scripts in scripts/, templates in templates/, tests in tests/, docs in docs/.
- Code organization and reuse, DRY. Extract helpers when a function exceeds 30 lines or does more than one thing.
- File length and complexity, target sizes per file type, hard ceilings before splitting.
- Naming conventions, files, functions, variables, env vars.
- Inline documentation, comment why, not what.
- Unit test rules, every bug fix lands with a regression test, incremental coverage, one-command runnable.
- Readability and maintainability, one idea per line, early returns, no magic numbers, readable at 3 AM.
- Review checklist, eleven items before opening a PR.
Runtime enforcement
Installing the rules with /speckit.tekimax-security.install-rules writes to three targets so they actually bind the AI agent:
- docs/DEVELOPMENT-RULES.md, full human-readable reference
- .specify/memory/constitution.md, Spec Kit constitution, read by every spec-kit-aware AI agent at session start
- Agent-specific context file (auto-detected from .specify/init-options.json):
| Agent | File |
|---|---|
| claude | CLAUDE.md |
| copilot | .github/copilot-instructions.md |
| gemini | GEMINI.md |
| cursor / cursor-agent | .cursorrules |
| windsurf | .windsurfrules |
| opencode, codex, kiro-cli, everything else | AGENTS.md |
The script is idempotent: running it twice does not duplicate the
## Development Rules section. Pass --force to replace an existing
section.
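A post-install check for the three targets listed above, as an added example that is not part of speckit-security: it maps the agent name to its context file using the table, then confirms the constitution and the agent file each carry exactly one ## Development Rules heading. The function names, and the assumption that the heading sits on its own line in those two files, are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: post-install check, not speckit-security's own code.

# Map an agent name to its context file, per the table above.
agent_context_file() {
  case "$1" in
    claude)              echo "CLAUDE.md" ;;
    copilot)             echo ".github/copilot-instructions.md" ;;
    gemini)              echo "GEMINI.md" ;;
    cursor|cursor-agent) echo ".cursorrules" ;;
    windsurf)            echo ".windsurfrules" ;;
    *)                   echo "AGENTS.md" ;;
  esac
}

# Count lines that are exactly the section heading (0 if the file is missing).
# Assumption: the installed heading is the bare line "## Development Rules".
count_rules_sections() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c -x '## Development Rules' "$1" || true
}

# Check the three install targets under project root $1 for agent $2.
# Optional $3 is the docs path, for installs that used --docs <path>.
# Prints one status line per target; returns 0 only if all three pass.
check_rules_install() {
  local root="$1" agent="$2" status=0 f n
  local docs="${3:-docs/DEVELOPMENT-RULES.md}"
  if [ -s "$root/$docs" ]; then echo "ok        $docs"
  else echo "missing   $docs"; status=1; fi
  for f in ".specify/memory/constitution.md" "$(agent_context_file "$agent")"; do
    n=$(count_rules_sections "$root/$f")
    case "$n" in
      1) echo "ok        $f" ;;
      0) echo "missing   $f"; status=1 ;;
      *) echo "duplicate $f ($n sections)"; status=1 ;;
    esac
  done
  return "$status"
}

# Run only when arguments are given: ./check.sh <project-root> <agent>
if [ "$#" -ge 2 ]; then check_rules_install "$@"; fi
```

A "missing" line for the constitution or agent file means the rules never reach the agent's session context; a "duplicate" line means the section was appended more than once.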
Why this matters
Writing rules to a docs/ file only works if a human or agent
explicitly reads that file. By also writing to the spec-kit
constitution and the agent context file, the rules become part of
every AI agent's system context at session start. The agent
inherits the discipline automatically for every conversation,
without the human having to remind it.
Running the installer
From the AI agent:
/speckit.tekimax-security.install-rules
From the terminal directly:
bash .specify/extensions/tekimax-security/scripts/bash/install-rules.sh
Optional flags:
- --docs <path>, override the default docs/DEVELOPMENT-RULES.md target
- --project-name <name>, override project name detection
- --force, replace an existing ## Development Rules section
See /speckit.tekimax-security.install-rules
for the full command reference.